From jcholast at redhat.com Wed Jul 1 05:33:17 2015
From: jcholast at redhat.com (Jan Cholasta)
Date: Wed, 1 Jul 2015 07:33:17 +0200
Subject: [Freeipa-devel] [PATCHES 306-316] Automated migration tool from Winsync
In-Reply-To: <5592BC07.70406@redhat.com>
References: <54FD8369.10803@redhat.com> <54FF0F46.3010109@redhat.com> <55005D3C.5090304@redhat.com> <5540B23A.9060404@redhat.com> <5548B13B.60607@redhat.com> <5549CCE6.3010006@redhat.com> <557FDAE8.4000501@redhat.com> <558001ED.6070206@redhat.com> <5592BC07.70406@redhat.com>
Message-ID: <55937B9D.9090505@redhat.com>

On 30.6.2015 at 17:55 Tomas Babej wrote:
>
>
> On 06/16/2015 01:01 PM, Jan Cholasta wrote:
>>
>> Also please rename the class to "MigrateWinsync", for consistency.
>>
>
> Naming is consistent, the tool is called ipa-winsync-migrate, class is
> called WinsyncMigrate. This is consistent with other IPA tools.

Ah, I didn't notice you renamed it in a separate patch, as we normally do that by fixing the original patch. Which is what you really should have done as well, I don't see how such patch spamming is good for anyone.

--
Jan Cholasta

From ftweedal at redhat.com Wed Jul 1 06:06:11 2015
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Wed, 1 Jul 2015 16:06:11 +1000
Subject: [Freeipa-devel] CA ACL enforcement when authenticated as root
Message-ID: <20150701060611.GT6584@dhcp-40-8.bne.redhat.com>

Hi everyone,

With the addition of CA ACLs, there are now two levels of permissions checked by the `cert-request' command:

- LDAP permission checks. This check is performed against the bind principal; `admin' has permission to write the userCertificate attribute of any principal.

- CA ACLs: whether issuing a certificate to a particular principal using a particular profile is permitted. This check is performed against the principal for whom the certificate is being requested, which might or might not be the bind principal.

Some questions came up after the recent GSS IdM test day:

1) It was requested to add a caacl rule to allow `admin' to issue a certificate for itself via any profile. This is straightforward, but what are the use cases for the `admin' account issuing certificates to itself?

2) When `admin' (as bind principal) requests a certificate for another principal and there is no CA ACL allowing issuance of a certificate for that principal+profile, the request is currently rejected. Should we change the behaviour to allow `admin' to issue a certificate to any principal, using any profile? (This would be accomplished by skipping CA ACL checks in `cert-request' when authenticated as admin.)

(Note, if the answer to (2) is "yes", (1) is subsumed.)

Cheers,
Fraser

From jcholast at redhat.com Wed Jul 1 06:53:37 2015
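The two checks described in Fraser's message above, modelled as an added example; this is not FreeIPA's code. The CaAcl class, the principal names, the simplified layer-1 rule, the constructed profile name caCustomProfile and the admin_bypasses_caacl switch that stands in for proposal (2) are all assumptions of the illustration; caIPAserviceCert is FreeIPA's default service profile.

```python
"""Model of the two permission layers `cert-request' applies (added
illustration, not FreeIPA's code).  CaAcl and ldap_write_permitted are
simplified stand-ins for the real LDAP permission and CA ACL entries."""
from dataclasses import dataclass


@dataclass
class CaAcl:
    """Simplified CA ACL: which target principals may use which profiles."""
    name: str
    principals: frozenset = frozenset()   # exact principal names
    profiles: frozenset = frozenset()
    all_principals: bool = False          # like principal category "all"
    all_profiles: bool = False            # like profile category "all"

    def permits(self, principal: str, profile: str) -> bool:
        return ((self.all_principals or principal in self.principals)
                and (self.all_profiles or profile in self.profiles))


def ldap_write_permitted(bind_principal: str, target_principal: str) -> bool:
    """Layer 1 (constructed rule): admin may write userCertificate on any
    entry; anyone else only on their own entry."""
    return bind_principal == "admin" or bind_principal == target_principal


def caacl_permitted(acls, target_principal: str, profile: str) -> bool:
    """Layer 2: at least one CA ACL must cover the target principal+profile."""
    return any(acl.permits(target_principal, profile) for acl in acls)


def cert_request_allowed(bind_principal, target_principal, profile, acls,
                         admin_bypasses_caacl=False):
    """Return (allowed, reason).

    Layer 1 is evaluated against the *bind* principal, layer 2 against the
    principal the certificate is *for*.  admin_bypasses_caacl models the
    proposal in question (2): skip the CA ACL check when bound as admin.
    """
    if not ldap_write_permitted(bind_principal, target_principal):
        return False, "bind principal may not write userCertificate"
    if admin_bypasses_caacl and bind_principal == "admin":
        return True, "admin bypass: CA ACL check skipped"
    if not caacl_permitted(acls, target_principal, profile):
        return False, "no CA ACL permits this principal+profile"
    return True, "LDAP permission and CA ACL both satisfied"


# Constructed sample policy: one host may use the default service profile.
SAMPLE_ACLS = (
    CaAcl("web_hosts", principals=frozenset({"host/web1.example.test"}),
          profiles=frozenset({"caIPAserviceCert"})),
)


def walk_through():
    """The cases discussed in the message, as (case, allowed, reason)."""
    cases = [
        ("admin -> host, covered profile",
         cert_request_allowed("admin", "host/web1.example.test",
                              "caIPAserviceCert", SAMPLE_ACLS)),
        ("admin -> host, uncovered profile (question 2, current behaviour)",
         cert_request_allowed("admin", "host/web1.example.test",
                              "caCustomProfile", SAMPLE_ACLS)),
        ("admin -> host, uncovered profile, admin bypass",
         cert_request_allowed("admin", "host/web1.example.test",
                              "caCustomProfile", SAMPLE_ACLS, True)),
        ("admin -> admin, no ACL (question 1), admin bypass",
         cert_request_allowed("admin", "admin", "caCustomProfile",
                              SAMPLE_ACLS, True)),
        ("bob -> host: denied at layer 1 before any ACL is consulted",
         cert_request_allowed("bob", "host/web1.example.test",
                              "caIPAserviceCert", SAMPLE_ACLS)),
    ]
    return [(label, ok, why) for label, (ok, why) in cases]


if __name__ == "__main__":
    for label, ok, why in walk_through():
        print(f"{'ALLOW' if ok else 'DENY ':5} {label}: {why}")
```

The third and fourth cases show why a "yes" to (2) subsumes (1): with the bypass, the admin-to-admin request succeeds without any caacl rule.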
From: jcholast at redhat.com (Jan Cholasta)
Date: Wed, 1 Jul 2015 08:53:37 +0200
Subject: [Freeipa-devel] [PATCH] Password vault
In-Reply-To: <558C33DF.6080403@redhat.com>
References: <54E1AF55.3060409@redhat.com> <54EBEB55.6010306@redhat.com> <54F96B22.9050507@redhat.com> <55004D5D.6060300@redhat.com> <550FE5EB.1070606@redhat.com> <551E0AE1.8040500@redhat.com> <553498D1.1020901@redhat.com> <55651209.8020000@redhat.com> <556558AA.6040107@redhat.com> <556CF209.7050404@redhat.com> <556EF05E.90103@redhat.com> <55719260.8080300@redhat.com> <5571FD75.5010708@redhat.com> <557568CB.3040503@redhat.com> <557756EE.8020507@redhat.com> <5577D581.1020800@redhat.com> <557E7D21.2040304@redhat.com> <557F5998.2000103@redhat.com> <55811463.8050802@redhat.com> <5588D21A.1020104@redhat.com> <558B9334.8030104@redhat.com> <558C33DF.6080403@redhat.com>
Message-ID: <55938E71.1070405@redhat.com>

On 25.6.2015 at 19:01 Endi Sukma Dewata wrote:
> On 6/25/2015 12:35 AM, Jan Cholasta wrote:
>>>>>> I think it would be better to use a new attribute type which inherits
>>>>>> from ipaPublicKey (ipaVaultPublicKey?) rather than ipaPublicKey directly
>>>>>> for asymmetric vault public keys, so that asymmetric public key and
>>>>>> escrow public key are on the same level and you can still use
>>>>>> ipaPublicKey to refer to either one:
>>>>>>
>>>>>> ipaPublicKey
>>>>>>   ipaVaultPublicKey
>>>>>>   ipaEscrowPublicKey
>>>>>>
>>>>> OK. To be consistent the parameters need to be renamed too:
>>>>> --vault-public-key and --vault-public-key-file.
>>>>
>>>> It doesn't need to, there is no requirement for CLI names to always
>>>> match attribute names. (Also I don't insist on the name
>>>> "ipaVaultPublicKey", feel free to change it if you want.)
>>>
>>> It's unchanged for now. In a previous discussion it was advised to reuse
>>> the existing attribute type whenever possible.
>>
>> Well, in this discussion, it is not.
>> Escrow public key should also reuse ipaPublicKey, but it can't if you
>> use it for vault public key. By using ipaPublicKey subtypes you can
>> distinguish between the two uses and still use ipaPublicKey to refer
>> to either of them.
>
> So what's changed? This is what you said when I posted the same patch
> six months ago:
>
>>> In this patch I'm adding ipaVaultSalt and ipaVaultPublicKey attribute
>>> types to store salt and public key for vault. Are there existing
>>> attribute types that I can use instead? I see there's an ipaPublicKey,
>>> should I use that and maybe add ipaSalt/ipaEncSalt? Thanks.
>>
>> yes, please re-use existing attributes where possible.
>>
>> Honza

What changed is that I now know there is also escrow public key, which I didn't know six months ago.

> Could you show me how to use ipaPublicKey to refer to ipaVaultPublicKey
> and ipaEscrowPublicKey? Under what situation would that be useful?

For example for ipaPublicKey searches - if ipaVaultPublicKey and ipaEscrowPublicKey both inherit from ipaPublicKey, then an ipaPublicKey search will look in both ipaVaultPublicKey and ipaEscrowPublicKey. This is not something we actually need right now, but once the schema is done, it can't be fixed and I don't think we should prevent this, especially since we can get it for free. BTW even the core LDAP schema does this, see for example how the cn attribute inherits from the more general name attribute: .

>>>> a) When the non-split vault_{archive,retrieve} was called from a
>>>> server API with client-only options, it crashed. This is the broken API
>>>> I was talking about.
>>>
>>> This is because in the current framework any API called on the server
>>> side will be a server API, so you are not supposed to call it with
>>> client options in the first place. Because of that limitation, the only
>>> way to use client options is to use a separate API on the client side to
>>> call the original API on the server side.
>>> The point is, client options belong to client API, and server options
>>> belong to server API. In vault_add the public key file name belongs to
>>> client API because it's used to load a file on the client side. You
>>> should not add public key file name option to the server API just
>>> because it can safely be ignored.
>>
>> I don't disagree, but file name options do not belong to the general
>> client API either, as they are strictly CLI-specific.
>
> To my understanding the current framework doesn't have a separate CLI
> class, so you don't have a choice but to put CLI-specific options in the
> client API class too. However, you do have a choice not to combine
> client API class and server API class because otherwise that will put
> CLI-specific options in the server API class too.

Right.

>>>>>>>> 2. Since the vault_archive_internal inherits from Update, it accepts
>>>>>>>> all non primary-key attributes automatically. This is incorrect since
>>>>>>>> we don't want to update these parameters during archival. Can this
>>>>>>>> behavior be overridden?
>>>>>>
>>>>>> Inherit from PKQuery instead (don't forget to add "has_output =
>>>>>> output.standard_entry").
>>>>>
>>>>> Previously you didn't want to use LDAPQuery because of semantics
>>>>> reasons. Is PKQuery fine semantically?
>>>>
>>>> It's not. Currently there is a set of commands which operate on the LDAP
>>>> part of vault and another set of commands which operate on the KRA part
>>>> of vault and we don't want the commands in one set to see attributes
>>>> related to the other part of vault. If you insist on keeping both parts
>>>> in a single object, you have to resort to hackery like using PKQuery,
>>>> hence my suggestion to split the data part off to a separate object to
>>>> avoid this.
>>>
>>> This is because the framework was based on simplistic assumptions which
>>> create unnecessary restrictions, for example:
>>> * client API is just a proxy to server API (i.e. client and server
>>> cannot do different things)
>>
>> They can do different things the same way vault_archive/vault_retrieve
>> does that, the commands just can't be called the same (which is not
>> necessarily a bad thing).
>
> Of course different APIs can do different things, like vault_add calling
> vault_archive, or vault_archive calling vault_archive_internal. The
> point is right now the client portion of an API (i.e. the forward()
> method) cannot do anything other than forwarding the request to the
> server, so the API has to be split into different APIs:
>
> * vault_archive
> * vault_archive_internal
>
> It would be nice to have formal separation between client and server
> APIs so it's clear they are different but still related without
> resorting to ugly names:
>
> * client.vault_archive
> * server.vault_archive

Yes.

>>> * CLI options will be identical to client and server API options (i.e.
>>> no CLI-only, client-only, or server-only options)
>>
>> Actually, you can create CLI-only options (add include='cli' to the
>> param's kwargs).
>
> I need to look at this more closely. If I understand correctly in
> user_del there are two 'preserve' options, the Bool preserve is for
> client and server API, and the Flag preserve is for CLI. Wouldn't it be
> better if they are stored in separate lists (or maybe separate classes)?
> And it looks like you still need to delete the CLI options explicitly
> anyway.

Well, it would be better if there was no Flag class at all and flags were handled by CLI exclusively, because parameter classes should reflect the data type (bool) and not the presentation (flag).

> Does the API.txt actually show the CLI options, the client API options,
> or the server API options? I only see the Flag preserve, not the Bool
> preserve.
It shows CLI options, see how the API object is initialized in makeapi.

>>> * a plugin will only access one type of data (i.e. LDAP plugin can only
>>> access LDAP data)
>>
>> This is not assumed anywhere in the framework, you can access whatever
>> you want, but you can't expect baseldap to do everything for you.
>
> Nobody is expecting baseldap to do KRA operations.
>
>> As the name implies, it is LDAP specific, if you want something else,
>> you have to implement it yourself.
>
> In the previous patch vault_retrieve inherits from LDAPRetrieve so it
> can rely on baseldap to retrieve the vault entry, then on top of that it
> implements additional KRA operations (without baseldap obviously). If
> that is not allowed, aren't you basically saying LDAP plugin can only
> access LDAP data?

Yes, basically, but I'm also saying that you are not limited to doing LDAP plugins only. You can abuse the callbacks to do anything, including data retrieval from other sources, but it doesn't make it right, as it only leads to code duplication, inconsistencies and weird bugs. I have seen too much of this, hence my reluctance to do it again.

>>> * a command name will match the object name (i.e. must use vaultdata_mod
>>> instead of a more intuitive vault_archive)
>>
>> I don't see how consistency is a bad thing, or how this could limit
>> anyone doing things cleanly. I do agree that vaultdata_mod is ugly, but
>> it's not the only way to achieve the same goal.
>
> Look at it from user's perspective. If you create a vault using
> vault-add <name>, then archive data using vaultdata-mod <name>, how is
> this consistent?

Because it's object-verb and not object-verbofsomeotherobject. (Also I already acknowledged the vaultdata idea is ugly.)

>>> We know that some use cases do not fit these assumptions. Rather than
>>> compromising the use case, or looking at workarounds as hacks, I'd
>>> suggest finding ideas to improve the framework itself to be more
>>> accommodating.
>>
>> I would personally love to improve the framework (it's just retarded
>> sometimes as you may have noticed), but it does not have high priority
>> right now (not my decision).
>
> We don't have to modify the current framework right now, but we can
> align new code that doesn't fit the current framework to match the future
> framework. Although the future framework is not defined yet, some things
> are already clear, for example there should be separate client and
> server APIs. So if a command like vault_add has differing client and
> server options, regardless how insignificant it is, there's no reason to
> force it to be combined. The current framework doesn't prevent
> separation anyway.

Aligning new code is exactly what I'm aiming to do and why I want people to look at their APIs from an object oriented perspective rather than just dumb RPC, because that's the direction the framework is heading.

>> Keep in mind that workarounds which screw with the object model will
>> always be considered hacks, even after the framework is made more
>> accommodating.
>
> Don't get this wrong. The framework will only be considered
> accommodating if it allows people to implement features without
> 'hacking'. 'Hacking' itself is never a goal, it's the last resort to
> work around the framework's current limitations, just like how you ended
> up using PKQuery for vault_archive_internal.

Well, there are so many hacks in every corner of IPA that many people don't see them as hacks. PKQuery is not that bad, though it doesn't implement as many bits as would be useful in this case.

--
Jan Cholasta

From mbasti at redhat.com Wed Jul 1 07:05:33 2015
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 1 Jul 2015 09:05:33 +0200
Subject: [Freeipa-devel] [PATCH 0050] Fix client ca.crt to match the server's cert
In-Reply-To:
References: <5592ACFE.8020803@redhat.com>
Message-ID: <5593913D.8000303@redhat.com>

On 30/06/15 17:31, Gabe Alford wrote:
> On Tue, Jun 30, 2015 at 8:51 AM, Martin Basti wrote:
>
> On 16/06/15 16:58, Gabe Alford wrote:
>> I know you guys are busy. Bump for review.
>>
>> Thanks,
>>
>> Gabe
>>
>> On Tue, May 26, 2015 at 8:16 AM, Gabe Alford wrote:
>>
>> Hello,
>>
>> Fix for https://fedorahosted.org/freeipa/ticket/3809
>>
>> Thanks,
>>
>> Gabe
>>
>>
> I'm getting certificate on server without extra '\n' at the end.
>
> So certificate files are not the same.
>
>
> I assume you did a diff of the server /etc/ipa/ca.crt and the client
> /etc/ipa/ca.crt, right? Did you set up a server and then connect a
> client (just wonder what your steps were so that I can also reproduce)?

Yes. I did that.

I will retest it today.

>
> --
> Martin Basti
>

--
Martin Basti

From jcholast at redhat.com Wed Jul 1 07:30:39 2015
From: jcholast at redhat.com (Jan Cholasta)
Date: Wed, 1 Jul 2015 09:30:39 +0200
Subject: [Freeipa-devel] [PATCHES 448-460] Allow multiple API instances (take 2)
In-Reply-To: <55927162.6090600@redhat.com>
References: <558ACAEE.3060503@redhat.com> <55927162.6090600@redhat.com>
Message-ID: <5593971F.7050105@redhat.com>

On 30.6.2015 at 12:37 Martin Babinsky wrote:
> On 06/24/2015 05:21 PM, Jan Cholasta wrote:
>> Hi,
>>
>> the attached patches fix
>> and .
>>
>> Honza
>>
>>
>
> Hi Honza,
>
> everything seems to work except `ipa-replica-prepare` which raises the
> following exception: http://fpaste.org/237625/43558123/
>
> `git bisect` marks PATCH 453 as guilty.
>

See new patch 461 for a fix. Rebased patches attached.

--
Jan Cholasta

Attachment: freeipa-jcholast-448.1-plugable-Move-plugin-base-class-and-override-logic-t.patch (text/x-patch, 21388 bytes)
Attachment: freeipa-jcholast-449.1-ipalib-Load-ipaserver-plugins-when-api.env.in_server.patch (text/x-patch, 9838 bytes)
Attachment: freeipa-jcholast-450.1-ipalib-Move-find_modules_in_dir-from-util-to-plugabl.patch (text/x-patch, 3025 bytes)
Attachment: freeipa-jcholast-451.1-plugable-Specify-plugins-to-import-in-API-by-module-.patch (text/x-patch, 6893 bytes)
Attachment: freeipa-jcholast-452.1-plugable-Load-plugins-only-from-modules-imported-by-.patch (text/x-patch, 9770 bytes)
Attachment: freeipa-jcholast-453.1-plugable-Pass-API-to-plugins-on-initialization-rathe.patch (text/x-patch, 59262 bytes)
Attachment: freeipa-jcholast-454.1-plugable-Do-not-use-DictProxy-for-API.patch (text/x-patch, 3168 bytes)
Attachment: freeipa-jcholast-455.1-plugable-Lock-API-on-finalization-rather-than-on-ini.patch (text/x-patch, 2352 bytes)
Attachment: freeipa-jcholast-456.1-ipaplatform-Do-not-use-MagicDict-for-KnownServices.patch (text/x-patch, 1858 bytes)
Attachment: freeipa-jcholast-457.1-plugable-Remove-SetProxy-DictProxy-and-MagicDict.patch (text/x-patch, 9764 bytes)
Attachment: freeipa-jcholast-458.1-plugable-Change-is_production_mode-to-method-of-API.patch (text/x-patch, 9760 bytes)
Attachment: freeipa-jcholast-459.1-plugable-Specify-plugin-base-classes-and-modules-usi.patch (text/x-patch, 4955 bytes)
Attachment: freeipa-jcholast-460.1-plugable-Remove-unused-call-method-of-Plugin.patch (text/x-patch, 2339 bytes)
Attachment: freeipa-jcholast-461-replica-prepare-Do-not-use-entry-after-disconnecting.patch (text/x-patch, 1599 bytes)

From mkosek at redhat.com Wed Jul 1 07:35:53 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 01 Jul 2015 09:35:53 +0200
Subject: [Freeipa-devel] [PATCH] 886-890 webui: API browser
In-Reply-To: <5592C535.8070708@redhat.com>
References: <5592C535.8070708@redhat.com>
Message-ID: <55939859.4040704@redhat.com>

On 06/30/2015 06:35 PM, Petr Vobornik wrote:
> First part of API Browser - displaying the metadata in more consumable way.
>
> Second part, how to use it in different languages will be written as wiki pages
> first.
>
> The browser could be later enhanced with more info and tooltips.
>
> Patch 886 extends backend to send more metadata.
> Patch 887,888,889 are webui fixes and prerequisites
> Patch 890 is the API browser

Thanks, this is a very good start. I looked at a VM with the patches and have a couple of usability suggestions:

1) It was hard for me to find where the API Browser is. But "IPA Server" looks like a good tab where it should be, though.

2) I have strong doubts about the "Objects" tab, this is only understandable to users knowledgeable about FreeIPA framework internals. A common API user who just wants to consume the API and not know about the internals will not know what this is. What I would do is make "API Browser" directly clickable so that it opens the Commands tab. This is what most people will use. Other tabs may be stacked on the left just like with Staged or Deleted users. For now, I would hide Objects as I think it would cause more confusion. If we want to show it, there should be some introduction what it is good for and maybe a limitation of the shown fields to only those that have any value for the consumers.

3) In the Commands tab, we will need something more explanatory about what the attributes of Param need, and probably hide some. For example "exclude" is not needed for consumers.

4) Many attributes have "autofill": True. I wonder how usable it is without knowing the actual default for the attribute. Can we show the default?
5) I would hide "Output Params" altogether given we don't have them set up correctly in FreeIPA framework and they may rather confuse people, with having all the HBAC or SUDO with User objects.

I may think about it more, these were just my first couple of thoughts. Others may have different opinions here.

Martin

From mbasti at redhat.com Wed Jul 1 08:34:33 2015
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 1 Jul 2015 10:34:33 +0200
Subject: [Freeipa-devel] [PATCH 0272] Server upgrade: log more into debug log instead of info log
Message-ID: <5593A619.3000808@redhat.com>

Update is logging too much info into the info log.

Patch attached.

--
Martin Basti

Attachment: freeipa-mbasti-0272-Server-Upgrade-use-debug-log-level-for-upgrade-inste.patch (text/x-patch, 16488 bytes)

From mbasti at redhat.com Wed Jul 1 08:37:29 2015
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 1 Jul 2015 10:37:29 +0200
Subject: [Freeipa-devel] [PATCH 0046] DNSSEC: Store time & date key metadata in UTC
In-Reply-To: <55928D34.4020703@redhat.com>
References: <55928D34.4020703@redhat.com>
Message-ID: <5593A6C9.7010701@redhat.com>

On 30/06/15 14:36, Petr Spacek wrote:
> Hello,
>
> DNSSEC: Store time & date key metadata in UTC.
>
> OpenDNSSEC stores key metadata in local time zone but BIND needs
> timestamps in UTC. UTC will be stored in LDAP.
>
> https://fedorahosted.org/freeipa/ticket/4657
>

ACK

--
Martin Basti

From mbasti at redhat.com Wed Jul 1 08:49:15 2015
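The local-time to UTC conversion behind the DNSSEC patch acknowledged above, as an added example that is neither FreeIPA's nor OpenDNSSEC's code. The OpenDNSSEC text form "YYYY-MM-DD HH:MM:SS", the fixed_offset helper and the sample timestamps are assumptions of the illustration; BIND's YYYYMMDDHHMMSS key timing values and LDAP GeneralizedTime with a trailing 'Z' are both UTC by definition.

```python
"""Local-zone key timing metadata rendered as UTC for BIND and LDAP
(added illustration, not FreeIPA's or OpenDNSSEC's code)."""
from datetime import datetime, timedelta, timezone

BIND_FMT = "%Y%m%d%H%M%S"        # BIND key timing values (Publish:, Activate:, ...)
LOCAL_FMT = "%Y-%m-%d %H:%M:%S"  # assumed text form of OpenDNSSEC's local-time metadata


def fixed_offset(hours: int) -> timezone:
    """A fixed-offset 'local zone' for the examples (constructed; a real
    deployment would pass e.g. zoneinfo.ZoneInfo('Europe/Prague'), which
    applies the DST offset valid on each date)."""
    return timezone(timedelta(hours=hours))


def local_to_utc(local_text: str, local_tz) -> datetime:
    """Parse the naive local timestamp, attach the local zone, convert to UTC."""
    naive = datetime.strptime(local_text, LOCAL_FMT)
    return naive.replace(tzinfo=local_tz).astimezone(timezone.utc)


def bind_timing(local_text: str, local_tz) -> str:
    """OpenDNSSEC local text -> the UTC value BIND expects."""
    return local_to_utc(local_text, local_tz).strftime(BIND_FMT)


def ldap_generalized_time(local_text: str, local_tz) -> str:
    """OpenDNSSEC local text -> LDAP GeneralizedTime in UTC ('Z' suffix),
    which is the form the patch stores in LDAP."""
    return bind_timing(local_text, local_tz) + "Z"


def naive_passthrough(local_text: str) -> str:
    """The pre-patch behaviour: reformatting the local wall-clock value as
    if it were UTC already.  Off by the zone offset, so BIND would publish,
    activate or retire keys hours early or late."""
    return datetime.strptime(local_text, LOCAL_FMT).strftime(BIND_FMT)


def offset_error_seconds(local_text: str, local_tz) -> int:
    """How far the naive passthrough lands from the correct UTC instant."""
    wrong = datetime.strptime(naive_passthrough(local_text), BIND_FMT)
    wrong = wrong.replace(tzinfo=timezone.utc)
    return int((wrong - local_to_utc(local_text, local_tz)).total_seconds())


if __name__ == "__main__":
    cest = fixed_offset(2)  # constructed: CET summer offset
    for text in ("2015-07-01 12:00:00", "2015-07-01 01:30:00"):
        print(text, "->", bind_timing(text, cest), "|",
              ldap_generalized_time(text, cest), "| naive:",
              naive_passthrough(text), "| error:",
              offset_error_seconds(text, cest), "s")
```

The second sample crosses midnight: the correct UTC value lands on the previous calendar day, which a naive reformat gets wrong by date as well as hour.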
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 1 Jul 2015 10:49:15 +0200
Subject: [Freeipa-devel] [PATCH] 0020..0022 pki-related upgrade fixes
In-Reply-To: <20150630160232.GQ6584@dhcp-40-8.bne.redhat.com>
References: <20150619072838.GR29330@dhcp-40-8.bne.redhat.com> <558BC875.1040002@redhat.com> <20150629140313.GH6584@dhcp-40-8.bne.redhat.com> <55916A9B.20105@redhat.com> <20150630160232.GQ6584@dhcp-40-8.bne.redhat.com>
Message-ID: <5593A98B.6080804@redhat.com>

On 30/06/15 18:02, Fraser Tweedale wrote:
> On Mon, Jun 29, 2015 at 05:56:11PM +0200, Martin Basti wrote:
>> On 29/06/15 16:03, Fraser Tweedale wrote:
>>> On Thu, Jun 25, 2015 at 11:23:01AM +0200, Martin Basti wrote:
>>>> On 19/06/15 09:28, Fraser Tweedale wrote:
>>>>> The attached patches fix upgrade issues when pki is also updated
>>>>> from pre 10.2.4.
>>>>> pki dependency is bumped to 10.2.5 - the official builds should be
>>>>> done Friday (US time) but it is available from my copr[1]. If
>>>>> someone wants to add to official freeipa COPR in meantime the SRPM
>>>>> is here[2].
>>>>>
>>>>> [1] https://copr.fedoraproject.org/coprs/ftweedal/freeipa/
>>>>> [2] https://ftweedal.fedorapeople.org/pki-core-10.2.5-0.2.fc21.src.rpm
>>>>>
>>>>> Thanks,
>>>>> Fraser
>>>>>
>>>>>
>>>> Thank you.
>>>>
>>>> 1)
>>>> I cannot apply patches.
>>>>
>>> Rebased patches attached.
>>>
>>>> 2)
>>>> IMO patch 0020 was fixed with my patch 266
>>>>
>>> It seems we are hitting another case of LDAP disconnection during
>>> upgrade; without 0020 the upgrade fails. There might be a better
>>> way so let me know if you have ideas.
>>>
>>>> 3)
>>>> This print should not be there
>>>> +
>>>> + print cs_cfg
>>>> + for profile_id in profile_ids:
>>>>
>>> Thanks; removed.
>>>
>>>> 4)
>>>> This is unused variable, it is defined later
>>>> + cs_cfg = None
>>>>
>>> Thanks; removed.
>>>
>>>> 5)
>>>> Can you add there log.error or log.debug instead of pass please?
>>>> + # enable the profile
>>>> + try:
>>>> + profile_api.enable_profile(profile_id)
>>>> + except errors.RemoteRetrieveError:
>>>> + pass
>>>>
>>> You've got it. Also did this a few lines up where the profile is
>>> disabled.
>>>
>>>> I will test it later.
>>>>
>>>> --
>>>> Martin Basti
>>>>
>>> Thank you,
>>> Fraser
>> PATCH 0020 - NACK see my patch 269, it fixes root cause. (IMO with reworked
>> patch 21 it is not needed)
>>
>> PATCH 0021 - NACK, it runs whole upgrade machinery again. Patch how to fix
>> it is attached. Sorry I didn't notice it last time.
>>
>> PATCH 0022 - LGTM
>>
>>
>> --
>> Martin Basti
>>
> Thank you very much!
>
> Your patch to my patch works perfectly. I squashed it into 0021.
> Patch 0020 rescinded. Rebased patches attached.
>
> Cheers,
> Fraser

Thank you, ACK for both patches.

--
Martin Basti

From mbasti at redhat.com Wed Jul 1 08:54:19 2015
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 1 Jul 2015 10:54:19 +0200
Subject: [Freeipa-devel] [PATCH 0050] Fix client ca.crt to match the server's cert
In-Reply-To: <5593913D.8000303@redhat.com>
References: <5592ACFE.8020803@redhat.com> <5593913D.8000303@redhat.com>
Message-ID: <5593AABB.607@redhat.com>

On 01/07/15 09:05, Martin Basti wrote:
> On 30/06/15 17:31, Gabe Alford wrote:
>> On Tue, Jun 30, 2015 at 8:51 AM, Martin Basti wrote:
>>
>> On 16/06/15 16:58, Gabe Alford wrote:
>>> I know you guys are busy. Bump for review.
>>>
>>> Thanks,
>>>
>>> Gabe
>>>
>>> On Tue, May 26, 2015 at 8:16 AM, Gabe Alford wrote:
>>>
>>> Hello,
>>>
>>> Fix for https://fedorahosted.org/freeipa/ticket/3809
>>>
>>> Thanks,
>>>
>>> Gabe
>>>
>>>
>> I'm getting certificate on server without extra '\n' at the end.
>>
>> So certificate files are not the same.
>>
>>
>> I assume you did a diff of the server /etc/ipa/ca.crt and the client
>> /etc/ipa/ca.crt, right? Did you set up a server and then connect a
>> client (just wonder what your steps were so that I can also reproduce)?
>
> Yes. I did that.
>
> I will retest it today.
>
Retested and ca.crt on client has extra '\n' at the end.
>>
>> --
>> Martin Basti
>>
>
> --
> Martin Basti
>

--
Martin Basti

From lkrispen at redhat.com Wed Jul 1 10:05:59 2015
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Wed, 01 Jul 2015 12:05:59 +0200
Subject: [Freeipa-devel] [PATCH 0018] allow deletion of segment, if not both nodes are managed
Message-ID: <5593BB87.5070407@redhat.com>

This fix allows the removal of segments where not both endpoints of the segment are managed.

These segments can exist after deliberately disconnecting a topology by removal of a central node. A fix to automatically remove dangling segments is in process, but it cannot handle all situations, especially if the removed server is no longer working and the topology is already broken before the removal. In these cases a manual cleanup must be possible and is addressed in this patch.

Ludwig

Attachment: freeipa-lkrispen-0018-allow-deletion-of-segment-if-endpoint-is-not-managed.patch (text/x-patch, 3074 bytes)

From tbordaz at redhat.com Wed Jul 1 10:11:13 2015
From: tbordaz at redhat.com (thierry bordaz)
Date: Wed, 01 Jul 2015 12:11:13 +0200
Subject: [Freeipa-devel] [PATCH 0017] dirsrv crash on segment add if suffix does not exist
In-Reply-To: <5592AC99.10803@redhat.com>
References: <55926A72.9040205@redhat.com> <55929B9F.2060905@redhat.com> <5592AC99.10803@redhat.com>
Message-ID: <5593BCC1.4000101@redhat.com>

On 06/30/2015 04:50 PM, Ludwig Krispenz wrote:
> new patch attached
>
> On 06/30/2015 03:37 PM, thierry bordaz wrote:
>> On 06/30/2015 12:07 PM, Ludwig Krispenz wrote:
>>> added verification for issue reported in ticket 5088 and sanity
>>> checks requested in review for patch 0014
>>>
>>>
>> Hello,
>>
>> The fix looks good except those sanity settings:
>>
>> * In ipa_topo_post_del, tsegm needs to be NULL initialized
>> * In ipa_topo_check_segment_is_valid or ipa_topo_pre_add, I think
>> *errtxt should be initialized to NULL
>>
>> thanks
>> thierry
>>

ACK

thanks
thierry

From tbabej at redhat.com Wed Jul 1 10:21:01 2015
From: tbabej at redhat.com (Tomas Babej)
Date: Wed, 01 Jul 2015 12:21:01 +0200
Subject: [Freeipa-devel] [PATCH] 1114 don't rely on positional arguments in pykerberos calls
In-Reply-To: <55927F5E.4020103@redhat.com>
References: <558D763B.2020102@redhat.com> <55927F5E.4020103@redhat.com>
Message-ID: <5593BF0D.3090609@redhat.com>

On 06/30/2015 01:37 PM, Tomas Babej wrote:
>
>
> On 06/26/2015 05:56 PM, Rob Crittenden wrote:
>> I'm working on rebasing python-kerberos (PyKerberos) in rawhide and when
>> upstream accepted our patch which added the ability to pass in flags to
>> authGSSClientInit() they changed the ordering such that the IPA call
>> will fail as it relies on positional arguments.
>>
>> The fix is simple enough: use named arguments.
>>
>> Still working on the rebase but this patch is obvious.
>>
>> Target would be master branch only. I have no plans on updating
>> python-kerberos in F22.
>>
>> rob
>>
>>
>
> ACK
>

Pushed to master: 57429c1cfa73dbcb45f705dd1723c822be4b6617

From tbabej at redhat.com Wed Jul 1 10:27:26 2015
From: tbabej at redhat.com (Tomas Babej)
Date: Wed, 01 Jul 2015 12:27:26 +0200
Subject: [Freeipa-devel] [PATCH 0046] DNSSEC: Store time & date key metadata in UTC
In-Reply-To: <5593A6C9.7010701@redhat.com>
References: <55928D34.4020703@redhat.com> <5593A6C9.7010701@redhat.com>
Message-ID: <5593C08E.8090107@redhat.com>

On 07/01/2015 10:37 AM, Martin Basti wrote:
> On 30/06/15 14:36, Petr Spacek wrote:
>> Hello,
>>
>> DNSSEC: Store time & date key metadata in UTC.
>>
>> OpenDNSSEC stores key metadata in local time zone but BIND needs
>> timestamps in UTC. UTC will be stored in LDAP.
>>
>> https://fedorahosted.org/freeipa/ticket/4657
>>
> ACK
>

Pushed to:
master: fe6819eb9d7d9f84616daadb5f07072a3dfa02b1
ipa-4-1: 840bf5f41a532252db329cbdab0baf544f2448b2

From tbabej at redhat.com Wed Jul 1 10:28:48 2015
From: tbabej at redhat.com (Tomas Babej)
Date: Wed, 01 Jul 2015 12:28:48 +0200
Subject: [Freeipa-devel] [PATCH] 0020..0022 pki-related upgrade fixes
In-Reply-To: <5593A98B.6080804@redhat.com>
References: <20150619072838.GR29330@dhcp-40-8.bne.redhat.com> <558BC875.1040002@redhat.com> <20150629140313.GH6584@dhcp-40-8.bne.redhat.com> <55916A9B.20105@redhat.com> <20150630160232.GQ6584@dhcp-40-8.bne.redhat.com> <5593A98B.6080804@redhat.com>
Message-ID: <5593C0E0.9040800@redhat.com>

On 07/01/2015 10:49 AM, Martin Basti wrote:
> On 30/06/15 18:02, Fraser Tweedale wrote:
>> On Mon, Jun 29, 2015 at 05:56:11PM +0200, Martin Basti wrote:
>>> On 29/06/15 16:03, Fraser Tweedale wrote:
>>>> On Thu, Jun 25, 2015 at 11:23:01AM +0200, Martin Basti wrote:
>>>>> On 19/06/15 09:28, Fraser Tweedale wrote:
>>>>>> The attached patches fix upgrade issues when pki is also updated
>>>>>> from pre 10.2.4.
>>>>>> pki dependency is bumped to 10.2.5 - the official builds should be
>>>>>> done Friday (US time) but it is available from my copr[1]. If
>>>>>> someone wants to add to official freeipa COPR in meantime the SRPM
>>>>>> is here[2].
>>>>>>
>>>>>> [1] https://copr.fedoraproject.org/coprs/ftweedal/freeipa/
>>>>>> [2] https://ftweedal.fedorapeople.org/pki-core-10.2.5-0.2.fc21.src.rpm
>>>>>>
>>>>>> Thanks,
>>>>>> Fraser
>>>>>>
>>>>>>
>>>>> Thank you.
>>>>>
>>>>> 1)
>>>>> I cannot apply patches.
>>>>>
>>>> Rebased patches attached.
>>>>
>>>>> 2)
>>>>> IMO patch 0020 was fixed with my patch 266
>>>>>
>>>> It seems we are hitting another case of LDAP disconnection during
>>>> upgrade; without 0020 the upgrade fails. There might be a better
>>>> way so let me know if you have ideas.
>>>>
>>>>> 3)
>>>>> This print should not be there
>>>>> +
>>>>> + print cs_cfg
>>>>> + for profile_id in profile_ids:
>>>>>
>>>> Thanks; removed.
>>>>
>>>>> 4)
>>>>> This is unused variable, it is defined later
>>>>> + cs_cfg = None
>>>>>
>>>> Thanks; removed.
>>>> >>>>> 5) >>>>> Can you add there log.error or log.debug instead of pass please? >>>>> + # enable the profile >>>>> + try: >>>>> + profile_api.enable_profile(profile_id) >>>>> + except errors.RemoteRetrieveError: >>>>> + pass >>>>> >>>> You've got it. Also did this a few lines up where the profile is >>>> disabled. >>>> >>>>> I will test it later. >>>>> >>>>> -- >>>>> Martin Basti >>>>> >>>> Thank you, >>>> Fraser >>> PATCH 0020 - NACK see my patch 269, it fixes root cause. (IMO with >>> reworked >>> patch 21 it is not needed) >>> >>> PATCH 0021 - NACK, it runs whole upgrade machinery again. Patch how >>> to fix >>> it is attached. Sorry I didn't notice it last time. >>> >>> PATCH 0022 - LGTM >>> >>> >>> -- >>> Martin Basti >>> >> Thank you very much! >> >> Your patch to my patch works perfectly. I squashed it into 0021. >> Patch 0020 rescinded. Rebased patches attached. >> >> Cheers, >> Fraser > Thank you, ACK for both patches. > Pushed to master: 3827137b32756f5b23092adb573c5e254b007c14 From tbabej at redhat.com Wed Jul 1 10:29:49 2015 
From: tbabej at redhat.com (Tomas Babej)
Date: Wed, 01 Jul 2015 12:29:49 +0200
Subject: [Freeipa-devel] [PATCH 0017] dirsrv crash on segment add if suffix does not exist
In-Reply-To: <5593BCC1.4000101@redhat.com>
References: <55926A72.9040205@redhat.com> <55929B9F.2060905@redhat.com> <5592AC99.10803@redhat.com> <5593BCC1.4000101@redhat.com>
Message-ID: <5593C11D.1080005@redhat.com>

On 07/01/2015 12:11 PM, thierry bordaz wrote:
> On 06/30/2015 04:50 PM, Ludwig Krispenz wrote:
>> new patch attached
>>
>> On 06/30/2015 03:37 PM, thierry bordaz wrote:
>>> On 06/30/2015 12:07 PM, Ludwig Krispenz wrote:
>>>> added verification for issue reported in ticket 5088 and sanity
>>>> checks requested in review for patch 0014
>>>>
>>> Hello,
>>>
>>> The fix looks good except those sanity settings:
>>>
>>> * In ipa_topo_post_del, tsegm needs to be NULL initialized
>>> * In ipa_topo_check_segment_is_valid or ipa_topo_pre_add, I think
>>> *errtxt should be initialized to NULL
>>>
>>> thanks
>>> thierry
>>>
> ACK
>
> thanks
> thierry
>
Pushed to master: 5b76df4e7335c723f3fb14ef809e4d71e53509c9

From tbabej at redhat.com Wed Jul 1 10:32:56 2015
From: tbabej at redhat.com (Tomas Babej)
Date: Wed, 01 Jul 2015 12:32:56 +0200
Subject: [Freeipa-devel] [PATCHES 326-328] ID Views improvements
In-Reply-To: <5566F52D.5030008@redhat.com>
References: <5566F52D.5030008@redhat.com>
Message-ID: <5593C1D8.4040607@redhat.com>

On 05/28/2015 12:59 PM, Tomas Babej wrote:
> Hi,
>
> this couple of patches improves ID Views and ID overrides handling. See
> commit messages for details.
>
> Tomas
>
Bump. Can this sad, forgotten patch set get a review?

From mbasti at redhat.com Wed Jul 1 10:35:14 2015
From: mbasti at redhat.com (Martin Basti) Date: Wed, 1 Jul 2015 12:35:14 +0200 Subject: [Freeipa-devel] [PATCHES 0252-0253, 268, 50 - 51] DNSSEC: allow to move DNSSEC key master to another IPA server In-Reply-To: <5592F78C.3060406@redhat.com> References: <555CAFAC.2050803@redhat.com> <55717FD9.6010002@redhat.com> <5580275F.1000106@redhat.com> <5581596D.9080209@redhat.com> <55815BF8.50202@redhat.com> <558BEA12.8060601@redhat.com> <55914517.7090404@redhat.com> <55925275.7020708@redhat.com> <5592A1DF.4060601@redhat.com> <5592F78C.3060406@redhat.com> Message-ID: <5593C262.6040906@redhat.com> On 30/06/15 22:09, Petr Spacek wrote: > On 30.6.2015 16:04, Martin Basti wrote: >> On 30/06/15 10:25, Martin Basti wrote: >>> On 29/06/15 15:16, Martin Basti wrote: >>>> On 25/06/15 13:46, Petr Spacek wrote: >>>>> On 17.6.2015 13:37, Martin Basti wrote: >>>>>> On 17/06/15 13:26, Petr Spacek wrote: >>>>>>> On 16.6.2015 15:40, Martin Basti wrote: >>>>>>>> On 05/06/15 12:54, Petr Spacek wrote: >>>>>>>>> On 20.5.2015 18:00, Martin Basti wrote: >>>>>>>>>> This patch allows to disable DNSSEC key master on IPA server, or replace >>>>>>>>>> current DNSSEC key master with another IPA server. >>>>>>>>>> >>>>>>>>>> Only for master branch. >>>>>>>>>> >>>>>>>>>> https://fedorahosted.org/freeipa/ticket/4657 >>>>>>>>>> >>>>>>>>>> Patches attached. >>>>>>>>> NACK. This happens on DNSSEC key master: >>>>>>>>> $ ipa-dns-install --disable-dnssec-master >>>>>>>>> >>>>>>>>> Do you want to disable current DNSSEC key master? 
[no]: yes >>>>>>>>> Unexpected error - see /var/log/ipaserver-install.log for details: >>>>>>>>> TypeError: sequence item 0: expected string, DNSName found >>>>>>>>> 2015-06-05T10:52:35Z DEBUG File >>>>>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", >>>>>>>>> line >>>>>>>>> 733, in run_script >>>>>>>>> return_value = main_function() >>>>>>>>> >>>>>>>>> File "/sbin/ipa-dns-install", line 128, in main >>>>>>>>> dns_installer.disable_dnssec_master(options.unattended) >>>>>>>>> >>>>>>>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/dns.py", >>>>>>>>> line >>>>>>>>> 112, >>>>>>>>> in disable_dnssec_master >>>>>>>>> ", ".join(dnssec_zones)) >>>>>>>>> >>>>>>>>> 2015-06-05T10:52:35Z DEBUG The ipa-dns-install command failed, exception: >>>>>>>>> TypeError: sequence item 0: expected string, DNSName found >>>>>>>>> >>>>>>>> Updated patches attached. >>>>>>>> >>>>>>>> Due new installers, more changes were required. >>>>>>> Sorry, NACK, I'm not able to apply this patch set to current master >>>>>>> (69607250b9762a6c9b657dd31653b03d54a7b411). >>>>>>> >>>>>> Rebased patches attached. >>>>> NACK. >>>>> >>>>> >>>>> 0) ipa-dns-install --replace-dnssec-master always puts file into >>>>> /root/ipa-kasp.db. >>>>> >>>>> It would be better to put it into local working directory or /var/lib/ipa (as >>>>> with replica files). 
>>>>> >>>>> >>>>> 1) I installed DNSSEC key master role on the vm-134 but DNSSEC services were >>>>> not stopped by ipactl stop: >>>>> >>>>> [root at vm-134 review]# ipactl stop >>>>> Stopping ipa-otpd Service >>>>> Stopping httpd Service >>>>> Stopping ipa_memcached Service >>>>> Stopping kadmin Service >>>>> Stopping krb5kdc Service >>>>> Stopping Directory Service >>>>> ipa: INFO: The ipactl command was successful >>>>> >>>>> [root at vm-134 review]# ipactl start >>>>> Starting Directory Service >>>>> Starting krb5kdc Service >>>>> Starting kadmin Service >>>>> Starting named Service >>>>> Starting ipa_memcached Service >>>>> Starting httpd Service >>>>> Starting ipa-otpd Service >>>>> Starting ipa-ods-exporter Service >>>>> Starting ods-enforcerd Service >>>>> Starting ipa-dnskeysyncd Service >>>>> >>>>> Subsequent ipactl stop worked fine, only the first one is affected. >>>>> >>>>> >>>>> 2a) vm-134 was the original master. I ran this: >>>>> >>>>> [root at vm-134 review]# ipa-dns-install >>>>> --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com >>>>> >>>>> ... and then attempted to install master to vm-059: >>>>> [root at vm-059 review]# ipa-dns-install --dnssec-master >>>>> >>>>> This command was accepted despite of missing --kasp-db option and wrong >>>>> replica name. >>>>> >>>>> It should error out and tell the user to run the command with --kasp-db >>>>> option. >>>>> >>>>> Even better, we could get rid of explicit replica name specification in >>>>> --replace-dnssec-master option and allow to run installation with >>>>> --kasp-db on >>>>> any replica as long as the kasp.db file is provided. >>>>> >>>>> >>>>> >>>>> 2b) Attempt to move DNSSEC key master from vm-134 to vm-090 *without* >>>>> specifying --kasp-db option was accepted. >>>>> >>>>> [root at vm-090 review]# ipa-dns-install --dnssec-master >>>>> >>>>> As in case (2a), it should print what user is supposed to do. 
>>>>> >>>>> I propose following text: >>>>> >>>>> Current DNSSEC key master is being >>>>> moved to different server. >>>>> >>>>> You need to copy kasp.db file from >>>>> and >>>>> run following command to complete the transition: >>>>> >>>>> # ipa-dns-install --dnssec-master --kasp-db=/path/to/the/copied/kasp.db >>>>> >>>>> >>>>> >>>>> 3) [root at vm-134 review]# ipa-dns-install >>>>> --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com >>>>> does not remove ISMASTER option from file /etc/sysconfig/ipa-dnskeysyncd . >>>>> >>>>> >>>>> 4) [root at vm-134 review]# ipa-dns-install >>>>> --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com >>>>> >>>>> it is possible to run >>>>> >>>>> [root at vm-134 review]# ipa-dns-install --dnssec-master >>>>> >>>>> again without --kasp-db and it is accepted. >>>>> >>>>> Moreover, in this case ipaConfigString "NEW_DNSSEC_MASTER" is not properly >>>>> removed from >>>>> cn=DNSKeySync,cn=vm-090.abc.idm.lab.eng.brq.redhat.com,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=example. >>>>> >>>>> >>>>> >>>>> >>>>> 5) Sequence of commands >>>>> [root at vm-134 review]# ipa-dns-install >>>>> --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com >>>>> >>>>> [root at vm-090 review]# ipa-replica-manage del >>>>> vm-134.abc.idm.lab.eng.brq.redhat.com >>>>> >>>>> allows me to run >>>>> [root at vm-090 review]# ipa-dns-install --dnssec-master >>>>> >>>>> without --kasp-db option, it does not throw an error, and the information >>>>> that >>>>> some other master existed somewhere is lost. >>>>> >>>>> It would be probably better to replace this and to use some global attribute >>>>> in cn=dns so similar problems do not happen. >>>>> >>>>> >>>>> >>>>> 6) The migration itself seems to work, KASP DB seems to work properly, >>>>> however >>>>> it is necessary to run 'ods-ksmutil zonelist' command *before* all the >>>>> daemons >>>>> on the new master are (re)started. 
>>>>> This needs to be done to re-generate file
>>>>> /etc/opendnssec/zonelist.xml from the new (copied) DB.
>>>>>
>>>>> Here please be careful about file permissions.
>>>>>
>>>>> The command should be run under 'ods' user to avoid permission clobbering.
>>>>>
>>>>> Thank you for your hard work on this!
>>>>>
>>>> New patches attached.
>>>>
>>>> Major part of the code was changed.
>>>>
>>>> Please apply patch 268 first.
>>>>
>>> Updated patches attached.
>>>
>>> I just changed the error log to debug log
>>> ipautil.run(cmd, runas=ods_enforcerd.get_user_name())
>>> - except CalledProcessError as e:
>>> - root_logger.error("%s", e)
>>> + except CalledProcessError:
>>> + root_logger.debug("OpenDNSSEC database has not been updated")
>>>
>>> As this is not error during uninstall.
>>>
>>> --
>>> Martin Basti
>>>
>> Updated patches attached.
> Cond-NACK. Moving master does not work without additional patching. I'm
> attaching fix for this + some polish for messages.
>
> Please review my amendments, it can be pushed if you are okay with my changes.
>
Thank you, it works. I did 2 small changes

1)
In patch 51 I moved the check to parser, and fixed error message to proper option

2)
in patch 50 I switched:
if api.env.host not in dnssec_masters and dnssec_masters:

to
if dnssec_masters and api.env.host not in dnssec_masters:

These patches belong to master branch only.
All patches attached.

--
Martin Basti
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0252.7-DNSSEC-allow-to-disable-replace-DNSSEC-key-master.patch
Type: text/x-patch
Size: 25215 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0253.7-DNSSEC-update-message.patch
Type: text/x-patch
Size: 4256 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0268-Allow-to-run-subprocess-with-suplementary-groups.patch Type: text/x-patch Size: 3182 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pspacek-0050.2-DNSSEC-ipa-dns-install-Detect-existing-master-server.patch Type: text/x-patch Size: 2860 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pspacek-0051.2-DNSSEC-Detect-attempt-to-install-disable-master-at-t.patch Type: text/x-patch Size: 1151 bytes Desc: not available URL: From abokovoy at redhat.com Wed Jul 1 10:46:41 2015 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Wed, 1 Jul 2015 13:46:41 +0300 Subject: [Freeipa-devel] [PATCHES 326-328] ID Views improvements In-Reply-To: <5566F52D.5030008@redhat.com> References: <5566F52D.5030008@redhat.com> Message-ID: <20150701104641.GA13602@redhat.com> On Thu, 28 May 2015, Tomas Babej wrote: >>From 8acc50c10d9886668a0147b46f311f9aa83294bb Mon Sep 17 00:00:00 2001 >From: Tomas Babej >Date: Wed, 27 May 2015 14:31:13 +0200 >Subject: [PATCH] idviews: Set dcerpc detection flag properly > >The availability of dcerpc bindings is being checked on the client >side as well, hence we need to define it properly. > >https://fedorahosted.org/freeipa/ticket/5025 >--- > ipalib/plugins/idviews.py | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > >diff --git a/ipalib/plugins/idviews.py b/ipalib/plugins/idviews.py >index 57f0cce1549edb4e582df225f7831916d96c216b..a7b1e0a78e57fcd2864d258c7968393c359499f2 100644 >--- a/ipalib/plugins/idviews.py >+++ b/ipalib/plugins/idviews.py 
>@@ -30,12 +30,14 @@ from ipalib.util import (normalize_sshpubkey, validate_sshpubkey, > > from ipapython.dn import DN > >+_dcerpc_bindings_installed = False >+ > if api.env.in_server and api.env.context in ['lite', 'server']: > try: > import ipaserver.dcerpc > _dcerpc_bindings_installed = True > except ImportError: >- _dcerpc_bindings_installed = False >+ pass > > __doc__ = _(""" > ID Views >-- >2.1.0 > ACK -- / Alexander Bokovoy From pspacek at redhat.com Wed Jul 1 10:47:55 2015 
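Review bot: the `except ImportError: pass` left in the hunk of ipalib/plugins/idviews.py drops the only place where a missing or broken `ipaserver.dcerpc` import is observed; with `_dcerpc_bindings_installed = False` now set unconditionally at module level, the except clause exists purely to swallow the error, so a debug-level log of the ImportError there would keep the server-side failure diagnosable at no cost to the client-side fix (on the client the `if api.env.in_server ...` block never runs, and the new module-level default is what prevents the undefined name the commit message describes).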
From: pspacek at redhat.com (Petr Spacek) Date: Wed, 01 Jul 2015 12:47:55 +0200 Subject: [Freeipa-devel] [PATCHES 0252-0253, 268, 50 - 51] DNSSEC: allow to move DNSSEC key master to another IPA server In-Reply-To: <5593C262.6040906@redhat.com> References: <555CAFAC.2050803@redhat.com> <55717FD9.6010002@redhat.com> <5580275F.1000106@redhat.com> <5581596D.9080209@redhat.com> <55815BF8.50202@redhat.com> <558BEA12.8060601@redhat.com> <55914517.7090404@redhat.com> <55925275.7020708@redhat.com> <5592A1DF.4060601@redhat.com> <5592F78C.3060406@redhat.com> <5593C262.6040906@redhat.com> Message-ID: <5593C55B.4090500@redhat.com> On 1.7.2015 12:35, Martin Basti wrote: > On 30/06/15 22:09, Petr Spacek wrote: >> On 30.6.2015 16:04, Martin Basti wrote: >>> On 30/06/15 10:25, Martin Basti wrote: >>>> On 29/06/15 15:16, Martin Basti wrote: >>>>> On 25/06/15 13:46, Petr Spacek wrote: >>>>>> On 17.6.2015 13:37, Martin Basti wrote: >>>>>>> On 17/06/15 13:26, Petr Spacek wrote: >>>>>>>> On 16.6.2015 15:40, Martin Basti wrote: >>>>>>>>> On 05/06/15 12:54, Petr Spacek wrote: >>>>>>>>>> On 20.5.2015 18:00, Martin Basti wrote: >>>>>>>>>>> This patch allows to disable DNSSEC key master on IPA server, or >>>>>>>>>>> replace >>>>>>>>>>> current DNSSEC key master with another IPA server. >>>>>>>>>>> >>>>>>>>>>> Only for master branch. >>>>>>>>>>> >>>>>>>>>>> https://fedorahosted.org/freeipa/ticket/4657 >>>>>>>>>>> >>>>>>>>>>> Patches attached. >>>>>>>>>> NACK. This happens on DNSSEC key master: >>>>>>>>>> $ ipa-dns-install --disable-dnssec-master >>>>>>>>>> >>>>>>>>>> Do you want to disable current DNSSEC key master? 
[no]: yes >>>>>>>>>> Unexpected error - see /var/log/ipaserver-install.log for details: >>>>>>>>>> TypeError: sequence item 0: expected string, DNSName found >>>>>>>>>> 2015-06-05T10:52:35Z DEBUG File >>>>>>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", >>>>>>>>>> line >>>>>>>>>> 733, in run_script >>>>>>>>>> return_value = main_function() >>>>>>>>>> >>>>>>>>>> File "/sbin/ipa-dns-install", line 128, in main >>>>>>>>>> dns_installer.disable_dnssec_master(options.unattended) >>>>>>>>>> >>>>>>>>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/dns.py", >>>>>>>>>> line >>>>>>>>>> 112, >>>>>>>>>> in disable_dnssec_master >>>>>>>>>> ", ".join(dnssec_zones)) >>>>>>>>>> >>>>>>>>>> 2015-06-05T10:52:35Z DEBUG The ipa-dns-install command failed, >>>>>>>>>> exception: >>>>>>>>>> TypeError: sequence item 0: expected string, DNSName found >>>>>>>>>> >>>>>>>>> Updated patches attached. >>>>>>>>> >>>>>>>>> Due new installers, more changes were required. >>>>>>>> Sorry, NACK, I'm not able to apply this patch set to current master >>>>>>>> (69607250b9762a6c9b657dd31653b03d54a7b411). >>>>>>>> >>>>>>> Rebased patches attached. >>>>>> NACK. >>>>>> >>>>>> >>>>>> 0) ipa-dns-install --replace-dnssec-master always puts file into >>>>>> /root/ipa-kasp.db. >>>>>> >>>>>> It would be better to put it into local working directory or >>>>>> /var/lib/ipa (as >>>>>> with replica files). 
>>>>>> >>>>>> >>>>>> 1) I installed DNSSEC key master role on the vm-134 but DNSSEC services >>>>>> were >>>>>> not stopped by ipactl stop: >>>>>> >>>>>> [root at vm-134 review]# ipactl stop >>>>>> Stopping ipa-otpd Service >>>>>> Stopping httpd Service >>>>>> Stopping ipa_memcached Service >>>>>> Stopping kadmin Service >>>>>> Stopping krb5kdc Service >>>>>> Stopping Directory Service >>>>>> ipa: INFO: The ipactl command was successful >>>>>> >>>>>> [root at vm-134 review]# ipactl start >>>>>> Starting Directory Service >>>>>> Starting krb5kdc Service >>>>>> Starting kadmin Service >>>>>> Starting named Service >>>>>> Starting ipa_memcached Service >>>>>> Starting httpd Service >>>>>> Starting ipa-otpd Service >>>>>> Starting ipa-ods-exporter Service >>>>>> Starting ods-enforcerd Service >>>>>> Starting ipa-dnskeysyncd Service >>>>>> >>>>>> Subsequent ipactl stop worked fine, only the first one is affected. >>>>>> >>>>>> >>>>>> 2a) vm-134 was the original master. I ran this: >>>>>> >>>>>> [root at vm-134 review]# ipa-dns-install >>>>>> --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com >>>>>> >>>>>> ... and then attempted to install master to vm-059: >>>>>> [root at vm-059 review]# ipa-dns-install --dnssec-master >>>>>> >>>>>> This command was accepted despite of missing --kasp-db option and wrong >>>>>> replica name. >>>>>> >>>>>> It should error out and tell the user to run the command with --kasp-db >>>>>> option. >>>>>> >>>>>> Even better, we could get rid of explicit replica name specification in >>>>>> --replace-dnssec-master option and allow to run installation with >>>>>> --kasp-db on >>>>>> any replica as long as the kasp.db file is provided. >>>>>> >>>>>> >>>>>> >>>>>> 2b) Attempt to move DNSSEC key master from vm-134 to vm-090 *without* >>>>>> specifying --kasp-db option was accepted. >>>>>> >>>>>> [root at vm-090 review]# ipa-dns-install --dnssec-master >>>>>> >>>>>> As in case (2a), it should print what user is supposed to do. 
>>>>>> >>>>>> I propose following text: >>>>>> >>>>>> Current DNSSEC key master is being >>>>>> moved to different server. >>>>>> >>>>>> You need to copy kasp.db file from >>>>>> and >>>>>> run following command to complete the transition: >>>>>> >>>>>> # ipa-dns-install --dnssec-master --kasp-db=/path/to/the/copied/kasp.db >>>>>> >>>>>> >>>>>> >>>>>> 3) [root at vm-134 review]# ipa-dns-install >>>>>> --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com >>>>>> does not remove ISMASTER option from file /etc/sysconfig/ipa-dnskeysyncd . >>>>>> >>>>>> >>>>>> 4) [root at vm-134 review]# ipa-dns-install >>>>>> --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com >>>>>> >>>>>> it is possible to run >>>>>> >>>>>> [root at vm-134 review]# ipa-dns-install --dnssec-master >>>>>> >>>>>> again without --kasp-db and it is accepted. >>>>>> >>>>>> Moreover, in this case ipaConfigString "NEW_DNSSEC_MASTER" is not properly >>>>>> removed from >>>>>> cn=DNSKeySync,cn=vm-090.abc.idm.lab.eng.brq.redhat.com,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=example. >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> 5) Sequence of commands >>>>>> [root at vm-134 review]# ipa-dns-install >>>>>> --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com >>>>>> >>>>>> [root at vm-090 review]# ipa-replica-manage del >>>>>> vm-134.abc.idm.lab.eng.brq.redhat.com >>>>>> >>>>>> allows me to run >>>>>> [root at vm-090 review]# ipa-dns-install --dnssec-master >>>>>> >>>>>> without --kasp-db option, it does not throw an error, and the information >>>>>> that >>>>>> some other master existed somewhere is lost. >>>>>> >>>>>> It would be probably better to replace this and to use some global >>>>>> attribute >>>>>> in cn=dns so similar problems do not happen. >>>>>> >>>>>> >>>>>> >>>>>> 6) The migration itself seems to work, KASP DB seems to work properly, >>>>>> however >>>>>> it is necessary to run 'ods-ksmutil zonelist' command *before* all the >>>>>> daemons >>>>>> on the new master are (re)started. 
>>>>>> This needs to be done to re-generate file
>>>>>> /etc/opendnssec/zonelist.xml from the new (copied) DB.
>>>>>>
>>>>>> Here please be careful about file permissions.
>>>>>>
>>>>>> The command should be run under 'ods' user to avoid permission clobbering.
>>>>>>
>>>>>> Thank you for your hard work on this!
>>>>>>
>>>>> New patches attached.
>>>>>
>>>>> Major part of the code was changed.
>>>>>
>>>>> Please apply patch 268 first.
>>>>>
>>>> Updated patches attached.
>>>>
>>>> I just changed the error log to debug log
>>>> ipautil.run(cmd, runas=ods_enforcerd.get_user_name())
>>>> - except CalledProcessError as e:
>>>> - root_logger.error("%s", e)
>>>> + except CalledProcessError:
>>>> + root_logger.debug("OpenDNSSEC database has not been updated")
>>>>
>>>> As this is not error during uninstall.
>>>>
>>>> --
>>>> Martin Basti
>>>>
>>> Updated patches attached.
>> Cond-NACK. Moving master does not work without additional patching. I'm
>> attaching fix for this + some polish for messages.
>>
>> Please review my amendments, it can be pushed if you are okay with my changes.
>>
> Thank you, it works. I did 2 small changes
>
> 1)
> In patch 51 I moved the check to parser, and fixed error message to proper option
>
> 2)
> in patch 50 I switched:
> if api.env.host not in dnssec_masters and dnssec_masters:
>
> to
> if dnssec_masters and api.env.host not in dnssec_masters:
>
> These patches belong to master branch only.
> All patches attached.

Seems reasonable, ACK.

--
Petr^2 Spacek

From abokovoy at redhat.com Wed Jul 1 10:49:12 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 1 Jul 2015 13:49:12 +0300
Subject: [Freeipa-devel] [PATCHES 326-328] ID Views improvements
In-Reply-To: <5566F52D.5030008@redhat.com>
References: <5566F52D.5030008@redhat.com>
Message-ID: <20150701104911.GB13602@redhat.com>

On Thu, 28 May 2015, Tomas Babej wrote:
>From 41f158cd2b18ee7007e5b1d9ee2e1e02e37512c5 Mon Sep 17 00:00:00 2001
>From: Tomas Babej
>Date: Wed, 27 May 2015 15:06:15 +0200
>Subject: [PATCH] idviews: Allow users specify the raw anchor directly as
> identifier
>
>For various reasons, it can happen that the users or groups that
>have overrides defined in a given ID view are no longer resolvable.
>
>Since user and group names are used to specify the ID override objects
>too by leveraging the respective user's or group's ipaUniqueID,
>we need to provide a fallback in case these user or group entries
>no longer exist.
>
>https://fedorahosted.org/freeipa/ticket/5026

ACK

--
/ Alexander Bokovoy

From abokovoy at redhat.com Wed Jul 1 10:50:35 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 1 Jul 2015 13:50:35 +0300
Subject: [Freeipa-devel] [PATCHES 326-328] ID Views improvements
In-Reply-To: <5566F52D.5030008@redhat.com>
References: <5566F52D.5030008@redhat.com>
Message-ID: <20150701105035.GC13602@redhat.com>

On Thu, 28 May 2015, Tomas Babej wrote:
>From c4ad3ba829ab2816c6ddb64da8d5c6ceb8789340 Mon Sep 17 00:00:00 2001
>From: Tomas Babej
>Date: Wed, 27 May 2015 16:30:48 +0200
>Subject: [PATCH] idviews: Remove ID overrides for permanently removed users
> and groups
>
>For IPA users and groups we are able to trigger a removal of
>any relevant ID overrides in user-del and group-del commands.
>
>https://fedorahosted.org/freeipa/ticket/5026

ACK.

--
/ Alexander Bokovoy

From mbabinsk at redhat.com Wed Jul 1 11:17:12 2015
From: mbabinsk at redhat.com (Martin Babinsky) Date: Wed, 1 Jul 2015 13:17:12 +0200 Subject: [Freeipa-devel] [PATCHES 448-460] Allow multiple API instances (take 2) In-Reply-To: <5593971F.7050105@redhat.com> References: <558ACAEE.3060503@redhat.com> <55927162.6090600@redhat.com> <5593971F.7050105@redhat.com> Message-ID: <5593CC38.40409@redhat.com> On 07/01/2015 09:30 AM, Jan Cholasta wrote: > Dne 30.6.2015 v 12:37 Martin Babinsky napsal(a): >> On 06/24/2015 05:21 PM, Jan Cholasta wrote: >>> Hi, >>> >>> the attached patches fix >>> and . >>> >>> Honza >>> >>> >>> >> >> Hi Honza, >> >> everything seems to work except `ipa-replica-prepare` which raises the >> following exception: http://fpaste.org/237625/43558123/ >> >> `git bisect` marks PATCH 453 as guilty. >> > > See new patch 461 for a fix. > > Rebased patches attached. > Rebased patch 253 can't be applied, see http://fpaste.org/238377/57489761/ But the original version works even with the rest of rebased patches. This is the diff between them: """ diff freeipa-jcholast-453.1-plugable-Pass-API-to-plugins-on-initialization-rathe.patch freeipa-jcholast-453-plugable-Pass-API-to-plugins-on-initialization-rathe.patch 1c1 < From a3d2332b4d0a8348da6be804f446bfda3fc2972e Mon Sep 17 00:00:00 2001 --- > From 55b1eff76dd5bfd720f8fbef77894fb6fd342b47 Mon Sep 17 00:00:00 2001 4c4 < Subject: [PATCH 06/14] plugable: Pass API to plugins on initialization rather --- > Subject: [PATCH 06/13] plugable: Pass API to plugins on initialization rather 227d226 < """ -- Martin^3 Babinsky From tbabej at redhat.com Wed Jul 1 11:30:27 2015 From: tbabej at redhat.com (Tomas Babej) Date: Wed, 01 Jul 2015 13:30:27 +0200 Subject: [Freeipa-devel] [PATCHES 326-328] ID Views improvements In-Reply-To: <20150701105035.GC13602@redhat.com> References: <5566F52D.5030008@redhat.com> <20150701105035.GC13602@redhat.com> Message-ID: <5593CF53.1090701@redhat.com> On 07/01/2015 12:50 PM, Alexander Bokovoy wrote: > On Thu, 28 May 2015, Tomas Babej wrote: 
>>> From c4ad3ba829ab2816c6ddb64da8d5c6ceb8789340 Mon Sep 17 00:00:00 2001 >> From: Tomas Babej >> Date: Wed, 27 May 2015 16:30:48 +0200 >> Subject: [PATCH] idviews: Remove ID overrides for permanently removed >> users >> and groups >> >> For IPA users and groups we are able to trigger a removal of >> any relevant ID overrides in user-del and group-del commands. >> >> https://fedorahosted.org/freeipa/ticket/5026 > ACK. > Pushed to master, ipa-4-1. Patch 328 required a slight rebase. From pspacek at redhat.com Wed Jul 1 12:12:45 2015 From: pspacek at redhat.com (Petr Spacek) Date: Wed, 01 Jul 2015 14:12:45 +0200 Subject: [Freeipa-devel] [PATCH 0052] Create server-dns sub-package Message-ID: <5593D93D.7090000@redhat.com> Hello, Create server-dns sub-package. This allows us to automatically pull in package bind-pkcs11 and thus create upgrade path for on CentOS 7.1 -> 7.2. IPA previously had no requires on BIND packages and these had to be installed manually before first ipa-dns-install run. We need to pull additional bind-pkcs11 package during RPM upgrade so ipa-dns-install cannot help with this. https://fedorahosted.org/freeipa/ticket/4058 -- Petr^2 Spacek -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pspacek-0052-Create-server-dns-sub-package.patch Type: text/x-patch Size: 6389 bytes Desc: not available URL: From mbasti at redhat.com Wed Jul 1 12:13:51 2015 
From: mbasti at redhat.com (Martin Basti) Date: Wed, 1 Jul 2015 14:13:51 +0200 Subject: [Freeipa-devel] [PATCH 0273] KRA install: check if replica file contains all required certificates Message-ID: <5593D97F.1060705@redhat.com> Fixes: https://fedorahosted.org/freeipa/ticket/5059 Patch attached. -- Martin Basti -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0273-KRA-Install-check-replica-file-if-contains-req.-cert.patch Type: text/x-patch Size: 1888 bytes Desc: not available URL: From mbabinsk at redhat.com Wed Jul 1 12:26:07 2015 From: mbabinsk at redhat.com (Martin Babinsky) Date: Wed, 1 Jul 2015 14:26:07 +0200 Subject: [Freeipa-devel] [PATCHES 448-460] Allow multiple API instances (take 2) In-Reply-To: <5593971F.7050105@redhat.com> References: <558ACAEE.3060503@redhat.com> <55927162.6090600@redhat.com> <5593971F.7050105@redhat.com> Message-ID: <5593DC5F.70507@redhat.com> On 07/01/2015 09:30 AM, Jan Cholasta wrote: > Dne 30.6.2015 v 12:37 Martin Babinsky napsal(a): >> On 06/24/2015 05:21 PM, Jan Cholasta wrote: >>> Hi, >>> >>> the attached patches fix >>> and . >>> >>> Honza >>> >>> >>> >> >> Hi Honza, >> >> everything seems to work except `ipa-replica-prepare` which raises the >> following exception: http://fpaste.org/237625/43558123/ >> >> `git bisect` marks PATCH 453 as guilty. >> > > See new patch 461 for a fix. > > Rebased patches attached. > Had to fix a snippet of code recently introduced by Fraser's patch (see attachment) to make them work. But otherwise everything seems to be OK. ACK -- Martin^3 Babinsky -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-fixed-Fraser-s-LDAP-call.patch Type: text/x-patch Size: 937 bytes Desc: not available URL: From mbabinsk at redhat.com Wed Jul 1 13:05:14 2015 
From: mbabinsk at redhat.com (Martin Babinsky) Date: Wed, 1 Jul 2015 15:05:14 +0200 Subject: [Freeipa-devel] [PATCHES 0042-45] new commands for adding/removing certificates from entries In-Reply-To: <55928F78.6010408@redhat.com> References: <558947C9.9020509@redhat.com> <559103A2.4080706@redhat.com> <55926999.5020301@redhat.com> <5592797F.6030509@redhat.com> <55928F78.6010408@redhat.com> Message-ID: <5593E58A.90801@redhat.com> On 06/30/2015 02:45 PM, Martin Babinsky wrote: > On 06/30/2015 01:11 PM, Martin Babinsky wrote: >> On 06/30/2015 12:04 PM, Jan Cholasta wrote: >>> Dne 29.6.2015 v 10:36 Martin Babinsky napsal(a): >>>> On 06/23/2015 01:49 PM, Martin Babinsky wrote: >>>>> This patchset implements new API commands for manipulating >>>>> user/host/service userCertificate attribute alongside some underlying >>>>> plumbing. >>>>> >>>>> PATCH 0045 is a small test suite that I slapped together since manual >>>>> testing of this stuff is very cumbersome. It requires my PATCH 0040 to >>>>> apply and work which was pushed to master recently >>>>> (commit 74883bbc959058c8bfafd9f63e8fad0e3792ac28). >>>>> >>>>> The work is related to >>>>> http://www.freeipa.org/page/V4/User_Certificates >>>>> and https://fedorahosted.org/freeipa/ticket/4238 >>>>> >>>>> >>>>> >>>> Attaching updated patches. >>>> >>>> Here are some notes for Jan because I did some things differently than >>>> we agreed on during review: >>>> >>>> >>>> 1.) I chose not to rename 'usercertificate' to 'usercertificate;binary' >>>> and back in pre/post callbacks. Despite the fact that the correct >>>> way to >>>> name the certificate attribute is 'usercertificate;binary', I feel that >>>> suddenly renaming it in the new code is asking for trouble. >>> >>> New code is new, there is no renaming, there is naming, and that naming >>> should follow standards, and the standard is userCertificate;binary. >>> >>> (For the record I did not ask for any renaming in *old* host and service >>> code.) 
>>> >> OK I will then use 'usercertificate;binary' and try to not break things. >>>> >>>> I'm all for changing the mapping between CLI options and actual >>>> attribute names but it should be done in a systematic fashion. >>> >>> +1, shall I post a patch? >>> >> That would be great, but I'm not sure if there is time for it. Maybe we >> can create a ticket for tracking? >>>> >>>> 2.) I have kept the `normalize_certs` function. It has the potential to >>>> catch incorrectly formatted/encoded certificates and in a way >>>> circumvents the slightly demented way the framework deals with >>>> supposedly binary data. >>> >>> One sentence above you asked for doing things in systematic fashion. >>> This is exactly what it isn't. A systematic solution would be a new >>> parameter type for certificates. >>> >> Ha I didn't notice that incorrect encoding is caught by validator. >> >> But I think that we still need to catch malformed certificates that can >> not be decoded to DER and AFAIK we don't do that anywhere (failing tests >> when adding a random Base64-encoded string confirm this). >> >> All this probably stems from my confusion about the way IPA framework >> guesses binary data. For example, if I call `api.Command.user_add_cert` >> and fill 'certificate' option with Base64 blob reencoded to Unicode, >> everything works as expected. >> >> However, filling this option with 'str' leads to another round of Base64 >> encoding in the framework, leading to 'userCertificate;binary' which is >> filled by original Base64 blob instead of DER encoded cert. >> >>>> >>>> I have also added two negative test cases which deal with incorrectly >>>> encoded and formatted certificates. >>>> >>> >>> >> >> > Attaching updated patches (actually only 44 is updated, I added the > rename to/from 'usercertificate;binary' to user pre/post callbacks). > > > Another patch update attached (mainly fixing pep8 complaints and reworking certificate validation). 
-- 
Martin^3 Babinsky
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbabinsk-0045.2-test-suite-for-user-host-service-certificate-managem.patch
Type: text/x-patch
Size: 12207 bytes
Desc: not available
URL: 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbabinsk-0044.2-new-commands-to-manage-user-host-service-certificate.patch
Type: text/x-patch
Size: 14654 bytes
Desc: not available
URL: 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbabinsk-0043.2-reworked-certificate-normalization-and-revocation.patch
Type: text/x-patch
Size: 3319 bytes
Desc: not available
URL: 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbabinsk-0042.2-baseldap-add-support-for-API-commands-managing-only-.patch
Type: text/x-patch
Size: 4804 bytes
Desc: not available
URL: 
From jcholast at redhat.com Wed Jul 1 13:06:28 2015
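A worked check for the certificate-input problem discussed in the message above (a Base64 blob versus DER bytes, a random Base64 string that decodes to something that is not a certificate, and a 'str' value that picks up a second round of Base64 encoding on its way to 'userCertificate;binary'). This is an added example written for this page; it is not Martin's `normalize_certs`, not the validator from the patches, and not FreeIPA's own parameter code. The names `normalize_cert`, `looks_like_certificate` and `validation_error` are invented, the sample certificate is a constructed DER skeleton with the three top-level fields of an X.509 Certificate (it is not a real, signed certificate), and the structural check deliberately inspects only the outer ASN.1 shape (SEQUENCE of SEQUENCE, SEQUENCE, BIT STRING). That is enough to reject random Base64 and double-encoded blobs before they are stored, but it is no substitute for a full X.509 parse.

```python
import base64
import binascii
import re

# PEM armour; group 1 is the Base64 body between the markers.
PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)


def _der_len(n):
    """Encode a definite-form DER length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, payload):
    """Wrap payload in a DER TLV with the given tag byte (used to build the sample)."""
    return bytes([tag]) + _der_len(len(payload)) + payload


def _read_tlv(buf, pos):
    """Parse one DER TLV starting at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:  # long form: low 7 bits give the number of length bytes
        nbytes = first & 0x7F
        if nbytes == 0 or pos + nbytes > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("DER length exceeds input")
    return tag, buf[pos:pos + length], pos + length


def looks_like_certificate(data):
    """Structural check only: Certificate ::= SEQUENCE { SEQUENCE, SEQUENCE, BIT STRING }
    spanning the whole input. Fields are not parsed and nothing is verified."""
    try:
        tag, body, end = _read_tlv(data, 0)
        if tag != 0x30 or end != len(data):
            return False
        tags, pos = [], 0
        while pos < len(body):
            t, _, pos = _read_tlv(body, pos)
            tags.append(t)
    except ValueError:
        return False
    return tags == [0x30, 0x30, 0x03]


def normalize_cert(value):
    """Return DER bytes for a certificate given as PEM, bare Base64 text or raw DER.
    Raises ValueError for anything else, including a Base64 blob that was
    Base64-encoded a second time (the 'str' case from the thread)."""
    if isinstance(value, str):
        try:
            value = value.encode("ascii")
        except UnicodeEncodeError:
            raise ValueError("certificate text must be ASCII")
    if looks_like_certificate(value):
        return value  # already DER
    m = PEM_RE.search(value)
    text = b"".join((m.group(1) if m else value).split())  # drop armour/whitespace
    try:
        decoded = base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        raise ValueError("certificate is neither DER nor valid Base64")
    if looks_like_certificate(decoded):
        return decoded
    try:  # double encoding: the decoded blob is itself Base64 of DER
        inner = base64.b64decode(b"".join(decoded.split()), validate=True)
    except (binascii.Error, ValueError):
        inner = None
    if inner is not None and looks_like_certificate(inner):
        raise ValueError("certificate was Base64-encoded twice")
    raise ValueError("decoded data is not an X.509 Certificate structure")


def validation_error(value):
    """Return the rejection reason for value, or None if it normalizes cleanly."""
    try:
        normalize_cert(value)
        return None
    except ValueError as e:
        return str(e)


# Constructed sample: a DER skeleton with the shape of a Certificate.
# It is NOT a real certificate and would fail any X.509 parser.
_OID_SHA256_RSA = der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")
_TBS = der(0x30, der(0x02, b"\x01") + der(0x30, _OID_SHA256_RSA))
_ALG = der(0x30, _OID_SHA256_RSA + der(0x05, b""))
_SIG = der(0x03, b"\x00" + b"\xab" * 8)
SAMPLE_DER = der(0x30, _TBS + _ALG + _SIG)
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode("ascii")
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % SAMPLE_B64
SAMPLE_DOUBLE = base64.b64encode(SAMPLE_B64.encode("ascii")).decode("ascii")
```

The point of the separate double-encoding branch is that a twice-encoded blob is still perfectly valid Base64, so an encoding validator alone passes it; only decoding and checking the result's shape catches it. In a real deployment the structural check would be replaced by a proper X.509 parser, and the normalized DER is what belongs in 'userCertificate;binary'.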
From: jcholast at redhat.com (Jan Cholasta)
Date: Wed, 1 Jul 2015 15:06:28 +0200
Subject: [Freeipa-devel] [PATCHES 448-460] Allow multiple API instances (take 2)
In-Reply-To: <5593DC5F.70507@redhat.com>
References: <558ACAEE.3060503@redhat.com> <55927162.6090600@redhat.com> <5593971F.7050105@redhat.com> <5593DC5F.70507@redhat.com>
Message-ID: <5593E5D4.2030501@redhat.com>

On 1.7.2015 at 14:26, Martin Babinsky wrote:
> On 07/01/2015 09:30 AM, Jan Cholasta wrote:
>> On 30.6.2015 at 12:37, Martin Babinsky wrote:
>>> On 06/24/2015 05:21 PM, Jan Cholasta wrote:
>>>> Hi,
>>>>
>>>> the attached patches fix
>>>> and .
>>>>
>>>> Honza
>>>
>>> Hi Honza,
>>>
>>> everything seems to work except `ipa-replica-prepare` which raises the following exception: http://fpaste.org/237625/43558123/
>>>
>>> `git bisect` marks PATCH 453 as guilty.
>>
>> See new patch 461 for a fix.
>>
>> Rebased patches attached.
>
> Had to fix a snippet of code recently introduced by Fraser's patch (see attachment) to make them work.

Squashed the change into patch 453. I also found 3 more occurrences of the same issue in tests and fixed them. See attachment.

> But otherwise everything seems to be OK.
>
> ACK

Thanks.

Pushed to master: e43296ba9acb20342d2b6d4bb030d06deac39c2a

-- 
Jan Cholasta
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-453.2-plugable-Pass-API-to-plugins-on-initialization-rathe.patch
Type: text/x-patch
Size: 61685 bytes
Desc: not available
URL: 
From jcholast at redhat.com Wed Jul 1 13:13:12 2015
From: jcholast at redhat.com (Jan Cholasta)
Date: Wed, 1 Jul 2015 15:13:12 +0200
Subject: [Freeipa-devel] [PATCH 0052] Create server-dns sub-package
In-Reply-To: <5593D93D.7090000@redhat.com>
References: <5593D93D.7090000@redhat.com>
Message-ID: <5593E768.6030401@redhat.com>

Hi,

On 1.7.2015 at 14:12, Petr Spacek wrote:
> Hello,
>
> Create server-dns sub-package.
>
> This allows us to automatically pull in package bind-pkcs11 and thus create upgrade path on CentOS 7.1 -> 7.2.
>
> IPA previously had no requires on BIND packages and these had to be installed manually before first ipa-dns-install run. We need to pull additional bind-pkcs11 package during RPM upgrade so ipa-dns-install cannot help with this.
>
> https://fedorahosted.org/freeipa/ticket/4058

Can this be done without adding server-core? Because it's not server core, it's the whole thing! Or maybe just rename it to server-common?

To me it seems that the real problem is that IPA should continue to work with plain bind after upgrade, without DNSSEC which is optional anyway, but it does not. Why not fix that instead?

Honza

-- 
Jan Cholasta
From pspacek at redhat.com Wed Jul 1 13:25:49 2015
From: pspacek at redhat.com (Petr Spacek)
Date: Wed, 01 Jul 2015 15:25:49 +0200
Subject: [Freeipa-devel] [PATCH 0052] Create server-dns sub-package
In-Reply-To: <5593E768.6030401@redhat.com>
References: <5593D93D.7090000@redhat.com> <5593E768.6030401@redhat.com>
Message-ID: <5593EA5D.90404@redhat.com>

On 1.7.2015 15:13, Jan Cholasta wrote:
> Hi,
>
> On 1.7.2015 at 14:12, Petr Spacek wrote:
>> Hello,
>>
>> Create server-dns sub-package.
>>
>> This allows us to automatically pull in package bind-pkcs11 and thus create upgrade path on CentOS 7.1 -> 7.2.
>>
>> IPA previously had no requires on BIND packages and these had to be installed manually before first ipa-dns-install run. We need to pull additional bind-pkcs11 package during RPM upgrade so ipa-dns-install cannot help with this.
>>
>> https://fedorahosted.org/freeipa/ticket/4058
>
> Can this be done without adding server-core?

I'm not aware of such method (except of adding all DNS dependencies as Requires straight into freeipa-server package).

> Because it's not server core, it's the whole thing! Or maybe just rename it to server-common?

I'm fine with 'common'. Ticket 4058 calls for sub-package for CA too so my idea was to create 'core' package which will be gradually reduced more and more.

> To me it seems that the real problem is that IPA should continue to work with plain bind after upgrade, without DNSSEC which is optional anyway, but it does not. Why not fix that instead?

Because it is impossible to support and debug. Differences between bind and bind-pkcs11 are quite subtle and I'm not willing to spend my and support's time on debugging subtle bugs in someone's deployment.

We do not need more newspapers to hide our packaging problems, we need to get rid of them.

-- 
Petr^2 Spacek
From mbasti at redhat.com Wed Jul 1 13:32:03 2015
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 1 Jul 2015 15:32:03 +0200
Subject: [Freeipa-devel] [PATCH 0274] DNS: Check if dns package is installed
Message-ID: <5593EBD3.2000902@redhat.com>

https://fedorahosted.org/freeipa/ticket/4058

Requires patch freeipa-pspacek-0052

Patch attached.

-- 
Martin Basti
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0274-DNS-check-if-DNS-package-is-installed.patch
Type: text/x-patch
Size: 7872 bytes
Desc: not available
URL: 
From dkupka at redhat.com Wed Jul 1 14:31:01 2015
From: dkupka at redhat.com (David Kupka)
Date: Wed, 1 Jul 2015 16:31:01 +0200
Subject: [Freeipa-devel] [PATCH 0054] certmonger: Use private unix socket when DBus SystemBus is not available.
Message-ID: <5593F9A5.4080703@redhat.com>

-- 
David Kupka
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-dkupka-0054-cermonger-Use-private-unix-socket-when-DBus-SystemBu.patch
Type: text/x-patch
Size: 10192 bytes
Desc: not available
URL: 
From pspacek at redhat.com Wed Jul 1 14:45:58 2015
From: pspacek at redhat.com (Petr Spacek)
Date: Wed, 01 Jul 2015 16:45:58 +0200
Subject: [Freeipa-devel] [PATCH 0274] DNS: Check if dns package is installed
In-Reply-To: <5593EBD3.2000902@redhat.com>
References: <5593EBD3.2000902@redhat.com>
Message-ID: <5593FD26.8010903@redhat.com>

On 1.7.2015 15:32, Martin Basti wrote:
> https://fedorahosted.org/freeipa/ticket/4058
> Requires patch freeipa-pspacek-0052

ACK

-- 
Petr^2 Spacek
From pvoborni at redhat.com Wed Jul 1 14:51:16 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Wed, 01 Jul 2015 16:51:16 +0200
Subject: [Freeipa-devel] [PATCH] 886-890 webui: API browser
In-Reply-To: <55939859.4040704@redhat.com>
References: <5592C535.8070708@redhat.com> <55939859.4040704@redhat.com>
Message-ID: <5593FE64.40307@redhat.com>

For those of you who don't want to try the patches:
* https://pvoborni.fedorapeople.org/images/api-user-show.png
* https://pvoborni.fedorapeople.org/images/api-user-add.png

On 07/01/2015 09:35 AM, Martin Kosek wrote:
> On 06/30/2015 06:35 PM, Petr Vobornik wrote:
>> First part of API Browser - displaying the metadata in more consumable way.
>>
>> Second part, how to use it in different languages, will be written as wiki pages first.
>>
>> The browser could be later enhanced with more infos and tooltips.
>>
>> Patch 886 extends backend to send more metadata.
>> Patch 887,888,889 are webui fixes and prerequisites
>> Patch 890 is the API browser
>
> Thanks, this is a very good start. I looked at a VM with the patches and have couple usability suggestions:
>
> 1) It was hard for me to find where the API Browser is. But "IPA Server" looks as a good tab where it should be though.

could be moved to "Help" tab when it's introduced. For that we need at least one more link.

> 2) I have strong doubts about the "Objects" tab, this is only understandable to users knowledgeable about FreeIPA framework internals. Common API user who just want to consume the API and not know about the internals will not know what this is.
>
> What I would do is make "API Browser" directly clickable so that it opens the Commands tab. This is what most people will use. Other tabs may be stacked on the left just like with Staged or Deleted users. For now, I would hide Objects as I think it would cause more confusion. If we want to show it, there should be some introduction what it is good for and maybe limitation of showed fields to only those that has any value for the consumers.
fixed, there is only "API Browser" and no submenu

> 3) In Commands tab, we will need some more explanation of what the attributes of Param need and probably hide some. For example "exclude" is not needed for consumers.

Attributes as follows were kept: label, type, default, default_from, values, minlength, maxlength, pattern, minvalue, maxvalue, precision, cli_name, option_group

> 4) Many attributes have "autofill": True. I wonder how usable it is without knowing the actual default for the attribute. Can we show the default?

default_from now contains list of attrs which are used for the default value, e.g.: default value created from: givenname, sn

> 5) I would hide "Output Params" all together given we don't have them set up correctly in FreeIPA framework and they may rather confuse people, with having all the HBAC or SUDO with User objects.

Removed from metadata

> I may think about it more, these were just my couple of first thoughts. Others may have different opinions here.
>
> Martin

Other changes:
* cli options are shown with dashes as in CLI
* required and multivalued were changed into tags next to option name. 'flags' which were shown as the tags are not displayed anymore

updated patches attached.

-- 
Petr Vobornik
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0890-1-webui-API-browser.patch
Type: text/x-patch
Size: 34705 bytes
Desc: not available
URL: 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0889-1-webui-menu-and-navigation-fixes.patch
Type: text/x-patch
Size: 4667 bytes
Desc: not available
URL: 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0888-1-webui-fix-webui-specific-metadata.patch
Type: text/x-patch
Size: 2038 bytes
Desc: not available
URL: 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0887-1-webui-ListViewWidget.patch
Type: text/x-patch
Size: 7146 bytes
Desc: not available
URL: 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0886-1-include-more-information-in-metadata.patch
Type: text/x-patch
Size: 6302 bytes
Desc: not available
URL: 
From tbordaz at redhat.com Wed Jul 1 15:25:18 2015
From: tbordaz at redhat.com (thierry bordaz)
Date: Wed, 01 Jul 2015 17:25:18 +0200
Subject: [Freeipa-devel] [PATCH] 0016 user life cycle: Display the wrong attribute name when mandatory attribute is missing
Message-ID: <5594065E.4020509@redhat.com>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-tbordaz-0016-Display-the-wrong-attribute-name-when-mandatory-attr.patch
Type: text/x-patch
Size: 1102 bytes
Desc: not available
URL: 
From tbabej at redhat.com Wed Jul 1 15:39:40 2015
From: tbabej at redhat.com (Tomas Babej)
Date: Wed, 01 Jul 2015 17:39:40 +0200
Subject: [Freeipa-devel] [PATCH] 0016 user life cycle: Display the wrong attribute name when mandatory attribute is missing
In-Reply-To: <5594065E.4020509@redhat.com>
References: <5594065E.4020509@redhat.com>
Message-ID: <559409BC.4000001@redhat.com>

Hi Thierry,

I think it would be better to use:

    error=_('Entry has no \'%s\'') % attr

or even better, use named substitution:

    error=_('Entry has no \'%(attribute)s\'') % dict(attribute=attr)

This way will generate more readable strings for translators.

Tomas
From mbasti at redhat.com Wed Jul 1 15:53:12 2015
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 1 Jul 2015 17:53:12 +0200
Subject: [Freeipa-devel] [PATCH 0275] DNS commands: do not show traceback if DNS is not installed
Message-ID: <55940CE8.9040907@redhat.com>

https://fedorahosted.org/freeipa/ticket/5017

Patch attached

-- 
Martin Basti
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0275-DNS-Do-not-traceback-if-DNS-is-not-installed.patch
Type: text/x-patch
Size: 2534 bytes
Desc: not available
URL: 
From pvoborni at redhat.com Wed Jul 1 16:32:47 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Wed, 01 Jul 2015 18:32:47 +0200
Subject: [Freeipa-devel] [PATCH] 891 replication: fix regression in get_agreement_type
Message-ID: <5594162F.3070703@redhat.com>

dcb6916a3b0601e33b08e12aeb25357efed6812b introduced a regression where get_agreement_type does not raise NotFound error if an agreement for host does not exist. The exception was swallowed by get_replication_agreement.

-- 
Petr Vobornik
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0891-replication-fix-regression-in-get_agreement_type.patch
Type: text/x-patch
Size: 1154 bytes
Desc: not available
URL: 
From pvoborni at redhat.com Wed Jul 1 16:59:02 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Wed, 01 Jul 2015 18:59:02 +0200
Subject: [Freeipa-devel] [PATCH] 892 webui: add managedby tab to otptoken
Message-ID: <55941C56.9060703@redhat.com>

Added managedby_user tab to manage users who can manage the token.

https://fedorahosted.org/freeipa/ticket/5003

Nathaniel, I could not reproduce the following part of the ticket:

"""
Careful interaction is required here. In the current code, this also creates a bug since all UI created tokens are owned but not managed. When users of these tokens are deleted, their self-created tokens are orphaned rather than deleted. Self-created tokens MUST be both self-owned AND self-managed.
"""

The self-created tokens which I created in Web UI as admin or normal user were in both cases managed by the same user who created them.

-- 
Petr Vobornik
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0892-webui-add-mangedby-tab-to-otptoken.patch
Type: text/x-patch
Size: 968 bytes
Desc: not available
URL: 
From mbabinsk at redhat.com Wed Jul 1 17:32:51 2015
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Wed, 1 Jul 2015 19:32:51 +0200
Subject: [Freeipa-devel] [PATCHES 306-316] Automated migration tool from Winsync
In-Reply-To: <5592BC07.70406@redhat.com>
References: <54FD8369.10803@redhat.com> <54FF0F46.3010109@redhat.com> <55005D3C.5090304@redhat.com> <5540B23A.9060404@redhat.com> <5548B13B.60607@redhat.com> <5549CCE6.3010006@redhat.com> <557FDAE8.4000501@redhat.com> <558001ED.6070206@redhat.com> <5592BC07.70406@redhat.com>
Message-ID: <55942443.3050602@redhat.com>

On 06/30/2015 05:55 PM, Tomas Babej wrote:
> On 06/16/2015 01:01 PM, Jan Cholasta wrote:
>> On 16.6.2015 at 10:14, Martin Babinsky wrote:
>>> On 05/06/2015 10:12 AM, Tomas Babej wrote:
>>>> On 05/05/2015 02:02 PM, Tomas Babej wrote:
>>>>> On 04/29/2015 12:28 PM, Tomas Babej wrote:
>>>>>> On 03/11/2015 04:20 PM, Jan Cholasta wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> On 10.3.2015 at 16:35, Tomas Babej wrote:
>>>>>>>> On 03/09/2015 12:26 PM, Tomas Babej wrote:
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> this couple of patches provides an initial implementation of the winsync migration tool:
>>>>>>>>>
>>>>>>>>> https://fedorahosted.org/freeipa/ticket/4524
>>>>>>>>>
>>>>>>>>> Some parts could use some polishing, but this is a sound foundation.
>>>>>>>>>
>>>>>>>>> Tomas
>>>>>>>>
>>>>>>>> Attaching one more patch to the bundle. This one should make the winsync tool readily available after install.
>>>>>>>>
>>>>>>>> Tomas
>>>>>>>
>>>>>>> Nitpicks:
>>>>>>>
>>>>>>> The winsync_migrate module should be in ipaserver.install. Also I don't see why it has to be a package when there is just one short file in it.
>>>>>>>
>>>>>>> By convention, the AdminTool subclass should be named WinsyncMigrate, or the tool should be named ipa-migrate-winsync.
>>>>>>>
>>>>>>> Honza
>>>>>>
>>>>>> Updated patches attached.
>>>>>>
>>>>>> Tomas
>>>>>
>>>>> Rebased patches with cleaned membership bits.
>>>>>
>>>>> Tomas
>>>>
>>>> I did some self-review, updated patches attached.
>>>
>>> Hi Tomas,
>>>
>>> patches look good and seem to work as expected. I have some comments:
>>>
>>> 1.) When running the tool I get a number of warnings about users not found (https://paste.fedoraproject.org/232251/43884831/), but in the end everything seems to be fine and users are migrated in the external groups just fine. Is this behavior normal?
>
> In that case, yes. What happened here is that SSSD in POSIX trust will not resolve users that do not have POSIX attributes set. Winsync synchronizes all the users, hence the discrepancy.
>
>>> 2.) Since both "--realm" and "--server" options are mandatory, I was thinking if it would be better to use positional arguments, since you always have to specify them. What are your thoughts on this?
>>
>> I would rather stay consistent with ipa-server-install and friends and keep them as options.
>>
>>> 3.) Patches 317-318 seem to just rename/move things and could be squashed in the previous ones. But that is just a minor thing and I leave that to your discretion.
>>>
>>> 4.) After all the renaming and moving around the WinsyncMigrate class (see previous point) there is an unused file "ipaserver/winsync_migrate/__init__.py" left. You should remove it in some patch (e.g. in patch 318 if you decide to keep it).
>
> I removed the file and squashed the change into 318.
>
>> Also please rename the class to "MigrateWinsync", for consistency.
>
> Naming is consistent, the tool is called ipa-winsync-migrate, class is called WinsyncMigrate. This is consistent with other IPA tools.
>
>>> 5.) Option "--log-file" seems to be broken. When specified on CLI the log is created but empty, the program prints out nothing and then exits without doing anything.
>>> However, I suspect that this is AdminTool's problem, not yours.
>
> Yep. Please, file a ticket for this more generic issue.

Will do.

Otherwise ACK.

-- 
Martin^3 Babinsky
From tbabej at redhat.com Wed Jul 1 17:44:39 2015
From: tbabej at redhat.com (Tomas Babej)
Date: Wed, 01 Jul 2015 19:44:39 +0200
Subject: [Freeipa-devel] [PATCH] 891 replication: fix regression in get_agreement_type
In-Reply-To: <5594162F.3070703@redhat.com>
References: <5594162F.3070703@redhat.com>
Message-ID: <55942707.3080201@redhat.com>

On 07/01/2015 06:32 PM, Petr Vobornik wrote:
> dcb6916a3b0601e33b08e12aeb25357efed6812b introduced a regression where get_agreement_type does not raise NotFound error if an agreement for host does not exist. The exception was swallowed by get_replication_agreement.

ACK. Pushed to master: 25a5e38b85f897cc798609217830b626b7880da1
From tbabej at redhat.com Wed Jul 1 18:19:34 2015
From: tbabej at redhat.com (Tomas Babej)
Date: Wed, 01 Jul 2015 20:19:34 +0200
Subject: [Freeipa-devel] [PATCH 0275] DNS commands: do not show traceback if DNS is not installed
In-Reply-To: <55940CE8.9040907@redhat.com>
References: <55940CE8.9040907@redhat.com>
Message-ID: <55942F36.2020609@redhat.com>

On 07/01/2015 05:53 PM, Martin Basti wrote:
> https://fedorahosted.org/freeipa/ticket/5017
>
> Patch attached

Repeated code hurts my eyes, but abstracting it seems like an overkill.

ACK. Pushed to master: 96c23659fcb8adc64dd925556fb40f558fa7e37d
From tbabej at redhat.com Wed Jul 1 18:29:21 2015
From: tbabej at redhat.com (Tomas Babej)
Date: Wed, 01 Jul 2015 20:29:21 +0200
Subject: [Freeipa-devel] [PATCH 0274] DNS: Check if dns package is installed
In-Reply-To: <5593FD26.8010903@redhat.com>
References: <5593EBD3.2000902@redhat.com> <5593FD26.8010903@redhat.com>
Message-ID: <55943181.5060604@redhat.com>

On 07/01/2015 04:45 PM, Petr Spacek wrote:
> On 1.7.2015 15:32, Martin Basti wrote:
>> https://fedorahosted.org/freeipa/ticket/4058
>> Requires patch freeipa-pspacek-0052
>
> ACK

I must admit I don't really like wrapping a constant in the method in the TaskNamespace object.

We're interested in the constant itself - there's no case I can imagine where the name of the freeipa's dns package will be dynamic.

For paths we have BasePathNamespace that contains all the paths, maybe we should introduce something similar for the non-path platform dependent constants?

Tomas
From simo at redhat.com Wed Jul 1 18:34:09 2015
From: simo at redhat.com (Simo Sorce)
Date: Wed, 01 Jul 2015 14:34:09 -0400
Subject: [Freeipa-devel] topology plugin woes
Message-ID: <1435775649.18746.7.camel@willson.usersys.redhat.com>

I am working on the replica promotion code and suddenly the topology plugin is getting in the way.

First thing I noticed is that it converted an agreement into a segment even though my domain level is 0, is this expected? I thought we'd enable the plugin only when level -> 1

By taking over immediately it will break ipa management tools from older servers which know nothing about dealing with segments, they only know about direct removal of replication agreements.

The other problem is that it seems I can't remove the replication agreement even if I removed all references to the (failed) replica I installed. It complains it would cause split brain .. but this is the last replica and I already removed the master's computer object, why is the topology plugin not recognizing the master is no more and not letting me remove the segment?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
From simo at redhat.com Wed Jul 1 18:44:12 2015
From: simo at redhat.com (Simo Sorce)
Date: Wed, 01 Jul 2015 14:44:12 -0400
Subject: [Freeipa-devel] topology plugin woes
In-Reply-To: <1435775649.18746.7.camel@willson.usersys.redhat.com>
References: <1435775649.18746.7.camel@willson.usersys.redhat.com>
Message-ID: <1435776252.18746.9.camel@willson.usersys.redhat.com>

On Wed, 2015-07-01 at 14:34 -0400, Simo Sorce wrote:
> I am working on the replica promotion code and suddenly the topology plugin is getting in the way.
>
> First thing I noticed is that it converted an agreement into a segment even though my domain level is 0, is this expected? I thought we'd enable the plugin only when level -> 1
>
> By taking over immediately it will break ipa management tools from older servers which know nothing about dealing with segments, they only know about direct removal of replication agreements.
>
> The other problem is that it seems I can't remove the replication agreement even if I removed all references to the (failed) replica I installed. It complains it would cause split brain .. but this is the last replica and I already removed the master's computer object, why is the topology plugin not recognizing the master is no more and not letting me remove the segment?

Ugh, I just found the Domain Level is set to 1 ... ok so it is ok the topology is managed, but why can't I remove the segment if the server object is gone?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
From simo at redhat.com Wed Jul 1 18:59:23 2015
From: simo at redhat.com (Simo Sorce)
Date: Wed, 01 Jul 2015 14:59:23 -0400
Subject: [Freeipa-devel] [PATCH 0018] allow deletion of segment, if not both nodes are managed
In-Reply-To: <5593BB87.5070407@redhat.com>
References: <5593BB87.5070407@redhat.com>
Message-ID: <1435777163.18746.14.camel@willson.usersys.redhat.com>

On Wed, 2015-07-01 at 12:05 +0200, Ludwig Krispenz wrote:
> This fix allows the removal of segments, where not both endpoints of the segments are managed.
> These segments can exist after deliberately disconnecting a topology by removal of a central node, a fix to automatically remove dangling segments is in process, but it cannot handle all situations, especially if the removed server is no longer working and the topology is already broken before the removal.
> In these cases a manual cleanup must be possible and is addressed in this patch
>
> Ludwig

Tested and works as expected.

Full ACK.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
From simo at redhat.com Wed Jul 1 19:00:07 2015
From: simo at redhat.com (Simo Sorce)
Date: Wed, 01 Jul 2015 15:00:07 -0400
Subject: [Freeipa-devel] topology plugin woes
In-Reply-To: <1435776252.18746.9.camel@willson.usersys.redhat.com>
References: <1435775649.18746.7.camel@willson.usersys.redhat.com> <1435776252.18746.9.camel@willson.usersys.redhat.com>
Message-ID: <1435777207.18746.15.camel@willson.usersys.redhat.com>

On Wed, 2015-07-01 at 14:44 -0400, Simo Sorce wrote:
> On Wed, 2015-07-01 at 14:34 -0400, Simo Sorce wrote:
>> I am working on the replica promotion code and suddenly the topology plugin is getting in the way.
>>
>> First thing I noticed is that it converted an agreement into a segment even though my domain level is 0, is this expected? I thought we'd enable the plugin only when level -> 1
>>
>> By taking over immediately it will break ipa management tools from older servers which know nothing about dealing with segments, they only know about direct removal of replication agreements.
>>
>> The other problem is that it seems I can't remove the replication agreement even if I removed all references to the (failed) replica I installed. It complains it would cause split brain .. but this is the last replica and I already removed the master's computer object, why is the topology plugin not recognizing the master is no more and not letting me remove the segment?
>
> Ugh, I just found the Domain Level is set to 1 ... ok so it is ok the topology is managed, but why can't I remove the segment if the server object is gone?
>
> Simo.
>
> -- 
> Simo Sorce * Red Hat, Inc * New York

Patch 0018 fully solved this problem, next time I'll dig the uncommitted patches before opening my mouth :-)

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
From simo at redhat.com Wed Jul 1 20:15:34 2015
From: simo at redhat.com (Simo Sorce)
Date: Wed, 01 Jul 2015 16:15:34 -0400
Subject: [Freeipa-devel] topology plugin woes
In-Reply-To: <1435777207.18746.15.camel@willson.usersys.redhat.com>
References: <1435775649.18746.7.camel@willson.usersys.redhat.com> <1435776252.18746.9.camel@willson.usersys.redhat.com> <1435777207.18746.15.camel@willson.usersys.redhat.com>
Message-ID: <1435781734.18746.17.camel@willson.usersys.redhat.com>

On Wed, 2015-07-01 at 15:00 -0400, Simo Sorce wrote:
> On Wed, 2015-07-01 at 14:44 -0400, Simo Sorce wrote:
>> On Wed, 2015-07-01 at 14:34 -0400, Simo Sorce wrote:
>>> I am working on the replica promotion code and suddenly the topology plugin is getting in the way.
>>>
>>> First thing I noticed is that it converted an agreement into a segment even though my domain level is 0, is this expected? I thought we'd enable the plugin only when level -> 1
>>>
>>> By taking over immediately it will break ipa management tools from older servers which know nothing about dealing with segments, they only know about direct removal of replication agreements.
>>>
>>> The other problem is that it seems I can't remove the replication agreement even if I removed all references to the (failed) replica I installed. It complains it would cause split brain .. but this is the last replica and I already removed the master's computer object, why is the topology plugin not recognizing the master is no more and not letting me remove the segment?
>>
>> Ugh, I just found the Domain Level is set to 1 ... ok so it is ok the topology is managed, but why can't I remove the segment if the server object is gone?
>>
>> Simo.
>>
>> -- 
>> Simo Sorce * Red Hat, Inc * New York
>
> Patch 0018 fully solved this problem, next time I'll dig the uncommitted patches before opening my mouth :-)

A followup question though, why is the topology plugin not seeing a new agreement (created by another replica that is being installed) until the server is restarted?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
From pspacek at redhat.com Thu Jul 2 06:50:11 2015
From: pspacek at redhat.com (Petr Spacek)
Date: Thu, 02 Jul 2015 08:50:11 +0200
Subject: [Freeipa-devel] [PATCH 0274] DNS: Check if dns package is installed
In-Reply-To: <55943181.5060604@redhat.com>
References: <5593EBD3.2000902@redhat.com> <5593FD26.8010903@redhat.com> <55943181.5060604@redhat.com>
Message-ID: <5594DF23.8060103@redhat.com>

On 1.7.2015 20:29, Tomas Babej wrote:
> On 07/01/2015 04:45 PM, Petr Spacek wrote:
>> On 1.7.2015 15:32, Martin Basti wrote:
>>> https://fedorahosted.org/freeipa/ticket/4058
>>> Requires patch freeipa-pspacek-0052
>>
>> ACK
>
> I must admit I don't really like wrapping a constant in the method in the TaskNamespace object.
>
> We're interested in the constant itself - there's no case I can imagine where the name of the freeipa's dns package will be dynamic.
>
> For paths we have BasePathNamespace that contains all the paths, maybe we should introduce something similar for the non-path platform dependent constants?

Generally I support this but it seems like 4.3 material (and out of scope of #4058). We need to finish 4.2 now. Please ACK or NACK ASAP.

-- 
Petr^2 Spacek
From jcholast at redhat.com Thu Jul 2 06:57:00 2015
From: jcholast at redhat.com (Jan Cholasta)
Date: Thu, 2 Jul 2015 08:57:00 +0200
Subject: [Freeipa-devel] [PATCH 0052] Create server-dns sub-package
In-Reply-To: <5593EA5D.90404@redhat.com>
References: <5593D93D.7090000@redhat.com> <5593E768.6030401@redhat.com> <5593EA5D.90404@redhat.com>
Message-ID: <5594E0BC.8090803@redhat.com>

On 1.7.2015 at 15:25, Petr Spacek wrote:
> On 1.7.2015 15:13, Jan Cholasta wrote:
>> Hi,
>>
>> On 1.7.2015 at 14:12, Petr Spacek wrote:
>>> Hello,
>>>
>>> Create server-dns sub-package.
>>>
>>> This allows us to automatically pull in package bind-pkcs11 and thus create upgrade path on CentOS 7.1 -> 7.2.
>>>
>>> IPA previously had no requires on BIND packages and these had to be installed manually before first ipa-dns-install run. We need to pull additional bind-pkcs11 package during RPM upgrade so ipa-dns-install cannot help with this.
>>>
>>> https://fedorahosted.org/freeipa/ticket/4058
>>
>> Can this be done without adding server-core?
>
> I'm not aware of such method (except of adding all DNS dependencies as Requires straight into freeipa-server package).
>
>> Because it's not server core, it's the whole thing! Or maybe just rename it to server-common?
>
> I'm fine with 'common'. Ticket 4058 calls for sub-package for CA too so my idea was to create 'core' package which will be gradually reduced more and more.

Well, I don't like the fact that in order to install IPA server without DNS you have to install freeipa-server-core instead of just freeipa-server. Fedora packaging guidelines [1] state that the metapackage should be named freeipa-server-compat, so I guess renaming freeipa-server to freeipa-server-compat and freeipa-server-core to freeipa-server is good enough.

>
>> To me it seems that the real problem is that IPA should continue to work with plain bind after upgrade, without DNSSEC which is optional anyway, but it does not. Why not fix that instead?
> > Because it is impossible to support and debug. Differences between bind and > bind-pkcs11 are quite subtle and I'm not willing to spend my and support's > time on debugging subtle bugs in someone's deployment. OK. I was under the impression that it only adds bits required for DNSSEC. What are the other differences BTW? > > We do not need more newspapers to hide our packaging problems, we need to get > rid of them. Pretending we got rid of them does not exactly mean we actually got rid of them. It's the pretense I don't like. Anyway, if we add a DNS subpackage, we should add subpackages for the other optional components (CA, KRA) as well, to at least be self-consistent. [1] -- Jan Cholasta From abokovoy at redhat.com Thu Jul 2 07:06:47 2015 
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Thu, 2 Jul 2015 10:06:47 +0300 Subject: [Freeipa-devel] [PATCH 0052] Create server-dns sub-package In-Reply-To: <5594E0BC.8090803@redhat.com> References: <5593D93D.7090000@redhat.com> <5593E768.6030401@redhat.com> <5593EA5D.90404@redhat.com> <5594E0BC.8090803@redhat.com> Message-ID: <20150702070647.GH11876@redhat.com> On Thu, 02 Jul 2015, Jan Cholasta wrote: >Dne 1.7.2015 v 15:25 Petr Spacek napsal(a): >>On 1.7.2015 15:13, Jan Cholasta wrote: >>>Hi, >>> >>>Dne 1.7.2015 v 14:12 Petr Spacek napsal(a): >>>>Hello, >>>> >>>>Create server-dns sub-package. >>>> >>>>This allows us to automatically pull in package bind-pkcs11 >>>>and thus create upgrade path for on CentOS 7.1 -> 7.2. >>>> >>>>IPA previously had no requires on BIND packages and these had to be >>>>installed manually before first ipa-dns-install run. >>>>We need to pull additional bind-pkcs11 package during RPM upgrade >>>>so ipa-dns-install cannot help with this. >>>> >>>>https://fedorahosted.org/freeipa/ticket/4058 >>> >>>Can this be done without adding server-core? >>I'm not aware of such method (except of adding all DNS dependencies as >>Requires straight into freeipa-server package). >> >>>Because it's not server core, >>>it's the whole thing! Or maybe just rename it to server-common? >> >>I'm fine with 'common'. Ticket 4058 calls for sub-package for CA too so my >>idea was to create 'core' package which will be gradually reduced more and more. > >Well, I don't like the fact that in order to install IPA server >without DNS you have to install freeipa-server-core instead of just >freeipa-server. Fedora packaging guidelines [1] state that the >metapackage should be named freeipa-server-compat, so I guess renaming >freeipa-server to freeipa-server-compat and freeipa-server-core to >freeipa-server is good enough. I think you are misunderstanding what the guidelines say. 
-compat subpackage is something that only contains Requires: and Obsoletes:, to help pull the right packages. It is not supposed to be a full-featured package with content. I think we are good enough with freeipa-server-dns. We have the same situation with freeipa-server-trust-ad -- it is not required by the main package and pulls in Samba-related bits. We also don't have any -compat or metapackage for it. >Anyway, if we add a DNS subpackage, we should add subpackages for the >other optional components (CA, KRA) as well, to at least be >self-consistent. Yes, in the cases where they are really optional. For example, CA is installed by default, so claiming it is optional would require us to change the default to always install without CA or this split wouldn't make much sense. Perhaps splitting out a CA subpackage is fine for the future when we would be OK to default to not installing CA, but until then it is just a complication. -- / Alexander Bokovoy From lkrispen at redhat.com Thu Jul 2 07:15:03 2015 
From: lkrispen at redhat.com (Ludwig Krispenz) Date: Thu, 02 Jul 2015 09:15:03 +0200 Subject: [Freeipa-devel] topology plugin woes In-Reply-To: <1435781734.18746.17.camel@willson.usersys.redhat.com> References: <1435775649.18746.7.camel@willson.usersys.redhat.com> <1435776252.18746.9.camel@willson.usersys.redhat.com> <1435777207.18746.15.camel@willson.usersys.redhat.com> <1435781734.18746.17.camel@willson.usersys.redhat.com> Message-ID: <5594E4F7.8080804@redhat.com> On 07/01/2015 10:15 PM, Simo Sorce wrote: > On Wed, 2015-07-01 at 15:00 -0400, Simo Sorce wrote: >> On Wed, 2015-07-01 at 14:44 -0400, Simo Sorce wrote: >>> On Wed, 2015-07-01 at 14:34 -0400, Simo Sorce wrote: >>>> I am working on the replica promotion code and suddenly the topology >>>> plugin is getting in the way. >>>> >>>> First thing I noticed is that it converted an agreement into a segment >>>> even though my domain level is 0, is this expected ? I thought we'd >>>> enable the plugin only when level -> 1 >>>> >>>> By taking over immediately it will break ipa management tools from older >>>> servers which know nothing about dealing with segments, they only know >>>> about direct removal of replication agreements. >>>> >>>> The other problem is that it seems I can't remove the replication >>>> agreement even if I removed all references to the (failed) replica I >>>> installed. It complains it would cause split brain .. but this is the >>>> last replica and I already removed the master's computer object, why is >>>> the topology plugin not recognizing the master is no more and not >>>> letting me remove the segment ? >>> Ugh, I just found the Domain Level is set to 1 ... ok so it is ok the >>> topology is managed, but why can't I remove the segment if the server >>> object is gone ? >>> >>> Simo. 
>>> >>> -- >>> Simo Sorce * Red Hat, Inc * New York >>> >> Patch 0018 fully solved this problem, next time I'll dig the uncommitted >> patches before opening my mouth :-) > A follow-up question though, why is the topology plugin not seeing a new > agreement (created by another replica that is being installed) until the > server is restarted ? No, it does not require a restart, but the timing may make it look like it. If a replica is installed, the agreement "meTomasterxxxx" is created in cn=config and the agreement is not yet managed (the replica master entry is not yet added and known to be managed), otherwise the add of the agreement would be rejected. After adding the agreements the replica is initialized from the master and when the replica is coming back online, the topo plugin will check what actions are required by the new data. But because the plugins are coming back online after an initialization in an undefined order (in fact, the multimaster replication plugin is getting active after the topo plugin), the topo plugin has a delay before acting and creating new stuff, otherwise generated modifications will not be replicated further. Next, the master entry for the replica is added, before the delay has expired, and the replica install restarts the server, so the segment is created just after restart. > > Simo. > From jcholast at redhat.com Thu Jul 2 07:17:44 2015 
From: jcholast at redhat.com (Jan Cholasta) Date: Thu, 2 Jul 2015 09:17:44 +0200 Subject: [Freeipa-devel] [PATCH 0052] Create server-dns sub-package In-Reply-To: <20150702070647.GH11876@redhat.com> References: <5593D93D.7090000@redhat.com> <5593E768.6030401@redhat.com> <5593EA5D.90404@redhat.com> <5594E0BC.8090803@redhat.com> <20150702070647.GH11876@redhat.com> Message-ID: <5594E598.7040400@redhat.com> Dne 2.7.2015 v 09:06 Alexander Bokovoy napsal(a): > On Thu, 02 Jul 2015, Jan Cholasta wrote: >> Dne 1.7.2015 v 15:25 Petr Spacek napsal(a): >>> On 1.7.2015 15:13, Jan Cholasta wrote: >>>> Hi, >>>> >>>> Dne 1.7.2015 v 14:12 Petr Spacek napsal(a): >>>>> Hello, >>>>> >>>>> Create server-dns sub-package. >>>>> >>>>> This allows us to automatically pull in package bind-pkcs11 >>>>> and thus create upgrade path for on CentOS 7.1 -> 7.2. >>>>> >>>>> IPA previously had no requires on BIND packages and these had to be >>>>> installed manually before first ipa-dns-install run. >>>>> We need to pull additional bind-pkcs11 package during RPM upgrade >>>>> so ipa-dns-install cannot help with this. >>>>> >>>>> https://fedorahosted.org/freeipa/ticket/4058 >>>> >>>> Can this be done without adding server-core? >>> I'm not aware of such method (except of adding all DNS dependencies as >>> Requires straight into freeipa-server package). >>> >>>> Because it's not server core, >>>> it's the whole thing! Or maybe just rename it to server-common? >>> >>> I'm fine with 'common'. Ticket 4058 calls for sub-package for CA too >>> so my >>> idea was to create 'core' package which will be gradually reduced >>> more and more. >> >> Well, I don't like the fact that in order to install IPA server >> without DNS you have to install freeipa-server-core instead of just >> freeipa-server. 
Fedora packaging guidelines [1] state that the >> metapackage should be named freeipa-server-compat, so I guess renaming >> freeipa-server to freeipa-server-compat and freeipa-server-core to >> freeipa-server is good enough. > I think you are misunderstanding what the guidelines say. -compat > subpackage is something that only contains Requires: and Obsoletes:, to > help to pull the right packages. It is not supposed to be a > full-featured package with content. With Petr's patch, freeipa-server is exactly that - a metapackage with requires and obsoletes only - hence my suggestion to rename it according to the guidelines. > > I think we are good enough with freeipa-server-dns. We have the same > situation with freeipa-server-trust-ad -- it is not required by the main > package and pulls in Samba-related bits. We also don't have any -compat > or metapackage for it. freeipa-server-dns is fine, what is IMO not fine is that it *is* required by the main freeipa-server package, *unlike* freeipa-server-trust-ad. We don't have a compat metapackage for freeipa-server-trust-ad, because there are no upgrade issues with it, which is what Petr is trying to solve with his patch. > > >> Anyway, if we add DNS subpackage, we should add subpackages for the >> other optional components (CA, KRA) as well, to at least be >> self-consistent. > Yes, in the cases where they are really optional. For example, CA is > installed by default, so claiming it is optional would require us to > change the default to always install without CA or this split wouldn't > have much sense. Perhaps, splitting out CA subpackage is fine for future > when we would be OK to default to not installing CA but until that it is > just a complication. Makes sense, but KRA is still optional. -- Jan Cholasta From abokovoy at redhat.com Thu Jul 2 07:36:05 2015 
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Thu, 2 Jul 2015 10:36:05 +0300 Subject: [Freeipa-devel] [PATCH 0052] Create server-dns sub-package In-Reply-To: <5594E598.7040400@redhat.com> References: <5593D93D.7090000@redhat.com> <5593E768.6030401@redhat.com> <5593EA5D.90404@redhat.com> <5594E0BC.8090803@redhat.com> <20150702070647.GH11876@redhat.com> <5594E598.7040400@redhat.com> Message-ID: <20150702073605.GI11876@redhat.com> On Thu, 02 Jul 2015, Jan Cholasta wrote: >>>>>Can this be done without adding server-core? >>>>I'm not aware of such method (except of adding all DNS dependencies as >>>>Requires straight into freeipa-server package). >>>> >>>>>Because it's not server core, >>>>>it's the whole thing! Or maybe just rename it to server-common? >>>> >>>>I'm fine with 'common'. Ticket 4058 calls for sub-package for CA too >>>>so my >>>>idea was to create 'core' package which will be gradually reduced >>>>more and more. >>> >>>Well, I don't like the fact that in order to install IPA server >>>without DNS you have to install freeipa-server-core instead of just >>>freeipa-server. Fedora packaging guidelines [1] state that the >>>metapackage should be named freeipa-server-compat, so I guess renaming >>>freeipa-server to freeipa-server-compat and freeipa-server-core to >>>freeipa-server is good enough. >>I think you are misunderstanding what the guidelines say. -compat >>subpackage is something that only contains Requires: and Obsoletes:, to >>help to pull the right packages. It is not supposed to be a >>full-featured package with content. > >With Petr's patch, freeipa-server is exactly that - a metapackage with >requires and obsoletes only - hence my suggestion to rename it >according to the guidelines. That's not good. >>I think we are good enough with freeipa-server-dns. We have the same >>situation with freeipa-server-trust-ad -- it is not required by the main >>package and pulls in Samba-related bits. 
We also don't have any -compat >>or metapackage for it. > >freeipa-server-dns is fine, what is IMO not fine is that it *is* >required by the main freeipa-server package, *unlike* >freeipa-server-trust-ad. > >We don't have a compat metapackage for freeipa-server-trust-ad, >because there are no upgrade issues with it, which is what Petr is >trying to solve with his patch. So, the issue is that for installed bind+bind-dyndb-ldap combination we need to switch to bind-pkcs11+bind-dyndb-ldap. Maybe instead of modifying main freeipa package we could modify bind-dyndb-ldap package to require bind-pkcs11 and corresponding bits of freeipa packages? -- / Alexander Bokovoy From pspacek at redhat.com Thu Jul 2 07:56:21 2015 
From: pspacek at redhat.com (Petr Spacek) Date: Thu, 02 Jul 2015 09:56:21 +0200 Subject: [Freeipa-devel] [PATCH 0052] Create server-dns sub-package In-Reply-To: <20150702073605.GI11876@redhat.com> References: <5593D93D.7090000@redhat.com> <5593E768.6030401@redhat.com> <5593EA5D.90404@redhat.com> <5594E0BC.8090803@redhat.com> <20150702070647.GH11876@redhat.com> <5594E598.7040400@redhat.com> <20150702073605.GI11876@redhat.com> Message-ID: <5594EEA5.3060504@redhat.com> On 2.7.2015 09:36, Alexander Bokovoy wrote: > On Thu, 02 Jul 2015, Jan Cholasta wrote: >>>>>> Can this be done without adding server-core? >>>>> I'm not aware of such method (except of adding all DNS dependencies as >>>>> Requires straight into freeipa-server package). >>>>> >>>>>> Because it's not server core, >>>>>> it's the whole thing! Or maybe just rename it to server-common? >>>>> >>>>> I'm fine with 'common'. Ticket 4058 calls for sub-package for CA too >>>>> so my >>>>> idea was to create 'core' package which will be gradually reduced >>>>> more and more. >>>> >>>> Well, I don't like the fact that in order to install IPA server >>>> without DNS you have to install freeipa-server-core instead of just >>>> freeipa-server. Fedora packaging guidelines [1] state that the >>>> metapackage should be named freeipa-server-compat, so I guess renaming >>>> freeipa-server to freeipa-server-compat and freeipa-server-core to >>>> freeipa-server is good enough. >>> I think you are misunderstanding what the guidelines say. -compat >>> subpackage is something that only contains Requires: and Obsoletes:, to >>> help to pull the right packages. It is not supposed to be a >>> full-featured package with content. >> >> With Petr's patch, freeipa-server is exactly that - a metapackage with >> requires and obsoletes only - hence my suggestion to rename it according to >> the guidelines. > That's not good. > >>> I think we are good enough with freeipa-server-dns. 
We have the same >>> situation with freeipa-server-trust-ad -- it is not required by the main >>> package and pulls in Samba-related bits. We also don't have any -compat >>> or metapackage for it. >> >> freeipa-server-dns is fine, what is IMO not fine is that it *is* required by >> the main freeipa-server package, *unlike* freeipa-server-trust-ad. >> >> We don't have a compat metapackage for freeipa-server-trust-ad, because >> there are no upgrade issues with it, which is what Petr is trying to solve >> with his patch. > So, the issue is that for installed bind+bind-dyndb-ldap combination we > need to switch to bind-pkcs11+bind-dyndb-ldap. Maybe instead of > modifying main freeipa package we could modify bind-dyndb-ldap package > to require bind-pkcs11 and corresponding bits of freeipa packages? Unfortunately, no. - bind-dyndb-ldap itself is used & supported even without FreeIPA. - bind-pkcs11 depends on properly configured SoftHSM (or other PKCS#11 provider) => upgrade could break non-FreeIPA installations. I'm attempting to rework the patch now, stay tuned. -- Petr^2 Spacek From tbordaz at redhat.com Thu Jul 2 08:34:36 2015 
From: tbordaz at redhat.com (thierry bordaz) Date: Thu, 02 Jul 2015 10:34:36 +0200 Subject: [Freeipa-devel] [PATCH] 0016 user life cycle: Display the wrong attribute name when mandatory attribute is missing In-Reply-To: <559409BC.4000001@redhat.com> References: <5594065E.4020509@redhat.com> <559409BC.4000001@redhat.com> Message-ID: <5594F79C.1070508@redhat.com> On 07/01/2015 05:39 PM, Tomas Babej wrote: > Hi Thierry, > > I think it would be better to use: > > error=_('Entry has no \'%s\'') % attr > > or even better, use named substitution: > > error=_('Entry has no \'%(attribute)s\'') % dict(attribute=attr) > > This way will generate more readable strings for translators. > > Tomas Hi Tomas, Thanks for reviewing. You are right, this is the common way of adding values to such error messages. I followed your recommendations. Thanks, thierry -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-tbordaz-0016-1-Display-the-wrong-attribute-name-when-mandatory-attr.patch Type: text/x-patch Size: 1131 bytes Desc: not available URL: From mbabinsk at redhat.com Thu Jul 2 09:12:53 2015 
From: mbabinsk at redhat.com (Martin Babinsky) Date: Thu, 2 Jul 2015 11:12:53 +0200 Subject: [Freeipa-devel] [PATCHES 0042-45] new commands for adding/removing certificates from entries In-Reply-To: <5593E58A.90801@redhat.com> References: <558947C9.9020509@redhat.com> <559103A2.4080706@redhat.com> <55926999.5020301@redhat.com> <5592797F.6030509@redhat.com> <55928F78.6010408@redhat.com> <5593E58A.90801@redhat.com> Message-ID: <55950095.3000700@redhat.com> On 07/01/2015 03:05 PM, Martin Babinsky wrote: > On 06/30/2015 02:45 PM, Martin Babinsky wrote: >> On 06/30/2015 01:11 PM, Martin Babinsky wrote: >>> On 06/30/2015 12:04 PM, Jan Cholasta wrote: >>>> Dne 29.6.2015 v 10:36 Martin Babinsky napsal(a): >>>>> On 06/23/2015 01:49 PM, Martin Babinsky wrote: >>>>>> This patchset implements new API commands for manipulating >>>>>> user/host/service userCertificate attribute alongside some underlying >>>>>> plumbing. >>>>>> >>>>>> PATCH 0045 is a small test suite that I slapped together since manual >>>>>> testing of this stuff is very cumbersome. It requires my PATCH >>>>>> 0040 to >>>>>> apply and work which was pushed to master recently >>>>>> (commit 74883bbc959058c8bfafd9f63e8fad0e3792ac28). >>>>>> >>>>>> The work is related to >>>>>> http://www.freeipa.org/page/V4/User_Certificates >>>>>> and https://fedorahosted.org/freeipa/ticket/4238 >>>>>> >>>>>> >>>>>> >>>>> Attaching updated patches. >>>>> >>>>> Here are some notes for Jan because I did some things differently than >>>>> we agreed on during review: >>>>> >>>>> >>>>> 1.) I chose not to rename 'usercertificate' to >>>>> 'usercertificate;binary' >>>>> and back in pre/post callbacks. Despite the fact that the correct >>>>> way to >>>>> name the certificate attribute is 'usercertificate;binary', I feel >>>>> that >>>>> suddenly renaming it in the new code is asking for trouble. 
>>>> >>>> New code is new, there is no renaming, there is naming, and that naming >>>> should follow standards, and the standard is userCertificate;binary. >>>> >>>> (For the record I did not ask for any renaming in *old* host and >>>> service >>>> code.) >>>> >>> OK I will then use 'usercertificate;binary' and try to not break things. >>>>> >>>>> I'm all for changing the mapping between CLI options and actual >>>>> attribute names but it should be done in a systematic fashion. >>>> >>>> +1, shall I post a patch? >>>> >>> That would be great, but I'm not sure if there is time for it. Maybe we >>> can create a ticket for tracking? >>>>> >>>>> 2.) I have kept the `normalize_certs` function. It has the >>>>> potential to >>>>> catch incorrectly formatted/encoded certificates and in a way >>>>> circumvents the slightly demented way the framework deals with >>>>> supposedly binary data. >>>> >>>> One sentence above you asked for doing things in systematic fashion. >>>> This is exactly what it isn't. A systematic solution would be a new >>>> parameter type for certificates. >>>> >>> Ha I didn't notice that incorrect encoding is caught by validator. >>> >>> But I think that we still need to catch malformed certificates that can >>> not be decoded to DER and AFAIK we don't do that anywhere (failing tests >>> when adding a random Base64-encoded string confirm this). >>> >>> All this probably stems from my confusion about the way IPA framework >>> guesses binary data. For example, if I call `api.Command.user_add_cert` >>> and fill 'certificate' option with Base64 blob reencoded to Unicode, >>> everything works as expected. >>> >>> However, filling this option with 'str' leads to another round of Base64 >>> encoding in the framework, leading to 'userCertificate;binary' which is >>> filled by original Base64 blob instead of DER encoded cert. >>> >>>>> >>>>> I have also added two negative test cases which deal with incorrectly >>>>> encoded and formatted certificates. 
>>>>> >>>> >>>> >>> >>> >> Attaching updated patches (actually only 44 is updated, I added the >> rename to/from 'usercertificate;binary' to user pre/post callbacks). >> >> >> > Another patch update attached (mainly fixing pep8 complaints and > reworking certificate validation). > > > Updated patches attached. -- Martin^3 Babinsky -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0045.2-test-suite-for-user-host-service-certificate-managem.patch Type: text/x-patch Size: 12207 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0044.3-new-commands-to-manage-user-host-service-certificate.patch Type: text/x-patch Size: 14792 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0043.3-reworked-certificate-normalization-and-revocation.patch Type: text/x-patch Size: 13344 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0042.2-baseldap-add-support-for-API-commands-managing-only-.patch Type: text/x-patch Size: 4804 bytes Desc: not available URL: From ftweedal at redhat.com Thu Jul 2 09:15:46 2015 From: ftweedal at redhat.com (Fraser Tweedale) Date: Thu, 2 Jul 2015 19:15:46 +1000 Subject: [Freeipa-devel] [PATCH] 0024..0025 Add missing certprofile features Message-ID: <20150702091546.GY6584@dhcp-40-8.bne.redhat.com> Attached patches fix a couple of important gaps in certprofile plugin: - Add --out option to export Dogtag profile data to file https://fedorahosted.org/freeipa/ticket/5091 - Add --file option to update existing profile in Dogtag https://fedorahosted.org/freeipa/ticket/5093 Thanks, Fraser -------------- next part -------------- From 095331fdc2f41ea544c4ab0b1247b7c1d1969393 Mon Sep 17 00:00:00 2001 
From: Fraser Tweedale Date: Thu, 2 Jul 2015 03:31:31 -0400 Subject: [PATCH 24/25] certprofile: add option to export profile config Add the `--out=FILENAME' option to `certprofile-show'. When given, it exports the profile configuration from Dogtag and writes it to the named file. Fixes: https://fedorahosted.org/freeipa/ticket/5091 --- API.txt | 3 ++- VERSION | 4 ++-- ipalib/plugins/certprofile.py | 39 ++++++++++++++++++++++++++++++++++++--- ipaserver/plugins/dogtag.py | 8 ++++++++ 4 files changed, 48 insertions(+), 6 deletions(-) diff --git a/API.txt b/API.txt index bccebe55da8a785cbb6ca782904d7523c4a9322f..13977ac74fe1831ebb86c7fb9fd97910e0dde238 100644 --- a/API.txt +++ b/API.txt @@ -747,9 +747,10 @@ output: Entry('result', , Gettext('A dictionary representing an LDA output: Output('summary', (, ), None) output: PrimaryKey('value', None, None) command: certprofile_show -args: 1,4,3 +args: 1,5,3 arg: Str('cn', attribute=True, cli_name='id', multivalue=False, primary_key=True, query=True, required=True) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('out?') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Flag('rights', autofill=True, default=False) option: Str('version?', exclude='webui') diff --git a/VERSION b/VERSION index 2f884ff73afad57f35f06ce279add5c078073353..1cadaf4057f2a2d1b882b2df5e84687d6dc989a3 100644 --- a/VERSION +++ b/VERSION @@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000 # # ######################################################## IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=136 -# Last change: pvoborni: add topologysuffix-verify command +IPA_API_VERSION_MINOR=137 +# Last change: ftweedal: add certprofile-show --out option diff --git a/ipalib/plugins/certprofile.py b/ipalib/plugins/certprofile.py index 9e1e47e943f5c14a7e7ce418d3fc2d095331a38a..abb62434eee4cb87356da5568b8a1bb12b762f67 100644 --- a/ipalib/plugins/certprofile.py 
+++ b/ipalib/plugins/certprofile.py @@ -5,7 +5,7 @@ import re from ipalib import api, Bool, File, Str -from ipalib import output +from ipalib import output, util from ipalib.plugable import Registry from ipalib.plugins.virtual import VirtualCommand from ipalib.plugins.baseldap import ( @@ -175,9 +175,42 @@ class certprofile_find(LDAPSearch): class certprofile_show(LDAPRetrieve): __doc__ = _("Display the properties of a Certificate Profile.") - def execute(self, *args, **kwargs): + has_output_params = LDAPRetrieve.has_output_params + ( + Str('config', + label=_('Profile configuration'), + ), + ) + + takes_options = LDAPRetrieve.takes_options + ( + Str('out?', + doc=_('Write profile configuration to file'), + ), + ) + + def execute(self, *keys, **options): ca_enabled_check() - return super(certprofile_show, self).execute(*args, **kwargs) + result = super(certprofile_show, self).execute(*keys, **options) + + if 'out' in options: + with self.api.Backend.ra_certprofile as profile_api: + result['result']['config'] = profile_api.read_profile(keys[0]) + + return result + + def forward(self, *keys, **options): + if 'out' in options: + util.check_writable_file(options['out']) + + result = super(certprofile_show, self).forward(*keys, **options) + if 'out' in options and 'config' in result['result']: + with open(options['out'], 'w') as f: + f.write(result['result'].pop('config')) + result['summary'] = ( + _("Profile configuration stored in file '%(file)s'") + % dict(file=options['out']) + ) + + return result @register() diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py index 3dc8f5c93a85a8035921af9ec622c2bcbcc498e0..eb2a6ae8413362ae2a443c672f806ff97356448f 100644 --- a/ipaserver/plugins/dogtag.py +++ b/ipaserver/plugins/dogtag.py 
@@ -2081,6 +2081,14 @@ class ra_certprofile(RestClient): body=profile_data ) + def read_profile(self, profile_id): + """ + Read the profile configuration from Dogtag + """ + status, status_text, resp_headers, resp_body = self._ssldo( + 'GET', profile_id + '/raw') + return resp_body + def enable_profile(self, profile_id): """ Enable the profile in Dogtag -- 2.1.0 -------------- next part -------------- From 5a3a5177aea18c490637d74dfab41947501399f1 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Thu, 2 Jul 2015 04:09:31 -0400 Subject: [PATCH 25/25] certprofile: add ability to update profile config in Dogtag Add the `--file=FILENAME' option to `certprofile-mod' which, when given, will update the profile configuration in Dogtag to the contents of the file. Fixes: https://fedorahosted.org/freeipa/ticket/5093 --- API.txt | 3 ++- VERSION | 4 ++-- ipalib/plugins/certprofile.py | 33 ++++++++++++++++++++++++++++++--- ipaserver/plugins/dogtag.py | 12 ++++++++++++ 4 files changed, 46 insertions(+), 6 deletions(-) diff --git a/API.txt b/API.txt index 13977ac74fe1831ebb86c7fb9fd97910e0dde238..5c2c8e43cc158373f0b0f11be7652b891a435836 100644 --- a/API.txt +++ b/API.txt 
@@ -731,12 +731,13 @@ output: Entry('result', , Gettext('A dictionary representing an LDA output: Output('summary', (, ), None) output: PrimaryKey('value', None, None) command: certprofile_mod -args: 1,10,3 +args: 1,11,3 arg: Str('cn', attribute=True, cli_name='id', multivalue=False, primary_key=True, query=True, required=True) option: Str('addattr*', cli_name='addattr', exclude='webui') option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Str('delattr*', cli_name='delattr', exclude='webui') option: Str('description', attribute=True, autofill=False, cli_name='desc', multivalue=False, required=False) +option: File('file?', cli_name='file') option: Bool('ipacertprofilestoreissued', attribute=True, autofill=False, cli_name='store', default=True, multivalue=False, required=False) option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Str('rename', cli_name='rename', multivalue=False, primary_key=True, required=False) diff --git a/VERSION b/VERSION index 1cadaf4057f2a2d1b882b2df5e84687d6dc989a3..086c3a892ea1ceec56d9e6f427f9c48ec30e9571 100644 --- a/VERSION +++ b/VERSION @@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000 # # ######################################################## IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=137 -# Last change: ftweedal: add certprofile-show --out option +IPA_API_VERSION_MINOR=138 +# Last change: ftweedal: add certprofile-mod --file option diff --git a/ipalib/plugins/certprofile.py b/ipalib/plugins/certprofile.py index abb62434eee4cb87356da5568b8a1bb12b762f67..7323565da6783b5300333a5eb2dac6c8dd9f9da6 100644 --- a/ipalib/plugins/certprofile.py +++ b/ipalib/plugins/certprofile.py @@ -13,6 +13,7 @@ from ipalib.plugins.baseldap import ( LDAPDelete, LDAPUpdate, LDAPRetrieve) from ipalib import ngettext from ipalib.text import _ +from ipapython.version import API_VERSION from ipalib import errors 
@@ -245,7 +246,6 @@ class certprofile_import(LDAPCreate): def post_callback(self, ldap, dn, entry_attrs, *keys, **options): """Import the profile into Dogtag and enable it. - If the operation succeeds, update the LDAP entry to 'enabled'. If the operation fails, remove the LDAP entry. """ try: @@ -281,6 +281,33 @@ class certprofile_mod(LDAPUpdate): __doc__ = _("Modify Certificate Profile configuration.") msg_summary = _('Modified Certificate Profile "%(value)s"') - def execute(self, *args, **kwargs): + takes_options = LDAPUpdate.takes_options + ( + File('file?', + label=_('File containing profile configuration'), + cli_name='file', + flags=('virtual_attribute',), + ), + ) + + def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): ca_enabled_check() - return super(certprofile_mod, self).execute(*args, **kwargs) + if 'file' in options: + with self.api.Backend.ra_certprofile as profile_api: + profile_api.disable_profile(keys[0]) + profile_api.update_profile(keys[0], options['file']) + profile_api.enable_profile(keys[0]) + + return dn + + def execute(self, *keys, **options): + try: + return super(certprofile_mod, self).execute(*keys, **options) + except errors.EmptyModlist: + if 'file' in options: + # The profile data in Dogtag was updated. + # Do not fail; return result of certprofile-show instead + return self.api.Command.certprofile_show(keys[0], + version=API_VERSION) + else: + # This case is actually an error; re-raise + raise diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py index eb2a6ae8413362ae2a443c672f806ff97356448f..47279921a5428f388f84967b7bbe05d758e475bd 100644 --- a/ipaserver/plugins/dogtag.py +++ b/ipaserver/plugins/dogtag.py 
@@ -2089,6 +2089,18 @@ class ra_certprofile(RestClient): 'GET', profile_id + '/raw') return resp_body + def update_profile(self, profile_id, profile_data): + """ + Update the profile configuration in Dogtag + """ + self._ssldo('PUT', profile_id + '/raw', + headers={ + 'Content-type': 'application/xml', + 'Accept': 'application/json', + }, + body=profile_data + ) + def enable_profile(self, profile_id): """ Enable the profile in Dogtag -- 2.1.0 From jcholast at redhat.com Thu Jul 2 09:23:49 2015 From: jcholast at redhat.com (Jan Cholasta) Date: Thu, 2 Jul 2015 11:23:49 +0200 Subject: [Freeipa-devel] [PATCH] 0024..0025 Add missing certprofile features In-Reply-To: <20150702091546.GY6584@dhcp-40-8.bne.redhat.com> References: <20150702091546.GY6584@dhcp-40-8.bne.redhat.com> Message-ID: <55950325.9010200@redhat.com> Hi, Dne 2.7.2015 v 11:15 Fraser Tweedale napsal(a): > Attached patches fix a couple of important gaps in certprofile > plugin: > > - Add --out option to export Dogtag profile data to file > https://fedorahosted.org/freeipa/ticket/5091 > > - Add --file option to update existing profile in Dogtag > https://fedorahosted.org/freeipa/ticket/5093 > Just a couple nitpicks: + takes_options = LDAPUpdate.takes_options + ( + File('file?', + label=_('File containing profile configuration'), + cli_name='file', + flags=('virtual_attribute',), + ), + ) 1) Don't set cli_name if it's the same as name. 2) The virtual_attribute flag is meaningless in Commands. 3) Add "include='cli'" to denote that the option is specific to CLI (applies to --out as well). Honza -- Jan Cholasta From mbabinsk at redhat.com Thu Jul 2 09:28:17 2015 
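Review bot: `read_profile` in the ipaserver/plugins/dogtag.py hunk of patch 24 returns `resp_body` without inspecting `status`, so if Dogtag answers anything other than success for `profile_id + '/raw'` (for instance when the profile exists in LDAP but not in Dogtag) the error body is handed back as the profile configuration and `certprofile_show.forward` writes it to the `--out` file under a success summary. Check `status` and raise on a non-2xx response before returning the body. Separately, `profile_id` comes from the user-supplied `cn` and is concatenated into the request path unescaped both here and in `update_profile` in patch 25; percent-encode it (urllib.quote) or confirm that the `cn` validator already excludes path characters.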
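Review bot: in the `certprofile_mod.pre_callback` hunk of patch 25 the `disable_profile` / `update_profile` / `enable_profile` sequence has no exception handling, so if `update_profile` raises (Dogtag rejecting the uploaded configuration, a connection error) the profile is left disabled in Dogtag and nothing reports that to the caller. Wrap the update in `try`/`finally` so `enable_profile` always runs, or catch, re-enable and re-raise. The ordering is also worth a comment in the code: the Dogtag update happens in `pre_callback`, before the LDAP modify, so an LDAP failure other than `EmptyModlist` leaves Dogtag changed and LDAP unchanged; either document that or move the Dogtag call into `post_callback`.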
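Review bot: the `certprofile_import.post_callback` hunk in patch 25 only deletes the docstring sentence "If the operation succeeds, update the LDAP entry to 'enabled'." and is unrelated to the `--file` feature the commit message describes; either state in the commit message why that sentence was wrong, or move the deletion to its own cleanup patch so the change is traceable.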
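Martin's notes in the [PATCHES 0042-45] thread above (naming the attribute `usercertificate;binary`, catching values that cannot be decoded to DER, and a `str` value getting Base64-encoded a second time by the framework) can be pinned down in code. The following is an added example, not code from those patches or from FreeIPA: a stdlib-only Python 3 normaliser that accepts PEM, bare Base64 or DER, undoes the text-in-bytes case, and rejects anything that does not parse as a Certificate-shaped DER SEQUENCE. The sample input is a constructed DER skeleton, not a real certificate, and all function names are the example's own.

```python
import base64
import binascii
import re

# Constructed sample: a minimal DER skeleton with the three top-level fields of an
# X.509 Certificate (tbsCertificate, signatureAlgorithm, signatureValue). NOT a real
# certificate; it only lets the example run offline.
SHA256_RSA_OID = b'\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b'  # OID 1.2.840.113549.1.1.11


def der_tlv(tag, payload):
    """Encode one DER TLV with a minimal definite-length field."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        nbytes = (n.bit_length() + 7) // 8
        length = bytes([0x80 | nbytes]) + n.to_bytes(nbytes, 'big')
    return bytes([tag]) + length + payload


SAMPLE_DER = der_tlv(0x30,
                     der_tlv(0x30, der_tlv(0x02, b'\x01') + der_tlv(0x30, der_tlv(0x06, SHA256_RSA_OID)))
                     + der_tlv(0x30, der_tlv(0x06, SHA256_RSA_OID))
                     + der_tlv(0x03, b'\x00' + bytes(32)))
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode('ascii')
SAMPLE_PEM = ('-----BEGIN CERTIFICATE-----\n'
              + '\n'.join(SAMPLE_B64[i:i + 64] for i in range(0, len(SAMPLE_B64), 64))
              + '\n-----END CERTIFICATE-----\n')
_PEM_RE = re.compile(r'-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----', re.S)


def _read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError('truncated TLV header')
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    elif first == 0x80:
        raise ValueError('indefinite length is BER, not DER')
    else:
        nbytes = first & 0x7f
        if nbytes > 4 or pos + nbytes > len(buf) or buf[pos] == 0:
            raise ValueError('bad or non-minimal long-form length')
        length = int.from_bytes(buf[pos:pos + nbytes], 'big')
        if length < 0x80:
            raise ValueError('non-minimal length encoding is not DER')
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError('value runs past the end of the data')
    return tag, buf[pos:pos + length], pos + length


def check_certificate_der(der):
    """Accept only one complete DER SEQUENCE shaped like Certificate ::= SEQUENCE
    { tbsCertificate SEQUENCE, signatureAlgorithm SEQUENCE, signatureValue BIT STRING }."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError('not a single DER SEQUENCE (wrong tag or trailing data)')
    fields, pos = [], 0
    while pos < len(body):
        t, v, pos = _read_tlv(body, pos)
        fields.append((t, v))
    if [t for t, _ in fields] != [0x30, 0x30, 0x03]:
        raise ValueError('fields are not SEQUENCE, SEQUENCE, BIT STRING')
    sig = fields[2][1]
    if not sig or sig[0] != 0:
        raise ValueError('signature BIT STRING must have 0 unused bits')
    return der


def normalize_cert(value):
    """Return DER bytes for PEM text, bare Base64 text, DER bytes, or Base64 text
    carried in a byte string (the double-encoding trap); raise ValueError otherwise."""
    if isinstance(value, bytes):
        # Real DER always contains non-printable bytes; an all-printable byte string
        # is Base64/PEM text that was handed over as bytes, not a certificate.
        text = value.decode('ascii', 'surrogateescape')
        if not all(c.isprintable() or c.isspace() for c in text):
            return check_certificate_der(value)
        value = text
    if not isinstance(value, str):
        raise TypeError('certificate value must be bytes or str')
    match = _PEM_RE.search(value)
    b64 = re.sub(r'\s+', '', match.group(1) if match else value)
    try:
        der = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError('not valid Base64: %s' % exc)
    return check_certificate_der(der)


def is_valid_cert(value):
    try:
        normalize_cert(value)
        return True
    except (ValueError, TypeError):
        return False
```

A structural check like this is a pre-filter, not a substitute for a real X.509 parser: the DER it returns is what a server would hand to its certificate library before storing it in userCertificate;binary.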
From: mbabinsk at redhat.com (Martin Babinsky) Date: Thu, 2 Jul 2015 11:28:17 +0200 Subject: [Freeipa-devel] [PATCHES 0042-45] new commands for adding/removing certificates from entries In-Reply-To: <55950095.3000700@redhat.com> References: <558947C9.9020509@redhat.com> <559103A2.4080706@redhat.com> <55926999.5020301@redhat.com> <5592797F.6030509@redhat.com> <55928F78.6010408@redhat.com> <5593E58A.90801@redhat.com> <55950095.3000700@redhat.com> Message-ID: <55950431.9020505@redhat.com> On 07/02/2015 11:12 AM, Martin Babinsky wrote: > On 07/01/2015 03:05 PM, Martin Babinsky wrote: >> On 06/30/2015 02:45 PM, Martin Babinsky wrote: >>> On 06/30/2015 01:11 PM, Martin Babinsky wrote: >>>> On 06/30/2015 12:04 PM, Jan Cholasta wrote: >>>>> Dne 29.6.2015 v 10:36 Martin Babinsky napsal(a): >>>>>> On 06/23/2015 01:49 PM, Martin Babinsky wrote: >>>>>>> This patchset implements new API commands for manipulating >>>>>>> user/host/service userCertificate attribute alongside some >>>>>>> underlying >>>>>>> plumbing. >>>>>>> >>>>>>> PATCH 0045 is a small test suite that I slapped together since >>>>>>> manual >>>>>>> testing of this stuff is very cumbersome. It requires my PATCH >>>>>>> 0040 to >>>>>>> apply and work which was pushed to master recently >>>>>>> (commit 74883bbc959058c8bfafd9f63e8fad0e3792ac28). >>>>>>> >>>>>>> The work is related to >>>>>>> http://www.freeipa.org/page/V4/User_Certificates >>>>>>> and https://fedorahosted.org/freeipa/ticket/4238 >>>>>>> >>>>>>> >>>>>>> >>>>>> Attaching updated patches. >>>>>> >>>>>> Here are some notes for Jan because I did some things differently >>>>>> than >>>>>> we agreed on during review: >>>>>> >>>>>> >>>>>> 1.) I chose not to rename 'usercertificate' to >>>>>> 'usercertificate;binary' >>>>>> and back in pre/post callbacks. Despite the fact that the correct >>>>>> way to >>>>>> name the certificate attribute is 'usercertificate;binary', I feel >>>>>> that >>>>>> suddenly renaming it in the new code is asking for trouble. 
>>>>> >>>>> New code is new, there is no renaming, there is naming, and that >>>>> naming >>>>> should follow standards, and the standard is userCertificate;binary. >>>>> >>>>> (For the record I did not ask for any renaming in *old* host and >>>>> service >>>>> code.) >>>>> >>>> OK I will then use 'usercertificate;binary' and try to not break >>>> things. >>>>>> >>>>>> I'm all for changing the mapping between CLI options and actual >>>>>> attribute names but it should be done in a systematic fashion. >>>>> >>>>> +1, shall I post a patch? >>>>> >>>> That would be great, but I'm not sure if there is time for it. Maybe we >>>> can create a ticket for tracking? >>>>>> >>>>>> 2.) I have kept the `normalize_certs` function. It has the >>>>>> potential to >>>>>> catch incorrectly formatted/encoded certificates and in a way >>>>>> circumvents the slightly demented way the framework deals with >>>>>> supposedly binary data. >>>>> >>>>> One sentence above you asked for doing things in systematic fashion. >>>>> This is exactly what it isn't. A systematic solution would be a new >>>>> parameter type for certificates. >>>>> >>>> Ha I didn't notice that incorrect encoding is caught by validator. >>>> >>>> But I think that we still need to catch malformed certificates that can >>>> not be decoded to DER and AFAIK we don't do that anywhere (failing >>>> tests >>>> when adding a random Base64-encoded string confirm this). >>>> >>>> All this probably stems from my confusion about the way IPA framework >>>> guesses binary data. For example, if I call `api.Command.user_add_cert` >>>> and fill 'certificate' option with Base64 blob reencoded to Unicode, >>>> everything works as expected. >>>> >>>> However, filling this option with 'str' leads to another round of >>>> Base64 >>>> encoding in the framework, leading to 'userCertificate;binary' which is >>>> filled by original Base64 blob instead of DER encoded cert. 
>>>> >>>>>> >>>>>> I have also added two negative test cases which deal with incorrectly >>>>>> encoded and formatted certificates. >>>>>> >>>>> >>>>> >>>> >>>> >>> Attaching updated patches (actually only 44 is updated, I added the >>> rename to/from 'usercertificate;binary' to user pre/post callbacks). >>> >>> >>> >> Another patch update attached (mainly fixing pep8 complaints and >> reworking certificate validation). >> >> >> > > Updated patches attached. > > > I left a bug in PATCH 0043. Attaching updated version. -- Martin^3 Babinsky -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0043.4-reworked-certificate-normalization-and-revocation.patch Type: text/x-patch Size: 13347 bytes Desc: not available URL: From tbabej at redhat.com Thu Jul 2 09:54:28 2015 From: tbabej at redhat.com (Tomas Babej) Date: Thu, 02 Jul 2015 11:54:28 +0200 Subject: [Freeipa-devel] [PATCH 0018] allow deletion of segment, if not both nodes are managed In-Reply-To: <1435777163.18746.14.camel@willson.usersys.redhat.com> References: <5593BB87.5070407@redhat.com> <1435777163.18746.14.camel@willson.usersys.redhat.com> Message-ID: <55950A54.3050900@redhat.com> On 07/01/2015 08:59 PM, Simo Sorce wrote: > On Wed, 2015-07-01 at 12:05 +0200, Ludwig Krispenz wrote: >> This fix allows the removal of segments, where not both endpoints of the >> segments are managed. >> These segments can exist after deliberately disconnecting a topology by >> removal of a central node, a fix to automatically remove dangling >> segments is in process, but it cannot handle all situations, especially >> if the removed server is no longer working and the topology is already >> broken before the removal. >> In these cases a manual cleanup must be possible and is addressed in >> this patch >> >> Ludwig > > Tested and works as expected. > Full ACK. > > Simo. > Pushed to master: 6f916b0ac96726eb0219a67f8a06c7df7e59cc86 From tbabej at redhat.com Thu Jul 2 10:01:33 2015
From: tbabej at redhat.com (Tomas Babej) Date: Thu, 02 Jul 2015 12:01:33 +0200 Subject: [Freeipa-devel] [PATCH] 0016 user life cycle: Display the wrong attribute name when mandatory attribute is missing In-Reply-To: <5594F79C.1070508@redhat.com> References: <5594065E.4020509@redhat.com> <559409BC.4000001@redhat.com> <5594F79C.1070508@redhat.com> Message-ID: <55950BFD.60102@redhat.com> On 07/02/2015 10:34 AM, thierry bordaz wrote: > On 07/01/2015 05:39 PM, Tomas Babej wrote: >> Hi Thierry, >> >> I think it would be better to use: >> >> error=_('Entry has no \'%s\'') % attr >> >> or even better, use named substitution: >> >> error=_('Entry has no \'%(attribute)s\'') % dict(attribute=attr) >> >> This way will generate more readable strings for translators. >> >> Tomas > Hi Tomas, > > Thanks for reviewing. You are right, this is the common way of adding > values in such error messages. > I followed your recommendations. > > thanks > thierry Thanks! ACK. Pushed to master: b5cb95431bffd39475fa82a453ef057890425529 From ftweedal at redhat.com Thu Jul 2 10:12:12 2015
From: ftweedal at redhat.com (Fraser Tweedale) Date: Thu, 2 Jul 2015 20:12:12 +1000 Subject: [Freeipa-devel] [PATCH] 0024..0025 Add missing certprofile features In-Reply-To: <55950325.9010200@redhat.com> References: <20150702091546.GY6584@dhcp-40-8.bne.redhat.com> <55950325.9010200@redhat.com> Message-ID: <20150702101212.GZ6584@dhcp-40-8.bne.redhat.com> On Thu, Jul 02, 2015 at 11:23:49AM +0200, Jan Cholasta wrote: > Hi, > > Dne 2.7.2015 v 11:15 Fraser Tweedale napsal(a): > >Attached patches fix a couple of important gaps in certprofile > >plugin: > > > >- Add --out option to export Dogtag profile data to file > > https://fedorahosted.org/freeipa/ticket/5091 > > > >- Add --file option to update existing profile in Dogtag > > https://fedorahosted.org/freeipa/ticket/5093 > > > > Just a couple nitpicks: > > + takes_options = LDAPUpdate.takes_options + ( > + File('file?', > + label=_('File containing profile configuration'), > + cli_name='file', > + flags=('virtual_attribute',), > + ), > + ) > > 1) Don't set cli_name if it's the same as name. > > 2) The virtual_attribute flag is meaningless in Commands. > > 3) Add "include='cli'" to denote that the option is specific to CLI (applies > to --out as well). > > Honza > > -- > Jan Cholasta > Thanks, updated patches attached. Interdiff below. diff --git a/ipalib/plugins/certprofile.py b/ipalib/plugins/certprofile.py index 7323565..08a0d1c 100644 --- a/ipalib/plugins/certprofile.py +++ b/ipalib/plugins/certprofile.py @@ -185,6 +185,7 @@ class certprofile_show(LDAPRetrieve): takes_options = LDAPRetrieve.takes_options + ( Str('out?', doc=_('Write profile configuration to file'), + include='cli', ), ) @@ -284,8 +285,7 @@ class certprofile_mod(LDAPUpdate): takes_options = LDAPUpdate.takes_options + ( File('file?', label=_('File containing profile configuration'), - cli_name='file', - flags=('virtual_attribute',), + include='cli', ), ) -------------- next part -------------- 
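Review bot: the interdiff changes only ipalib/plugins/certprofile.py, but the option definitions it edits are also recorded in API.txt, and the attached PATCH 25/25 still lists `option: File('file?', cli_name='file')` while its certprofile.py hunk no longer passes cli_name and adds include='cli' (PATCH 24/25 likewise records `option: Str('out?')` without the new include). Regenerate API.txt with ./makeapi so the committed API description matches the code; otherwise the build's API validation will flag the mismatch.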
From 92aafc1602154dee886c9197ad976cc03ee1bc65 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Thu, 2 Jul 2015 03:31:31 -0400 Subject: [PATCH 24/25] certprofile: add option to export profile config Add the `--out=FILENAME' option to `certprofile-show'. When given, it exports the profile configuration from Dogtag and writes it to the named file. Fixes: https://fedorahosted.org/freeipa/ticket/5091 --- API.txt | 3 ++- VERSION | 4 ++-- ipalib/plugins/certprofile.py | 40 +++++++++++++++++++++++++++++++++++++--- ipaserver/plugins/dogtag.py | 8 ++++++++ 4 files changed, 49 insertions(+), 6 deletions(-) diff --git a/API.txt b/API.txt index bccebe55da8a785cbb6ca782904d7523c4a9322f..13977ac74fe1831ebb86c7fb9fd97910e0dde238 100644 --- a/API.txt +++ b/API.txt @@ -747,9 +747,10 @@ output: Entry('result', , Gettext('A dictionary representing an LDA output: Output('summary', (, ), None) output: PrimaryKey('value', None, None) command: certprofile_show -args: 1,4,3 +args: 1,5,3 arg: Str('cn', attribute=True, cli_name='id', multivalue=False, primary_key=True, query=True, required=True) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('out?') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Flag('rights', autofill=True, default=False) option: Str('version?', exclude='webui') diff --git a/VERSION b/VERSION index 2f884ff73afad57f35f06ce279add5c078073353..1cadaf4057f2a2d1b882b2df5e84687d6dc989a3 100644 --- a/VERSION +++ b/VERSION @@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000 # # ######################################################## IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=136 -# Last change: pvoborni: add topologysuffix-verify command +IPA_API_VERSION_MINOR=137 +# Last change: ftweedal: add certprofile-show --out option 
diff --git a/ipalib/plugins/certprofile.py b/ipalib/plugins/certprofile.py index 9e1e47e943f5c14a7e7ce418d3fc2d095331a38a..1a6621815f9aa36974ed08c776d9ad2d09682988 100644 --- a/ipalib/plugins/certprofile.py +++ b/ipalib/plugins/certprofile.py @@ -5,7 +5,7 @@ import re from ipalib import api, Bool, File, Str -from ipalib import output +from ipalib import output, util from ipalib.plugable import Registry from ipalib.plugins.virtual import VirtualCommand from ipalib.plugins.baseldap import ( @@ -175,9 +175,43 @@ class certprofile_find(LDAPSearch): class certprofile_show(LDAPRetrieve): __doc__ = _("Display the properties of a Certificate Profile.") - def execute(self, *args, **kwargs): + has_output_params = LDAPRetrieve.has_output_params + ( + Str('config', + label=_('Profile configuration'), + ), + ) + + takes_options = LDAPRetrieve.takes_options + ( + Str('out?', + doc=_('Write profile configuration to file'), + include='cli', + ), + ) + + def execute(self, *keys, **options): ca_enabled_check() - return super(certprofile_show, self).execute(*args, **kwargs) + result = super(certprofile_show, self).execute(*keys, **options) + + if 'out' in options: + with self.api.Backend.ra_certprofile as profile_api: + result['result']['config'] = profile_api.read_profile(keys[0]) + + return result + + def forward(self, *keys, **options): + if 'out' in options: + util.check_writable_file(options['out']) + + result = super(certprofile_show, self).forward(*keys, **options) + if 'out' in options and 'config' in result['result']: + with open(options['out'], 'w') as f: + f.write(result['result'].pop('config')) + result['summary'] = ( + _("Profile configuration stored in file '%(file)s'") + % dict(file=options['out']) + ) + + return result @register() diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py index 3dc8f5c93a85a8035921af9ec622c2bcbcc498e0..eb2a6ae8413362ae2a443c672f806ff97356448f 100644 --- a/ipaserver/plugins/dogtag.py +++ b/ipaserver/plugins/dogtag.py 
@@ -2081,6 +2081,14 @@ class ra_certprofile(RestClient): body=profile_data ) + def read_profile(self, profile_id): + """ + Read the profile configuration from Dogtag + """ + status, status_text, resp_headers, resp_body = self._ssldo( + 'GET', profile_id + '/raw') + return resp_body + def enable_profile(self, profile_id): """ Enable the profile in Dogtag -- 2.1.0 -------------- next part -------------- From 044fa537c8a4f247440b0db93c49992fa92a837a Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Thu, 2 Jul 2015 04:09:31 -0400 Subject: [PATCH 25/25] certprofile: add ability to update profile config in Dogtag Add the `--file=FILENAME' option to `certprofile-mod' which, when given, will update the profile configuration in Dogtag to the contents of the file. Fixes: https://fedorahosted.org/freeipa/ticket/5093 --- API.txt | 3 ++- VERSION | 4 ++-- ipalib/plugins/certprofile.py | 32 +++++++++++++++++++++++++++++--- ipaserver/plugins/dogtag.py | 12 ++++++++++++ 4 files changed, 45 insertions(+), 6 deletions(-) diff --git a/API.txt b/API.txt index 13977ac74fe1831ebb86c7fb9fd97910e0dde238..5c2c8e43cc158373f0b0f11be7652b891a435836 100644 --- a/API.txt +++ b/API.txt 
@@ -731,12 +731,13 @@ output: Entry('result', , Gettext('A dictionary representing an LDA output: Output('summary', (, ), None) output: PrimaryKey('value', None, None) command: certprofile_mod -args: 1,10,3 +args: 1,11,3 arg: Str('cn', attribute=True, cli_name='id', multivalue=False, primary_key=True, query=True, required=True) option: Str('addattr*', cli_name='addattr', exclude='webui') option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Str('delattr*', cli_name='delattr', exclude='webui') option: Str('description', attribute=True, autofill=False, cli_name='desc', multivalue=False, required=False) +option: File('file?', cli_name='file') option: Bool('ipacertprofilestoreissued', attribute=True, autofill=False, cli_name='store', default=True, multivalue=False, required=False) option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Str('rename', cli_name='rename', multivalue=False, primary_key=True, required=False) diff --git a/VERSION b/VERSION index 1cadaf4057f2a2d1b882b2df5e84687d6dc989a3..086c3a892ea1ceec56d9e6f427f9c48ec30e9571 100644 --- a/VERSION +++ b/VERSION @@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000 # # ######################################################## IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=137 -# Last change: ftweedal: add certprofile-show --out option +IPA_API_VERSION_MINOR=138 +# Last change: ftweedal: add certprofile-mod --file option diff --git a/ipalib/plugins/certprofile.py b/ipalib/plugins/certprofile.py index 1a6621815f9aa36974ed08c776d9ad2d09682988..08a0d1caeaf638ddc10fb178b26323187682729a 100644 --- a/ipalib/plugins/certprofile.py +++ b/ipalib/plugins/certprofile.py @@ -13,6 +13,7 @@ from ipalib.plugins.baseldap import ( LDAPDelete, LDAPUpdate, LDAPRetrieve) from ipalib import ngettext from ipalib.text import _ +from ipapython.version import API_VERSION from ipalib import errors 
@@ -246,7 +247,6 @@ class certprofile_import(LDAPCreate): def post_callback(self, ldap, dn, entry_attrs, *keys, **options): """Import the profile into Dogtag and enable it. - If the operation succeeds, update the LDAP entry to 'enabled'. If the operation fails, remove the LDAP entry. """ try: @@ -282,6 +282,32 @@ class certprofile_mod(LDAPUpdate): __doc__ = _("Modify Certificate Profile configuration.") msg_summary = _('Modified Certificate Profile "%(value)s"') - def execute(self, *args, **kwargs): + takes_options = LDAPUpdate.takes_options + ( + File('file?', + label=_('File containing profile configuration'), + include='cli', + ), + ) + + def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): ca_enabled_check() - return super(certprofile_mod, self).execute(*args, **kwargs) + if 'file' in options: + with self.api.Backend.ra_certprofile as profile_api: + profile_api.disable_profile(keys[0]) + profile_api.update_profile(keys[0], options['file']) + profile_api.enable_profile(keys[0]) + + return dn + + def execute(self, *keys, **options): + try: + return super(certprofile_mod, self).execute(*keys, **options) + except errors.EmptyModlist: + if 'file' in options: + # The profile data in Dogtag was updated. + # Do not fail; return result of certprofile-show instead + return self.api.Command.certprofile_show(keys[0], + version=API_VERSION) + else: + # This case is actually an error; re-raise + raise diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py index eb2a6ae8413362ae2a443c672f806ff97356448f..47279921a5428f388f84967b7bbe05d758e475bd 100644 --- a/ipaserver/plugins/dogtag.py +++ b/ipaserver/plugins/dogtag.py 
@@ -2089,6 +2089,18 @@ class ra_certprofile(RestClient): 'GET', profile_id + '/raw') return resp_body + def update_profile(self, profile_id, profile_data): + """ + Update the profile configuration in Dogtag + """ + self._ssldo('PUT', profile_id + '/raw', + headers={ + 'Content-type': 'application/xml', + 'Accept': 'application/json', + }, + body=profile_data + ) + def enable_profile(self, profile_id): """ Enable the profile in Dogtag -- 2.1.0 From tbabej at redhat.com Thu Jul 2 10:57:29 2015 
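Review bot: in the certprofile_show.forward hunk of PATCH 24/25 (ipalib/plugins/certprofile.py), `open(options['out'], 'w')` overwrites an existing file without warning; util.check_writable_file only confirms the path can be written, so either refuse to clobber an existing file or state in the option's doc that it will be overwritten. The value written is resp_body straight from read_profile, so 'wb' is the safer mode for the raw profile data. Also, when 'config' is missing from the server's result (a server that does not return it), the `'config' in result['result']` guard means --out is silently ignored with no file and no message; raising an error there would be friendlier.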
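Review bot: in the certprofile_mod hunk of PATCH 25/25 (ipalib/plugins/certprofile.py), pre_callback disables the profile, calls update_profile, then enable_profile with no error handling; if Dogtag rejects the supplied configuration or the request fails, the exception propagates with the profile still disabled and the command reports an error without saying so. Put the update in a try block and re-enable in finally, roughly `profile_api.disable_profile(keys[0])` / `try: profile_api.update_profile(keys[0], options['file'])` / `finally: profile_api.enable_profile(keys[0])`, so a bad --file cannot leave the profile unusable. The same hunk performs the Dogtag write in pre_callback, i.e. before the LDAP modify that would enforce the caller's rights on the profile entry, and execute() then swallows the EmptyModlist raised when --file was the only change, so nothing in the visible code ties the Dogtag update to a permission check on the caller; please confirm where that check happens, or perform it explicitly before touching Dogtag. Finally, the EmptyModlist path returns the certprofile-show result, so the user sees no "Modified Certificate Profile" summary for a --file-only change; setting the summary on that result would keep the CLI output consistent.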
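Review bot: in the ra_certprofile.update_profile hunk of PATCH 25/25 (ipaserver/plugins/dogtag.py), the response from _ssldo is discarded, and read_profile in PATCH 24/25 unpacks the status but never checks it either; if _ssldo does not already raise on a non-2xx status, a rejected PUT goes unnoticed and pre_callback proceeds to enable_profile as if the update had succeeded, so check the status here (or rely on, and document, _ssldo raising). Both methods also build the request path as `profile_id + '/raw'` without escaping; unless the profile cn is already constrained to URL-safe characters by its parameter pattern, quote it before concatenating.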
From: tbabej at redhat.com (Tomas Babej) Date: Thu, 02 Jul 2015 12:57:29 +0200 Subject: [Freeipa-devel] [PATCH 0274] DNS: Check if dns package is installed In-Reply-To: <5594DF23.8060103@redhat.com> References: <5593EBD3.2000902@redhat.com> <5593FD26.8010903@redhat.com> <55943181.5060604@redhat.com> <5594DF23.8060103@redhat.com> Message-ID: <55951919.6020101@redhat.com> On 07/02/2015 08:50 AM, Petr Spacek wrote: > On 1.7.2015 20:29, Tomas Babej wrote: >> >> >> On 07/01/2015 04:45 PM, Petr Spacek wrote: >>> On 1.7.2015 15:32, Martin Basti wrote: >>>> https://fedorahosted.org/freeipa/ticket/4058 >>>> Requires patch freeipa-pspacek-0052 >>> >>> ACK >>> >> >> I must admit I don't really like wrapping a constant in the method in >> the TaskNamespace object. >> >> We're interested in the constant itself - there's no case I can imagine >> where the name of freeipa's dns package will be dynamic. >> >> For paths we have BasePathNamespace that contains all the paths, maybe >> we should introduce something similar for the non-path platform >> dependent constants? > > Generally I support this but it seems like 4.3 material (and out of scope of > #4058). We need to finish 4.2 now. > > Please ACK or NACK ASAP. > It's fairly straightforward to introduce a new platform namespace for constants. See attached patch, it implements the namespace and already contains the proper values for the dns package name. The original patch 274 would only need to use: >>> from ipaplatform.constants import constants >>> constants.DNS_PACKAGE_NAME 'freeipa-server-dns' Tomas -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-tbabej-0332-ipaplatform-Add-constants-submodule.patch Type: text/x-patch Size: 5034 bytes Desc: not available URL: From jcholast at redhat.com Thu Jul 2 11:00:15 2015
From: jcholast at redhat.com (Jan Cholasta) Date: Thu, 2 Jul 2015 13:00:15 +0200 Subject: [Freeipa-devel] [PATCH 0273] KRA install: check if replica file contains all required certificates In-Reply-To: <5593D97F.1060705@redhat.com> References: <5593D97F.1060705@redhat.com> Message-ID: <559519BF.7000609@redhat.com> Dne 1.7.2015 v 14:13 Martin Basti napsal(a): > Fixes: https://fedorahosted.org/freeipa/ticket/5059 > > Patch attached. Works for me, ACK. Pushed to master: 2e329ecdc7c72045f276319d18df28549a51d4b9 -- Jan Cholasta From tbabej at redhat.com Thu Jul 2 11:07:36 2015 From: tbabej at redhat.com (Tomas Babej) Date: Thu, 02 Jul 2015 13:07:36 +0200 Subject: [Freeipa-devel] [PATCH 0333] ipaplatform: Remove redundant definitions Message-ID: <55951B78.5040706@redhat.com> Hi, I noticed two variables are redundant in the base/paths.py and base/tasks.py in the ipaplatform module. git grep -E 'path_namespace|task_namespace' ipaplatform/base/paths.py:path_namespace = BasePathNamespace ipaplatform/base/tasks.py:task_namespace = BaseTaskNamespace() This patch removes them. Pushed to master, under one-liner rule: ccbf2678725949c527a99cb8c36a1fc9cc1b884f Tomas From tbabej at redhat.com Thu Jul 2 11:23:52 2015 
From: tbabej at redhat.com (Tomas Babej) Date: Thu, 02 Jul 2015 13:23:52 +0200 Subject: [Freeipa-devel] [PATCHES 306-316] Automated migration tool from Winsync In-Reply-To: <55942443.3050602@redhat.com> References: <54FD8369.10803@redhat.com> <54FF0F46.3010109@redhat.com> <55005D3C.5090304@redhat.com> <5540B23A.9060404@redhat.com> <5548B13B.60607@redhat.com> <5549CCE6.3010006@redhat.com> <557FDAE8.4000501@redhat.com> <558001ED.6070206@redhat.com> <5592BC07.70406@redhat.com> <55942443.3050602@redhat.com> Message-ID: <55951F48.9020805@redhat.com> On 07/01/2015 07:32 PM, Martin Babinsky wrote: > On 06/30/2015 05:55 PM, Tomas Babej wrote: >> >> >> On 06/16/2015 01:01 PM, Jan Cholasta wrote: >>> Dne 16.6.2015 v 10:14 Martin Babinsky napsal(a): >>>> On 05/06/2015 10:12 AM, Tomas Babej wrote: >>>>> >>>>> >>>>> On 05/05/2015 02:02 PM, Tomas Babej wrote: >>>>>> >>>>>> >>>>>> On 04/29/2015 12:28 PM, Tomas Babej wrote: >>>>>>> >>>>>>> >>>>>>> On 03/11/2015 04:20 PM, Jan Cholasta wrote: >>>>>>>> Hi, >>>>>>>> >>>>>>>> Dne 10.3.2015 v 16:35 Tomas Babej napsal(a): >>>>>>>>> >>>>>>>>> On 03/09/2015 12:26 PM, Tomas Babej wrote: >>>>>>>>>> Hi, >>>>>>>>>> >>>>>>>>>> this couple of patches provides an initial implementation of the >>>>>>>>>> winsync migration tool: >>>>>>>>>> >>>>>>>>>> https://fedorahosted.org/freeipa/ticket/4524 >>>>>>>>>> >>>>>>>>>> Some parts could use some polishing, but this is a sound >>>>>>>>>> foundation. >>>>>>>>>> >>>>>>>>>> Tomas >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>> >>>>>>>>> Attaching one more patch to the bundle. This one should make the >>>>>>>>> winsync >>>>>>>>> tool readily available after install. >>>>>>>>> >>>>>>>>> Tomas >>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>>>> Nitpicks: >>>>>>>> >>>>>>>> The winsync_migrate module should be in ipaserver.install. Also I >>>>>>>> don't see why it has to be a package when there is just one short >>>>>>>> file in it.
>>>>>>>> >>>>>>>> By convention, the AdminTool subclass should be named >>>>>>>> WinsyncMigrate, or the tool should be named ipa-migrate-winsync. >>>>>>>> >>>>>>>> Honza >>>>>>>> >>>>>>> >>>>>>> Updated patches attached. >>>>>>> >>>>>>> Tomas >>>>>> >>>>>> Rebased patches with cleaned membership bits. >>>>>> >>>>>> Tomas >>>>> >>>>> I did some self-review, updated patches attached. >>>>> >>>>> >>>> Hi Tomas, >>>> >>>> patches look good and seem to work as expected. I have some comments: >>>> >>>> 1.) When running the tool I get a number of warnings about users not >>>> found (https://paste.fedoraproject.org/232251/43884831/), but in the >>>> end >>>> everything seems to be fine and users are migrated in the external >>>> groups just fine. Is this behavior normal? >>>> >> >> In that case, yes. What happened here is that SSSD in POSIX trust will >> not resolve users that do not have POSIX attributes set. Winsync >> synchronizes all the users, hence the discrepancy. >> >> >>>> 2.) Since both "--realm" and "--server" options are mandatory, I was >>>> thinking if it would be better to use positional arguments, since you >>>> always have to specify them. What are your thoughts on this? >>> >>> I would rather stay consistent with ipa-server-install and friends and >>> keep them as options. >>> >>>> >>>> 3.) Patches 317-318 seem to just rename/move things and could be >>>> squashed in the previous ones. But that is just a minor thing and I >>>> leave that to your discretion. >>>> >>>> 4.) After all the renaming and moving around the WinsyncMigrate class >>>> (see previous point) there is an unused file >>>> "ipaserver/winsync_migrate/__init__.py" left. You should remove it in >>>> some patch (e.g. in patch 318 if you decide to keep it). >> >> I removed the file and squashed the change into 318. >> >>> >>> Also please rename the class to "MigrateWinsync", for consistency.
>>> >> >> Naming is consistent, the tool is called ipa-winsync-migrate, class is >> called WinsyncMigrate. This is consistent with other IPA tools. >> >> >>>> >>>> 5.) Option "--log-file" seems to be broken. When specified on CLI the >>>> log is created but empty, the program prints out nothing and then exits >>>> without doing anything. However, I suspect that this is AdminTool's >>>> problem, not yours. >>>> >> >> Yep. Please, file a ticket for this more generic issue. >> > > Will do. > > Otherwise ACK. > Pushed to master: 8d30feb5391026a42a2f8da5df8d539311963b86 From pspacek at redhat.com Thu Jul 2 11:34:08 2015 
From: pspacek at redhat.com (Petr Spacek) Date: Thu, 02 Jul 2015 13:34:08 +0200 Subject: [Freeipa-devel] [PATCH 0274] DNS: Check if dns package is installed In-Reply-To: <55951919.6020101@redhat.com> References: <5593EBD3.2000902@redhat.com> <5593FD26.8010903@redhat.com> <55943181.5060604@redhat.com> <5594DF23.8060103@redhat.com> <55951919.6020101@redhat.com> Message-ID: <559521B0.8010001@redhat.com> On 2.7.2015 12:57, Tomas Babej wrote: > > > On 07/02/2015 08:50 AM, Petr Spacek wrote: >> On 1.7.2015 20:29, Tomas Babej wrote: >>> >>> >>> On 07/01/2015 04:45 PM, Petr Spacek wrote: >>>> On 1.7.2015 15:32, Martin Basti wrote: >>>>> https://fedorahosted.org/freeipa/ticket/4058 >>>>> Requires patch freeipa-pspacek-0052 >>>> >>>> ACK >>>> >>> >>> I must admit I don't really like wrapping a constant in the method in >>> the TaskNamespace object. >>> >>> We're interested in the constant itself - there's no case I can imagine >>> where the name of freeipa's dns package will be dynamic. >>> >>> For paths we have BasePathNamespace that contains all the paths, maybe >>> we should introduce something similar for the non-path platform >>> dependent constants? >> >> Generally I support this but it seems like 4.3 material (and out of scope of >> #4058). We need to finish 4.2 now. >> >> Please ACK or NACK ASAP. >> > > It's fairly straightforward to introduce a new platform namespace for > constants. > > See attached patch, it implements the namespace and already contains the > proper values for the dns package name. > > The original patch 274 would only need to use: > > >>> from ipaplatform.constants import constants > >>> constants.DNS_PACKAGE_NAME > 'freeipa-server-dns' I'm okay with that if Honza or somebody else knowledgeable about the whole platform-thingy can ACK this, amend Martin^2's patch 274 and test the whole thing. Unfortunately I do not have time for it myself. If nobody does that please push the original patch (when its dependency pspacek-0052 gets ACK).
-- Petr^2 Spacek From jcholast at redhat.com Thu Jul 2 11:54:12 2015 
From: jcholast at redhat.com (Jan Cholasta) Date: Thu, 2 Jul 2015 13:54:12 +0200 Subject: [Freeipa-devel] [PATCH 0274] DNS: Check if dns package is installed In-Reply-To: <559521B0.8010001@redhat.com> References: <5593EBD3.2000902@redhat.com> <5593FD26.8010903@redhat.com> <55943181.5060604@redhat.com> <5594DF23.8060103@redhat.com> <55951919.6020101@redhat.com> <559521B0.8010001@redhat.com> Message-ID: <55952664.5030704@redhat.com> Dne 2.7.2015 v 13:34 Petr Spacek napsal(a): > On 2.7.2015 12:57, Tomas Babej wrote: >> >> >> On 07/02/2015 08:50 AM, Petr Spacek wrote: >>> On 1.7.2015 20:29, Tomas Babej wrote: >>>> >>>> >>>> On 07/01/2015 04:45 PM, Petr Spacek wrote: >>>>> On 1.7.2015 15:32, Martin Basti wrote: >>>>>> https://fedorahosted.org/freeipa/ticket/4058 >>>>>> Requires patch freeipa-pspacek-0052 >>>>> >>>>> ACK >>>>> >>>> >>>> I must admit I don't really like wrapping a constant in the method in >>>> the TaskNamespace object. >>>> >>>> We're interested in the constant itself - there's no case I can imagine >>>> where the name of freeipa's dns package will be dynamic. >>>> >>>> For paths we have BasePathNamespace that contains all the paths, maybe >>>> we should introduce something similar for the non-path platform >>>> dependent constants? >>> >>> Generally I support this but it seems like 4.3 material (and out of scope of >>> #4058). We need to finish 4.2 now. >>> >>> Please ACK or NACK ASAP. >>> >> >> It's fairly straightforward to introduce a new platform namespace for >> constants. >> >> See attached patch, it implements the namespace and already contains the >> proper values for the dns package name. >> >> The original patch 274 would only need to use: >> >> >>> from ipaplatform.constants import constants >> >>> constants.DNS_PACKAGE_NAME >> 'freeipa-server-dns' > > I'm okay with that if Honza or somebody else knowledgeable about the whole > platform-thingy can ACK this, amend Martin^2's patch 274 and test the whole thing.
> > Unfortunately I do not have time for it myself. If nobody does that please > push the original patch (when its dependency pspacek-0052 gets ACK). > I think you are overengineering this a little bit; adding whatever ipaplatform stuff just because of an error message seems rather unnecessary to me. I think changing the error message to "Integrated DNS requires 'freeipa-server-dns' package" or even "Integrated DNS requires IPA DNS server package" would be perfectly fine. BTW the location of ipa-dns-install is /usr/sbin, not /sbin. -- Jan Cholasta From mbabinsk at redhat.com Thu Jul 2 11:58:06 2015 From: mbabinsk at redhat.com (Martin Babinsky) Date: Thu, 2 Jul 2015 13:58:06 +0200 Subject: [Freeipa-devel] [PATCH 0046] add option to skip client API version check and proceed at user's own risk Message-ID: <5595274E.6070503@redhat.com> First attempt at https://fedorahosted.org/freeipa/ticket/4768 -- Martin^3 Babinsky -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0046-add-option-to-skip-client-API-version-check-and-proc.patch Type: text/x-patch Size: 335004 bytes Desc: not available URL: From pspacek at redhat.com Thu Jul 2 12:03:27 2015
From: pspacek at redhat.com (Petr Spacek) Date: Thu, 02 Jul 2015 14:03:27 +0200 Subject: [Freeipa-devel] [PATCH 0274] DNS: Check if dns package is installed In-Reply-To: <55952664.5030704@redhat.com> References: <5593EBD3.2000902@redhat.com> <5593FD26.8010903@redhat.com> <55943181.5060604@redhat.com> <5594DF23.8060103@redhat.com> <55951919.6020101@redhat.com> <559521B0.8010001@redhat.com> <55952664.5030704@redhat.com> Message-ID: <5595288F.5020906@redhat.com> On 2.7.2015 13:54, Jan Cholasta wrote: > Dne 2.7.2015 v 13:34 Petr Spacek napsal(a): >> On 2.7.2015 12:57, Tomas Babej wrote: >>> >>> >>> On 07/02/2015 08:50 AM, Petr Spacek wrote: >>>> On 1.7.2015 20:29, Tomas Babej wrote: >>>>> >>>>> >>>>> On 07/01/2015 04:45 PM, Petr Spacek wrote: >>>>>> On 1.7.2015 15:32, Martin Basti wrote: >>>>>>> https://fedorahosted.org/freeipa/ticket/4058 >>>>>>> Requires patch freeipa-pspacek-0052 >>>>>> >>>>>> ACK >>>>>> >>>>> >>>>> I must admit I don't really like wrapping a constant in the method in >>>>> the TaskNamespace object. >>>>> >>>>> We're interested in the constant itself - there's no case I can imagine >>>>> where the name of freeipa's dns package will be dynamic. >>>>> >>>>> For paths we have BasePathNamespace that contains all the paths, maybe >>>>> we should introduce something similar for the non-path platform >>>>> dependent constants? >>>> >>>> Generally I support this but it seems like 4.3 material (and out of >>>> scope of >>>> #4058). We need to finish 4.2 now. >>>> >>>> Please ACK or NACK ASAP. >>>> >>> >>> It's fairly straightforward to introduce a new platform namespace for >>> constants. >>> >>> See attached patch, it implements the namespace and already contains the >>> proper values for the dns package name.
>>> >>> The original patch 274 would only need to use: >>> >>> >>> from ipaplatform.constants import constants >>> >>> constants.DNS_PACKAGE_NAME >>> 'freeipa-server-dns' >> >> I'm okay with that if Honza or somebody else knowledgable about the whole >> platform-thingy can ACK this, amend Martin^2's patch 274 and test the whole >> thing. >> >> Unfortunately I do not have time for it myself. If nobody does that please >> push the original patch (when it's dependency pspacek-0052 gets ACK). >> > > I think you are overengineering this a little bit, adding whatever ipaplatform > stuff just because of an error message seems rather unnecessary to me. I think > changing the error message to "Integrated DNS requires 'freeipa-server-dns' > package" or even "Integrated DNS requires IPA DNS server package" would be > perfectly fine. The message should be as specific as possible but I do not care how it will be implemented. -- Petr^2 Spacek From mbabinsk at redhat.com Thu Jul 2 12:04:24 2015 From: mbabinsk at redhat.com (Martin Babinsky) Date: Thu, 2 Jul 2015 14:04:24 +0200 Subject: [Freeipa-devel] [PATCH 0046] add option to skip client API version check and proceed at user's own risk In-Reply-To: <5595274E.6070503@redhat.com> References: <5595274E.6070503@redhat.com> Message-ID: <559528C8.1020001@redhat.com> On 07/02/2015 01:58 PM, Martin Babinsky wrote: > First attempt at https://fedorahosted.org/freeipa/ticket/4768 > > > self-NACK -- Martin^3 Babinsky From dkupka at redhat.com Thu Jul 2 12:34:38 2015 
From: dkupka at redhat.com (David Kupka)
Date: Thu, 2 Jul 2015 14:34:38 +0200
Subject: [Freeipa-devel] [PATCH 0054] certmonger: Use private unix socket when DBus SystemBus is not available.
In-Reply-To: <5593F9A5.4080703@redhat.com>
References: <5593F9A5.4080703@redhat.com>
Message-ID: <55952FDE.8080408@redhat.com>

On 01/07/15 16:31, David Kupka wrote:
>

Updated patch attached.

-- 
David Kupka
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-dkupka-0054.1-cermonger-Use-private-unix-socket-when-DBus-SystemBu.patch
Type: text/x-patch
Size: 10737 bytes
Desc: not available
URL:

From mbabinsk at redhat.com Thu Jul 2 12:37:57 2015
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Thu, 2 Jul 2015 14:37:57 +0200
Subject: [Freeipa-devel] [PATCHES 0042-45] new commands for adding/removing certificates from entries
In-Reply-To: <55950431.9020505@redhat.com>
References: <558947C9.9020509@redhat.com> <559103A2.4080706@redhat.com> <55926999.5020301@redhat.com> <5592797F.6030509@redhat.com> <55928F78.6010408@redhat.com> <5593E58A.90801@redhat.com> <55950095.3000700@redhat.com> <55950431.9020505@redhat.com>
Message-ID: <559530A5.7060404@redhat.com>

On 07/02/2015 11:28 AM, Martin Babinsky wrote:
> On 07/02/2015 11:12 AM, Martin Babinsky wrote:
>> On 07/01/2015 03:05 PM, Martin Babinsky wrote:
>>> On 06/30/2015 02:45 PM, Martin Babinsky wrote:
>>>> On 06/30/2015 01:11 PM, Martin Babinsky wrote:
>>>>> On 06/30/2015 12:04 PM, Jan Cholasta wrote:
>>>>>> On 29.6.2015 at 10:36, Martin Babinsky wrote:
>>>>>>> On 06/23/2015 01:49 PM, Martin Babinsky wrote:
>>>>>>>> This patchset implements new API commands for manipulating
>>>>>>>> user/host/service userCertificate attribute alongside some underlying
>>>>>>>> plumbing.
>>>>>>>>
>>>>>>>> PATCH 0045 is a small test suite that I slapped together since manual
>>>>>>>> testing of this stuff is very cumbersome. It requires my PATCH 0040 to
>>>>>>>> apply and work which was pushed to master recently
>>>>>>>> (commit 74883bbc959058c8bfafd9f63e8fad0e3792ac28).
>>>>>>>>
>>>>>>>> The work is related to
>>>>>>>> http://www.freeipa.org/page/V4/User_Certificates
>>>>>>>> and https://fedorahosted.org/freeipa/ticket/4238
>>>>>>>>
>>>>>>> Attaching updated patches.
>>>>>>>
>>>>>>> Here are some notes for Jan because I did some things differently than
>>>>>>> we agreed on during review:
>>>>>>>
>>>>>>> 1.) I chose not to rename 'usercertificate' to 'usercertificate;binary'
>>>>>>> and back in pre/post callbacks. Despite the fact that the correct way to
>>>>>>> name the certificate attribute is 'usercertificate;binary', I feel that
>>>>>>> suddenly renaming it in the new code is asking for trouble.
>>>>>>
>>>>>> New code is new, there is no renaming, there is naming, and that naming
>>>>>> should follow standards, and the standard is userCertificate;binary.
>>>>>>
>>>>>> (For the record I did not ask for any renaming in *old* host and service
>>>>>> code.)
>>>>>>
>>>>> OK I will then use 'usercertificate;binary' and try to not break things.
>>>>>>>
>>>>>>> I'm all for changing the mapping between CLI options and actual
>>>>>>> attribute names but it should be done in a systematic fashion.
>>>>>>
>>>>>> +1, shall I post a patch?
>>>>>>
>>>>> That would be great, but I'm not sure if there is time for it. Maybe we
>>>>> can create a ticket for tracking?
>>>>>>>
>>>>>>> 2.) I have kept the `normalize_certs` function. It has the potential to
>>>>>>> catch incorrectly formatted/encoded certificates and in a way
>>>>>>> circumvents the slightly demented way the framework deals with
>>>>>>> supposedly binary data.
>>>>>>
>>>>>> One sentence above you asked for doing things in systematic fashion.
>>>>>> This is exactly what it isn't. A systematic solution would be a new
>>>>>> parameter type for certificates.
>>>>>>
>>>>> Ha I didn't notice that incorrect encoding is caught by validator.
>>>>>
>>>>> But I think that we still need to catch malformed certificates that
>>>>> cannot be decoded to DER and AFAIK we don't do that anywhere (failing
>>>>> tests when adding a random Base64-encoded string confirm this).
>>>>>
>>>>> All this probably stems from my confusion about the way IPA framework
>>>>> guesses binary data. For example, if I call `api.Command.user_add_cert`
>>>>> and fill 'certificate' option with Base64 blob reencoded to Unicode,
>>>>> everything works as expected.
>>>>>
>>>>> However, filling this option with 'str' leads to another round of Base64
>>>>> encoding in the framework, leading to 'userCertificate;binary' which is
>>>>> filled by original Base64 blob instead of DER encoded cert.
>>>>>
>>>>>>>
>>>>>>> I have also added two negative test cases which deal with incorrectly
>>>>>>> encoded and formatted certificates.
>>>>>>>
>>>>>>
>>>>>
>>>> Attaching updated patches (actually only 44 is updated, I added the
>>>> rename to/from 'usercertificate;binary' to user pre/post callbacks).
>>>>
>>> Another patch update attached (mainly fixing pep8 complaints and
>>> reworking certificate validation).
>>>
>> Updated patches attached.
>>
> I left a bug in PATCH 0043. Attaching updated version.
>

Attaching updated patches.

-- 
Martin^3 Babinsky
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbabinsk-0045.2-test-suite-for-user-host-service-certificate-managem.patch
Type: text/x-patch
Size: 12207 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbabinsk-0044.3-new-commands-to-manage-user-host-service-certificate.patch
Type: text/x-patch
Size: 14792 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbabinsk-0043.5-reworked-certificate-normalization-and-revocation.patch
Type: text/x-patch
Size: 13406 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbabinsk-0042.2-baseldap-add-support-for-API-commands-managing-only-.patch
Type: text/x-patch
Size: 4804 bytes
Desc: not available
URL:

From ftweedal at redhat.com Thu Jul 2 14:33:11 2015
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Fri, 3 Jul 2015 00:33:11 +1000
Subject: [Freeipa-devel] caacl enforcement for subjectAltName principals
Message-ID: <20150702143311.GB6584@dhcp-40-8.bne.redhat.com>

Hi all,

cert-request ensures that any dNSName values in a CSR subjectAltName
requestExtension have a corresponding service/host principal in
FreeIPA and that their entries are writable by the bind principal.

It currently DOES NOT enforce CA ACLs for these alternative
principals, i.e. it does not check that there is a caacl rule
allowing issuance of certificates to each alt-principal (using the
chosen profile.)

Should it? I'm leaning towards "yes" but I want other perspectives.

To complete the picture, only the main principal has the issued
certificate added to its userCertificate attribute; the alt-principals
do not.

Thanks,
Fraser

From mbabinsk at redhat.com Thu Jul 2 14:36:57 2015
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Thu, 2 Jul 2015 16:36:57 +0200
Subject: [Freeipa-devel] [PATCHES 0042-45] new commands for adding/removing certificates from entries
In-Reply-To: <559530A5.7060404@redhat.com>
References: <558947C9.9020509@redhat.com> <559103A2.4080706@redhat.com> <55926999.5020301@redhat.com> <5592797F.6030509@redhat.com> <55928F78.6010408@redhat.com> <5593E58A.90801@redhat.com> <55950095.3000700@redhat.com> <55950431.9020505@redhat.com> <559530A5.7060404@redhat.com>
Message-ID: <55954C89.1090804@redhat.com>

On 07/02/2015 02:37 PM, Martin Babinsky wrote:
> On 07/02/2015 11:28 AM, Martin Babinsky wrote:
>> On 07/02/2015 11:12 AM, Martin Babinsky wrote:
>>> On 07/01/2015 03:05 PM, Martin Babinsky wrote:
>>>> On 06/30/2015 02:45 PM, Martin Babinsky wrote:
>>>>> On 06/30/2015 01:11 PM, Martin Babinsky wrote:
>>>>>> On 06/30/2015 12:04 PM, Jan Cholasta wrote:
>>>>>>> On 29.6.2015 at 10:36, Martin Babinsky wrote:
>>>>>>>> On 06/23/2015 01:49 PM, Martin Babinsky wrote:
>>>>>>>>> This patchset implements new API commands for manipulating
>>>>>>>>> user/host/service userCertificate attribute alongside some underlying
>>>>>>>>> plumbing.
>>>>>>>>>
>>>>>>>>> PATCH 0045 is a small test suite that I slapped together since manual
>>>>>>>>> testing of this stuff is very cumbersome. It requires my PATCH 0040 to
>>>>>>>>> apply and work which was pushed to master recently
>>>>>>>>> (commit 74883bbc959058c8bfafd9f63e8fad0e3792ac28).
>>>>>>>>>
>>>>>>>>> The work is related to
>>>>>>>>> http://www.freeipa.org/page/V4/User_Certificates
>>>>>>>>> and https://fedorahosted.org/freeipa/ticket/4238
>>>>>>>>>
>>>>>>>> Attaching updated patches.
>>>>>>>>
>>>>>>>> Here are some notes for Jan because I did some things differently than
>>>>>>>> we agreed on during review:
>>>>>>>>
>>>>>>>> 1.) I chose not to rename 'usercertificate' to 'usercertificate;binary'
>>>>>>>> and back in pre/post callbacks. Despite the fact that the correct way to
>>>>>>>> name the certificate attribute is 'usercertificate;binary', I feel that
>>>>>>>> suddenly renaming it in the new code is asking for trouble.
>>>>>>>
>>>>>>> New code is new, there is no renaming, there is naming, and that naming
>>>>>>> should follow standards, and the standard is userCertificate;binary.
>>>>>>>
>>>>>>> (For the record I did not ask for any renaming in *old* host and service
>>>>>>> code.)
>>>>>>>
>>>>>> OK I will then use 'usercertificate;binary' and try to not break things.
>>>>>>>>
>>>>>>>> I'm all for changing the mapping between CLI options and actual
>>>>>>>> attribute names but it should be done in a systematic fashion.
>>>>>>>
>>>>>>> +1, shall I post a patch?
>>>>>>>
>>>>>> That would be great, but I'm not sure if there is time for it. Maybe we
>>>>>> can create a ticket for tracking?
>>>>>>>>
>>>>>>>> 2.) I have kept the `normalize_certs` function. It has the potential to
>>>>>>>> catch incorrectly formatted/encoded certificates and in a way
>>>>>>>> circumvents the slightly demented way the framework deals with
>>>>>>>> supposedly binary data.
>>>>>>>
>>>>>>> One sentence above you asked for doing things in systematic fashion.
>>>>>>> This is exactly what it isn't. A systematic solution would be a new
>>>>>>> parameter type for certificates.
>>>>>>>
>>>>>> Ha I didn't notice that incorrect encoding is caught by validator.
>>>>>>
>>>>>> But I think that we still need to catch malformed certificates that
>>>>>> cannot be decoded to DER and AFAIK we don't do that anywhere (failing
>>>>>> tests when adding a random Base64-encoded string confirm this).
>>>>>>
>>>>>> All this probably stems from my confusion about the way IPA framework
>>>>>> guesses binary data. For example, if I call `api.Command.user_add_cert`
>>>>>> and fill 'certificate' option with Base64 blob reencoded to Unicode,
>>>>>> everything works as expected.
>>>>>>
>>>>>> However, filling this option with 'str' leads to another round of Base64
>>>>>> encoding in the framework, leading to 'userCertificate;binary' which is
>>>>>> filled by original Base64 blob instead of DER encoded cert.
>>>>>>
>>>>>>>>
>>>>>>>> I have also added two negative test cases which deal with incorrectly
>>>>>>>> encoded and formatted certificates.
>>>>>>>>
>>>>>>>
>>>>>>
>>>>> Attaching updated patches (actually only 44 is updated, I added the
>>>>> rename to/from 'usercertificate;binary' to user pre/post callbacks).
>>>>>
>>>> Another patch update attached (mainly fixing pep8 complaints and
>>>> reworking certificate validation).
>>>>
>>> Updated patches attached.
>>>
>> I left a bug in PATCH 0043. Attaching updated version.
>>
> Attaching updated patches.
>

Attaching revised patchset.

It would be nice if Milan could comment on PATCH 0045.

-- 
Martin^3 Babinsky
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbabinsk-0045.2-test-suite-for-user-host-service-certificate-managem.patch
Type: text/x-patch
Size: 12207 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbabinsk-0044.4-new-commands-to-manage-user-host-service-certificate.patch
Type: text/x-patch
Size: 14792 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbabinsk-0043.6-reworked-certificate-normalization-and-revocation.patch
Type: text/x-patch
Size: 13530 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbabinsk-0042.2-baseldap-add-support-for-API-commands-managing-only-.patch
Type: text/x-patch
Size: 4804 bytes
Desc: not available
URL:

From jcholast at redhat.com Thu Jul 2 14:44:56 2015
From: jcholast at redhat.com (Jan Cholasta)
Date: Thu, 2 Jul 2015 16:44:56 +0200
Subject: [Freeipa-devel] [PATCHES 0042-45] new commands for adding/removing certificates from entries
In-Reply-To: <55954C89.1090804@redhat.com>
References: <558947C9.9020509@redhat.com> <559103A2.4080706@redhat.com> <55926999.5020301@redhat.com> <5592797F.6030509@redhat.com> <55928F78.6010408@redhat.com> <5593E58A.90801@redhat.com> <55950095.3000700@redhat.com> <55950431.9020505@redhat.com> <559530A5.7060404@redhat.com> <55954C89.1090804@redhat.com>
Message-ID: <55954E68.3040805@redhat.com>

On 2.7.2015 at 16:36, Martin Babinsky wrote:
> On 07/02/2015 02:37 PM, Martin Babinsky wrote:
>> On 07/02/2015 11:28 AM, Martin Babinsky wrote:
>>> On 07/02/2015 11:12 AM, Martin Babinsky wrote:
>>>> On 07/01/2015 03:05 PM, Martin Babinsky wrote:
>>>>> On 06/30/2015 02:45 PM, Martin Babinsky wrote:
>>>>>> On 06/30/2015 01:11 PM, Martin Babinsky wrote:
>>>>>>> On 06/30/2015 12:04 PM, Jan Cholasta wrote:
>>>>>>>> On 29.6.2015 at 10:36, Martin Babinsky wrote:
>>>>>>>>> On 06/23/2015 01:49 PM, Martin Babinsky wrote:
>>>>>>>>>> This patchset implements new API commands for manipulating
>>>>>>>>>> user/host/service userCertificate attribute alongside some underlying
>>>>>>>>>> plumbing.
>>>>>>>>>>
>>>>>>>>>> PATCH 0045 is a small test suite that I slapped together since manual
>>>>>>>>>> testing of this stuff is very cumbersome. It requires my PATCH 0040 to
>>>>>>>>>> apply and work which was pushed to master recently
>>>>>>>>>> (commit 74883bbc959058c8bfafd9f63e8fad0e3792ac28).
>>>>>>>>>>
>>>>>>>>>> The work is related to
>>>>>>>>>> http://www.freeipa.org/page/V4/User_Certificates
>>>>>>>>>> and https://fedorahosted.org/freeipa/ticket/4238
>>>>>>>>>>
>>>>>>>>> Attaching updated patches.
>>>>>>>>>
>>>>>>>>> Here are some notes for Jan because I did some things differently than
>>>>>>>>> we agreed on during review:
>>>>>>>>>
>>>>>>>>> 1.) I chose not to rename 'usercertificate' to 'usercertificate;binary'
>>>>>>>>> and back in pre/post callbacks. Despite the fact that the correct way to
>>>>>>>>> name the certificate attribute is 'usercertificate;binary', I feel that
>>>>>>>>> suddenly renaming it in the new code is asking for trouble.
>>>>>>>>
>>>>>>>> New code is new, there is no renaming, there is naming, and that naming
>>>>>>>> should follow standards, and the standard is userCertificate;binary.
>>>>>>>>
>>>>>>>> (For the record I did not ask for any renaming in *old* host and service
>>>>>>>> code.)
>>>>>>>>
>>>>>>> OK I will then use 'usercertificate;binary' and try to not break things.
>>>>>>>>>
>>>>>>>>> I'm all for changing the mapping between CLI options and actual
>>>>>>>>> attribute names but it should be done in a systematic fashion.
>>>>>>>>
>>>>>>>> +1, shall I post a patch?
>>>>>>>>
>>>>>>> That would be great, but I'm not sure if there is time for it. Maybe we
>>>>>>> can create a ticket for tracking?
>>>>>>>>>
>>>>>>>>> 2.) I have kept the `normalize_certs` function. It has the potential to
>>>>>>>>> catch incorrectly formatted/encoded certificates and in a way
>>>>>>>>> circumvents the slightly demented way the framework deals with
>>>>>>>>> supposedly binary data.
>>>>>>>>
>>>>>>>> One sentence above you asked for doing things in systematic fashion.
>>>>>>>> This is exactly what it isn't. A systematic solution would be a new
>>>>>>>> parameter type for certificates.
>>>>>>>>
>>>>>>> Ha I didn't notice that incorrect encoding is caught by validator.
>>>>>>>
>>>>>>> But I think that we still need to catch malformed certificates that
>>>>>>> cannot be decoded to DER and AFAIK we don't do that anywhere (failing
>>>>>>> tests when adding a random Base64-encoded string confirm this).
>>>>>>>
>>>>>>> All this probably stems from my confusion about the way IPA framework
>>>>>>> guesses binary data. For example, if I call `api.Command.user_add_cert`
>>>>>>> and fill 'certificate' option with Base64 blob reencoded to Unicode,
>>>>>>> everything works as expected.
>>>>>>>
>>>>>>> However, filling this option with 'str' leads to another round of Base64
>>>>>>> encoding in the framework, leading to 'userCertificate;binary' which is
>>>>>>> filled by original Base64 blob instead of DER encoded cert.
>>>>>>>
>>>>>>>>>
>>>>>>>>> I have also added two negative test cases which deal with incorrectly
>>>>>>>>> encoded and formatted certificates.
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>> Attaching updated patches (actually only 44 is updated, I added the
>>>>>> rename to/from 'usercertificate;binary' to user pre/post callbacks).
>>>>>>
>>>>> Another patch update attached (mainly fixing pep8 complaints and
>>>>> reworking certificate validation).
>>>>>
>>>> Updated patches attached.
>>>>
>>> I left a bug in PATCH 0043. Attaching updated version.
>>>
>> Attaching updated patches.
>>
> Attaching revised patchset.

Thanks, ACK on patch 42-44.

Pushed to master: 76eea85701af80dc972c47e14aecc7a688b9c846

>
> It would be nice if Milan could comment on PATCH 0045.
>

(I did not push this patch.)

-- 
Jan Cholasta

From mkosek at redhat.com Thu Jul 2 14:55:53 2015
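The `normalize_certs` discussion in the thread above turns on two failure modes: a Base64 string that decodes fine but is not a DER certificate (the "random Base64-encoded string" test), and a value that gets Base64-encoded a second time on its way into userCertificate;binary. The following is an added example, not FreeIPA code and not from any patch in this thread: a stdlib-only normalizer that accepts PEM or bare Base64 as str or bytes, returns DER, and rejects both failure modes by checking that the decoded bytes are an outer Certificate SEQUENCE whose first element is itself a SEQUENCE (the tbsCertificate position) and nothing trails it. The sample blob is constructed (a DER SEQUENCE nesting another SEQUENCE, not a real X.509 certificate), and `normalize_cert`, `to_ldap_value` and the other names are the example's own.

```python
import base64
import re
import textwrap

# Added example (not FreeIPA code): normalize a certificate given as PEM or
# bare Base64 to DER bytes, rejecting non-Base64 input and Base64 that does
# not decode to a DER Certificate structure.

PEM_ARMOR = re.compile(r"-----(BEGIN|END)[^-]*-----")


class CertificateFormatError(ValueError):
    """The value is not a Base64-encoded DER certificate."""


def _der_length(data, offset):
    """Decode the DER length field at ``offset``; return (length, octets used)."""
    if offset >= len(data):
        raise CertificateFormatError("truncated DER: missing length")
    first = data[offset]
    if first < 0x80:                      # short form
        return first, 1
    num = first & 0x7F                    # long form: number of length octets
    if num == 0 or num > 4 or offset + 1 + num > len(data):
        raise CertificateFormatError("invalid or truncated DER length")
    length = int.from_bytes(data[offset + 1:offset + 1 + num], "big")
    # DER requires the shortest encoding: long form only for >= 128, no leading zero.
    if length < 0x80 or data[offset + 1] == 0:
        raise CertificateFormatError("non-minimal DER length")
    return length, 1 + num


def _sequence_bounds(data, offset):
    """Require a DER SEQUENCE at ``offset``; return (content start, content end)."""
    if offset >= len(data) or data[offset] != 0x30:
        raise CertificateFormatError("expected DER SEQUENCE at offset %d" % offset)
    length, used = _der_length(data, offset + 1)
    start = offset + 1 + used
    if start + length > len(data):
        raise CertificateFormatError("DER SEQUENCE runs past end of data")
    return start, start + length


def normalize_cert(value):
    """Return DER bytes for a certificate given as PEM or bare Base64 (str or bytes)."""
    if isinstance(value, bytes):
        try:
            value = value.decode("ascii")
        except UnicodeDecodeError:
            raise CertificateFormatError("certificate text must be ASCII")
    text = re.sub(r"\s+", "", PEM_ARMOR.sub("", value))
    try:
        der = base64.b64decode(text, validate=True)   # rejects non-alphabet chars
    except ValueError as exc:                         # binascii.Error is a ValueError
        raise CertificateFormatError("invalid Base64: %s" % exc)
    outer_start, outer_end = _sequence_bounds(der, 0)
    if outer_end != len(der):
        raise CertificateFormatError("trailing data after certificate")
    _sequence_bounds(der, outer_start)   # tbsCertificate must be a SEQUENCE as well
    return der


def is_valid_cert(value):
    """Boolean wrapper for callers that only need a verdict."""
    try:
        normalize_cert(value)
        return True
    except CertificateFormatError:
        return False


def to_ldap_value(der):
    """Base64 text for userCertificate;binary: DER encoded exactly once."""
    return base64.b64encode(der).decode("ascii")


def _der_sequence(content):
    """Wrap ``content`` in a DER SEQUENCE (only used to build the constructed sample)."""
    n = len(content)
    if n < 0x80:
        return bytes([0x30, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x30, 0x80 | len(lb)]) + lb + content


# Constructed stand-in for a certificate (NOT a real X.509 cert): an outer
# SEQUENCE holding an inner SEQUENCE (the tbsCertificate position), padded
# past 128 bytes so the long-form length path is exercised, plus a NULL.
SAMPLE_DER = _der_sequence(
    _der_sequence(b"\x02\x01\x01" + b"\x04\x81\x80" + b"\x00" * 128) + b"\x05\x00")
SAMPLE_B64 = to_ldap_value(SAMPLE_DER)
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + "\n".join(textwrap.wrap(SAMPLE_B64, 64))
              + "\n-----END CERTIFICATE-----\n")
RANDOM_B64 = to_ldap_value(b"not a certificate")              # valid Base64, not DER
DOUBLE_ENCODED = to_ldap_value(SAMPLE_B64.encode("ascii"))    # Base64 of Base64 text

if __name__ == "__main__":
    print(normalize_cert(SAMPLE_PEM) == SAMPLE_DER)
    print(is_valid_cert(RANDOM_B64), is_valid_cert(DOUBLE_ENCODED))
```

The structural check is deliberately shallow: it does not parse the certificate, it only proves the bytes have the outer shape a DER Certificate must have, which is enough to reject arbitrary Base64 and the double-encoding case before the value reaches LDAP. Anything stricter belongs in a real parser.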
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 02 Jul 2015 16:55:53 +0200
Subject: [Freeipa-devel] [PATCH] 886-890 webui: API browser
In-Reply-To: <5593FE64.40307@redhat.com>
References: <5592C535.8070708@redhat.com> <55939859.4040704@redhat.com> <5593FE64.40307@redhat.com>
Message-ID: <559550F9.80201@redhat.com>

On 07/01/2015 04:51 PM, Petr Vobornik wrote:
> For those of you who don't want to try the patches:
> * https://pvoborni.fedorapeople.org/images/api-user-show.png
> * https://pvoborni.fedorapeople.org/images/api-user-add.png
>
> On 07/01/2015 09:35 AM, Martin Kosek wrote:
>> On 06/30/2015 06:35 PM, Petr Vobornik wrote:
>>> First part of API Browser - displaying the metadata in more consumable way.
>>>
>>> Second part, how to use it in different languages will be written as wiki pages
>>> first.
>>>
>>> The browser could be later enhanced with more info and tooltips.
>>>
>>> Patch 886 extends backend to send more metadata.
>>> Patch 887,888,889 are webui fixes and prerequisites
>>> Patch 890 is the API browser
>>
>> Thanks, this is a very good start. I looked at a VM with the patches and have
>> a couple of usability suggestions:
>>
>> 1) It was hard for me to find where the API Browser is. But "IPA Server" looks
>> like a good tab where it should be though.
>
> could be moved to "Help" tab when it's introduced. For that we need at least
> one more link.
>
>>
>> 2) I have strong doubts about the "Objects" tab, this is only understandable to
>> users knowledgeable about FreeIPA framework internals. Common API users who just
>> want to consume the API and do not know about the internals will not know what
>> this is.
>>
>> What I would do is make "API Browser" directly clickable so that it opens the
>> Commands tab. This is what most people will use. Other tabs may be stacked on
>> the left just like with Staged or Deleted users. For now, I would hide Objects
>> as I think it would cause more confusion. If we want to show it, there should
>> be some introduction to what it is good for, and maybe a limitation of the shown
>> fields to only those that have any value for the consumers.
>
> fixed, there is only "API Browser" and no submenu
>
>>
>> 3) In Commands tab, we will need something more explanatory about what the
>> attributes of Param need, and probably hide some. For example "exclude" is not
>> needed for consumers.
>>
>
> Attributes as follows were kept: label, type, default, default_from, values,
> minlength, maxlength, pattern, minvalue, maxvalue, precision, cli_name,
> option_group
>
>> 4) Many attributes have "autofill": True. I wonder how usable it is without
>> knowing the actual default for the attribute. Can we show the default?
>
> default_from now contains list of attrs which are used for the default value,
> e.g.:
> default value created from: givenname, sn
>
>>
>> 5) I would hide "Output Params" altogether given we don't have them set up
>> correctly in FreeIPA framework and they may rather confuse people, with having
>> all the HBAC or SUDO with User objects.
>>
>
> Removed from metadata
>
>> I may think about it more, these were just my first couple of thoughts. Others
>> may have different opinions here.
>>
>> Martin
>>
>
> Other changes:
> * cli options are shown with dashes as in CLI
> * required and multivalued were changed into tags next to option name. 'flags'
> which were shown as the tags are not displayed anymore
>
> updated patches attached.

I like the new version, good job! ACK from my side.

From ftweedal at redhat.com Thu Jul 2 15:18:58 2015
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Fri, 3 Jul 2015 01:18:58 +1000
Subject: [Freeipa-devel] my remaining 4.2 tickets
In-Reply-To: <55929DA0.8030006@redhat.com>
References: <20150630130353.GO6584@dhcp-40-8.bne.redhat.com> <55929DA0.8030006@redhat.com>
Message-ID: <20150702151858.GC6584@dhcp-40-8.bne.redhat.com>

On Tue, Jun 30, 2015 at 03:46:08PM +0200, Martin Kosek wrote:
> On 06/30/2015 03:03 PM, Fraser Tweedale wrote:
> > Hi Martin,
> >
> > #4559 [RFE] Support lightweight sub-CAs
> >
> > Remaining work is not huge but may be more than can be done this
> > week even with Christian's help; the largest remaining concern
> > being Custodia.
> >
> > As per discussion in team meeting, I'm going to liaise with Simo
> > and determine a plan for the key replication.
> >
> >
> > #2915 ipa-getcert does not allow setting specific EKU on
> > certificates
> >
> > Involves certmonger so I will need to do a bit more
> > investigation.
> >
> > If non-trivial to accomplish this with the default profile, now
> > that we have support for multiple profiles it could be done with
> > a separate profile, as long as certmonger passes the profile
> > properly with `-T' argument. I will follow up on this tomorrow
> > and let you know what I find out.
>
> Ok. I was not involved when the ticket was filed, but it does not seem to me as
> something that should get much priority and your time at this stage.
>
I haven't looked at this yet.

> > #4970 Server certificate profile should always include a Subject
> > Alternate name for the host
> >
> > If a subjectAltName request extension is in CSR, it is checked
> > by `cert-request', and copied onto the final certificate by
> > Dogtag. In the default profile there is currently no other way
> > to specify the SAN.
> >
> > A possible approach to resolve this with the default profile is
> > to update it to include a separate, optional subjectAltName
> > request input, which could be filled in if explicit SAN is not
> > provided in CSR. There are related lines of investigation.
> > Will provide update tomorrow.
>
> Ok.
>
I investigated this. My comments are on the ticket:
https://fedorahosted.org/freeipa/ticket/4970#comment:7 but in brief:
the way our current SAN support is implemented makes this a
non-trivial ticket.

Thanks,
Fraser

> > #4752 Provide an IEC 62351-8 / DNP3 ID certificate profile
> >
> > We can provide a profile that supports DNP3 extension now if it
> > is included in a CSR extension request.
> >
> > The patches for IEC 62351-8 extension are in review. Once that is in
> > Dogtag we will be able to provide a profile that supports it
> > with an extensionRequest in CSR.
>
> Ok (can be FreeIPA 4.2.x IMO).
>
> > #3473 Switch to using RESTful interface in dogtag CA interface
> >
> > Postpone; there is not an urgent need.
>
> Right, already did :-)
>

From mkosek at redhat.com Thu Jul 2 15:23:54 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 02 Jul 2015 17:23:54 +0200
Subject: [Freeipa-devel] my remaining 4.2 tickets
In-Reply-To: <20150702151858.GC6584@dhcp-40-8.bne.redhat.com>
References: <20150630130353.GO6584@dhcp-40-8.bne.redhat.com> <55929DA0.8030006@redhat.com> <20150702151858.GC6584@dhcp-40-8.bne.redhat.com>
Message-ID: <5595578A.5090103@redhat.com>

On 07/02/2015 05:18 PM, Fraser Tweedale wrote:
> On Tue, Jun 30, 2015 at 03:46:08PM +0200, Martin Kosek wrote:
>> On 06/30/2015 03:03 PM, Fraser Tweedale wrote:
...
>>> #4970 Server certificate profile should always include a Subject
>>> Alternate name for the host
>>>
>>> If a subjectAltName request extension is in CSR, it is checked
>>> by `cert-request', and copied onto the final certificate by
>>> Dogtag. In the default profile there is currently no other way
>>> to specify the SAN.
>>>
>>> A possible approach to resolve this with the default profile is
>>> to update it to include a separate, optional subjectAltName
>>> request input, which could be filled in if explicit SAN is not
>>> provided in CSR. There are related lines of investigation.
>>> Will provide update tomorrow.
>>
>> Ok.
>>
> I investigated this. My comments are on the ticket:
> https://fedorahosted.org/freeipa/ticket/4970#comment:7 but in brief:
> the way our current SAN support is implemented makes this a
> non-trivial ticket.

Thanks. What we need to do now (in the couple of days left before 4.2 GA) is
to think whether there is any problem that would prevent us from adding this
functionality later. If there is no problem, we are mostly done, as we won't be
able to do the Dogtag changes before 4.2 GA I suppose. If yes, that's another
story and we would need to plan what can be done before GA.

From jcholast at redhat.com Thu Jul 2 15:58:30 2015
From: jcholast at redhat.com (Jan Cholasta)
Date: Thu, 2 Jul 2015 17:58:30 +0200
Subject: [Freeipa-devel] my remaining 4.2 tickets
In-Reply-To: <20150702151858.GC6584@dhcp-40-8.bne.redhat.com>
References: <20150630130353.GO6584@dhcp-40-8.bne.redhat.com> <55929DA0.8030006@redhat.com> <20150702151858.GC6584@dhcp-40-8.bne.redhat.com>
Message-ID: <55955FA6.6000002@redhat.com>

Hi,

On 2.7.2015 at 17:18, Fraser Tweedale wrote:
> On Tue, Jun 30, 2015 at 03:46:08PM +0200, Martin Kosek wrote:
>> On 06/30/2015 03:03 PM, Fraser Tweedale wrote:
>>> #2915 ipa-getcert does not allow setting specific EKU on
>>> certificates
>>>
>>> Involves certmonger so I will need to do a bit more
>>> investigation.
>>>
>>> If non-trivial to accomplish this with the default profile, now
>>> that we have support for multiple profiles it could be done with
>>> a separate profile, as long as certmonger passes the profile
>>> properly with `-T' argument. I will follow up on this tomorrow
>>> and let you know what I find out.
>>
>> Ok. I was not involved when the ticket was filed, but it does not seem to me as
>> something that should get much priority and your time at this stage.
>>
> I haven't looked at this yet.

FYI getcert has supported setting EKU in the CSR using the -U option for a
long time. It also correctly passes the profile to IPA since 0.78.

>
>>> #4970 Server certificate profile should always include a Subject
>>> Alternate name for the host
>>>
>>> If a subjectAltName request extension is in CSR, it is checked
>>> by `cert-request', and copied onto the final certificate by
>>> Dogtag. In the default profile there is currently no other way
>>> to specify the SAN.
>>>
>>> A possible approach to resolve this with the default profile is
>>> to update it to include a separate, optional subjectAltName
>>> request input, which could be filled in if explicit SAN is not
>>> provided in CSR. There are related lines of investigation.
>>> Will provide update tomorrow.
>>
>> Ok.
>>
> I investigated this. My comments are on the ticket:
> https://fedorahosted.org/freeipa/ticket/4970#comment:7 but in brief:
> the way our current SAN support is implemented makes this a
> non-trivial ticket.

On a related note, I think we should also always include Kerberos principal
name SAN.

Honza

-- 
Jan Cholasta

From pspacek at redhat.com Thu Jul 2 16:24:12 2015
From: pspacek at redhat.com (Petr Spacek)
Date: Thu, 02 Jul 2015 18:24:12 +0200
Subject: [Freeipa-devel] caacl enforcement for subjectAltName principals
In-Reply-To: <20150702143311.GB6584@dhcp-40-8.bne.redhat.com>
References: <20150702143311.GB6584@dhcp-40-8.bne.redhat.com>
Message-ID: <559565AC.7020807@redhat.com>

On 2.7.2015 16:33, Fraser Tweedale wrote:
> Hi all,
>
> cert-request ensures that any dNSName values in a CSR subjectAltName
> requestExtension have a corresponding service/host principal in
> FreeIPA and that their entries are writable by the bind principal.
>
> It currently DOES NOT enforce CA ACLs for these alternative
> principals, i.e. it does not check that there is a caacl rule
> allowing issuance of certificates to each alt-principal (using the
> chosen profile.)
>
> Should it? I'm leaning towards "yes" but I want other perspectives.

I would say 'it has to!' :-)

From my point of view, subjectAltName allows the entity possessing the private
key for the certificate to impersonate anything mentioned in SubjectAltName
and CN ...

-- 
Petr^2 Spacek

From dkupka at redhat.com Thu Jul 2 17:42:39 2015
From: dkupka at redhat.com (David Kupka)
Date: Thu, 2 Jul 2015 19:42:39 +0200
Subject: [Freeipa-devel] [PATCH] 882 ipa-replica-manage del: relax segment deletion check if topology is disconnected
In-Reply-To: <5592A47B.2080606@redhat.com>
References: <5592A47B.2080606@redhat.com>
Message-ID: <5595780F.3090203@redhat.com>

On 30/06/15 16:15, Petr Vobornik wrote:
> Comment from segment deletion check which describes the patch:
>
> Relax check if topology was or is disconnected. Disconnected topology
> can contain segments with already deleted servers. Check only if
> segments of servers, which can contact this server, and the deleted
> server were removed.
> This code should handle a case where there was a topology with
> a central node(B): A <-> B <-> C, where A is current server.
> After removal of B, topology will be disconnected and removal of
> segment B <-> C won't be replicated back to server A, therefore
> presence of the segment has to be ignored.
>
> part of: https://fedorahosted.org/freeipa/ticket/5072
>
> patch 883 adds 180s timeout to the check and changes check interval from
> 1s to 2s.
>

Works for me, ACK.

-- 
David Kupka

From dkupka at redhat.com Thu Jul 2 17:42:45 2015
From: dkupka at redhat.com (David Kupka)
Date: Thu, 2 Jul 2015 19:42:45 +0200
Subject: [Freeipa-devel] [PATCH] 884 topologysegment: hide direction and enable options
In-Reply-To: <5592A49F.7030804@redhat.com>
References: <5592A49F.7030804@redhat.com>
Message-ID: <55957815.1090000@redhat.com>

On 30/06/15 16:15, Petr Vobornik wrote:
> These options should not be touched by users yet.
>
> https://fedorahosted.org/freeipa/ticket/5061
>

Works for me, ACK.

-- 
David Kupka

From dkupka at redhat.com Thu Jul 2 17:42:51 2015
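The segment-deletion comment quoted in the patch 882 review above describes a reachability rule: after a server is removed, the current server can only learn about segment deletions from servers it can still reach, so a segment between the deleted server and a now cut-off server must not block the check. The following is an added example, not FreeIPA code or the patch itself, that models servers as nodes and segments as undirected edges, computes exactly the segments the current server has to wait for, and wraps that in a polling loop with the timeout and interval described for patch 883. The server names, the `fetch_segments` callback and the injectable `sleep`/`clock` parameters are the example's own.

```python
# Added example (not FreeIPA code): the relaxed segment-deletion check as a
# graph problem, plus a polling loop with an injectable clock so it can be
# exercised without waiting.

import time
from collections import deque


def normalize_segment(a, b):
    """Segments are undirected; store the endpoints in a canonical order."""
    return (a, b) if a <= b else (b, a)


def reachable_servers(start, segments, excluded=frozenset()):
    """Breadth-first search from ``start`` over ``segments``, skipping ``excluded`` nodes."""
    adjacency = {}
    for a, b in segments:
        adjacency.setdefault(a, set()).add(b)
        adjacency.setdefault(b, set()).add(a)
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for other in adjacency.get(node, ()):
            if other not in seen and other not in excluded:
                seen.add(other)
                queue.append(other)
    return seen


def segments_to_wait_for(current, deleted, seen_segments):
    """Segments of ``deleted`` still visible to ``current`` whose removal must replicate back.

    Reachability is computed with ``deleted`` taken out of the topology. In
    A <-> B <-> C seen from A after deleting B, C is cut off, so a lingering
    B <-> C segment is ignored instead of blocking the deletion forever.
    """
    segments = {normalize_segment(a, b) for a, b in seen_segments}
    connected = reachable_servers(current, segments, excluded={deleted})
    return {seg for seg in segments
            if deleted in seg and all(s in connected for s in seg if s != deleted)}


def deletion_complete(current, deleted, seen_segments):
    """True once no segment that ``current`` must wait for is visible any more."""
    return not segments_to_wait_for(current, deleted, seen_segments)


def wait_for_segment_removal(current, deleted, fetch_segments, timeout=180,
                             interval=2, sleep=time.sleep, clock=time.monotonic):
    """Poll ``fetch_segments()`` until the deletion is complete or ``timeout`` seconds pass.

    Returns True when complete, False on timeout. ``sleep`` and ``clock`` are
    parameters only so the loop can be driven deterministically in a test.
    """
    deadline = clock() + timeout
    while True:
        if deletion_complete(current, deleted, fetch_segments()):
            return True
        if clock() >= deadline:
            return False
        sleep(interval)


if __name__ == "__main__":
    # A <-> B <-> C seen from A; B is being deleted.
    line = [("A", "B"), ("B", "C")]
    print(segments_to_wait_for("A", "B", line))          # only A <-> B
    print(deletion_complete("A", "B", [("B", "C")]))     # True: B <-> C is ignored
```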
From: dkupka at redhat.com (David Kupka)
Date: Thu, 2 Jul 2015 19:42:51 +0200
Subject: [Freeipa-devel] [PATCH] 885 topology: make cn of new segment consistent with topology plugin
In-Reply-To: <5592A4C5.1000403@redhat.com>
References: <5592A4C5.1000403@redhat.com>
Message-ID: <5595781B.60409@redhat.com>

On 30/06/15 16:16, Petr Vobornik wrote:
> SSIA
>
>
Works for me, ACK.

--
David Kupka

From derny at redhat.com Thu Jul 2 20:07:12 2015
From: derny at redhat.com (Drew Erny)
Date: Thu, 2 Jul 2015 16:07:12 -0400
Subject: [Freeipa-devel] [RFC] Community Portal - Where to go next?
Message-ID: <559599F0.8040408@redhat.com>

Hi, all,

The core functionality of the community portal is more-or-less complete. In a local development environment, you can go to a web page, put in information, and have that information reflected in the FreeIPA server. There's definitely some polishing needed (for example, there is no styling to the web pages), but the core functionality is all there.

What I need now is for someone to go through the source code, which can be found at github.com/dperny/freeipa-communityportal, and let me know if everything seems sound and sane.

I also, perhaps more importantly, need some help on where to go with this next. The core functionality is all there, but how I'm going to deploy this to a live environment is still a bit hazy, as is where I should start to make that happen. There are many ways to deploy a cherrypy web application, and I'm not sure which path is best. Or, if deployment isn't important yet at this stage in the prototype, what should I focus my efforts on now?

Thanks,

Drew Erny

From ftweedal at redhat.com Fri Jul 3 03:14:57 2015
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Fri, 3 Jul 2015 13:14:57 +1000
Subject: [Freeipa-devel] caacl enforcement for subjectAltName principals
In-Reply-To: <559565AC.7020807@redhat.com>
References: <20150702143311.GB6584@dhcp-40-8.bne.redhat.com> <559565AC.7020807@redhat.com>
Message-ID: <20150703030805.GD6584@dhcp-40-8.bne.redhat.com>

On Thu, Jul 02, 2015 at 06:24:12PM +0200, Petr Spacek wrote:
> On 2.7.2015 16:33, Fraser Tweedale wrote:
> > Hi all,
> >
> > cert-request ensures that any dNSName values in a CSR subjectAltName
> > requestExtension have a corresponding service/host principal in
> > FreeIPA and that their entries are writable by the bind principal.
> >
> > It currently DOES NOT enforce CA ACLs for these alternative
> > principals, i.e. it does not check that there is a caacl rule
> > allowing issuance of certificates to each alt-principal (using the
> > chosen profile.)
> >
> > Should it? I'm leaning towards "yes" but I want other perspectives.
>
> I would say 'it has to!' :-)
>
> From my point of view, subjectAltName allows the entity possessing the private
> key for the certificate to impersonate anything mentioned in
> SubjectAltName and CN ...
>
Thanks Petr, that's enough corroboration for me.

Ticket: https://fedorahosted.org/freeipa/ticket/5096

Expect the patch Friday some time.

From dkupka at redhat.com Fri Jul 3 04:17:04 2015
From: dkupka at redhat.com (David Kupka)
Date: Fri, 3 Jul 2015 06:17:04 +0200
Subject: [Freeipa-devel] [PATCH 0055] ipa-replica-prepare: Do not create DNS zone it automatically.
Message-ID: <55960CC0.4060208@redhat.com>

Since ipa-replica-* tools will be soon removed I think this simple check should be enough.

--
David Kupka
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-dkupka-0055-ipa-replica-prepare-Do-not-create-DNS-zone-it-automa.patch
Type: text/x-patch
Size: 2127 bytes
Desc: not available
URL:

From dkupka at redhat.com Fri Jul 3 04:28:53 2015
From: dkupka at redhat.com (David Kupka)
Date: Fri, 3 Jul 2015 06:28:53 +0200
Subject: [Freeipa-devel] [RFC] Community Portal - Where to go next?
In-Reply-To: <559599F0.8040408@redhat.com>
References: <559599F0.8040408@redhat.com>
Message-ID: <55960F85.2040801@redhat.com>

On 02/07/15 22:07, Drew Erny wrote:
> Hi, all,
>
> The core functionality of the community portal is more-or-less complete.
> In a local development environment, you can go to a web page, put in
> information, and have that information reflected in the FreeIPA server.
> There's definitely some polishing needed (for example, there is no
> styling to the web pages), but the core functionality is all there.
>
> What I need now is for someone to go through the source code, which can
> be found at github.com/dperny/freeipa-communityportal, and let me know
> if everything seems sound and sane.
>
> I also, perhaps more importantly, need some help on where to go with
> this next. The core functionality is all there, but how I'm going to
> deploy this to a live environment is still a bit hazy where I should
> start to make that happen. There are many ways to deploy a cherrypy web
> application, and I'm not sure which path is best. Or, if deployment
> isn't important yet at this stage in the prototype, what should I focus
> my efforts on now?
>
> Thanks,
>
> Drew Erny
>
Hi Drew,
when all the core functionality is done and ready then polish it, pack it, ship it :-)

IIUC, the community portal is a part of WebUI so I would package it together, iow in freeipa-server. Or create another package depending on freeipa-server.

--
David Kupka

From mkosek at redhat.com Fri Jul 3 06:23:45 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 3 Jul 2015 08:23:45 +0200
Subject: [Freeipa-devel] my remaining 4.2 tickets
In-Reply-To: <55955FA6.6000002@redhat.com>
References: <20150630130353.GO6584@dhcp-40-8.bne.redhat.com> <55929DA0.8030006@redhat.com> <20150702151858.GC6584@dhcp-40-8.bne.redhat.com> <55955FA6.6000002@redhat.com>
Message-ID: <55962A71.4050701@redhat.com>

On 07/02/2015 05:58 PM, Jan Cholasta wrote:
> Hi,
>
> On 2.7.2015 at 17:18, Fraser Tweedale wrote:
>> On Tue, Jun 30, 2015 at 03:46:08PM +0200, Martin Kosek wrote:
>>> On 06/30/2015 03:03 PM, Fraser Tweedale wrote:
>>>> #2915 ipa-getcert does not allow setting specific EKU on
>>>> certificates
>>>>
>>>> Involves certmonger so I will need to do a bit more
>>>> investigation.
>>>>
>>>> If non-trivial to accomplish this with the default profile, now
>>>> that we have support for multiple profiles it could be done with
>>>> a separate profile, as long as certmonger passes the profile
>>>> properly with `-T' argument. I will follow up on this tomorrow
>>>> and let you know what I find out.
>>>
>>> Ok. I was not involved when the ticket was filed, but it does not seem to me as
>>> something that should get much priority and your time at this stage.
>>>
>> I haven't looked at this yet.
>
> FYI getcert supports setting EKU in the CSR using the -U option for a long
> time. It also correctly passes the profile to IPA since 0.78.
>
>>
>>>> #4970 Server certificate profile should always include a Subject
>>>> Alternate name for the host
>>>>
>>>> If a subjectAltName request extension is in CSR, it is checked
>>>> by `cert-request', and copied onto the final certificate by
>>>> Dogtag. In the default profile there is currently no other way
>>>> to specify the SAN.
>>>>
>>>> A possible approach to resolve this with the default profile is
>>>> to update it to include a separate, optional subjectAltName
>>>> request input, which could be filled in if explicit SAN is not
>>>> provided in CSR. There are related lines of investigation.
>>>> Will provide update tomorrow.
>>>
>>> Ok.
>>>
>> I investigated this. My comments are on the ticket:
>> https://fedorahosted.org/freeipa/ticket/4970#comment:7 but in brief:
>> the way our current SAN support is implemented makes this a
>> non-trivial ticket.
>
> On a related note, I think we should also always include kerberos principal
> name SAN.

That would be nice, how difficult is it to enable this with certificates FreeIPA issues? It would also let us make easier principal-based queries for Dogtag certificates. Right?

Martin

From jcholast at redhat.com Fri Jul 3 06:41:21 2015
From: jcholast at redhat.com (Jan Cholasta)
Date: Fri, 3 Jul 2015 08:41:21 +0200
Subject: [Freeipa-devel] [PATCH 0054] cermonger: Use private unix socket when DBus SystemBus is not available.
In-Reply-To: <55952FDE.8080408@redhat.com>
References: <5593F9A5.4080703@redhat.com> <55952FDE.8080408@redhat.com>
Message-ID: <55962E91.4040104@redhat.com>

On 2.7.2015 at 14:34, David Kupka wrote:
> On 01/07/15 16:31, David Kupka wrote:
>>
>>
>>
> Updated patch attached.

Client install works, but uninstall does not:

# ipa-client-install --uninstall -U
certmonger failed to start: Command ''/bin/systemctl' 'start' 'certmonger.service'' returned non-zero exit status 1
certmonger failed to stop tracking certificate: Failed to start certmonger: Timeouted
2015-07-03 02:38:15 [17242] Error reading PIN from "/etc/ipa/nssdb/pwdfile.txt": No such file or directory.
Failed to start certmonger: Timeouted

The patch needs a rebase.

--
Jan Cholasta

From mkosek at redhat.com Fri Jul 3 06:44:47 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 3 Jul 2015 08:44:47 +0200
Subject: [Freeipa-devel] Postponing Topology feature
Message-ID: <55962F5F.8090606@redhat.com>

Hi all,

I had several offline discussions about the Topology feature [1] and what to do with it. Many developers worked pretty hard on making the Topology usable for the upcoming FreeIPA 4.2 release, however, it still misses some of the functionality that would prevent our users from making the best of it. Namely:

1) Dogtag Topology management: https://fedorahosted.org/freeipa/ticket/3053
2) Replica Promotion: https://fedorahosted.org/freeipa/ticket/2888
3) Graphical topology view: https://fedorahosted.org/freeipa/ticket/4286

While 3) is mostly eye candy, without 1) and 2) the current Topology does not have sufficient value for our users to ship it. Also, there could be upgrade issues when 1) is implemented and we may need to introduce another Domain Level.

So what we thought would make most sense for FreeIPA 4.2 is to simply release without Topology functionality and postpone it to the next version, which could follow FreeIPA 4.2 within 1-2 months.

Sorry for the inconvenience, but don't worry - Topology is not going anywhere, it's coming! (Just a bit later and with more bells and whistles)

[1] https://fedorahosted.org/freeipa/ticket/4302

--
Martin Kosek
Supervisor, Software Engineering - Identity Management Team
Red Hat Inc.

From mkosek at redhat.com Fri Jul 3 06:46:13 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 3 Jul 2015 08:46:13 +0200
Subject: [Freeipa-devel] [PATCH 0054] cermonger: Use private unix socket when DBus SystemBus is not available.
In-Reply-To: <55962E91.4040104@redhat.com>
References: <5593F9A5.4080703@redhat.com> <55952FDE.8080408@redhat.com> <55962E91.4040104@redhat.com>
Message-ID: <55962FB5.906@redhat.com>

On 07/03/2015 08:41 AM, Jan Cholasta wrote:
> On 2.7.2015 at 14:34, David Kupka wrote:
>> On 01/07/15 16:31, David Kupka wrote:
>>>
>>>
>>>
>> Updated patch attached.
>
> Client install works, but uninstall does not:
>
> # ipa-client-install --uninstall -U
> certmonger failed to start: Command ''/bin/systemctl' 'start'
> 'certmonger.service'' returned non-zero exit status 1
> certmonger failed to stop tracking certificate: Failed to start certmonger:
> Timeouted
> 2015-07-03 02:38:15 [17242] Error reading PIN from
> "/etc/ipa/nssdb/pwdfile.txt": No such file or directory.
> Failed to start certmonger: Timeouted
>
> The patch needs a rebase.
>
Also, "Timeouted" is not a word, try "Timed out" instead :-)

From tbabej at redhat.com Fri Jul 3 06:48:38 2015
From: tbabej at redhat.com (Tomas Babej)
Date: Fri, 03 Jul 2015 08:48:38 +0200
Subject: [Freeipa-devel] [PATCH] 882 ipa-replica-manage del: relax segment deletement check if topology is disconnected
In-Reply-To: <5595780F.3090203@redhat.com>
References: <5592A47B.2080606@redhat.com> <5595780F.3090203@redhat.com>
Message-ID: <55963046.40008@redhat.com>

On 07/02/2015 07:42 PM, David Kupka wrote:
> On 30/06/15 16:15, Petr Vobornik wrote:
>> Comment from segment deletion check which describes the patch:
>>
>> Relax check if topology was or is disconnected. Disconnected topology
>> can contain segments with already deleted servers. Check only if
>> segments of servers, which can contact this server, and the deleted
>> server were removed.
>> This code should handle a case where there was a topology with
>> a central node (B): A <-> B <-> C, where A is current server.
>> After removal of B, topology will be disconnected and removal of
>> segment B <-> C won't be replicated back to server A, therefore
>> presence of the segment has to be ignored.
>>
>> part of: https://fedorahosted.org/freeipa/ticket/5072
>>
>> patch 883 adds 180s timeout to the check and changes check interval from
>> 1s to 2s.
>>
>>
> Works for me, ACK.
>
Pushed to master: fa4954c35d2742606bf0b865d5a48899aa64de99

From tbabej at redhat.com Fri Jul 3 06:49:09 2015
From: tbabej at redhat.com (Tomas Babej)
Date: Fri, 03 Jul 2015 08:49:09 +0200
Subject: [Freeipa-devel] [PATCH] 884 topologysegment: hide direction and enable options
In-Reply-To: <55957815.1090000@redhat.com>
References: <5592A49F.7030804@redhat.com> <55957815.1090000@redhat.com>
Message-ID: <55963065.2000601@redhat.com>

On 07/02/2015 07:42 PM, David Kupka wrote:
> On 30/06/15 16:15, Petr Vobornik wrote:
>> These options should not be touched by users yet.
>>
>> https://fedorahosted.org/freeipa/ticket/5061
>>
>>
> Works for me, ACK.
>
Pushed to master: 2b8e1caa7bfda5e540a94fe26fbcdbfd0ea68928

From tbabej at redhat.com Fri Jul 3 06:49:41 2015
From: tbabej at redhat.com (Tomas Babej)
Date: Fri, 03 Jul 2015 08:49:41 +0200
Subject: [Freeipa-devel] [PATCH] 885 topology: make cn of new segment consistent with topology plugin
In-Reply-To: <5595781B.60409@redhat.com>
References: <5592A4C5.1000403@redhat.com> <5595781B.60409@redhat.com>
Message-ID: <55963085.50105@redhat.com>

On 07/02/2015 07:42 PM, David Kupka wrote:
> On 30/06/15 16:16, Petr Vobornik wrote:
>> SSIA
>>
>>
> Works for me, ACK.
>
Pushed to master: 66ea322e7e01266cc916156860b684adb21c618d

From tbabej at redhat.com Fri Jul 3 07:03:09 2015
From: tbabej at redhat.com (Tomas Babej)
Date: Fri, 03 Jul 2015 09:03:09 +0200
Subject: [Freeipa-devel] [PATCH 0274] DNS: Check if dns package is installed
In-Reply-To: <5595288F.5020906@redhat.com>
References: <5593EBD3.2000902@redhat.com> <5593FD26.8010903@redhat.com> <55943181.5060604@redhat.com> <5594DF23.8060103@redhat.com> <55951919.6020101@redhat.com> <559521B0.8010001@redhat.com> <55952664.5030704@redhat.com> <5595288F.5020906@redhat.com>
Message-ID: <559633AD.7010005@redhat.com>

On 07/02/2015 02:03 PM, Petr Spacek wrote:
> On 2.7.2015 13:54, Jan Cholasta wrote:
>> On 2.7.2015 at 13:34, Petr Spacek wrote:
>>> On 2.7.2015 12:57, Tomas Babej wrote:
>>>>
>>>>
>>>> On 07/02/2015 08:50 AM, Petr Spacek wrote:
>>>>> On 1.7.2015 20:29, Tomas Babej wrote:
>>>>>>
>>>>>>
>>>>>> On 07/01/2015 04:45 PM, Petr Spacek wrote:
>>>>>>> On 1.7.2015 15:32, Martin Basti wrote:
>>>>>>>> https://fedorahosted.org/freeipa/ticket/4058
>>>>>>>> Requires patch freeipa-pspacek-0052
>>>>>>>
>>>>>>> ACK
>>>>>>>
>>>>>>
>>>>>> I must admit I don't really like wrapping a constant in the method in
>>>>>> the TaskNamespace object.
>>>>>>
>>>>>> We're interested in the constant itself - there's no case I can imagine
>>>>>> where the name of the freeipa's dns package will be dynamic.
>>>>>>
>>>>>> For paths we have BasePathNamespace that contains all the paths, maybe
>>>>>> we should introduce something similar for the non-path platform
>>>>>> dependent constants?
>>>>>
>>>>> Generally I support this but it seems like a 4.3 material (and out of
>>>>> scope of
>>>>> #4058). We need to finish 4.2 now.
>>>>>
>>>>> Please ACK or NACK ASAP.
>>>>>
>>>>
>>>> It's fairly straightforward to introduce a new platform namespace for
>>>> constants.
>>>>
>>>> See attached patch, it implements the namespace and already contains the
>>>> proper values for the dns package name.
>>>>
>>>> The original patch 274 would only need to use:
>>>>
>>>> >>> from ipaplatform.constants import constants
>>>> >>> constants.DNS_PACKAGE_NAME
>>>> 'freeipa-server-dns'
>>>
>>> I'm okay with that if Honza or somebody else knowledgeable about the whole
>>> platform-thingy can ACK this, amend Martin^2's patch 274 and test the whole
>>> thing.
>>>
>>> Unfortunately I do not have time for it myself. If nobody does that please
>>> push the original patch (when its dependency pspacek-0052 gets ACK).
>>>
>>
>> I think you are overengineering this a little bit, adding whatever ipaplatform
>> stuff just because of an error message seems rather unnecessary to me. I think
>> changing the error message to "Integrated DNS requires 'freeipa-server-dns'
>> package" or even "Integrated DNS requires IPA DNS server package" would be
>> perfectly fine.
>
> The message should be as specific as possible but I do not care how it will be
> implemented.
>
Alright, let's not get stuck.

Petr insists on a specific message on each platform. Given that the package name is platform dependent, I think we should keep it as a platform constant; a task makes little sense.

Given that Martin's not available right now, I'll amend his patches and send the updated version.

Tomas

From jcholast at redhat.com Fri Jul 3 07:48:30 2015
From: jcholast at redhat.com (Jan Cholasta)
Date: Fri, 3 Jul 2015 09:48:30 +0200
Subject: [Freeipa-devel] [PATCH 0272] Server upgrade: log more into debug log instead of info log
In-Reply-To: <5593A619.3000808@redhat.com>
References: <5593A619.3000808@redhat.com>
Message-ID: <55963E4E.2090303@redhat.com>

Hi,

On 1.7.2015 at 10:34, Martin Basti wrote:
> Update is logging too much info into info log.
>
> Patch attached.

Works for me, ACK.

Pushed to master: 884afb5d38480e23c91ec14876bcf39151a2c2ed

--
Jan Cholasta

From tbabej at redhat.com Fri Jul 3 08:06:41 2015
From: tbabej at redhat.com (Tomas Babej)
Date: Fri, 03 Jul 2015 10:06:41 +0200
Subject: [Freeipa-devel] [PATCH] 886-890 webui: API browser
In-Reply-To: <559550F9.80201@redhat.com>
References: <5592C535.8070708@redhat.com> <55939859.4040704@redhat.com> <5593FE64.40307@redhat.com> <559550F9.80201@redhat.com>
Message-ID: <55964291.4000803@redhat.com>

On 07/02/2015 04:55 PM, Martin Kosek wrote:
> On 07/01/2015 04:51 PM, Petr Vobornik wrote:
>> For those of you who don't want to try the patches:
>> * https://pvoborni.fedorapeople.org/images/api-user-show.png
>> * https://pvoborni.fedorapeople.org/images/api-user-add.png
>>
>> On 07/01/2015 09:35 AM, Martin Kosek wrote:
>>> On 06/30/2015 06:35 PM, Petr Vobornik wrote:
>>>> First part of API Browser - displaying the metadata in more consumable way.
>>>>
>>>> Second part, how to use it in different languages will be written as wiki pages
>>>> first.
>>>>
>>>> The browser could be later enhanced with more infos and tooltips.
>>>>
>>>> Patch 886 extends backend to send more metadata.
>>>> Patch 887,888,889 are webui fixes and prerequisites
>>>> Patch 890 is the API browser
>>>
>>> Thanks, this is a very good start. I looked at a VM with the patches and have
>>> a couple of usability suggestions:
>>>
>>> 1) It was hard for me to find where the API Browser is. But "IPA Server" looks
>>> as a good tab where it should be though.
>>
>> could be moved to "Help" tab when it's introduced. For that we need at least
>> one more link.
>>
>>>
>>> 2) I have strong doubts about the "Objects" tab, this is only understandable to
>>> users knowledgeable about FreeIPA framework internals. Common API user who just
>>> want to consume the API and not know about the internals will not know what
>>> this is.
>>>
>>> What I would do is make "API Browser" directly clickable so that it opens the
>>> Commands tab. This is what most people will use. Other tabs may be stacked on
>>> the left just like with Staged or Deleted users. For now, I would hide Objects
>>> as I think it would cause more confusion. If we want to show it, there should
>>> be some introduction what it is good for and maybe limitation of showed fields
>>> to only those that has any value for the consumers.
>>
>> fixed, there is only "API Browser" and no submenu
>>
>>>
>>> 3) In Commands tab, we will some more explanatory what the attributes of Param
>>> needs and probably hide some. For example "exclude" is not needed for consumers.
>>>
>>
>> Attributes as follows were kept: label, type, default, default_from, values,
>> minlength, maxlength, pattern, minvalue, maxvalue, precision, cli_name,
>> option_group
>>
>>> 4) Many attributes have "autofill": True. I wonder how usable it is without
>>> knowing the actual default for the attribute. Can we show the default?
>>
>> default_from now contains list of attrs which are used for the default value,
>> e.g.:
>> default value created from: givenname, sn
>>
>>
>>>
>>> 5) I would hide "Output Params" altogether given we don't have them set up
>>> correctly in FreeIPA framework and they may rather confuse people, with having
>>> all the HBAC or SUDO with User objects.
>>>
>>
>> Removed from metadata
>>
>>> I may think about it more, these were just my couple first thoughts. Others may
>>> have different opinions here.
>>>
>>> Martin
>>>
>>
>> Other changes:
>> * cli options are shown with dashes as in CLI
>> * required and multivalued were changed into tags next to option name. 'flags'
>> which were shown as the tags are not displayed anymore
>>
>>
>> updated patches attached.
>
> I like the new version, good job! ACK from my side.
>
Patchset works fine in my testing.

Two (nitpick) questions:

1.) Should we show objects that have defined no methods or params as 'pkinit'?

2.) Relationships and attribute members are displayed in rather raw form:

attribute_members: {"member":["user","group"],"memberindirect":["user","group"],"memberof":["group","netgroup","role","hbacrule","sudorule"],"memberofindirect":["group","netgroup","role","hbacrule","sudorule"]}

relationships: {"member":["Member","","no_"],"memberindirect":["Indirect Member",null,"no_indirect_"],"memberof":["Member Of","in_","not_in_"],"memberofindirect":["Indirect Member Of",null,"not_in_indirect_"]}

Could we maybe special-case these (or introduce a way how to detect and display a dict of lists as formatted html)? Or are there arguments for the raw view of the API?

Tomas

From tbabej at redhat.com Fri Jul 3 08:45:39 2015
From: tbabej at redhat.com (Tomas Babej)
Date: Fri, 03 Jul 2015 10:45:39 +0200
Subject: [Freeipa-devel] [PATCH] 886-890 webui: API browser
In-Reply-To: <55964291.4000803@redhat.com>
References: <5592C535.8070708@redhat.com> <55939859.4040704@redhat.com> <5593FE64.40307@redhat.com> <559550F9.80201@redhat.com> <55964291.4000803@redhat.com>
Message-ID: <55964BB3.6040308@redhat.com>

On 07/03/2015 10:06 AM, Tomas Babej wrote:
>
>
> On 07/02/2015 04:55 PM, Martin Kosek wrote:
>> On 07/01/2015 04:51 PM, Petr Vobornik wrote:
>>> For those of you who don't want to try the patches:
>>> * https://pvoborni.fedorapeople.org/images/api-user-show.png
>>> * https://pvoborni.fedorapeople.org/images/api-user-add.png
>>>
>>> On 07/01/2015 09:35 AM, Martin Kosek wrote:
>>>> On 06/30/2015 06:35 PM, Petr Vobornik wrote:
>>>>> First part of API Browser - displaying the metadata in more consumable way.
>>>>>
>>>>> Second part, how to use it in different languages will be written as wiki pages
>>>>> first.
>>>>>
>>>>> The browser could be later enhanced with more infos and tooltips.
>>>>>
>>>>> Patch 886 extends backend to send more metadata.
>>>>> Patch 887,888,889 are webui fixes and prerequisites
>>>>> Patch 890 is the API browser
>>>>
>>>> Thanks, this is a very good start. I looked at a VM with the patches and have
>>>> a couple of usability suggestions:
>>>>
>>>> 1) It was hard for me to find where the API Browser is. But "IPA Server" looks
>>>> as a good tab where it should be though.
>>>
>>> could be moved to "Help" tab when it's introduced. For that we need at least
>>> one more link.
>>>
>>>>
>>>> 2) I have strong doubts about the "Objects" tab, this is only understandable to
>>>> users knowledgeable about FreeIPA framework internals. Common API user who just
>>>> want to consume the API and not know about the internals will not know what
>>>> this is.
>>>>
>>>> What I would do is make "API Browser" directly clickable so that it opens the
>>>> Commands tab. This is what most people will use. Other tabs may be stacked on
>>>> the left just like with Staged or Deleted users. For now, I would hide Objects
>>>> as I think it would cause more confusion. If we want to show it, there should
>>>> be some introduction what it is good for and maybe limitation of showed fields
>>>> to only those that has any value for the consumers.
>>>
>>> fixed, there is only "API Browser" and no submenu
>>>
>>>>
>>>> 3) In Commands tab, we will some more explanatory what the attributes of Param
>>>> needs and probably hide some. For example "exclude" is not needed for consumers.
>>>>
>>>
>>> Attributes as follows were kept: label, type, default, default_from, values,
>>> minlength, maxlength, pattern, minvalue, maxvalue, precision, cli_name,
>>> option_group
>>>
>>>> 4) Many attributes have "autofill": True. I wonder how usable it is without
>>>> knowing the actual default for the attribute. Can we show the default?
>>>
>>> default_from now contains list of attrs which are used for the default value,
>>> e.g.:
>>> default value created from: givenname, sn
>>>
>>>
>>>>
>>>> 5) I would hide "Output Params" altogether given we don't have them set up
>>>> correctly in FreeIPA framework and they may rather confuse people, with having
>>>> all the HBAC or SUDO with User objects.
>>>>
>>>
>>> Removed from metadata
>>>
>>>> I may think about it more, these were just my couple first thoughts. Others may
>>>> have different opinions here.
>>>>
>>>> Martin
>>>>
>>>
>>> Other changes:
>>> * cli options are shown with dashes as in CLI
>>> * required and multivalued were changed into tags next to option name. 'flags'
>>> which were shown as the tags are not displayed anymore
>>>
>>>
>>> updated patches attached.
>>
>> I like the new version, good job! ACK from my side.
>>
>
> Patchset works fine in my testing.
>
> Two (nitpick) questions:
>
> 1.) Should we show objects that have defined no methods or params as
> 'pkinit'?
>
> 2.) Relationships and attribute members are displayed in rather raw form:
>
> attribute_members:
> {"member":["user","group"],"memberindirect":["user","group"],"memberof":["group","netgroup","role","hbacrule","sudorule"],"memberofindirect":["group","netgroup","role","hbacrule","sudorule"]}
>
> relationships: {"member":["Member","","no_"],"memberindirect":["Indirect
> Member",null,"no_indirect_"],"memberof":["Member
> Of","in_","not_in_"],"memberofindirect":["Indirect Member
> Of",null,"not_in_indirect_"]}
>
>
> Could we maybe special-case these (or introduce a way how to detect and
> display a dict of lists as formatted html)? Or are there arguments for
> the raw view of the API?
>
> Tomas
>
On second thought, I don't think these issues should block this patchset for now. We can improve/discuss that in 4.2.x.

Pushed to master: 2a976334c2160c91a61fb0c477777e7adbbd3150

From edewata at redhat.com Fri Jul 3 12:23:42 2015
From: edewata at redhat.com (Endi Sukma Dewata) Date: Fri, 03 Jul 2015 07:23:42 -0500 Subject: [Freeipa-devel] [PATCH] Password vault In-Reply-To: <55938E71.1070405@redhat.com> References: <54E1AF55.3060409@redhat.com> <54EBEB55.6010306@redhat.com> <54F96B22.9050507@redhat.com> <55004D5D.6060300@redhat.com> <550FE5EB.1070606@redhat.com> <551E0AE1.8040500@redhat.com> <553498D1.1020901@redhat.com> <55651209.8020000@redhat.com> <556558AA.6040107@redhat.com> <556CF209.7050404@redhat.com> <556EF05E.90103@redhat.com> <55719260.8080300@redhat.com> <5571FD75.5010708@redhat.com> <557568CB.3040503@redhat.com> <557756EE.8020507@redhat.com> <5577D581.1020800@redhat.com> <557E7D21.2040304@redhat.com> <557F5998.2000103@redhat.com> <55811463.8050802@redhat.com> <5588D21A.1020104@redhat.com> <558B9334.8030104@redhat.com> <558C33DF.6080403@redhat.com> <55938E71.1070405@redhat.com> Message-ID: <55967ECE.90701@redhat.com> On 7/1/2015 1:53 AM, Jan Cholasta wrote: >>>>>>> I think it would be better to use a new attribute type which >>>>>>> inherits >>>>>>> from ipaPublicKey (ipaVaultPublicKey?) rather than ipaPublicKey >>>>>>> directly >>>>>>> for assymetric vault public keys, so that assymetric public key and >>>>>>> escrow public key are on the same level and you can still use >>>>>>> ipaPublicKey to refer to either one: >>>>>>> >>>>>>> ipaPublicKey >>>>>>> ipaVaultPublicKey >>>>>>> ipaEscrowPublicKey >>>>>>> >>>>>> OK. To be consistent the parameters need to be renamed too: >>>>>> --vault-public-key and --vault-public-key-file. >>>>> >>>>> It doesn't need to, there is no requirement for CLI names to always >>>>> match attribute names. (Also I don't insist on the name >>>>> "ipaVaultPublicKey", feel free to change it if you want.) >>>> >>>> It's unchanged for now. In a previous discussion it was advised to >>>> reuse >>>> the existing attribute type whenever possible. >>> >>> Well, in this discussion, it is not. 
Escrow public key should also reuse >>> ipaPublicKey, but it can't if you use it for vault public key. By using >>> ipaPublicKey subtypes you can distinguish between the two uses and still >>> use ipaPublicKey to refer to either of them. >> >> So what's changed? This is what you said when I posted the same patch >> six months ago: >> >>>> In this patch I'm adding ipaVaultSalt and ipaVaultPublicKey attribute >>>> types to store salt and public key for vault. Are there existing >>>> attribute types that I can use instead? I see there's an ipaPublicKey, >>>> should I use that and maybe add ipaSalt/ipaEncSalt? Thanks. >>> >>> yes, please re-use existing attributes where possible. >>> >>> Honza > > What changed is that I now know there is also escrow public key, which I > didn't know six months ago. Here's patch #368 to be applied on top of patch #357-5, but see comments below. >> Could you show me how to use ipaPublicKey to refer to ipaVaultPublicKey >> and ipaEscrowPublicKey? Under what situation would that be useful? > > For example for ipaPublicKey searches - if ipaVaultPublicKey and > ipaEscrowPublicKey both inherit from ipaPublicKey, then an ipaPublicKey > search will look in both ipaVaultPublicKey and ipaEscrowPublicKey. This > is not something we actually need right now, but once the schema is > done, it can't be fixed and I don't think we should prevent this, > especially since we can get it for free. BTW even the core LDAP schema > does this, see for example how the cn attribute inherits from the more > general name attribute: . I don't think that's how LDAP works. The RFC doesn't say that either. The cn does inherit from name, but if you search for name it won't match/return cn. 
See queries below: $ ldapsearch -LLL -x -b "dc=example,dc=com" "(cn=Accounting Managers)" dn: cn=Accounting Managers,ou=Groups,dc=example,dc=com objectClass: top objectClass: groupOfUniqueNames cn: Accounting Managers ou: groups description: People who can manage accounting entries uniqueMember: cn=Directory Manager $ ldapsearch -LLL -x -b "dc=example,dc=com" "(cn=Accounting Managers)" \ name dn: cn=Accounting Managers,ou=Groups,dc=example,dc=com (no cn attribute) $ ldapsearch -LLL -x -b "dc=example,dc=com" "(name=Accounting Managers)" (no result) Assuming this is what you meant, which doesn't seem to be working, is there still a valid reason to add a new ipaVaultPublicKey instead of using the existing ipaPublicKey? >>>> * CLI options will be identical to client and server API options (i.e. >>>> no CLI-only, client-only, or server-only options) >>> >>> Actually, you can create CLI-only options (add include='cli' to the >>> param's kwargs). >> >> I need to look at this more closely. If I understand correctly in >> user_del there are two 'preserve' options, the Bool preserve is for >> client and server API, and the Flag preserve is for CLI. Wouldn't it be >> better if they are stored in separate lists (or maybe separate classes)? >> And it looks like you still need to delete the CLI options explicitly >> anyway. > > Well, it would be better if there was no Flag class at all and flags > were handled by CLI exclusively, because parameter classes should > reflect the data type (bool) and not the presentation (flag). That indicates there should be a separation between client API and the CLI too because, as you see in user_del, they can be different. >> Does the API.txt actually show the CLI options, the client API options, >> or the server API options? I only see the Flag preserve, not the Bool >> preserve. > > It shows CLI options, see how the API object is initialized in makeapi. 
Does that mean we're only doing the versioning on the CLI, and not the client API or server API? Suppose there are changes in client or server API that do not appear in API.txt but will affect the XML RPC, it might cause a compatibility problem. I think it just shows how convoluted the CLI, client API, and server API are in this framework.

>>>> * a plugin will only access one type of data (i.e. LDAP plugin can only
>>>> access LDAP data)
>>>
>>> This is not assumed anywhere in the framework, you can access whatever
>>> you want, but you can't expect baseldap to do everything for you.
>>
>> Nobody is expecting baseldap to do KRA operations.
>>
>>> As the
>>> name implies, it is LDAP specific, if you want something else, you have
>>> to implement it yourself.
>>
>> In the previous patch vault_retrieve inherits from LDAPRetrieve so it
>> can rely on baseldap to retrieve the vault entry, then on top of that it
>> implements additional KRA operations (without baseldap obviously). If
>> that is not allowed, aren't you basically saying LDAP plugin can only
>> access LDAP data?
>
> Yes, basically, but I'm also saying that you are not limited to doing
> LDAP plugins only.

I think this logic is flawed. Suppose later we add code to remove a user's vaults when the user is deleted, does it mean the user_del can no longer inherit from LDAPDelete?

> You can abuse the callbacks to do anything, including data retrieval
> from other sources, but it doesn't make it right, as it only leads to
> code duplication, inconsistencies and weird bugs. I have seen too much
> of this, hence my reluctance to do it again.

I don't think extending the base class to perform additional functionalities can be generalized as 'abuse' or 'hack' or called 'semantically wrong'. Sometimes it is the right solution. Sometimes if the framework is so limiting that the only solution is to extend uncommon methods, it's called a 'workaround'. If there is code duplication we should find a way to refactor it.
What's considered an inconsistency is very subjective. Weird bugs are case specific; they cannot be generalized.

>>>> * a command name will match the object name (i.e. must use
>>>> vaultdata_mod
>>>> instead of a more intuitive vault_archive)
>>>
>>> I don't see how consistency is a bad thing, or how this could limit
>>> anyone doing things cleanly. I do agree that vaultdata_mod is ugly, but
>>> it's not the only way to achieve the same goal.
>>
>> Look at it from user's perspective. If you create a vault using
>> vault-add <name>, then archive data using vaultdata-mod <vault
>> name>, how is this consistent?
>
> Because it's object-verb and not object-verbofsomeotherobject. (Also I
> already acknowledged the vaultdata idea is ugly.)

In that case, strictly speaking, vault-mod will violate that rule too because you're modifying an attribute, not the object itself like vault-add or vault-del. From user's perspective the secret 'data' is just another attribute in the vault. So similarly, vault-archive is modifying the 'data' attribute in the vault. The fact that the 'data' is stored in KRA rather than in IPA is just an implementation detail. If we have to expose this distinction to the user, that's a problem with the framework. Also, if you're willing to use vault-archive rather than vaultdata-mod, that means the rule is irrelevant. Consistency should be viewed from user's perspective first, then developer's perspective later (if possible at all).

>>>> We know that some use cases do not fit these assumptions. Rather than
>>>> compromising the use case, or looking at workarounds as hacks, I'd
>>>> suggest finding ideas to improve the framework itself to be more
>>>> accommodating.
>>>
>>> I would personally love to improve the framework (it's just retarded
>>> sometimes as you may have noticed), but it does not have high priority
>>> right now (not my decision).
>>
>> We don't have to modify the current framework right now, but we can
>> align new code that doesn't fit the current framework to match the future
>> framework. Although the future framework is not defined yet, some things
>> are already clear, for example there should be separate client and
>> server APIs. So if a command like vault_add has differing client and
>> server options, regardless of how insignificant it is, there's no reason to
>> force it to be combined. The current framework doesn't prevent
>> separation anyway.
>
> Aligning new code is exactly what I'm aiming to do and why I want people
> to look at their APIs from an object oriented perspective rather than
> just dumb RPC, because that's the direction the framework is heading.

Again, user's perspective first, developer's perspective later, and with the right CLI, client API, and server API separation.

-- 
Endi S. Dewata

-------------- next part --------------
>From bf83dfd7d1f140eb26cc3f7a9c265a0d3743fbbb Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" 
Date: Thu, 2 Jul 2015 15:27:16 -0400
Subject: [PATCH] Added ipaVaultPublicKey attribute.

A new attribute ipaVaultPublicKey has been added to replace the existing
ipaPublicKey used to store the vault public key.

https://fedorahosted.org/freeipa/ticket/3872
---
 API.txt                                   |  6 +++---
 VERSION                                   |  4 ++--
 install/share/60basev3.ldif               |  3 ++-
 ipalib/plugins/vault.py                   | 16 ++++++++--------
 ipatests/test_xmlrpc/test_vault_plugin.py |  4 ++--
 5 files changed, 17 insertions(+), 16 deletions(-)

diff --git a/API.txt b/API.txt
index a90e60ad97fa56a304c54fd61a4b02ad7559882f..d0ae1b72c2ae445a4e2cc168da5fd53f9a4de56d 100644
--- a/API.txt
+++ b/API.txt
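The schema relationship the exchange above turns on (whether ipaVaultPublicKey is a subtype of ipaPublicKey, and what that implies) can be checked offline from the attributeTypes definitions themselves. What follows is an added example, not code from the thread, the patch or FreeIPA: a small parser for RFC 4512 attribute type descriptions that resolves SUP chains, shows that ipaVaultPublicKey inherits ipaPublicKey's EQUALITY and SYNTAX, and lists which attribute types a selection of ipaPublicKey would cover on a server that applies the subtype semantics of RFC 4512 section 2.5.1. It parses the two vault attribute lines from the patch as they appear there; the ipaPublicKey and ipaEscrowPublicKey definitions (with placeholder OIDs) and the 'name'/'cn' lines are constructed for the example (the latter after RFC 4519). It says nothing about what a particular server does with a supertype filter; that is what the ldapsearch runs above probe.

```python
import re
from typing import Dict, List, Optional

# Tokeniser for RFC 4512 schema descriptions: quoted strings, parentheses, bare words.
_TOKEN = re.compile(r"'[^']*'|\(|\)|[^\s()']+")

# Keywords that take no value; every other keyword is followed by exactly one
# value (a quoted string, a bare word, or a parenthesised list).
_FLAGS = {"SINGLE-VALUE", "COLLECTIVE", "NO-USER-MODIFICATION", "OBSOLETE"}


def parse_attribute_type(definition: str) -> dict:
    """Parse one attributeTypes value, with or without the 'attributeTypes:' LDIF prefix."""
    if definition.lower().startswith("attributetypes:"):
        definition = definition.split(":", 1)[1]
    tokens = _TOKEN.findall(definition)
    if len(tokens) < 2 or tokens[0] != "(" or tokens[-1] != ")":
        raise ValueError("attribute type description must be parenthesised")
    tokens = tokens[1:-1]
    at = {"oid": tokens[0], "name": None, "sup": None,
          "equality": None, "syntax": None, "single_value": False}
    i = 1
    while i < len(tokens):
        key = tokens[i]
        i += 1
        if key in _FLAGS:
            at["single_value"] = at["single_value"] or key == "SINGLE-VALUE"
            continue
        if i >= len(tokens):
            raise ValueError("keyword %s has no value" % key)
        if tokens[i] == "(":                       # e.g. NAME ( 'cn' 'commonName' )
            close = tokens.index(")", i)
            values = [t.strip("'") for t in tokens[i + 1:close]]
            i = close + 1
        else:
            values = [tokens[i].strip("'")]
            i += 1
        if key == "NAME":
            at["name"] = values[0]                 # first NAME is the canonical one
        elif key == "SUP":
            at["sup"] = values[0]
        elif key == "EQUALITY":
            at["equality"] = values[0]
        elif key == "SYNTAX":
            at["syntax"] = values[0]
        # DESC, SUBSTR, ORDERING, USAGE, X-ORIGIN, ... are consumed and ignored
    if at["name"] is None:
        raise ValueError("attribute type %s has no NAME" % at["oid"])
    return at


def load_schema(definitions: List[str]) -> Dict[str, dict]:
    """Index attribute types by lower-cased name (LDAP attribute names are case-insensitive)."""
    schema = {}
    for definition in definitions:
        at = parse_attribute_type(definition)
        schema[at["name"].lower()] = at
    return schema


def supertype_chain(schema: Dict[str, dict], name: str) -> List[str]:
    """Names of all supertypes of `name`, nearest first; rejects unknown or cyclic SUP."""
    chain, seen = [], set()
    sup = schema[name.lower()]["sup"]
    while sup is not None:
        key = sup.lower()
        if key in seen:
            raise ValueError("SUP cycle through %s" % sup)
        if key not in schema:
            raise KeyError("supertype %s of %s is not in the schema" % (sup, name))
        seen.add(key)
        chain.append(schema[key]["name"])
        sup = schema[key]["sup"]
    return chain


def is_subtype(schema: Dict[str, dict], name: str, supertype: str) -> bool:
    return supertype.lower() in (s.lower() for s in supertype_chain(schema, name))


def effective(schema: Dict[str, dict], name: str, field: str) -> Optional[str]:
    """EQUALITY or SYNTAX of an attribute type, inherited along the SUP chain when not declared."""
    for candidate in [name] + supertype_chain(schema, name):
        value = schema[candidate.lower()][field]
        if value is not None:
            return value
    return None


def subtypes_of(schema: Dict[str, dict], supertype: str) -> List[str]:
    """Every attribute type below `supertype`: the set a selection or assertion on the
    supertype covers on a server implementing RFC 4512 subtype semantics."""
    return sorted(at["name"] for at in schema.values()
                  if is_subtype(schema, at["name"], supertype))


SCHEMA = load_schema([
    # 'name' and its subtype 'cn' after RFC 4519 (the NAME list form many servers ship)
    "( 2.5.4.41 NAME 'name' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )",
    "( 2.5.4.3 NAME ( 'cn' 'commonName' ) SUP name )",
    # constructed stand-in for ipaPublicKey with a placeholder OID (real definition not on this page)
    "( 1.3.6.1.4.1.99999.1 NAME 'ipaPublicKey' DESC 'constructed placeholder' "
    "EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'example' )",
    # the two vault attribute lines exactly as in the 60basev3.ldif hunk of the patch
    "attributeTypes: (2.16.840.1.113730.3.8.18.2.2 NAME 'ipaVaultSalt' DESC 'IPA vault salt' "
    "EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'IPA v4.2' )",
    "attributeTypes: (2.16.840.1.113730.3.8.18.2.3 NAME 'ipaVaultPublicKey' "
    "DESC 'IPA vault public key' SUP ipaPublicKey X-ORIGIN 'IPA v4.2' )",
    # the escrow key mentioned in the thread: hypothetical, no definition exists on the page
    "( 1.3.6.1.4.1.99999.2 NAME 'ipaEscrowPublicKey' SUP ipaPublicKey X-ORIGIN 'example' )",
])
```

With this schema, `supertype_chain(SCHEMA, "ipaVaultPublicKey")` is `["ipaPublicKey"]`, `effective(SCHEMA, "ipaVaultPublicKey", "equality")` resolves to the inherited `octetStringMatch`, and `subtypes_of(SCHEMA, "ipaPublicKey")` lists both the vault and the (hypothetical) escrow key, which is the "search on ipaPublicKey covers both" property being argued over; whether a deployed directory honours it is a server question, not a schema one.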
@@ -5332,7 +5332,7 @@ arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, option: Str('addattr*', cli_name='addattr', exclude='webui') option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Str('description?', cli_name='desc') -option: Bytes('ipapublickey?', cli_name='public_key') +option: Bytes('ipavaultpublickey?', cli_name='public_key') option: Str('ipavaulttype?', cli_name='type') option: Str('password?', cli_name='password') option: Str('password_file?', cli_name='password_file') @@ -5351,7 +5351,7 @@ args: 1,10,3 arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, required=True) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Str('description', attribute=True, cli_name='desc', multivalue=False, required=False) -option: Bytes('ipapublickey', attribute=True, cli_name='public_key', multivalue=False, required=False) +option: Bytes('ipavaultpublickey', attribute=True, cli_name='public_key', multivalue=False, required=False) option: Bytes('ipavaultsalt', attribute=True, cli_name='salt', multivalue=False, required=False) option: Str('ipavaulttype', attribute=True, autofill=True, cli_name='type', default=u'standard', multivalue=False, required=False) option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') 
@@ -5430,7 +5430,7 @@ option: Str('addattr*', cli_name='addattr', exclude='webui') option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Str('delattr*', cli_name='delattr', exclude='webui') option: Str('description', attribute=True, autofill=False, cli_name='desc', multivalue=False, required=False) -option: Bytes('ipapublickey', attribute=True, autofill=False, cli_name='public_key', multivalue=False, required=False) +option: Bytes('ipavaultpublickey', attribute=True, autofill=False, cli_name='public_key', multivalue=False, required=False) option: Bytes('ipavaultsalt', attribute=True, autofill=False, cli_name='salt', multivalue=False, required=False) option: Str('ipavaulttype', attribute=True, autofill=False, cli_name='type', default=u'standard', multivalue=False, required=False) option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') diff --git a/VERSION b/VERSION index f96638721fb10c5925e9289da4ba41c86e39adeb..f69a5bb880c1141b620159fa3e6ea6f0eb6a30fd 100644 --- a/VERSION +++ b/VERSION @@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000 # # ######################################################## IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=136 -# Last change: edewata - added symmetric and asymmetric vaults +IPA_API_VERSION_MINOR=137 +# Last change: edewata - added ipaVaultPublicKey attribute diff --git a/install/share/60basev3.ldif b/install/share/60basev3.ldif index cb159db05a5371c71e421160f60140d85ba5496f..5491f99f5e78f122f94e9215bf5751d487f19d2e 100644 --- a/install/share/60basev3.ldif +++ b/install/share/60basev3.ldif 
@@ -58,6 +58,7 @@ attributeTypes: (2.16.840.1.113730.3.8.11.70 NAME 'ipaPermTargetTo' DESC 'Destin attributeTypes: (2.16.840.1.113730.3.8.11.71 NAME 'ipaPermTargetFrom' DESC 'Source location from where moving an entry IPA permission ACI' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN 'IPA v4.0' ) attributeTypes: (2.16.840.1.113730.3.8.18.2.1 NAME 'ipaVaultType' DESC 'IPA vault type' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.2') attributeTypes: (2.16.840.1.113730.3.8.18.2.2 NAME 'ipaVaultSalt' DESC 'IPA vault salt' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'IPA v4.2' ) +attributeTypes: (2.16.840.1.113730.3.8.18.2.3 NAME 'ipaVaultPublicKey' DESC 'IPA vault public key' SUP ipaPublicKey X-ORIGIN 'IPA v4.2' ) objectClasses: (2.16.840.1.113730.3.8.12.1 NAME 'ipaExternalGroup' SUP top STRUCTURAL MUST ( cn ) MAY ( ipaExternalMember $ memberOf $ description $ owner) X-ORIGIN 'IPA v3' ) objectClasses: (2.16.840.1.113730.3.8.12.2 NAME 'ipaNTUserAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) MAY ( ipaNTHash $ ipaNTLogonScript $ ipaNTProfilePath $ ipaNTHomeDirectory $ ipaNTHomeDirectoryDrive ) X-ORIGIN 'IPA v3' ) objectClasses: (2.16.840.1.113730.3.8.12.3 NAME 'ipaNTGroupAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) X-ORIGIN 'IPA v3' ) 
@@ -81,4 +82,4 @@ objectClasses: (2.16.840.1.113730.3.8.12.24 NAME 'ipaPublicKeyObject' DESC 'Wrap objectClasses: (2.16.840.1.113730.3.8.12.25 NAME 'ipaPrivateKeyObject' DESC 'Wrapped private keys' SUP top AUXILIARY MUST ( ipaPrivateKey $ ipaWrappingKey $ ipaWrappingMech ) X-ORIGIN 'IPA v4.1' ) objectClasses: (2.16.840.1.113730.3.8.12.26 NAME 'ipaSecretKeyObject' DESC 'Wrapped secret keys' SUP top AUXILIARY MUST ( ipaSecretKey $ ipaWrappingKey $ ipaWrappingMech ) X-ORIGIN 'IPA v4.1' ) objectClasses: (2.16.840.1.113730.3.8.12.34 NAME 'ipaSecretKeyRefObject' DESC 'Indirect storage for encoded key material' SUP top AUXILIARY MUST ( ipaSecretKeyRef ) X-ORIGIN 'IPA v4.1' ) -objectClasses: (2.16.840.1.113730.3.8.18.1.1 NAME 'ipaVault' DESC 'IPA vault' SUP top STRUCTURAL MUST ( cn ) MAY ( description $ ipaVaultType $ ipaVaultSalt $ ipaPublicKey ) X-ORIGIN 'IPA v4.2' ) +objectClasses: (2.16.840.1.113730.3.8.18.1.1 NAME 'ipaVault' DESC 'IPA vault' SUP top STRUCTURAL MUST ( cn ) MAY ( description $ ipaVaultType $ ipaVaultSalt $ ipaVaultPublicKey ) X-ORIGIN 'IPA v4.2' ) diff --git a/ipalib/plugins/vault.py b/ipalib/plugins/vault.py index 193fa5cbb6eb06d22a30d8cfba62e10e9557c1d6..9fcd619d19de9ae036a73bb3af9dc050c6be6c76 100644 --- a/ipalib/plugins/vault.py +++ b/ipalib/plugins/vault.py @@ -233,7 +233,7 @@ class vault(LDAPObject): 'description', 'ipavaulttype', 'ipavaultsalt', - 'ipapublickey', + 'ipavaultpublickey', ] search_display_attributes = [ 'cn', @@ -276,7 +276,7 @@ class vault(LDAPObject): flags=['no_search'], ), Bytes( - 'ipapublickey?', + 'ipavaultpublickey?', cli_name='public_key', label=_('Public key'), doc=_('Vault public key'), @@ -509,7 +509,7 @@ class vault_add(PKQuery, Local): doc=_('File containing the vault password'), ), Bytes( - 'ipapublickey?', + 'ipavaultpublickey?', cli_name='public_key', doc=_('Vault public key'), ), 
@@ -527,7 +527,7 @@ class vault_add(PKQuery, Local): vault_type = options.get('ipavaulttype', u'standard') password = options.get('password') password_file = options.get('password_file') - public_key = options.get('ipapublickey') + public_key = options.get('ipavaultpublickey') public_key_file = options.get('public_key_file') # don't send these parameters to server @@ -584,11 +584,11 @@ class vault_add(PKQuery, Local): public_key = f.read() # store vault public key - options['ipapublickey'] = public_key + options['ipavaultpublickey'] = public_key else: raise errors.ValidationError( - name='ipapublickey', + name='ipavaultpublickey', error=_('Missing vault public key')) # create vault @@ -606,7 +606,7 @@ class vault_add(PKQuery, Local): del opts['ipavaultsalt'] elif vault_type == u'asymmetric': - del opts['ipapublickey'] + del opts['ipavaultpublickey'] # archive blank data self.api.Command.vault_archive(*args, **opts) @@ -920,7 +920,7 @@ class vault_archive(PKQuery, Local): elif vault_type == u'asymmetric': - public_key = vault['ipapublickey'][0].encode('utf-8') + public_key = vault['ipavaultpublickey'][0].encode('utf-8') # generate encryption key encryption_key = base64.b64encode(os.urandom(32)) diff --git a/ipatests/test_xmlrpc/test_vault_plugin.py b/ipatests/test_xmlrpc/test_vault_plugin.py index f8b57855a152c4c86d3a7681e6cc187a85b2c468..3db93b207fac405ba654b84a2a07668d9a69edb6 100644 --- a/ipatests/test_xmlrpc/test_vault_plugin.py +++ b/ipatests/test_xmlrpc/test_vault_plugin.py @@ -634,7 +634,7 @@ class test_vault_plugin(Declarative): [asymmetric_vault_name], { 'ipavaulttype': u'asymmetric', - 'ipapublickey': public_key, + 'ipavaultpublickey': public_key, }, ), 'expected': { 
@@ -646,7 +646,7 @@ class test_vault_plugin(Declarative): 'objectclass': [u'top', u'ipaVault'], 'cn': [asymmetric_vault_name], 'ipavaulttype': [u'asymmetric'], - 'ipapublickey': [public_key], + 'ipavaultpublickey': [public_key], }, }, }, -- 1.9.3 From ftweedal at redhat.com Fri Jul 3 12:34:07 2015 From: ftweedal at redhat.com (Fraser Tweedale) Date: Fri, 3 Jul 2015 22:34:07 +1000 Subject: [Freeipa-devel] [PATCH] 0024..0025 Add missing certprofile features In-Reply-To: <20150702101212.GZ6584@dhcp-40-8.bne.redhat.com> References: <20150702091546.GY6584@dhcp-40-8.bne.redhat.com> <55950325.9010200@redhat.com> <20150702101212.GZ6584@dhcp-40-8.bne.redhat.com> Message-ID: <20150703123407.GE6584@dhcp-40-8.bne.redhat.com> On Thu, Jul 02, 2015 at 08:12:12PM +1000, Fraser Tweedale wrote: > On Thu, Jul 02, 2015 at 11:23:49AM +0200, Jan Cholasta wrote: > > Hi, > > > > Dne 2.7.2015 v 11:15 Fraser Tweedale napsal(a): > > >Attached patches fix a couple of important gaps in certprofile > > >plugin: > > > > > >- Add --out option to export Dogtag profile data to file > > > https://fedorahosted.org/freeipa/ticket/5091 > > > > > >- Add --file option to update existing profile in Dogtag > > > https://fedorahosted.org/freeipa/ticket/5093 > > > > > > > Just a couple nitpicks: > > > > + takes_options = LDAPUpdate.takes_options + ( > > + File('file?', > > + label=_('File containing profile configuration'), > > + cli_name='file', > > + flags=('virtual_attribute',), > > + ), > > + ) > > > > 1) Don't set cli_name if it's the same as name. > > > > 2) The virtual_attribute flag is meaningless in Commands. > > > > 3) Add "include='cli'" to denote that the option is specific to CLI (applies > > to --out as well). > > > > Honza > > > > -- > > Jan Cholasta > > > Thanks, updated patches attached. Interdiff below. > > diff --git a/ipalib/plugins/certprofile.py b/ipalib/plugins/certprofile.py > index 7323565..08a0d1c 100644 > --- a/ipalib/plugins/certprofile.py > +++ b/ipalib/plugins/certprofile.py 
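Review bot: on the [PATCH] Added ipaVaultPublicKey attribute patch above, in the install/share/60basev3.ldif hunk, ipaPublicKey is removed from the ipaVault object class MAY list in the same change that introduces ipaVaultPublicKey, and no update file rewrites entries that already carry ipaPublicKey, so any existing vault entry would stop conforming to ipaVault after the schema update. Either keep `ipaPublicKey` in the MAY list for a transition period, add an update step that moves the value into ipaVaultPublicKey, or state in the commit message that no ipaVault entries can exist in deployed installs yet. The new definition `NAME 'ipaVaultPublicKey' ... SUP ipaPublicKey` intentionally declares no EQUALITY or SYNTAX of its own (they are inherited from the supertype); a short comment in the commit message to that effect would save the next reviewer the question.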
> @@ -185,6 +185,7 @@ class certprofile_show(LDAPRetrieve): > takes_options = LDAPRetrieve.takes_options + ( > Str('out?', > doc=_('Write profile configuration to file'), > + include='cli', > ), > ) > > @@ -284,8 +285,7 @@ class certprofile_mod(LDAPUpdate): > takes_options = LDAPUpdate.takes_options + ( > File('file?', > label=_('File containing profile configuration'), > - cli_name='file', > - flags=('virtual_attribute',), > + include='cli', > ), > ) > NACK on patchset v2; does not work (even after makeapi, which I forgot to include in updated patchset). I keep getting error ``ipa: ERROR: Unknown option: file''. Need to investigate why, but other patches are taking priority right now. Here is patchset v3, which is just v1 rebased on latest master. Thanks, Fraser -------------- next part -------------- From 258f0cbea42b482871d360c33c252ad173c2b0e0 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Thu, 2 Jul 2015 03:31:31 -0400 Subject: [PATCH 24/25] certprofile: add option to export profile config Add the `--out=FILENAME' option to `certprofile-show'. When given, it exports the profile configuration from Dogtag and writes it to the named file. Fixes: https://fedorahosted.org/freeipa/ticket/5091 --- API.txt | 3 ++- VERSION | 4 ++-- ipalib/plugins/certprofile.py | 39 ++++++++++++++++++++++++++++++++++++--- ipaserver/plugins/dogtag.py | 8 ++++++++ 4 files changed, 48 insertions(+), 6 deletions(-) diff --git a/API.txt b/API.txt index e226712d3b8f8eda721a906927cd7fac01eac39f..22ae9bb88710366736ee915e6fe6f2f1c09f2449 100644 --- a/API.txt +++ b/API.txt 
@@ -747,9 +747,10 @@ output: Entry('result', , Gettext('A dictionary representing an LDA output: Output('summary', (, ), None) output: PrimaryKey('value', None, None) command: certprofile_show -args: 1,4,3 +args: 1,5,3 arg: Str('cn', attribute=True, cli_name='id', multivalue=False, primary_key=True, query=True, required=True) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('out?') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Flag('rights', autofill=True, default=False) option: Str('version?', exclude='webui') diff --git a/VERSION b/VERSION index 266a04af1a61132637112611b7e86649ff818c2a..5827f05a4b6b07afb91bd193ff8d7bdecdcc5f9a 100644 --- a/VERSION +++ b/VERSION @@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000 # # ######################################################## IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=137 -# Last change: mbabinsk: Commands to manage user/host/service certificates +IPA_API_VERSION_MINOR=138 +# Last change: ftweedal: add certprofile-show --out option diff --git a/ipalib/plugins/certprofile.py b/ipalib/plugins/certprofile.py index 9e1e47e943f5c14a7e7ce418d3fc2d095331a38a..abb62434eee4cb87356da5568b8a1bb12b762f67 100644 --- a/ipalib/plugins/certprofile.py +++ b/ipalib/plugins/certprofile.py @@ -5,7 +5,7 @@ import re from ipalib import api, Bool, File, Str -from ipalib import output +from ipalib import output, util from ipalib.plugable import Registry from ipalib.plugins.virtual import VirtualCommand from ipalib.plugins.baseldap import ( 
@@ -175,9 +175,42 @@ class certprofile_find(LDAPSearch): class certprofile_show(LDAPRetrieve): __doc__ = _("Display the properties of a Certificate Profile.") - def execute(self, *args, **kwargs): + has_output_params = LDAPRetrieve.has_output_params + ( + Str('config', + label=_('Profile configuration'), + ), + ) + + takes_options = LDAPRetrieve.takes_options + ( + Str('out?', + doc=_('Write profile configuration to file'), + ), + ) + + def execute(self, *keys, **options): ca_enabled_check() - return super(certprofile_show, self).execute(*args, **kwargs) + result = super(certprofile_show, self).execute(*keys, **options) + + if 'out' in options: + with self.api.Backend.ra_certprofile as profile_api: + result['result']['config'] = profile_api.read_profile(keys[0]) + + return result + + def forward(self, *keys, **options): + if 'out' in options: + util.check_writable_file(options['out']) + + result = super(certprofile_show, self).forward(*keys, **options) + if 'out' in options and 'config' in result['result']: + with open(options['out'], 'w') as f: + f.write(result['result'].pop('config')) + result['summary'] = ( + _("Profile configuration stored in file '%(file)s'") + % dict(file=options['out']) + ) + + return result @register() diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py index 3dc8f5c93a85a8035921af9ec622c2bcbcc498e0..eb2a6ae8413362ae2a443c672f806ff97356448f 100644 --- a/ipaserver/plugins/dogtag.py +++ b/ipaserver/plugins/dogtag.py @@ -2081,6 +2081,14 @@ class ra_certprofile(RestClient): body=profile_data ) + def read_profile(self, profile_id): + """ + Read the profile configuration from Dogtag + """ + status, status_text, resp_headers, resp_body = self._ssldo( + 'GET', profile_id + '/raw') + return resp_body + def enable_profile(self, profile_id): """ Enable the profile in Dogtag -- 2.1.0 -------------- next part -------------- From 120f18b55ec3f348065b3e293b43dc69a960dff2 Mon Sep 17 00:00:00 2001 
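Review bot: in patch 24/25, in the ipaserver/plugins/dogtag.py hunk, read_profile unpacks `status, status_text, resp_headers, resp_body = self._ssldo('GET', profile_id + '/raw')` and returns resp_body without looking at status, so unless _ssldo itself rejects non-2xx responses an error document from Dogtag is returned as the profile configuration and certprofile_show.forward writes it to the --out file under a success summary. Check status (or document that _ssldo raises) before returning the body, and say in the docstring that the raw, unparsed profile is returned.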
From: Fraser Tweedale Date: Thu, 2 Jul 2015 04:09:31 -0400 Subject: [PATCH 25/25] certprofile: add ability to update profile config in Dogtag Add the `--file=FILENAME' option to `certprofile-mod' which, when given, will update the profile configuration in Dogtag to the contents of the file. Fixes: https://fedorahosted.org/freeipa/ticket/5093 --- API.txt | 3 ++- VERSION | 4 ++-- ipalib/plugins/certprofile.py | 33 ++++++++++++++++++++++++++++++--- ipaserver/plugins/dogtag.py | 12 ++++++++++++ 4 files changed, 46 insertions(+), 6 deletions(-) diff --git a/API.txt b/API.txt index 22ae9bb88710366736ee915e6fe6f2f1c09f2449..e03b8fb54f7ba128227f37179f5715de86dffdef 100644 --- a/API.txt +++ b/API.txt @@ -731,12 +731,13 @@ output: Entry('result', , Gettext('A dictionary representing an LDA output: Output('summary', (, ), None) output: PrimaryKey('value', None, None) command: certprofile_mod -args: 1,10,3 +args: 1,11,3 arg: Str('cn', attribute=True, cli_name='id', multivalue=False, primary_key=True, query=True, required=True) option: Str('addattr*', cli_name='addattr', exclude='webui') option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Str('delattr*', cli_name='delattr', exclude='webui') option: Str('description', attribute=True, autofill=False, cli_name='desc', multivalue=False, required=False) +option: File('file?', cli_name='file') option: Bool('ipacertprofilestoreissued', attribute=True, autofill=False, cli_name='store', default=True, multivalue=False, required=False) option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Str('rename', cli_name='rename', multivalue=False, primary_key=True, required=False) diff --git a/VERSION b/VERSION index 5827f05a4b6b07afb91bd193ff8d7bdecdcc5f9a..5956d3dbf629c61d485d84524960a3f298a9da11 100644 --- a/VERSION +++ b/VERSION 
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000 # # ######################################################## IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=138 -# Last change: ftweedal: add certprofile-show --out option +IPA_API_VERSION_MINOR=139 +# Last change: ftweedal: add certprofile-mod --file option diff --git a/ipalib/plugins/certprofile.py b/ipalib/plugins/certprofile.py index abb62434eee4cb87356da5568b8a1bb12b762f67..7323565da6783b5300333a5eb2dac6c8dd9f9da6 100644 --- a/ipalib/plugins/certprofile.py +++ b/ipalib/plugins/certprofile.py @@ -13,6 +13,7 @@ from ipalib.plugins.baseldap import ( LDAPDelete, LDAPUpdate, LDAPRetrieve) from ipalib import ngettext from ipalib.text import _ +from ipapython.version import API_VERSION from ipalib import errors @@ -245,7 +246,6 @@ class certprofile_import(LDAPCreate): def post_callback(self, ldap, dn, entry_attrs, *keys, **options): """Import the profile into Dogtag and enable it. - If the operation succeeds, update the LDAP entry to 'enabled'. If the operation fails, remove the LDAP entry. """ try: 
@@ -281,6 +281,33 @@ class certprofile_mod(LDAPUpdate): __doc__ = _("Modify Certificate Profile configuration.") msg_summary = _('Modified Certificate Profile "%(value)s"') - def execute(self, *args, **kwargs): + takes_options = LDAPUpdate.takes_options + ( + File('file?', + label=_('File containing profile configuration'), + cli_name='file', + flags=('virtual_attribute',), + ), + ) + + def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): ca_enabled_check() - return super(certprofile_mod, self).execute(*args, **kwargs) + if 'file' in options: + with self.api.Backend.ra_certprofile as profile_api: + profile_api.disable_profile(keys[0]) + profile_api.update_profile(keys[0], options['file']) + profile_api.enable_profile(keys[0]) + + return dn + + def execute(self, *keys, **options): + try: + return super(certprofile_mod, self).execute(*keys, **options) + except errors.EmptyModlist: + if 'file' in options: + # The profile data in Dogtag was updated. + # Do not fail; return result of certprofile-show instead + return self.api.Command.certprofile_show(keys[0], + version=API_VERSION) + else: + # This case is actually an error; re-raise + raise diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py index eb2a6ae8413362ae2a443c672f806ff97356448f..47279921a5428f388f84967b7bbe05d758e475bd 100644 --- a/ipaserver/plugins/dogtag.py +++ b/ipaserver/plugins/dogtag.py @@ -2089,6 +2089,18 @@ class ra_certprofile(RestClient): 'GET', profile_id + '/raw') return resp_body + def update_profile(self, profile_id, profile_data): + """ + Update the profile configuration in Dogtag + """ + self._ssldo('PUT', profile_id + '/raw', + headers={ + 'Content-type': 'application/xml', + 'Accept': 'application/json', + }, + body=profile_data + ) + def enable_profile(self, profile_id): """ Enable the profile in Dogtag -- 2.1.0 From mbabinsk at redhat.com Fri Jul 3 12:49:41 2015 
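Review bot: in patch 25/25, in the ipalib/plugins/certprofile.py hunk for certprofile_mod, pre_callback runs `profile_api.disable_profile(keys[0])`, `profile_api.update_profile(keys[0], options['file'])` and `profile_api.enable_profile(keys[0])` back to back with no try/finally, so a failure inside update_profile leaves the profile disabled in Dogtag and the error the caller sees does not say so; re-enable in a finally clause or report the disabled state. The Dogtag update also happens before the LDAP modify, so an LDAP failure after pre_callback leaves Dogtag and LDAP out of step. The File('file?') parameter still carries cli_name='file' and flags=('virtual_attribute',), the two items the earlier review on this thread asked to drop (expected, since v3 is v1 rebased, but they should go before push, together with include='cli' once the 'Unknown option: file' failure is understood).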
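Review bot: in patch 25/25, in the ipaserver/plugins/dogtag.py hunk, update_profile discards the return value of `self._ssldo('PUT', profile_id + '/raw', ...)`, so a rejected PUT goes unnoticed unless _ssldo raises; the same status check asked for on read_profile applies here. Because pre_callback disables the live profile before calling this method, it is also worth rejecting an obviously malformed profile_data (it is the raw file contents from the File parameter, sent as application/xml) before the disable happens rather than after.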
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Fri, 3 Jul 2015 14:49:41 +0200
Subject: [Freeipa-devel] [PATCH] 892 webui: add mangedby tab to otptoken
In-Reply-To: <55941C56.9060703@redhat.com>
References: <55941C56.9060703@redhat.com>
Message-ID: <559684E5.8030101@redhat.com>

On 07/01/2015 06:59 PM, Petr Vobornik wrote:
> Added managedby_user tab to manage users who can manage the token.
>
> https://fedorahosted.org/freeipa/ticket/5003
>
> Nathaniel, I could not reproduce the following part of the ticket:
> """
> Careful interaction is required here. In the current code, this also
> creates a bug since all UI created tokens are owned but not managed.
> When users of these tokens are deleted, their self-created tokens are
> orphaned rather than deleted.
>
> Self-created tokens MUST be both self-owned AND self-managed.
> """
>
> The self-created tokens which I created in Web UI as admin or normal
> user were in both cases managed by the same user who created them.
>
> (Once again, this time also reply to the list)

The patch itself does what it is supposed to. So ACK from me.

However, I have found out that the token's manager is correctly set *only* when it is directly created by the user that should own it. In this case when the manager is not specified, the code works as expected and fills in the logged-in user as manager. However, if e.g. admin creates a token for another user and does not set him as the manager explicitly, the 'managedBy' attribute is not set.

-- 
Martin^3 Babinsky

From ftweedal at redhat.com Fri Jul 3 13:33:14 2015
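The condition described in the message above (a token created by an administrator for another user ends up with no managedBy, so it is owned but unmanaged and would be orphaned rather than deleted with its owner) is easy to audit for. The following is an added example, not part of the patch or of FreeIPA: it classifies OTP token entries, in the shape python-ldap returns them, by how their manager list relates to their owner. It assumes the attribute names ipatokenOwner (assumed) and managedBy (as named in the message), and the sample entries, DNs and token ids are constructed.

```python
from typing import Dict, List

# An LDAP entry as python-ldap returns it: attribute name -> list of string values.
Entry = Dict[str, List[str]]


def _norm_dn(dn: str) -> str:
    """Normalise a DN for comparison: lower-case it and drop whitespace around commas.
    Sufficient for the uid=...,cn=users,... DNs compared here; a full RFC 4514
    comparison would also handle escaping and attribute-type aliases."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def _values(entry: Entry, attr: str) -> List[str]:
    """Attribute lookup that ignores case, since servers and clients differ in the
    capitalisation they return."""
    for key, vals in entry.items():
        if key.lower() == attr.lower():
            return vals
    return []


def audit_token_managers(tokens: Dict[str, Entry]) -> Dict[str, List[str]]:
    """Classify tokens by owner/manager relationship.

    Returns token DNs under three keys:
      'unmanaged'          no managedBy at all (the case reported above)
      'owner_not_manager'  managedBy is set but the owner is not among the managers
      'ok'                 every owner is also a manager
    """
    report: Dict[str, List[str]] = {"unmanaged": [], "owner_not_manager": [], "ok": []}
    for dn, entry in tokens.items():
        owners = {_norm_dn(v) for v in _values(entry, "ipatokenOwner")}
        managers = {_norm_dn(v) for v in _values(entry, "managedBy")}
        if not managers:
            report["unmanaged"].append(dn)
        elif owners and not owners <= managers:
            report["owner_not_manager"].append(dn)
        else:
            report["ok"].append(dn)
    return report


# Constructed sample entries (DNs and token ids are made up for the example).
USERS = "cn=users,cn=accounts,dc=example,dc=test"
SAMPLE_TOKENS: Dict[str, Entry] = {
    # self-created: owner and manager are the same user
    "ipatokenuniqueid=t-self,cn=otp,dc=example,dc=test": {
        "ipatokenOwner": ["uid=alice," + USERS],
        "managedBy": ["uid=alice," + USERS],
    },
    # created by admin for bob without naming a manager: managedBy is absent
    "ipatokenuniqueid=t-admin-made,cn=otp,dc=example,dc=test": {
        "ipatokenowner": ["uid=bob," + USERS],
    },
    # managed by a helpdesk account only; the owner cannot manage her own token
    "ipatokenuniqueid=t-helpdesk,cn=otp,dc=example,dc=test": {
        "ipatokenOwner": ["uid=carol," + USERS],
        "managedBy": ["UID=helpdesk, " + USERS],
    },
}

if __name__ == "__main__":
    for category, dns in audit_token_managers(SAMPLE_TOKENS).items():
        print(category, dns)
```

Run against real data, the entries would come from a search under cn=otp of the base DN; the 'unmanaged' list is the set of tokens that the observation above says the UI can produce, and the 'owner_not_manager' list is worth a look too, since a deleted owner leaves such a token behind with a manager who is not its user.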
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Fri, 3 Jul 2015 23:33:14 +1000
Subject: [Freeipa-devel] my remaining 4.2 tickets
In-Reply-To: <55962A71.4050701@redhat.com>
References: <20150630130353.GO6584@dhcp-40-8.bne.redhat.com> <55929DA0.8030006@redhat.com> <20150702151858.GC6584@dhcp-40-8.bne.redhat.com> <55955FA6.6000002@redhat.com> <55962A71.4050701@redhat.com>
Message-ID: <20150703133314.GF6584@dhcp-40-8.bne.redhat.com>

On Fri, Jul 03, 2015 at 08:23:45AM +0200, Martin Kosek wrote:
> On 07/02/2015 05:58 PM, Jan Cholasta wrote:
> >Hi,
> >
> >Dne 2.7.2015 v 17:18 Fraser Tweedale napsal(a):
> >>On Tue, Jun 30, 2015 at 03:46:08PM +0200, Martin Kosek wrote:
> >>>On 06/30/2015 03:03 PM, Fraser Tweedale wrote:
> >>>>#2915 ipa-getcert does not allow setting specific EKU on
> >>>>certificates
> >>>>
> >>>>  Involves certmonger so I will need to do a bit more
> >>>>  investigation.
> >>>>
> >>>>  If non-trivial to accomplish this with the default profile, now
> >>>>  that we have support for multiple profiles it could be done with
> >>>>  a separate profile, as long as certmonger passes the profile
> >>>>  properly with `-T' argument. I will follow up on this tomorrow
> >>>>  and let you know what I find out.
> >>>
> >>>Ok. I was not involved when the ticket was filed, but it does not seem to me as
> >>>something that should get much priority and your time at this stage.
> >>>
> >>I haven't looked at this yet.
> >
> >FYI getcert supports setting EKU in the CSR using the -U option for a long
> >time. It also correctly passes the profile to IPA since 0.78.
> >
> >>
> >>>>#4970 Server certificate profile should always include a Subject
> >>>>Alternate name for the host
> >>>>
> >>>>  If a subjectAltName request extension is in CSR, it is checked
> >>>>  by `cert-request', and copied onto the final certificate by
> >>>>  Dogtag. In the default profile there is currently no other way
> >>>>  to specify the SAN.
> >>>>
> >>>>  A possible approach to resolve this with the default profile is
> >>>>  to update it to include a separate, optional subjectAltName
> >>>>  request input, which could be filled in if explicit SAN is not
> >>>>  provided in CSR. There are related lines of investigation.
> >>>>  Will provide update tomorrow.
> >>>
> >>>Ok.
> >>>
> >>I investigated this. My comments are on the ticket:
> >>https://fedorahosted.org/freeipa/ticket/4970#comment:7 but in brief:
> >>the way our current SAN support is implemented makes this a
> >>non-trivial ticket.
> >
> >On a related note, I think we should also always include kerberos principal
> >name SAN.
>
> That would be nice, how difficult is to enable this with certificates
> FreeIPA issues? It would also let us make easier principal-based queries for
> Dogtag certificates. Right?
>
We could do it with a new ProfileInput class in Dogtag, possibly (probably) also requiring a new ProfileDefault class, and of course an update of the included profile(s) where we want this behaviour.

I have a bolder vision for the future of Dogtag/IPA integration. I have had some thoughts brewing in my mind for a while, ready to unleash after rhel72 crunch, but oh well, now you are making me reveal my ideas, hopefully not too prematurely :)

In the medium-term we want to connect Dogtag (components thereof) to the IPA directory to read and enforce caacls. We also wish to use s4u2proxy to avoid the all-powerful RA Agent cert and have Dogtag act with the authenticated principal's authority. Since we will be talking to the IPA directory, we can create new profile components that read information directly out of the IPA directory. This will make it much simpler to pull fancy extension data or other information into certificates issued by Dogtag, all defined by profiles.
These components can even be shipped as part of FreeIPA, as only FreeIPA-provided profiles would use them, and I believe it is fairly straightforward to tell Dogtag about "3rd-party" classes. This gives us agility to include support for pulling data from IPA directory into certificates without depending on Dogtag release cycle. This sort of regime may also make it easier to tackle the desired "profile builder" feature.

Finally, since it is JVM .class files we will be shipping we can write it using FP in Scala ^_^

Cheers,
Fraser

From edewata at redhat.com Fri Jul 3 13:44:12 2015
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 03 Jul 2015 08:44:12 -0500
Subject: [Freeipa-devel] [PATCH] Password vault
In-Reply-To: <54E1AF55.3060409@redhat.com>
References: <54E1AF55.3060409@redhat.com>
Message-ID: <559691AC.5030707@redhat.com>

Here is the rebased patch for vault access control.

-- 
Endi S. Dewata

-------------- next part --------------
>From 6bec99d51552a6415c45d655f95627e341fae44b Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" 
Date: Fri, 17 Oct 2014 12:05:34 -0400
Subject: [PATCH] Added vault access control.

New LDAP ACIs have been added to allow vault owners to manage the vaults
and to allow members to access the vaults. New CLIs have been added to
manage the owner and member list. The LDAP schema has been updated as well.

https://fedorahosted.org/freeipa/ticket/3872
---
 API.txt                                   |  92 ++++++++++++++++++----
 VERSION                                   |   4 +-
 install/share/60basev3.ldif               |   2 +-
 install/share/vault.update                |   5 ++
 ipalib/plugins/vault.py                   | 122 ++++++++++++++++++++++++++++--
 ipatests/test_xmlrpc/test_vault_plugin.py |  27 +++++--
 6 files changed, 224 insertions(+), 28 deletions(-)

diff --git a/API.txt b/API.txt
index d0ae1b72c2ae445a4e2cc168da5fd53f9a4de56d..c182098fe1017d46f9f7980c7b6891a1031f1068 100644
--- a/API.txt
+++ b/API.txt
@@ -5341,27 +5341,58 @@ option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui option: Str('service?') option: Str('setattr*', cli_name='setattr', exclude='webui') option: Flag('shared?', autofill=True, default=False) -option: Str('user?') +option: Str('username?', cli_name='user') option: Str('version?', exclude='webui') output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) output: Output('summary', (, ), None) output: PrimaryKey('value', None, None) command: vault_add_internal -args: 1,10,3 +args: 1,11,3 arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, required=True) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Str('description', attribute=True, cli_name='desc', multivalue=False, required=False) option: Bytes('ipavaultpublickey', attribute=True, cli_name='public_key', multivalue=False, required=False) option: Bytes('ipavaultsalt', attribute=True, cli_name='salt', multivalue=False, required=False) option: Str('ipavaulttype', attribute=True, autofill=True, cli_name='type', default=u'standard', multivalue=False, required=False) +option: Flag('no_members', autofill=True, default=False, exclude='webui') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Str('service?') option: Flag('shared?', autofill=True, default=False) -option: Str('user?') +option: Str('username?', cli_name='user') option: Str('version?', exclude='webui') output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) output: Output('summary', (, ), None) output: PrimaryKey('value', None, None) +command: vault_add_member +args: 1,9,3 +arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True) +option: Flag('all', 
autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('group*', alwaysask=True, cli_name='groups', csv=True) +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('service?') +option: Flag('shared?', autofill=True, default=False) +option: Str('user*', alwaysask=True, cli_name='users', csv=True) +option: Str('username?', cli_name='user') +option: Str('version?', exclude='webui') +output: Output('completed', , None) +output: Output('failed', , None) +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +command: vault_add_owner +args: 1,9,3 +arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('group*', alwaysask=True, cli_name='groups', csv=True) +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('service?') +option: Flag('shared?', autofill=True, default=False) +option: Str('user*', alwaysask=True, cli_name='users', csv=True) +option: Str('username?', cli_name='user') +option: Str('version?', exclude='webui') +output: Output('completed', , None) +output: Output('failed', , None) +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) command: vault_archive args: 1,10,3 arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True) 
@@ -5373,7 +5404,7 @@ option: Str('password_file?', cli_name='password_file') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Str('service?') option: Flag('shared?', autofill=True, default=False) -option: Str('user?') +option: Str('username?', cli_name='user') option: Str('version?', exclude='webui') output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) output: Output('summary', (, ), None) @@ -5387,7 +5418,7 @@ option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui option: Str('service?') option: Bytes('session_key') option: Flag('shared?', autofill=True, default=False) -option: Str('user?') +option: Str('username?', cli_name='user') option: Bytes('vault_data') option: Str('version?', exclude='webui') output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) 
@@ -5399,32 +5430,33 @@ arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=True, option: Flag('continue', autofill=True, cli_name='continue', default=False) option: Str('service?') option: Flag('shared?', autofill=True, default=False) -option: Str('user?') +option: Str('username?', cli_name='user') option: Str('version?', exclude='webui') output: Output('result', , None) output: Output('summary', (, ), None) output: ListOfPrimaryKeys('value', None, None) command: vault_find -args: 1,12,4 +args: 1,13,4 arg: Str('criteria?', noextrawhitespace=False) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Str('cn', attribute=True, autofill=False, cli_name='name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=False) option: Str('description', attribute=True, autofill=False, cli_name='desc', multivalue=False, query=True, required=False) option: Str('ipavaulttype', attribute=True, autofill=False, cli_name='type', default=u'standard', multivalue=False, query=True, required=False) +option: Flag('no_members', autofill=True, default=False, exclude='webui') option: Flag('pkey_only?', autofill=True, default=False) option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Str('service?') option: Flag('shared?', autofill=True, default=False) option: Int('sizelimit?', autofill=False, minvalue=0) option: Int('timelimit?', autofill=False, minvalue=0) -option: Str('user?') +option: Str('username?', cli_name='user') option: Str('version?', exclude='webui') output: Output('count', , None) output: ListOfEntries('result', (, ), Gettext('A list of LDAP entries', domain='ipa', localedir=None)) output: Output('summary', (, ), None) output: Output('truncated', , None) command: vault_mod -args: 1,14,3 +args: 1,15,3 arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, 
query=True, required=True) option: Str('addattr*', cli_name='addattr', exclude='webui') option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') 
@@ -5433,16 +5465,47 @@ option: Str('description', attribute=True, autofill=False, cli_name='desc', mult option: Bytes('ipavaultpublickey', attribute=True, autofill=False, cli_name='public_key', multivalue=False, required=False) option: Bytes('ipavaultsalt', attribute=True, autofill=False, cli_name='salt', multivalue=False, required=False) option: Str('ipavaulttype', attribute=True, autofill=False, cli_name='type', default=u'standard', multivalue=False, required=False) +option: Flag('no_members', autofill=True, default=False, exclude='webui') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Flag('rights', autofill=True, default=False) option: Str('service?') option: Str('setattr*', cli_name='setattr', exclude='webui') option: Flag('shared?', autofill=True, default=False) -option: Str('user?') +option: Str('username?', cli_name='user') option: Str('version?', exclude='webui') output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) output: Output('summary', (, ), None) output: PrimaryKey('value', None, None) +command: vault_remove_member +args: 1,9,3 +arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('group*', alwaysask=True, cli_name='groups', csv=True) +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('service?') +option: Flag('shared?', autofill=True, default=False) +option: Str('user*', alwaysask=True, cli_name='users', csv=True) +option: Str('username?', cli_name='user') +option: Str('version?', exclude='webui') +output: Output('completed', , None) +output: Output('failed', , None) +output: Entry('result', , Gettext('A dictionary representing an LDAP 
entry', domain='ipa', localedir=None)) +command: vault_remove_owner +args: 1,9,3 +arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('group*', alwaysask=True, cli_name='groups', csv=True) +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('service?') +option: Flag('shared?', autofill=True, default=False) +option: Str('user*', alwaysask=True, cli_name='users', csv=True) +option: Str('username?', cli_name='user') +option: Str('version?', exclude='webui') +output: Output('completed', , None) +output: Output('failed', , None) +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) command: vault_retrieve args: 1,11,3 arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True) @@ -5455,7 +5518,7 @@ option: Str('private_key_file?', cli_name='private_key_file') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Str('service?') option: Flag('shared?', autofill=True, default=False) -option: Str('user?') +option: Str('username?', cli_name='user') option: Str('version?', exclude='webui') output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) output: Output('summary', (, ), None) 
@@ -5468,20 +5531,21 @@ option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui option: Str('service?') option: Bytes('session_key') option: Flag('shared?', autofill=True, default=False) -option: Str('user?') +option: Str('username?', cli_name='user') option: Str('version?', exclude='webui') output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) output: Output('summary', (, ), None) output: PrimaryKey('value', None, None) command: vault_show -args: 1,7,3 +args: 1,8,3 arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Flag('no_members', autofill=True, default=False, exclude='webui') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Flag('rights', autofill=True, default=False) option: Str('service?') option: Flag('shared?', autofill=True, default=False) -option: Str('user?') +option: Str('username?', cli_name='user') option: Str('version?', exclude='webui') output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) output: Output('summary', (, ), None) diff --git a/VERSION b/VERSION index f69a5bb880c1141b620159fa3e6ea6f0eb6a30fd..9b0dde3f7e4c70c50c47d4ac8c69de7f06affe51 100644 --- a/VERSION +++ b/VERSION @@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000 # # ######################################################## IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=137 -# Last change: edewata - added ipaVaultPublicKey attribute +IPA_API_VERSION_MINOR=138 +# Last change: edewata - added vault access control diff --git a/install/share/60basev3.ldif b/install/share/60basev3.ldif index 5491f99f5e78f122f94e9215bf5751d487f19d2e..cf32a4abc1b69c32af96a1f067d0b9126931b66c 100644 --- a/install/share/60basev3.ldif 
+++ b/install/share/60basev3.ldif @@ -82,4 +82,4 @@ objectClasses: (2.16.840.1.113730.3.8.12.24 NAME 'ipaPublicKeyObject' DESC 'Wrap objectClasses: (2.16.840.1.113730.3.8.12.25 NAME 'ipaPrivateKeyObject' DESC 'Wrapped private keys' SUP top AUXILIARY MUST ( ipaPrivateKey $ ipaWrappingKey $ ipaWrappingMech ) X-ORIGIN 'IPA v4.1' ) objectClasses: (2.16.840.1.113730.3.8.12.26 NAME 'ipaSecretKeyObject' DESC 'Wrapped secret keys' SUP top AUXILIARY MUST ( ipaSecretKey $ ipaWrappingKey $ ipaWrappingMech ) X-ORIGIN 'IPA v4.1' ) objectClasses: (2.16.840.1.113730.3.8.12.34 NAME 'ipaSecretKeyRefObject' DESC 'Indirect storage for encoded key material' SUP top AUXILIARY MUST ( ipaSecretKeyRef ) X-ORIGIN 'IPA v4.1' ) -objectClasses: (2.16.840.1.113730.3.8.18.1.1 NAME 'ipaVault' DESC 'IPA vault' SUP top STRUCTURAL MUST ( cn ) MAY ( description $ ipaVaultType $ ipaVaultSalt $ ipaVaultPublicKey ) X-ORIGIN 'IPA v4.2' ) +objectClasses: (2.16.840.1.113730.3.8.18.1.1 NAME 'ipaVault' DESC 'IPA vault' SUP top STRUCTURAL MUST ( cn ) MAY ( description $ ipaVaultType $ ipaVaultSalt $ ipaVaultPublicKey $ owner $ member ) X-ORIGIN 'IPA v4.2' ) diff --git a/install/share/vault.update b/install/share/vault.update index dcd1e2a152b82263f0a2653eb5604a3c76002dd9..a6c649ac12995359dd935675f28a22468cd7f355 100644 --- a/install/share/vault.update +++ b/install/share/vault.update 
@@ -7,6 +7,11 @@ dn: cn=vaults,cn=kra,$SUFFIX default: objectClass: top default: objectClass: nsContainer default: cn: vaults +default: aci: (target="ldap:///cn=*,cn=users,cn=vaults,cn=kra,$SUFFIX")(version 3.0; acl "Allow users to create private container"; allow (add) userdn = "ldap:///uid=($$attr.cn),cn=users,cn=accounts,$SUFFIX";) +default: aci: (targetfilter="(objectClass=ipaVault)")(version 3.0; acl "Vault members can access the vault"; allow(read, search, compare) userattr="member#USERDN";) +default: aci: (targetfilter="(objectClass=ipaVault)")(version 3.0; acl "Indirect vault members can access the vault"; allow(read, search, compare) userattr="member#GROUPDN";) +default: aci: (targetfilter="(objectClass=ipaVault)")(version 3.0; acl "Vault owners can manage the vault"; allow(read, search, compare, write) userattr="owner#USERDN";) +default: aci: (targetfilter="(objectClass=ipaVault)")(version 3.0; acl "Indirect vault owners can manage the vault"; allow(read, search, compare, write) userattr="owner#GROUPDN";) dn: cn=services,cn=vaults,cn=kra,$SUFFIX default: objectClass: top diff --git a/ipalib/plugins/vault.py b/ipalib/plugins/vault.py index 9fcd619d19de9ae036a73bb3af9dc050c6be6c76..c10510e63da0353511b788ac625c439fe85eb96b 100644 --- a/ipalib/plugins/vault.py +++ b/ipalib/plugins/vault.py @@ -42,7 +42,8 @@ from ipalib import output from ipalib.crud import PKQuery, Retrieve, Update from ipalib.plugable import Registry from ipalib.plugins.baseldap import LDAPObject, LDAPCreate, LDAPDelete,\ - LDAPSearch, LDAPUpdate, LDAPRetrieve, pkey_to_value + LDAPSearch, LDAPUpdate, LDAPRetrieve, LDAPAddMember, LDAPRemoveMember,\ + pkey_to_value from ipalib.request import context from ipalib.plugins.user import split_principal from ipalib import _, ngettext 
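Review bot: in the vault.update hunk, the "Vault owners can manage the vault" and "Indirect vault owners can manage the vault" ACIs grant `write` with no `targetattr`, so the write right is not limited to the attributes an owner needs; restricting it to `description`, `ipavaulttype`, `ipavaultsalt`, `ipavaultpublickey`, `owner` and `member` (the MAY attributes of `ipaVault` in the 60basev3.ldif hunk) would keep an owner from editing the entry's `aci` or other operational attributes. The `member#USERDN` and `member#GROUPDN` rules correctly give members read-only access (`read, search, compare`), so only owners can change membership; that split is the one the commit message describes and is worth stating next to the ACIs as a comment in the update file.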
@@ -195,6 +196,18 @@ EXAMPLES: """) + _(""" Retrieve data from asymmetric vault: ipa vault-retrieve --out data.bin --private-key-file private.pem +""") + _(""" + Add a vault owner: + ipa vault-add-owner --users +""") + _(""" + Delete a vault owner: + ipa vault-remove-owner --users +""") + _(""" + Add a vault member: + ipa vault-add-member --users +""") + _(""" + Delete a vault member: + ipa vault-remove-member --users """) register = Registry() @@ -210,7 +223,8 @@ vault_options = ( doc=_('Shared vault'), ), Str( - 'user?', + 'username?', + cli_name='user', doc=_('Username of the user vault'), ), ) @@ -234,12 +248,18 @@ class vault(LDAPObject): 'ipavaulttype', 'ipavaultsalt', 'ipavaultpublickey', + 'owner', + 'member', ] search_display_attributes = [ 'cn', 'description', 'ipavaulttype', ] + attribute_members = { + 'owner': ['user', 'group'], + 'member': ['user', 'group'], + } label = _('Vaults') label_singular = _('Vault') @@ -282,6 +302,16 @@ class vault(LDAPObject): doc=_('Vault public key'), flags=['no_search'], ), + Str( + 'owner_user?', + label=_('Owner users'), + flags=['no_create', 'no_update', 'no_search'], + ), + Str( + 'owner_group?', + label=_('Owner groups'), + flags=['no_create', 'no_update', 'no_search'], + ), ) def get_dn(self, *keys, **options): @@ -291,7 +321,7 @@ class vault(LDAPObject): service = options.get('service') shared = options.get('shared') - user = options.get('user') + user = options.get('username') count = 0 if service: @@ -337,7 +367,7 @@ class vault(LDAPObject): return DN(rdns, parent_dn) - def create_container(self, dn): + def create_container(self, dn, owner_dn): """ Creates vault container and its parents. """ 
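Review bot: `create_container(self, dn, owner_dn)` gains a mandatory second parameter but the docstring still reads "Creates vault container and its parents." and says nothing about the owner ACI that the new argument installs; document that the ACI is written into the container entry and what rights it grants. Only the vault_add_internal call site is updated in this patch; any other caller of the one-argument form (none is visible here) would now fail with a TypeError, so grep for remaining callers before merging. Minor: the new `owner_user?` / `owner_group?` output params are added to `takes_params` with `no_create`/`no_update`/`no_search`, which matches how `attribute_members` is rendered elsewhere, but the corresponding `member_user?` / `member_group?` labels are not added even though `attribute_members` now lists `member`; confirm they are rendered with the same labels.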
@@ -356,6 +386,13 @@ class vault(LDAPObject): { 'objectclass': ['nsContainer'], 'cn': rdn['cn'], + 'aci': + '(targetfilter="(objectClass=ipaVault)")' + + '(version 3.0; ' + + 'acl "User can manage private vaults"; ' + + 'allow(read, search, compare, add, delete) ' + + 'userdn="ldap:///%s";)' + % owner_dn }) # if entry can be added, return @@ -631,12 +668,21 @@ class vault_add_internal(LDAPCreate): raise errors.InvocationError( format=_('KRA service is not enabled')) + principal = getattr(context, 'principal') + (name, realm) = split_principal(principal) + if '/' in name: + owner_dn = self.api.Object.service.get_dn(name) + else: + owner_dn = self.api.Object.user.get_dn(name) + try: parent_dn = DN(*dn[1:]) - self.obj.create_container(parent_dn) + self.obj.create_container(parent_dn, owner_dn) except errors.DuplicateEntry, e: pass + entry_attrs['owner'] = owner_dn + return dn @@ -687,6 +733,8 @@ class vault_find(LDAPSearch): takes_options = LDAPSearch.takes_options + vault_options + has_output_params = LDAPSearch.has_output_params + msg_summary = ngettext( '%(count)d vault matched', '%(count)d vaults matched', @@ -742,6 +790,8 @@ class vault_show(LDAPRetrieve): takes_options = LDAPRetrieve.takes_options + vault_options + has_output_params = LDAPRetrieve.has_output_params + def pre_callback(self, ldap, dn, attrs_list, *keys, **options): assert isinstance(dn, DN) 
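Review bot: in the vault_add_internal hunk the `owner` is always the bind principal, so a vault created by admin with `--user alice` (or `--service`, `--shared`) gets `owner` = admin rather than the principal the vault is for; the updated tests confirm this, since even the user vault expects `'owner_user': [u'admin']`. Consider also adding the target user or service as an owner so it can manage its own vault. The `if '/' in name` branch treats host principals (`host/fqdn@REALM`) as services and resolves them with `self.api.Object.service.get_dn(name)`, which points at the services container and will not match a host entry; a host-authenticated caller would get an owner DN that names no entry. In the create_container hunk the per-container ACI (`userdn="ldap:///%s"` with `owner_dn`) is installed only when the container is first created, because `except errors.DuplicateEntry, e: pass` swallows the existing-container case: whoever creates the container first is the principal the ACI names, and later `owner_dn` values have no effect. That is acceptable for private containers but should be stated in the commit message, and the `e` binding is unused.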
@@ -1329,6 +1379,68 @@ class vault_retrieve_internal(PKQuery): @register() +class vault_add_owner(LDAPAddMember): + __doc__ = _('Add owners to a vault.') + + takes_options = LDAPAddMember.takes_options + vault_options + + member_attributes = ['owner'] + member_count_out = ('%i owner added.', '%i owners added.') + + has_output = ( + output.Entry('result'), + output.Output( + 'failed', + type=dict, + doc=_('Owners that could not be added'), + ), + output.Output( + 'completed', + type=int, + doc=_('Number of owners added'), + ), + ) + + + at register() +class vault_remove_owner(LDAPRemoveMember): + __doc__ = _('Remove owners from a vault.') + + takes_options = LDAPRemoveMember.takes_options + vault_options + + member_attributes = ['owner'] + member_count_out = ('%i owner removed.', '%i owners removed.') + + has_output = ( + output.Entry('result'), + output.Output( + 'failed', + type=dict, + doc=_('Owners that could not be removed'), + ), + output.Output( + 'completed', + type=int, + doc=_('Number of owners removed'), + ), + ) + + + at register() +class vault_add_member(LDAPAddMember): + __doc__ = _('Add members to a vault.') + + takes_options = LDAPAddMember.takes_options + vault_options + + + at register() +class vault_remove_member(LDAPRemoveMember): + __doc__ = _('Remove members from a vault.') + + takes_options = LDAPRemoveMember.takes_options + vault_options + + + at register() class kra_is_enabled(Command): NO_CLI = True diff --git a/ipatests/test_xmlrpc/test_vault_plugin.py b/ipatests/test_xmlrpc/test_vault_plugin.py index 3db93b207fac405ba654b84a2a07668d9a69edb6..fe2f2f67d664e0640fdda99fd3e2f068ee61cb01 100644 --- a/ipatests/test_xmlrpc/test_vault_plugin.py +++ b/ipatests/test_xmlrpc/test_vault_plugin.py 
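Review bot: the vault_add_owner / vault_remove_owner / vault_add_member / vault_remove_member hunk adds no access check of its own, which is fine as long as writes to `owner` and `member` are gated by the `owner#USERDN` / `owner#GROUPDN` write ACIs, but nothing in the patch touches vault_archive_internal or vault_retrieve_internal (`class vault_retrieve_internal(PKQuery)` appears here only as context). If those commands still talk to the KRA with the RA agent credentials, the new ACIs gate the LDAP entry only and the data path depends on the vault entry being looked up as the bound principal before the KRA is contacted; please confirm that a non-member calling vault_retrieve is refused at that lookup. Style: `member_attributes`, `member_count_out` and `has_output` on the two owner commands are duplicated verbatim; a shared tuple or small mixin would halve the hunk.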
@@ -89,7 +89,7 @@ class test_vault_plugin(Declarative): 'continue': True }), ('vault_del', [vault_name], {'shared': True, 'continue': True}), - ('vault_del', [vault_name], {'user': user_name, 'continue': True}), + ('vault_del', [vault_name], {'username': user_name, 'continue': True}), ('vault_del', [standard_vault_name], {'continue': True}), ('vault_del', [symmetric_vault_name], {'continue': True}), ('vault_del', [asymmetric_vault_name], {'continue': True}), @@ -113,6 +113,7 @@ class test_vault_plugin(Declarative): 'objectclass': [u'top', u'ipaVault'], 'cn': [vault_name], 'ipavaulttype': [u'standard'], + 'owner_user': [u'admin'], }, }, }, @@ -154,6 +155,7 @@ class test_vault_plugin(Declarative): % (vault_name, api.env.basedn), 'cn': [vault_name], 'ipavaulttype': [u'standard'], + 'owner_user': [u'admin'], }, }, }, @@ -174,6 +176,7 @@ class test_vault_plugin(Declarative): 'cn': [vault_name], 'description': [u'Test vault'], 'ipavaulttype': [u'standard'], + 'owner_user': [u'admin'], }, }, }, @@ -212,6 +215,7 @@ class test_vault_plugin(Declarative): 'objectclass': [u'top', u'ipaVault'], 'cn': [vault_name], 'ipavaulttype': [u'standard'], + 'owner_user': [u'admin'], }, }, }, @@ -257,6 +261,7 @@ class test_vault_plugin(Declarative): % (vault_name, service_name, api.env.basedn), 'cn': [vault_name], 'ipavaulttype': [u'standard'], + 'owner_user': [u'admin'], }, }, }, @@ -278,6 +283,7 @@ class test_vault_plugin(Declarative): 'cn': [vault_name], 'description': [u'Test vault'], 'ipavaulttype': [u'standard'], + 'owner_user': [u'admin'], }, }, }, @@ -318,6 +324,7 @@ class test_vault_plugin(Declarative): 'objectclass': [u'top', u'ipaVault'], 'cn': [vault_name], 'ipavaulttype': [u'standard'], + 'owner_user': [u'admin'], }, }, }, @@ -363,6 +370,7 @@ class test_vault_plugin(Declarative): % (vault_name, api.env.basedn), 'cn': [vault_name], 'ipavaulttype': [u'standard'], + 'owner_user': [u'admin'], }, }, }, 
@@ -384,6 +392,7 @@ class test_vault_plugin(Declarative): 'cn': [vault_name], 'description': [u'Test vault'], 'ipavaulttype': [u'standard'], + 'owner_user': [u'admin'], }, }, }, @@ -412,7 +421,7 @@ class test_vault_plugin(Declarative): 'vault_add', [vault_name], { - 'user': user_name, + 'username': user_name, }, ), 'expected': { @@ -424,6 +433,7 @@ class test_vault_plugin(Declarative): 'objectclass': [u'top', u'ipaVault'], 'cn': [vault_name], 'ipavaulttype': [u'standard'], + 'owner_user': [u'admin'], }, }, }, @@ -434,7 +444,7 @@ class test_vault_plugin(Declarative): 'vault_find', [], { - 'user': user_name, + 'username': user_name, }, ), 'expected': { @@ -458,7 +468,7 @@ class test_vault_plugin(Declarative): 'vault_show', [vault_name], { - 'user': user_name, + 'username': user_name, }, ), 'expected': { @@ -469,6 +479,7 @@ class test_vault_plugin(Declarative): % (vault_name, user_name, api.env.basedn), 'cn': [vault_name], 'ipavaulttype': [u'standard'], + 'owner_user': [u'admin'], }, }, }, @@ -479,7 +490,7 @@ class test_vault_plugin(Declarative): 'vault_mod', [vault_name], { - 'user': user_name, + 'username': user_name, 'description': u'Test vault', }, ), @@ -490,6 +501,7 @@ class test_vault_plugin(Declarative): 'cn': [vault_name], 'description': [u'Test vault'], 'ipavaulttype': [u'standard'], + 'owner_user': [u'admin'], }, }, }, @@ -500,7 +512,7 @@ class test_vault_plugin(Declarative): 'vault_del', [vault_name], { - 'user': user_name, + 'username': user_name, }, ), 'expected': { @@ -528,6 +540,7 @@ class test_vault_plugin(Declarative): 'objectclass': [u'top', u'ipaVault'], 'cn': [standard_vault_name], 'ipavaulttype': [u'standard'], + 'owner_user': [u'admin'], }, }, }, @@ -586,6 +599,7 @@ class test_vault_plugin(Declarative): 'cn': [symmetric_vault_name], 'ipavaulttype': [u'symmetric'], 'ipavaultsalt': [fuzzy_string], + 'owner_user': [u'admin'], }, }, }, 
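Review bot: the test_vault_plugin.py changes only add `'owner_user': [u'admin']` to expected results and rename `user` to `username`; no test calls the new vault_add_owner / vault_add_member / vault_remove_* commands, and no negative test checks that a principal who is neither owner nor member is denied vault_show, vault_find or vault_retrieve, which is the property the new ACIs exist to provide. A Declarative step that adds a member, checks the `completed` and `failed` outputs declared in API.txt, then removes it would at least cover the added API surface.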
@@ -647,6 +661,7 @@ class test_vault_plugin(Declarative): 'cn': [asymmetric_vault_name], 'ipavaulttype': [u'asymmetric'], 'ipavaultpublickey': [public_key], + 'owner_user': [u'admin'], }, }, }, -- 1.9.3 From ftweedal at redhat.com Fri Jul 3 14:26:39 2015 From: ftweedal at redhat.com (Fraser Tweedale) Date: Sat, 4 Jul 2015 00:26:39 +1000 Subject: [Freeipa-devel] [PATCH] 0026..0027 #5096 enforce caacl for SAN principals Message-ID: <20150703142639.GG6584@dhcp-40-8.bne.redhat.com> The attached patches fix: - a bug that caused caacl false negatives for hosts principals - #5096 cert-request: enforce caacl for subjectAltName principals Thanks, Fraser -------------- next part -------------- From f6d7f8e58a7fcb09261ae18a8722f28da778779c Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Fri, 3 Jul 2015 10:05:40 -0400 Subject: [PATCH 26/27] caacl: fix incorrect construction of HbacRequest for hosts The _acl_make_request function is using the 'host/' prefix itself instead of the hostname after it. Use split_any_principal to do the splitting correctly, also taking realm into account. --- ipalib/plugins/caacl.py | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/ipalib/plugins/caacl.py b/ipalib/plugins/caacl.py index 6bf39d2330c8999726484e1e9fb44fdb7c755767..247d6df143aef1fba9f0ee74a9f7d8386bef5180 100644 --- a/ipalib/plugins/caacl.py +++ b/ipalib/plugins/caacl.py @@ -55,13 +55,15 @@ register = Registry() def _acl_make_request(principal_type, principal, ca_ref, profile_id): """Construct HBAC request for the given principal, CA and profile""" + service, name, realm = split_any_principal(principal) + req = pyhbac.HbacRequest() req.targethost.name = ca_ref req.service.name = profile_id if principal_type == 'user': req.user.name = principal elif principal_type == 'host': - req.user.name = principal[:5] # strip 'host/' + req.user.name = name elif principal_type == 'service': req.user.name = normalize_principal(principal) groups = [] 
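Review bot: in the `_acl_make_request` hunk of the caacl patch, `split_any_principal(principal)` is now called unconditionally, so it also runs for `principal_type == 'user'` where the input has no service component; confirm it returns a usable triple for a plain `user@REALM` rather than raising (the user branch keeps `req.user.name = principal`, so only an exception would matter). The fix itself is correct: `principal[:5]` evaluated to the literal `'host/'`, so every host request was matched against a user named `host/` while the hostgroup lookup below already used the split hostname. The diffstat touches only ipalib/plugins/caacl.py, so a regression test with a host principal covered by a hostgroup-based rule would lock the fix in.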
@@ -70,8 +72,7 @@ def _acl_make_request(principal_type, principal, ca_ref, profile_id): groups = user_obj.get('memberof_group', []) groups += user_obj.get('memberofindirect_group', []) elif principal_type == 'host': - service, hostname, realm = split_any_principal(principal) - host_obj = api.Command.host_show(hostname)['result'] + host_obj = api.Command.host_show(name)['result'] groups = host_obj.get('memberof_hostgroup', []) groups += host_obj.get('memberofindirect_hostgroup', []) req.user.groups = sorted(set(groups)) -- 2.1.0 -------------- next part -------------- From c39c0f122310f070997c058aefc5617ca75a7ff2 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Fri, 3 Jul 2015 10:15:19 -0400 Subject: [PATCH 27/27] cert-request: enforce caacl for principals in SAN cert-request currently does not enforce caacls for principals included in the subjectAltName requestExtension. Enforce for any dNSName values recognised as hosts/services known to FreeIPA. Fixes: https://fedorahosted.org/freeipa/ticket/5096 --- ipalib/plugins/cert.py | 42 +++++++++++++++++++++++++----------------- 1 file changed, 25 insertions(+), 17 deletions(-) diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py index 1878e5ad5f80fa93e1a77b0a88711c1da0016681..743fb4d3930f051c4a2098128b09b241a844cb43 100644 --- a/ipalib/plugins/cert.py +++ b/ipalib/plugins/cert.py 
@@ -220,6 +220,22 @@ def ca_enabled_check(): if not api.Command.ca_is_enabled()['result']: raise errors.NotFound(reason=_('CA is not configured')) +def caacl_check(principal_type, principal_string, ca, profile_id): + principal_type_map = {USER: 'user', HOST: 'host', SERVICE: 'service'} + if not ipalib.plugins.caacl.acl_evaluate( + principal_type_map[principal_type], + principal_string, ca, profile_id): + raise errors.ACIError(info=_( + "Principal '%(principal)s' " + "is not permitted to use CA '%(ca)s' " + "with profile '%(profile_id)s' for certificate issuance." + ) % dict( + principal=principal_string, + ca=ca or '.', + profile_id=profile_id + ) + ) + @register() class cert_request(VirtualCommand): __doc__ = _('Submit a certificate signing request.') @@ -305,6 +321,7 @@ class cert_request(VirtualCommand): add = kw.get('add') request_type = kw.get('request_type') profile_id = kw.get('profile_id', self.Backend.ra.DEFAULT_PROFILE) + ca = '.' # top-level CA hardcoded until subca plugin implemented """ Access control is partially handled by the ACI titled @@ -327,21 +344,7 @@ class cert_request(VirtualCommand): else: principal_type = SERVICE - principal_type_map = {USER: 'user', HOST: 'host', SERVICE: 'service'} - ca = '.' # top-level CA hardcoded until subca plugin implemented - if not ipalib.plugins.caacl.acl_evaluate( - principal_type_map[principal_type], - principal_string, ca, profile_id): - raise errors.ACIError(info=_( - "Principal '%(principal)s' " - "is not permitted to use CA '%(ca)s' " - "with profile '%(profile_id)s' for certificate issuance." - ) % dict( - principal=principal_string, - ca=ca or '.', - profile_id=profile_id - ) - ) + caacl_check(principal_type, principal_string, ca, profile_id) bind_principal = split_any_principal(getattr(context, 'principal')) bind_service, bind_name, bind_realm = bind_principal 
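Review bot: `caacl_check` lifts the existing ACL evaluation into a helper without changing it, which is the right refactor for reuse in the SAN loop; two small points. `ca or '.'` in the error message is now dead, since `ca = '.'` is assigned unconditionally in cert_request (per the comment, until the subca plugin exists); drop the `or`. And `principal_type_map[principal_type]` raises a bare KeyError for an unexpected type; a ValueError with a message would make a future caller's mistake obvious. A one-line docstring saying that the function raises ACIError on denial and returns nothing otherwise would help, since callers rely on the exception rather than a return value.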
@@ -439,13 +442,15 @@ class cert_request(VirtualCommand): if name_type == pkcs10.SAN_DNSNAME: name = unicode(name) alt_principal_obj = None + alt_principal_string = None try: if principal_type == HOST: + alt_principal_string = 'host/%s@%s' % (name, realm) alt_principal_obj = api.Command['host_show'](name, all=True) elif principal_type == SERVICE: - altprincipal = '%s/%s@%s' % (servicename, name, realm) + alt_principal_string = '%s/%s@%s' % (servicename, name, realm) alt_principal_obj = api.Command['service_show']( - altprincipal, all=True) + alt_principal_string, all=True) elif principal_type == USER: raise errors.ValidationError( name='csr', @@ -465,6 +470,9 @@ class cert_request(VirtualCommand): raise errors.ACIError(info=_( "Insufficient privilege to create a certificate " "with subject alt name '%s'.") % name) + if alt_principal_string is not None: + caacl_check( + principal_type, alt_principal_string, ca, profile_id) elif name_type in (pkcs10.SAN_OTHERNAME_KRB5PRINCIPALNAME, pkcs10.SAN_OTHERNAME_UPN): if name != principal_string: -- 2.1.0 From ftweedal at redhat.com Fri Jul 3 14:32:40 2015 
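Review bot: in the SAN hunk the CA ACL is evaluated for every dNSName that resolves to a known host or service, after the `Insufficient privilege` ACIError that checks the bind principal's rights over the alt principal; that ordering is right, and it closes the gap in the commit message where a CSR for an authorised subject could still carry SANs for principals no CA ACL permits. `alt_principal_string` stays `None` when the lookup fails, so `caacl_check` is skipped for unknown names, which is the intended fail-closed path only if the surrounding `except` (not shown in the hunk) rejects the request; please confirm. The diffstat touches only ipalib/plugins/cert.py, so there is no test submitting a CSR whose dNSName SAN names a host outside every CA ACL and expecting ACIError.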
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Sat, 4 Jul 2015 00:32:40 +1000
Subject: [Freeipa-devel] CA ACL enforcement when authenticated as root
In-Reply-To: <20150701060611.GT6584@dhcp-40-8.bne.redhat.com>
References: <20150701060611.GT6584@dhcp-40-8.bne.redhat.com>
Message-ID: <20150703143240.GH6584@dhcp-40-8.bne.redhat.com>

On Wed, Jul 01, 2015 at 04:06:11PM +1000, Fraser Tweedale wrote:
> Hi everyone,
>
> With the addition of CA ACLs, there are now two levels of
> permissions checked by the `cert-request' command:
>
> - LDAP permission checks. This check is performed against the bind
> principal; `admin' has permission to write the userCertificate
> attribute of any principal.
>
> - CA ACLs: whether issuing a certificate to a particular principal
> using a particular profile is permitted. This check is performed
> against the principal for whom the certificate is being requested,
> which might or might not be the bind principal.
>
> Some questions came up after the recent GSS IdM test day:
>
> 1) It was requested to add a caacl rule to allow `admin' to issue a
> certificate for itself via any profile. This is straightforward,
> but what are the use cases for the `admin' account issuing
> certificates to itself?
>
> 2) When `admin' (as bind principal) requests a certificate for
> another principal and there is no CA ACL allowing issuance of a
> certificate for that principal+profile, the request is currently
> rejected. Should we change the behaviour to allow `admin' to issue
> a certificate to any principal, using any profile? (This would be
> accomplished by skipping CA ACL checks in `cert-request' when
> authenticated as admin.)
>
> (Note, if the answer to (2) is "yes", (1) is subsumed.)
>
> Cheers,
> Fraser
>
> --
> Manage your subscription for the Freeipa-devel mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-devel
> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Ping. Anyone got feels about this?

Otherwise a patch will appear implementing (2), because that is a smaller patch :)

From mbabinsk at redhat.com Fri Jul 3 14:41:30 2015
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Fri, 3 Jul 2015 16:41:30 +0200
Subject: [Freeipa-devel] [PATCH 0046] add option to skip client API version check and proceed at user's own risk
In-Reply-To: <5595274E.6070503@redhat.com>
References: <5595274E.6070503@redhat.com>
Message-ID: <55969F1A.2040400@redhat.com>

On 07/02/2015 01:58 PM, Martin Babinsky wrote:
> First attempt at https://fedorahosted.org/freeipa/ticket/4768
>
>

Attaching reworked patch.

--
Martin^3 Babinsky

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbabinsk-0046.1-add-option-to-skip-client-API-version-check-and-proc.patch
Type: text/x-patch
Size: 4333 bytes
Desc: not available
URL:

From simo at redhat.com Fri Jul 3 14:50:12 2015
From: simo at redhat.com (Simo Sorce) Date: Fri, 03 Jul 2015 10:50:12 -0400 Subject: [Freeipa-devel] Postponing Topology feature In-Reply-To: <55962F5F.8090606@redhat.com> References: <55962F5F.8090606@redhat.com> Message-ID: <1435935012.3312.0.camel@willson.usersys.redhat.com> On Fri, 2015-07-03 at 08:44 +0200, Martin Kosek wrote: > Hi all, > > I had several offline discussions about the Topology feature [1] and what to do > with it. Many developers worked pretty hard on making the Topology usable for > the upcoming FreeIPA 4.2 release, however, it still misses some of the > functionality that would prevent our users from making the best of it. > > Namely: > 1) Dogtag Topology management: https://fedorahosted.org/freeipa/ticket/3053 > 2) Replica Promotion: https://fedorahosted.org/freeipa/ticket/2888 > 3) Graphical topology view: https://fedorahosted.org/freeipa/ticket/4286 > > While 3) is mostly eye candy, without 1) and 2) the current Topology does > not have sufficient value for our users to ship it. Also, there could be > upgrade issues when 1) is implemented and we may need to introduce another > Domain Level. > > So what we thought would make most sense for FreeIPA 4.2 is to simply release > without Topology functionality and postpone it to the next version which could > follow FreeIPA 4.2 within 1-2 months. > > Sorry for the inconvenience, but don't worry - Topology is not going anywhere, > it's coming! (Just a bit later and with more bells and whistles) > > [1] https://fedorahosted.org/freeipa/ticket/4302 > > -- > Martin Kosek > Supervisor, Software Engineering - Identity Management Team > Red Hat Inc. > +1, I am working on (2) and would like to have a few more weeks to plow along as I am discovering various things that may delay it a little bit. Simo. -- Simo Sorce * Red Hat, Inc * New York From simo at redhat.com Fri Jul 3 14:53:54 2015 
From: simo at redhat.com (Simo Sorce) Date: Fri, 03 Jul 2015 10:53:54 -0400 Subject: [Freeipa-devel] CA ACL enforcement when authenticated as root In-Reply-To: <20150703143240.GH6584@dhcp-40-8.bne.redhat.com> References: <20150701060611.GT6584@dhcp-40-8.bne.redhat.com> <20150703143240.GH6584@dhcp-40-8.bne.redhat.com> Message-ID: <1435935234.3312.2.camel@willson.usersys.redhat.com> On Sat, 2015-07-04 at 00:32 +1000, Fraser Tweedale wrote: > On Wed, Jul 01, 2015 at 04:06:11PM +1000, Fraser Tweedale wrote: > > Hi everyone, > > > > With the addition of CA ACLs, there are now two levels of > > permissions checked by the `cert-request' command: > > > > - LDAP permission checks. This check is performed against the bind > > principal; `admin' has permission to write the userCertificate > > attribute of any principal. > > > > - CA ACLs: whether issuing a certificate to a particular principal > > using a particular profile is permitted. This check is performed > > against the principal for whom the certificate is being requested, > > which might or might not be the bind principal. > > > > Some questions came up after the recent GSS IdM test day: > > > > 1) It was requested to add a caacl rule to allow `admin' to issue a > > certificate for itself via any profile. This is straightforward, > > but what are the use cases for the `admin' account issuing > > certificates to itself? > > > > 2) When `admin' (as bind principal) requests a certificate for > > another principal and there is no CA ACL allowing issuance of a > > certificate for that principal+profile, the request is currently > > rejected. Should we change the behaviour to allow `admin' to issue > > a certificate to any principal, using any profile? (This would be > > accomplished by skipping CA ACL checks in `cert-request' when > > authenticated as admin.) > > > > (Note, if the answer to (2) is "yes", (1) is subsumed.) There should be a group (of which admin will be part by default) that can do this. 
It is needed to be able to provide certificates to hosts that respond to multiple names, wildcard names and so on. So, yes. Simo. > > Cheers, > > Fraser > > > > -- > > Manage your subscription for the Freeipa-devel mailing list: > > https://www.redhat.com/mailman/listinfo/freeipa-devel > > Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code > > Ping. Anyone got feels about this? Otherwise a patch will appear > implementing (2), because that is a smaller patch :) > -- Simo Sorce * Red Hat, Inc * New York From lkrispen at redhat.com Fri Jul 3 15:10:53 2015 
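The two-level model discussed in this thread (an LDAP write check evaluated against the bind principal, then a CA ACL check evaluated against the principal the certificate is for, plus the group Simo proposes whose members may skip the CA ACL check) is sketched below as an added example. It is illustration code written for this archive page, not FreeIPA's `cert-request` implementation: the in-memory `Directory`, the `CAACL` class, the group name `cert-issuers`, the realm and every sample principal are assumptions. Each DNS subject alternative name is mapped to a principal of the same kind as the subject and put through both checks, mirroring what the `cert-request` patch earlier on this page does for alt names.

```python
"""Two-level authorization for a certificate request (illustration only).

Level 1 is the LDAP permission check, evaluated against the *bind* principal.
Level 2 is the CA ACL check, evaluated against every principal the certificate
will name.  Members of an assumed 'cert-issuers' group may skip level 2 (the
group Simo proposes above).  The data model and all names are assumptions.
"""
from dataclasses import dataclass, field

REALM = "EXAMPLE.COM"  # assumed realm for the constructed sample data


class AuthorizationError(Exception):
    """Raised with the reason when a request must be refused."""


def split_principal(principal):
    """Return (kind, name): ('host', fqdn), ('service', 'svc/fqdn') or ('user', uid)."""
    primary, sep, realm = principal.rpartition('@')
    if not sep or realm != REALM:
        raise AuthorizationError("principal %r is not in realm %s" % (principal, REALM))
    if '/' not in primary:
        return 'user', primary
    service, hostname = primary.split('/', 1)
    return ('host', hostname) if service == 'host' else ('service', primary)


@dataclass(frozen=True)
class CAACL:
    """One CA ACL rule: which profiles may be used for which principals ('*' = any)."""
    name: str
    profiles: frozenset
    hosts: frozenset = frozenset()
    services: frozenset = frozenset()
    users: frozenset = frozenset()
    enabled: bool = True

    def permits(self, target, profile_id):
        if not self.enabled or ('*' not in self.profiles and profile_id not in self.profiles):
            return False
        kind, name = split_principal(target)
        members = {'host': self.hosts, 'service': self.services, 'user': self.users}[kind]
        return '*' in members or name in members


@dataclass
class Directory:
    """Stand-in for the LDAP data that decides write access to userCertificate."""
    groups: dict = field(default_factory=dict)      # group name -> set of principals
    managed_by: dict = field(default_factory=dict)  # principal -> hosts allowed to manage it

    def can_write_certificate(self, bind, target):
        """Level 1: admins write anything; others only their own entry or entries they manage."""
        if bind in self.groups.get('admins', set()) or bind == target:
            return True
        return bind in self.managed_by.get(target, set())


def authorize_cert_request(bind, subject, profile_id, directory, acls,
                           alt_dns_names=(), bypass_group='cert-issuers'):
    """Return 'caacl' or 'bypass' when the request is allowed, else raise AuthorizationError."""
    kind, name = split_principal(subject)
    if kind == 'user' and alt_dns_names:
        raise AuthorizationError("subject alt names are not allowed for user principals")
    targets = [subject]
    for dns_name in alt_dns_names:  # each DNS SAN becomes a principal of the subject's kind
        if kind == 'host':
            targets.append('host/%s@%s' % (dns_name, REALM))
        else:
            targets.append('%s/%s@%s' % (name.split('/', 1)[0], dns_name, REALM))
    for target in targets:  # level 1, evaluated against the bind principal
        if not directory.can_write_certificate(bind, target):
            raise AuthorizationError("insufficient privilege to write userCertificate of %s" % target)
    unmatched = [t for t in targets  # level 2, evaluated against each target principal
                 if not any(acl.permits(t, profile_id) for acl in acls)]
    if not unmatched:
        return 'caacl'
    if bypass_group and bind in directory.groups.get(bypass_group, set()):
        return 'bypass'
    raise AuthorizationError("no CA ACL allows profile %s for %s" % (profile_id, ', '.join(unmatched)))


def decide(*args, **kwargs):
    """Non-raising wrapper: the decision string, or 'denied: <reason>'."""
    try:
        return authorize_cert_request(*args, **kwargs)
    except AuthorizationError as exc:
        return 'denied: %s' % exc


def sample_directory():
    """Constructed sample data, not taken from any real deployment."""
    web1 = 'host/web1.example.com@EXAMPLE.COM'
    return Directory(
        groups={'admins': {'admin@EXAMPLE.COM'}, 'cert-issuers': {'admin@EXAMPLE.COM'}},
        managed_by={'HTTP/web1.example.com@EXAMPLE.COM': {web1},
                    'HTTP/www.example.com@EXAMPLE.COM': {web1}})


# One rule letting every host and service use the default service profile.
SAMPLE_ACLS = (CAACL('hosts_services_default', frozenset({'caIPAserviceCert'}),
                     hosts=frozenset({'*'}), services=frozenset({'*'})),)
```

With `sample_directory()` and `SAMPLE_ACLS`, `host/web1` may request the default profile for itself and for the `HTTP/` services it manages (including the `www.example.com` alt name), but not for another host, because level 1 fails before any CA ACL is consulted. `admin` passes level 1 for everything and may use a profile no ACL covers only because it is in `cert-issuers`; calling with `bypass_group=None` turns that into the rejection Fraser describes in (2).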
From: lkrispen at redhat.com (Ludwig Krispenz) Date: Fri, 03 Jul 2015 17:10:53 +0200 Subject: [Freeipa-devel] Postponing Topology feature In-Reply-To: <1435935012.3312.0.camel@willson.usersys.redhat.com> References: <55962F5F.8090606@redhat.com> <1435935012.3312.0.camel@willson.usersys.redhat.com> Message-ID: <5596A5FD.7090307@redhat.com> On 07/03/2015 04:50 PM, Simo Sorce wrote: > On Fri, 2015-07-03 at 08:44 +0200, Martin Kosek wrote: >> Hi all, >> >> I had several offline discussions about the Topology feature [1] and what to do >> with it. Many developers worked pretty hard on making the Topology usable for >> the upcoming FreeIPA 4.2 release, however, it still misses some of the >> functionality that would prevent our users from making the best of it. >> >> Namely: >> 1) Dogtag Topology management: https://fedorahosted.org/freeipa/ticket/3053 >> 2) Replica Promotion: https://fedorahosted.org/freeipa/ticket/2888 >> 3) Graphical topology view: https://fedorahosted.org/freeipa/ticket/4286 >> >> While 3) is mostly eye candy, without 1) and 2) the current Topology does >> not have sufficient value for our users to ship it. Also, there could be >> upgrade issues when 1) is implemented and we may need to introduce another >> Domain Level. >> >> So what we thought would make most sense for FreeIPA 4.2 is to simply release >> without Topology functionality and postpone it to the next version which could >> follow FreeIPA 4.2 within 1-2 months. >> >> Sorry for the inconvenience, but don't worry - Topology is not going anywhere, >> it's coming! (Just a bit later and with more bells and whistles) >> >> [1] https://fedorahosted.org/freeipa/ticket/4302 >> >> -- >> Martin Kosek >> Supervisor, Software Engineering - Identity Management Team >> Red Hat Inc. >> > +1, I am working on (2) and would like to have a few more weeks to plow > along as I am discovering various things that may delay it a little bit. 
I'll work on (1); I did update the ticket with the first test, what is currently working and what's missing. > > Simo. > From jfenal at gmail.com Sat Jul 4 12:03:07 2015 From: jfenal at gmail.com (Jérôme Fenal) Date: Sat, 4 Jul 2015 14:03:07 +0200 Subject: [Freeipa-devel] [MAN] [PATCH] 0004 Fix phrasing in man page for stageuser.py Message-ID: Hi all, A quick patch to the man page part of stageuser to avoid ambiguity in the phrasing, spotted while translating the page. Regards, J. -- Jérôme Fenal -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jfenal-0004-Fix-the-man-page-part-for-shorter-sentences-to-avoid.patch Type: text/x-patch Size: 2738 bytes Desc: not available URL: From ftweedal at redhat.com Sat Jul 4 14:58:19 2015 
From: ftweedal at redhat.com (Fraser Tweedale) Date: Sun, 5 Jul 2015 00:58:19 +1000 Subject: [Freeipa-devel] [PATCH] 0024..0025 Add missing certprofile features In-Reply-To: <20150703123407.GE6584@dhcp-40-8.bne.redhat.com> References: <20150702091546.GY6584@dhcp-40-8.bne.redhat.com> <55950325.9010200@redhat.com> <20150702101212.GZ6584@dhcp-40-8.bne.redhat.com> <20150703123407.GE6584@dhcp-40-8.bne.redhat.com> Message-ID: <20150704145819.GI6584@dhcp-40-8.bne.redhat.com> On Fri, Jul 03, 2015 at 10:34:07PM +1000, Fraser Tweedale wrote: > On Thu, Jul 02, 2015 at 08:12:12PM +1000, Fraser Tweedale wrote: > > On Thu, Jul 02, 2015 at 11:23:49AM +0200, Jan Cholasta wrote: > > > Hi, > > > > > > Dne 2.7.2015 v 11:15 Fraser Tweedale napsal(a): > > > >Attached patches fix a couple of important gaps in certprofile > > > >plugin: > > > > > > > >- Add --out option to export Dogtag profile data to file > > > > https://fedorahosted.org/freeipa/ticket/5091 > > > > > > > >- Add --file option to update existing profile in Dogtag > > > > https://fedorahosted.org/freeipa/ticket/5093 > > > > > NACK on patchset v2; does not work (even after makeapi, which I > forgot to include in updated patchset). I keep getting error > ``ipa: ERROR: Unknown option: file''. Need to investigate why, > but other patches are taking priority right now. > > Here is patchset v3, which is just v1 rebased on latest master. > > Thanks, > Fraser > Updated patch 0025 (v4). Profile now gets re-enabled if profile update fails. Patch 0024 remains at v3. Thanks, Fraser -------------- next part -------------- From e2a8c92c73e4b2d119475fc2a93026df2ac60947 Mon Sep 17 00:00:00 2001 
From: Fraser Tweedale Date: Thu, 2 Jul 2015 04:09:31 -0400 Subject: [PATCH] certprofile: add ability to update profile config in Dogtag Add the `--file=FILENAME' option to `certprofile-mod' which, when given, will update the profile configuration in Dogtag to the contents of the file. Fixes: https://fedorahosted.org/freeipa/ticket/5093 --- API.txt | 3 ++- VERSION | 4 ++-- ipalib/plugins/certprofile.py | 35 ++++++++++++++++++++++++++++++++--- ipaserver/plugins/dogtag.py | 12 ++++++++++++ 4 files changed, 48 insertions(+), 6 deletions(-) diff --git a/API.txt b/API.txt index 22ae9bb88710366736ee915e6fe6f2f1c09f2449..e03b8fb54f7ba128227f37179f5715de86dffdef 100644 --- a/API.txt +++ b/API.txt @@ -731,12 +731,13 @@ output: Entry('result', , Gettext('A dictionary representing an LDA output: Output('summary', (, ), None) output: PrimaryKey('value', None, None) command: certprofile_mod -args: 1,10,3 +args: 1,11,3 arg: Str('cn', attribute=True, cli_name='id', multivalue=False, primary_key=True, query=True, required=True) option: Str('addattr*', cli_name='addattr', exclude='webui') option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Str('delattr*', cli_name='delattr', exclude='webui') option: Str('description', attribute=True, autofill=False, cli_name='desc', multivalue=False, required=False) +option: File('file?', cli_name='file') option: Bool('ipacertprofilestoreissued', attribute=True, autofill=False, cli_name='store', default=True, multivalue=False, required=False) option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Str('rename', cli_name='rename', multivalue=False, primary_key=True, required=False) diff --git a/VERSION b/VERSION index 5827f05a4b6b07afb91bd193ff8d7bdecdcc5f9a..5956d3dbf629c61d485d84524960a3f298a9da11 100644 --- a/VERSION +++ b/VERSION 
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000 # # ######################################################## IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=138 -# Last change: ftweedal: add certprofile-show --out option +IPA_API_VERSION_MINOR=139 +# Last change: ftweedal: add certprofile-mod --file option diff --git a/ipalib/plugins/certprofile.py b/ipalib/plugins/certprofile.py index abb62434eee4cb87356da5568b8a1bb12b762f67..6f9a41875b2a276b521219156e630817a9c41fdc 100644 --- a/ipalib/plugins/certprofile.py +++ b/ipalib/plugins/certprofile.py @@ -13,6 +13,7 @@ from ipalib.plugins.baseldap import ( LDAPDelete, LDAPUpdate, LDAPRetrieve) from ipalib import ngettext from ipalib.text import _ +from ipapython.version import API_VERSION from ipalib import errors @@ -245,7 +246,6 @@ class certprofile_import(LDAPCreate): def post_callback(self, ldap, dn, entry_attrs, *keys, **options): """Import the profile into Dogtag and enable it. - If the operation succeeds, update the LDAP entry to 'enabled'. If the operation fails, remove the LDAP entry. """ try: 
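Review bot: the `@@ -245,7 +246,6 @@` hunk drops the sentence "If the operation succeeds, update the LDAP entry to 'enabled'." from the `certprofile_import.post_callback` docstring; that is a docstring fix for a different command and nothing in the commit message ("certprofile: add ability to update profile config in Dogtag") mentions it. Either move it to its own small patch or add a line to the commit message saying the docstring was stale, and confirm that the remaining text ("If the operation fails, remove the LDAP entry.") still matches what `post_callback` actually does.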
@@ -281,6 +281,35 @@ class certprofile_mod(LDAPUpdate): __doc__ = _("Modify Certificate Profile configuration.") msg_summary = _('Modified Certificate Profile "%(value)s"') - def execute(self, *args, **kwargs): + takes_options = LDAPUpdate.takes_options + ( + File('file?', + label=_('File containing profile configuration'), + cli_name='file', + flags=('virtual_attribute',), + ), + ) + + def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): ca_enabled_check() - return super(certprofile_mod, self).execute(*args, **kwargs) + if 'file' in options: + with self.api.Backend.ra_certprofile as profile_api: + profile_api.disable_profile(keys[0]) + try: + profile_api.update_profile(keys[0], options['file']) + finally: + profile_api.enable_profile(keys[0]) + + return dn + + def execute(self, *keys, **options): + try: + return super(certprofile_mod, self).execute(*keys, **options) + except errors.EmptyModlist: + if 'file' in options: + # The profile data in Dogtag was updated. + # Do not fail; return result of certprofile-show instead + return self.api.Command.certprofile_show(keys[0], + version=API_VERSION) + else: + # This case is actually an error; re-raise + raise diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py index eb2a6ae8413362ae2a443c672f806ff97356448f..47279921a5428f388f84967b7bbe05d758e475bd 100644 --- a/ipaserver/plugins/dogtag.py +++ b/ipaserver/plugins/dogtag.py @@ -2089,6 +2089,18 @@ class ra_certprofile(RestClient): 'GET', profile_id + '/raw') return resp_body + def update_profile(self, profile_id, profile_data): + """ + Update the profile configuration in Dogtag + """ + self._ssldo('PUT', profile_id + '/raw', + headers={ + 'Content-type': 'application/xml', + 'Accept': 'application/json', + }, + body=profile_data + ) + def enable_profile(self, profile_id): """ Enable the profile in Dogtag -- 2.1.0 From jfenal at gmail.com Sun Jul 5 09:25:51 2015 
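Review bot: in the `@@ -281,6 +281,35 @@` hunk `pre_callback` rewrites the profile in Dogtag before any LDAP write has taken place, and because `file` is not an LDAP attribute (it is flagged `virtual_attribute`) a `--file`-only invocation produces an empty modlist, which the new `execute` deliberately converts into a `certprofile_show` result instead of an error; unless `LDAPUpdate` performs a write-permission check of its own that is not visible here, the directory server ACIs that normally gate `certprofile-mod` are never evaluated for such a call, so any principal able to reach the command could replace a profile's configuration in the CA. Add an explicit check before the `with self.api.Backend.ra_certprofile as profile_api:` block, for example `if not ldap.can_write(dn, 'ipacertprofilestoreissued'): raise errors.ACIError(info=_("Insufficient privilege to modify a certificate profile."))`, and say in the `--file` option's `label` or `doc` that it changes the profile stored in Dogtag. The `try ... finally: profile_api.enable_profile(keys[0])` sequence does re-enable the old configuration when `update_profile` fails, as the cover letter says, but if `enable_profile` then raises, the original exception from `update_profile` is lost; consider logging it before the `finally` runs.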
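Review bot: `update_profile` in the `ipaserver/plugins/dogtag.py` hunk sends `profile_data` to `PUT <profile_id>/raw` unchanged; nothing here checks that the `profileId` inside the uploaded configuration matches the `profile_id` in the URL, so a file exported from one profile with `certprofile-show --out` and passed to `certprofile-mod --file` for another would be applied to the wrong profile if Dogtag accepts it. Either check that in `certprofile_mod` before calling this method or document here that Dogtag is relied on to reject a mismatch, and extend the one-line docstring to say that `profile_data` is the raw profile configuration in the same format the `GET .../raw` call just above returns.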
From: jfenal at gmail.com (Jérôme Fenal) Date: Sun, 5 Jul 2015 11:25:51 +0200 Subject: [Freeipa-devel] Meaning of two strings in plugins/service.py Message-ID: Hi, I stumbled upon the following two strings while translating into French, and just cannot figure out the meaning. Str('ipaallowedtoperform_read_keys', label=_('Failed allowed to retrieve keytab'), ), Str('ipaallowedtoperform_write_keys', label=_('Failed allowed to create keytab'), ), Would it be that failure is allowed while retrieving or creating keytab? Or...? Thanks for helping, Jérôme -- Jérôme Fenal From ftweedal at redhat.com Mon Jul 6 09:47:21 2015 
From: ftweedal at redhat.com (Fraser Tweedale) Date: Mon, 6 Jul 2015 19:47:21 +1000 Subject: [Freeipa-devel] CA ACL enforcement when authenticated as root In-Reply-To: <1435935234.3312.2.camel@willson.usersys.redhat.com> References: <20150701060611.GT6584@dhcp-40-8.bne.redhat.com> <20150703143240.GH6584@dhcp-40-8.bne.redhat.com> <1435935234.3312.2.camel@willson.usersys.redhat.com> Message-ID: <20150706094721.GK6584@dhcp-40-8.bne.redhat.com> On Fri, Jul 03, 2015 at 10:53:54AM -0400, Simo Sorce wrote: > On Sat, 2015-07-04 at 00:32 +1000, Fraser Tweedale wrote: > > On Wed, Jul 01, 2015 at 04:06:11PM +1000, Fraser Tweedale wrote: > > > Hi everyone, > > > > > > With the addition of CA ACLs, there are now two levels of > > > permissions checked by the `cert-request' command: > > > > > > - LDAP permission checks. This check is performed against the bind > > > principal; `admin' has permission to write the userCertificate > > > attribute of any principal. > > > > > > - CA ACLs: whether issuing a certificate to a particular principal > > > using a particular profile is permitted. This check is performed > > > against the principal for whom the certificate is being requested, > > > which might or might not be the bind principal. > > > > > > Some questions came up after the recent GSS IdM test day: > > > > > > 1) It was requested to add a caacl rule to allow `admin' to issue a > > > certificate for itself via any profile. This is straightforward, > > > but what are the use cases for the `admin' account issuing > > > certificates to itself? > > > > > > 2) When `admin' (as bind principal) requests a certificate for > > > another principal and there is no CA ACL allowing issuance of a > > > certificate for that principal+profile, the request is currently > > > rejected. Should we change the behaviour to allow `admin' to issue > > > a certificate to any principal, using any profile? 
(This would be > > > accomplished by skipping CA ACL checks in `cert-request' when > > > authenticated as admin.) > > > > > > (Note, if the answer to (2) is "yes", (1) is subsumed.) > > There should be a group (of which admin will be part of by default) that > can do this. It is needed to be able to provide certificates to hosts > that respond to multiple names, wildcard names and so on. > > So, yes. > > Simo. > Thanks; good idea. I filed a ticket: https://fedorahosted.org/freeipa/ticket/5099 > > > > Cheers, > > > Fraser > > > > > > -- > > > Manage your subscription for the Freeipa-devel mailing list: > > > https://www.redhat.com/mailman/listinfo/freeipa-devel > > > Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code > > > > Ping. Anyone got feels about this? Otherwise a patch will appear > > implementing (2), because that is a smaller patch :) > > > > > -- > Simo Sorce * Red Hat, Inc * New York > From cheimes at redhat.com Mon Jul 6 15:35:23 2015 
From: cheimes at redhat.com (Christian Heimes) Date: Mon, 06 Jul 2015 17:35:23 +0200 Subject: [Freeipa-devel] error handling in httpd.service and ipa-httpd-kdcproxy Message-ID: <559AA03B.7030700@redhat.com> Hello, I would like to ask for your opinion regarding the pre-exec hook 'ipa-httpd-kdcproxy' in httpd.service. Alex has asked me to handle error cases like LDAP connection timeout more gracefully. At the moment any error causes the script to return a non-zero exit code. This breaks the service and apparently also offline RPM upgrades. How should I handle error cases? I can change httpd.service to simply ignore the exit code of ipa-httpd-kdcproxy. But that might lead to an invalid state. I could modify the script to catch connection errors and to disable kdcproxy in case of an error. The options are: 1) httpd.service ignores the exit code of ipa-httpd-kdcproxy 2) ipa-httpd-kdcproxy removes the kdcproxy config file in case of a connection error 3) 1 + 2 What do you think? Christian -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 455 bytes Desc: not available URL: From tbabej at redhat.com Tue Jul 7 06:32:11 2015 
From: tbabej at redhat.com (Tomas Babej) Date: Tue, 07 Jul 2015 08:32:11 +0200 Subject: [Freeipa-devel] [PATCH] 892 webui: add managedby tab to otptoken In-Reply-To: <559684E5.8030101@redhat.com> References: <55941C56.9060703@redhat.com> <559684E5.8030101@redhat.com> Message-ID: <559B726B.5060600@redhat.com> On 07/03/2015 02:49 PM, Martin Babinsky wrote: > On 07/01/2015 06:59 PM, Petr Vobornik wrote: >> Added managedby_user tab to manage users who can manage the token. >> >> https://fedorahosted.org/freeipa/ticket/5003 >> >> Nathaniel, I could not reproduce the following part of the ticket: >> """ >> Careful interaction is required here. In the current code, this also >> creates a bug since all UI created tokens are owned but not managed. >> When users of these tokens are deleted, their self-created tokens are >> orphaned rather than deleted. >> >> Self-created tokens MUST be both self-owned AND self-managed. >> """ >> >> The self-created tokens which I created in Web UI as admin or normal >> user were in both cases managed by the same user who created them. >> >> > (Once again, this time also reply to the list) > > The patch itself does what it is supposed to. > > So ACK from me. > > However, I have found out that the token's manager is correctly set > *only* when it is directly created by the user that should own it. In > this case when the manager is not specified, the code works as expected > and fills in the logged-in user as manager. > > However, if e.g. admin creates a token for another user and does not set > him as the manager explicitly, the 'managedBy' attribute is not set. > Pushed to: master: b258bcee8337063259aa38b4387b9bb5721fb380 ipa-4-1: 5439e7a8fa46a8eab0d23689807a4894f20ecea7 From tbabej at redhat.com Tue Jul 7 06:38:44 2015 
From: tbabej at redhat.com (Tomas Babej) Date: Tue, 07 Jul 2015 08:38:44 +0200 Subject: [Freeipa-devel] [PATCHES 0252-0253, 268, 50 - 51] DNSSEC: allow to move DNSSEC key master to another IPA server In-Reply-To: <5593C55B.4090500@redhat.com> References: <555CAFAC.2050803@redhat.com> <55717FD9.6010002@redhat.com> <5580275F.1000106@redhat.com> <5581596D.9080209@redhat.com> <55815BF8.50202@redhat.com> <558BEA12.8060601@redhat.com> <55914517.7090404@redhat.com> <55925275.7020708@redhat.com> <5592A1DF.4060601@redhat.com> <5592F78C.3060406@redhat.com> <5593C262.6040906@redhat.com> <5593C55B.4090500@redhat.com> Message-ID: <559B73F4.4060300@redhat.com> On 07/01/2015 12:47 PM, Petr Spacek wrote: > On 1.7.2015 12:35, Martin Basti wrote: >> On 30/06/15 22:09, Petr Spacek wrote: >>> On 30.6.2015 16:04, Martin Basti wrote: >>>> On 30/06/15 10:25, Martin Basti wrote: >>>>> On 29/06/15 15:16, Martin Basti wrote: >>>>>> On 25/06/15 13:46, Petr Spacek wrote: >>>>>>> On 17.6.2015 13:37, Martin Basti wrote: >>>>>>>> On 17/06/15 13:26, Petr Spacek wrote: >>>>>>>>> On 16.6.2015 15:40, Martin Basti wrote: >>>>>>>>>> On 05/06/15 12:54, Petr Spacek wrote: >>>>>>>>>>> On 20.5.2015 18:00, Martin Basti wrote: >>>>>>>>>>>> This patch allows to disable DNSSEC key master on IPA server, or >>>>>>>>>>>> replace >>>>>>>>>>>> current DNSSEC key master with another IPA server. >>>>>>>>>>>> >>>>>>>>>>>> Only for master branch. >>>>>>>>>>>> >>>>>>>>>>>> https://fedorahosted.org/freeipa/ticket/4657 >>>>>>>>>>>> >>>>>>>>>>>> Patches attached. >>>>>>>>>>> NACK. This happens on DNSSEC key master: >>>>>>>>>>> $ ipa-dns-install --disable-dnssec-master >>>>>>>>>>> >>>>>>>>>>> Do you want to disable current DNSSEC key master? 
[no]: yes >>>>>>>>>>> Unexpected error - see /var/log/ipaserver-install.log for details: >>>>>>>>>>> TypeError: sequence item 0: expected string, DNSName found >>>>>>>>>>> 2015-06-05T10:52:35Z DEBUG File >>>>>>>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", >>>>>>>>>>> line >>>>>>>>>>> 733, in run_script >>>>>>>>>>> return_value = main_function() >>>>>>>>>>> >>>>>>>>>>> File "/sbin/ipa-dns-install", line 128, in main >>>>>>>>>>> dns_installer.disable_dnssec_master(options.unattended) >>>>>>>>>>> >>>>>>>>>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/dns.py", >>>>>>>>>>> line >>>>>>>>>>> 112, >>>>>>>>>>> in disable_dnssec_master >>>>>>>>>>> ", ".join(dnssec_zones)) >>>>>>>>>>> >>>>>>>>>>> 2015-06-05T10:52:35Z DEBUG The ipa-dns-install command failed, >>>>>>>>>>> exception: >>>>>>>>>>> TypeError: sequence item 0: expected string, DNSName found >>>>>>>>>>> >>>>>>>>>> Updated patches attached. >>>>>>>>>> >>>>>>>>>> Due to the new installers, more changes were required. >>>>>>>>> Sorry, NACK, I'm not able to apply this patch set to current master >>>>>>>>> (69607250b9762a6c9b657dd31653b03d54a7b411). >>>>>>>>> >>>>>>>> Rebased patches attached. >>>>>>> NACK. >>>>>>> >>>>>>> >>>>>>> 0) ipa-dns-install --replace-dnssec-master always puts the file into >>>>>>> /root/ipa-kasp.db. >>>>>>> >>>>>>> It would be better to put it into the local working directory or >>>>>>> /var/lib/ipa (as >>>>>>> with replica files). 
>>>>>>> >>>>>>> >>>>>>> 1) I installed the DNSSEC key master role on vm-134 but DNSSEC services >>>>>>> were >>>>>>> not stopped by ipactl stop: >>>>>>> >>>>>>> [root at vm-134 review]# ipactl stop >>>>>>> Stopping ipa-otpd Service >>>>>>> Stopping httpd Service >>>>>>> Stopping ipa_memcached Service >>>>>>> Stopping kadmin Service >>>>>>> Stopping krb5kdc Service >>>>>>> Stopping Directory Service >>>>>>> ipa: INFO: The ipactl command was successful >>>>>>> >>>>>>> [root at vm-134 review]# ipactl start >>>>>>> Starting Directory Service >>>>>>> Starting krb5kdc Service >>>>>>> Starting kadmin Service >>>>>>> Starting named Service >>>>>>> Starting ipa_memcached Service >>>>>>> Starting httpd Service >>>>>>> Starting ipa-otpd Service >>>>>>> Starting ipa-ods-exporter Service >>>>>>> Starting ods-enforcerd Service >>>>>>> Starting ipa-dnskeysyncd Service >>>>>>> >>>>>>> Subsequent ipactl stop worked fine, only the first one is affected. >>>>>>> >>>>>>> >>>>>>> 2a) vm-134 was the original master. I ran this: >>>>>>> >>>>>>> [root at vm-134 review]# ipa-dns-install >>>>>>> --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com >>>>>>> >>>>>>> ... and then attempted to install the master on vm-059: >>>>>>> [root at vm-059 review]# ipa-dns-install --dnssec-master >>>>>>> >>>>>>> This command was accepted despite the missing --kasp-db option and wrong >>>>>>> replica name. >>>>>>> >>>>>>> It should error out and tell the user to run the command with the --kasp-db >>>>>>> option. >>>>>>> >>>>>>> Even better, we could get rid of the explicit replica name specification in >>>>>>> the --replace-dnssec-master option and allow running the installation with >>>>>>> --kasp-db on >>>>>>> any replica as long as the kasp.db file is provided. >>>>>>> >>>>>>> >>>>>>> >>>>>>> 2b) An attempt to move the DNSSEC key master from vm-134 to vm-090 *without* >>>>>>> specifying the --kasp-db option was accepted. 
>>>>>>> >>>>>>> [root at vm-090 review]# ipa-dns-install --dnssec-master >>>>>>> >>>>>>> As in case (2a), it should print what the user is supposed to do. >>>>>>> >>>>>>> I propose the following text: >>>>>>> >>>>>>> Current DNSSEC key master is being >>>>>>> moved to a different server. >>>>>>> >>>>>>> You need to copy the kasp.db file from >>>>>>> and >>>>>>> run the following command to complete the transition: >>>>>>> >>>>>>> # ipa-dns-install --dnssec-master --kasp-db=/path/to/the/copied/kasp.db >>>>>>> >>>>>>> >>>>>>> >>>>>>> 3) [root at vm-134 review]# ipa-dns-install >>>>>>> --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com >>>>>>> does not remove the ISMASTER option from file /etc/sysconfig/ipa-dnskeysyncd . >>>>>>> >>>>>>> >>>>>>> 4) [root at vm-134 review]# ipa-dns-install >>>>>>> --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com >>>>>>> >>>>>>> it is possible to run >>>>>>> >>>>>>> [root at vm-134 review]# ipa-dns-install --dnssec-master >>>>>>> >>>>>>> again without --kasp-db and it is accepted. >>>>>>> >>>>>>> Moreover, in this case ipaConfigString "NEW_DNSSEC_MASTER" is not properly >>>>>>> removed from >>>>>>> cn=DNSKeySync,cn=vm-090.abc.idm.lab.eng.brq.redhat.com,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=example. >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> 5) Sequence of commands >>>>>>> [root at vm-134 review]# ipa-dns-install >>>>>>> --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com >>>>>>> >>>>>>> [root at vm-090 review]# ipa-replica-manage del >>>>>>> vm-134.abc.idm.lab.eng.brq.redhat.com >>>>>>> >>>>>>> allows me to run >>>>>>> [root at vm-090 review]# ipa-dns-install --dnssec-master >>>>>>> >>>>>>> without the --kasp-db option, it does not throw an error, and the information >>>>>>> that >>>>>>> some other master existed somewhere is lost. >>>>>>> >>>>>>> It would probably be better to replace this and use some global >>>>>>> attribute >>>>>>> in cn=dns so similar problems do not happen. 
>>>>>>> >>>>>>> >>>>>>> >>>>>>> 6) The migration itself seems to work, KASP DB seems to work properly, >>>>>>> however >>>>>>> it is necessary to run 'ods-ksmutil zonelist' command *before* all the >>>>>>> daemons >>>>>>> on the new master are (re)started. This needs do be done to re-generate >>>>>>> file >>>>>>> /etc/opendnssec/zonelist.xml from the new (copied) DB. >>>>>>> >>>>>>> Here please be careful about file permissions. >>>>>>> >>>>>>> The command should be ran under 'ods' user to avoid permission clobbering. >>>>>>> >>>>>>> >>>>>>> Thank you for your hard work on this! >>>>>>> >>>>>> New patches attached. >>>>>> >>>>>> Major part of the code was changed. >>>>>> >>>>>> Please apply patch 268 first. >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>> Updated patches attached. >>>>> >>>>> I just changed the error log to debug log >>>>> ipautil.run(cmd, runas=ods_enforcerd.get_user_name()) >>>>> - except CalledProcessError as e: >>>>> - root_logger.error("%s", e) >>>>> + except CalledProcessError: >>>>> + root_logger.debug("OpenDNSSEC database has not been >>>>> updated") >>>>> >>>>> As this is not error during uninstall. >>>>> >>>>> -- >>>>> Martin Basti >>>>> >>>>> >>>> Updated patches attached. >>> Cond-NACK. Moving master does not work without additional patching. I'm >>> attaching fix for this + some polish for messages. >>> >>> Please review my amendments, it can be pushed if you are okay with my changes. >>> >> Thank you, it works. I did 2 small changes >> >> 1) >> In patch 51 i moved the check to parser, and fixed error message to proper option >> >> 2) >> in patch 50 I switched: >> if api.env.host not in dnssec_masters and dnssec_masters: >> >> to >> if dnssec_masters and api.env.host not in dnssec_masters: >> >> These patches belong to master branch only. >> All patches attached. > > Seems reasonable, ACK. > Pushed to master: 8ee975b276d0728130a148b01f9bfc0b77524ae0 From tbabej at redhat.com Tue Jul 7 06:44:48 2015 
From: tbabej at redhat.com (Tomas Babej) Date: Tue, 07 Jul 2015 08:44:48 +0200 Subject: [Freeipa-devel] [MAN] [PATCH] 0004 Fix phrasing in man page for stageuser.py In-Reply-To: References: Message-ID: <559B7560.3000107@redhat.com> On 07/04/2015 02:03 PM, Jérôme Fenal wrote: > Hi all, > > A quick patch to the man page part of stageuser to avoid ambiguity in > the phrasing, spotted while translating the page. > > Regards, > > J. > > > Thanks, ACK. I will not push this patch to master until we branch off the 4.2 development branch as it would disrupt already translated strings in the other languages. Tomas From tbabej at redhat.com Tue Jul 7 07:09:46 2015 
From: tbabej at redhat.com (Tomas Babej) Date: Tue, 07 Jul 2015 09:09:46 +0200 Subject: [Freeipa-devel] [PATCHES 330-331] Update translations and introduce Zanata configuration In-Reply-To: <558ABFCC.4040603@redhat.com> References: <558AA505.9080907@redhat.com> <558ABEBF.4010907@redhat.com> <558ABFCC.4040603@redhat.com> Message-ID: <559B7B3A.3030106@redhat.com> On 06/24/2015 04:33 PM, Tomas Babej wrote: > On 06/24/2015 04:29 PM, Martin Basti wrote: >> On 24/06/15 14:39, Tomas Babej wrote: >>> +msgid "Automount location name." >>> +msgstr "Job Title" >>> + >> >> in german po file >> >> +msgid "Automount location name." >> +msgstr "Job Title" >> + >> >> >> AFAIK, this is not german language. >> > > Nice catch! > > You can show off your German language skills by entering the correct > translation here: > > https://fedora.zanata.org/webtrans/Application.seam?project=freeipa&iteration=master&localeId=de&locale=en#view:doc;doc:install/po/ipa;search:Automount%20location%20name > > So far, I removed the wrong translation string in Zanata. > > Tomas > Attaching updated patches, with fresh translations. Thanks to all the translators! Tomas -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-tbabej-0330-2-l10n-Add-configuration-file-for-Zanata.patch Type: text/x-patch Size: 1543 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-tbabej-0331-2-l10n-Update-translation-strings.patch Type: text/x-patch Size: 984660 bytes Desc: not available URL: From jcholast at redhat.com Tue Jul 7 07:46:09 2015 
From: jcholast at redhat.com (Jan Cholasta) Date: Tue, 7 Jul 2015 09:46:09 +0200 Subject: [Freeipa-devel] [PATCH] Password vault In-Reply-To: <55967ECE.90701@redhat.com> References: <54E1AF55.3060409@redhat.com> <54EBEB55.6010306@redhat.com> <54F96B22.9050507@redhat.com> <55004D5D.6060300@redhat.com> <550FE5EB.1070606@redhat.com> <551E0AE1.8040500@redhat.com> <553498D1.1020901@redhat.com> <55651209.8020000@redhat.com> <556558AA.6040107@redhat.com> <556CF209.7050404@redhat.com> <556EF05E.90103@redhat.com> <55719260.8080300@redhat.com> <5571FD75.5010708@redhat.com> <557568CB.3040503@redhat.com> <557756EE.8020507@redhat.com> <5577D581.1020800@redhat.com> <557E7D21.2040304@redhat.com> <557F5998.2000103@redhat.com> <55811463.8050802@redhat.com> <5588D21A.1020104@redhat.com> <558B9334.8030104@redhat.com> <558C33DF.6080403@redhat.com> <55938E71.1070405@redhat.com> <55967ECE.90701@redhat.com> Message-ID: <559B83C1.1000209@redhat.com> On 3.7.2015 at 14:23, Endi Sukma Dewata wrote: > On 7/1/2015 1:53 AM, Jan Cholasta wrote: >>>>>>>> I think it would be better to use a new attribute type which >>>>>>>> inherits >>>>>>>> from ipaPublicKey (ipaVaultPublicKey?) rather than ipaPublicKey >>>>>>>> directly >>>>>>>> for asymmetric vault public keys, so that asymmetric public key and >>>>>>>> escrow public key are on the same level and you can still use >>>>>>>> ipaPublicKey to refer to either one: >>>>>>>> >>>>>>>> ipaPublicKey >>>>>>>> ipaVaultPublicKey >>>>>>>> ipaEscrowPublicKey >>>>>>>> >>>>>>> OK. To be consistent the parameters need to be renamed too: >>>>>>> --vault-public-key and --vault-public-key-file. >>>>>> >>>>>> It doesn't need to, there is no requirement for CLI names to always >>>>>> match attribute names. (Also I don't insist on the name >>>>>> "ipaVaultPublicKey", feel free to change it if you want.) >>>>> >>>>> It's unchanged for now. In a previous discussion it was advised to >>>>> reuse >>>>> the existing attribute type whenever possible. 
>>>> >>>> Well, in this discussion, it is not. Escrow public key should also >>>> reuse >>>> ipaPublicKey, but it can't if you use it for vault public key. By using >>>> ipaPublicKey subtypes you can distinguish between the two uses and >>>> still >>>> use ipaPublicKey to refer to either of them. >>> >>> So what's changed? This is what you said when I posted the same patch >>> six months ago: >>> >>>>> In this patch I'm adding ipaVaultSalt and ipaVaultPublicKey attribute >>>>> types to store salt and public key for vault. Are there existing >>>>> attribute types that I can use instead? I see there's an ipaPublicKey, >>>>> should I use that and maybe add ipaSalt/ipaEncSalt? Thanks. >>>> >>>> yes, please re-use existing attributes where possible. >>>> >>>> Honza >> >> What changed is that I now know there is also escrow public key, which I >> didn't know six months ago. > > Here's patch #368 to be applied on top of patch #357-5, but see comments > below. Thanks for the patch. > >>> Could you show me how to use ipaPublicKey to refer to ipaVaultPublicKey >>> and ipaEscrowPublicKey? Under what situation would that be useful? >> >> For example for ipaPublicKey searches - if ipaVaultPublicKey and >> ipaEscrowPublicKey both inherit from ipaPublicKey, then an ipaPublicKey >> search will look in both ipaVaultPublicKey and ipaEscrowPublicKey. This >> is not something we actually need right now, but once the schema is >> done, it can't be fixed and I don't think we should prevent this, >> especially since we can get it for free. BTW even the core LDAP schema >> does this, see for example how the cn attribute inherits from the more >> general name attribute: >> . > > I don't think that's how LDAP works. It is, see . > The RFC doesn't say that either. > The cn does inherit from name, but if you search for name it won't > match/return cn. 
See queries below: > > $ ldapsearch -LLL -x -b "dc=example,dc=com" "(cn=Accounting Managers)" > dn: cn=Accounting Managers,ou=Groups,dc=example,dc=com > objectClass: top > objectClass: groupOfUniqueNames > cn: Accounting Managers > ou: groups > description: People who can manage accounting entries > uniqueMember: cn=Directory Manager > > $ ldapsearch -LLL -x -b "dc=example,dc=com" "(cn=Accounting Managers)" \ > name > dn: cn=Accounting Managers,ou=Groups,dc=example,dc=com > (no cn attribute) > > $ ldapsearch -LLL -x -b "dc=example,dc=com" "(name=Accounting Managers)" > (no result) This seems like a bug in 389 DS, it works correctly with OpenLDAP: $ ldapsearch -H ldap://localhost -D 'cn=Manager,dc=example,dc=com' -w password -b 'dc=example,dc=com' '(name=Manager)' dn: cn=Manager,dc=example,dc=com objectClass: organizationalRole cn: Manager > > Assuming this is what you meant, which doesn't seem to be working, is > there still a valid reason to add a new ipaVaultPublicKey instead of > using the existing ipaPublicKey? I think everything mentioned in the RFC section I linked above is a good enough reason. > >>>>> * CLI options will be identical to client and server API options (i.e. >>>>> no CLI-only, client-only, or server-only options) >>>> >>>> Actually, you can create CLI-only options (add include='cli' to the >>>> param's kwargs). >>> >>> I need to look at this more closely. If I understand correctly in >>> user_del there are two 'preserve' options, the Bool preserve is for >>> client and server API, and the Flag preserve is for CLI. Wouldn't it be >>> better if they are stored in separate lists (or maybe separate classes)? >>> And it looks like you still need to delete the CLI options explicitly >>> anyway. >> >> Well, it would be better if there was no Flag class at all and flags >> were handled by CLI exclusively, because parameter classes should >> reflect the data type (bool) and not the presentation (flag). 
> > That indicates there should be a separation between client API and the > CLI too because, as you see in user_del, they can be different. Not really, what there should be is separation between data type and presentation. This is what the web UI already does and so should the CLI. > >>> Does the API.txt actually show the CLI options, the client API options, >>> or the server API options? I only see the Flag preserve, not the Bool >>> preserve. >> >> It shows CLI options, see how the API object is initialized in makeapi. > > Does that mean we're only doing the versioning on the CLI, and not the > client API or server API? Suppose there are changes in client or server > API that do not appear in API.txt but will affect the XML RPC, it might > cause a compatibility problem. I think it just shows how convoluted the > CLI, client API, and server API are in this framework. I agree. > >>>>> * a plugin will only access one type of data (i.e. LDAP plugin can >>>>> only >>>>> access LDAP data) >>>> >>>> This is not assumed anywhere in the framework, you can access whatever >>>> you want, but you can't expect baseldap to do everything for you. >>> >>> Nobody is expecting baseldap to do KRA operations. >>> >>>> As the >>>> name implies, it is LDAP specific, if you want something else, you have >>>> to implement it yourself. >>> >>> In the previous patch vault_retrieve inherits from LDAPRetrieve so it >>> can rely on baseldap to retrieve the vault entry, then on top of that it >>> implements an additional KRA operations (without baseldap obviously). If >>> that is not allowed, aren't you basically saying LDAP plugin can only >>> access LDAP data? >> >> Yes, basically, but I'm also saying that you are not limited to doing >> LDAP plugins only. > > I think this logic is flawed. Suppose later we add a code to remove > user's vaults when the user is deleted, does it mean the user_del can no > longer inherit from LDAPDelete? 
> >> You can abuse the callbacks to do anything, including data retrieval >> from other sources, but it doesn't make it right, as it only leads to >> code duplication, inconsistencies and weird bugs. I have seen too much >> of this, hence my reluctance to do it again. > > I don't think extending the base class to perform additional > functionalities can be generalized as 'abuse' or 'hack' or called > 'semantically wrong'. Sometimes it is the right solution. Sometimes if > the framework is so limiting that the only solution is to extend > uncommon methods, it's called a 'workaround'. If there is code > duplication we should find a way to refactor it. What's considered > inconsistencies are very subjective. Weird bugs are case specific, it > cannot be generalized. > >>>>> * a command name will match the object name (i.e. must use >>>>> vaultdata_mod >>>>> instead of a more intuitive vault_archive) >>>> >>>> I don't see how consistency is a bad thing, or how this could limit >>>> anyone doing things cleanly. I do agree that vaultdata_mod is ugly, but >>>> it's not the only way to achieve the same goal. >>> >>> Look at it from user's perspective. If you create a vault using >>> vault-add , then archive data using vaultdata-mod >> name>, how is this consistent? >> >> Because it's object-verb and not object-verbofsomeotherobject. (Also I >> already acknowledged the vaultdata idea is ugly.) > > In that case, strictly speaking, vault-mod will violate that rule too > because you're modifying an attribute, not the object itself like > vault-add or vault-del. From user's perspective the secret 'data' is > just another attribute in the vault. So similarly, vault-archive is > modifying the 'data' attribute in the vault. > > The fact that the 'data' is stored in KRA rather than in IPA is just > implementation details. If we have to expose this distinction to the > user, that's a problem with the framework. 
> > Also, if you're willing to use vault-archive rather than vaultdata-mod, > that means the rule is irrelevant. Consistency should be viewed from > user's perspective first, then developer's perspective later (if > possible at all). > >>>>> We know that some use cases do not fit these assumptions. Rather than >>>>> compromising the use case, or looking at workarounds as hacks, I'd >>>>> suggest finding ideas to improve the framework itself to be more >>>>> accommodating. >>>> >>>> I would personally love to improve the framework (it's just retarded >>>> sometimes as you may have noticed), but it does not have high priority >>>> right now (not my decision). >>> >>> We don't have to modify the current framework right now, but we can >>> align new codes that don't fit the current framework to match the future >>> framework. Although the future framework is not defined yet, some things >>> are already clear, for example there should be separate client and >>> server APIs. So if a command like vault_add has differing client and >>> server options, regardless how insignificant it is, there's no reason to >>> force it to be combined. The current framework doesn't prevent >>> separation anyway. >> >> Aligning new code is exactly what I'm aiming to do and why I want people >> to look at their APIs from an object oriented perspective rather than >> just dumb RPC, because that's the direction the framework is heading. > > Again, user's perspective first, developer's perspective later, and with > the right CLI, client API, and server API separation. I don't agree with the "user's perspective first, developer's perspective later" approach and I think it has already been proven wrong by the existing plugin code in IPA. The plugins work (almost) fine from the user's perspective, but they are (almost) completely unmaintainable spaghetti code balls for developers. I would prefer if the code was both user friendly and maintainable. Anyway, the patches work for me, so ACK. 
There was one thing that didn't work, but this can be fixed in an additional patch: $ ipa vault-add asymtest --type=asymmetric --public-key=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDR+xRAv5lCgNzJVcY7TW3xwx31+nGbrXSmOZWaH/EywKKH8O2IdSzoEgbFn7L4x+QcXWa4pcq8R5BfabJZs+uDUfPOS09LcB5gQlq+jgUtEKCgGy/u2yNrXiLs712p8cnHfIc4C6VCO3xxY0rZXimJTLjK0KTHzCzaQeDRq04JNQIDAQAB ipa: ERROR: non-public: UnicodeDecodeError: 'utf8' codec can't decode byte 0x81 in position 1: invalid start byte Traceback (most recent call last): File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 129, in execute result = self.Command[_name](*args, **options) File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 440, in __call__ ret = self.run(*args, **options) File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 1106, in run return self.forward(*args, **options) File "/usr/lib/python2.7/site-packages/ipalib/plugins/vault.py", line 612, in forward self.api.Command.vault_archive(*args, **opts) File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 440, in __call__ ret = self.run(*args, **options) File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 1106, in run return self.forward(*args, **options) File "/usr/lib/python2.7/site-packages/ipalib/plugins/vault.py", line 923, in forward public_key = vault['ipavaultpublickey'][0].encode('utf-8') UnicodeDecodeError: 'utf8' codec can't decode byte 0x81 in position 1: invalid start byte ipa: ERROR: an internal error has occurred I was able to work around this by removing the faulty ".encode('utf-8')" and replacing load_pem_{public,private}_key by load_der_{public,private}_key. For the record, I still think that the ipaVaultType attribute is a bad design and object classes should have been used to distinguish between the different vault types. Rebased and pushed to master: 475ade4becd4cdb59a9bcf0da7de1d2739e293c8 -- Jan Cholasta From tbabej at redhat.com Tue Jul 7 08:33:02 2015 
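The point Jan and Endi disagree on above, whether a search on a supertype such as name is evaluated against a subtype such as cn, is specified in RFC 4512 section 2.5.2 (attribute type hierarchy) and RFC 4511 sections 4.5.1.7 and 4.5.1.8 (the filter and the requested attribute list both apply to subtypes of the named type). The following is an added example written for this page, not code from the thread, FreeIPA, 389 DS or OpenLDAP: a small evaluator implementing those rules over in-memory entries. The directory contents, the placeholder key values and the ipaVaultPublicKey / ipaEscrowPublicKey SUP ipaPublicKey schema are constructed for the example; only cn SUP name comes from the standard schema.

```python
"""
Toy evaluator for LDAP attribute-type inheritance (RFC 4512 2.5.2,
RFC 4511 4.5.1.7 / 4.5.1.8). Added example for this page; the schema
below ipaPublicKey and all entries are constructed, not taken from FreeIPA.
"""
from typing import Dict, Iterator, List, Optional

Entry = Dict[str, List[str]]

# subtype -> supertype, i.e. the SUP clause of each attribute type definition.
# cn/sn/givenName SUP name is the standard schema (RFC 4519); the two vault
# subtypes of ipaPublicKey are the hierarchy proposed in the thread (assumed).
SUPERTYPE: Dict[str, str] = {
    "cn": "name",
    "sn": "name",
    "givenname": "name",
    "ipavaultpublickey": "ipapublickey",
    "ipaescrowpublickey": "ipapublickey",
}


def lineage(attr: str) -> Iterator[str]:
    """Yield attr (lower-cased) followed by each of its supertypes, nearest first."""
    cur: Optional[str] = attr.lower()
    seen = set()
    while cur is not None and cur not in seen:
        seen.add(cur)
        yield cur
        cur = SUPERTYPE.get(cur)


def matches(entry: Entry, attr: str, value: str) -> bool:
    """Evaluate the equality filter (attr=value) against one entry.

    RFC 4511 4.5.1.7: an assertion on a supertype is also evaluated against every
    subtype present in the entry, so (name=X) matches an entry holding cn: X.
    Values compare case-insensitively, as caseIgnoreMatch (the rule of name) does.
    """
    want = attr.lower()
    for present, values in entry.items():
        if want in lineage(present):
            if any(v.lower() == value.lower() for v in values):
                return True
    return False


def project(entry: Entry, requested: Optional[List[str]]) -> Entry:
    """Return the attributes a search would send back for this entry.

    RFC 4511 4.5.1.8: requesting a supertype returns that type and all of its
    subtypes; requesting a subtype returns only the subtype. None = all user attrs.
    """
    if requested is None:
        return {k: list(v) for k, v in entry.items() if k != "dn"}
    wanted = {r.lower() for r in requested}
    out: Entry = {}
    for present, values in entry.items():
        if present != "dn" and wanted.intersection(lineage(present)):
            out[present] = list(values)
    return out


def search(entries: List[Entry], attr: str, value: str,
           requested: Optional[List[str]] = None) -> List[Entry]:
    """Return matching entries, each reduced to its dn plus the requested attributes."""
    results: List[Entry] = []
    for entry in entries:
        if matches(entry, attr, value):
            hit: Entry = {"dn": entry["dn"]}
            hit.update(project(entry, requested))
            results.append(hit)
    return results


# Constructed directory: the group from the ldapsearch output in the thread plus
# two vault entries using different ipaPublicKey subtypes (key values are placeholders).
DIRECTORY: List[Entry] = [
    {
        "dn": ["cn=Accounting Managers,ou=Groups,dc=example,dc=com"],
        "objectclass": ["top", "groupOfUniqueNames"],
        "cn": ["Accounting Managers"],
        "ou": ["groups"],
    },
    {
        "dn": ["cn=asymtest,cn=admin,cn=users,cn=vaults,cn=kra,dc=example,dc=com"],
        "objectclass": ["ipaVault"],
        "cn": ["asymtest"],
        "ipavaultpublickey": ["MIGf...vault"],
    },
    {
        "dn": ["cn=escrowtest,cn=admin,cn=users,cn=vaults,cn=kra,dc=example,dc=com"],
        "objectclass": ["ipaVault"],
        "cn": ["escrowtest"],
        "ipaescrowpublickey": ["MIGf...escrow"],
    },
]

if __name__ == "__main__":
    # (name=Accounting Managers) requesting "name" returns the cn value under RFC rules.
    for hit in search(DIRECTORY, "name", "Accounting Managers", ["name"]):
        print(hit)
    # (ipaPublicKey=...) reaches both vault subtypes; a subtype filter reaches only its own.
    print(len(search(DIRECTORY, "ipaPublicKey", "MIGf...vault")))
```

Running the same three searches, (name=...), (ipaPublicKey=...) and (ipaVaultPublicKey=...), against the actual 389 DS build FreeIPA ships with is the quickest way to settle which behaviour the deployed server implements before the vault schema is frozen.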
From: tbabej at redhat.com (Tomas Babej) Date: Tue, 07 Jul 2015 10:33:02 +0200 Subject: [Freeipa-devel] [PATCH 0334] Hide topology and domainlevel features Message-ID: <559B8EBE.1030003@redhat.com> Hi, * Hide topology and domainlevel commands in the CLI * Hide topology and domainlevel in the WebUI * Set maximum allowed domain level to 0 * Do not configure and enable the topology plugin https://fedorahosted.org/freeipa/ticket/5097 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-tbabej-0334-Hide-topology-and-domainlevel-features.patch Type: text/x-patch Size: 7117 bytes Desc: not available URL: From tbabej at redhat.com Tue Jul 7 08:37:26 2015 
From: tbabej at redhat.com (Tomas Babej) Date: Tue, 07 Jul 2015 10:37:26 +0200 Subject: [Freeipa-devel] [PATCHES 330-331] Update translations and introduce Zanata configuration In-Reply-To: <559B7B3A.3030106@redhat.com> References: <558AA505.9080907@redhat.com> <558ABEBF.4010907@redhat.com> <558ABFCC.4040603@redhat.com> <559B7B3A.3030106@redhat.com> Message-ID: <559B8FC6.4000002@redhat.com> On 07/07/2015 09:09 AM, Tomas Babej wrote: > > > On 06/24/2015 04:33 PM, Tomas Babej wrote: >> On 06/24/2015 04:29 PM, Martin Basti wrote: >>> On 24/06/15 14:39, Tomas Babej wrote: >>>> +msgid "Automount location name." >>>> +msgstr "Job Title" >>>> + >>> >>> in german po file >>> >>> +msgid "Automount location name." >>> +msgstr "Job Title" >>> + >>> >>> >>> AFAIK, this is not german language. >>> >> >> Nice catch! >> >> You can show off your German language skills by entering the correct >> translation here: >> >> https://fedora.zanata.org/webtrans/Application.seam?project=freeipa&iteration=master&localeId=de&locale=en#view:doc;doc:install/po/ipa;search:Automount%20location%20name >> >> So far, I removed the wrong translation string in Zanata. >> >> Tomas >> > > Attaching updated patches, with fresh translations. > > Thanks to all the translators! > > Tomas > > > There is a small error in the UK translation, line 491 should read: "?? ??????? DNS %(server)s ??..." instead of: "?? ??????? DNS (server)s ??..." Fixed. I am not sending an updated version of the patch to the list, given its size. Tomas From jcholast at redhat.com Tue Jul 7 08:51:30 2015 From: jcholast at redhat.com (Jan Cholasta) Date: Tue, 7 Jul 2015 10:51:30 +0200 Subject: [Freeipa-devel] [PATCH] Password vault In-Reply-To: <559691AC.5030707@redhat.com> References: <54E1AF55.3060409@redhat.com> <559691AC.5030707@redhat.com> Message-ID: <559B9312.8080709@redhat.com> On 3.7.2015 at 15:44, Endi Sukma Dewata wrote: > Here is the rebased patch for vault access control. > LGTM, except: 
@@ -356,6 +386,13 @@ class vault(LDAPObject): { 'objectclass': ['nsContainer'], 'cn': rdn['cn'], + 'aci': + '(targetfilter="(objectClass=ipaVault)")' + + '(version 3.0; ' + + 'acl "User can manage private vaults"; ' + + 'allow(read, search, compare, add, delete) ' + + 'userdn="ldap:///%s";)' + % owner_dn }) # if entry can be added, return I don't think dynamically creating ACIs with hardcoded userdn is something we want to do. This should be handled by a single ACI in cn=vaults. -- Jan Cholasta From dkupka at redhat.com Tue Jul 7 08:54:42 2015 From: dkupka at redhat.com (David Kupka) Date: Tue, 7 Jul 2015 10:54:42 +0200 Subject: [Freeipa-devel] [PATCH 0055] ipa-replica-prepare: Do not create DNS zone it automatically. In-Reply-To: <55960CC0.4060208@redhat.com> References: <55960CC0.4060208@redhat.com> Message-ID: <559B93D2.7020201@redhat.com> On 03/07/15 06:17, David Kupka wrote: > Since ipa-replica-* tools will be soon removed I think this simple check > should be enough. > > > Updated patch attached. -- David Kupka -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-dkupka-0055.1-ipa-replica-prepare-Do-not-create-DNS-zone-it-automa.patch Type: text/x-patch Size: 2064 bytes Desc: not available URL: From mbasti at redhat.com Tue Jul 7 09:48:54 2015 
From: mbasti at redhat.com (Martin Basti) Date: Tue, 7 Jul 2015 11:48:54 +0200 Subject: [Freeipa-devel] [PATCHES 330-331] Update translations and introduce Zanata configuration In-Reply-To: <559B8FC6.4000002@redhat.com> References: <558AA505.9080907@redhat.com> <558ABEBF.4010907@redhat.com> <558ABFCC.4040603@redhat.com> <559B7B3A.3030106@redhat.com> <559B8FC6.4000002@redhat.com> Message-ID: <559BA086.1030504@redhat.com> On 07/07/15 10:37, Tomas Babej wrote: > > On 07/07/2015 09:09 AM, Tomas Babej wrote: >> >> On 06/24/2015 04:33 PM, Tomas Babej wrote: >>> On 06/24/2015 04:29 PM, Martin Basti wrote: >>>> On 24/06/15 14:39, Tomas Babej wrote: >>>>> +msgid "Automount location name." >>>>> +msgstr "Job Title" >>>>> + >>>> in german po file >>>> >>>> +msgid "Automount location name." >>>> +msgstr "Job Title" >>>> + >>>> >>>> >>>> AFAIK, this is not german language. >>>> >>> Nice catch! >>> >>> You can show off your German language skills by entering the correct >>> translation here: >>> >>> https://fedora.zanata.org/webtrans/Application.seam?project=freeipa&iteration=master&localeId=de&locale=en#view:doc;doc:install/po/ipa;search:Automount%20location%20name >>> >>> So far, I removed the wrong translation string in Zanata. >>> >>> Tomas >>> >> Attaching updated patches, with fresh translations. >> >> Thanks to all the translators! >> >> Tomas >> >> >> > There is a small error in the UK translation, line 491 should read: > > "?? ??????? DNS %(server)s ??..." > > instead of: > > "?? ??????? DNS (server)s ??..." > > Fixed. I am not sending a updated version of the patch to the list, > given its size. > > Tomas > ACK, we will fix minor issues later. -- Martin Basti From mkosek at redhat.com Tue Jul 7 09:55:41 2015 
From: mkosek at redhat.com (Martin Kosek) Date: Tue, 07 Jul 2015 11:55:41 +0200 Subject: [Freeipa-devel] [PATCH] Password vault In-Reply-To: <559B9312.8080709@redhat.com> References: <54E1AF55.3060409@redhat.com> <559691AC.5030707@redhat.com> <559B9312.8080709@redhat.com> Message-ID: <559BA21D.6050601@redhat.com> On 07/07/2015 10:51 AM, Jan Cholasta wrote: > Dne 3.7.2015 v 15:44 Endi Sukma Dewata napsal(a): >> Here is the rebased patch for vault access control. >> > > LGTM, except: > > @@ -356,6 +386,13 @@ class vault(LDAPObject): > { > 'objectclass': ['nsContainer'], > 'cn': rdn['cn'], > + 'aci': > + '(targetfilter="(objectClass=ipaVault)")' + > + '(version 3.0; ' + > + 'acl "User can manage private vaults"; ' + > + 'allow(read, search, compare, add, delete) ' + > + 'userdn="ldap:///%s";)' > + % owner_dn > }) > > # if entry can be added, return > > I don't think dynamically creating ACIs with hardcoded userdn is something we > want to do. This should be handled by a single ACI in cn=vaults. +1. Single ACI like +default: aci: (targetfilter="(objectClass=ipaVault)")(version 3.0; acl "Vault owners can manage the vault"; allow(read, search, compare, write) userattr="owner#USERDN";) you already have there is more preferred. From tbabej at redhat.com Tue Jul 7 10:07:48 2015 
From: tbabej at redhat.com (Tomas Babej) Date: Tue, 07 Jul 2015 12:07:48 +0200 Subject: [Freeipa-devel] [PATCHES 330-331] Update translations and introduce Zanata configuration In-Reply-To: <559BA086.1030504@redhat.com> References: <558AA505.9080907@redhat.com> <558ABEBF.4010907@redhat.com> <558ABFCC.4040603@redhat.com> <559B7B3A.3030106@redhat.com> <559B8FC6.4000002@redhat.com> <559BA086.1030504@redhat.com> Message-ID: <559BA4F4.1030806@redhat.com> On 07/07/2015 11:48 AM, Martin Basti wrote: > On 07/07/15 10:37, Tomas Babej wrote: >> >> On 07/07/2015 09:09 AM, Tomas Babej wrote: >>> >>> On 06/24/2015 04:33 PM, Tomas Babej wrote: >>>> On 06/24/2015 04:29 PM, Martin Basti wrote: >>>>> On 24/06/15 14:39, Tomas Babej wrote: >>>>>> +msgid "Automount location name." >>>>>> +msgstr "Job Title" >>>>>> + >>>>> in german po file >>>>> >>>>> +msgid "Automount location name." >>>>> +msgstr "Job Title" >>>>> + >>>>> >>>>> >>>>> AFAIK, this is not german language. >>>>> >>>> Nice catch! >>>> >>>> You can show off your German language skills by entering the correct >>>> translation here: >>>> >>>> https://fedora.zanata.org/webtrans/Application.seam?project=freeipa&iteration=master&localeId=de&locale=en#view:doc;doc:install/po/ipa;search:Automount%20location%20name >>>> >>>> >>>> So far, I removed the wrong translation string in Zanata. >>>> >>>> Tomas >>>> >>> Attaching updated patches, with fresh translations. >>> >>> Thanks to all the translators! >>> >>> Tomas >>> >>> >>> >> There is a small error in the UK translation, line 491 should read: >> >> "?? ??????? DNS %(server)s ??..." >> >> instead of: >> >> "?? ??????? DNS (server)s ??..." >> >> Fixed. I am not sending a updated version of the patch to the list, >> given its size. >> >> Tomas >> > ACK, we will fix minor issues later. > Pushed to master: 12b053df300cb58aad157797f4e30283e45033f5 From abokovoy at redhat.com Tue Jul 7 10:35:24 2015 
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Tue, 7 Jul 2015 13:35:24 +0300 Subject: [Freeipa-devel] [PATCH] 0180-0190 oneway trust and other trust-related patches Message-ID: <20150707103524.GV11876@redhat.com> Hi, attached are patches to introduce one-way trust support and a few more to fix currently outstanding trust-related bugs. More details are in the commit messages. For the oddjobd-activated helper, if you want to test the one-way trust setup, you need to put SELinux into permissive. We have bugs for both Fedora and RHEL to add the policy (https://bugzilla.redhat.com/show_bug.cgi?id=1238163 for RHEL7), it is in the works. -- / Alexander Bokovoy -------------- next part -------------- From 0e252fb1f8455daa87dccbc6dcba61b08570b444 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Wed, 20 May 2015 18:24:52 +0300 Subject: [PATCH 03/11] ipa-kdb: use proper memory chunk size when moving sids Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1222475 --- daemons/ipa-kdb/ipa_kdb_mspac.c | 20 +++++++++++++++++--- 1 file changed, 17 insertions(+), 3 deletions(-) diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c index 0e53a80..390111f 100644 --- a/daemons/ipa-kdb/ipa_kdb_mspac.c +++ b/daemons/ipa-kdb/ipa_kdb_mspac.c 
@@ -1394,7 +1394,15 @@ static krb5_error_code filter_logon_info(krb5_context context, if (result) { filter_logon_info_log_message(info->info->info3.sids[i].sid); } else { + /* Go over incoming SID blacklist */ for(k = 0; k < domain->len_sid_blacklist_incoming; k++) { + /* if SID is an exact match, filter it out */ + result = dom_sid_check(&domain->sid_blacklist_incoming[k], info->info->info3.sids[i].sid, true); + if (result) { + filter_logon_info_log_message(info->info->info3.sids[i].sid); + break; + } + /* if SID is a suffix of the blacklist element, filter it out*/ result = dom_sid_is_prefix(&domain->sid_blacklist_incoming[k], info->info->info3.sids[i].sid); if (result) { filter_logon_info_log_message(info->info->info3.sids[i].sid); @@ -1403,11 +1411,17 @@ static krb5_error_code filter_logon_info(krb5_context context, } } if (result) { + k = count - i - j - 1; + if (k != 0) { + memmove(info->info->info3.sids+i, + info->info->info3.sids+i+1, + sizeof(struct netr_SidAttr)*k); + } j++; - memmove(info->info->info3.sids+i, info->info->info3.sids+i+1, count-i-1); + } else { + i++; } - i++; - } while (i < count); + } while ((i + j) < count); if (j != 0) { count = count-j; -- 2.4.3 -------------- next part -------------- From a797874359544e431bdd96dd11e26f404c578db0 Mon Sep 17 00:00:00 2001 
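Review bot: in the second hunk (@@ -1403) the element count for the memmove, `k = count - i - j - 1`, reuses `k`, which the blacklist loop just above it also uses as its index; it works only because that loop has finished, and a dedicated variable (the next patch introduces `l` for exactly this role in the RID loop) would make the compaction easier to follow. In the first hunk (@@ -1394) the new exact-match test `dom_sid_check(&domain->sid_blacklist_incoming[k], info->info->info3.sids[i].sid, true)` and the existing `dom_sid_is_prefix()` test both log and set `result`; a one-line comment saying what the trailing `true` selects would help, since the two checks otherwise read the same. The fix itself, moving `sizeof(struct netr_SidAttr)*k` bytes instead of `count-i-1` bytes and advancing `i` only when nothing was removed, looks right, and the `(i + j) < count` loop condition matches the new bookkeeping.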
From: Alexander Bokovoy Date: Thu, 28 May 2015 08:33:51 +0000 Subject: [PATCH 04/11] ipa-kdb: filter out group membership from MS-PAC for exact SID matches too When incoming SID blacklist contains exact SIDs of users and groups, attempt to filter them out as well, according to [MS-PAC] 4.1.1.2. Note that we treat user's SID and primary group RID filtering as violation of the KDC policy because the resulting MS-PAC will have no user SID or primary group and thus will be invalid. For group RIDs we filter them out and in unlikely event of empty list of groups treat that as violation of the KDC policy as well. Part of fix for https://bugzilla.redhat.com/show_bug.cgi?id=1222475 --- daemons/ipa-kdb/ipa_kdb_mspac.c | 102 +++++++++++++++++++++++++++++++++++++++- 1 file changed, 101 insertions(+), 1 deletion(-) diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c index 390111f..df19880 100644 --- a/daemons/ipa-kdb/ipa_kdb_mspac.c +++ b/daemons/ipa-kdb/ipa_kdb_mspac.c @@ -1317,6 +1317,22 @@ static void filter_logon_info_log_message(struct dom_sid *sid) } } +static void filter_logon_info_log_message_rid(struct dom_sid *sid, uint32_t rid) +{ + char *domstr = NULL; + + domstr = dom_sid_string(NULL, sid); + if (domstr) { + krb5_klog_syslog(LOG_ERR, "PAC filtering issue: SID [%s-%d] is not allowed " + "from a trusted source and will be excluded.", domstr, rid); + talloc_free(domstr); + } else { + krb5_klog_syslog(LOG_ERR, "PAC filtering issue: SID is not allowed " + "from a trusted source and will be excluded." + "Unable to allocate memory to display SID."); + } +} + static krb5_error_code filter_logon_info(krb5_context context, TALLOC_CTX *memctx, krb5_data realm, 
@@ -1328,9 +1344,21 @@ static krb5_error_code filter_logon_info(krb5_context context, * attempt at getting us to sign fake credentials with the help of a * compromised trusted realm */ + /* NOTE: there are two outcomes from filtering: + * REJECT TICKET -- ticket is rejected if domain SID of + * the principal with MS-PAC is filtered out or + * its primary group RID is filtered out + * + * REMOVE SID -- SIDs are removed from the list of SIDs associated + * with the principal if they are filtered out + * This applies also to secondary RIDs of the principal + * if domain_sid- is filtered out + */ + struct ipadb_context *ipactx; struct ipadb_adtrusts *domain; - int i, j, k, count; + int i, j, k, l, count; + uint32_t rid; bool result; char *domstr = NULL; 
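Review bot: in the new filter_logon_info_log_message_rid() (@@ -1317) the format string uses `%d` for `rid`, which is a `uint32_t`; `%u` (or PRIu32) is the matching conversion, and in the fallback message the adjacent literals "...will be excluded." and "Unable to allocate memory..." are concatenated without a separating space. In the @@ -1328 hunk the explanatory NOTE comment ends with "if domain_sid- is filtered out", which reads as if a RID placeholder was lost from the text; please complete it (for example "domain_sid-rid") so the REJECT TICKET / REMOVE SID summary is accurate for readers of the code.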
@@ -1377,6 +1405,78 @@ static krb5_error_code filter_logon_info(krb5_context context, } } + /* Check if this user's SIDs membership is filtered too */ + for(k = 0; k < domain->len_sid_blacklist_incoming; k++) { + /* Short-circuit if there are no RIDs. This may happen if we filtered everything already. + * In normal situation there would be at least primary gid as RID in the RIDs array + * but if we filtered out the primary RID, this MS-PAC is invalid */ + count = info->info->info3.base.groups.count; + if (count == 0) { + krb5_klog_syslog(LOG_ERR, "MS-PAC record of [%s] has no groups, including primary, rejecting.", + info->info->info3.base.account_name.string); + return KRB5KDC_ERR_POLICY; + } + result = dom_sid_is_prefix(info->info->info3.base.domain_sid, + &domain->sid_blacklist_incoming[k]); + if (result) { + i = 0; + j = 0; + if (domain->sid_blacklist_incoming[k].num_auths - info->info->info3.base.domain_sid->num_auths != 1) { + krb5_klog_syslog(LOG_ERR, "Incoming SID blacklist element matching domain [%s with SID %s] " + "has more than one RID component. 
Invalid check skipped.", + domain->domain_name, domain->domain_sid); + break; + } + rid = domain->sid_blacklist_incoming[k].sub_auths[domain->sid_blacklist_incoming[k].num_auths - 1]; + if (rid == info->info->info3.base.rid) { + filter_logon_info_log_message_rid(info->info->info3.base.domain_sid, rid); + /* Actual user's SID is filtered out */ + return KRB5KDC_ERR_POLICY; + } + do { + if (rid == info->info->info3.base.groups.rids[i].rid) { + filter_logon_info_log_message_rid(info->info->info3.base.domain_sid, rid); + if (rid == info->info->info3.base.primary_gid) { + /* User's primary group SID is filtered out */ + return KRB5KDC_ERR_POLICY; + } + /* If this is just a non-primary RID, we simply remove it from the array of RIDs */ + l = count - i - j - 1; + if (l != 0) { + memmove(info->info->info3.base.groups.rids+i, + info->info->info3.base.groups.rids+i+1, + sizeof(struct samr_RidWithAttribute)*l); + } + j++; + } else { + i++; + } + } while ((i + j) < count); + + if (j != 0) { + count = count-j; + if (count == 0) { + /* All RIDs were filtered out, including the primary one, bail out */ + info->info->info3.base.groups.count = 0; + talloc_free(info->info->info3.base.groups.rids); + info->info->info3.base.groups.rids = NULL; + krb5_klog_syslog(LOG_ERR, "All group membership in MS-PAC of [%s] is filtered. Rejecting.", + info->info->info3.base.account_name.string); + return KRB5KDC_ERR_POLICY; + } else { + info->info->info3.base.groups.rids = talloc_realloc(memctx, + info->info->info3.base.groups.rids, + struct samr_RidWithAttribute, count); + if (!info->info->info3.base.groups.rids) { + info->info->info3.base.groups.count = 0; + return ENOMEM; + } + info->info->info3.base.groups.count = count; + } + } + } + } + /* According to MS-KILE 25.0, info->info->info3.sids may be non zero, so check * should include different possibilities into account * */ -- 2.4.3 -------------- next part -------------- From b7a3b206deb3257b3a78939f0d2a6a114e48b758 Mon Sep 17 00:00:00 2001 
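Review bot: the `break` after the "has more than one RID component. Invalid check skipped." message leaves the whole `for (k ...)` loop, so one malformed incoming blacklist element silently disables checking of every later element for this domain; `continue` is what the message promises. Also, the `count == 0` rejection with KRB5KDC_ERR_POLICY sits at the top of each iteration, before `dom_sid_is_prefix()` has established that element k belongs to this domain at all, so a PAC with an empty group list is now rejected whenever the incoming blacklist is non-empty even if no element matches it, while it still passes when the blacklist is empty; moving that check inside the `if (result)` branch keeps the new behaviour tied to an actual match. Finally, this hunk assigns `count` from `groups.count`, and the `info3.sids` loop from patch 03 that follows it uses `count` as well; please confirm it is reinitialised for the SIDs array before that loop.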
From: Alexander Bokovoy Date: Thu, 26 Mar 2015 14:34:06 +0200 Subject: [PATCH 01/11] add one-way trust support to ipasam When a trust is established, the ipasam module creates a number of objects in LDAP to represent the trust information. Among them, for a one-way trust we create a principal named IPA$@AD where IPA is the NetBIOS (flat) name of the IPA forest and AD is the realm of the trusted Active Directory forest root domain. This principal is then used by SSSD on IPA masters to authenticate against trusted Active Directory domain controllers and retrieve information about user and group identities. FreeIPA also uses this principal's credentials to retrieve domain topology. The access to the keys of the principal should be well-protected. We only allow members of the cn=adtrust agents group to retrieve the keytab for it. This group is populated with host/ and cifs/ principals from IPA masters. Starting with FreeIPA 4.2 the group will also have host/ principals of IPA masters where no ipa-adtrust-install was run. To add them, run ipa-adtrust-install on the master which will be configured to be a domain controller (e.g. run Samba with ipasam), and specify the --add-agents option to trigger activation of the interactive mode to specify which IPA masters to enable. Fixes https://fedorahosted.org/freeipa/ticket/4962 Part of fixes for https://fedorahosted.org/freeipa/ticket/4546 --- daemons/ipa-sam/ipa_sam.c | 106 +++++++++++++++++++++++++++++++++++++--------- 1 file changed, 85 insertions(+), 21 deletions(-) diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c index 07249fd..19d0a23 100644 --- a/daemons/ipa-sam/ipa_sam.c +++ b/daemons/ipa-sam/ipa_sam.c 
@@ -147,6 +147,8 @@ void idmap_cache_set_sid2unixid(const struct dom_sid *sid, struct unixid *unix_i #define LDAP_OBJ_KRB_PRINCIPAL_AUX "krbPrincipalAux" #define LDAP_OBJ_KRB_TICKET_POLICY_AUX "krbTicketPolicyAux" #define LDAP_ATTRIBUTE_KRB_PRINCIPAL "krbPrincipalName" +#define LDAP_ATTRIBUTE_KRB_TICKET_FLAGS "krbTicketFlags" +#define LDAP_ATTRIBUTE_IPAOPALLOW "ipaAllowedToPerform;read_keys" #define LDAP_OBJ_IPAOBJECT "ipaObject" #define LDAP_OBJ_IPAHOST "ipaHost" @@ -157,9 +159,13 @@ void idmap_cache_set_sid2unixid(const struct dom_sid *sid, struct unixid *unix_i #define LDAP_OBJ_IPAUSERGROUP "ipaUserGroup" #define LDAP_OBJ_POSIXGROUP "posixGroup" #define LDAP_OBJ_DOMAINRELATED "domainRelatedObject" +#define LDAP_OBJ_IPAOPALLOW "ipaAllowedOperations" #define LDAP_CN_REALM_DOMAINS "cn=Realm Domains,cn=ipa,cn=etc" +#define LDAP_CN_ADTRUST_AGENTS "cn=adtrust agents,cn=sysaccounts,cn=etc" +#define LDAP_CN_ADTRUST_ADMINS "cn=trust admins,cn=groups,cn=accounts" + #define HAS_KRB_PRINCIPAL (1<<0) #define HAS_KRB_PRINCIPAL_AUX (1<<1) #define HAS_IPAOBJECT (1<<2) @@ -171,6 +177,9 @@ void idmap_cache_set_sid2unixid(const struct dom_sid *sid, struct unixid *unix_i #define HAS_POSIXGROUP (1<<8) #define HAS_KRB_TICKET_POLICY_AUX (1<<9) +/* krbTicketFlags flag to don't allow issuing any ticket, keep in decimal form for LDAP use*/ +#define IPASAM_DISALLOW_ALL_TIX 64 + const struct dom_sid global_sid_Builtin = { 1, 1, {0,0,0,0,0,5}, {32,0,0,0,0,0,0,0,0,0,0,0,0,0,0}}; @@ -1677,11 +1686,16 @@ static bool search_krb_princ(struct ldapsam_privates *ldap_state, return true; } +#define KRB_PRINC_DEFAULT_ENCTYPES "aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96,arcfour-hmac" + static int set_cross_realm_pw(struct ldapsam_privates *ldap_state, TALLOC_CTX *mem_ctx, - const char *princ, const char *pwd, + const char *princ, + const char *saltprinc, + const char *pwd, const char *base_dn) { + int ret; krb5_error_code krberr; krb5_context krbctx; 
@@ -1699,14 +1713,14 @@ static int set_cross_realm_pw(struct ldapsam_privates *ldap_state, goto done; } - krberr = krb5_parse_name(krbctx, princ, &service_princ); + krberr = krb5_parse_name(krbctx, (saltprinc != NULL) ? saltprinc : princ, &service_princ); if (krberr != 0) { DEBUG(1, ("Invalid Service Principal Name [%s]\n", princ)); ret = krberr; goto done; } - ret = create_keys(krbctx, service_princ, discard_const(pwd), NULL, + ret = create_keys(krbctx, service_princ, discard_const(pwd), KRB_PRINC_DEFAULT_ENCTYPES, &keys, &err_msg); krb5_free_principal(krbctx, service_princ); if (!ret) { @@ -1748,10 +1762,16 @@ done: return ret; } +#define KRB_PRINC_CREATE_DEFAULT 0x00000000 +#define KRB_PRINC_CREATE_DISABLED 0x00000001 +#define KRB_PRINC_CREATE_AGENT_PERMISSION 0x00000002 + static bool set_krb_princ(struct ldapsam_privates *ldap_state, TALLOC_CTX *mem_ctx, - const char *princ, const char *pwd, - const char *base_dn) + const char *princ, const char *saltprinc, + const char *pwd, + const char *base_dn, + uint32_t create_flags) { LDAPMessage *entry = NULL; LDAPMod **mods = NULL; 
@@ -1805,6 +1825,33 @@ static bool set_krb_princ(struct ldapsam_privates *ldap_state, smbldap_make_mod(priv2ld(ldap_state), entry, &mods, LDAP_ATTRIBUTE_KRB_PRINCIPAL, princ); + if ((create_flags & KRB_PRINC_CREATE_DISABLED)) { + smbldap_make_mod(priv2ld(ldap_state), entry, &mods, + LDAP_ATTRIBUTE_KRB_TICKET_FLAGS, __TALLOC_STRING_LINE2__(IPASAM_DISALLOW_ALL_TIX)); + } + + if ((create_flags & KRB_PRINC_CREATE_AGENT_PERMISSION)) { + char *agent_dn = NULL; + agent_dn = talloc_asprintf(mem_ctx, LDAP_CN_ADTRUST_AGENTS",%s", ldap_state->ipasam_privates->base_dn); + if (agent_dn == NULL) { + DEBUG(1, ("error configuring cross realm principal data!\n")); + return false; + } + smbldap_set_mod(&mods, LDAP_MOD_ADD, + LDAP_ATTRIBUTE_OBJECTCLASS, + LDAP_OBJ_IPAOPALLOW); + smbldap_make_mod(priv2ld(ldap_state), entry, &mods, + LDAP_ATTRIBUTE_IPAOPALLOW, agent_dn); + agent_dn = talloc_asprintf(mem_ctx, LDAP_CN_ADTRUST_ADMINS",%s", ldap_state->ipasam_privates->base_dn); + if (agent_dn == NULL) { + DEBUG(1, ("error configuring cross realm principal data for trust admins!\n")); + return false; + } + smbldap_make_mod(priv2ld(ldap_state), entry, &mods, + LDAP_ATTRIBUTE_IPAOPALLOW, agent_dn); + } + + if (entry == NULL) { ret = smbldap_add(ldap_state->smbldap_state, dn, mods); } else { @@ -1815,7 +1862,7 @@ static bool set_krb_princ(struct ldapsam_privates *ldap_state, return false; } - ret = set_cross_realm_pw(ldap_state, mem_ctx, princ, pwd, base_dn); + ret = set_cross_realm_pw(ldap_state, mem_ctx, princ, saltprinc, pwd, base_dn); if (ret != 0) { DEBUG(1, ("set_cross_realm_pw failed.\n")); return false; @@ -1858,11 +1905,14 @@ enum princ_mod { static bool handle_cross_realm_princs(struct ldapsam_privates *ldap_state, const char *domain, const char *pwd, + uint32_t trust_direction, enum princ_mod mod) { char *trusted_dn; char *princ_l; char *princ_r; + char *princ_tdo; + char *saltprinc_tdo; char *remote_realm; bool ok; TALLOC_CTX *tmp_ctx; 
@@ -1885,27 +1935,40 @@ static bool handle_cross_realm_princs(struct ldapsam_privates *ldap_state, princ_r = talloc_asprintf(tmp_ctx, "krbtgt/%s@%s", ldap_state->ipasam_privates->realm, remote_realm); - if (trusted_dn == NULL || princ_l == NULL || princ_r == NULL) { + princ_tdo = talloc_asprintf(tmp_ctx, "%s$@%s", + ldap_state->ipasam_privates->flat_name, remote_realm); + + saltprinc_tdo = talloc_asprintf(tmp_ctx, "krbtgt/%s@%s", + ldap_state->ipasam_privates->flat_name, remote_realm); + + if (trusted_dn == NULL || princ_l == NULL || + princ_r == NULL || princ_tdo == NULL || saltprinc_tdo == NULL) { ok = false; goto done; } switch (mod) { case SET_PRINC: - if (!set_krb_princ(ldap_state, tmp_ctx, princ_l, pwd, - trusted_dn) || - !set_krb_princ(ldap_state, tmp_ctx, princ_r, pwd, - trusted_dn)) { - ok = false; + /* Create Kerberos principal for inbound trust, enabled by default */ + ok = set_krb_princ(ldap_state, tmp_ctx, princ_r, NULL, pwd, trusted_dn, KRB_PRINC_CREATE_DEFAULT); + /* Create Kerberos principal corresponding to TDO in AD for SSSD usage, disabled by default */ + ok |= set_krb_princ(ldap_state, tmp_ctx, princ_tdo, saltprinc_tdo, pwd, trusted_dn, + KRB_PRINC_CREATE_DISABLED | KRB_PRINC_CREATE_AGENT_PERMISSION); + if ((trust_direction & LSA_TRUST_DIRECTION_OUTBOUND) != 0) { + /* Create Kerberos principal for outbound trust, enabled by default */ + ok |= set_krb_princ(ldap_state, tmp_ctx, princ_l, NULL, pwd, trusted_dn, KRB_PRINC_CREATE_DEFAULT); + } + if (!ok) { goto done; } break; case DEL_PRINC: - if (!del_krb_princ(ldap_state, tmp_ctx, princ_l, - trusted_dn) || - !del_krb_princ(ldap_state, tmp_ctx, princ_r, - trusted_dn)) { - ok = false; + ok = del_krb_princ(ldap_state, tmp_ctx, princ_r, trusted_dn); + ok |= del_krb_princ(ldap_state, tmp_ctx, princ_tdo, trusted_dn); + if ((trust_direction & LSA_TRUST_DIRECTION_OUTBOUND) != 0) { + ok |= del_krb_princ(ldap_state, tmp_ctx, princ_l, trusted_dn); + } + if (!ok) { goto done; } break; 
@@ -1922,15 +1985,16 @@ done: } static bool set_cross_realm_princs(struct ldapsam_privates *ldap_state, - const char *domain, const char *pwd) + const char *domain, const char *pwd, uint32_t trust_direction) { - return handle_cross_realm_princs(ldap_state, domain, pwd, SET_PRINC); + return handle_cross_realm_princs(ldap_state, domain, pwd, trust_direction, SET_PRINC); } static bool del_cross_realm_princs(struct ldapsam_privates *ldap_state, const char *domain) { - return handle_cross_realm_princs(ldap_state, domain, NULL, DEL_PRINC); + uint32_t trust_direction = LSA_TRUST_DIRECTION_INBOUND | LSA_TRUST_DIRECTION_OUTBOUND; + return handle_cross_realm_princs(ldap_state, domain, NULL, trust_direction, DEL_PRINC); } static bool get_trusted_domain_int(struct ldapsam_privates *ldap_state, @@ -2518,7 +2582,7 @@ static NTSTATUS ipasam_set_trusted_domain(struct pdb_methods *methods, goto done; } res = set_cross_realm_princs(ldap_state, td->domain_name, - trustpw); + trustpw, td->trust_direction); memset(trustpw, 0, strlen(trustpw)); if (!res) { DEBUG(1, ("error writing cross realm principals!\n")); -- 2.4.3 -------------- next part -------------- From b850385e6bdfd727cb5a801ae4f341dbd93331fe Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Tue, 12 May 2015 12:31:46 +0000 Subject: [PATCH 02/11] ipa-adtrust-install: add IPA master host principal to adtrust agents Fixes https://fedorahosted.org/freeipa/ticket/4951 --- ACI.txt | 2 +- ipalib/plugins/trust.py | 3 ++- ipaserver/install/adtrustinstance.py | 44 ++++++++++++------------------------ ipaserver/install/dsinstance.py | 16 +++++++++++++ ipaserver/install/server/upgrade.py | 21 +++++++++++++++++ ipaserver/install/service.py | 27 ++++++++++++++++++++++ 6 files changed, 81 insertions(+), 32 deletions(-) diff --git a/ACI.txt b/ACI.txt index 9206d76..76a7ff7 100644 --- a/ACI.txt +++ b/ACI.txt 
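Review bot: In the `handle_cross_realm_princs` SET_PRINC and DEL_PRINC branches, `ok |= set_krb_princ(...)` and `ok |= del_krb_princ(...)` mask failures: once the first call returns true, a failing second or third call leaves `ok` true and the `if (!ok) goto done;` never fires, so a trust could be reported as established with the TDO principal missing. Use `ok &= ...` (or `ok = ok && ...`) instead. Note that `del_cross_realm_princs` deliberately passes both `LSA_TRUST_DIRECTION_INBOUND | LSA_TRUST_DIRECTION_OUTBOUND`, so with the fix the delete path must tolerate `princ_l` not existing for a one-way trust.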
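Review bot: In the `set_krb_princ` hunk, `__TALLOC_STRING_LINE2__(IPASAM_DISALLOW_ALL_TIX)` relies on a private talloc stringification macro; define a local `STR(x)`/`XSTR(x)` pair in ipa_sam.c instead, so the build does not break when talloc renames its internals. In the same hunk, `smbldap_set_mod(&mods, LDAP_MOD_ADD, LDAP_ATTRIBUTE_OBJECTCLASS, LDAP_OBJ_IPAOPALLOW)` is issued unconditionally, while the `entry == NULL`/`else` split below shows the principal may already exist; on an existing entry that already carries `ipaAllowedOperations` the modify will fail, so guard the objectClass add with a check like the one `smbldap_make_mod` performs for the attribute values.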
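Review bot: In the `set_cross_realm_pw` hunk, the error path after `krb5_parse_name(krbctx, (saltprinc != NULL) ? saltprinc : princ, ...)` still logs `princ`, so a malformed `saltprinc` is reported under the wrong name; log the string that was actually parsed. The new `KRB_PRINC_DEFAULT_ENCTYPES` hard-codes `arcfour-hmac` alongside the AES types for every principal created here; add a comment stating why RC4 is required for the cross-realm and TDO keys, and consider reading the list from configuration so it can be tightened without a code change.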
@@ -299,7 +299,7 @@ aci: (targetattr = "cmdcategory || cn || createtimestamp || description || entry dn: dc=ipa,dc=example aci: (targetattr = "cn || createtimestamp || description || entryusn || modifytimestamp || objectclass || ou || sudocommand || sudohost || sudonotafter || sudonotbefore || sudooption || sudoorder || sudorunas || sudorunasgroup || sudorunasuser || sudouser")(target = "ldap:///ou=sudoers,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read Sudoers compat tree";allow (compare,read,search) userdn = "ldap:///anyone";) dn: cn=trusts,dc=ipa,dc=example -aci: (targetattr = "cn || createtimestamp || entryusn || ipantflatname || ipantsecurityidentifier || ipantsidblacklistincoming || ipantsidblacklistoutgoing || ipanttrusteddomainsid || ipanttrustpartner || modifytimestamp || objectclass")(version 3.0;acl "permission:System: Read Trust Information";allow (compare,read,search) userdn = "ldap:///all";) +aci: (targetattr = "cn || createtimestamp || entryusn || ipantflatname || ipantsecurityidentifier || ipantsidblacklistincoming || ipantsidblacklistoutgoing || ipanttrustdirection || ipanttrusteddomainsid || ipanttrustpartner || modifytimestamp || objectclass")(version 3.0;acl "permission:System: Read Trust Information";allow (compare,read,search) userdn = "ldap:///all";) dn: cn=trusts,dc=ipa,dc=example aci: (targetattr = "gidnumber || krbprincipalname || uidnumber")(version 3.0;acl "permission:System: Read system trust accounts";allow (compare,read,search) groupdn = "ldap:///cn=System: Read system trust accounts,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=groups,cn=accounts,dc=ipa,dc=example diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py index 22fbb9c..5b884ca 100644 --- a/ipalib/plugins/trust.py +++ b/ipalib/plugins/trust.py 
@@ -327,7 +327,8 @@ class trust(LDAPObject): 'cn', 'objectclass', 'ipantflatname', 'ipantsecurityidentifier', 'ipanttrusteddomainsid', 'ipanttrustpartner', - 'ipantsidblacklistincoming', 'ipantsidblacklistoutgoing' + 'ipantsidblacklistincoming', 'ipantsidblacklistoutgoing', + 'ipanttrustdirection' }, }, diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py index 8591a43..8343f81 100644 --- a/ipaserver/install/adtrustinstance.py +++ b/ipaserver/install/adtrustinstance.py @@ -171,6 +171,9 @@ class ADTRUSTInstance(service.Service): self.cifs_agent = DN(('krbprincipalname', self.cifs_principal.lower()), api.env.container_service, self.suffix) + self.host_princ = DN(('fqdn', self.fqdn), + api.env.container_host, + self.suffix) def __gen_sid_string(self): @@ -450,12 +453,11 @@ class ADTRUSTInstance(service.Service): """ self.__add_plugin_conf('CLDAP', 'ipa_cldap', 'ipa-cldap-conf.ldif') - def __add_sidgen_module(self): + def __add_sidgen_task(self): """ Add sidgen directory server plugin configuration and the related task if they not already exist. """ - self.__add_plugin_conf('Sidgen', 'IPA SIDGEN', 'ipa-sidgen-conf.ldif') self.__add_plugin_conf('Sidgen task', 'ipa-sidgen-task', 'ipa-sidgen-task-conf.ldif') @@ -469,14 +471,6 @@ class ADTRUSTInstance(service.Service): except: pass - def __add_extdom_module(self): - """ - Add directory server configuration for the extdom extended operation - if it not already exists. - """ - self.__add_plugin_conf('Extdom', 'ipa_extdom_extop', - 'ipa-extdom-extop-conf.ldif') - def __add_s4u2proxy_target(self): """ Add CIFS principal to S4U2Proxy target 
@@ -509,6 +503,13 @@ class ADTRUSTInstance(service.Service): finally: os.remove(tmp_name) + def __setup_group_membership(self): + # Add the CIFS and host principals to the 'adtrust agents' group + # as 389-ds only operates with GroupOfNames, we have to use + # the principal's proper dn as defined in self.cifs_agent + service.add_principals_to_group(self.admin_conn, self.smb_dn, "member", + [self.cifs_agent, self.host_princ]) + def __setup_principal(self): try: api.Command.service_add(unicode(self.cifs_principal)) @@ -520,24 +521,6 @@ class ADTRUSTInstance(service.Service): except Exception, e: self.print_msg("Cannot add CIFS service: %s" % e) - # Add the principal to the 'adtrust agents' group - # as 389-ds only operates with GroupOfNames, we have to use - # the principal's proper dn as defined in self.cifs_agent - try: - current = self.admin_conn.get_entry(self.smb_dn) - members = current.get('member', []) - if not(self.cifs_agent in members): - current["member"] = members + [self.cifs_agent] - self.admin_conn.update_entry(current) - except errors.NotFound: - entry = self.admin_conn.make_entry( - self.smb_dn, - objectclass=["top", "GroupOfNames"], - cn=[self.smb_dn['cn']], - member=[self.cifs_agent], - ) - self.admin_conn.add_entry(entry) - self.clean_samba_keytab() try: 
@@ -846,14 +829,15 @@ class ADTRUSTInstance(service.Service): self.step("creating samba config registry", self.__write_smb_registry) self.step("writing samba config file", self.__write_smb_conf) self.step("adding cifs Kerberos principal", self.__setup_principal) + self.step("adding cifs and host Kerberos principals to the adtrust agents group", \ + self.__setup_group_membership) self.step("check for cifs services defined on other replicas", self.__check_replica) self.step("adding cifs principal to S4U2Proxy targets", self.__add_s4u2proxy_target) self.step("adding admin(group) SIDs", self.__add_admin_sids) self.step("adding RID bases", self.__add_rid_bases) self.step("updating Kerberos config", self.__update_krb5_conf) self.step("activating CLDAP plugin", self.__add_cldap_module) - self.step("activating sidgen plugin and task", self.__add_sidgen_module) - self.step("activating extdom plugin", self.__add_extdom_module) + self.step("activating sidgen task", self.__add_sidgen_task) self.step("configuring smbd to start on boot", self.__enable) self.step("adding special DNS service records", \ self.__add_dns_service_records) diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index 9f24189..d561ca5 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py @@ -264,6 +264,8 @@ class DsInstance(service.Service): self.step("adding replication acis", self.__add_replication_acis) self.step("enabling compatibility plugin", self.__enable_compat_plugin) + self.step("activating sidgen plugin", self._add_sidgen_plugin) + self.step("activating extdom plugin", self._add_extdom_plugin) self.step("tuning directory server", self.__tuning) self.step("configuring directory to start on boot", self.__enable) 
@@ -922,6 +924,20 @@ class DsInstance(service.Service): def __add_range_check_plugin(self): self._ldap_mod("range-check-conf.ldif", self.sub_dict) + # These two methods are not local, they are also called from the upgrade code + def _add_sidgen_plugin(self): + """ + Add sidgen directory server plugin configuration if it does not already exist. + """ + self._ldap_mod('ipa-sidgen-conf.ldif', self.sub_dict) + + def _add_extdom_plugin(self): + """ + Add directory server configuration for the extdom extended operation + if it does not already exist. + """ + self._ldap_mod('ipa-extdom-extop-conf.ldif', self.sub_dict) + def replica_populate(self): self.ldap_connect() diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index 740f046..84a5b06 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -18,6 +18,7 @@ import ipalib.errors from ipaplatform import services from ipaplatform.tasks import tasks from ipapython import ipautil, sysrestore, version, certdb +from ipapython import ipaldap from ipapython.ipa_log_manager import * from ipapython import certmonger from ipapython import dogtag @@ -1254,6 +1255,18 @@ def update_mod_nss_protocol(http): sysupgrade.set_upgrade_state('nss.conf', 'protocol_updated_tls12', True) +def ds_enable_sidgen_extdom_plugins(ds): + """For AD trust agents, make sure we enable sidgen and extdom plugins + """ + root_logger.info('[Enable sidgen and extdom plugins by default]') + + if sysupgrade.get_upgrade_state('ds', 'enable_ds_sidgen_extdom_plugins'): + root_logger.info('sidgen and extdom plugins are enabled already') + return + + ds._add_sidgen_plugin() + ds._add_extdom_plugin() + sysupgrade.set_upgrade_state('ds', 'enable_ds_sidgen_extdom_plugins', True) def ca_upgrade_schema(ca): root_logger.info('[Upgrading CA schema]') 
@@ -1412,6 +1425,14 @@ def upgrade_configuration(): remove_ds_ra_cert(subject_base) ds.start(ds_serverid) + # Force enabling plugins via LDAPI and external bind + ds.ldapi = True + ds.autobind = ipaldap.AUTOBIND_ENABLED + ds.fqdn = fqdn + ds.realm = api.env.realm + ds.suffix = ipautil.realm_to_suffix(api.env.realm) + ds_enable_sidgen_extdom_plugins(ds) + uninstall_selfsign(ds, http) simple_service_list = ( diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py index 88307a0..2f5f565 100644 --- a/ipaserver/install/service.py +++ b/ipaserver/install/service.py @@ -71,6 +71,33 @@ def format_seconds(seconds): parts[-1] += 's' return ' '.join(parts) +def add_principals_to_group(admin_conn, group, member_attr, principals): + """Add principals to a GroupOfNames LDAP group + admin_conn -- LDAP connection with admin rights + group -- DN of the group + member_attr -- attribute to represent members + principals -- list of DNs to add as members + """ + try: + current = admin_conn.get_entry(group) + members = current.get(member_attr, []) + if len(members) == 0: + current[member_attr] = [] + for amember in principals: + if not(amember in members): + current[member_attr].extend([amember]) + admin_conn.update_entry(current) + except errors.NotFound: + entry = admin_conn.make_entry( + group, + objectclass=["top", "GroupOfNames"], + cn=[group['cn']], + member=principals, + ) + admin_conn.add_entry(entry) + except errors.EmptyModlist: + # If there are no changes just pass + pass class Service(object): def __init__(self, service_name, service_desc=None, sstore=None, -- 2.4.3 -------------- next part -------------- From 4a856d8ff597ec516cc1eb05f06e062bb4ecca5b Mon Sep 17 00:00:00 2001 
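Review bot: In the new `add_principals_to_group` in service.py, the `errors.NotFound` branch builds the entry with `member=principals`, ignoring the `member_attr` parameter that the update path honours; use `**{member_attr: principals}` so a caller passing a different attribute does not silently get a `member` attribute on the freshly created group. A docstring line noting that the function swallows `errors.EmptyModlist` would also help callers understand that "nothing changed" is not reported back.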
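Review bot: In the adtrustinstance.py hunk, the new attribute `self.host_princ` holds the host entry DN (`fqdn=..., cn=computers, ...`), not a principal DN like `self.cifs_agent` (`krbprincipalname=...`); naming it `host_dn` or similar, and updating the "Add the CIFS and host principals" comment in `__setup_group_membership`, would make clear that two different object types are being added to the `adtrust agents` group.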
From: Alexander Bokovoy Date: Thu, 28 May 2015 11:49:58 +0000 Subject: [PATCH 05/11] trusts: pass AD DC hostname if specified explicitly Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1222047 --- API.txt | 3 ++- VERSION | 2 +- ipalib/plugins/trust.py | 9 ++++++++- ipaserver/dcerpc.py | 10 +++++++--- 4 files changed, 18 insertions(+), 6 deletions(-) diff --git a/API.txt b/API.txt index e226712..f3b4df8 100644 --- a/API.txt +++ b/API.txt @@ -4998,10 +4998,11 @@ output: Output('result', , None) output: Output('summary', (, ), None) output: ListOfPrimaryKeys('value', None, None) command: trust_fetch_domains -args: 1,4,4 +args: 1,5,4 arg: Str('cn', attribute=True, cli_name='realm', multivalue=False, primary_key=True, query=True, required=True) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('realm_server?', cli_name='server') option: Flag('rights', autofill=True, default=False) option: Str('version?', exclude='webui') output: Output('count', , None) diff --git a/VERSION b/VERSION index 266a04a..c31ddfc 100644 --- a/VERSION +++ b/VERSION @@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000 # # ######################################################## IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=137 +IPA_API_VERSION_MINOR=138 # Last change: mbabinsk: Commands to manage user/host/service certificates diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py index 5b884ca..13ac52d 100644 --- a/ipalib/plugins/trust.py +++ b/ipalib/plugins/trust.py 
@@ -1302,9 +1302,10 @@ def fetch_domains_from_trust(self, trustinstance, trust_entry, **options): sp.insert(0, trustinstance.remote_domain.info['name']) creds = u"{name}%{password}".format(name="\\".join(sp), password=password) + server = options.get('realm_server', None) domains = ipaserver.dcerpc.fetch_domains(self.api, trustinstance.local_flatname, - trust_name, creds=creds) + trust_name, creds=creds, server=server) result = [] if not domains: return result @@ -1342,6 +1343,12 @@ class trust_fetch_domains(LDAPRetrieve): __doc__ = _('Refresh list of the domains associated with the trust') has_output = output.standard_list_of_entries + takes_options = LDAPRetrieve.takes_options + ( + Str('realm_server?', + cli_name='server', + label=_('Domain controller for the Active Directory domain (optional)'), + ), + ) def execute(self, *keys, **options): if not _bindings_installed: diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py index 725b2cd..753e10e 100644 --- a/ipaserver/dcerpc.py +++ b/ipaserver/dcerpc.py @@ -1046,7 +1046,7 @@ class TrustDomainInstance(object): return False -def fetch_domains(api, mydomain, trustdomain, creds=None): +def fetch_domains(api, mydomain, trustdomain, creds=None, server=None): trust_flags = dict( NETR_TRUST_FLAG_IN_FOREST = 0x00000001, NETR_TRUST_FLAG_OUTBOUND = 0x00000002, @@ -1087,8 +1087,12 @@ def fetch_domains(api, mydomain, trustdomain, creds=None): cr.set_workstation(domain_validator.flatname) netrc = net.Net(creds=cr, lp=td.parm) try: - result = netrc.finddc(domain=trustdomain, - flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS) + if server: + result = netrc.finddc(address=server, + flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS) + else: + result = netrc.finddc(domain=trustdomain, + flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS) except RuntimeError, e: raise assess_dcerpc_exception(message=str(e)) -- 2.4.3 -------------- next part -------------- From c6b834931193b66063c982078dac7bfaeacb950a Mon Sep 17 00:00:00 2001 
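Review bot: In the dcerpc.py hunk, when `server` is given, `netrc.finddc(address=server, ...)` returns whatever domain controller answers at that address, and nothing in `fetch_domains` checks that it actually belongs to `trustdomain` before the trust topology is pulled from it and written to LDAP; compare the returned DC's domain name against `trustdomain` and raise an error on mismatch, so a mistyped `--server` cannot populate the trust with domains from an unrelated forest.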
From: Alexander Bokovoy Date: Thu, 4 Jun 2015 17:36:32 +0000 Subject: [PATCH 06/11] ipa-sidgen: reduce log level to normal if domain SID is not available To support AD trust agents, we need to run sidgen and extdom plugins on every IPA master. Lack of working configuration, thus, is not a failure so reduce log level to normal as sidgen plugin will not be active if domain SID is missing but it can certainly be kept enabled. Part of https://fedorahosted.org/freeipa/ticket/4951 --- daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.c b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.c index 135c47a..99e6b85 100644 --- a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.c +++ b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.c @@ -104,7 +104,7 @@ static int ipa_sidgen_add_post_op(Slapi_PBlock *pb) if (ctx->dom_sid == NULL) { ret = get_dom_sid(ctx->plugin_id, ctx->base_dn, &ctx->dom_sid); if (ret != 0) { - LOG_FATAL("Domain SID not available, nothing to do.\n"); + LOG("Domain SID not available, nothing to do.\n"); ret = 0; goto done; } -- 2.4.3 -------------- next part -------------- From a4e2034028d64a8b2b533af9541e698a68388fb2 Mon Sep 17 00:00:00 2001 
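Review bot: In the ipa_sidgen.c hunk, downgrading to `LOG(...)` means every add post-op on a master without a domain SID now emits "Domain SID not available, nothing to do." at normal level; since the commit message says this is the expected state on trust agents, log it once (or at debug level) to avoid flooding the directory server log.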
From: Alexander Bokovoy Date: Thu, 4 Jun 2015 21:29:36 +0000 Subject: [PATCH 07/11] ipa-adtrust-install: allow configuring of trust agents Trust agents are IPA master without Samba which can serve information about users from trusted forests. Such IPA masters cannot be used to configure trust but they can resolve AD users and groups for IPA clients enrolled to them. Since support from both FreeIPA and SSSD is needed to enable trust agent support, we currently only consider those IPA masters which have been upgraded to FreeIPA 4.2 or later. Part of https://fedorahosted.org/freeipa/ticket/4951 --- install/tools/ipa-adtrust-install | 81 +++++++++++++++++++++++++++++++++ install/tools/man/ipa-adtrust-install.1 | 15 +++++- 2 files changed, 95 insertions(+), 1 deletion(-) diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install index a412407..5340c31 100755 --- a/install/tools/ipa-adtrust-install +++ b/install/tools/ipa-adtrust-install @@ -61,6 +61,9 @@ def parse_options(): parser.add_option("--add-sids", dest="add_sids", action="store_true", default=False, help="Add SIDs for existing users and" \ " groups as the final step") + parser.add_option("--add-agents", dest="add_agents", action="store_true", + default=False, help="Add IPA masters to a list of hosts allowed to serve" \ + "information about users from trusted forests") parser.add_option("--enable-compat", dest="enable_compat", default=False, action="store_true", help="Enable support for trusted domains for old clients") 
@@ -380,6 +383,84 @@ def main(): smb.find_local_id_range() smb.create_instance() + if options.add_agents: + # Find out IPA masters which are not part of the cn=adtrust agents + # and propose them to be added to the list + base_dn = api.env.basedn + masters_dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), base_dn) + agents_dn = DN(('cn', 'adtrust agents'), ('cn', 'sysaccounts'), ('cn', 'etc'), base_dn) + new_agents = [] + entries_m = [] + entries_a = [] + try: + # Search only masters which have support for domain levels + # because only these masters will have SSSD recent enough to support AD trust agents + (entries_m, truncated) = smb.admin_conn.find_entries( + filter="(&(objectclass=ipaSupportedDomainLevelConfig)(!(ipaMaxDomainLevel=0)))", + base_dn=masters_dn, attrs_list=['cn'], scope=ldap.SCOPE_ONELEVEL) + except errors.NotFound: + pass + except (errors.DatabaseError, errors.NetworkError), e: + print "Could not retrieve a list of existing IPA masters:" + print unicode(e) + + try: + (entries_a, truncated) = smb.admin_conn.find_entries(filter="", + base_dn=agents_dn, attrs_list=['member'], scope=ldap.SCOPE_BASE) + except errors.NotFound: + pass + except (errors.DatabaseError, errors.NetworkError), e: + print "Could not retrieve a list of adtrust agents:" + print unicode(e) + + if len(entries_m) > 0: + existing_masters = [x['cn'][0] for x in entries_m] + adtrust_agents = entries_a[0]['member'] + potential_agents = [] + for m in existing_masters: + mdn = DN(('fqdn', m), api.env.container_host, api.env.basedn) + found = False + for a in adtrust_agents: + if mdn == a: + found = True + break + if not found: + potential_agents += [[m, mdn]] + + object_count = len(potential_agents) + if object_count > 0: + print "" + print "WARNING: %d IPA masters are not yet able to serve information about users from trusted forests." \ + % (object_count) + print "Installer can add them to the list of IPA masters allowed to access infromation about trusts." 
+ print "If you choose to do so, you also need to restart LDAP service on those masters." + print "Refer to ipa-adtrust-install(1) man page for details." + print "" + if options.unattended: + print "Unattended mode was selected, installer will NOT add other IPA masters to the list of allowed to" + print "access information about trusted forests!" + else: + print "Do you want to allow following IPA masters to serve information about users from trusted forests?" + for (name, dn) in potential_agents: + if name == api.env.host: + # Don't add this host here + # it shouldn't be here as it was added by the adtrustinstance setup code + continue + if ipautil.user_input("IPA master [%s]?" % (name), default=False, allow_empty=False): + new_agents += [[name, dn]] + + if len(new_agents) > 0: + # Add the CIFS and host principals to the 'adtrust agents' group + # as 389-ds only operates with GroupOfNames, we have to use + # the principal's proper dn as defined in self.cifs_agent + service.add_principals_to_group(smb.admin_conn, agents_dn, "member", + [x[1] for x in new_agents]) + print """ +WARNING: you MUST restart (e.g. ipactl restart) the following IPA masters in order +to activate them to serve information about users from trusted forests:""" + for x in new_agents: + print x[0] + print """ ============================================================================= Setup complete diff --git a/install/tools/man/ipa-adtrust-install.1 b/install/tools/man/ipa-adtrust-install.1 index a32eefb..2658f19 100644 --- a/install/tools/man/ipa-adtrust-install.1 +++ b/install/tools/man/ipa-adtrust-install.1 
@@ -76,7 +76,7 @@ are needed for the IPA domain which should point to all IPA servers: \(bu _kerberos._udp.Default-First-Site-Name._sites.dc._msdcs .TP \fB\-\-add\-sids\fR -Add SIDs to existing users and groups as a final step of the +Add SIDs to existing users and groups as on of final steps of the ipa\-adtrust\-install run. If there a many existing users and groups and a couple of replicas in the environment this operation might lead to a high replication traffic and a performance degradation of all IPA servers in the @@ -85,6 +85,19 @@ ipa\-adtrust\-install is run and scheduled independently. To start this task you have to load an edited version of ipa-sidgen-task-run.ldif with the ldapmodify command info the directory server. .TP +\fB\-\-add\-agents\fR +Add IPA masters to the list that allows to serve information about +users from trusted forests. Starting with FreeIPA 4.2, a regular IPA master +can provide this information to SSSD clients. IPA masters aren't added +to the list automatically as restart of the LDAP service on each of them +is required. The host where ipa\-adtrust\-install is being run is added +automatically. +.IP +Note that IPA masters where ipa\-adtrust\-install wasn't run, can serve +information about users from trusted forests only if they are enabled +via \ipa-adtrust\-install run on any other IPA master. At least SSSD +version 1.13 on IPA master is required to be able to perform as a trust agent. +.TP \fB\-U\fR, \fB\-\-unattended\fR An unattended installation that will never prompt for user input .TP -- 2.4.3 -------------- next part -------------- From eb336b43bbd013c2b94a2a60253100a6a8ad2dcf Mon Sep 17 00:00:00 2001 
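Review bot: In the `parse_options` hunk of ipa-adtrust-install, the `--add-agents` help string is built from two adjacent literals, `"...allowed to serve" \ "information..."`, with no separating space, so the help text reads "serveinformation"; add a trailing space to the first literal.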
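Review bot: In the `main()` hunk of ipa-adtrust-install, `adtrust_agents = entries_a[0]['member']` raises `IndexError` when the `cn=adtrust agents` search hit the `errors.NotFound` branch (leaving `entries_a` empty) and `KeyError` when the group exists but has no `member` attribute; guard both cases (for example `entries_a[0].get('member', [])` behind a `len(entries_a)` check). The printed warning also has the typo "infromation", and the `object_count` reported to the user includes the local host even though the loop below skips it.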
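Review bot: In the ipa-adtrust-install.1 hunk, the changed `--add-sids` sentence reads "as on of final steps" (should be "one of the final steps"), and the new `--add-agents` text contains `\ipa-adtrust\-install`, where the leading `\i` is a stray escape that should be a plain `ipa\-adtrust\-install`; "the list that allows to serve information" would read better as "the list of masters allowed to serve information".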
From: Alexander Bokovoy Date: Fri, 5 Jun 2015 12:57:02 +0000 Subject: [PATCH 08/11] trusts: add support for one-way trust and switch to it by default One-way trust is the default now, use 'trust add --two-way ' to force bidirectional trust https://fedorahosted.org/freeipa/ticket/4959 In case of one-way trust we cannot authenticate using cross-realm TGT against an AD DC. We have to use trusted domain object from within AD domain and access to this object is limited to avoid compromising the whole trust configuration. Instead, IPA framework can call out to oddjob daemon and ask it to run the script which can have access to the TDO object. This script (com.redhat.idm.trust-fetch-domains) is using cifs/ipa.master principal to retrieve TDO object credentials from IPA LDAP if needed and then authenticate against AD DCs using the TDO object credentials. The script pulls the trust topology out of AD DCs and updates IPA LDAP store. Then IPA framework can pick the updated data from the IPA LDAP under normal access conditions. Part of https://fedorahosted.org/freeipa/ticket/4546 --- API.txt | 3 +- VERSION | 2 +- freeipa.spec.in | 14 +- install/Makefile.am | 1 + install/configure.ac | 1 + install/oddjob/Makefile.am | 28 +++ install/oddjob/com.redhat.idm.trust-fetch-domains | 198 +++++++++++++++++++++ .../etc/dbus-1/system.d/oddjob-ipa-trust.conf | 40 +++++ .../etc/oddjobd.conf.d/oddjobd-ipa-trust.conf | 21 +++ ipalib/plugins/trust.py | 141 +++++++++++---- ipaserver/dcerpc.py | 44 +++-- 11 files changed, 442 insertions(+), 51 deletions(-) create mode 100644 install/oddjob/Makefile.am create mode 100755 install/oddjob/com.redhat.idm.trust-fetch-domains create mode 100644 install/oddjob/etc/dbus-1/system.d/oddjob-ipa-trust.conf create mode 100644 install/oddjob/etc/oddjobd.conf.d/oddjobd-ipa-trust.conf diff --git a/API.txt b/API.txt index f3b4df8..020639f 100644 --- a/API.txt +++ b/API.txt 
@@ -4971,11 +4971,12 @@ arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=Tr option: Str('version?', exclude='webui') output: Output('result', None, None) command: trust_add -args: 1,13,3 +args: 1,14,3 arg: Str('cn', attribute=True, cli_name='realm', multivalue=False, primary_key=True, required=True) option: Str('addattr*', cli_name='addattr', exclude='webui') option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Int('base_id?', cli_name='base_id') +option: Bool('bidirectional?', cli_name='two_way', default=False) option: Int('range_size?', cli_name='range_size') option: StrEnum('range_type?', cli_name='range_type', values=(u'ipa-ad-trust-posix', u'ipa-ad-trust')) option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') diff --git a/VERSION b/VERSION index c31ddfc..02ad7e2 100644 --- a/VERSION +++ b/VERSION @@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000 # # ######################################################## IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=138 +IPA_API_VERSION_MINOR=139 # Last change: mbabinsk: Commands to manage user/host/service certificates diff --git a/freeipa.spec.in b/freeipa.spec.in index 52af50d..46586ed 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -204,6 +204,7 @@ Requires: samba >= %{samba_version} Requires: samba-winbind Requires: libsss_idmap Requires: libsss_nss_idmap-python +Requires: oddjob %if (0%{?fedora} >= 22) Requires: python-sss %endif @@ -581,6 +582,8 @@ fi %post server-trust-ad %{_sbindir}/update-alternatives --install %{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so \ winbind_krb5_locator.so /dev/null 90 +/bin/systemctl reload-or-try-restart dbus +/bin/systemctl reload-or-try-restart oddjobd %posttrans server-trust-ad python2 -c "import sys; from ipaserver.install import installutils; sys.exit(0 if installutils.is_ipa_configured() else 1);" > /dev/null 2>&1 
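Review bot: In the VERSION hunk the minor API version is bumped to 139 but the `# Last change:` comment right below it still names the previous change (`mbabinsk: Commands to manage user/host/service certificates`); update it to mention the new `bidirectional` option on `trust_add`, since that comment is how reviewers tell which change a bump belongs to.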
@@ -593,6 +596,8 @@ fi %preun server-trust-ad if [ $1 -eq 0 ]; then %{_sbindir}/update-alternatives --remove winbind_krb5_locator.so /dev/null + /bin/systemctl reload-or-try-restart dbus + /bin/systemctl reload-or-try-restart oddjobd fi %endif # ONLY_CLIENT @@ -830,6 +835,9 @@ fi %attr(755,root,root) %{plugin_dir}/libipa_otp_counter.so %attr(755,root,root) %{plugin_dir}/libipa_otp_lasttoken.so %attr(755,root,root) %{plugin_dir}/libtopology.so +%attr(755,root,root) %{plugin_dir}/libipa_sidgen.so +%attr(755,root,root) %{plugin_dir}/libipa_sidgen_task.so +%attr(755,root,root) %{plugin_dir}/libipa_extdom_extop.so %dir %{_localstatedir}/lib/ipa %attr(700,root,root) %dir %{_localstatedir}/lib/ipa/backup %attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysrestore @@ -864,15 +872,15 @@ fi %files server-trust-ad %{_sbindir}/ipa-adtrust-install -%attr(755,root,root) %{plugin_dir}/libipa_extdom_extop.so %{_usr}/share/ipa/smb.conf.empty %attr(755,root,root) %{_libdir}/samba/pdb/ipasam.so -%attr(755,root,root) %{plugin_dir}/libipa_sidgen.so -%attr(755,root,root) %{plugin_dir}/libipa_sidgen_task.so %{_mandir}/man1/ipa-adtrust-install.1.gz %{python_sitelib}/ipaserver/dcerpc* %{python_sitelib}/ipaserver/install/adtrustinstance* %ghost %{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so +%{_sysconfdir}/dbus-1/system.d/oddjob-ipa-trust.conf +%{_sysconfdir}/oddjobd.conf.d/oddjobd-ipa-trust.conf +%%attr(755,root,root) %{_libexecdir}/ipa/com.redhat.idm.trust-fetch-domains %endif # ONLY_CLIENT diff --git a/install/Makefile.am b/install/Makefile.am index c07f571..ac52ad3 100644 --- a/install/Makefile.am +++ b/install/Makefile.am @@ -17,6 +17,7 @@ SUBDIRS = \ po \ restart_scripts \ wsgi \ + oddjob \ $(NULL) install-exec-local: diff --git a/install/configure.ac b/install/configure.ac index 57f4219..cf19758 100644 --- a/install/configure.ac +++ b/install/configure.ac 
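Review bot: The `%files server-trust-ad` hunk has a doubled percent sign in `+%%attr(755,root,root) %{_libexecdir}/ipa/com.redhat.idm.trust-fetch-domains`; `%%` is the rpm escape for a literal `%`, so this line becomes a literal `%attr(...)` path in the file list instead of an attribute directive and the build will fail. Change it to `%attr(755,root,root) %{_libexecdir}/ipa/com.redhat.idm.trust-fetch-domains`. The same hunks also move `libipa_sidgen.so`, `libipa_sidgen_task.so` and `libipa_extdom_extop.so` from the `server-trust-ad` subpackage into the main server package without a word in the commit message; a sentence explaining that every master now ships these plugins (presumably so that `--add-agents` can enable them) would help whoever reads the history later.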
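Review bot: In the `%preun server-trust-ad` hunk, `/bin/systemctl reload-or-try-restart dbus` and `/bin/systemctl reload-or-try-restart oddjobd` run before the package's files are removed, so both daemons reload while `oddjob-ipa-trust.conf` and `oddjobd-ipa-trust.conf` are still on disk and keep the stale service definition until something else restarts them. Move the two lines into a `%postun server-trust-ad` section guarded by the same `if [ $1 -eq 0 ]` test, where they run after removal.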
@@ -103,6 +103,7 @@ AC_CONFIG_FILES([ po/Makefile restart_scripts/Makefile wsgi/Makefile + oddjob/Makefile ]) AC_OUTPUT diff --git a/install/oddjob/Makefile.am b/install/oddjob/Makefile.am new file mode 100644 index 0000000..9dde10c --- /dev/null +++ b/install/oddjob/Makefile.am @@ -0,0 +1,28 @@ +NULL = + +oddjobdir = $(libexecdir)/ipa +oddjobconfdir = $(sysconfdir)/oddjobd.conf.d +dbusconfdir = $(sysconfdir)/dbus-1/system.d + +oddjob_SCRIPTS = \ + com.redhat.idm.trust-fetch-domains \ + $(NULL) + +dbusconf_DATA = \ + etc/dbus-1/system.d/oddjob-ipa-trust.conf \ + $(NULL) + +oddjobconf_DATA = \ + etc/oddjobd.conf.d/oddjobd-ipa-trust.conf \ + $(NULL) + + +#EXTRA_DIST = \ +# $(oddjob_SCRIPTS) \ +# $(dbusconf_DATA) \ +# $(oddjobconf_DATA) \ +# $(NULL) + +MAINTAINERCLEANFILES = \ + *~ \ + Makefile.in diff --git a/install/oddjob/com.redhat.idm.trust-fetch-domains b/install/oddjob/com.redhat.idm.trust-fetch-domains new file mode 100755 index 0000000..2571dd0 --- /dev/null +++ b/install/oddjob/com.redhat.idm.trust-fetch-domains 
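Review bot: The new `install/oddjob/Makefile.am` leaves the `EXTRA_DIST` block commented out. Automake does not distribute files listed under a plain `_SCRIPTS` primary, so `com.redhat.idm.trust-fetch-domains` is installed from a git checkout but will be missing from a `make dist` tarball; either uncomment `EXTRA_DIST` or rename the primary to `dist_oddjob_SCRIPTS`. If the commented block is not meant to come back, drop it rather than leaving dead Makefile text behind.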
@@ -0,0 +1,198 @@ +#!/usr/bin/python2 + +from ipaserver import dcerpc +from ipaserver.install.installutils import is_ipa_configured, ScriptError +from ipapython import config, ipautil +from ipalib import api, errors +from ipapython.dn import DN +from ipalib.config import Env +from ipalib.constants import DEFAULT_CONFIG +from ipalib.krb_utils import KRB5_CCache +import sys +import os, pwd +import krbV +import time + +# This version is different from the original in ipapyton.ipautil +# in the fact that it returns a krbV.CCache object. +def kinit_keytab(principal, keytab, ccache_name, attempts=1): + errors_to_retry = {krbV.KRB5KDC_ERR_SVC_UNAVAILABLE, + krbV.KRB5_KDC_UNREACH} + for attempt in range(1, attempts + 1): + try: + krbcontext = krbV.default_context() + ktab = krbV.Keytab(name=keytab, context=krbcontext) + princ = krbV.Principal(name=principal, context=krbcontext) + ccache = krbV.CCache(name=ccache_name, context=krbcontext, + primary_principal=princ) + ccache.init(princ) + ccache.init_creds_keytab(keytab=ktab, principal=princ) + return ccache + except krbV.Krb5Error as e: + if e.args[0] not in errors_to_retry: + raise + if attempt == attempts: + raise + time.sleep(5) + +def retrieve_keytab(api, ccache_name, oneway_keytab_name, oneway_principal): + getkeytab_args = ["/usr/sbin/ipa-getkeytab", + "-s", api.env.host, + "-p", oneway_principal, + "-k", oneway_keytab_name, + "-r"] + (stdout, stderr, retcode) = ipautil.run(getkeytab_args, + env={'KRB5CCNAME': ccache_name, 'LANG': 'C'}, + raiseonerr=False) + # Make sure SSSD is able to read the keytab + sssd = pwd.getpwnam('sssd') + os.chown(oneway_keytab_name, sssd[2], sssd[3]) + + +def parse_options(): + usage = "%prog \n" + parser = config.IPAOptionParser(usage=usage, + formatter=config.IPAFormatter()) + + parser.add_option("-d", "--debug", action="store_true", dest="debug", + help="Display debugging information") + + options, args = parser.parse_args() + safe_options = parser.get_safe_opts(options) + + return 
safe_options, options, args + + +if not is_ipa_configured(): + # LSB status code 6: program is not configured + raise ScriptError("IPA is not configured " + + "(see man pages of ipa-server-install for help)", 6) + +if not os.getegid() == 0: + # LSB status code 4: user had insufficient privilege + raise ScriptError("You must be root to run ipactl.", 4) + +safe_options, options, args = parse_options() + +if len(args) != 1: + # LSB status code 2: invalid or excess argument(s) + raise ScriptError("You must specify trusted domain name", 2) + +trusted_domain = unicode(args[0].lower()) + +env = Env() +env._bootstrap(context='server', debug=options.debug, log=None) +env._finalize_core(**dict(DEFAULT_CONFIG)) + +# Initialize the API with the proper debug level +api.bootstrap(context='server', debug=env.debug, log=None) +api.finalize() + +# Only import trust plugin after api is initialized or internal imports +# within the plugin will not work +from ipalib.plugins import trust + +# We have to dance with two different credentials caches: +# ccache_name -- for cifs/ipa.master at IPA.REALM to communicate with LDAP +# oneway_ccache_name -- for IPA$@AD.REALM to communicate with AD DCs +# +# ccache_name may not exist, we'll have to initialize it from Samba's keytab +# +# oneway_ccache_name may not exist either but to initialize it, we need +# to check if oneway_keytab_name keytab exists and fetch it first otherwise. +# +# to fetch oneway_keytab_name keytab, we need to initialize ccache_name ccache first +# and retrieve our own NetBIOS domain name and use cifs/ipa.master at IPA.REALM to +# retrieve the keys to oneway_keytab_name. 
+ +keytab_name = '/etc/samba/samba.keytab' +oneway_keytab_name = '/var/lib/sss/keytabs/' + trusted_domain + '.keytab' + +principal = str('cifs/' + api.env.host) + +oneway_ccache_name = '/var/run/ipa/krb5cc_oddjob_trusts_fetch' +ccache_name = '/var/run/ipa/krb5cc_oddjob_trusts' + +# Standard sequence: +# - check if ccache exists +# - if not, initialize it from Samba's keytab +# - check if ccache contains valid TGT +# - if not, initialize it from Samba's keytab +# - refer the correct ccache object for further use +# +if not os.path.isfile(ccache_name): + ccache = kinit_keytab(principal, keytab_name, ccache_name) + +ccache_check = KRB5_CCache(ccache_name) +if not ccache_check.credential_is_valid(principal): + ccache = kinit_keytab(principal, keytab_name, ccache_name) +else: + ccache = ccache_check.ccache + +old_ccache = os.environ.get('KRB5CCNAME') +api.Backend.ldap2.connect(ccache) + +own_trust_dn = DN(('cn', api.env.domain),('cn','ad'), ('cn', 'etc'), api.env.basedn) +own_trust_entry = api.Backend.ldap2.get_entry(own_trust_dn, ['ipantflatname']) +own_trust_flatname = own_trust_entry['ipantflatname'][0].upper() + +oneway_principal = str('%s$@%s' % (own_trust_flatname, trusted_domain.upper())) + +# If keytab does not exist, retrieve it +if not os.path.isfile(oneway_keytab_name): + retrieve_keytab(api, ccache_name, oneway_keytab_name, oneway_principal) + +oneway_ccache = None +try: + # The keytab may have stale key material (from older trust-add run) + if not os.path.isfile(oneway_ccache_name): + oneway_ccache = kinit_keytab(oneway_principal, oneway_keytab_name, oneway_ccache_name) +except krbV.Krb5Error as e: + # If there was failure on using keytab, assume it is stale and retrieve again + retrieve_keytab(api, ccache_name, oneway_keytab_name, oneway_principal) + +if oneway_ccache: + # There wasn existing ccache, validate its content + oneway_ccache_check = KRB5_CCache(oneway_ccache_name) + if not oneway_ccache_check.credential_is_valid(oneway_principal): + # If 
credentials were invalid, obtain them again + oneway_ccache = kinit_keytab(oneway_principal, oneway_keytab_name, oneway_ccache_name) + else: + oneway_ccache = oneway_ccache_check.ccache +else: + oneway_ccache = kinit_keytab(oneway_principal, oneway_keytab_name, oneway_ccache_name) + +# We are done: we have ccache with TDO credentials and can fetch domains +ipa_domain = api.env.domain +os.environ['KRB5CCNAME'] = oneway_ccache_name +domains = dcerpc.fetch_domains(api, ipa_domain, trusted_domain, creds=True) + +if domains: + # trust range must exist by the time fetch_domains_from_trust is called + range_name = unicode(trusted_domain.upper() + '_id_range') + old_range = api.Command.idrange_show(range_name, raw=True)['result'] + idrange_type = old_range['iparangetype'][0] + + result = [] + for dom in domains: + dom['trust_type'] = u'ad' + try: + name = dom['cn'] + del dom['cn'] + + res = api.Command.trustdomain_add(trusted_domain, name, **dom) + result.append(res['result']) + + if idrange_type != u'ipa-ad-trust-posix': + range_name = name.upper() + '_id_range' + dom['range_type'] = u'ipa-ad-trust' + trust.add_range(range_name, dom['ipanttrusteddomainsid'], + trusted_domain, name, **dom) + except errors.DuplicateEntry: + # Ignore updating duplicate entries + pass + +if old_ccache: + os.environ['KRB5CCNAME'] = old_ccache + +sys.exit(0) diff --git a/install/oddjob/etc/dbus-1/system.d/oddjob-ipa-trust.conf b/install/oddjob/etc/dbus-1/system.d/oddjob-ipa-trust.conf new file mode 100644 index 0000000..2e4c136 --- /dev/null +++ b/install/oddjob/etc/dbus-1/system.d/oddjob-ipa-trust.conf @@ -0,0 +1,40 @@ + + + + + + + + + + + + + + + + + + + + + diff --git a/install/oddjob/etc/oddjobd.conf.d/oddjobd-ipa-trust.conf b/install/oddjob/etc/oddjobd.conf.d/oddjobd-ipa-trust.conf new file mode 100644 index 0000000..17817de --- /dev/null +++ b/install/oddjob/etc/oddjobd.conf.d/oddjobd-ipa-trust.conf @@ -0,0 +1,21 @@ + + + + + + + + + + + + + + + + + + 
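Review bot: In `com.redhat.idm.trust-fetch-domains` the per-domain loop calls `trust.add_range(range_name, dom['ipanttrusteddomainsid'], trusted_domain, name, **dom)`, but this same series changes the signature to `add_range(myapi, range_name, dom_sid, *keys, **options)`, so the call is missing the `api` argument and every positional parameter shifts by one (`range_name` arrives as `myapi`, the SID as the range name); pass `api` first. Better still, replace the whole inlined loop with the `add_new_domains_from_trust()` that the trust.py side of this patch introduces (its comment says the helper "will call add_new_domains_from_trust() on its own", which the script as posted does not do, and the copy here already lacks the `raw` handling of the original). Two smaller points in the same file: the privilege check `if not os.getegid() == 0` tests the effective group, not the user, and its message "You must be root to run ipactl." was carried over from ipactl, so use `os.geteuid() != 0` and name this helper; and `retrieve_keytab()` runs `ipa-getkeytab` with `raiseonerr=False` but never looks at `retcode`, so a failed retrieval surfaces only as an `OSError` from the following `os.chown` on a keytab that does not exist. Check the return code and raise `ScriptError` with `stderr` instead. The comment "There wasn existing ccache" should read "There was an existing ccache".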
diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py index 13ac52d..9fbaf25 100644 --- a/ipalib/plugins/trust.py +++ b/ipalib/plugins/trust.py @@ -22,6 +22,7 @@ from ipalib.plugable import Registry from ipalib.plugins.baseldap import * from ipalib.plugins.dns import dns_container_exists from ipapython.ipautil import realm_to_suffix +from ipapython.ipa_log_manager import root_logger from ipalib import api, Str, StrEnum, Password, Bool, _, ngettext from ipalib import Command from ipalib import errors @@ -43,6 +44,8 @@ except Exception, e: if api.env.in_server and api.env.context in ['lite', 'server']: try: import ipaserver.dcerpc #pylint: disable=F0401 + from ipaserver.dcerpc import TRUST_ONEWAY, TRUST_BIDIRECTIONAL + import dbus, dbus.mainloop.glib _bindings_installed = True except ImportError: _bindings_installed = False @@ -161,6 +164,8 @@ _trust_type_option = StrEnum('trust_type', DEFAULT_RANGE_SIZE = 200000 +DBUS_IFACE_TRUST = 'com.redhat.idm.trust' + def trust_type_string(level): """ Returns a string representing a type of the trust. The original field is an enum: @@ -191,7 +196,7 @@ def make_trust_dn(env, trust_type, dn): return DN(dn, container_dn) return dn -def add_range(self, range_name, dom_sid, *keys, **options): +def add_range(myapi, range_name, dom_sid, *keys, **options): """ First, we try to derive the parameters of the ID range based on the information contained in the Active Directory. @@ -224,7 +229,7 @@ def add_range(self, range_name, dom_sid, *keys, **options): + basedn # Get the domain validator - domain_validator = ipaserver.dcerpc.DomainValidator(self.api) + domain_validator = ipaserver.dcerpc.DomainValidator(myapi) if not domain_validator.is_configured(): raise errors.NotFound( reason=_('Cannot search in trusted domains without own ' 
@@ -251,10 +256,10 @@ def add_range(self, range_name, dom_sid, *keys, **options): if not info_list: # We were unable to gain UNIX specific info from the AD - self.log.debug("Unable to gain POSIX info from the AD") + root_logger.debug("Unable to gain POSIX info from the AD") else: if all(attr in info for attr in required_msSFU_attrs): - self.log.debug("Able to gain POSIX info from the AD") + root_logger.debug("Able to gain POSIX info from the AD") range_type = u'ipa-ad-trust-posix' max_uid = info.get('msSFU30MaxUidNumber') 
@@ -288,16 +293,43 @@ def add_range(self, range_name, dom_sid, *keys, **options): ) * DEFAULT_RANGE_SIZE # Finally, add new ID range - self.api.Command['idrange_add'](range_name, - ipabaseid=base_id, - ipaidrangesize=range_size, - ipabaserid=0, - iparangetype=range_type, - ipanttrusteddomainsid=dom_sid) + myapi.Command['idrange_add'](range_name, + ipabaseid=base_id, + ipaidrangesize=range_size, + ipabaserid=0, + iparangetype=range_type, + ipanttrusteddomainsid=dom_sid) # Return the values that were generated inside this function return range_type, range_size, base_id +def fetch_trusted_domains_over_dbus(myapi, log, forest_name): + if not _bindings_installed: + return + # Calling oddjobd-activated service via DBus has some quirks: + # - Oddjobd registers multiple canonical names on the same address + # - python-dbus only follows name owner changes when mainloop is in use + # See https://fedorahosted.org/oddjob/ticket/2 for details + dbus.mainloop.glib.DBusGMainLoop(set_as_default=True) + try: + _ret = 0 + _stdout = '' + _stderr = '' + bus = dbus.SystemBus() + intf = bus.get_object(DBUS_IFACE_TRUST,"/", follow_name_owner_changes=True) + fetch_domains_method = intf.get_dbus_method('fetch_domains', dbus_interface=DBUS_IFACE_TRUST) + (_ret, _stdout, _stderr) = fetch_domains_method(forest_name) + except dbus.DBusException, e: + log.error('Failed to call %(iface)s.fetch_domains helper.' + 'DBus exception is %(exc)s.' % dict(iface=DBUS_IFACE_TRUST, exc=str(e))) + if _ret != 0: + log.error('Helper was called for forest %(forest)s, return code is %(ret)d' % dict(forest=forest_name, ret=_ret)) + log.error('Standard output from the helper:\n%s---\n' % (_stdout)) + log.error('Error output from the helper:\n%s--\n' % (_stderr)) + raise errors.ServerCommandError(server=myapi.env.host, + error=_('Fetching domains from trusted forest failed. ' + 'See details in the error_log')) + return @register() class trust(LDAPObject): 
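Review bot: In `fetch_trusted_domains_over_dbus()` a `dbus.DBusException` is logged but not raised, and because `_ret` is initialised to 0 before the call, the following `if _ret != 0` does not fire either, so when oddjobd is not running or the D-Bus policy denies the call the function returns normally and `trust-add` reports success with no trusted domains fetched; raise `errors.ServerCommandError` from the `except` branch as well. The early `return` when `_bindings_installed` is false fails silently for the same reason and deserves at least a log line. Two cosmetic points: the concatenated literals in `log.error('Failed to call %(iface)s.fetch_domains helper.' 'DBus exception is %(exc)s.' ...)` need a space between the two sentences, and `_ret`/`_stdout`/`_stderr` are ordinary locals that do not need the leading underscore.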
@@ -463,6 +495,12 @@ sides. .format(vals=', '.join(range_types.keys())))), values=tuple(range_types.keys()), ), + Bool('bidirectional?', + label=_('Two-way trust'), + cli_name='two_way', + doc=(_('Establish bi-directional trust. By default trust is inbound one-way only.')), + default=False, + ), ) msg_summary = _('Added Active Directory trust for realm "%(value)s"') @@ -478,7 +516,7 @@ sides. # Store the created range type, since for POSIX trusts no # ranges for the subdomains should be added, POSIX attributes # provide a global mapping across all subdomains - (created_range_type, _, _) = add_range(self, range_name, dom_sid, + (created_range_type, _, _) = add_range(self.api, range_name, dom_sid, *keys, **options) else: created_range_type = old_range['result']['iparangetype'][0] 
@@ -486,19 +524,35 @@ sides. trust_filter = "cn=%s" % result['value'] ldap = self.obj.backend (trusts, truncated) = ldap.find_entries( - base_dn=DN(api.env.container_trusts, api.env.basedn), + base_dn=DN(self.api.env.container_trusts, self.api.env.basedn), filter=trust_filter) result['result'] = entry_to_dict(trusts[0], **options) # Fetch topology of the trust forest -- we need always to do it # for AD trusts, regardless of the type of idranges associated with it - # Note that fetch_domains_from_trust will add needed ranges for + # Note that add_new_domains_from_trust will add needed ranges for # the algorithmic ID mapping case. if (options.get('trust_type') == u'ad' and options.get('trust_secret') is None): - domains = fetch_domains_from_trust(self, self.trustinstance, + if options.get('bidirectional') == True: + # Bidirectional trust allows us to use cross-realm TGT, so we can + # run the call under original user's credentials + res = fetch_domains_from_trust(self.api, self.trustinstance, result['result'], **options) + domains = add_new_domains_from_trust(self.api, self.trustinstance, + result['result'], res, **options) + else: + # One-way trust is more complex. We don't have cross-realm TGT + # and cannot use IPA principals to authenticate against AD. + # Instead, we have to use our trusted domain object's (TDO) + # account in AD. Access to the credentials is limited and IPA + # framework cannot access it directly. Instead, we call out to + # oddjobd-activated higher privilege process that will use TDO + # object credentials to authenticate to AD with Kerberos, + # run DCE RPC calls to do discovery and will call + # add_new_domains_from_trust() on its own. + fetch_trusted_domains_over_dbus(self.api, self.log, result['value']) # Format the output into human-readable values result['result']['trusttype'] = [trust_type_string( 
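Review bot: The comment in the one-way branch of `trust_add.execute()` says the oddjobd helper "will call add_new_domains_from_trust() on its own", but the helper script in this same patch reimplements that loop instead of calling the function; either the comment or (preferably) the script should change so the two stay in sync. Also `if options.get('bidirectional') == True:` reads better as `if options.get('bidirectional', False):`, which is the form the later hunk in `execute()` already uses for the same option.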
@@ -570,7 +624,7 @@ sides. # If domain name and realm does not match, IPA server is not be able # to establish trust with Active Directory. - realm_not_matching_domain = (api.env.domain.upper() != api.env.realm) + realm_not_matching_domain = (self.api.env.domain.upper() != self.api.env.realm) if options['trust_type'] == u'ad' and realm_not_matching_domain: raise errors.ValidationError( @@ -627,7 +681,7 @@ sides. range_type = options.get('range_type') try: - old_range = api.Command['idrange_show'](range_name, raw=True) + old_range = self.api.Command['idrange_show'](range_name, raw=True) except errors.NotFound: old_range = None @@ -699,6 +753,9 @@ sides. except errors.NotFound: dn = None + trust_type = TRUST_ONEWAY + if options.get('bidirectional', False): + trust_type = TRUST_BIDIRECTIONAL # 1. Full access to the remote domain. Use admin credentials and # generate random trustdom password to do work on both sides if full_join: @@ -707,14 +764,15 @@ sides. keys[-1], self.realm_server, self.realm_admin, - self.realm_passwd + self.realm_passwd, + trust_type ) except errors.NotFound: error_message=_("Unable to resolve domain controller for '%s' domain. ") % (keys[-1]) instructions=[] if dns_container_exists(self.obj.backend): try: - dns_zone = api.Command.dnszone_show(keys[-1])['result'] + dns_zone = self.api.Command.dnszone_show(keys[-1])['result'] if ('idnsforwardpolicy' in dns_zone) and dns_zone['idnsforwardpolicy'][0] == u'only': instructions.append(_("Forward policy is defined for it in IPA DNS, " "perhaps forwarder points to incorrect host?")) @@ -755,7 +813,8 @@ sides. result = self.trustinstance.join_ad_ipa_half( keys[-1], self.realm_server, - options['trust_secret'] + options['trust_secret'], + trust_type ) ret = dict( value=pkey_to_value( 
@@ -940,7 +999,7 @@ class trustconfig(LDAPObject): group, ['posixgroup'], [''], - DN(api.env.container_group, api.env.basedn)) + DN(self.api.env.container_group, self.api.env.basedn)) except errors.NotFound: self.api.Object['group'].handle_not_found(group) else: @@ -1066,11 +1125,11 @@ class adtrust_is_enabled(Command): ldap = self.api.Backend.ldap2 adtrust_dn = DN( ('cn', 'ADTRUST'), - ('cn', api.env.host), + ('cn', self.api.env.host), ('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), - api.env.basedn + self.api.env.basedn ) try: @@ -1281,7 +1340,7 @@ class trustdomain_del(LDAPDelete): raise errors.ValidationError(name='domain', error=_("cannot delete root domain of the trust, use trust-del to delete the trust itself")) try: - res = api.Command.trustdomain_enable(keys[0], domain) + res = self.api.Command.trustdomain_enable(keys[0], domain) except errors.AlreadyActive: pass result = super(trustdomain_del, self).execute(*keys, **options) @@ -1291,7 +1350,7 @@ class trustdomain_del(LDAPDelete): -def fetch_domains_from_trust(self, trustinstance, trust_entry, **options): +def fetch_domains_from_trust(myapi, trustinstance, trust_entry, **options): trust_name = trust_entry['cn'][0] creds = None password = options.get('realm_passwd', None) 
@@ -1303,16 +1362,20 @@ def fetch_domains_from_trust(self, trustinstance, trust_entry, **options): creds = u"{name}%{password}".format(name="\\".join(sp), password=password) server = options.get('realm_server', None) - domains = ipaserver.dcerpc.fetch_domains(self.api, + domains = ipaserver.dcerpc.fetch_domains(myapi, trustinstance.local_flatname, trust_name, creds=creds, server=server) + return domains + +def add_new_domains_from_trust(myapi, trustinstance, trust_entry, domains, **options): result = [] if not domains: return result - # trust range must exist by the time fetch_domains_from_trust is called + trust_name = trust_entry['cn'][0] + # trust range must exist by the time add_new_domains_from_trust is called range_name = trust_name.upper() + '_id_range' - old_range = api.Command.idrange_show(range_name, raw=True)['result'] + old_range = myapi.Command.idrange_show(range_name, raw=True)['result'] idrange_type = old_range['iparangetype'][0] for dom in domains: @@ -1325,13 +1388,13 @@ def fetch_domains_from_trust(self, trustinstance, trust_entry, **options): if 'raw' in options: dom['raw'] = options['raw'] - res = self.api.Command.trustdomain_add(trust_name, name, **dom) + res = myapi.Command.trustdomain_add(trust_name, name, **dom) result.append(res['result']) if idrange_type != u'ipa-ad-trust-posix': range_name = name.upper() + '_id_range' dom['range_type'] = u'ipa-ad-trust' - add_range(self, range_name, dom['ipanttrusteddomainsid'], + add_range(myapi, range_name, dom['ipanttrusteddomainsid'], trust_name, name, **dom) except errors.DuplicateEntry: # Ignore updating duplicate entries 
@@ -1362,6 +1425,17 @@ class trust_fetch_domains(LDAPRetrieve): ) trust = self.api.Command.trust_show(keys[0], raw=True)['result'] + result = dict() + result['result'] = [] + result['count'] = 0 + result['truncated'] = False + + # For one-way trust fetch over DBus. we don't get the list in this case. + if trust['ipanttrustdirection'] & TRUST_BIDIRECTIONAL != TRUST_BIDIRECTIONAL: + fetch_trusted_domains_over_dbus(self.api, self.log, keys[0]) + result['summary'] = unicode(_('List of trust domains successfully refreshed. Use trustdomain-find command to list them.')) + return result + trustinstance = ipaserver.dcerpc.TrustDomainJoins(self.api) if not trustinstance.configured: raise errors.NotFound( @@ -1372,8 +1446,8 @@ class trust_fetch_domains(LDAPRetrieve): 'on the IPA server first' ) ) - domains = fetch_domains_from_trust(self, trustinstance, trust) - result = dict() + res = fetch_domains_from_trust(self.api, trustinstance, trust, **options) + domains = add_new_domains_from_trust(self.api, trustinstance, trust, res, **options) if len(domains) > 0: result['summary'] = unicode(_('List of trust domains successfully refreshed')) @@ -1382,7 +1456,6 @@ class trust_fetch_domains(LDAPRetrieve): result['result'] = domains result['count'] = len(domains) - result['truncated'] = False return result @@ -1413,7 +1486,7 @@ class trustdomain_enable(LDAPQuery): trust_entry['ipantsidblacklistincoming'].remove(sid) ldap.update_entry(trust_entry) # Force MS-PAC cache re-initialization on KDC side - domval = ipaserver.dcerpc.DomainValidator(api) + domval = ipaserver.dcerpc.DomainValidator(self.api) (ccache_name, principal) = domval.kinit_as_http(keys[0]) else: raise errors.AlreadyActive() 
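Review bot: In `trust_fetch_domains.execute()`, `trust` comes from `trust_show(keys[0], raw=True)['result']`, whose attribute values are lists of strings (this patch indexes `old_range['iparangetype'][0]` for raw output elsewhere), so `trust['ipanttrustdirection'] & TRUST_BIDIRECTIONAL` will raise `TypeError` unless the attribute is converted somewhere not shown here; use `int(trust['ipanttrustdirection'][0]) & TRUST_BIDIRECTIONAL`. Add parentheses around the mask as well, `(... & TRUST_BIDIRECTIONAL) != TRUST_BIDIRECTIONAL`: Python does bind `&` tighter than `!=`, but readers coming from C will assume the opposite.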
@@ -1453,7 +1526,7 @@ class trustdomain_disable(LDAPQuery): trust_entry['ipantsidblacklistincoming'].append(sid) ldap.update_entry(trust_entry) # Force MS-PAC cache re-initialization on KDC side - domval = ipaserver.dcerpc.DomainValidator(api) + domval = ipaserver.dcerpc.DomainValidator(self.api) (ccache_name, principal) = domval.kinit_as_http(keys[0]) else: raise errors.AlreadyInactive() diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py index 753e10e..b11233d 100644 --- a/ipaserver/dcerpc.py +++ b/ipaserver/dcerpc.py @@ -66,6 +66,10 @@ The code in this module relies heavily on samba4-python package and Samba4 python bindings. """) +# Both constants can be used as masks against trust direction +# because bi-directional has two lower bits set. +TRUST_ONEWAY = 1 +TRUST_BIDIRECTIONAL = 3 def is_sid_valid(sid): try: @@ -949,7 +953,7 @@ class TrustDomainInstance(object): # We can ignore the error here -- setting up name suffix routes may fail pass - def establish_trust(self, another_domain, trustdom_secret): + def establish_trust(self, another_domain, trustdom_secret, trust_type='bidirectional'): """ Establishes trust between our and another domain Input: another_domain -- instance of TrustDomainInstance, initialized with #retrieve call @@ -967,7 +971,9 @@ class TrustDomainInstance(object): info.domain_name.string = another_domain.info['dns_domain'] info.netbios_name.string = another_domain.info['name'] info.sid = security.dom_sid(another_domain.info['sid']) - info.trust_direction = lsa.LSA_TRUST_DIRECTION_INBOUND | lsa.LSA_TRUST_DIRECTION_OUTBOUND + info.trust_direction = lsa.LSA_TRUST_DIRECTION_INBOUND + if trust_type == TRUST_BIDIRECTIONAL: + info.trust_direction |= lsa.LSA_TRUST_DIRECTION_OUTBOUND info.trust_type = lsa.LSA_TRUST_TYPE_UPLEVEL info.trust_attributes = 0 
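Review bot: `establish_trust(self, another_domain, trustdom_secret, trust_type='bidirectional')` defaults `trust_type` to the string `'bidirectional'`, but the body compares it with the integer constant `TRUST_BIDIRECTIONAL` (3), so a caller relying on the default silently gets an inbound-only trust. Make the default `trust_type=TRUST_BIDIRECTIONAL`, or drop the default altogether since both callers changed in this patch now pass the value explicitly.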
@@ -1005,7 +1011,8 @@ class TrustDomainInstance(object): pass try: - info.trust_attributes = lsa.LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE + info = self._pipe.QueryTrustedDomainInfo(trustdom_handle, lsa.LSA_TRUSTED_DOMAIN_INFO_INFO_EX) + info.trust_attributes |= lsa.LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE self._pipe.SetInformationTrustedDomain(trustdom_handle, lsa.LSA_TRUSTED_DOMAIN_INFO_INFO_EX, info) except RuntimeError, e: root_logger.error('unable to set trust to transitive: %s' % (str(e))) @@ -1014,10 +1021,10 @@ class TrustDomainInstance(object): self.update_ftinfo(another_domain) def verify_trust(self, another_domain): - def retrieve_netlogon_info_2(domain, function_code, data): + def retrieve_netlogon_info_2(logon_server, domain, function_code, data): try: netr_pipe = netlogon.netlogon(domain.binding, domain.parm, domain.creds) - result = netr_pipe.netr_LogonControl2Ex(logon_server=None, + result = netr_pipe.netr_LogonControl2Ex(logon_server=logon_server, function_code=function_code, level=2, data=data @@ -1026,7 +1033,7 @@ class TrustDomainInstance(object): except RuntimeError, (num, message): raise assess_dcerpc_exception(num=num, message=message) - result = retrieve_netlogon_info_2(self, + result = retrieve_netlogon_info_2(None, self, netlogon.NETLOGON_CONTROL_TC_VERIFY, another_domain.info['dns_domain']) if (result and (result.flags and netlogon.NETLOGON_VERIFY_STATUS_RETURNED)): @@ -1098,6 +1105,7 @@ def fetch_domains(api, mydomain, trustdomain, creds=None, server=None): td.info['dc'] = unicode(result.pdc_dns_name) if creds is None: + # Attempt to authenticate as HTTP/ipa.master and use cross-forest trust domval = DomainValidator(api) (ccache_name, principal) = domval.kinit_as_http(trustdomain) td.creds = credentials.Credentials() 
@@ -1107,7 +1115,15 @@ def fetch_domains(api, mydomain, trustdomain, creds=None, server=None): td.creds.guess(td.parm) td.creds.set_workstation(domain_validator.flatname) domains = communicate(td) + elif type(creds) is bool: + # Rely on existing Kerberos credentials in the environment + td.creds = credentials.Credentials() + td.creds.set_kerberos_state(credentials.MUST_USE_KERBEROS) + td.creds.guess(td.parm) + td.creds.set_workstation(domain_validator.flatname) + domains = communicate(td) else: + # Assume we've got credentials as a string user%password td.creds = credentials.Credentials() td.creds.set_kerberos_state(credentials.DONT_USE_KERBEROS) td.creds.guess(td.parm) @@ -1220,7 +1236,7 @@ class TrustDomainJoins(object): ftinfo['rec_type'] = lsa.LSA_FOREST_TRUST_TOP_LEVEL_NAME self.local_domain.ftinfo_records.append(ftinfo) - def join_ad_full_credentials(self, realm, realm_server, realm_admin, realm_passwd): + def join_ad_full_credentials(self, realm, realm_server, realm_admin, realm_passwd, trust_type): if not self.configured: return None 
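Review bot: The new `elif type(creds) is bool:` branch in `fetch_domains()` overloads a parameter that otherwise carries a `user%password` string with `True` meaning "use the Kerberos credentials already in KRB5CCNAME", and the helper script calls it as `creds=True` with no comment. A dedicated keyword (for example `use_ccache=True`) would make the intent visible at the call site; failing that, use `isinstance(creds, bool)` and document the three accepted forms of `creds` in the function's docstring.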
@@ -1238,13 +1254,17 @@ class TrustDomainJoins(object): if not self.remote_domain.read_only: trustdom_pass = samba.generate_random_password(128, 128) self.get_realmdomains() - self.remote_domain.establish_trust(self.local_domain, trustdom_pass) - self.local_domain.establish_trust(self.remote_domain, trustdom_pass) - result = self.remote_domain.verify_trust(self.local_domain) + self.remote_domain.establish_trust(self.local_domain, trustdom_pass, trust_type) + self.local_domain.establish_trust(self.remote_domain, trustdom_pass, trust_type) + # if trust is inbound, we don't need to verify it because AD DC will respond + # with WERR_NO_SUCH_DOMAIN -- in only does verification for outbound trusts. + result = True + if trust_type == TRUST_BIDIRECTIONAL: + result = self.remote_domain.verify_trust(self.local_domain) return dict(local=self.local_domain, remote=self.remote_domain, verified=result) return None - def join_ad_ipa_half(self, realm, realm_server, trustdom_passwd): + def join_ad_ipa_half(self, realm, realm_server, trustdom_passwd, trust_type): if not self.configured: return None @@ -1254,5 +1274,5 @@ class TrustDomainJoins(object): if self.remote_domain.info['dns_domain'] != self.remote_domain.info['dns_forest']: raise errors.NotAForestRootError(forest=self.remote_domain.info['dns_forest'], domain=self.remote_domain.info['dns_domain']) - self.local_domain.establish_trust(self.remote_domain, trustdom_passwd) + self.local_domain.establish_trust(self.remote_domain, trustdom_passwd, trust_type) return dict(local=self.local_domain, remote=self.remote_domain, verified=False) -- 2.4.3 -------------- next part -------------- From 1494495fbfdc1c7d14f05825a437e0020c2b5f94 Mon Sep 17 00:00:00 2001 
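Review bot: In `join_ad_full_credentials()` the one-way branch sets `result = True` and returns it as `verified=True` although no `verify_trust()` call was made; the comment explains why verification cannot happen for an inbound-only trust, so report that honestly (`verified=False`, as `join_ad_ipa_half()` already does, or a separate value) rather than presenting an unverified trust as verified. The same comment has a typo: "in only does verification for outbound trusts" should be "it only does verification for outbound trusts".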
From: Alexander Bokovoy Date: Fri, 5 Jun 2015 15:31:32 +0000 Subject: [PATCH 09/11] ipa-pwd-extop: expand error message to tell what user is not allowed to fetch keytab When retrieving keytab, it is useful to know what user was attempting to fetch the keyts and failed. This is useful to debug one-way trust where SSSD forks out a process of ipa-getkeytab and it might be using a wrong credentials cache for authentication purposes. Part of https://fedorahosted.org/freeipa/ticket/4959 --- daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c index 09c877f..dc657cc 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c @@ -1612,8 +1612,8 @@ static int ipapwd_getkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg) READKEYS_OP_CHECK, NULL, SLAPI_ACL_READ); if (!acl_ok) { - LOG_FATAL("Not allowed to retrieve keytab on [%s]!\n", - service_name); + LOG_FATAL("Not allowed to retrieve keytab on [%s] as user [%s]!\n", + service_name, bind_dn); err_msg = "Insufficient access rights\n"; rc = LDAP_INSUFFICIENT_ACCESS; goto free_and_return; -- 2.4.3 -------------- next part -------------- From 992b5dbd372c3c7b2cb7ff7a3713810e3f59515e Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Fri, 5 Jun 2015 17:56:12 +0000 Subject: [PATCH 10/11] trusts: add ACIs to allow AD trust agents to fetch cross-realm keytabs Part of https://fedorahosted.org/freeipa/ticket/4959 --- install/updates/60-trusts.update | 1 + 1 file changed, 1 insertion(+) diff --git a/install/updates/60-trusts.update b/install/updates/60-trusts.update index d11c765..df9468e 100644 --- a/install/updates/60-trusts.update +++ b/install/updates/60-trusts.update 
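Review bot: in the ipa_pwd_extop.c hunk of PATCH 09, bind_dn is now handed to a `%s` conversion; confirm it cannot be NULL on this path (an anonymous bind or a SASL-mapped bind may leave it unset depending on how it was fetched), because a NULL argument to `%s` is undefined behaviour in the log call. A fallback such as `bind_dn ? bind_dn : "(anonymous)"` keeps the extra diagnostic safe. Keeping the client-facing err_msg at the generic "Insufficient access rights" while the identity goes only to the server log is the right split.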
@@ -27,6 +27,7 @@ default: cn: trusts # 1. cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX can manage trusts, to allow modification via CIFS # 2. cn=trust admins,cn=groups,cn=accounts,$SUFFIX can manage trusts (via ipa tools) dn: cn=trusts,$SUFFIX +add:aci: (targetattr="ipaProtectedOperation;read_keys")(version 3.0; acl "Allow trust agents to retrieve keytab keys for cross realm principals"; allow(read) userattr="ipaAllowedToPerform;read_keys#GROUPDN";) add:aci: (target = "ldap:///cn=trusts,$SUFFIX")(targetattr = "ipaNTTrustType || ipaNTTrustAttributes || ipaNTTrustDirection || ipaNTTrustPartner || ipaNTFlatName || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming || ipaNTSecurityIdentifier || ipaNTTrustForestTrustInfo || ipaNTTrustPosixOffset || ipaNTSupportedEncryptionTypes || krbPrincipalName || krbLastPwdChange || krbTicketFlags || krbLoginFailedCount || krbExtraData || krbPrincipalKey")(version 3.0;acl "Allow trust system user to create and delete trust accounts and cross realm principals"; allow (read,write,add,delete) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";) replace:aci:(target = "ldap:///cn=trusts,$SUFFIX")(targetattr = "ipaNTTrustType || ipaNTTrustAttributes || ipaNTTrustDirection || ipaNTTrustPartner || ipaNTFlatName || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming || ipaNTSecurityIdentifier || ipaNTTrustForestTrustInfo || ipaNTTrustPosixOffset || ipaNTSupportedEncryptionTypes || krbPrincipalName || krbLastPwdChange || krbTicketFlags || krbLoginFailedCount || krbExtraData || krbPrincipalKey")(version 3.0;acl "Allow trust system user to create and delete trust accounts and cross realm principals"; allow (read,write,add,delete) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)::(target = "ldap:///cn=trusts,$SUFFIX")(targetattr = "ipaNTTrustType || ipaNTTrustAttributes || ipaNTTrustDirection || ipaNTTrustPartner || ipaNTFlatName || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming || ipaNTSecurityIdentifier || 
ipaNTTrustForestTrustInfo || ipaNTTrustPosixOffset || ipaNTSupportedEncryptionTypes || ipaNTSIDBlacklistIncoming || ipaNTSIDBlacklistOutgoing || krbPrincipalName || krbLastPwdChange || krbTicketFlags || krbLoginFailedCount || krbExtraData || krbPrincipalKey")(version 3.0;acl "Allow trust system user to create and delete trust accounts and cross realm principals"; allow (read,write,add,delete) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";) replace:aci:(target = "ldap:///cn=trusts,$SUFFIX")(targetattr = "ipaNTTrustType || ipaNTTrustAttributes || ipaNTTrustDirection || ipaNTTrustPartner || ipaNTFlatName || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming || ipaNTSecurityIdentifier || ipaNTTrustForestTrustInfo || ipaNTTrustPosixOffset || ipaNTSupportedEncryptionTypes")(version 3.0;acl "Allow trust admins manage trust accounts"; allow (read,write,add,delete) groupdn="ldap:///cn=trust admins,cn=groups,cn=accounts,$SUFFIX";)::(target = "ldap:///cn=trusts,$SUFFIX")(targetattr = "ipaNTTrustType || ipaNTTrustAttributes || ipaNTTrustDirection || ipaNTTrustPartner || ipaNTFlatName || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming || ipaNTSecurityIdentifier || ipaNTTrustForestTrustInfo || ipaNTTrustPosixOffset || ipaNTSupportedEncryptionTypes || ipaNTSIDBlacklistIncoming || ipaNTSIDBlacklistOutgoing")(version 3.0;acl "Allow trust admins manage trust accounts"; allow (read,write,add,delete) groupdn="ldap:///cn=trust admins,cn=groups,cn=accounts,$SUFFIX";) -- 2.4.3 -------------- next part -------------- From 3628ba9002bbea9c94f2a89c11ba3740bff64882 Mon Sep 17 00:00:00 2001 
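Review bot: the new ACI in the 60-trusts.update hunk grants read on ipaProtectedOperation;read_keys only to whatever group DN is listed in the entry's own ipaAllowedToPerform;read_keys attribute (userattr ... #GROUPDN); nothing in this patch writes cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX into that attribute on the cross-realm principal entries, so the ACI is inert until some other change populates it. Say in the commit message where that happens (trust-add, the oddjob helper, or a later patch). Also note that, without a (target=...) clause, the ACI applies to every entry under cn=trusts,$SUFFIX; that appears intended, but the acl name should make the scope explicit.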
From: Alexander Bokovoy Date: Mon, 6 Jul 2015 14:46:24 +0000 Subject: [PATCH 11/11] trust: support retrieving POSIX IDs with one-way trust during trust-add With one-way trust we cannot rely on cross-realm TGT as there will be none. Thus, if we have AD administrator credentials we should reuse them. Additionally, such use should be done over Kerberos. Fixes: https://fedorahosted.org/freeipa/ticket/4960 https://fedorahosted.org/freeipa/ticket/4959 --- install/oddjob/com.redhat.idm.trust-fetch-domains | 4 +- ipalib/plugins/trust.py | 65 ++++++++++++++---- ipaserver/dcerpc.py | 83 ++++++++++++++++++----- 3 files changed, 119 insertions(+), 33 deletions(-) diff --git a/install/oddjob/com.redhat.idm.trust-fetch-domains b/install/oddjob/com.redhat.idm.trust-fetch-domains index 2571dd0..85e3cc9 100755 --- a/install/oddjob/com.redhat.idm.trust-fetch-domains +++ b/install/oddjob/com.redhat.idm.trust-fetch-domains @@ -186,7 +186,9 @@ if domains: if idrange_type != u'ipa-ad-trust-posix': range_name = name.upper() + '_id_range' dom['range_type'] = u'ipa-ad-trust' - trust.add_range(range_name, dom['ipanttrusteddomainsid'], + # Do not pass ipaserver.dcerpc.TrustInstance to trust.add_range + # to force it using existing credentials cache + trust.add_range(None, range_name, dom['ipanttrusteddomainsid'], trusted_domain, name, **dom) except errors.DuplicateEntry: # Ignore updating duplicate entries diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py index 9fbaf25..196df59 100644 --- a/ipalib/plugins/trust.py +++ b/ipalib/plugins/trust.py @@ -166,6 +166,9 @@ DEFAULT_RANGE_SIZE = 200000 DBUS_IFACE_TRUST = 'com.redhat.idm.trust' +CRED_STYLE_SAMBA = 1 +CRED_STYLE_KERBEROS = 2 + def trust_type_string(level): """ Returns a string representing a type of the trust. The original field is an enum: 
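Review bot: in the com.redhat.idm.trust-fetch-domains hunk, `trust.add_range(None, range_name, dom['ipanttrusteddomainsid'], trusted_domain, name, **dom)` does not match the new signature `add_range(myapi, trustinstance, range_name, dom_sid, *keys, **options)` introduced by this patch: None lands in myapi, range_name becomes trustinstance, the SID becomes range_name and every positional key shifts by one, so `DomainValidator(myapi)` is built from None. The comment says the intent is to pass no TrustInstance, so the call should be `trust.add_range(api, None, range_name, dom['ipanttrusteddomainsid'], trusted_domain, name, **dom)`.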
@@ -196,7 +199,44 @@ def make_trust_dn(env, trust_type, dn): return DN(dn, container_dn) return dn -def add_range(myapi, range_name, dom_sid, *keys, **options): +def generate_creds(trustinstance, style, **options): + """ + Generate string representing credentials using trust instance + Input: + trustinstance -- ipaserver.dcerpc.TrustInstance object + style -- style of credentials + CRED_STYLE_SAMBA -- for using with Samba bindings + CRED_STYLE_KERBEROS -- for obtaining Kerberos ticket + **options -- options with realm_admin and realm_passwd keys + + Result: + a string representing credentials with first % separating username and password + None is returned if realm_passwd key returns nothing from options + """ + creds = None + password = options.get('realm_passwd', None) + if password: + admin_name = options.get('realm_admin') + sp = [] + sep = '@' + if style == CRED_STYLE_SAMBA: + sep = "\\" + sp = admin_name.split(sep) + if len(sp) == 1: + sp.insert(0, trustinstance.remote_domain.info['name']) + elif style == CRED_STYLE_KERBEROS: + sp = admin_name.split('\\') + if len(sp) > 1: + sp = [sp[1]] + else: + sp = admin_name.split(sep) + if len(sp) == 1: + sp.append(trustinstance.remote_domain.info['dns_forest'].upper()) + creds = u"{name}%{password}".format(name=sep.join(sp), + password=password) + return creds + +def add_range(myapi, trustinstance, range_name, dom_sid, *keys, **options): """ First, we try to derive the parameters of the ID range based on the information contained in the Active Directory. 
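Review bot: generate_creds calls `admin_name.split(...)` as soon as realm_passwd is set, so a password supplied without realm_admin raises AttributeError instead of a validation error; guard with `if password and admin_name:` or raise errors.RequirementError. Also, in the CRED_STYLE_KERBEROS branch a `DOMAIN\user` name drops DOMAIN and appends `dns_forest`, so the operator is always kinit'ed against the forest root realm whatever domain they typed; if only forest-root accounts are supported, state that in the docstring, otherwise map the NetBIOS name to its realm rather than discarding it.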
@@ -236,6 +276,12 @@ def add_range(myapi, range_name, dom_sid, *keys, **options): 'domain configured. Make sure you have run ' 'ipa-adtrust-install on the IPA server first')) + creds = None + if trustinstance: + # Re-use AD administrator credentials if they were provided + creds = generate_creds(trustinstance, style=CRED_STYLE_KERBEROS, **options) + if creds: + domain_validator._admin_creds = creds # KDC might not get refreshed data at the first time, # retry several times for retry in range(10): @@ -516,7 +562,8 @@ sides. # Store the created range type, since for POSIX trusts no # ranges for the subdomains should be added, POSIX attributes # provide a global mapping across all subdomains - (created_range_type, _, _) = add_range(self.api, range_name, dom_sid, + (created_range_type, _, _) = add_range(self.api, self.trustinstance, + range_name, dom_sid, *keys, **options) else: created_range_type = old_range['result']['iparangetype'][0] @@ -1348,19 +1395,9 @@ class trustdomain_del(LDAPDelete): return result - - def fetch_domains_from_trust(myapi, trustinstance, trust_entry, **options): trust_name = trust_entry['cn'][0] - creds = None - password = options.get('realm_passwd', None) - if password: - admin_name = options.get('realm_admin') - sp = admin_name.split('\\') - if len(sp) == 1: - sp.insert(0, trustinstance.remote_domain.info['name']) - creds = u"{name}%{password}".format(name="\\".join(sp), - password=password) + creds = generate_creds(trustinstance, style=CRED_STYLE_SAMBA, **options) server = options.get('realm_server', None) domains = ipaserver.dcerpc.fetch_domains(myapi, trustinstance.local_flatname, 
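Review bot: in the add_range hunk, `domain_validator._admin_creds = creds` pokes a private attribute of DomainValidator from another module (the fetch_domains hunk in dcerpc.py in this patch does the same); give DomainValidator a constructor argument or a small setter so credential handling stays inside the class and the string carrying the cleartext AD password has one owner responsible for its lifetime.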
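Review bot: in the fetch_domains_from_trust hunk the credentials are built with style=CRED_STYLE_SAMBA (`DOMAIN\user%password`), but the dcerpc.py hunks in this same patch remove the DONT_USE_KERBEROS/parse_string branch from fetch_domains and hand any non-bool creds string to kinit_as_administrator, which splits on `%` and runs kinit on `DOMAIN\user`; kinit will not parse that as user@REALM. Unless a Samba-style consumer remains that is not visible here, this should be CRED_STYLE_KERBEROS, as add_range already uses.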
@@ -1394,7 +1431,7 @@ def add_new_domains_from_trust(myapi, trustinstance, trust_entry, domains, **opt if idrange_type != u'ipa-ad-trust-posix': range_name = name.upper() + '_id_range' dom['range_type'] = u'ipa-ad-trust' - add_range(myapi, range_name, dom['ipanttrusteddomainsid'], + add_range(myapi, trustinstance, range_name, dom['ipanttrusteddomainsid'], trust_name, name, **dom) except errors.DuplicateEntry: # Ignore updating duplicate entries diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py index b11233d..bc75a60 100644 --- a/ipaserver/dcerpc.py +++ b/ipaserver/dcerpc.py @@ -151,6 +151,7 @@ class DomainValidator(object): self._domains = None self._info = dict() self._creds = None + self._admin_creds = None self._parm = None def is_configured(self): 
@@ -565,6 +566,52 @@ class DomainValidator(object): % (stdout, stderr)) return (None, None) + def kinit_as_administrator(self, domain): + """ + Initializes ccache with http service credentials. + + Applies session code defaults for ccache directory and naming prefix. + Session code uses krbccache_prefix+, we use + krbccache_prefix++ so there is no clash. + + Returns tuple (ccache path, principal) where (None, None) signifes an + error on ccache initialization + """ + + if self._admin_creds == None: + return (None, None) + + domain_suffix = domain.replace('.', '-') + + ccache_name = "%sTDA%s" % (krbccache_prefix, domain_suffix) + ccache_path = os.path.join(krbccache_dir, ccache_name) + + (principal, password) = self._admin_creds.split('%', 1) + + # Destroy the contents of the ccache + root_logger.debug('Destroying the contents of the separate ccache') + + (stdout, stderr, returncode) = ipautil.run( + [paths.KDESTROY, '-A', '-c', ccache_path], + env={'KRB5CCNAME': ccache_path}, + raiseonerr=False) + + # Destroy the contents of the ccache + root_logger.debug('Running kinit with credentials of AD administrator') + + (stdout, stderr, returncode) = ipautil.run( + [paths.KINIT, principal], + env={'KRB5CCNAME': ccache_path}, + stdin=password, + raiseonerr=False) + + if returncode == 0: + return (ccache_path, principal) + else: + root_logger.debug('Kinit failed, stout: %s, stderr: %s' + % (stdout, stderr)) + return (None, None) + def search_in_dc(self, domain, filter, attrs, scope, basedn=None, quiet=False): """ @@ -597,7 +644,8 @@ class DomainValidator(object): Returns LDAP result or None. """ - (ccache_name, principal) = self.kinit_as_http(info['dns_domain']) + if self._admin_creds: + (ccache_name, principal) = self.kinit_as_administrator(info['dns_domain']) if ccache_name: with ipautil.private_ccache(path=ccache_name): 
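Review bot: in the kinit_as_administrator hunk the AD administrator's TGT is written to a per-domain file under krbccache_dir and the only kdestroy runs before the kinit; nothing here removes the ccache when the operation completes, so unless private_ccache in the callers deletes the path on exit, the administrator ticket stays on the IPA server until it expires. Destroy it once the calling operation is done and say so in the docstring. Smaller points in the same hunk: the docstring still says "Initializes ccache with http service credentials" (copied from kinit_as_http), the second "Destroy the contents of the ccache" comment sits above the kinit call, `self._admin_creds == None` should be `is None`, and "stout" in the debug message. Passing the password on stdin rather than argv is the right choice.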
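Review bot: the search_in_dc hunk removes the unconditional `(ccache_name, principal) = self.kinit_as_http(info['dns_domain'])` and assigns the pair only inside `if self._admin_creds:`; on the normal two-way path with no admin credentials, `ccache_name` is never bound and the following `if ccache_name:` raises UnboundLocalError. Keep the HTTP path as the else branch: `else: (ccache_name, principal) = self.kinit_as_http(info['dns_domain'])`.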
@@ -1104,10 +1152,24 @@ def fetch_domains(api, mydomain, trustdomain, creds=None, server=None): raise assess_dcerpc_exception(message=str(e)) td.info['dc'] = unicode(result.pdc_dns_name) - if creds is None: + if type(creds) is bool: + # Rely on existing Kerberos credentials in the environment + td.creds = credentials.Credentials() + td.creds.set_kerberos_state(credentials.MUST_USE_KERBEROS) + td.creds.guess(td.parm) + td.creds.set_workstation(domain_validator.flatname) + domains = communicate(td) + else: # Attempt to authenticate as HTTP/ipa.master and use cross-forest trust + # or as passed-in user in case of a one-way trust domval = DomainValidator(api) - (ccache_name, principal) = domval.kinit_as_http(trustdomain) + ccache_name = None + principal = None + if creds: + domval._admin_creds = creds + (ccache_name, principal) = domval.kinit_as_administrator(trustdomain) + else: + (ccache_name, principal) = domval.kinit_as_http(trustdomain) td.creds = credentials.Credentials() td.creds.set_kerberos_state(credentials.MUST_USE_KERBEROS) if ccache_name: 
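Review bot: in the fetch_domains hunk `type(creds) is bool` sends `creds=False` down the "existing Kerberos credentials" path together with True, while the else branch already treats a falsy creds as "authenticate as HTTP/ipa.master"; unless False is meant as an explicit opt-in, test `creds is True` so the three cases are unambiguous, and document the accepted values of creds (None, True, 'user@REALM%password') on fetch_domains now that their meaning has changed.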
@@ -1115,21 +1177,6 @@ def fetch_domains(api, mydomain, trustdomain, creds=None, server=None): td.creds.guess(td.parm) td.creds.set_workstation(domain_validator.flatname) domains = communicate(td) - elif type(creds) is bool: - # Rely on existing Kerberos credentials in the environment - td.creds = credentials.Credentials() - td.creds.set_kerberos_state(credentials.MUST_USE_KERBEROS) - td.creds.guess(td.parm) - td.creds.set_workstation(domain_validator.flatname) - domains = communicate(td) - else: - # Assume we've got credentials as a string user%password - td.creds = credentials.Credentials() - td.creds.set_kerberos_state(credentials.DONT_USE_KERBEROS) - td.creds.guess(td.parm) - td.creds.parse_string(creds) - td.creds.set_workstation(domain_validator.flatname) - domains = communicate(td) if domains is None: return None -- 2.4.3 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 473 bytes Desc: not available URL: From abokovoy at redhat.com Tue Jul 7 10:57:29 2015 
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Tue, 7 Jul 2015 13:57:29 +0300 Subject: [Freeipa-devel] [PATCH] 0180-0190 oneway trust and other trust-related patches In-Reply-To: <20150707103524.GV11876@redhat.com> References: <20150707103524.GV11876@redhat.com> Message-ID: <20150707105729.GA21928@redhat.com> On Tue, 07 Jul 2015, Alexander Bokovoy wrote: > Hi, > > attached are patches to introduce one-way trust support and few more to > fix currently outstanding trust-related bugs. > > More details are in the commit messages. > > For oddjobd-activated helper, if you want to test the one-way trust > setup, you need to put SELinux into permissive. We have bugs for both > Fedora and RHEL to add the policy > (https://bugzilla.redhat.com/show_bug.cgi?id=1238163 for RHEL7), it is > in works. Attached is a rebase of two patches that modified VERSION as it conflicted with last minute push that Tomas did. -- / Alexander Bokovoy -------------- next part -------------- From 07bd53b528abd39aac6f11f47eec38ff5a73c5e3 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Thu, 28 May 2015 11:49:58 +0000 Subject: [PATCH 05/11] trusts: pass AD DC hostname if specified explicitly Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1222047 --- API.txt | 3 ++- VERSION | 4 ++-- ipalib/plugins/trust.py | 9 ++++++++- ipaserver/dcerpc.py | 10 +++++++--- 4 files changed, 19 insertions(+), 7 deletions(-) diff --git a/API.txt b/API.txt index 99fa528..a76458b 100644 --- a/API.txt +++ b/API.txt 
@@ -4998,10 +4998,11 @@ output: Output('result', , None) output: Output('summary', (, ), None) output: ListOfPrimaryKeys('value', None, None) command: trust_fetch_domains -args: 1,4,4 +args: 1,5,4 arg: Str('cn', attribute=True, cli_name='realm', multivalue=False, primary_key=True, query=True, required=True) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('realm_server?', cli_name='server') option: Flag('rights', autofill=True, default=False) option: Str('version?', exclude='webui') output: Output('count', , None) diff --git a/VERSION b/VERSION index 2d9ad26..bf68be2 100644 --- a/VERSION +++ b/VERSION @@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000 # # ######################################################## IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=139 -# Last change: edewata - added ipaVaultPublicKey attribute +IPA_API_VERSION_MINOR=140 +# Last change: ab - trusts: pass AD DC hostname if specified explicitly diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py index 5b884ca..13ac52d 100644 --- a/ipalib/plugins/trust.py +++ b/ipalib/plugins/trust.py @@ -1302,9 +1302,10 @@ def fetch_domains_from_trust(self, trustinstance, trust_entry, **options): sp.insert(0, trustinstance.remote_domain.info['name']) creds = u"{name}%{password}".format(name="\\".join(sp), password=password) + server = options.get('realm_server', None) domains = ipaserver.dcerpc.fetch_domains(self.api, trustinstance.local_flatname, - trust_name, creds=creds) + trust_name, creds=creds, server=server) result = [] if not domains: return result 
@@ -1342,6 +1343,12 @@ class trust_fetch_domains(LDAPRetrieve): __doc__ = _('Refresh list of the domains associated with the trust') has_output = output.standard_list_of_entries + takes_options = LDAPRetrieve.takes_options + ( + Str('realm_server?', + cli_name='server', + label=_('Domain controller for the Active Directory domain (optional)'), + ), + ) def execute(self, *keys, **options): if not _bindings_installed: diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py index 725b2cd..753e10e 100644 --- a/ipaserver/dcerpc.py +++ b/ipaserver/dcerpc.py @@ -1046,7 +1046,7 @@ class TrustDomainInstance(object): return False -def fetch_domains(api, mydomain, trustdomain, creds=None): +def fetch_domains(api, mydomain, trustdomain, creds=None, server=None): trust_flags = dict( NETR_TRUST_FLAG_IN_FOREST = 0x00000001, NETR_TRUST_FLAG_OUTBOUND = 0x00000002, @@ -1087,8 +1087,12 @@ def fetch_domains(api, mydomain, trustdomain, creds=None): cr.set_workstation(domain_validator.flatname) netrc = net.Net(creds=cr, lp=td.parm) try: - result = netrc.finddc(domain=trustdomain, - flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS) + if server: + result = netrc.finddc(address=server, + flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS) + else: + result = netrc.finddc(domain=trustdomain, + flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS) except RuntimeError, e: raise assess_dcerpc_exception(message=str(e)) -- 2.4.3 -------------- next part -------------- From 850566818840e5aa37a08ff0cc50d503d78c3b63 Mon Sep 17 00:00:00 2001 
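Review bot: in the dcerpc.py hunk, when an explicit server is given, `netrc.finddc(address=server, ...)` is taken at face value and the result is never checked against trustdomain, so a mistyped or wrong host lets the rest of fetch_domains continue with whatever domain that DC answers for. After a successful lookup compare `result.dns_domain` (case-insensitively) with trustdomain and raise a clear error on mismatch; it is also worth saying in the commit message that --server bypasses DC discovery.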
From: Alexander Bokovoy Date: Fri, 5 Jun 2015 12:57:02 +0000 Subject: [PATCH 08/11] trusts: add support for one-way trust and switch to it by default One-way trust is the default now, use 'trust add --two-way ' to force bidirectional trust https://fedorahosted.org/freeipa/ticket/4959 In case of one-way trust we cannot authenticate using cross-realm TGT against an AD DC. We have to use trusted domain object from within AD domain and access to this object is limited to avoid compromising the whole trust configuration. Instead, IPA framework can call out to oddjob daemon and ask it to run the script which can have access to the TDO object. This script (com.redhat.idm.trust-fetch-domains) is using cifs/ipa.master principal to retrieve TDO object credentials from IPA LDAP if needed and then authenticate against AD DCs using the TDO object credentials. The script pulls the trust topology out of AD DCs and updates IPA LDAP store. Then IPA framework can pick the updated data from the IPA LDAP under normal access conditions. Part of https://fedorahosted.org/freeipa/ticket/4546 --- API.txt | 3 +- VERSION | 4 +- freeipa.spec.in | 14 +- install/Makefile.am | 1 + install/configure.ac | 1 + install/oddjob/Makefile.am | 28 +++ install/oddjob/com.redhat.idm.trust-fetch-domains | 198 +++++++++++++++++++++ .../etc/dbus-1/system.d/oddjob-ipa-trust.conf | 40 +++++ .../etc/oddjobd.conf.d/oddjobd-ipa-trust.conf | 21 +++ ipalib/plugins/trust.py | 141 +++++++++++---- ipaserver/dcerpc.py | 44 +++-- 11 files changed, 443 insertions(+), 52 deletions(-) create mode 100644 install/oddjob/Makefile.am create mode 100755 install/oddjob/com.redhat.idm.trust-fetch-domains create mode 100644 install/oddjob/etc/dbus-1/system.d/oddjob-ipa-trust.conf create mode 100644 install/oddjob/etc/oddjobd.conf.d/oddjobd-ipa-trust.conf diff --git a/API.txt b/API.txt index a76458b..5108bed 100644 --- a/API.txt +++ b/API.txt 
@@ -4971,11 +4971,12 @@ arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=Tr option: Str('version?', exclude='webui') output: Output('result', None, None) command: trust_add -args: 1,13,3 +args: 1,14,3 arg: Str('cn', attribute=True, cli_name='realm', multivalue=False, primary_key=True, required=True) option: Str('addattr*', cli_name='addattr', exclude='webui') option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Int('base_id?', cli_name='base_id') +option: Bool('bidirectional?', cli_name='two_way', default=False) option: Int('range_size?', cli_name='range_size') option: StrEnum('range_type?', cli_name='range_type', values=(u'ipa-ad-trust-posix', u'ipa-ad-trust')) option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') diff --git a/VERSION b/VERSION index bf68be2..e7f087e 100644 --- a/VERSION +++ b/VERSION @@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000 # # ######################################################## IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=140 -# Last change: ab - trusts: pass AD DC hostname if specified explicitly +IPA_API_VERSION_MINOR=141 +# Last change: ab - trusts: add support for one-way trust and switch to it by default diff --git a/freeipa.spec.in b/freeipa.spec.in index 8fee33b..415a875 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -205,6 +205,7 @@ Requires: samba >= %{samba_version} Requires: samba-winbind Requires: libsss_idmap Requires: libsss_nss_idmap-python +Requires: oddjob %if (0%{?fedora} >= 22) Requires: python-sss %endif 
@@ -583,6 +584,8 @@ fi %post server-trust-ad %{_sbindir}/update-alternatives --install %{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so \ winbind_krb5_locator.so /dev/null 90 +/bin/systemctl reload-or-try-restart dbus +/bin/systemctl reload-or-try-restart oddjobd %posttrans server-trust-ad python2 -c "import sys; from ipaserver.install import installutils; sys.exit(0 if installutils.is_ipa_configured() else 1);" > /dev/null 2>&1 @@ -595,6 +598,8 @@ fi %preun server-trust-ad if [ $1 -eq 0 ]; then %{_sbindir}/update-alternatives --remove winbind_krb5_locator.so /dev/null + /bin/systemctl reload-or-try-restart dbus + /bin/systemctl reload-or-try-restart oddjobd fi %endif # ONLY_CLIENT @@ -832,6 +837,9 @@ fi %attr(755,root,root) %{plugin_dir}/libipa_otp_counter.so %attr(755,root,root) %{plugin_dir}/libipa_otp_lasttoken.so %attr(755,root,root) %{plugin_dir}/libtopology.so +%attr(755,root,root) %{plugin_dir}/libipa_sidgen.so +%attr(755,root,root) %{plugin_dir}/libipa_sidgen_task.so +%attr(755,root,root) %{plugin_dir}/libipa_extdom_extop.so %dir %{_localstatedir}/lib/ipa %attr(700,root,root) %dir %{_localstatedir}/lib/ipa/backup %attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysrestore @@ -866,15 +874,15 @@ fi %files server-trust-ad %{_sbindir}/ipa-adtrust-install -%attr(755,root,root) %{plugin_dir}/libipa_extdom_extop.so %{_usr}/share/ipa/smb.conf.empty %attr(755,root,root) %{_libdir}/samba/pdb/ipasam.so -%attr(755,root,root) %{plugin_dir}/libipa_sidgen.so -%attr(755,root,root) %{plugin_dir}/libipa_sidgen_task.so %{_mandir}/man1/ipa-adtrust-install.1.gz %{python_sitelib}/ipaserver/dcerpc* %{python_sitelib}/ipaserver/install/adtrustinstance* %ghost %{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so +%{_sysconfdir}/dbus-1/system.d/oddjob-ipa-trust.conf +%{_sysconfdir}/oddjobd.conf.d/oddjobd-ipa-trust.conf +%%attr(755,root,root) %{_libexecdir}/ipa/com.redhat.idm.trust-fetch-domains %endif # ONLY_CLIENT 
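Review bot: in the %files server-trust-ad hunk, `%%attr(755,root,root) %{_libexecdir}/ipa/com.redhat.idm.trust-fetch-domains` uses a doubled percent, the spec escape for a literal `%`, while the neighbouring entries use `%attr`; make it `%attr(755,root,root)` so the directive is applied the same way as the others. The move of libipa_sidgen.so, libipa_sidgen_task.so and libipa_extdom_extop.so from server-trust-ad into the server package is unrelated to one-way trust and deserves a sentence in the commit message.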
diff --git a/install/Makefile.am b/install/Makefile.am index c07f571..ac52ad3 100644 --- a/install/Makefile.am +++ b/install/Makefile.am @@ -17,6 +17,7 @@ SUBDIRS = \ po \ restart_scripts \ wsgi \ + oddjob \ $(NULL) install-exec-local: diff --git a/install/configure.ac b/install/configure.ac index 57f4219..cf19758 100644 --- a/install/configure.ac +++ b/install/configure.ac @@ -103,6 +103,7 @@ AC_CONFIG_FILES([ po/Makefile restart_scripts/Makefile wsgi/Makefile + oddjob/Makefile ]) AC_OUTPUT diff --git a/install/oddjob/Makefile.am b/install/oddjob/Makefile.am new file mode 100644 index 0000000..9dde10c --- /dev/null +++ b/install/oddjob/Makefile.am @@ -0,0 +1,28 @@ +NULL = + +oddjobdir = $(libexecdir)/ipa +oddjobconfdir = $(sysconfdir)/oddjobd.conf.d +dbusconfdir = $(sysconfdir)/dbus-1/system.d + +oddjob_SCRIPTS = \ + com.redhat.idm.trust-fetch-domains \ + $(NULL) + +dbusconf_DATA = \ + etc/dbus-1/system.d/oddjob-ipa-trust.conf \ + $(NULL) + +oddjobconf_DATA = \ + etc/oddjobd.conf.d/oddjobd-ipa-trust.conf \ + $(NULL) + + +#EXTRA_DIST = \ +# $(oddjob_SCRIPTS) \ +# $(dbusconf_DATA) \ +# $(oddjobconf_DATA) \ +# $(NULL) + +MAINTAINERCLEANFILES = \ + *~ \ + Makefile.in diff --git a/install/oddjob/com.redhat.idm.trust-fetch-domains b/install/oddjob/com.redhat.idm.trust-fetch-domains new file mode 100755 index 0000000..2571dd0 --- /dev/null +++ b/install/oddjob/com.redhat.idm.trust-fetch-domains 
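Review bot: in the new install/oddjob/Makefile.am the EXTRA_DIST block is commented out, and automake does not distribute _SCRIPTS or _DATA files by default, so com.redhat.idm.trust-fetch-domains and the two .conf files will be missing from the release tarball; uncomment it, or use dist_oddjob_SCRIPTS, dist_dbusconf_DATA and dist_oddjobconf_DATA.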
@@ -0,0 +1,198 @@ +#!/usr/bin/python2 + +from ipaserver import dcerpc +from ipaserver.install.installutils import is_ipa_configured, ScriptError +from ipapython import config, ipautil +from ipalib import api, errors +from ipapython.dn import DN +from ipalib.config import Env +from ipalib.constants import DEFAULT_CONFIG +from ipalib.krb_utils import KRB5_CCache +import sys +import os, pwd +import krbV +import time + +# This version is different from the original in ipapyton.ipautil +# in the fact that it returns a krbV.CCache object. +def kinit_keytab(principal, keytab, ccache_name, attempts=1): + errors_to_retry = {krbV.KRB5KDC_ERR_SVC_UNAVAILABLE, + krbV.KRB5_KDC_UNREACH} + for attempt in range(1, attempts + 1): + try: + krbcontext = krbV.default_context() + ktab = krbV.Keytab(name=keytab, context=krbcontext) + princ = krbV.Principal(name=principal, context=krbcontext) + ccache = krbV.CCache(name=ccache_name, context=krbcontext, + primary_principal=princ) + ccache.init(princ) + ccache.init_creds_keytab(keytab=ktab, principal=princ) + return ccache + except krbV.Krb5Error as e: + if e.args[0] not in errors_to_retry: + raise + if attempt == attempts: + raise + time.sleep(5) + +def retrieve_keytab(api, ccache_name, oneway_keytab_name, oneway_principal): + getkeytab_args = ["/usr/sbin/ipa-getkeytab", + "-s", api.env.host, + "-p", oneway_principal, + "-k", oneway_keytab_name, + "-r"] + (stdout, stderr, retcode) = ipautil.run(getkeytab_args, + env={'KRB5CCNAME': ccache_name, 'LANG': 'C'}, + raiseonerr=False) + # Make sure SSSD is able to read the keytab + sssd = pwd.getpwnam('sssd') + os.chown(oneway_keytab_name, sssd[2], sssd[3]) + + +def parse_options(): + usage = "%prog \n" + parser = config.IPAOptionParser(usage=usage, + formatter=config.IPAFormatter()) + + parser.add_option("-d", "--debug", action="store_true", dest="debug", + help="Display debugging information") + + options, args = parser.parse_args() + safe_options = parser.get_safe_opts(options) + + return 
safe_options, options, args + + +if not is_ipa_configured(): + # LSB status code 6: program is not configured + raise ScriptError("IPA is not configured " + + "(see man pages of ipa-server-install for help)", 6) + +if not os.getegid() == 0: + # LSB status code 4: user had insufficient privilege + raise ScriptError("You must be root to run ipactl.", 4) + +safe_options, options, args = parse_options() + +if len(args) != 1: + # LSB status code 2: invalid or excess argument(s) + raise ScriptError("You must specify trusted domain name", 2) + +trusted_domain = unicode(args[0].lower()) + +env = Env() +env._bootstrap(context='server', debug=options.debug, log=None) +env._finalize_core(**dict(DEFAULT_CONFIG)) + +# Initialize the API with the proper debug level +api.bootstrap(context='server', debug=env.debug, log=None) +api.finalize() + +# Only import trust plugin after api is initialized or internal imports +# within the plugin will not work +from ipalib.plugins import trust + +# We have to dance with two different credentials caches: +# ccache_name -- for cifs/ipa.master at IPA.REALM to communicate with LDAP +# oneway_ccache_name -- for IPA$@AD.REALM to communicate with AD DCs +# +# ccache_name may not exist, we'll have to initialize it from Samba's keytab +# +# oneway_ccache_name may not exist either but to initialize it, we need +# to check if oneway_keytab_name keytab exists and fetch it first otherwise. +# +# to fetch oneway_keytab_name keytab, we need to initialize ccache_name ccache first +# and retrieve our own NetBIOS domain name and use cifs/ipa.master at IPA.REALM to +# retrieve the keys to oneway_keytab_name. 
+ +keytab_name = '/etc/samba/samba.keytab' +oneway_keytab_name = '/var/lib/sss/keytabs/' + trusted_domain + '.keytab' + +principal = str('cifs/' + api.env.host) + +oneway_ccache_name = '/var/run/ipa/krb5cc_oddjob_trusts_fetch' +ccache_name = '/var/run/ipa/krb5cc_oddjob_trusts' + +# Standard sequence: +# - check if ccache exists +# - if not, initialize it from Samba's keytab +# - check if ccache contains valid TGT +# - if not, initialize it from Samba's keytab +# - refer the correct ccache object for further use +# +if not os.path.isfile(ccache_name): + ccache = kinit_keytab(principal, keytab_name, ccache_name) + +ccache_check = KRB5_CCache(ccache_name) +if not ccache_check.credential_is_valid(principal): + ccache = kinit_keytab(principal, keytab_name, ccache_name) +else: + ccache = ccache_check.ccache + +old_ccache = os.environ.get('KRB5CCNAME') +api.Backend.ldap2.connect(ccache) + +own_trust_dn = DN(('cn', api.env.domain),('cn','ad'), ('cn', 'etc'), api.env.basedn) +own_trust_entry = api.Backend.ldap2.get_entry(own_trust_dn, ['ipantflatname']) +own_trust_flatname = own_trust_entry['ipantflatname'][0].upper() + +oneway_principal = str('%s$@%s' % (own_trust_flatname, trusted_domain.upper())) + +# If keytab does not exist, retrieve it +if not os.path.isfile(oneway_keytab_name): + retrieve_keytab(api, ccache_name, oneway_keytab_name, oneway_principal) + +oneway_ccache = None +try: + # The keytab may have stale key material (from older trust-add run) + if not os.path.isfile(oneway_ccache_name): + oneway_ccache = kinit_keytab(oneway_principal, oneway_keytab_name, oneway_ccache_name) +except krbV.Krb5Error as e: + # If there was failure on using keytab, assume it is stale and retrieve again + retrieve_keytab(api, ccache_name, oneway_keytab_name, oneway_principal) + +if oneway_ccache: + # There wasn existing ccache, validate its content + oneway_ccache_check = KRB5_CCache(oneway_ccache_name) + if not oneway_ccache_check.credential_is_valid(oneway_principal): + # If 
credentials were invalid, obtain them again + oneway_ccache = kinit_keytab(oneway_principal, oneway_keytab_name, oneway_ccache_name) + else: + oneway_ccache = oneway_ccache_check.ccache +else: + oneway_ccache = kinit_keytab(oneway_principal, oneway_keytab_name, oneway_ccache_name) + +# We are done: we have ccache with TDO credentials and can fetch domains +ipa_domain = api.env.domain +os.environ['KRB5CCNAME'] = oneway_ccache_name +domains = dcerpc.fetch_domains(api, ipa_domain, trusted_domain, creds=True) + +if domains: + # trust range must exist by the time fetch_domains_from_trust is called + range_name = unicode(trusted_domain.upper() + '_id_range') + old_range = api.Command.idrange_show(range_name, raw=True)['result'] + idrange_type = old_range['iparangetype'][0] + + result = [] + for dom in domains: + dom['trust_type'] = u'ad' + try: + name = dom['cn'] + del dom['cn'] + + res = api.Command.trustdomain_add(trusted_domain, name, **dom) + result.append(res['result']) + + if idrange_type != u'ipa-ad-trust-posix': + range_name = name.upper() + '_id_range' + dom['range_type'] = u'ipa-ad-trust' + trust.add_range(range_name, dom['ipanttrusteddomainsid'], + trusted_domain, name, **dom) + except errors.DuplicateEntry: + # Ignore updating duplicate entries + pass + +if old_ccache: + os.environ['KRB5CCNAME'] = old_ccache + +sys.exit(0) diff --git a/install/oddjob/etc/dbus-1/system.d/oddjob-ipa-trust.conf b/install/oddjob/etc/dbus-1/system.d/oddjob-ipa-trust.conf new file mode 100644 index 0000000..2e4c136 --- /dev/null +++ b/install/oddjob/etc/dbus-1/system.d/oddjob-ipa-trust.conf @@ -0,0 +1,40 @@ + + + + + + + + + + + + + + + + + + + + + diff --git a/install/oddjob/etc/oddjobd.conf.d/oddjobd-ipa-trust.conf b/install/oddjob/etc/oddjobd.conf.d/oddjobd-ipa-trust.conf new file mode 100644 index 0000000..17817de --- /dev/null +++ b/install/oddjob/etc/oddjobd.conf.d/oddjobd-ipa-trust.conf @@ -0,0 +1,21 @@ + + + + + + + + + + + + + + + + + + 
diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py index 13ac52d..9fbaf25 100644 --- a/ipalib/plugins/trust.py +++ b/ipalib/plugins/trust.py @@ -22,6 +22,7 @@ from ipalib.plugable import Registry from ipalib.plugins.baseldap import * from ipalib.plugins.dns import dns_container_exists from ipapython.ipautil import realm_to_suffix +from ipapython.ipa_log_manager import root_logger from ipalib import api, Str, StrEnum, Password, Bool, _, ngettext from ipalib import Command from ipalib import errors @@ -43,6 +44,8 @@ except Exception, e: if api.env.in_server and api.env.context in ['lite', 'server']: try: import ipaserver.dcerpc #pylint: disable=F0401 + from ipaserver.dcerpc import TRUST_ONEWAY, TRUST_BIDIRECTIONAL + import dbus, dbus.mainloop.glib _bindings_installed = True except ImportError: _bindings_installed = False @@ -161,6 +164,8 @@ _trust_type_option = StrEnum('trust_type', DEFAULT_RANGE_SIZE = 200000 +DBUS_IFACE_TRUST = 'com.redhat.idm.trust' + def trust_type_string(level): """ Returns a string representing a type of the trust. The original field is an enum: @@ -191,7 +196,7 @@ def make_trust_dn(env, trust_type, dn): return DN(dn, container_dn) return dn -def add_range(self, range_name, dom_sid, *keys, **options): +def add_range(myapi, range_name, dom_sid, *keys, **options): """ First, we try to derive the parameters of the ID range based on the information contained in the Active Directory. @@ -224,7 +229,7 @@ def add_range(self, range_name, dom_sid, *keys, **options): + basedn # Get the domain validator - domain_validator = ipaserver.dcerpc.DomainValidator(self.api) + domain_validator = ipaserver.dcerpc.DomainValidator(myapi) if not domain_validator.is_configured(): raise errors.NotFound( reason=_('Cannot search in trusted domains without own ' 
@@ -251,10 +256,10 @@ def add_range(self, range_name, dom_sid, *keys, **options): if not info_list: # We were unable to gain UNIX specific info from the AD - self.log.debug("Unable to gain POSIX info from the AD") + root_logger.debug("Unable to gain POSIX info from the AD") else: if all(attr in info for attr in required_msSFU_attrs): - self.log.debug("Able to gain POSIX info from the AD") + root_logger.debug("Able to gain POSIX info from the AD") range_type = u'ipa-ad-trust-posix' max_uid = info.get('msSFU30MaxUidNumber') 
@@ -288,16 +293,43 @@ def add_range(self, range_name, dom_sid, *keys, **options): ) * DEFAULT_RANGE_SIZE # Finally, add new ID range - self.api.Command['idrange_add'](range_name, - ipabaseid=base_id, - ipaidrangesize=range_size, - ipabaserid=0, - iparangetype=range_type, - ipanttrusteddomainsid=dom_sid) + myapi.Command['idrange_add'](range_name, + ipabaseid=base_id, + ipaidrangesize=range_size, + ipabaserid=0, + iparangetype=range_type, + ipanttrusteddomainsid=dom_sid) # Return the values that were generated inside this function return range_type, range_size, base_id +def fetch_trusted_domains_over_dbus(myapi, log, forest_name): + if not _bindings_installed: + return + # Calling oddjobd-activated service via DBus has some quirks: + # - Oddjobd registers multiple canonical names on the same address + # - python-dbus only follows name owner changes when mainloop is in use + # See https://fedorahosted.org/oddjob/ticket/2 for details + dbus.mainloop.glib.DBusGMainLoop(set_as_default=True) + try: + _ret = 0 + _stdout = '' + _stderr = '' + bus = dbus.SystemBus() + intf = bus.get_object(DBUS_IFACE_TRUST,"/", follow_name_owner_changes=True) + fetch_domains_method = intf.get_dbus_method('fetch_domains', dbus_interface=DBUS_IFACE_TRUST) + (_ret, _stdout, _stderr) = fetch_domains_method(forest_name) + except dbus.DBusException, e: + log.error('Failed to call %(iface)s.fetch_domains helper.' + 'DBus exception is %(exc)s.' % dict(iface=DBUS_IFACE_TRUST, exc=str(e))) + if _ret != 0: + log.error('Helper was called for forest %(forest)s, return code is %(ret)d' % dict(forest=forest_name, ret=_ret)) + log.error('Standard output from the helper:\n%s---\n' % (_stdout)) + log.error('Error output from the helper:\n%s--\n' % (_stderr)) + raise errors.ServerCommandError(server=myapi.env.host, + error=_('Fetching domains from trusted forest failed. ' + 'See details in the error_log')) + return @register() class trust(LDAPObject): 
@@ -463,6 +495,12 @@ sides. .format(vals=', '.join(range_types.keys())))), values=tuple(range_types.keys()), ), + Bool('bidirectional?', + label=_('Two-way trust'), + cli_name='two_way', + doc=(_('Establish bi-directional trust. By default trust is inbound one-way only.')), + default=False, + ), ) msg_summary = _('Added Active Directory trust for realm "%(value)s"') @@ -478,7 +516,7 @@ sides. # Store the created range type, since for POSIX trusts no # ranges for the subdomains should be added, POSIX attributes # provide a global mapping across all subdomains - (created_range_type, _, _) = add_range(self, range_name, dom_sid, + (created_range_type, _, _) = add_range(self.api, range_name, dom_sid, *keys, **options) else: created_range_type = old_range['result']['iparangetype'][0] 
@@ -486,19 +524,35 @@ sides. trust_filter = "cn=%s" % result['value'] ldap = self.obj.backend (trusts, truncated) = ldap.find_entries( - base_dn=DN(api.env.container_trusts, api.env.basedn), + base_dn=DN(self.api.env.container_trusts, self.api.env.basedn), filter=trust_filter) result['result'] = entry_to_dict(trusts[0], **options) # Fetch topology of the trust forest -- we need always to do it # for AD trusts, regardless of the type of idranges associated with it - # Note that fetch_domains_from_trust will add needed ranges for + # Note that add_new_domains_from_trust will add needed ranges for # the algorithmic ID mapping case. if (options.get('trust_type') == u'ad' and options.get('trust_secret') is None): - domains = fetch_domains_from_trust(self, self.trustinstance, + if options.get('bidirectional') == True: + # Bidirectional trust allows us to use cross-realm TGT, so we can + # run the call under original user's credentials + res = fetch_domains_from_trust(self.api, self.trustinstance, result['result'], **options) + domains = add_new_domains_from_trust(self.api, self.trustinstance, + result['result'], res, **options) + else: + # One-way trust is more complex. We don't have cross-realm TGT + # and cannot use IPA principals to authenticate against AD. + # Instead, we have to use our trusted domain object's (TDO) + # account in AD. Access to the credentials is limited and IPA + # framework cannot access it directly. Instead, we call out to + # oddjobd-activated higher privilege process that will use TDO + # object credentials to authenticate to AD with Kerberos, + # run DCE RPC calls to do discovery and will call + # add_new_domains_from_trust() on its own. + fetch_trusted_domains_over_dbus(self.api, self.log, result['value']) # Format the output into human-readable values result['result']['trusttype'] = [trust_type_string( 
@@ -570,7 +624,7 @@ sides. # If domain name and realm does not match, IPA server is not be able # to establish trust with Active Directory. - realm_not_matching_domain = (api.env.domain.upper() != api.env.realm) + realm_not_matching_domain = (self.api.env.domain.upper() != self.api.env.realm) if options['trust_type'] == u'ad' and realm_not_matching_domain: raise errors.ValidationError( @@ -627,7 +681,7 @@ sides. range_type = options.get('range_type') try: - old_range = api.Command['idrange_show'](range_name, raw=True) + old_range = self.api.Command['idrange_show'](range_name, raw=True) except errors.NotFound: old_range = None @@ -699,6 +753,9 @@ sides. except errors.NotFound: dn = None + trust_type = TRUST_ONEWAY + if options.get('bidirectional', False): + trust_type = TRUST_BIDIRECTIONAL # 1. Full access to the remote domain. Use admin credentials and # generate random trustdom password to do work on both sides if full_join: @@ -707,14 +764,15 @@ sides. keys[-1], self.realm_server, self.realm_admin, - self.realm_passwd + self.realm_passwd, + trust_type ) except errors.NotFound: error_message=_("Unable to resolve domain controller for '%s' domain. ") % (keys[-1]) instructions=[] if dns_container_exists(self.obj.backend): try: - dns_zone = api.Command.dnszone_show(keys[-1])['result'] + dns_zone = self.api.Command.dnszone_show(keys[-1])['result'] if ('idnsforwardpolicy' in dns_zone) and dns_zone['idnsforwardpolicy'][0] == u'only': instructions.append(_("Forward policy is defined for it in IPA DNS, " "perhaps forwarder points to incorrect host?")) @@ -755,7 +813,8 @@ sides. result = self.trustinstance.join_ad_ipa_half( keys[-1], self.realm_server, - options['trust_secret'] + options['trust_secret'], + trust_type ) ret = dict( value=pkey_to_value( 
@@ -940,7 +999,7 @@ class trustconfig(LDAPObject): group, ['posixgroup'], [''], - DN(api.env.container_group, api.env.basedn)) + DN(self.api.env.container_group, self.api.env.basedn)) except errors.NotFound: self.api.Object['group'].handle_not_found(group) else: @@ -1066,11 +1125,11 @@ class adtrust_is_enabled(Command): ldap = self.api.Backend.ldap2 adtrust_dn = DN( ('cn', 'ADTRUST'), - ('cn', api.env.host), + ('cn', self.api.env.host), ('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), - api.env.basedn + self.api.env.basedn ) try: @@ -1281,7 +1340,7 @@ class trustdomain_del(LDAPDelete): raise errors.ValidationError(name='domain', error=_("cannot delete root domain of the trust, use trust-del to delete the trust itself")) try: - res = api.Command.trustdomain_enable(keys[0], domain) + res = self.api.Command.trustdomain_enable(keys[0], domain) except errors.AlreadyActive: pass result = super(trustdomain_del, self).execute(*keys, **options) @@ -1291,7 +1350,7 @@ class trustdomain_del(LDAPDelete): -def fetch_domains_from_trust(self, trustinstance, trust_entry, **options): +def fetch_domains_from_trust(myapi, trustinstance, trust_entry, **options): trust_name = trust_entry['cn'][0] creds = None password = options.get('realm_passwd', None) 
@@ -1303,16 +1362,20 @@ def fetch_domains_from_trust(self, trustinstance, trust_entry, **options): creds = u"{name}%{password}".format(name="\\".join(sp), password=password) server = options.get('realm_server', None) - domains = ipaserver.dcerpc.fetch_domains(self.api, + domains = ipaserver.dcerpc.fetch_domains(myapi, trustinstance.local_flatname, trust_name, creds=creds, server=server) + return domains + +def add_new_domains_from_trust(myapi, trustinstance, trust_entry, domains, **options): result = [] if not domains: return result - # trust range must exist by the time fetch_domains_from_trust is called + trust_name = trust_entry['cn'][0] + # trust range must exist by the time add_new_domains_from_trust is called range_name = trust_name.upper() + '_id_range' - old_range = api.Command.idrange_show(range_name, raw=True)['result'] + old_range = myapi.Command.idrange_show(range_name, raw=True)['result'] idrange_type = old_range['iparangetype'][0] for dom in domains: @@ -1325,13 +1388,13 @@ def fetch_domains_from_trust(self, trustinstance, trust_entry, **options): if 'raw' in options: dom['raw'] = options['raw'] - res = self.api.Command.trustdomain_add(trust_name, name, **dom) + res = myapi.Command.trustdomain_add(trust_name, name, **dom) result.append(res['result']) if idrange_type != u'ipa-ad-trust-posix': range_name = name.upper() + '_id_range' dom['range_type'] = u'ipa-ad-trust' - add_range(self, range_name, dom['ipanttrusteddomainsid'], + add_range(myapi, range_name, dom['ipanttrusteddomainsid'], trust_name, name, **dom) except errors.DuplicateEntry: # Ignore updating duplicate entries 
@@ -1362,6 +1425,17 @@ class trust_fetch_domains(LDAPRetrieve): ) trust = self.api.Command.trust_show(keys[0], raw=True)['result'] + result = dict() + result['result'] = [] + result['count'] = 0 + result['truncated'] = False + + # For one-way trust fetch over DBus. we don't get the list in this case. + if trust['ipanttrustdirection'] & TRUST_BIDIRECTIONAL != TRUST_BIDIRECTIONAL: + fetch_trusted_domains_over_dbus(self.api, self.log, keys[0]) + result['summary'] = unicode(_('List of trust domains successfully refreshed. Use trustdomain-find command to list them.')) + return result + trustinstance = ipaserver.dcerpc.TrustDomainJoins(self.api) if not trustinstance.configured: raise errors.NotFound( @@ -1372,8 +1446,8 @@ class trust_fetch_domains(LDAPRetrieve): 'on the IPA server first' ) ) - domains = fetch_domains_from_trust(self, trustinstance, trust) - result = dict() + res = fetch_domains_from_trust(self.api, trustinstance, trust, **options) + domains = add_new_domains_from_trust(self.api, trustinstance, trust, res, **options) if len(domains) > 0: result['summary'] = unicode(_('List of trust domains successfully refreshed')) @@ -1382,7 +1456,6 @@ class trust_fetch_domains(LDAPRetrieve): result['result'] = domains result['count'] = len(domains) - result['truncated'] = False return result @@ -1413,7 +1486,7 @@ class trustdomain_enable(LDAPQuery): trust_entry['ipantsidblacklistincoming'].remove(sid) ldap.update_entry(trust_entry) # Force MS-PAC cache re-initialization on KDC side - domval = ipaserver.dcerpc.DomainValidator(api) + domval = ipaserver.dcerpc.DomainValidator(self.api) (ccache_name, principal) = domval.kinit_as_http(keys[0]) else: raise errors.AlreadyActive() 
@@ -1453,7 +1526,7 @@ class trustdomain_disable(LDAPQuery): trust_entry['ipantsidblacklistincoming'].append(sid) ldap.update_entry(trust_entry) # Force MS-PAC cache re-initialization on KDC side - domval = ipaserver.dcerpc.DomainValidator(api) + domval = ipaserver.dcerpc.DomainValidator(self.api) (ccache_name, principal) = domval.kinit_as_http(keys[0]) else: raise errors.AlreadyInactive() diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py index 753e10e..b11233d 100644 --- a/ipaserver/dcerpc.py +++ b/ipaserver/dcerpc.py @@ -66,6 +66,10 @@ The code in this module relies heavily on samba4-python package and Samba4 python bindings. """) +# Both constants can be used as masks against trust direction +# because bi-directional has two lower bits set. +TRUST_ONEWAY = 1 +TRUST_BIDIRECTIONAL = 3 def is_sid_valid(sid): try: @@ -949,7 +953,7 @@ class TrustDomainInstance(object): # We can ignore the error here -- setting up name suffix routes may fail pass - def establish_trust(self, another_domain, trustdom_secret): + def establish_trust(self, another_domain, trustdom_secret, trust_type='bidirectional'): """ Establishes trust between our and another domain Input: another_domain -- instance of TrustDomainInstance, initialized with #retrieve call @@ -967,7 +971,9 @@ class TrustDomainInstance(object): info.domain_name.string = another_domain.info['dns_domain'] info.netbios_name.string = another_domain.info['name'] info.sid = security.dom_sid(another_domain.info['sid']) - info.trust_direction = lsa.LSA_TRUST_DIRECTION_INBOUND | lsa.LSA_TRUST_DIRECTION_OUTBOUND + info.trust_direction = lsa.LSA_TRUST_DIRECTION_INBOUND + if trust_type == TRUST_BIDIRECTIONAL: + info.trust_direction |= lsa.LSA_TRUST_DIRECTION_OUTBOUND info.trust_type = lsa.LSA_TRUST_TYPE_UPLEVEL info.trust_attributes = 0 
@@ -1005,7 +1011,8 @@ class TrustDomainInstance(object): pass try: - info.trust_attributes = lsa.LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE + info = self._pipe.QueryTrustedDomainInfo(trustdom_handle, lsa.LSA_TRUSTED_DOMAIN_INFO_INFO_EX) + info.trust_attributes |= lsa.LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE self._pipe.SetInformationTrustedDomain(trustdom_handle, lsa.LSA_TRUSTED_DOMAIN_INFO_INFO_EX, info) except RuntimeError, e: root_logger.error('unable to set trust to transitive: %s' % (str(e))) @@ -1014,10 +1021,10 @@ class TrustDomainInstance(object): self.update_ftinfo(another_domain) def verify_trust(self, another_domain): - def retrieve_netlogon_info_2(domain, function_code, data): + def retrieve_netlogon_info_2(logon_server, domain, function_code, data): try: netr_pipe = netlogon.netlogon(domain.binding, domain.parm, domain.creds) - result = netr_pipe.netr_LogonControl2Ex(logon_server=None, + result = netr_pipe.netr_LogonControl2Ex(logon_server=logon_server, function_code=function_code, level=2, data=data @@ -1026,7 +1033,7 @@ class TrustDomainInstance(object): except RuntimeError, (num, message): raise assess_dcerpc_exception(num=num, message=message) - result = retrieve_netlogon_info_2(self, + result = retrieve_netlogon_info_2(None, self, netlogon.NETLOGON_CONTROL_TC_VERIFY, another_domain.info['dns_domain']) if (result and (result.flags and netlogon.NETLOGON_VERIFY_STATUS_RETURNED)): @@ -1098,6 +1105,7 @@ def fetch_domains(api, mydomain, trustdomain, creds=None, server=None): td.info['dc'] = unicode(result.pdc_dns_name) if creds is None: + # Attempt to authenticate as HTTP/ipa.master and use cross-forest trust domval = DomainValidator(api) (ccache_name, principal) = domval.kinit_as_http(trustdomain) td.creds = credentials.Credentials() 
@@ -1107,7 +1115,15 @@ def fetch_domains(api, mydomain, trustdomain, creds=None, server=None): td.creds.guess(td.parm) td.creds.set_workstation(domain_validator.flatname) domains = communicate(td) + elif type(creds) is bool: + # Rely on existing Kerberos credentials in the environment + td.creds = credentials.Credentials() + td.creds.set_kerberos_state(credentials.MUST_USE_KERBEROS) + td.creds.guess(td.parm) + td.creds.set_workstation(domain_validator.flatname) + domains = communicate(td) else: + # Assume we've got credentials as a string user%password td.creds = credentials.Credentials() td.creds.set_kerberos_state(credentials.DONT_USE_KERBEROS) td.creds.guess(td.parm) @@ -1220,7 +1236,7 @@ class TrustDomainJoins(object): ftinfo['rec_type'] = lsa.LSA_FOREST_TRUST_TOP_LEVEL_NAME self.local_domain.ftinfo_records.append(ftinfo) - def join_ad_full_credentials(self, realm, realm_server, realm_admin, realm_passwd): + def join_ad_full_credentials(self, realm, realm_server, realm_admin, realm_passwd, trust_type): if not self.configured: return None 
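Review bot: the privilege check in the oddjob helper (`if not os.getegid() == 0`) tests the effective group, not the effective user, so a process running with gid 0 under a non-root uid passes it, and the message it raises, "You must be root to run ipactl.", names a different tool. Use `if os.geteuid() != 0:` and name this helper in the error text.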
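Review bot: `trusted_domain = unicode(args[0].lower())` is spliced unvalidated into a filesystem path (`oneway_keytab_name = '/var/lib/sss/keytabs/' + trusted_domain + '.keytab'`) and into the principal name, and this helper runs as root via oddjobd. Check the argument against DNS domain-name syntax (no `/`, no `..`, no whitespace) and reject it on the existing "LSB status code 2" path before any keytab or ccache is touched.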
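Review bot: the one-way ccache logic in the helper is inverted relative to its comment. `oneway_ccache` is only assigned when the ccache file did not exist and was just created, so the `if oneway_ccache:` branch ("validate its content") validates a brand-new ccache, while an existing ccache falls through to the `else:` and is re-initialised with `kinit_keytab` every run. Mirror the `ccache_name` block above: when the file exists, run `KRB5_CCache(oneway_ccache_name).credential_is_valid(oneway_principal)` and only kinit on failure. The `except krbV.Krb5Error as e:` branch re-fetches the keytab but never retries the kinit inside the block; it only works because the `else:` branch happens to run afterwards, which deserves either a comment or an explicit retry (and `e` is unused).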
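Review bot: the bodies of `oddjob-ipa-trust.conf` (40 added lines) and `oddjobd-ipa-trust.conf` (21 added lines) are empty in this copy, so the D-Bus policy that decides who may invoke `com.redhat.idm.trust.fetch_domains`, and the identity the helper is started as, cannot be reviewed here. Please confirm the policy restricts the method to the IPA framework's own identity, since the helper runs with root privilege and fetches TDO credentials.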
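Review bot: in `fetch_trusted_domains_over_dbus` a `dbus.DBusException` is only logged; `_ret` keeps its initial value `0`, so the function returns normally and `trust_add`/`trust_fetch_domains` report success although no domains were fetched. Raise `errors.ServerCommandError` from the `except` block as well (or set `_ret` to a non-zero value there). Two smaller points in the same hunk: the message fragments `'Failed to call %(iface)s.fetch_domains helper.' 'DBus exception is %(exc)s.'` concatenate without a space, and `if not _bindings_installed: return` skips the fetch silently, where a log line would help diagnose a missing python-dbus.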
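Review bot: `if options.get('bidirectional') == True:` in `trust_add` should be the plain truth test `if options.get('bidirectional'):`, matching `options.get('bidirectional', False)` used further down in the same file.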
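Review bot: `trust['ipanttrustdirection'] & TRUST_BIDIRECTIONAL` in `trust_fetch_domains` operates on a `trust_show(keys[0], raw=True)['result']` entry, whose attribute values are lists of strings (this patch itself indexes `trust_entry['cn'][0]` and `old_range['result']['iparangetype'][0]`); `&` on a list raises `TypeError`. Convert first: `int(trust['ipanttrustdirection'][0]) & TRUST_BIDIRECTIONAL != TRUST_BIDIRECTIONAL`.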
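Review bot: `establish_trust` gets the default `trust_type='bidirectional'` (a string) but compares `trust_type == TRUST_BIDIRECTIONAL` (the integer 3), so any caller relying on the default silently gets an inbound-only trust, a behaviour change from the removed `LSA_TRUST_DIRECTION_INBOUND | LSA_TRUST_DIRECTION_OUTBOUND` line. Make the default `trust_type=TRUST_BIDIRECTIONAL`, or drop it, since both callers in `TrustDomainJoins` now pass it explicitly.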
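Review bot: `elif type(creds) is bool:` in `fetch_domains` treats `creds=False` the same as `creds=True` (use the Kerberos credentials already in the environment). Since the three paths are "no creds", "use the ccache from the environment" and "user%password string", an explicit `elif creds is True:` (or a dedicated keyword argument) states the intent and avoids the `type()` comparison.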
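Review bot: in the `join_ad_full_credentials` hunk a one-way trust sets `result = True` and returns `verified=result` without ever calling `verify_trust`, so callers cannot distinguish "verified" from "not verifiable". `join_ad_ipa_half` already returns `verified=False` when no verification takes place; do the same here (or return a distinct value) and keep the WERR_NO_SUCH_DOMAIN explanation in the comment, which also reads "in only does verification" where "it only does" is meant.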
@@ -1238,13 +1254,17 @@ class TrustDomainJoins(object): if not self.remote_domain.read_only: trustdom_pass = samba.generate_random_password(128, 128) self.get_realmdomains() - self.remote_domain.establish_trust(self.local_domain, trustdom_pass) - self.local_domain.establish_trust(self.remote_domain, trustdom_pass) - result = self.remote_domain.verify_trust(self.local_domain) + self.remote_domain.establish_trust(self.local_domain, trustdom_pass, trust_type) + self.local_domain.establish_trust(self.remote_domain, trustdom_pass, trust_type) + # if trust is inbound, we don't need to verify it because AD DC will respond + # with WERR_NO_SUCH_DOMAIN -- in only does verification for outbound trusts. + result = True + if trust_type == TRUST_BIDIRECTIONAL: + result = self.remote_domain.verify_trust(self.local_domain) return dict(local=self.local_domain, remote=self.remote_domain, verified=result) return None - def join_ad_ipa_half(self, realm, realm_server, trustdom_passwd): + def join_ad_ipa_half(self, realm, realm_server, trustdom_passwd, trust_type): if not self.configured: return None @@ -1254,5 +1274,5 @@ class TrustDomainJoins(object): if self.remote_domain.info['dns_domain'] != self.remote_domain.info['dns_forest']: raise errors.NotAForestRootError(forest=self.remote_domain.info['dns_forest'], domain=self.remote_domain.info['dns_domain']) - self.local_domain.establish_trust(self.remote_domain, trustdom_passwd) + self.local_domain.establish_trust(self.remote_domain, trustdom_passwd, trust_type) return dict(local=self.local_domain, remote=self.remote_domain, verified=False) -- 2.4.3 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 473 bytes Desc: not available URL: From abokovoy at redhat.com Tue Jul 7 11:02:30 2015 
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Tue, 7 Jul 2015 14:02:30 +0300 Subject: [Freeipa-devel] [PATCH] 0180-0190 oneway trust and other trust-related patches In-Reply-To: <20150707103524.GV11876@redhat.com> References: <20150707103524.GV11876@redhat.com> Message-ID: <20150707110230.GB21928@redhat.com> On Tue, 07 Jul 2015, Alexander Bokovoy wrote: >From 4a856d8ff597ec516cc1eb05f06e062bb4ecca5b Mon Sep 17 00:00:00 2001 >From: Alexander Bokovoy >Date: Thu, 28 May 2015 11:49:58 +0000 >Subject: [PATCH 05/11] trusts: pass AD DC hostname if specified explicitly > >Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1222047 This is upstream ticket https://fedorahosted.org/freeipa/ticket/5031 -- / Alexander Bokovoy From abokovoy at redhat.com Tue Jul 7 11:05:15 2015 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Tue, 7 Jul 2015 14:05:15 +0300 Subject: [Freeipa-devel] [PATCH] 0180-0190 oneway trust and other trust-related patches In-Reply-To: <20150707103524.GV11876@redhat.com> References: <20150707103524.GV11876@redhat.com> Message-ID: <20150707110515.GC21928@redhat.com> On Tue, 07 Jul 2015, Alexander Bokovoy wrote: >From a4e2034028d64a8b2b533af9541e698a68388fb2 Mon Sep 17 00:00:00 2001 
>From: Alexander Bokovoy >Date: Thu, 4 Jun 2015 21:29:36 +0000 >Subject: [PATCH 07/11] ipa-adtrust-install: allow configuring of trust agents > >Trust agents are IPA masters without Samba which can serve >information about users from trusted forests. Such IPA masters >cannot be used to configure trust but they can resolve AD users and groups >for IPA clients enrolled to them. > >Since support from both FreeIPA and SSSD is needed to enable >trust agent support, we currently only consider those IPA masters >which have been upgraded to FreeIPA 4.2 or later. > >Part of https://fedorahosted.org/freeipa/ticket/4951 And also fixes https://fedorahosted.org/freeipa/ticket/5004 which is a more specific ticket for host principals. -- / Alexander Bokovoy
From abokovoy at redhat.com Tue Jul 7 11:53:54 2015 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Tue, 7 Jul 2015 14:53:54 +0300 Subject: [Freeipa-devel] [PATCH] 0180-0190 oneway trust and other trust-related patches In-Reply-To: <20150707103524.GV11876@redhat.com> References: <20150707103524.GV11876@redhat.com> Message-ID: <20150707115354.GD21928@redhat.com> On Tue, 07 Jul 2015, Alexander Bokovoy wrote: >From b7a3b206deb3257b3a78939f0d2a6a114e48b758 Mon Sep 17 00:00:00 2001
>From: Alexander Bokovoy >Date: Thu, 26 Mar 2015 14:34:06 +0200 >Subject: [PATCH 01/11] add one-way trust support to ipasam > >When trust is established, ipasam module creates a number of objects in LDAP >to represent the trust information. Among them, for one-way trust we create >a principal named IPA$@AD where IPA is a NetBIOS (flat) name of the IPA forest >and AD is a realm of the trusted Active Directory forest root domain. > >This principal is then used by SSSD on IPA masters to authenticate against >trusted Active Directory domain controllers and retrieve information about >user and group identities. > >FreeIPA also uses this principal's credentials to retrieve domain topology. > >The access to the keys of the principal should be well-protected. We only >allow members of the cn=adtrust agents group to retrieve the keytab for it. >This group is populated with host/ and cifs/ principals from IPA masters. > >Starting with FreeIPA 4.2 the group will also have host/ principals of IPA masters >where no ipa-adtrust-install was run. To add them, run ipa-adtrust-install >on the master which will be configured to be a domain controller (e.g. >run Samba with ipasam), and specify --add-agents option to trigger activation >of the interactive mode to specify which IPA masters to enable. > >Fixes https://fedorahosted.org/freeipa/ticket/4962 >Part of fixes for https://fedorahosted.org/freeipa/ticket/4546 ... and fixes ticket https://fedorahosted.org/freeipa/ticket/5005 too -- / Alexander Bokovoy
From npmccallum at redhat.com Tue Jul 7 12:48:09 2015
From: npmccallum at redhat.com (Nathaniel McCallum) Date: Tue, 7 Jul 2015 08:48:09 -0400 Subject: [Freeipa-devel] error handling in httpd.service and ipa-httpd-kdcproxy In-Reply-To: <559AA03B.7030700@redhat.com> References: <559AA03B.7030700@redhat.com> Message-ID: <85D05384-E18A-4061-B7FE-1C7DD35E1D57@redhat.com> > On Jul 6, 2015, at 11:35 AM, Christian Heimes wrote: > > Hello, > > I'd like to ask for your opinion regarding the pre-exec hook > 'ipa-httpd-kdcproxy' in httpd.service. Alex has asked me to handle error > cases like LDAP connection timeout more gracefully. At the moment any > error causes the script to return a non-zero exit code. This breaks the > service and apparently also offline RPM upgrades. > > How should I handle error cases? I can change httpd.service to simply > ignore the exit code of ipa-httpd-kdcproxy. But that might lead to an > invalid state. I could modify the script to catch connection errors and > to disable kdcproxy in case of an error. > > The options are: > > 1) httpd.service ignores exit code of ipa-httpd-kdcproxy > 2) ipa-httpd-kdcproxy removes kdcproxy config file in case of a > connection error > 3) 1 + 2 > > What do you think? If ipa-httpd-kdcproxy cannot contact LDAP, kdcproxy MUST NOT be enabled. So #2. However, ipa-httpd-kdcproxy should leave error codes to real catastrophic failures and httpd.service should be aware of these. So not #1. Nathaniel
From simo at redhat.com Tue Jul 7 13:41:07 2015
From: simo at redhat.com (Simo Sorce) Date: Tue, 07 Jul 2015 09:41:07 -0400 Subject: [Freeipa-devel] error handling in httpd.service and ipa-httpd-kdcproxy In-Reply-To: <85D05384-E18A-4061-B7FE-1C7DD35E1D57@redhat.com> References: <559AA03B.7030700@redhat.com> <85D05384-E18A-4061-B7FE-1C7DD35E1D57@redhat.com> Message-ID: <1436276467.7030.68.camel@willson.usersys.redhat.com> On Tue, 2015-07-07 at 08:48 -0400, Nathaniel McCallum wrote: > > On Jul 6, 2015, at 11:35 AM, Christian Heimes wrote: > > > > Hello, > > > > I'd like to ask for your opinion regarding the pre-exec hook > > 'ipa-httpd-kdcproxy' in httpd.service. Alex has asked me to handle error > > cases like LDAP connection timeout more gracefully. At the moment any > > error causes the script to return a non-zero exit code. This breaks the > > service and apparently also offline RPM upgrades. > > > > How should I handle error cases? I can change httpd.service to simply > > ignore the exit code of ipa-httpd-kdcproxy. But that might lead to an > > invalid state. I could modify the script to catch connection errors and > > to disable kdcproxy in case of an error. > > > > The options are: > > > > 1) httpd.service ignores exit code of ipa-httpd-kdcproxy > > 2) ipa-httpd-kdcproxy removes kdcproxy config file in case of a > > connection error > > 3) 1 + 2 > > > > What do you think? > > If ipa-httpd-kdcproxy cannot contact LDAP, kdcproxy MUST NOT be > enabled. So #2. > > However, ipa-httpd-kdcproxy should leave error codes to real > catastrophic failures and httpd.service should be aware of these. So > not #1. > > Nathaniel > IMO it is ok for httpd to fail to start if the kdc-proxy cannot contact LDAP, because other stuff will fail too if that's the case anyway. In fact I had to change my replica promotion patches to account for this as it was failing here, for various reasons, on one restart during the install. :-) Simo. -- Simo Sorce * Red Hat, Inc * New York
From sbose at redhat.com Tue Jul 7 13:47:05 2015
From: sbose at redhat.com (Sumit Bose) Date: Tue, 7 Jul 2015 15:47:05 +0200 Subject: [Freeipa-devel] [PATCH 144] extdom: add unit-test for get_user_grouplist() In-Reply-To: <20150526114702.GF19176@redhat.com> References: <20150526112119.GO3943@p.redhat.com> <556457EE.5040508@redhat.com> <20150526114004.GQ3943@p.redhat.com> <20150526114702.GF19176@redhat.com> Message-ID: <20150707134705.GG22480@p.redhat.com> On Tue, May 26, 2015 at 02:47:02PM +0300, Alexander Bokovoy wrote: > On Tue, 26 May 2015, Sumit Bose wrote: > >On Tue, May 26, 2015 at 01:24:30PM +0200, Petr Vobornik wrote: > >>On 05/26/2015 01:21 PM, Sumit Bose wrote: > >>>Hi, > >>> > >>>these tests should have gone together with > >>>c1114ef82516002de08e004a930b5ba4a1791b25 but got lost somehow during the > >>>bugzilla processing. > >>> > >>>bye, > >>>Sumit > >>> > >> > >>So it has been acked? And we can push it? > > > >I have to admit that I'm not sure, there were just too many related > >tickets. Alexander, do you remember seeing this patch? If not, I think > >it would be good if someone can review it. Since it is "only" a > >unit-test, it is not urgent. > I've seen this patch and I thought I'd acked it at the time... New version rebased on one-way trust patches is attached. bye, Sumit > -- > / Alexander Bokovoy
-------------- next part -------------- From 5b5c9250416bf1e55a453c5430ac6be914054aa9 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Thu, 26 Feb 2015 14:08:06 +0100 Subject: [PATCH 144/148] extdom: add unit-test for get_user_grouplist() --- .../ipa-extdom-extop/ipa_extdom.h | 2 + .../ipa-extdom-extop/ipa_extdom_cmocka_tests.c | 41 + .../ipa-extdom-extop/ipa_extdom_common.c | 4 +- .../ipa-extdom-extop/test_data/group | 1000 ++++++++++++++++++++ 4 files changed, 1045 insertions(+), 2 deletions(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h index 65dd43ea35726db6231386a0fcbba9be1bd71412..a77711977186b702caafa2729dc13090c6031791 100644 --- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h +++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h @@ -185,6 +185,8 @@ int getgrnam_r_wrapper(size_t buf_max, const char *name, struct group *grp, char **_buf, size_t *_buf_len); int getgrgid_r_wrapper(size_t buf_max, gid_t gid, struct group *grp, char **_buf, size_t *_buf_len); +int get_user_grouplist(const char *name, gid_t gid, + size_t *_ngroups, gid_t **_groups); int pack_ber_sid(const char *sid, struct berval **berval); int pack_ber_name(const char *domain_name, const char *name, struct berval **berval); diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_cmocka_tests.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_cmocka_tests.c index 42d588d08a96f8a26345f85aade9523e05f6f56e..ec553fe62c27738f258defc267fe761c72157df0 100644 --- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_cmocka_tests.c +++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_cmocka_tests.c 
@@ -213,6 +213,46 @@ void test_getgrgid_r_wrapper(void **state) free(buf); } +void test_get_user_grouplist(void **state) +{ + int ret; + size_t ngroups; + gid_t *groups; + size_t c; + + /* This is a bit odd behaviour of getgrouplist() it does not check if the + * user exists, only if memberships of the user can be found. */ + ret = get_user_grouplist("non_exisiting_user", 23456, &ngroups, &groups); + assert_int_equal(ret, LDAP_SUCCESS); + assert_int_equal(ngroups, 1); + assert_int_equal(groups[0], 23456); + free(groups); + + ret = get_user_grouplist("member0001", 23456, &ngroups, &groups); + assert_int_equal(ret, LDAP_SUCCESS); + assert_int_equal(ngroups, 3); + assert_int_equal(groups[0], 23456); + assert_int_equal(groups[1], 11111); + assert_int_equal(groups[2], 22222); + free(groups); + + ret = get_user_grouplist("member0003", 23456, &ngroups, &groups); + assert_int_equal(ret, LDAP_SUCCESS); + assert_int_equal(ngroups, 2); + assert_int_equal(groups[0], 23456); + assert_int_equal(groups[1], 22222); + free(groups); + + ret = get_user_grouplist("user_big", 23456, &ngroups, &groups); + assert_int_equal(ret, LDAP_SUCCESS); + assert_int_equal(ngroups, 1001); + assert_int_equal(groups[0], 23456); + for (c = 1; c < ngroups; c++) { + assert_int_equal(groups[c], 29999 + c); + } + free(groups); +} + struct test_data { struct extdom_req *req; struct ipa_extdom_ctx *ctx; @@ -398,6 +438,7 @@ int main(int argc, const char *argv[]) unit_test(test_getpwuid_r_wrapper), unit_test(test_getgrnam_r_wrapper), unit_test(test_getgrgid_r_wrapper), + unit_test(test_get_user_grouplist), unit_test_setup_teardown(test_set_err_msg, extdom_req_setup, extdom_req_teardown), unit_test_setup_teardown(test_encode, diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c index b2e690471cd045154454a26aa6756c2628bbc262..f5905c78e5f6eb635fcd0acf0afeda3bdb3b9baa 100644 
--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c +++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c @@ -400,8 +400,8 @@ int check_request(struct extdom_req *req, enum extdom_version version) return LDAP_SUCCESS; } -static int get_user_grouplist(const char *name, gid_t gid, - size_t *_ngroups, gid_t **_groups ) +int get_user_grouplist(const char *name, gid_t gid, + size_t *_ngroups, gid_t **_groups) { int ret; int ngroups; diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/test_data/group b/daemons/ipa-slapi-plugins/ipa-extdom-extop/test_data/group index 8d1b012871b21cc9d5ffdba2168f35ef3e8a5f81..8394789f9ab89cda928af7a3e2b03de1f2a98395 100644 --- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/test_data/group +++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/test_data/group 
@@ -1,2 +1,1002 @@ group:x:11111:member0001,member0002 group_big:x:22222:member0001,member0002,member0003,member0004,member0005,member0006,member0007,member0008,member0009,member0010,member0011,member0012,member0013,member0014,member0015,member0016,member0017,member0018,member0019,member0020,member0021,member0022,member0023,member0024,member0025,member0026,member0027,member0028,member0029,member0030,member0031,member0032,member0033,member0034,member0035,member0036,member0037,member0038,member0039,member0040,member0041,member0042,member0043,member0044,member0045,member0046,member0047,member0048,member0049,member0050,member0051,member0052,member0053,member0054,member0055,member0056,member0057,member0058,member0059,member0060,member0061,member0062,member0063,member0064,member0065,member0066,member0067,member0068,member0069,member0070,member0071,member0072,member0073,member0074,member0075,member0076,member0077,member0078,member0079,member0080,member0081,member0082,member0083,member0084,member0085,member0086,member0087,member0088,member0089,member0090,member0091,member0092,member0093,member0094,member0095,member0096,member0097,member0098,member0099,member0100,member0101,member0102,member0103,member0104,member0105,member0106,member0107,member0108,member0109,member0110,member0111,member0112,member0113,member0114,member0115,member0116,member0117,member0118,member0119,member0120,member0121,member0122,member0123,member0124,member0125,member0126,member0127,member0128,member0129,member0130,member0131,member0132,member0133,member0134,member0135,member0136,member0137,member0138,member0139,member0140,member0141,member0142,member0143,member0144,member0145,member0146,member0147,member0148,member0149,member0150,member0151,member0152,member0153,member0154,member0155,member0156,member0157,member0158,member0159,member0160,member0161,member0162,member0163,member0164,member0165,member0166,member0167,member0168,member0169,member0170,member0171,member0172,member0173,member0174,member0175,me
mber0176,member0177,member0178,member0179,member0180,member0181,member0182,member0183,member0184,member0185,member0186,member0187,member0188,member0189,member0190,member0191,member0192,member0193,member0194,member0195,member0196,member0197,member0198,member0199,member0200,member0201,member0202,member0203,member0204,member0205,member0206,member0207,member0208,member0209,member0210,member0211,member0212,member0213,member0214,member0215,member0216,member0217,member0218,member0219,member0220,member0221,member0222,member0223,member0224,member0225,member0226,member0227,member0228,member0229,member0230,member0231,member0232,member0233,member0234,member0235,member0236,member0237,member0238,member0239,member0240,member0241,member0242,member0243,member0244,member0245,member0246,member0247,member0248,member0249,member0250,member0251,member0252,member0253,member0254,member0255,member0256,member0257,member0258,member0259,member0260,member0261,member0262,member0263,member0264,member0265,member0266,member0267,member0268,member0269,member0270,member0271,member0272,member0273,member0274,member0275,member0276,member0277,member0278,member0279,member0280,member0281,member0282,member0283,member0284,member0285,member0286,member0287,member0288,member0289,member0290,member0291,member0292,member0293,member0294,member0295,member0296,member0297,member0298,member0299,member0300,member0301,member0302,member0303,member0304,member0305,member0306,member0307,member0308,member0309,member0310,member0311,member0312,member0313,member0314,member0315,member0316,member0317,member0318,member0319,member0320,member0321,member0322,member0323,member0324,member0325,member0326,member0327,member0328,member0329,member0330,member0331,member0332,member0333,member0334,member0335,member0336,member0337,member0338,member0339,member0340,member0341,member0342,member0343,member0344,member0345,member0346,member0347,member0348,member0349,member0350,member0351,member0352,member0353,member0354,member0355,member0356,member0357,
member0358,member0359,member0360,member0361,member0362,member0363,member0364,member0365,member0366,member0367,member0368,member0369,member0370,member0371,member0372,member0373,member0374,member0375,member0376,member0377,member0378,member0379,member0380,member0381,member0382,member0383,member0384,member0385,member0386,member0387,member0388,member0389,member0390,member0391,member0392,member0393,member0394,member0395,member0396,member0397,member0398,member0399,member0400,member0401,member0402,member0403,member0404,member0405,member0406,member0407,member0408,member0409,member0410,member0411,member0412,member0413,member0414,member0415,member0416,member0417,member0418,member0419,member0420,member0421,member0422,member0423,member0424,member0425,member0426,member0427,member0428,member0429,member0430,member0431,member0432,member0433,member0434,member0435,member0436,member0437,member0438,member0439,member0440,member0441,member0442,member0443,member0444,member0445,member0446,member0447,member0448,member0449,member0450,member0451,member0452,member0453,member0454,member0455,member0456,member0457,member0458,member0459,member0460,member0461,member0462,member0463,member0464,member0465,member0466,member0467,member0468,member0469,member0470,member0471,member0472,member0473,member0474,member0475,member0476,member0477,member0478,member0479,member0480,member0481,member0482,member0483,member0484,member0485,member0486,member0487,member0488,member0489,member0490,member0491,member0492,member0493,member0494,member0495,member0496,member0497,member0498,member0499,member0500,member0501,member0502,member0503,member0504,member0505,member0506,member0507,member0508,member0509,member0510,member0511,member0512,member0513,member0514,member0515,member0516,member0517,member0518,member0519,member0520,member0521,member0522,member0523,member0524,member0525,member0526,member0527,member0528,member0529,member0530,member0531,member0532,member0533,member0534,member0535,member0536,member0537,member0538,member053
9,member0540,member0541,member0542,member0543,member0544,member0545,member0546,member0547,member0548,member0549,member0550,member0551,member0552,member0553,member0554,member0555,member0556,member0557,member0558,member0559,member0560,member0561,member0562,member0563,member0564,member0565,member0566,member0567,member0568,member0569,member0570,member0571,member0572,member0573,member0574,member0575,member0576,member0577,member0578,member0579,member0580,member0581,member0582,member0583,member0584,member0585,member0586,member0587,member0588,member0589,member0590,member0591,member0592,member0593,member0594,member0595,member0596,member0597,member0598,member0599,member0600,member0601,member0602,member0603,member0604,member0605,member0606,member0607,member0608,member0609,member0610,member0611,member0612,member0613,member0614,member0615,member0616,member0617,member0618,member0619,member0620,member0621,member0622,member0623,member0624,member0625,member0626,member0627,member0628,member0629,member0630,member0631,member0632,member0633,member0634,member0635,member0636,member0637,member0638,member0639,member0640,member0641,member0642,member0643,member0644,member0645,member0646,member0647,member0648,member0649,member0650,member0651,member0652,member0653,member0654,member0655,member0656,member0657,member0658,member0659,member0660,member0661,member0662,member0663,member0664,member0665,member0666,member0667,member0668,member0669,member0670,member0671,member0672,member0673,member0674,member0675,member0676,member0677,member0678,member0679,member0680,member0681,member0682,member0683,member0684,member0685,member0686,member0687,member0688,member0689,member0690,member0691,member0692,member0693,member0694,member0695,member0696,member0697,member0698,member0699,member0700,member0701,member0702,member0703,member0704,member0705,member0706,member0707,member0708,member0709,member0710,member0711,member0712,member0713,member0714,member0715,member0716,member0717,member0718,member0719,member0720,member0
721,member0722,member0723,member0724,member0725,member0726,member0727,member0728,member0729,member0730,member0731,member0732,member0733,member0734,member0735,member0736,member0737,member0738,member0739,member0740,member0741,member0742,member0743,member0744,member0745,member0746,member0747,member0748,member0749,member0750,member0751,member0752,member0753,member0754,member0755,member0756,member0757,member0758,member0759,member0760,member0761,member0762,member0763,member0764,member0765,member0766,member0767,member0768,member0769,member0770,member0771,member0772,member0773,member0774,member0775,member0776,member0777,member0778,member0779,member0780,member0781,member0782,member0783,member0784,member0785,member0786,member0787,member0788,member0789,member0790,member0791,member0792,member0793,member0794,member0795,member0796,member0797,member0798,member0799,member0800,member0801,member0802,member0803,member0804,member0805,member0806,member0807,member0808,member0809,member0810,member0811,member0812,member0813,member0814,member0815,member0816,member0817,member0818,member0819,member0820,member0821,member0822,member0823,member0824,member0825,member0826,member0827,member0828,member0829,member0830,member0831,member0832,member0833,member0834,member0835,member0836,member0837,member0838,member0839,member0840,member0841,member0842,member0843,member0844,member0845,member0846,member0847,member0848,member0849,member0850,member0851,member0852,member0853,member0854,member0855,member0856,member0857,member0858,member0859,member0860,member0861,member0862,member0863,member0864,member0865,member0866,member0867,member0868,member0869,member0870,member0871,member0872,member0873,member0874,member0875,member0876,member0877,member0878,member0879,member0880,member0881,member0882,member0883,member0884,member0885,member0886,member0887,member0888,member0889,member0890,member0891,member0892,member0893,member0894,member0895,member0896,member0897,member0898,member0899,member0900,member0901,member0902,membe
r0903,member0904,member0905,member0906,member0907,member0908,member0909,member0910,member0911,member0912,member0913,member0914,member0915,member0916,member0917,member0918,member0919,member0920,member0921,member0922,member0923,member0924,member0925,member0926,member0927,member0928,member0929,member0930,member0931,member0932,member0933,member0934,member0935,member0936,member0937,member0938,member0939,member0940,member0941,member0942,member0943,member0944,member0945,member0946,member0947,member0948,member0949,member0950,member0951,member0952,member0953,member0954,member0955,member0956,member0957,member0958,member0959,member0960,member0961,member0962,member0963,member0964,member0965,member0966,member0967,member0968,member0969,member0970,member0971,member0972,member0973,member0974,member0975,member0976,member0977,member0978,member0979,member0980,member0981,member0982,member0983,member0984,member0985,member0986,member0987,member0988,member0989,member0990,member0991,member0992,member0993,member0994,member0995,member0996,member0997,member0998,member0999,member1000,member1001,member1002,member1003,member1004,member1005,member1006,member1007,member1008,member1009,member1010,member1011,member1012,member1013,member1014,member1015,member1016,member1017,member1018,member1019,member1020,member1021,member1022,member1023,member1024,member1025,member1026,member1027,member1028,member1029,member1030,member1031,member1032,member1033,member1034,member1035,member1036,member1037,member1038,member1039,member1040,member1041,member1042,member1043,member1044,member1045,member1046,member1047,member1048,member1049,member1050,member1051,member1052,member1053,member1054,member1055,member1056,member1057,member1058,member1059,member1060,member1061,member1062,member1063,member1064,member1065,member1066,member1067,member1068,member1069,member1070,member1071,member1072,member1073,member1074,member1075,member1076,member1077,member1078,member1079,member1080,member1081,member1082,member1083,member1084,mem
ber1085,member1086,member1087,member1088,member1089,member1090,member1091,member1092,member1093,member1094,member1095,member1096,member1097,member1098,member1099,member1100,member1101,member1102,member1103,member1104,member1105,member1106,member1107,member1108,member1109,member1110,member1111,member1112,member1113,member1114,member1115,member1116,member1117,member1118,member1119,member1120,member1121,member1122,member1123,member1124,member1125,member1126,member1127,member1128,member1129,member1130,member1131,member1132,member1133,member1134,member1135,member1136,member1137,member1138,member1139,member1140,member1141,member1142,member1143,member1144,member1145,member1146,member1147,member1148,member1149,member1150,member1151,member1152,member1153,member1154,member1155,member1156,member1157,member1158,member1159,member1160,member1161,member1162,member1163,member1164,member1165,member1166,member1167,member1168,member1169,member1170,member1171,member1172,member1173,member1174,member1175,member1176,member1177,member1178,member1179,member1180,member1181,member1182,member1183,member1184,member1185,member1186,member1187,member1188,member1189,member1190,member1191,member1192,member1193,member1194,member1195,member1196,member1197,member1198,member1199,member1200,member1201,member1202,member1203,member1204,member1205,member1206,member1207,member1208,member1209,member1210,member1211,member1212,member1213,member1214,member1215,member1216,member1217,member1218,member1219,member1220,member1221,member1222,member1223,member1224,member1225,member1226,member1227,member1228,member1229,member1230,member1231,member1232,member1233,member1234,member1235,member1236,member1237,member1238,member1239,member1240,member1241,member1242,member1243,member1244,member1245,member1246,member1247,member1248,member1249,member1250,member1251,member1252,member1253,member1254,member1255,member1256,member1257,member1258,member1259,member1260,member1261,member1262,member1263,member1264,member1265,member1266,m
ember1267,member1268,member1269,member1270,member1271,member1272,member1273,member1274,member1275,member1276,member1277,member1278,member1279,member1280,member1281,member1282,member1283,member1284,member1285,member1286,member1287,member1288,member1289,member1290,member1291,member1292,member1293,member1294,member1295,member1296,member1297,member1298,member1299,member1300,member1301,member1302,member1303,member1304,member1305,member1306,member1307,member1308,member1309,member1310,member1311,member1312,member1313,member1314,member1315,member1316,member1317,member1318,member1319,member1320,member1321,member1322,member1323,member1324,member1325,member1326,member1327,member1328,member1329,member1330,member1331,member1332,member1333,member1334,member1335,member1336,member1337,member1338,member1339,member1340,member1341,member1342,member1343,member1344,member1345,member1346,member1347,member1348,member1349,member1350,member1351,member1352,member1353,member1354,member1355,member1356,member1357,member1358,member1359,member1360,member1361,member1362,member1363,member1364,member1365,member1366,member1367,member1368,member1369,member1370,member1371,member1372,member1373,member1374,member1375,member1376,member1377,member1378,member1379,member1380,member1381,member1382,member1383,member1384,member1385,member1386,member1387,member1388,member1389,member1390,member1391,member1392,member1393,member1394,member1395,member1396,member1397,member1398,member1399,member1400,member1401,member1402,member1403,member1404,member1405,member1406,member1407,member1408,member1409,member1410,member1411,member1412,member1413,member1414,member1415,member1416,member1417,member1418,member1419,member1420,member1421,member1422,member1423,member1424,member1425,member1426,member1427,member1428,member1429,member1430,member1431,member1432,member1433,member1434,member1435,member1436,member1437,member1438,member1439,member1440,member1441,member1442,member1443,member1444,member1445,member1446,member1447,member1448
,member1449,member1450,member1451,member1452,member1453,member1454,member1455,member1456,member1457,member1458,member1459,member1460,member1461,member1462,member1463,member1464,member1465,member1466,member1467,member1468,member1469,member1470,member1471,member1472,member1473,member1474,member1475,member1476,member1477,member1478,member1479,member1480,member1481,member1482,member1483,member1484,member1485,member1486,member1487,member1488,member1489,member1490,member1491,member1492,member1493,member1494,member1495,member1496,member1497,member1498,member1499,member1500,member1501,member1502,member1503,member1504,member1505,member1506,member1507,member1508,member1509,member1510,member1511,member1512,member1513,member1514,member1515,member1516,member1517,member1518,member1519,member1520,member1521,member1522,member1523,member1524,member1525,member1526,member1527,member1528,member1529,member1530,member1531,member1532,member1533,member1534,member1535,member1536,member1537,member1538,member1539,member1540,member1541,member1542,member1543,member1544,member1545,member1546,member1547,member1548,member1549,member1550,member1551,member1552,member1553,member1554,member1555,member1556,member1557,member1558,member1559,member1560,member1561,member1562,member1563,member1564,member1565,member1566,member1567,member1568,member1569,member1570,member1571,member1572,member1573,member1574,member1575,member1576,member1577,member1578,member1579,member1580,member1581,member1582,member1583,member1584,member1585,member1586,member1587,member1588,member1589,member1590,member1591,member1592,member1593,member1594,member1595,member1596,member1597,member1598,member1599,member1600,member1601,member1602,member1603,member1604,member1605,member1606,member1607,member1608,member1609,member1610,member1611,member1612,member1613,member1614,member1615,member1616,member1617,member1618,member1619,member1620,member1621,member1622,member1623,member1624,member1625,member1626,member1627,member1628,member1629,member16
30,member1631,member1632,member1633,member1634,member1635,member1636,member1637,member1638,member1639,member1640,member1641,member1642,member1643,member1644,member1645,member1646,member1647,member1648,member1649,member1650,member1651,member1652,member1653,member1654,member1655,member1656,member1657,member1658,member1659,member1660,member1661,member1662,member1663,member1664,member1665,member1666,member1667,member1668,member1669,member1670,member1671,member1672,member1673,member1674,member1675,member1676,member1677,member1678,member1679,member1680,member1681,member1682,member1683,member1684,member1685,member1686,member1687,member1688,member1689,member1690,member1691,member1692,member1693,member1694,member1695,member1696,member1697,member1698,member1699,member1700,member1701,member1702,member1703,member1704,member1705,member1706,member1707,member1708,member1709,member1710,member1711,member1712,member1713,member1714,member1715,member1716,member1717,member1718,member1719,member1720,member1721,member1722,member1723,member1724,member1725,member1726,member1727,member1728,member1729,member1730,member1731,member1732,member1733,member1734,member1735,member1736,member1737,member1738,member1739,member1740,member1741,member1742,member1743,member1744,member1745,member1746,member1747,member1748,member1749,member1750,member1751,member1752,member1753,member1754,member1755,member1756,member1757,member1758,member1759,member1760,member1761,member1762,member1763,member1764,member1765,member1766,member1767,member1768,member1769,member1770,member1771,member1772,member1773,member1774,member1775,member1776,member1777,member1778,member1779,member1780,member1781,member1782,member1783,member1784,member1785,member1786,member1787,member1788,member1789,member1790,member1791,member1792,member1793,member1794,member1795,member1796,member1797,member1798,member1799,member1800,member1801,member1802,member1803,member1804,member1805,member1806,member1807,member1808,member1809,member1810,member1811,member
1812,member1813,member1814,member1815,member1816,member1817,member1818,member1819,member1820,member1821,member1822,member1823,member1824,member1825,member1826,member1827,member1828,member1829,member1830,member1831,member1832,member1833,member1834,member1835,member1836,member1837,member1838,member1839,member1840,member1841,member1842,member1843,member1844,member1845,member1846,member1847,member1848,member1849,member1850,member1851,member1852,member1853,member1854,member1855,member1856,member1857,member1858,member1859,member1860,member1861,member1862,member1863,member1864,member1865,member1866,member1867,member1868,member1869,member1870,member1871,member1872,member1873,member1874,member1875,member1876,member1877,member1878,member1879,member1880,member1881,member1882,member1883,member1884,member1885,member1886,member1887,member1888,member1889,member1890,member1891,member1892,member1893,member1894,member1895,member1896,member1897,member1898,member1899,member1900,member1901,member1902,member1903,member1904,member1905,member1906,member1907,member1908,member1909,member1910,member1911,member1912,member1913,member1914,member1915,member1916,member1917,member1918,member1919,member1920,member1921,member1922,member1923,member1924,member1925,member1926,member1927,member1928,member1929,member1930,member1931,member1932,member1933,member1934,member1935,member1936,member1937,member1938,member1939,member1940,member1941,member1942,member1943,member1944,member1945,member1946,member1947,member1948,member1949,member1950,member1951,member1952,member1953,member1954,member1955,member1956,member1957,member1958,member1959,member1960,member1961,member1962,member1963,member1964,member1965,member1966,member1967,member1968,member1969,member1970,member1971,member1972,member1973,member1974,member1975,member1976,member1977,member1978,member1979,member1980,member1981,member1982,member1983,member1984,member1985,member1986,member1987,member1988,member1989,member1990,member1991,member1992,member1993,memb
er1994,member1995,member1996,member1997,member1998,member1999,member2000, +group30000:x:30000:user_big +group30001:x:30001:user_big +group30002:x:30002:user_big +group30003:x:30003:user_big +group30004:x:30004:user_big +group30005:x:30005:user_big +group30006:x:30006:user_big +group30007:x:30007:user_big +group30008:x:30008:user_big +group30009:x:30009:user_big +group30010:x:30010:user_big +group30011:x:30011:user_big +group30012:x:30012:user_big +group30013:x:30013:user_big +group30014:x:30014:user_big +group30015:x:30015:user_big +group30016:x:30016:user_big +group30017:x:30017:user_big +group30018:x:30018:user_big +group30019:x:30019:user_big +group30020:x:30020:user_big +group30021:x:30021:user_big +group30022:x:30022:user_big +group30023:x:30023:user_big +group30024:x:30024:user_big +group30025:x:30025:user_big +group30026:x:30026:user_big +group30027:x:30027:user_big +group30028:x:30028:user_big +group30029:x:30029:user_big +group30030:x:30030:user_big +group30031:x:30031:user_big +group30032:x:30032:user_big +group30033:x:30033:user_big +group30034:x:30034:user_big +group30035:x:30035:user_big +group30036:x:30036:user_big +group30037:x:30037:user_big +group30038:x:30038:user_big +group30039:x:30039:user_big +group30040:x:30040:user_big +group30041:x:30041:user_big +group30042:x:30042:user_big +group30043:x:30043:user_big +group30044:x:30044:user_big +group30045:x:30045:user_big +group30046:x:30046:user_big +group30047:x:30047:user_big +group30048:x:30048:user_big +group30049:x:30049:user_big +group30050:x:30050:user_big +group30051:x:30051:user_big +group30052:x:30052:user_big +group30053:x:30053:user_big +group30054:x:30054:user_big +group30055:x:30055:user_big +group30056:x:30056:user_big +group30057:x:30057:user_big +group30058:x:30058:user_big +group30059:x:30059:user_big +group30060:x:30060:user_big +group30061:x:30061:user_big +group30062:x:30062:user_big +group30063:x:30063:user_big +group30064:x:30064:user_big +group30065:x:30065:user_big 
+group30066:x:30066:user_big +group30067:x:30067:user_big +group30068:x:30068:user_big +group30069:x:30069:user_big +group30070:x:30070:user_big +group30071:x:30071:user_big +group30072:x:30072:user_big +group30073:x:30073:user_big +group30074:x:30074:user_big +group30075:x:30075:user_big +group30076:x:30076:user_big +group30077:x:30077:user_big +group30078:x:30078:user_big +group30079:x:30079:user_big +group30080:x:30080:user_big +group30081:x:30081:user_big +group30082:x:30082:user_big +group30083:x:30083:user_big +group30084:x:30084:user_big +group30085:x:30085:user_big +group30086:x:30086:user_big +group30087:x:30087:user_big +group30088:x:30088:user_big +group30089:x:30089:user_big +group30090:x:30090:user_big +group30091:x:30091:user_big +group30092:x:30092:user_big +group30093:x:30093:user_big +group30094:x:30094:user_big +group30095:x:30095:user_big +group30096:x:30096:user_big +group30097:x:30097:user_big +group30098:x:30098:user_big +group30099:x:30099:user_big +group30100:x:30100:user_big +group30101:x:30101:user_big +group30102:x:30102:user_big +group30103:x:30103:user_big +group30104:x:30104:user_big +group30105:x:30105:user_big +group30106:x:30106:user_big +group30107:x:30107:user_big +group30108:x:30108:user_big +group30109:x:30109:user_big +group30110:x:30110:user_big +group30111:x:30111:user_big +group30112:x:30112:user_big +group30113:x:30113:user_big +group30114:x:30114:user_big +group30115:x:30115:user_big +group30116:x:30116:user_big +group30117:x:30117:user_big +group30118:x:30118:user_big +group30119:x:30119:user_big +group30120:x:30120:user_big +group30121:x:30121:user_big +group30122:x:30122:user_big +group30123:x:30123:user_big +group30124:x:30124:user_big +group30125:x:30125:user_big +group30126:x:30126:user_big +group30127:x:30127:user_big +group30128:x:30128:user_big +group30129:x:30129:user_big +group30130:x:30130:user_big +group30131:x:30131:user_big +group30132:x:30132:user_big +group30133:x:30133:user_big 
+group30134:x:30134:user_big +group30135:x:30135:user_big +group30136:x:30136:user_big +group30137:x:30137:user_big +group30138:x:30138:user_big +group30139:x:30139:user_big +group30140:x:30140:user_big +group30141:x:30141:user_big +group30142:x:30142:user_big +group30143:x:30143:user_big +group30144:x:30144:user_big +group30145:x:30145:user_big +group30146:x:30146:user_big +group30147:x:30147:user_big +group30148:x:30148:user_big +group30149:x:30149:user_big +group30150:x:30150:user_big +group30151:x:30151:user_big +group30152:x:30152:user_big +group30153:x:30153:user_big +group30154:x:30154:user_big +group30155:x:30155:user_big +group30156:x:30156:user_big +group30157:x:30157:user_big +group30158:x:30158:user_big +group30159:x:30159:user_big +group30160:x:30160:user_big +group30161:x:30161:user_big +group30162:x:30162:user_big +group30163:x:30163:user_big +group30164:x:30164:user_big +group30165:x:30165:user_big +group30166:x:30166:user_big +group30167:x:30167:user_big +group30168:x:30168:user_big +group30169:x:30169:user_big +group30170:x:30170:user_big +group30171:x:30171:user_big +group30172:x:30172:user_big +group30173:x:30173:user_big +group30174:x:30174:user_big +group30175:x:30175:user_big +group30176:x:30176:user_big +group30177:x:30177:user_big +group30178:x:30178:user_big +group30179:x:30179:user_big +group30180:x:30180:user_big +group30181:x:30181:user_big +group30182:x:30182:user_big +group30183:x:30183:user_big +group30184:x:30184:user_big +group30185:x:30185:user_big +group30186:x:30186:user_big +group30187:x:30187:user_big +group30188:x:30188:user_big +group30189:x:30189:user_big +group30190:x:30190:user_big +group30191:x:30191:user_big +group30192:x:30192:user_big +group30193:x:30193:user_big +group30194:x:30194:user_big +group30195:x:30195:user_big +group30196:x:30196:user_big +group30197:x:30197:user_big +group30198:x:30198:user_big +group30199:x:30199:user_big +group30200:x:30200:user_big +group30201:x:30201:user_big 
+group30202:x:30202:user_big +group30203:x:30203:user_big +group30204:x:30204:user_big +group30205:x:30205:user_big +group30206:x:30206:user_big +group30207:x:30207:user_big +group30208:x:30208:user_big +group30209:x:30209:user_big +group30210:x:30210:user_big +group30211:x:30211:user_big +group30212:x:30212:user_big +group30213:x:30213:user_big +group30214:x:30214:user_big +group30215:x:30215:user_big +group30216:x:30216:user_big +group30217:x:30217:user_big +group30218:x:30218:user_big +group30219:x:30219:user_big +group30220:x:30220:user_big +group30221:x:30221:user_big +group30222:x:30222:user_big +group30223:x:30223:user_big +group30224:x:30224:user_big +group30225:x:30225:user_big +group30226:x:30226:user_big +group30227:x:30227:user_big +group30228:x:30228:user_big +group30229:x:30229:user_big +group30230:x:30230:user_big +group30231:x:30231:user_big +group30232:x:30232:user_big +group30233:x:30233:user_big +group30234:x:30234:user_big +group30235:x:30235:user_big +group30236:x:30236:user_big +group30237:x:30237:user_big +group30238:x:30238:user_big +group30239:x:30239:user_big +group30240:x:30240:user_big +group30241:x:30241:user_big +group30242:x:30242:user_big +group30243:x:30243:user_big +group30244:x:30244:user_big +group30245:x:30245:user_big +group30246:x:30246:user_big +group30247:x:30247:user_big +group30248:x:30248:user_big +group30249:x:30249:user_big +group30250:x:30250:user_big +group30251:x:30251:user_big +group30252:x:30252:user_big +group30253:x:30253:user_big +group30254:x:30254:user_big +group30255:x:30255:user_big +group30256:x:30256:user_big +group30257:x:30257:user_big +group30258:x:30258:user_big +group30259:x:30259:user_big +group30260:x:30260:user_big +group30261:x:30261:user_big +group30262:x:30262:user_big +group30263:x:30263:user_big +group30264:x:30264:user_big +group30265:x:30265:user_big +group30266:x:30266:user_big +group30267:x:30267:user_big +group30268:x:30268:user_big +group30269:x:30269:user_big 
+group30270:x:30270:user_big +group30271:x:30271:user_big +group30272:x:30272:user_big +group30273:x:30273:user_big +group30274:x:30274:user_big +group30275:x:30275:user_big +group30276:x:30276:user_big +group30277:x:30277:user_big +group30278:x:30278:user_big +group30279:x:30279:user_big +group30280:x:30280:user_big +group30281:x:30281:user_big +group30282:x:30282:user_big +group30283:x:30283:user_big +group30284:x:30284:user_big +group30285:x:30285:user_big +group30286:x:30286:user_big +group30287:x:30287:user_big +group30288:x:30288:user_big +group30289:x:30289:user_big +group30290:x:30290:user_big +group30291:x:30291:user_big +group30292:x:30292:user_big +group30293:x:30293:user_big +group30294:x:30294:user_big +group30295:x:30295:user_big +group30296:x:30296:user_big +group30297:x:30297:user_big +group30298:x:30298:user_big +group30299:x:30299:user_big +group30300:x:30300:user_big +group30301:x:30301:user_big +group30302:x:30302:user_big +group30303:x:30303:user_big +group30304:x:30304:user_big +group30305:x:30305:user_big +group30306:x:30306:user_big +group30307:x:30307:user_big +group30308:x:30308:user_big +group30309:x:30309:user_big +group30310:x:30310:user_big +group30311:x:30311:user_big +group30312:x:30312:user_big +group30313:x:30313:user_big +group30314:x:30314:user_big +group30315:x:30315:user_big +group30316:x:30316:user_big +group30317:x:30317:user_big +group30318:x:30318:user_big +group30319:x:30319:user_big +group30320:x:30320:user_big +group30321:x:30321:user_big +group30322:x:30322:user_big +group30323:x:30323:user_big +group30324:x:30324:user_big +group30325:x:30325:user_big +group30326:x:30326:user_big +group30327:x:30327:user_big +group30328:x:30328:user_big +group30329:x:30329:user_big +group30330:x:30330:user_big +group30331:x:30331:user_big +group30332:x:30332:user_big +group30333:x:30333:user_big +group30334:x:30334:user_big +group30335:x:30335:user_big +group30336:x:30336:user_big +group30337:x:30337:user_big 
+group30338:x:30338:user_big +group30339:x:30339:user_big +group30340:x:30340:user_big +group30341:x:30341:user_big +group30342:x:30342:user_big +group30343:x:30343:user_big +group30344:x:30344:user_big +group30345:x:30345:user_big +group30346:x:30346:user_big +group30347:x:30347:user_big +group30348:x:30348:user_big +group30349:x:30349:user_big +group30350:x:30350:user_big +group30351:x:30351:user_big +group30352:x:30352:user_big +group30353:x:30353:user_big +group30354:x:30354:user_big +group30355:x:30355:user_big +group30356:x:30356:user_big +group30357:x:30357:user_big +group30358:x:30358:user_big +group30359:x:30359:user_big +group30360:x:30360:user_big +group30361:x:30361:user_big +group30362:x:30362:user_big +group30363:x:30363:user_big +group30364:x:30364:user_big +group30365:x:30365:user_big +group30366:x:30366:user_big +group30367:x:30367:user_big +group30368:x:30368:user_big +group30369:x:30369:user_big +group30370:x:30370:user_big +group30371:x:30371:user_big +group30372:x:30372:user_big +group30373:x:30373:user_big +group30374:x:30374:user_big +group30375:x:30375:user_big +group30376:x:30376:user_big +group30377:x:30377:user_big +group30378:x:30378:user_big +group30379:x:30379:user_big +group30380:x:30380:user_big +group30381:x:30381:user_big +group30382:x:30382:user_big +group30383:x:30383:user_big +group30384:x:30384:user_big +group30385:x:30385:user_big +group30386:x:30386:user_big +group30387:x:30387:user_big +group30388:x:30388:user_big +group30389:x:30389:user_big +group30390:x:30390:user_big +group30391:x:30391:user_big +group30392:x:30392:user_big +group30393:x:30393:user_big +group30394:x:30394:user_big +group30395:x:30395:user_big +group30396:x:30396:user_big +group30397:x:30397:user_big +group30398:x:30398:user_big +group30399:x:30399:user_big +group30400:x:30400:user_big +group30401:x:30401:user_big +group30402:x:30402:user_big +group30403:x:30403:user_big +group30404:x:30404:user_big +group30405:x:30405:user_big 
+group30406:x:30406:user_big +group30407:x:30407:user_big +group30408:x:30408:user_big +group30409:x:30409:user_big +group30410:x:30410:user_big +group30411:x:30411:user_big +group30412:x:30412:user_big +group30413:x:30413:user_big +group30414:x:30414:user_big +group30415:x:30415:user_big +group30416:x:30416:user_big +group30417:x:30417:user_big +group30418:x:30418:user_big +group30419:x:30419:user_big +group30420:x:30420:user_big +group30421:x:30421:user_big +group30422:x:30422:user_big +group30423:x:30423:user_big +group30424:x:30424:user_big +group30425:x:30425:user_big +group30426:x:30426:user_big +group30427:x:30427:user_big +group30428:x:30428:user_big +group30429:x:30429:user_big +group30430:x:30430:user_big +group30431:x:30431:user_big +group30432:x:30432:user_big +group30433:x:30433:user_big +group30434:x:30434:user_big +group30435:x:30435:user_big +group30436:x:30436:user_big +group30437:x:30437:user_big +group30438:x:30438:user_big +group30439:x:30439:user_big +group30440:x:30440:user_big +group30441:x:30441:user_big +group30442:x:30442:user_big +group30443:x:30443:user_big +group30444:x:30444:user_big +group30445:x:30445:user_big +group30446:x:30446:user_big +group30447:x:30447:user_big +group30448:x:30448:user_big +group30449:x:30449:user_big +group30450:x:30450:user_big +group30451:x:30451:user_big +group30452:x:30452:user_big +group30453:x:30453:user_big +group30454:x:30454:user_big +group30455:x:30455:user_big +group30456:x:30456:user_big +group30457:x:30457:user_big +group30458:x:30458:user_big +group30459:x:30459:user_big +group30460:x:30460:user_big +group30461:x:30461:user_big +group30462:x:30462:user_big +group30463:x:30463:user_big +group30464:x:30464:user_big +group30465:x:30465:user_big +group30466:x:30466:user_big +group30467:x:30467:user_big +group30468:x:30468:user_big +group30469:x:30469:user_big +group30470:x:30470:user_big +group30471:x:30471:user_big +group30472:x:30472:user_big +group30473:x:30473:user_big 
+group30474:x:30474:user_big +group30475:x:30475:user_big +group30476:x:30476:user_big +group30477:x:30477:user_big +group30478:x:30478:user_big +group30479:x:30479:user_big +group30480:x:30480:user_big +group30481:x:30481:user_big +group30482:x:30482:user_big +group30483:x:30483:user_big +group30484:x:30484:user_big +group30485:x:30485:user_big +group30486:x:30486:user_big +group30487:x:30487:user_big +group30488:x:30488:user_big +group30489:x:30489:user_big +group30490:x:30490:user_big +group30491:x:30491:user_big +group30492:x:30492:user_big +group30493:x:30493:user_big +group30494:x:30494:user_big +group30495:x:30495:user_big +group30496:x:30496:user_big +group30497:x:30497:user_big +group30498:x:30498:user_big +group30499:x:30499:user_big +group30500:x:30500:user_big +group30501:x:30501:user_big +group30502:x:30502:user_big +group30503:x:30503:user_big +group30504:x:30504:user_big +group30505:x:30505:user_big +group30506:x:30506:user_big +group30507:x:30507:user_big +group30508:x:30508:user_big +group30509:x:30509:user_big +group30510:x:30510:user_big +group30511:x:30511:user_big +group30512:x:30512:user_big +group30513:x:30513:user_big +group30514:x:30514:user_big +group30515:x:30515:user_big +group30516:x:30516:user_big +group30517:x:30517:user_big +group30518:x:30518:user_big +group30519:x:30519:user_big +group30520:x:30520:user_big +group30521:x:30521:user_big +group30522:x:30522:user_big +group30523:x:30523:user_big +group30524:x:30524:user_big +group30525:x:30525:user_big +group30526:x:30526:user_big +group30527:x:30527:user_big +group30528:x:30528:user_big +group30529:x:30529:user_big +group30530:x:30530:user_big +group30531:x:30531:user_big +group30532:x:30532:user_big +group30533:x:30533:user_big +group30534:x:30534:user_big +group30535:x:30535:user_big +group30536:x:30536:user_big +group30537:x:30537:user_big +group30538:x:30538:user_big +group30539:x:30539:user_big +group30540:x:30540:user_big +group30541:x:30541:user_big 
+group30542:x:30542:user_big +group30543:x:30543:user_big +group30544:x:30544:user_big +group30545:x:30545:user_big +group30546:x:30546:user_big +group30547:x:30547:user_big +group30548:x:30548:user_big +group30549:x:30549:user_big +group30550:x:30550:user_big +group30551:x:30551:user_big +group30552:x:30552:user_big +group30553:x:30553:user_big +group30554:x:30554:user_big +group30555:x:30555:user_big +group30556:x:30556:user_big +group30557:x:30557:user_big +group30558:x:30558:user_big +group30559:x:30559:user_big +group30560:x:30560:user_big +group30561:x:30561:user_big +group30562:x:30562:user_big +group30563:x:30563:user_big +group30564:x:30564:user_big +group30565:x:30565:user_big +group30566:x:30566:user_big +group30567:x:30567:user_big +group30568:x:30568:user_big +group30569:x:30569:user_big +group30570:x:30570:user_big +group30571:x:30571:user_big +group30572:x:30572:user_big +group30573:x:30573:user_big +group30574:x:30574:user_big +group30575:x:30575:user_big +group30576:x:30576:user_big +group30577:x:30577:user_big +group30578:x:30578:user_big +group30579:x:30579:user_big +group30580:x:30580:user_big +group30581:x:30581:user_big +group30582:x:30582:user_big +group30583:x:30583:user_big +group30584:x:30584:user_big +group30585:x:30585:user_big +group30586:x:30586:user_big +group30587:x:30587:user_big +group30588:x:30588:user_big +group30589:x:30589:user_big +group30590:x:30590:user_big +group30591:x:30591:user_big +group30592:x:30592:user_big +group30593:x:30593:user_big +group30594:x:30594:user_big +group30595:x:30595:user_big +group30596:x:30596:user_big +group30597:x:30597:user_big +group30598:x:30598:user_big +group30599:x:30599:user_big +group30600:x:30600:user_big +group30601:x:30601:user_big +group30602:x:30602:user_big +group30603:x:30603:user_big +group30604:x:30604:user_big +group30605:x:30605:user_big +group30606:x:30606:user_big +group30607:x:30607:user_big +group30608:x:30608:user_big +group30609:x:30609:user_big 
+group30610:x:30610:user_big +group30611:x:30611:user_big +group30612:x:30612:user_big +group30613:x:30613:user_big +group30614:x:30614:user_big +group30615:x:30615:user_big +group30616:x:30616:user_big +group30617:x:30617:user_big +group30618:x:30618:user_big +group30619:x:30619:user_big +group30620:x:30620:user_big +group30621:x:30621:user_big +group30622:x:30622:user_big +group30623:x:30623:user_big +group30624:x:30624:user_big +group30625:x:30625:user_big +group30626:x:30626:user_big +group30627:x:30627:user_big +group30628:x:30628:user_big +group30629:x:30629:user_big +group30630:x:30630:user_big +group30631:x:30631:user_big +group30632:x:30632:user_big +group30633:x:30633:user_big +group30634:x:30634:user_big +group30635:x:30635:user_big +group30636:x:30636:user_big +group30637:x:30637:user_big +group30638:x:30638:user_big +group30639:x:30639:user_big +group30640:x:30640:user_big +group30641:x:30641:user_big +group30642:x:30642:user_big +group30643:x:30643:user_big +group30644:x:30644:user_big +group30645:x:30645:user_big +group30646:x:30646:user_big +group30647:x:30647:user_big +group30648:x:30648:user_big +group30649:x:30649:user_big +group30650:x:30650:user_big +group30651:x:30651:user_big +group30652:x:30652:user_big +group30653:x:30653:user_big +group30654:x:30654:user_big +group30655:x:30655:user_big +group30656:x:30656:user_big +group30657:x:30657:user_big +group30658:x:30658:user_big +group30659:x:30659:user_big +group30660:x:30660:user_big +group30661:x:30661:user_big +group30662:x:30662:user_big +group30663:x:30663:user_big +group30664:x:30664:user_big +group30665:x:30665:user_big +group30666:x:30666:user_big +group30667:x:30667:user_big +group30668:x:30668:user_big +group30669:x:30669:user_big +group30670:x:30670:user_big +group30671:x:30671:user_big +group30672:x:30672:user_big +group30673:x:30673:user_big +group30674:x:30674:user_big +group30675:x:30675:user_big +group30676:x:30676:user_big +group30677:x:30677:user_big 
+group30678:x:30678:user_big +group30679:x:30679:user_big +group30680:x:30680:user_big +group30681:x:30681:user_big +group30682:x:30682:user_big +group30683:x:30683:user_big +group30684:x:30684:user_big +group30685:x:30685:user_big +group30686:x:30686:user_big +group30687:x:30687:user_big +group30688:x:30688:user_big +group30689:x:30689:user_big +group30690:x:30690:user_big +group30691:x:30691:user_big +group30692:x:30692:user_big +group30693:x:30693:user_big +group30694:x:30694:user_big +group30695:x:30695:user_big +group30696:x:30696:user_big +group30697:x:30697:user_big +group30698:x:30698:user_big +group30699:x:30699:user_big +group30700:x:30700:user_big +group30701:x:30701:user_big +group30702:x:30702:user_big +group30703:x:30703:user_big +group30704:x:30704:user_big +group30705:x:30705:user_big +group30706:x:30706:user_big +group30707:x:30707:user_big +group30708:x:30708:user_big +group30709:x:30709:user_big +group30710:x:30710:user_big +group30711:x:30711:user_big +group30712:x:30712:user_big +group30713:x:30713:user_big +group30714:x:30714:user_big +group30715:x:30715:user_big +group30716:x:30716:user_big +group30717:x:30717:user_big +group30718:x:30718:user_big +group30719:x:30719:user_big +group30720:x:30720:user_big +group30721:x:30721:user_big +group30722:x:30722:user_big +group30723:x:30723:user_big +group30724:x:30724:user_big +group30725:x:30725:user_big +group30726:x:30726:user_big +group30727:x:30727:user_big +group30728:x:30728:user_big +group30729:x:30729:user_big +group30730:x:30730:user_big +group30731:x:30731:user_big +group30732:x:30732:user_big +group30733:x:30733:user_big +group30734:x:30734:user_big +group30735:x:30735:user_big +group30736:x:30736:user_big +group30737:x:30737:user_big +group30738:x:30738:user_big +group30739:x:30739:user_big +group30740:x:30740:user_big +group30741:x:30741:user_big +group30742:x:30742:user_big +group30743:x:30743:user_big +group30744:x:30744:user_big +group30745:x:30745:user_big 
+group30746:x:30746:user_big +group30747:x:30747:user_big +group30748:x:30748:user_big +group30749:x:30749:user_big +group30750:x:30750:user_big +group30751:x:30751:user_big +group30752:x:30752:user_big +group30753:x:30753:user_big +group30754:x:30754:user_big +group30755:x:30755:user_big +group30756:x:30756:user_big +group30757:x:30757:user_big +group30758:x:30758:user_big +group30759:x:30759:user_big +group30760:x:30760:user_big +group30761:x:30761:user_big +group30762:x:30762:user_big +group30763:x:30763:user_big +group30764:x:30764:user_big +group30765:x:30765:user_big +group30766:x:30766:user_big +group30767:x:30767:user_big +group30768:x:30768:user_big +group30769:x:30769:user_big +group30770:x:30770:user_big +group30771:x:30771:user_big +group30772:x:30772:user_big +group30773:x:30773:user_big +group30774:x:30774:user_big +group30775:x:30775:user_big +group30776:x:30776:user_big +group30777:x:30777:user_big +group30778:x:30778:user_big +group30779:x:30779:user_big +group30780:x:30780:user_big +group30781:x:30781:user_big +group30782:x:30782:user_big +group30783:x:30783:user_big +group30784:x:30784:user_big +group30785:x:30785:user_big +group30786:x:30786:user_big +group30787:x:30787:user_big +group30788:x:30788:user_big +group30789:x:30789:user_big +group30790:x:30790:user_big +group30791:x:30791:user_big +group30792:x:30792:user_big +group30793:x:30793:user_big +group30794:x:30794:user_big +group30795:x:30795:user_big +group30796:x:30796:user_big +group30797:x:30797:user_big +group30798:x:30798:user_big +group30799:x:30799:user_big +group30800:x:30800:user_big +group30801:x:30801:user_big +group30802:x:30802:user_big +group30803:x:30803:user_big +group30804:x:30804:user_big +group30805:x:30805:user_big +group30806:x:30806:user_big +group30807:x:30807:user_big +group30808:x:30808:user_big +group30809:x:30809:user_big +group30810:x:30810:user_big +group30811:x:30811:user_big +group30812:x:30812:user_big +group30813:x:30813:user_big 
+group30814:x:30814:user_big +group30815:x:30815:user_big +group30816:x:30816:user_big +group30817:x:30817:user_big +group30818:x:30818:user_big +group30819:x:30819:user_big +group30820:x:30820:user_big +group30821:x:30821:user_big +group30822:x:30822:user_big +group30823:x:30823:user_big +group30824:x:30824:user_big +group30825:x:30825:user_big +group30826:x:30826:user_big +group30827:x:30827:user_big +group30828:x:30828:user_big +group30829:x:30829:user_big +group30830:x:30830:user_big +group30831:x:30831:user_big +group30832:x:30832:user_big +group30833:x:30833:user_big +group30834:x:30834:user_big +group30835:x:30835:user_big +group30836:x:30836:user_big +group30837:x:30837:user_big +group30838:x:30838:user_big +group30839:x:30839:user_big +group30840:x:30840:user_big +group30841:x:30841:user_big +group30842:x:30842:user_big +group30843:x:30843:user_big +group30844:x:30844:user_big +group30845:x:30845:user_big +group30846:x:30846:user_big +group30847:x:30847:user_big +group30848:x:30848:user_big +group30849:x:30849:user_big +group30850:x:30850:user_big +group30851:x:30851:user_big +group30852:x:30852:user_big +group30853:x:30853:user_big +group30854:x:30854:user_big +group30855:x:30855:user_big +group30856:x:30856:user_big +group30857:x:30857:user_big +group30858:x:30858:user_big +group30859:x:30859:user_big +group30860:x:30860:user_big +group30861:x:30861:user_big +group30862:x:30862:user_big +group30863:x:30863:user_big +group30864:x:30864:user_big +group30865:x:30865:user_big +group30866:x:30866:user_big +group30867:x:30867:user_big +group30868:x:30868:user_big +group30869:x:30869:user_big +group30870:x:30870:user_big +group30871:x:30871:user_big +group30872:x:30872:user_big +group30873:x:30873:user_big +group30874:x:30874:user_big +group30875:x:30875:user_big +group30876:x:30876:user_big +group30877:x:30877:user_big +group30878:x:30878:user_big +group30879:x:30879:user_big +group30880:x:30880:user_big +group30881:x:30881:user_big 
+group30882:x:30882:user_big +group30883:x:30883:user_big +group30884:x:30884:user_big +group30885:x:30885:user_big +group30886:x:30886:user_big +group30887:x:30887:user_big +group30888:x:30888:user_big +group30889:x:30889:user_big +group30890:x:30890:user_big +group30891:x:30891:user_big +group30892:x:30892:user_big +group30893:x:30893:user_big +group30894:x:30894:user_big +group30895:x:30895:user_big +group30896:x:30896:user_big +group30897:x:30897:user_big +group30898:x:30898:user_big +group30899:x:30899:user_big +group30900:x:30900:user_big +group30901:x:30901:user_big +group30902:x:30902:user_big +group30903:x:30903:user_big +group30904:x:30904:user_big +group30905:x:30905:user_big +group30906:x:30906:user_big +group30907:x:30907:user_big +group30908:x:30908:user_big +group30909:x:30909:user_big +group30910:x:30910:user_big +group30911:x:30911:user_big +group30912:x:30912:user_big +group30913:x:30913:user_big +group30914:x:30914:user_big +group30915:x:30915:user_big +group30916:x:30916:user_big +group30917:x:30917:user_big +group30918:x:30918:user_big +group30919:x:30919:user_big +group30920:x:30920:user_big +group30921:x:30921:user_big +group30922:x:30922:user_big +group30923:x:30923:user_big +group30924:x:30924:user_big +group30925:x:30925:user_big +group30926:x:30926:user_big +group30927:x:30927:user_big +group30928:x:30928:user_big +group30929:x:30929:user_big +group30930:x:30930:user_big +group30931:x:30931:user_big +group30932:x:30932:user_big +group30933:x:30933:user_big +group30934:x:30934:user_big +group30935:x:30935:user_big +group30936:x:30936:user_big +group30937:x:30937:user_big +group30938:x:30938:user_big +group30939:x:30939:user_big +group30940:x:30940:user_big +group30941:x:30941:user_big +group30942:x:30942:user_big +group30943:x:30943:user_big +group30944:x:30944:user_big +group30945:x:30945:user_big +group30946:x:30946:user_big +group30947:x:30947:user_big +group30948:x:30948:user_big +group30949:x:30949:user_big 
+group30950:x:30950:user_big +group30951:x:30951:user_big +group30952:x:30952:user_big +group30953:x:30953:user_big +group30954:x:30954:user_big +group30955:x:30955:user_big +group30956:x:30956:user_big +group30957:x:30957:user_big +group30958:x:30958:user_big +group30959:x:30959:user_big +group30960:x:30960:user_big +group30961:x:30961:user_big +group30962:x:30962:user_big +group30963:x:30963:user_big +group30964:x:30964:user_big +group30965:x:30965:user_big +group30966:x:30966:user_big +group30967:x:30967:user_big +group30968:x:30968:user_big +group30969:x:30969:user_big +group30970:x:30970:user_big +group30971:x:30971:user_big +group30972:x:30972:user_big +group30973:x:30973:user_big +group30974:x:30974:user_big +group30975:x:30975:user_big +group30976:x:30976:user_big +group30977:x:30977:user_big +group30978:x:30978:user_big +group30979:x:30979:user_big +group30980:x:30980:user_big +group30981:x:30981:user_big +group30982:x:30982:user_big +group30983:x:30983:user_big +group30984:x:30984:user_big +group30985:x:30985:user_big +group30986:x:30986:user_big +group30987:x:30987:user_big +group30988:x:30988:user_big +group30989:x:30989:user_big +group30990:x:30990:user_big +group30991:x:30991:user_big +group30992:x:30992:user_big +group30993:x:30993:user_big +group30994:x:30994:user_big +group30995:x:30995:user_big +group30996:x:30996:user_big +group30997:x:30997:user_big +group30998:x:30998:user_big +group30999:x:30999:user_big -- 2.1.0 From sbose at redhat.com Tue Jul 7 13:49:13 2015 
From: sbose at redhat.com (Sumit Bose)
Date: Tue, 7 Jul 2015 15:49:13 +0200
Subject: [Freeipa-devel] [PATCHES 145-148] ipa-kdb: add unit-test for filter_logon_info()
In-Reply-To: <55645AC3.9050304@redhat.com>
References: <20150526113340.GP3943@p.redhat.com> <55645AC3.9050304@redhat.com>
Message-ID: <20150707134913.GH22480@p.redhat.com>

On Tue, May 26, 2015 at 01:36:35PM +0200, Martin Kosek wrote:
> On 05/26/2015 01:33 PM, Sumit Bose wrote:
> >Hi,
> >
> >these patches add some unit tests and some additional improvements
> >related to the issues described in
> >https://bugzilla.redhat.com/show_bug.cgi?id=1222475 . The original issue
> >is fixed by a patch from Alexander attached to the ticket.
> >
> >The first patch converts the existing check-based test to cmocka. If I
> >see it correctly all check-based tests are converted now.
> 
> Cool! Before pushing, we should also reference ticket
> https://fedorahosted.org/freeipa/ticket/4922
> in the patch (no need to rebase right now).
> 
> >
> >The second adds tests for filter_logon_info() where the original issue
> >occurred. The wrong behavior in filter_logon_info() caused a crash in
> >dom_sid_string() which is made a bit more robust together with
> >string_to_sid() in the 3rd patch. The last patch adds unit tests for
> >those two calls as well.

New version rebased on one-way trust patches attached. Please note that
the unit-test will fail with the initial version of the one-way trust
patches which does not allow an empty group list in the PAC.

bye,
Sumit
-------------- next part --------------
From 4a31cfdd848e0ef51ee32817e634340d1e90c97f Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Wed, 20 May 2015 18:31:19 +0200
Subject: [PATCH 145/148] ipa-kdb: convert test to cmocka

---
 daemons/ipa-kdb/Makefile.am           |   6 +-
 daemons/ipa-kdb/tests/ipa_kdb_tests.c | 129 ++++++++++++----------------------
 2 files changed, 48 insertions(+), 87 deletions(-)
diff --git a/daemons/ipa-kdb/Makefile.am b/daemons/ipa-kdb/Makefile.am index 80747491f8315a9cb0b38965423ba5d160946278..a4ea366b01b248d3f0fbc0b694e02d00c2e4c3d1 100644 --- a/daemons/ipa-kdb/Makefile.am +++ b/daemons/ipa-kdb/Makefile.am @@ -55,7 +55,7 @@ ipadb_la_LIBADD = \ $(NSS_LIBS) \ $(NULL) -if HAVE_CHECK +if HAVE_CMOCKA TESTS = ipa_kdb_tests check_PROGRAMS = ipa_kdb_tests endif @@ -73,9 +73,9 @@ ipa_kdb_tests_SOURCES = \ ipa_kdb_audit_as.c \ $(KRB5_UTIL_SRCS) \ $(NULL) -ipa_kdb_tests_CFLAGS = $(CHECK_CFLAGS) +ipa_kdb_tests_CFLAGS = $(CMOCKA_CFLAGS) ipa_kdb_tests_LDADD = \ - $(CHECK_LIBS) \ + $(CMOCKA_LIBS) \ $(KRB5_LIBS) \ $(LDAP_LIBS) \ $(NDRPAC_LIBS) \ diff --git a/daemons/ipa-kdb/tests/ipa_kdb_tests.c b/daemons/ipa-kdb/tests/ipa_kdb_tests.c index e1ae06a6e359e65873241116581f028f1a4e1bf3..1ff1cd49a4e409545ee908f0f7842520ae82e0a0 100644 --- a/daemons/ipa-kdb/tests/ipa_kdb_tests.c +++ b/daemons/ipa-kdb/tests/ipa_kdb_tests.c 
@@ -1,49 +1,30 @@ -/** BEGIN COPYRIGHT BLOCK - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program. If not, see . - * - * Additional permission under GPLv3 section 7: - * - * In the following paragraph, "GPL" means the GNU General Public - * License, version 3 or any later version, and "Non-GPL Code" means - * code that is governed neither by the GPL nor a license - * compatible with the GPL. - * - * You may link the code of this Program with Non-GPL Code and convey - * linked combinations including the two, provided that such Non-GPL - * Code only links to the code of this Program through those well - * defined interfaces identified in the file named EXCEPTION found in - * the source code files (the "Approved Interfaces"). The files of - * Non-GPL Code may instantiate templates or use macros or inline - * functions from the Approved Interfaces without causing the resulting - * work to be covered by the GPL. Only the copyright holders of this - * Program may make changes or additions to the list of Approved - * Interfaces. - * - * Authors: - * Sumit Bose - * - * Copyright (C) 2013 Red Hat, Inc. - * All rights reserved. 
- * END COPYRIGHT BLOCK **/ +/* + Authors: + Sumit Bose -#include -#include + Copyright (C) 2015 Red Hat + + ipa-kdb tests + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include #include -#include -#include -#include -#include +#include +#include +#include #include "ipa-kdb/ipa_kdb.h" @@ -74,7 +55,7 @@ int krb5_klog_syslog(int l, const char *format, ...) extern void get_authz_data_types(krb5_context context, krb5_db_entry *entry, bool *with_pac, bool *with_pad); -START_TEST(test_get_authz_data_types) +void test_get_authz_data_types(void **state) { bool with_pac; bool with_pad; 
@@ -100,40 +81,40 @@ START_TEST(test_get_authz_data_types) with_pad = true; get_authz_data_types(NULL, NULL, NULL, &with_pad); - fail_unless(!with_pad, "with_pad not false with NULL inuput."); + assert_false(with_pad); with_pac = true; get_authz_data_types(NULL, NULL, &with_pac, NULL); - fail_unless(!with_pac, "with_pac not false with NULL inuput."); + assert_false(with_pad); with_pad = true; with_pac = true; get_authz_data_types(NULL, NULL, &with_pac, &with_pad); - fail_unless(!with_pad, "with_pad not false with NULL inuput."); - fail_unless(!with_pac, "with_pac not false with NULL inuput."); + assert_false(with_pac); + assert_false(with_pad); entry = calloc(1, sizeof(krb5_db_entry)); - fail_unless(entry != NULL, "calloc krb5_db_entry failed."); + assert_non_null(entry); ied = calloc(1, sizeof(struct ipadb_e_data)); - fail_unless(ied != NULL, "calloc struct ipadb_e_data failed."); + assert_non_null(ied); entry->e_data = (void *) ied; kerr = krb5_init_context(&krb5_ctx); - fail_unless(kerr == 0, "krb5_init_context failed."); + assert_int_equal(kerr, 0); kerr = krb5_db_setup_lib_handle(krb5_ctx); - fail_unless(kerr == 0, "krb5_db_setup_lib_handle failed.\n"); + assert_int_equal(kerr, 0); ipa_ctx = calloc(1, sizeof(struct ipadb_context)); - fail_unless(ipa_ctx != NULL, "calloc failed.\n"); + assert_non_null(ipa_ctx); ipa_ctx->kcontext = krb5_ctx; kerr = krb5_db_set_context(krb5_ctx, ipa_ctx); - fail_unless(kerr == 0, "krb5_db_set_context failed.\n"); + assert_int_equal(kerr, 0); kerr = krb5_parse_name(krb5_ctx, NFS_PRINC_STRING, &nfs_princ); - fail_unless(kerr == 0, "krb5_parse_name failed."); + assert_int_equal(kerr, 0); kerr = krb5_parse_name(krb5_ctx, NON_NFS_PRINC_STRING, &non_nfs_princ); - fail_unless(kerr == 0, "krb5_parse_name failed."); + assert_int_equal(kerr, 0); struct test_set { char **authz_data; 
@@ -179,12 +160,8 @@ START_TEST(test_get_authz_data_types) ipa_ctx->config.last_update = time(NULL); entry->princ = test_set[c].princ; get_authz_data_types(krb5_ctx, entry, &with_pac, &with_pad); - fail_unless(with_pad == test_set[c].exp_with_pad, "with_pad not %s %s.", - test_set[c].exp_with_pad ? "true" : "false", - test_set[c].err_msg); - fail_unless(with_pac == test_set[c].exp_with_pac, "with_pac not %s %s.", - test_set[c].exp_with_pac ? "true" : "false", - test_set[c].err_msg); + assert_true(with_pad == test_set[c].exp_with_pad); + assert_true(with_pac == test_set[c].exp_with_pac); } krb5_free_principal(krb5_ctx, nfs_princ); @@ -192,28 +169,12 @@ START_TEST(test_get_authz_data_types) krb5_db_fini(krb5_ctx); krb5_free_context(krb5_ctx); } -END_TEST -Suite * ipa_kdb_suite(void) +int main(int argc, const char *argv[]) { - Suite *s = suite_create("IPA kdb"); + const UnitTest tests[] = { + unit_test(test_get_authz_data_types), + }; - TCase *tc_helper = tcase_create("Helper functions"); - tcase_add_test(tc_helper, test_get_authz_data_types); - suite_add_tcase(s, tc_helper); - - return s; -} - -int main(void) -{ - int number_failed; - - Suite *s = ipa_kdb_suite (); - SRunner *sr = srunner_create (s); - srunner_run_all (sr, CK_VERBOSE); - number_failed = srunner_ntests_failed (sr); - srunner_free (sr); - - return (number_failed == 0) ? EXIT_SUCCESS : EXIT_FAILURE; + return run_tests(tests); } -- 2.1.0 -------------- next part -------------- From b34502fc964f197b0792b8d387bdb99c0b7f8521 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Tue, 26 May 2015 10:26:28 +0200 Subject: [PATCH 146/148] ipa-kdb: add unit-test for filter_logon_info() --- daemons/ipa-kdb/ipa_kdb_mspac.c | 41 ++--- daemons/ipa-kdb/ipa_kdb_mspac_private.h | 57 +++++++ daemons/ipa-kdb/tests/ipa_kdb_tests.c | 275 +++++++++++++++++++++++++++++--- 3 files changed, 323 insertions(+), 50 deletions(-) create mode 100644 daemons/ipa-kdb/ipa_kdb_mspac_private.h 
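Review bot: the commit message of PATCH 145/148 still carries no ticket reference, although the quoted review asked for https://fedorahosted.org/freeipa/ticket/4922 to be referenced in the patch before pushing; since the series was rebased anyway, add the ticket URL to the message now rather than fixing it up at push time.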
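Review bot: the Makefile.am hunk switches the conditional to HAVE_CMOCKA and the flags to CMOCKA_CFLAGS/CMOCKA_LIBS, but the patch does not touch configure.ac, so it relies on those being defined already for the other cmocka-based tests; worth confirming, and once this last check-based test is gone the HAVE_CHECK conditional and the detection of the check library can be dropped from configure.ac in the same patch so that the build dependency goes away with it.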
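Review bot: the @@ -1,49 +1,30 @@ hunk of ipa_kdb_tests.c replaces the 2013 copyright block with a 2015 one and silently drops the "Additional permission under GPLv3 section 7" paragraph; a test-framework conversion should not change licensing terms or the year of original authorship, so either keep the existing block (or state 2013-2015) or call the change out explicitly in the commit message.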
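Review bot: the @@ -100,40 +81,40 @@ hunk introduces a wrong assertion. After `with_pac = true; get_authz_data_types(NULL, NULL, &with_pac, NULL);` the old `fail_unless(!with_pac, ...)` became `assert_false(with_pad);`, which checks the variable the previous call already cleared and therefore passes whatever the function does to with_pac. It should read `assert_false(with_pac);`.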
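Review bot: in the @@ -179,12 +160,8 @@ hunk the per-case diagnostics are lost: the old fail_unless calls printed test_set[c].err_msg and the expected value, while `assert_true(with_pad == test_set[c].exp_with_pad)` only reports that a comparison was false, with no hint which table entry failed. Use `assert_int_equal(with_pad, test_set[c].exp_with_pad)` (and the same for with_pac) so cmocka prints both values, and print the index or err_msg with print_message() before the assertions; if err_msg is no longer used anywhere after this change, drop the field from struct test_set.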
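Review bot: the new main() uses the original cmocka API (`UnitTest`, `unit_test()`, `run_tests()`), which cmocka 1.0 deprecated in favour of `struct CMUnitTest`, `cmocka_unit_test()` and `cmocka_run_group_tests()`; a fresh conversion should start on the current API instead of collecting deprecation warnings later. The argc/argv parameters of main() are unused and can go as well.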
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c index df19880d37f9c006c6ec3a5e392d9eeecb1e45cb..ca110fd662990835aa7ef27f99148f3c47a43942 100644 --- a/daemons/ipa-kdb/ipa_kdb_mspac.c +++ b/daemons/ipa-kdb/ipa_kdb_mspac.c @@ -28,31 +28,7 @@ #include "util/time.h" #include "gen_ndr/ndr_krb5pac.h" -struct ipadb_adtrusts { - char *domain_name; - char *flat_name; - char *domain_sid; - struct dom_sid domsid; - struct dom_sid *sid_blacklist_incoming; - int len_sid_blacklist_incoming; - struct dom_sid *sid_blacklist_outgoing; - int len_sid_blacklist_outgoing; - struct ipadb_adtrusts *parent; - char *parent_name; -}; - -struct ipadb_mspac { - char *flat_domain_name; - char *flat_server_name; - struct dom_sid domsid; - - char *fallback_group; - uint32_t fallback_rid; - - int num_trusts; - struct ipadb_adtrusts *trusts; - time_t last_update; -}; +#include "ipa_kdb_mspac_private.h" static char *user_pac_attrs[] = { "objectClass", @@ -113,10 +89,11 @@ static struct { #define AUTHZ_DATA_TYPE_PAD "PAD" #define AUTHZ_DATA_TYPE_NONE "NONE" -static int string_to_sid(char *str, struct dom_sid *sid) +int string_to_sid(const char *str, struct dom_sid *sid) { unsigned long val; - char *s, *t; + const char *s; + char *t; int i; memset(sid, '\0', sizeof(struct dom_sid)); @@ -174,7 +151,7 @@ static int string_to_sid(char *str, struct dom_sid *sid) return 0; } -static char *dom_sid_string(TALLOC_CTX *memctx, const struct dom_sid *dom_sid) +char *dom_sid_string(TALLOC_CTX *memctx, const struct dom_sid *dom_sid) { size_t c; size_t len; 
@@ -1333,10 +1310,10 @@ static void filter_logon_info_log_message_rid(struct dom_sid *sid, uint32_t rid) } } -static krb5_error_code filter_logon_info(krb5_context context, - TALLOC_CTX *memctx, - krb5_data realm, - struct PAC_LOGON_INFO_CTR *info) +krb5_error_code filter_logon_info(krb5_context context, + TALLOC_CTX *memctx, + krb5_data realm, + struct PAC_LOGON_INFO_CTR *info) { /* We must refuse a PAC that comes signed with a cross realm TGT diff --git a/daemons/ipa-kdb/ipa_kdb_mspac_private.h b/daemons/ipa-kdb/ipa_kdb_mspac_private.h new file mode 100644 index 0000000000000000000000000000000000000000..be04071762316643d687e80986db0d7510e53ded --- /dev/null +++ b/daemons/ipa-kdb/ipa_kdb_mspac_private.h 
@@ -0,0 +1,57 @@ +/* + * MIT Kerberos KDC database backend for FreeIPA + * This head file contains private declarations for ipa_kdb_mspac.c and should + * be used only there or in unit-test. + * + * Authors: Sumit Bose + * + * see file 'COPYING' for use and warranty information + * + * This program is free software you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + */ + + +#ifndef _IPA_KDB_MSPAC_PRIVATE_H_ +#define _IPA_KDB_MSPAC_PRIVATE_H_ + +struct ipadb_mspac { + char *flat_domain_name; + char *flat_server_name; + struct dom_sid domsid; + + char *fallback_group; + uint32_t fallback_rid; + + int num_trusts; + struct ipadb_adtrusts *trusts; + time_t last_update; +}; + +struct ipadb_adtrusts { + char *domain_name; + char *flat_name; + char *domain_sid; + struct dom_sid domsid; + struct dom_sid *sid_blacklist_incoming; + int len_sid_blacklist_incoming; + struct dom_sid *sid_blacklist_outgoing; + int len_sid_blacklist_outgoing; + struct ipadb_adtrusts *parent; + char *parent_name; +}; + +int string_to_sid(const char *str, struct dom_sid *sid); +char *dom_sid_string(TALLOC_CTX *memctx, const struct dom_sid *dom_sid); + +#endif /* _IPA_KDB_MSPAC_PRIVATE_H_ */ diff --git a/daemons/ipa-kdb/tests/ipa_kdb_tests.c b/daemons/ipa-kdb/tests/ipa_kdb_tests.c index 1ff1cd49a4e409545ee908f0f7842520ae82e0a0..7b9b85d2cf7fcc2478a522eccf686b3e2582447e 100644 --- a/daemons/ipa-kdb/tests/ipa_kdb_tests.c +++ b/daemons/ipa-kdb/tests/ipa_kdb_tests.c 
@@ -22,11 +22,19 @@ #include #include +#include #include +#include #include #include +#include + +#include "gen_ndr/ndr_krb5pac.h" +#include "gen_ndr/netlogon.h" + #include "ipa-kdb/ipa_kdb.h" +#include "ipa-kdb/ipa_kdb_mspac_private.h" #define NFS_PRINC_STRING "nfs/fully.qualified.host.name at REALM.NAME" #define NON_NFS_PRINC_STRING "abcdef/fully.qualified.host.name at REALM.NAME" 
@@ -52,6 +60,240 @@ int krb5_klog_syslog(int l, const char *format, ...) return 0; } +struct test_ctx { + krb5_context krb5_ctx; +}; + +#define DOMAIN_NAME "my.domain" +#define REALM "MY.DOMAIN" +#define REALM_LEN (sizeof(REALM) - 1) +#define FLAT_NAME "MYDOM" +#define DOM_SID "S-1-5-21-1-2-3" +#define DOM_SID_TRUST "S-1-5-21-4-5-6" +#define BLACKLIST_SID "S-1-5-1" + +void setup(void **state) +{ + int ret; + krb5_context krb5_ctx; + krb5_error_code kerr; + struct ipadb_context *ipa_ctx; + struct test_ctx *test_ctx; + + kerr = krb5_init_context(&krb5_ctx); + assert_int_equal(kerr, 0); + kerr = krb5_db_setup_lib_handle(krb5_ctx); + assert_int_equal(kerr, 0); + + ipa_ctx = calloc(1, sizeof(struct ipadb_context)); + assert_non_null(ipa_ctx); + + ipa_ctx->mspac = calloc(1, sizeof(struct ipadb_mspac)); + assert_non_null(ipa_ctx->mspac); + + /* make sure data is not read from LDAP */ + ipa_ctx->mspac->last_update = time(NULL) - 1; + + ret = string_to_sid(DOM_SID, &ipa_ctx->mspac->domsid); + assert_int_equal(ret, 0); + + ipa_ctx->mspac->num_trusts = 1; + ipa_ctx->mspac->trusts = calloc(1, sizeof(struct ipadb_adtrusts)); + assert_non_null(ipa_ctx->mspac->trusts); + + ipa_ctx->mspac->trusts[0].domain_name = strdup(DOMAIN_NAME); + assert_non_null(ipa_ctx->mspac->trusts[0].domain_name); + + ipa_ctx->mspac->trusts[0].flat_name = strdup(FLAT_NAME); + assert_non_null(ipa_ctx->mspac->trusts[0].flat_name); + + ipa_ctx->mspac->trusts[0].domain_sid = strdup(DOM_SID_TRUST); + assert_non_null(ipa_ctx->mspac->trusts[0].domain_sid); + + ret = string_to_sid(DOM_SID_TRUST, &ipa_ctx->mspac->trusts[0].domsid); + assert_int_equal(ret, 0); + + ipa_ctx->mspac->trusts[0].len_sid_blacklist_incoming = 1; + ipa_ctx->mspac->trusts[0].sid_blacklist_incoming = calloc( + ipa_ctx->mspac->trusts[0].len_sid_blacklist_incoming, + sizeof(struct dom_sid)); + assert_non_null(ipa_ctx->mspac->trusts[0].sid_blacklist_incoming); + ret = string_to_sid(BLACKLIST_SID, + 
&ipa_ctx->mspac->trusts[0].sid_blacklist_incoming[0]); + assert_int_equal(ret, 0); + + struct dom_sid *sid_blacklist_incoming; + int len_sid_blacklist_incoming; + + ipa_ctx->kcontext = krb5_ctx; + kerr = krb5_db_set_context(krb5_ctx, ipa_ctx); + assert_int_equal(kerr, 0); + + test_ctx = talloc(NULL, struct test_ctx); + assert_non_null(test_ctx); + + test_ctx->krb5_ctx = krb5_ctx; + + *state = test_ctx; +} + +void teardown(void **state) +{ + struct test_ctx *test_ctx; + struct ipadb_context *ipa_ctx; + + test_ctx = (struct test_ctx *) *state; + + ipa_ctx = ipadb_get_context(test_ctx->krb5_ctx); + assert_non_null(ipa_ctx); + ipadb_mspac_struct_free(&ipa_ctx->mspac); + + krb5_db_fini(test_ctx->krb5_ctx); + krb5_free_context(test_ctx->krb5_ctx); + + talloc_free(test_ctx); +} + +extern krb5_error_code filter_logon_info(krb5_context context, + TALLOC_CTX *memctx, + krb5_data realm, + struct PAC_LOGON_INFO_CTR *info); + +void test_filter_logon_info(void **state) +{ + krb5_error_code kerr; + krb5_data realm = {KV5M_DATA, REALM_LEN, REALM}; + struct test_ctx *test_ctx; + struct PAC_LOGON_INFO_CTR *info; + int ret; + struct dom_sid dom_sid; + size_t c; + size_t d; + + test_ctx = (struct test_ctx *) *state; + + info = talloc_zero(test_ctx, struct PAC_LOGON_INFO_CTR); + assert_non_null(info); + info->info = talloc_zero(info, struct PAC_LOGON_INFO); + assert_non_null(info->info); + + /* wrong flat name */ + info->info->info3.base.logon_domain.string = talloc_strdup(info->info, + "WRONG"); + assert_non_null(info->info->info3.base.logon_domain.string); + + kerr = filter_logon_info(test_ctx->krb5_ctx, test_ctx, realm, info); + assert_int_equal(kerr, EINVAL); + + info->info->info3.base.logon_domain.string = talloc_strdup(info->info, + FLAT_NAME); + assert_non_null(info->info->info3.base.logon_domain.string); + + /* missing domain SID */ + kerr = filter_logon_info(test_ctx->krb5_ctx, test_ctx, realm, info); + assert_int_equal(kerr, EINVAL); + + /* wrong domain SID */ + ret = 
string_to_sid("S-1-5-21-1-1-1", &dom_sid); + assert_int_equal(ret, 0); + info->info->info3.base.domain_sid = &dom_sid; + + kerr = filter_logon_info(test_ctx->krb5_ctx, test_ctx, realm, info); + assert_int_equal(kerr, EINVAL); + + /* matching domain SID */ + ret = string_to_sid(DOM_SID_TRUST, &dom_sid); + assert_int_equal(ret, 0); + info->info->info3.base.domain_sid = &dom_sid; + + kerr = filter_logon_info(test_ctx->krb5_ctx, test_ctx, realm, info); + assert_int_equal(kerr, 0); + + /* empty SIDs */ + info->info->info3.sidcount = 3; + info->info->info3.sids = talloc_zero_array(info->info, + struct netr_SidAttr, + info->info->info3.sidcount); + assert_non_null(info->info->info3.sids); + for(c = 0; c < info->info->info3.sidcount; c++) { + info->info->info3.sids[c].sid = talloc_zero(info->info->info3.sids, + struct dom_sid2); + assert_non_null(info->info->info3.sids[c].sid); + } + + kerr = filter_logon_info(test_ctx->krb5_ctx, NULL, realm, info); + assert_int_equal(kerr, 0); + assert_int_equal(info->info->info3.sidcount, 3); + + struct test_data { + size_t sidcount; + const char *sids[3]; + size_t exp_sidcount; + const char *exp_sids[3]; + } test_data[] = { + /* only allowed SIDs */ + {3, {DOM_SID_TRUST"-1000", DOM_SID_TRUST"-1001", DOM_SID_TRUST"-1002"}, + 3, {DOM_SID_TRUST"-1000", DOM_SID_TRUST"-1001", DOM_SID_TRUST"-1002"}}, + /* last SID filtered */ + {3, {DOM_SID_TRUST"-1000", DOM_SID_TRUST"-1001", BLACKLIST_SID"-1002"}, + 2, {DOM_SID_TRUST"-1000", DOM_SID_TRUST"-1001"}}, + /* center SID filtered */ + {3, {DOM_SID_TRUST"-1000", BLACKLIST_SID"-1001", DOM_SID_TRUST"-1002"}, + 2, {DOM_SID_TRUST"-1000", DOM_SID_TRUST"-1002"}}, + /* first SID filtered */ + {3, {BLACKLIST_SID"-1000", DOM_SID_TRUST"-1001", DOM_SID_TRUST"-1002"}, + 2, {DOM_SID_TRUST"-1001", DOM_SID_TRUST"-1002"}}, + /* first and last SID filtered */ + {3, {BLACKLIST_SID"-1000", DOM_SID_TRUST"-1001", BLACKLIST_SID"-1002"}, + 1, {DOM_SID_TRUST"-1001"}}, + /* two SIDs in a rwo filtered */ + {3, 
{BLACKLIST_SID"-1000", BLACKLIST_SID"-1001", DOM_SID_TRUST"-1002"}, + 1, {DOM_SID_TRUST"-1002"}}, + /* all SIDs filtered*/ + {3, {BLACKLIST_SID"-1000", BLACKLIST_SID"-1001", BLACKLIST_SID"-1002"}, + 0, NULL}, + {0, NULL, 0 , NULL} + }; + + for (c = 0; test_data[c].sidcount != 0; c++) { + talloc_free(info->info->info3.sids); + + info->info->info3.sidcount = test_data[c].sidcount; + info->info->info3.sids = talloc_zero_array(info->info, + struct netr_SidAttr, + info->info->info3.sidcount); + assert_non_null(info->info->info3.sids); + for(d = 0; d < info->info->info3.sidcount; d++) { + info->info->info3.sids[d].sid = talloc_zero(info->info->info3.sids, + struct dom_sid2); + assert_non_null(info->info->info3.sids[d].sid); + } + + for (d = 0; d < info->info->info3.sidcount; d++) { + ret = string_to_sid(test_data[c].sids[d], + info->info->info3.sids[d].sid); + assert_int_equal(ret, 0); + } + + kerr = filter_logon_info(test_ctx->krb5_ctx, NULL, realm, info); + assert_int_equal(kerr, 0); + assert_int_equal(info->info->info3.sidcount, test_data[c].exp_sidcount); + if (test_data[c].exp_sidcount == 0) { + assert_null(info->info->info3.sids); + } else { + for (d = 0; d < test_data[c].exp_sidcount; d++) { + assert_string_equal(test_data[c].exp_sids[d], + dom_sid_string(info->info->info3.sids, + info->info->info3.sids[d].sid)); + } + } + } + + + talloc_free(info); + +} + extern void get_authz_data_types(krb5_context context, krb5_db_entry *entry, bool *with_pac, bool *with_pad); @@ -76,6 +318,11 @@ void test_get_authz_data_types(void **state) struct ipadb_context *ipa_ctx; krb5_principal nfs_princ; krb5_principal non_nfs_princ; + struct test_ctx *test_ctx; + + test_ctx = (struct test_ctx *) *state; + ipa_ctx = ipadb_get_context(test_ctx->krb5_ctx); + assert_non_null(ipa_ctx); get_authz_data_types(NULL, NULL, NULL, NULL); 
@@ -100,20 +347,11 @@ void test_get_authz_data_types(void **state) assert_non_null(ied); entry->e_data = (void *) ied; - kerr = krb5_init_context(&krb5_ctx); - assert_int_equal(kerr, 0); - kerr = krb5_db_setup_lib_handle(krb5_ctx); - assert_int_equal(kerr, 0); - ipa_ctx = calloc(1, sizeof(struct ipadb_context)); - assert_non_null(ipa_ctx); - ipa_ctx->kcontext = krb5_ctx; - kerr = krb5_db_set_context(krb5_ctx, ipa_ctx); - assert_int_equal(kerr, 0); - - kerr = krb5_parse_name(krb5_ctx, NFS_PRINC_STRING, &nfs_princ); + kerr = krb5_parse_name(test_ctx->krb5_ctx, NFS_PRINC_STRING, &nfs_princ); assert_int_equal(kerr, 0); - kerr = krb5_parse_name(krb5_ctx, NON_NFS_PRINC_STRING, &non_nfs_princ); + kerr = krb5_parse_name(test_ctx->krb5_ctx, NON_NFS_PRINC_STRING, + &non_nfs_princ); assert_int_equal(kerr, 0); struct test_set { @@ -159,21 +397,22 @@ void test_get_authz_data_types(void **state) /* Set last_update to avoid LDAP lookups during tests */ ipa_ctx->config.last_update = time(NULL); entry->princ = test_set[c].princ; - get_authz_data_types(krb5_ctx, entry, &with_pac, &with_pad); + get_authz_data_types(test_ctx->krb5_ctx, entry, &with_pac, &with_pad); assert_true(with_pad == test_set[c].exp_with_pad); assert_true(with_pac == test_set[c].exp_with_pac); } - krb5_free_principal(krb5_ctx, nfs_princ); - krb5_free_principal(krb5_ctx, non_nfs_princ); - krb5_db_fini(krb5_ctx); - krb5_free_context(krb5_ctx); + free(ied); + free(entry); + krb5_free_principal(test_ctx->krb5_ctx, nfs_princ); + krb5_free_principal(test_ctx->krb5_ctx, non_nfs_princ); } int main(int argc, const char *argv[]) { const UnitTest tests[] = { - unit_test(test_get_authz_data_types), + unit_test_setup_teardown(test_get_authz_data_types, setup, teardown), + unit_test_setup_teardown(test_filter_logon_info, setup, teardown), }; return run_tests(tests); -- 2.1.0 -------------- next part -------------- From e4c6a3b480b8b3a3d655f47ba5b758a5279981e8 Mon Sep 17 00:00:00 2001 
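Review bot: the new daemons/ipa-kdb/ipa_kdb_mspac_private.h hunk declares struct ipadb_mspac and struct ipadb_adtrusts with struct dom_sid, TALLOC_CTX, uint32_t and time_t members and prototypes using them, but the header includes nothing itself, so it only compiles when the includer has already pulled in talloc.h, the dom_sid definition and <stdint.h>/<time.h>; either add those includes to the header or state the required include order in its top comment. That comment also reads "This head file" for "header file", and the GPL sentence is missing its semicolon ("free software; you can redistribute").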
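Review bot: in the @@ -52,6 +60,240 @@ hunk of ipa_kdb_tests.c, setup() declares `struct dom_sid *sid_blacklist_incoming;` and `int len_sid_blacklist_incoming;` in the middle of the function, after the blacklist has already been filled, and never uses them; they look like leftovers and should go. In the same hunk the test_data table initialises the `const char *sids[3]` / `exp_sids[3]` arrays with a bare NULL (`0, NULL}` and the `{0, NULL, 0 , NULL}` terminator), which relies on brace elision and warns under -Wmissing-braces; `{NULL}` says what is meant. The hand-written `extern krb5_error_code filter_logon_info(...)` prototype in the test file duplicates a signature that this same patch could put into ipa_kdb_mspac_private.h next to string_to_sid()/dom_sid_string(), so the two cannot drift apart. Also "two SIDs in a rwo filtered" should read "row".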
From: Sumit Bose Date: Tue, 26 May 2015 13:00:26 +0200 Subject: [PATCH 147/148] ipa-kdb: make string_to_sid() and dom_sid_string() more robust --- daemons/ipa-kdb/ipa_kdb_mspac.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c index ca110fd662990835aa7ef27f99148f3c47a43942..abbc7ac7f0adf76da5823d0813ecf2e10622cd7d 100644 --- a/daemons/ipa-kdb/ipa_kdb_mspac.c +++ b/daemons/ipa-kdb/ipa_kdb_mspac.c @@ -96,6 +96,10 @@ int string_to_sid(const char *str, struct dom_sid *sid) char *t; int i; + if (str == NULL) { + return EINVAL; + } + memset(sid, '\0', sizeof(struct dom_sid)); s = str; @@ -159,13 +163,18 @@ char *dom_sid_string(TALLOC_CTX *memctx, const struct dom_sid *dom_sid) uint32_t ia; char *buf; - if (dom_sid == NULL) { + if (dom_sid == NULL + || dom_sid->num_auths < 0 + || dom_sid->num_auths > SID_SUB_AUTHS) { return NULL; } len = 25 + dom_sid->num_auths * 11; buf = talloc_zero_size(memctx, len); + if (buf == NULL) { + return NULL; + } ia = (dom_sid->id_auth[5]) + (dom_sid->id_auth[4] << 8 ) + -- 2.1.0 -------------- next part -------------- From aff3c985a7e3ea6bef691db3d0578aae1a7013a1 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Tue, 26 May 2015 13:01:13 +0200 Subject: [PATCH 148/148] ipa-kdb: add unit_tests for string_to_sid() and dom_sid_string() --- daemons/ipa-kdb/tests/ipa_kdb_tests.c | 60 +++++++++++++++++++++++++++++++++++ 1 file changed, 60 insertions(+) diff --git a/daemons/ipa-kdb/tests/ipa_kdb_tests.c b/daemons/ipa-kdb/tests/ipa_kdb_tests.c index 7b9b85d2cf7fcc2478a522eccf686b3e2582447e..edd4ae0975628d6b3abe9bab2852c990c9a8c590 100644 --- a/daemons/ipa-kdb/tests/ipa_kdb_tests.c +++ b/daemons/ipa-kdb/tests/ipa_kdb_tests.c 
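Review bot: in the string_to_sid() hunk the new `if (str == NULL) return EINVAL;` guards the input string, but the function still calls memset(sid, ...) unconditionally, so a NULL sid parameter crashes even though the function is now exported beyond this file; checking `sid == NULL` in the same condition costs nothing. The dom_sid_string() hunk's range check on num_auths (0..SID_SUB_AUTHS) is the right guard for `len = 25 + dom_sid->num_auths * 11`, and the NULL check after talloc_zero_size() closes a previously unchecked allocation.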
@@ -408,11 +408,71 @@ void test_get_authz_data_types(void **state) krb5_free_principal(test_ctx->krb5_ctx, non_nfs_princ); } +void test_string_to_sid(void **state) +{ + int ret; + struct dom_sid sid; + struct dom_sid exp_sid = {1, 5, {0, 0, 0, 0, 0, 5}, + {21, 2127521184, 1604012920, 1887927527, 72713, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}}; + + ret = string_to_sid(NULL, &sid); + assert_int_equal(ret, EINVAL); + + ret = string_to_sid("abc", &sid); + assert_int_equal(ret, EINVAL); + + ret = string_to_sid("S-", &sid); + assert_int_equal(ret, EINVAL); + + ret = string_to_sid("S-ABC", &sid); + assert_int_equal(ret, EINVAL); + + ret = string_to_sid("S-123", &sid); + assert_int_equal(ret, EINVAL); + + ret = string_to_sid("S-1-123-1-2-3-4-5-6-7-8-9-0-1-2-3-4-5-6", &sid); + assert_int_equal(ret, EINVAL); + + ret = string_to_sid("S-1-5-21-2127521184-1604012920-1887927527-72713", + &sid); + assert_int_equal(ret, 0); + assert_memory_equal(&exp_sid, &sid, sizeof(struct dom_sid)); +} + +void test_dom_sid_string(void **state) +{ + struct test_ctx *test_ctx; + char *str_sid; + struct dom_sid test_sid = {1, 5, {0, 0, 0, 0, 0, 5}, + {21, 2127521184, 1604012920, 1887927527, 72713, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}}; + + test_ctx = (struct test_ctx *) *state; + + str_sid = dom_sid_string(test_ctx, NULL); + assert_null(str_sid); + + str_sid = dom_sid_string(test_ctx, &test_sid); + assert_non_null(str_sid); + assert_string_equal(str_sid, + "S-1-5-21-2127521184-1604012920-1887927527-72713"); + + test_sid.num_auths = -3; + str_sid = dom_sid_string(test_ctx, &test_sid); + + test_sid.num_auths = 16; + str_sid = dom_sid_string(test_ctx, &test_sid); +} + + int main(int argc, const char *argv[]) { const UnitTest tests[] = { unit_test_setup_teardown(test_get_authz_data_types, setup, teardown), unit_test_setup_teardown(test_filter_logon_info, setup, teardown), + unit_test(test_string_to_sid), + unit_test_setup_teardown(test_dom_sid_string, setup, teardown), }; return run_tests(tests); -- 2.1.0 From 
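Review bot: in test_dom_sid_string() the two out-of-range cases (`test_sid.num_auths = -3;` and `test_sid.num_auths = 16;`) call dom_sid_string() but never check the result, so the bounds check added in the previous patch is executed but not verified and a regression there would pass silently; add `assert_null(str_sid);` after each call. For symmetry, test_string_to_sid() could also cover a NULL sid argument, since the NULL str case is the only robustness case it exercises.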
cheimes at redhat.com Tue Jul 7 14:05:08 2015 
From: cheimes at redhat.com (Christian Heimes) Date: Tue, 07 Jul 2015 16:05:08 +0200 Subject: [Freeipa-devel] error handling in httpd.service and ipa-httpd-kdcproxy In-Reply-To: <1436276467.7030.68.camel@willson.usersys.redhat.com> References: <559AA03B.7030700@redhat.com> <85D05384-E18A-4061-B7FE-1C7DD35E1D57@redhat.com> <1436276467.7030.68.camel@willson.usersys.redhat.com> Message-ID: <559BDC94.3020206@redhat.com> On 2015-07-07 15:41, Simo Sorce wrote: > On Tue, 2015-07-07 at 08:48 -0400, Nathaniel McCallum wrote: >>> On Jul 6, 2015, at 11:35 AM, Christian Heimes wrote: >>> >>> Hello, >>> >>> I like to ask for your opinion regarding the pre-exec hook >>> 'ipa-httpd-kdcproxy' in httpd.service. Alex has asked me to handle error >>> cases like LDAP connection timeout more gracefully. At the moment any >>> error causes the script to return a non-zero exit code. This breaks the >>> service and apparently also offline RPM upgrades. >>> >>> How should I handle error cases? I can change httpd.service to simply >>> ignore the exit code of ipa-httpd-kdcproxy. But that might lead to an >>> invalid state. I could modify the script to catch connection errors and >>> to disable kdcproxy in case of an error. >>> >>> The options are: >>> >>> 1) httpd.service ignores exit code of ipa-httpd-kdcproxy >>> 2) ipa-httpd-kdcproxy removes kdcproxy config file in case of a >>> connection error >>> 3) 1 + 2 >>> >>> What do you think? >> >> If ipa-httpd-kdcproxy cannot contact LDAP, kdcproxy MUST NOT be >> enabled. So #2. >> >> However, ipa-httpd-kdcproxy should leave error codes to real >> catastrophic failures and http.service should be aware of these. So >> not #1. >> >> Nathaniel >> > > IMO it is ok for httpd to fail to start if the kdc-proxy cannot contact > LDAP, because other stuff will fail too if that's the case anyway. > > In fact I had to change my replica promotion patches to account for this > as it was failing here, for various reasons, on one restart during the > install. 
:-) Without LDAP none of the IPA services in Apache are usable. From that perspective it doesn't make much of a difference. However Alexander is worried about a different thing. When LDAP isn't running or GSSAPI fails, then the service can't be restarted and offline RPM update fails. We can either fix the offline update problem in the spec file (ignore systemctl failures) or in the ipa-httpd-kdcproxy script. Since my script is new and changes behavior, I'm reluctant to say that I'm to blame. :) Christian -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 455 bytes Desc: OpenPGP digital signature URL: From cheimes at redhat.com Tue Jul 7 14:11:53 2015 From: cheimes at redhat.com (Christian Heimes) Date: Tue, 07 Jul 2015 16:11:53 +0200 Subject: [Freeipa-devel] [PATCH] 004 Improve error handling in ipa-httpd-kdcproxy Message-ID: <559BDE29.9030208@redhat.com> Hi, the patch addresses the error handling of ipa-httpd-kdcproxy as discussed in the other thread. Christian -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-cheimes-0004-Improve-error-handling-in-ipa-httpd-kdcproxy.patch Type: text/x-patch Size: 5280 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 455 bytes Desc: OpenPGP digital signature URL: From npmccallum at redhat.com Tue Jul 7 14:17:32 2015
From: npmccallum at redhat.com (Nathaniel McCallum) Date: Tue, 7 Jul 2015 10:17:32 -0400 Subject: [Freeipa-devel] [PATCH] 004 Improve error handling in ipa-httpd-kdcproxy In-Reply-To: <559BDE29.9030208@redhat.com> References: <559BDE29.9030208@redhat.com> Message-ID: This LGTM. However, I'll let Alexander give the ACK. > On Jul 7, 2015, at 10:11 AM, Christian Heimes wrote: > > Hi, > > the patch addresses the error handling of ipa-httpd-kdcproxy as > discussed in the other thread. > > Christian > -- > Manage your subscription for the Freeipa-devel mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-devel > Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code From abokovoy at redhat.com Tue Jul 7 14:28:23 2015 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Tue, 7 Jul 2015 17:28:23 +0300 Subject: [Freeipa-devel] [PATCH] 004 Improve error handling in ipa-httpd-kdcproxy In-Reply-To: References: <559BDE29.9030208@redhat.com> Message-ID: <20150707142823.GE21928@redhat.com> On Tue, 07 Jul 2015, Nathaniel McCallum wrote: >This LGTM. However, I'll let Alexander give the ACK. Looks good for me too. -- / Alexander Bokovoy -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 473 bytes Desc: not available URL: From tbabej at redhat.com Tue Jul 7 14:28:50 2015
From: tbabej at redhat.com (Tomas Babej) Date: Tue, 07 Jul 2015 16:28:50 +0200 Subject: [Freeipa-devel] [PATCH 0051] Clear SSSD caches when uninstalling the client In-Reply-To: <1435678824.7621.58.camel@willson.usersys.redhat.com> References: <5571BA2C.4050601@redhat.com> <20150605150836.GK9480@hendrix.arn.redhat.com> <20150605155324.GL9480@hendrix.arn.redhat.com> <20150629114639.GB6442@hendrix.redhat.com> <55914D1E.2070600@redhat.com> <559276BE.5080801@redhat.com> <559278A3.7010005@redhat.com> <55927B34.1080603@redhat.com> <1435668459.7621.53.camel@willson.usersys.redhat.com> <55929713.40409@redhat.com> <5592A361.2020804@redhat.com> <1435678824.7621.58.camel@willson.usersys.redhat.com> Message-ID: <559BE222.1020405@redhat.com> On 06/30/2015 05:40 PM, Simo Sorce wrote: > On Tue, 2015-06-30 at 16:10 +0200, Martin Basti wrote: >> On 30/06/15 15:18, Martin Basti wrote: >>> On 30/06/15 14:47, Simo Sorce wrote: >>>> On Tue, 2015-06-30 at 13:19 +0200, Tomas Babej wrote: >>>>> On 06/30/2015 01:08 PM, Martin Basti wrote: >>>>>> On 30/06/15 13:00, Tomas Babej wrote: >>>>>>> On 06/29/2015 03:50 PM, Martin Basti wrote: >>>>>>>> On 29/06/15 13:46, Jakub Hrozek wrote: >>>>>>>>> On Fri, Jun 05, 2015 at 11:31:54AM -0600, Gabe Alford wrote: >>>>>>>>>> Thanks. Updated patch attached. >>>>>>>>>> >>>>>>>>>> On Fri, Jun 5, 2015 at 9:53 AM, Jakub Hrozek >>>>>>>>>> wrote: >>>>>>>>>> >>>>>>>>>>> On Fri, Jun 05, 2015 at 09:46:05AM -0600, Gabe Alford wrote: >>>>>>>>>>>> How should ? >>>>>>>>>>>> https://www.redhat.com/archives/freeipa-users/2015-June/msg00116.html >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> be >>>>>>>>>>>> handled where the user cleared out the db cache? >>>>>>>>>>> Ah, I confused that one with another issue Jan Pazdziora had, >>>>>>>>>>> which was >>>>>>>>>>> incidentally about client uninstall as well. >>>>>>>>>>> >>>>>>>>>>> In that case, you can just remove the single ldb file that >>>>>>>>>>> corresponds >>>>>>>>>>> to the domain that the client is leaving. 
Maybe it would be safer >>>>>>>>>>> to mv >>>>>>>>>>> the files instead of remove them, but I guess if you run >>>>>>>>>>> --uninstall, >>>>>>>>>>> you really want just to purge everything.. >>>>>>>>>>> >>>>>>>>>>> btw do the ipa installer tools support multiple domains at all? >>>>>>>>>>> >>>>>>>>>>> -- >>>>>>>>>>> Manage your subscription for the Freeipa-devel mailing list: >>>>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel >>>>>>>>>>> Contribute to FreeIPA: >>>>>>>>>>> http://www.freeipa.org/page/Contribute/Code >>>>>>>>>>> >>>>>>>>>> From 40f7c3780baaf0b42d10c94c8527c9359a42247f Mon Sep 17 >>>>>>>>>> 00:00:00 >>>>>>>>>> 2001 >>>>>>>>>> From: Gabe >>>>>>>>>> Date: Fri, 5 Jun 2015 11:27:46 -0600 >>>>>>>>>> Subject: [PATCH] Clear SSSD caches when uninstalling the client >>>>>>>>>> >>>>>>>>>> https://fedorahosted.org/freeipa/ticket/5049 >>>>>>>>> Conceptually LGTM, but I haven't tested the patch. >>>>>>>>> >>>>>>>> ACK, I did testing. >>>>>>>> >>>>>>> Pushed to master: 37729936dd6fe9c3396cbb8a682a4674af8b5537 >>>>>>> >>>>>>> For ipa-4-1 the patch requires a rebase. >>>>>> Rebased patch for ipa-4-1 attached. >>>>>> >>>>> Pushed to ipa-4-1: 222427cb37a037f24ca76a9bcf614a2711a2ba96 >>>>> >>>> This patch break ipa-client-install --uninstall when the first part of >>>> sssd uninstall fails, and exception is thrown and we 'pass', but then >>>> domain is not set and we use it. >>>> >>>> Please revert or fix it. >>>> >>>> Simo. >>>> >>> I will fix it. >>> >> Fix attached. > > Tested on my server and it seem to work correctly. > Code-wise also LGTM. > > ACK. > Simo. > Pushed to master: 6fa123447f8acfbbdb442a1cbac38997a8e81208 Pushed to ipa-4-1: 56db66371eaa4995fa2a672663d9b8ff1520f63d From abokovoy at redhat.com Tue Jul 7 14:31:07 2015 
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Tue, 7 Jul 2015 17:31:07 +0300 Subject: [Freeipa-devel] [PATCH] 0180-0190 oneway trust and other trust-related patches In-Reply-To: <20150707103524.GV11876@redhat.com> References: <20150707103524.GV11876@redhat.com> Message-ID: <20150707143107.GF21928@redhat.com> On Tue, 07 Jul 2015, Alexander Bokovoy wrote: > Hi, > > attached are patches to introduce one-way trust support and few more to > fix currently outstanding trust-related bugs. > > More details are in the commit messages. > > For oddjobd-activated helper, if you want to test the one-way trust > setup, you need to put SELinux into permissive. We have bugs for both > Fedora and RHEL to add the policy > (https://bugzilla.redhat.com/show_bug.cgi?id=1238163 for RHEL7), it is > in works. Updated patch 0181 after discussion with Simo and Sumit about empty rid array. -- / Alexander Bokovoy -------------- next part -------------- From e5b073d0a4cb75ef79eb199352f95f29594a4740 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Thu, 28 May 2015 08:33:51 +0000 Subject: [PATCH 02/11] ipa-kdb: filter out group membership from MS-PAC for exact SID matches too When incoming SID blacklist contains exact SIDs of users and groups, attempt to filter them out as well, according to [MS-PAC] 4.1.1.2. Note that we treat user's SID and primary group RID filtering as violation of the KDC policy because the resulting MS-PAC will have no user SID or primary group and thus will be invalid. For group RIDs we filter them out. According to [MS-KILE] 3.3.5.6.3.1 it is OK to have empty group RIDs array as GroupCount SHOULD be equal to Groups.MembershipCount returned by SamrGetGroupsForUser [MS-SAMR] 3.1.5.9.1, not MUST, thus it may be empty. Part of fix for https://bugzilla.redhat.com/show_bug.cgi?id=1222475 --- daemons/ipa-kdb/ipa_kdb_mspac.c | 100 +++++++++++++++++++++++++++++++++++++++- 1 file changed, 99 insertions(+), 1 deletion(-) 
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c index 390111f..b1490ef 100644 --- a/daemons/ipa-kdb/ipa_kdb_mspac.c +++ b/daemons/ipa-kdb/ipa_kdb_mspac.c @@ -1317,6 +1317,22 @@ static void filter_logon_info_log_message(struct dom_sid *sid) } } +static void filter_logon_info_log_message_rid(struct dom_sid *sid, uint32_t rid) +{ + char *domstr = NULL; + + domstr = dom_sid_string(NULL, sid); + if (domstr) { + krb5_klog_syslog(LOG_ERR, "PAC filtering issue: SID [%s-%d] is not allowed " + "from a trusted source and will be excluded.", domstr, rid); + talloc_free(domstr); + } else { + krb5_klog_syslog(LOG_ERR, "PAC filtering issue: SID is not allowed " + "from a trusted source and will be excluded." + "Unable to allocate memory to display SID."); + } +} + static krb5_error_code filter_logon_info(krb5_context context, TALLOC_CTX *memctx, krb5_data realm, @@ -1328,9 +1344,21 @@ static krb5_error_code filter_logon_info(krb5_context context, * attempt at getting us to sign fake credentials with the help of a * compromised trusted realm */ + /* NOTE: there are two outcomes from filtering: + * REJECT TICKET -- ticket is rejected if domain SID of + * the principal with MS-PAC is filtered out or + * its primary group RID is filtered out + * + * REMOVE SID -- SIDs are removed from the list of SIDs associated + * with the principal if they are filtered out + * This applies also to secondary RIDs of the principal + * if domain_sid- is filtered out + */ + struct ipadb_context *ipactx; struct ipadb_adtrusts *domain; - int i, j, k, count; + int i, j, k, l, count; + uint32_t rid; bool result; char *domstr = NULL; 
@@ -1377,6 +1405,76 @@ static krb5_error_code filter_logon_info(krb5_context context, } } + /* Check if this user's SIDs membership is filtered too */ + for(k = 0; k < domain->len_sid_blacklist_incoming; k++) { + /* Short-circuit if there are no RIDs. This may happen if we filtered everything already. + * In normal situation there would be at least primary gid as RID in the RIDs array + * but if we filtered out the primary RID, this MS-PAC is invalid */ + count = info->info->info3.base.groups.count; + result = dom_sid_is_prefix(info->info->info3.base.domain_sid, + &domain->sid_blacklist_incoming[k]); + if (result) { + i = 0; + j = 0; + if (domain->sid_blacklist_incoming[k].num_auths - info->info->info3.base.domain_sid->num_auths != 1) { + krb5_klog_syslog(LOG_ERR, "Incoming SID blacklist element matching domain [%s with SID %s] " + "has more than one RID component. Invalid check skipped.", + domain->domain_name, domain->domain_sid); + break; + } + rid = domain->sid_blacklist_incoming[k].sub_auths[domain->sid_blacklist_incoming[k].num_auths - 1]; + if (rid == info->info->info3.base.rid) { + filter_logon_info_log_message_rid(info->info->info3.base.domain_sid, rid); + /* Actual user's SID is filtered out */ + return KRB5KDC_ERR_POLICY; + } + if (rid == info->info->info3.base.primary_gid) { + /* User's primary group SID is filtered out */ + return KRB5KDC_ERR_POLICY; + } + if (count == 0) { + /* Having checked actual user's SID and primary group SID, and having no other RIDs, + * skip checks below and continue to next blacklist element */ + continue; + } + + do { + if (rid == info->info->info3.base.groups.rids[i].rid) { + filter_logon_info_log_message_rid(info->info->info3.base.domain_sid, rid); + /* If this is just a non-primary RID, we simply remove it from the array of RIDs */ + l = count - i - j - 1; + if (l != 0) { + memmove(info->info->info3.base.groups.rids+i, + info->info->info3.base.groups.rids+i+1, + sizeof(struct samr_RidWithAttribute)*l); + } + j++; + } 
else { + i++; + } + } while ((i + j) < count); + + if (j != 0) { + count = count-j; + if (count == 0) { + /* All RIDs were filtered out. Unusual but MS-KILE 3.3.5.6.3.1 says SHOULD, not MUST for GroupCount */ + info->info->info3.base.groups.count = 0; + talloc_free(info->info->info3.base.groups.rids); + info->info->info3.base.groups.rids = NULL; + } else { + info->info->info3.base.groups.rids = talloc_realloc(memctx, + info->info->info3.base.groups.rids, + struct samr_RidWithAttribute, count); + if (!info->info->info3.base.groups.rids) { + info->info->info3.base.groups.count = 0; + return ENOMEM; + } + info->info->info3.base.groups.count = count; + } + } + } + } + /* According to MS-KILE 25.0, info->info->info3.sids may be non zero, so check * should include different possibilities into account * */ -- 2.4.3 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 473 bytes Desc: not available URL: From tbabej at redhat.com Tue Jul 7 14:32:04 2015 From: tbabej at redhat.com (Tomas Babej) Date: Tue, 07 Jul 2015 16:32:04 +0200 Subject: [Freeipa-devel] [PATCH] 004 Improve error handling in ipa-httpd-kdcproxy In-Reply-To: <20150707142823.GE21928@redhat.com> References: <559BDE29.9030208@redhat.com> <20150707142823.GE21928@redhat.com> Message-ID: <559BE2E4.20803@redhat.com> On 07/07/2015 04:28 PM, Alexander Bokovoy wrote: > On Tue, 07 Jul 2015, Nathaniel McCallum wrote: >> This LGTM. However, I?ll let Alexander give the ACK. > Looks good for me too. > > > Pushed to master: 25d1afdc54284c6bcf1caf08beae2e66ceb7f4e8 From edewata at redhat.com Tue Jul 7 14:42:04 2015 
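Review bot: in the filter_logon_info_log_message_rid() hunk the format "SID [%s-%d]" prints the uint32_t rid with %d, so RIDs above INT_MAX are logged as negative numbers; use %u (or PRIu32). In the fallback branch the two adjacent string literals concatenate to "...will be excluded.Unable to allocate memory to display SID.", missing the space after the period.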
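Review bot: in the @@ -1377,6 +1405,76 @@ hunk the `break;` taken when a blacklist element "has more than one RID component" leaves the whole `for(k ...)` loop, so every later sid_blacklist_incoming[k] entry is silently skipped, while the log line says only this one check is skipped; `continue;` is what the message describes. In the same hunk the `rid == info->info->info3.base.primary_gid` branch returns KRB5KDC_ERR_POLICY without calling filter_logon_info_log_message_rid(), unlike the user-RID branch directly above it, so an administrator gets no syslog line explaining why the ticket was refused.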
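The policy described in the commit message above (user SID or primary group blacklisted: refuse the ticket; secondary group blacklisted: drop the RID, possibly leaving an empty group array), as a constructed C model added here for illustration; it is not ipa-kdb's filter_logon_info() and it simplifies struct dom_sid to its sub-authority chain. The domain SID, RIDs and blacklist entries are made-up sample values.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SUB_AUTHS 15
/* Simplified SID: only the sub-authority chain matters for the prefix test. */
struct sid { int num_auths; uint32_t sub_auths[MAX_SUB_AUTHS]; };

/* The parts of PAC_LOGON_INFO the policy looks at. */
struct logon_info {
    struct sid domain_sid;
    uint32_t user_rid;
    uint32_t primary_gid;
    size_t group_count;
    uint32_t *group_rids;     /* malloc'ed; set to NULL once emptied */
};

enum filter_result {
    FILTER_ACCEPT = 0,        /* PAC usable, possibly with RIDs removed */
    FILTER_REJECT_POLICY = 1  /* user SID or primary group was blacklisted */
};

/* Build "<domain>-<rid>" into out; false if the chain would overflow. */
bool sid_append_rid(const struct sid *domain, uint32_t rid, struct sid *out)
{
    if (domain->num_auths < 0 || domain->num_auths >= MAX_SUB_AUTHS) return false;
    *out = *domain;
    out->sub_auths[out->num_auths++] = rid;
    return true;
}

/* True when prefix equals the leading components of sid. */
static bool sid_has_prefix(const struct sid *sid, const struct sid *prefix)
{
    if (prefix->num_auths > sid->num_auths) return false;
    return memcmp(sid->sub_auths, prefix->sub_auths,
                  (size_t)prefix->num_auths * sizeof(uint32_t)) == 0;
}

/* Drop rid from the group array in place; an emptied array is released,
 * which [MS-KILE] 3.3.5.6.3.1 permits (GroupCount SHOULD, not MUST, match). */
static void drop_group_rid(struct logon_info *info, uint32_t rid)
{
    size_t kept = 0;
    for (size_t i = 0; i < info->group_count; i++) {
        if (info->group_rids[i] != rid) info->group_rids[kept++] = info->group_rids[i];
    }
    info->group_count = kept;
    if (kept == 0) {
        free(info->group_rids);
        info->group_rids = NULL;
    }
}

/* Apply the trusted domain's incoming SID blacklist to a PAC.  Only entries of
 * the form "<PAC domain SID>-<one RID>" name a user or group of that domain;
 * anything else belongs to the domain-level checks that precede this step. */
enum filter_result filter_logon_rids(struct logon_info *info,
                                     const struct sid *blacklist, size_t n)
{
    for (size_t k = 0; k < n; k++) {
        const struct sid *entry = &blacklist[k];
        if (!sid_has_prefix(entry, &info->domain_sid) ||
            entry->num_auths - info->domain_sid.num_auths != 1) continue;
        uint32_t rid = entry->sub_auths[entry->num_auths - 1];
        /* Stripping the user's own SID or primary group would leave an invalid
         * PAC, so the ticket is refused instead of repaired. */
        if (rid == info->user_rid || rid == info->primary_gid) return FILTER_REJECT_POLICY;
        drop_group_rid(info, rid);   /* a secondary group is simply removed */
    }
    return FILTER_ACCEPT;
}

/* Walk the policy over a constructed PAC (domain S-1-5-21-4-5-6, user RID 1000,
 * primary group 513, groups 1001-1003; sample values, not real data).
 * Returns 0 when every step behaves as described, otherwise the failing step. */
int run_policy_checks(void)
{
    struct logon_info info = { .domain_sid = { 4, { 21, 4, 5, 6 } },
                               .user_rid = 1000, .primary_gid = 513, .group_count = 3 };
    const uint32_t rids[] = { 1001, 1002, 1003 };
    struct sid bl[3];

    info.group_rids = malloc(sizeof(rids));
    if (info.group_rids == NULL) return -1;
    memcpy(info.group_rids, rids, sizeof(rids));
    /* 1: a blacklisted secondary group is dropped, the ticket is accepted */
    sid_append_rid(&info.domain_sid, 1002, &bl[0]);
    if (filter_logon_rids(&info, bl, 1) != FILTER_ACCEPT || info.group_count != 2 ||
        info.group_rids[0] != 1001 || info.group_rids[1] != 1003) return 1;
    /* 2: a bare domain SID is not a "<domain>-<RID>" entry and is skipped here */
    if (filter_logon_rids(&info, &info.domain_sid, 1) != FILTER_ACCEPT || info.group_count != 2) return 2;
    /* 3: every remaining group blacklisted: empty array, still accepted */
    sid_append_rid(&info.domain_sid, 1001, &bl[1]);
    sid_append_rid(&info.domain_sid, 1003, &bl[2]);
    if (filter_logon_rids(&info, bl, 3) != FILTER_ACCEPT || info.group_count != 0 ||
        info.group_rids != NULL) return 3;
    /* 4: the primary group itself blacklisted: KDC policy rejection */
    sid_append_rid(&info.domain_sid, 513, &bl[0]);
    if (filter_logon_rids(&info, bl, 1) != FILTER_REJECT_POLICY) return 4;
    return 0;
}
```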
From: edewata at redhat.com (Endi Sukma Dewata) Date: Tue, 7 Jul 2015 10:42:04 -0400 (EDT) Subject: [Freeipa-devel] [PATCH] Password vault In-Reply-To: <559BA21D.6050601@redhat.com> References: <54E1AF55.3060409@redhat.com> <559691AC.5030707@redhat.com> <559B9312.8080709@redhat.com> <559BA21D.6050601@redhat.com> Message-ID: <1310862668.37034217.1436280124935.JavaMail.zimbra@redhat.com> ----- Original Message ----- > On 07/07/2015 10:51 AM, Jan Cholasta wrote: > > Dne 3.7.2015 v 15:44 Endi Sukma Dewata napsal(a): > >> Here is the rebased patch for vault access control. > >> > > > > LGTM, except: > > > > @@ -356,6 +386,13 @@ class vault(LDAPObject): > > { > > 'objectclass': ['nsContainer'], > > 'cn': rdn['cn'], > > + 'aci': > > + '(targetfilter="(objectClass=ipaVault)")' + > > + '(version 3.0; ' + > > + 'acl "User can manage private vaults"; ' + > > + 'allow(read, search, compare, add, delete) ' + > > + 'userdn="ldap:///%s";)' > > + % owner_dn > > }) > > > > # if entry can be added, return > > > > I don't think dynamically creating ACIs with hardcoded userdn is something > > we > > want to do. This should be handled by a single ACI in cn=vaults. > > +1. Single ACI like > > +default: aci: (targetfilter="(objectClass=ipaVault)")(version 3.0; acl > "Vault > owners can manage the vault"; allow(read, search, compare, write) > userattr="owner#USERDN";) > > you already have there is more preferred. New patch attached. For this to work the container itself needs an 'owner' attribute, so I changed the nsContainer into ipaVaultContainer. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0355-8-Added-vault-access-control.patch Type: text/x-patch Size: 31142 bytes Desc: not available URL: From dkupka at redhat.com Tue Jul 7 14:51:22 2015 
From: dkupka at redhat.com (David Kupka) Date: Tue, 7 Jul 2015 16:51:22 +0200 Subject: [Freeipa-devel] [PATCH 0054] cermonger: Use private unix socket when DBus SystemBus is not, available. In-Reply-To: <55962FB5.906@redhat.com> References: <5593F9A5.4080703@redhat.com> <55952FDE.8080408@redhat.com> <55962E91.4040104@redhat.com> <55962FB5.906@redhat.com> Message-ID: <559BE76A.9040505@redhat.com> On 03/07/15 08:46, Martin Kosek wrote: > On 07/03/2015 08:41 AM, Jan Cholasta wrote: >> Dne 2.7.2015 v 14:34 David Kupka napsal(a): >>> On 01/07/15 16:31, David Kupka wrote: >>>> >>>> >>>> >>> Updated patch attached. >> >> Client install works, but uninstall does not: >> >> # ipa-client-install --uninstall -U >> certmonger failed to start: Command ''/bin/systemctl' 'start' >> 'certmonger.service'' returned non-zero exit status 1 >> certmonger failed to stop tracking certificate: Failed to start >> certmonger: >> Timeouted >> 2015-07-03 02:38:15 [17242] Error reading PIN from >> "/etc/ipa/nssdb/pwdfile.txt": No such file or directory. >> Failed to start certmonger: Timeouted >> >> The patch needs a rebase. >> > > Also, "Timeouted" is not a word, try "Timed out" instead :-) Updated patch attached. Also attaching patch that removes unneeded certmonger (re)starting and DBus starting from ipa-client-install. -- David Kupka -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-dkupka-0054.2-cermonger-Use-private-unix-socket-when-DBus-SystemBu.patch Type: text/x-patch Size: 10858 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-dkupka-0056-ipa-client-install-Do-not-re-start-certmonger-and-DB.patch Type: text/x-patch Size: 5200 bytes Desc: not available URL: From cheimes at redhat.com Tue Jul 7 16:40:13 2015 
From: cheimes at redhat.com (Christian Heimes) Date: Tue, 07 Jul 2015 18:40:13 +0200 Subject: [Freeipa-devel] [PATCH] otptoken: use ipapython.nsslib instead of Python's ssl module Message-ID: <559C00ED.4090408@redhat.com> Hello, the patch removes the dependency on Python's ssl module and python-backports-ssl_match_hostname. https://fedorahosted.org/freeipa/ticket/5068 Open question ------------- Is paths.IPA_NSSDB_DIR the correct NSSDB? Christian -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-cheimes-0005-otptoken-use-ipapython.nsslib-instead-of-Python-ssl.patch Type: text/x-patch Size: 4596 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 455 bytes Desc: OpenPGP digital signature URL: From mbasti at redhat.com Tue Jul 7 17:16:13 2015 From: mbasti at redhat.com (Martin Basti) Date: Tue, 7 Jul 2015 19:16:13 +0200 Subject: [Freeipa-devel] [PATCH 0055] ipa-replica-prepare: Do not create DNS zone it automatically. In-Reply-To: <55960CC0.4060208@redhat.com> References: <55960CC0.4060208@redhat.com> Message-ID: <559C095D.1080206@redhat.com> On 03/07/15 06:17, David Kupka wrote: > Since ipa-replica-* tools will be soon removed I think this simple > check should be enough. > > > ACK -- Martin Basti -------------- next part -------------- An HTML attachment was scrubbed... URL: From mbasti at redhat.com Tue Jul 7 17:16:48 2015 
From: mbasti at redhat.com (Martin Basti) Date: Tue, 7 Jul 2015 19:16:48 +0200 Subject: [Freeipa-devel] [PATCH 0334] Hide topology and domainlevel features In-Reply-To: <559B8EBE.1030003@redhat.com> References: <559B8EBE.1030003@redhat.com> Message-ID: <559C0980.2000701@redhat.com> On 07/07/15 10:33, Tomas Babej wrote: > Hi, > > * Hide topology and domainlevel commands in the CLI > * Hide topology and domainlevel in the WebUI > * Set maximum allowed domain level to 0 > * Do not configure and enable the topology plugin > > https://fedorahosted.org/freeipa/ticket/5097 > > ACK -- Martin Basti -------------- next part -------------- An HTML attachment was scrubbed... URL: From mbasti at redhat.com Tue Jul 7 17:30:19 2015 
From: mbasti at redhat.com (Martin Basti) Date: Tue, 7 Jul 2015 19:30:19 +0200 Subject: [Freeipa-devel] [PATCH] 0024..0025 Add missing certprofile features In-Reply-To: <20150704145819.GI6584@dhcp-40-8.bne.redhat.com> References: <20150702091546.GY6584@dhcp-40-8.bne.redhat.com> <55950325.9010200@redhat.com> <20150702101212.GZ6584@dhcp-40-8.bne.redhat.com> <20150703123407.GE6584@dhcp-40-8.bne.redhat.com> <20150704145819.GI6584@dhcp-40-8.bne.redhat.com> Message-ID: <559C0CAB.9060900@redhat.com> On 04/07/15 16:58, Fraser Tweedale wrote: > On Fri, Jul 03, 2015 at 10:34:07PM +1000, Fraser Tweedale wrote: >> On Thu, Jul 02, 2015 at 08:12:12PM +1000, Fraser Tweedale wrote: >>> On Thu, Jul 02, 2015 at 11:23:49AM +0200, Jan Cholasta wrote: >>>> Hi, >>>> >>>> Dne 2.7.2015 v 11:15 Fraser Tweedale napsal(a): >>>>> Attached patches fix a couple of important gaps in certprofile >>>>> plugin: >>>>> >>>>> - Add --out option to export Dogtag profile data to file >>>>> https://fedorahosted.org/freeipa/ticket/5091 >>>>> >>>>> - Add --file option to update existing profile in Dogtag >>>>> https://fedorahosted.org/freeipa/ticket/5093 >>>>> >> NACK on patchset v2; does not work (even after makeapi, which I >> forgot to include in updated patchset). I keep getting error >> ``ipa: ERROR: Unknown option: file''. Need to investigate why, >> but other patches are taking priority right now. >> >> Here is patchset v3, which is just v1 rebased on latest master. >> >> Thanks, >> Fraser >> > Updated patch 0025 (v4). Profile now gets re-enabled if profile > update fails. Patch 0024 remains at v3. > > Thanks, > Fraser > > ACK -- Martin Basti -------------- next part -------------- An HTML attachment was scrubbed... URL: From mbasti at redhat.com Tue Jul 7 17:36:51 2015 
From: mbasti at redhat.com (Martin Basti) Date: Tue, 7 Jul 2015 19:36:51 +0200 Subject: [Freeipa-devel] [PATCH 0276] Fix: ipa-dns-install will add CA records if CA is installed Message-ID: <559C0E33.50405@redhat.com> https://fedorahosted.org/freeipa/ticket/5101 Patch attached. -- Martin Basti -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0276-Fix-regression-ipa-dns-install-will-add-CA-records-i.patch Type: text/x-patch Size: 929 bytes Desc: not available URL: From mbasti at redhat.com Tue Jul 7 17:49:19 2015 From: mbasti at redhat.com (Martin Basti) Date: Tue, 7 Jul 2015 19:49:19 +0200 Subject: [Freeipa-devel] [PATCH 0046] add option to skip client API version check and proceed at user's own risk In-Reply-To: <55969F1A.2040400@redhat.com> References: <5595274E.6070503@redhat.com> <55969F1A.2040400@redhat.com> Message-ID: <559C111F.2030705@redhat.com> On 03/07/15 16:41, Martin Babinsky wrote: > On 07/02/2015 01:58 PM, Martin Babinsky wrote: >> First attempt at https://fedorahosted.org/freeipa/ticket/4768 >> >> >> > Attaching reworked patch. > > > ACK -- Martin Basti -------------- next part -------------- An HTML attachment was scrubbed... URL: From tbabej at redhat.com Tue Jul 7 22:09:43 2015 
From: tbabej at redhat.com (Tomas Babej) Date: Wed, 08 Jul 2015 00:09:43 +0200 Subject: [Freeipa-devel] [PATCH 0334] Hide topology and domainlevel features In-Reply-To: <559C0980.2000701@redhat.com> References: <559B8EBE.1030003@redhat.com> <559C0980.2000701@redhat.com> Message-ID: <559C4E27.60007@redhat.com> On 07/07/2015 07:16 PM, Martin Basti wrote: > On 07/07/15 10:33, Tomas Babej wrote: >> Hi, >> >> * Hide topology and domainlevel commands in the CLI >> * Hide topology and domainlevel in the WebUI >> * Set maximum allowed domain level to 0 >> * Do not configure and enable the topology plugin >> >> https://fedorahosted.org/freeipa/ticket/5097 >> >> > ACK > > -- > Martin Basti > Pushed to master: 62e8002bc43ddd890c3db35a123cb7daf35e3121 From tbabej at redhat.com Tue Jul 7 22:28:26 2015 
From: tbabej at redhat.com (Tomas Babej) Date: Wed, 08 Jul 2015 00:28:26 +0200 Subject: [Freeipa-devel] [PATCH] 0024..0025 Add missing certprofile features In-Reply-To: <559C0CAB.9060900@redhat.com> References: <20150702091546.GY6584@dhcp-40-8.bne.redhat.com> <55950325.9010200@redhat.com> <20150702101212.GZ6584@dhcp-40-8.bne.redhat.com> <20150703123407.GE6584@dhcp-40-8.bne.redhat.com> <20150704145819.GI6584@dhcp-40-8.bne.redhat.com> <559C0CAB.9060900@redhat.com> Message-ID: <559C528A.40307@redhat.com> On 07/07/2015 07:30 PM, Martin Basti wrote: > On 04/07/15 16:58, Fraser Tweedale wrote: >> On Fri, Jul 03, 2015 at 10:34:07PM +1000, Fraser Tweedale wrote: >>> On Thu, Jul 02, 2015 at 08:12:12PM +1000, Fraser Tweedale wrote: >>>> On Thu, Jul 02, 2015 at 11:23:49AM +0200, Jan Cholasta wrote: >>>>> Hi, >>>>> >>>>> Dne 2.7.2015 v 11:15 Fraser Tweedale napsal(a): >>>>>> Attached patches fix a couple of important gaps in certprofile >>>>>> plugin: >>>>>> >>>>>> - Add --out option to export Dogtag profile data to file >>>>>> https://fedorahosted.org/freeipa/ticket/5091 >>>>>> >>>>>> - Add --file option to update existing profile in Dogtag >>>>>> https://fedorahosted.org/freeipa/ticket/5093 >>>>>> >>> NACK on patchset v2; does not work (even after makeapi, which I >>> forgot to include in updated patchset). I keep getting error >>> ``ipa: ERROR: Unknown option: file''. Need to investigate why, >>> but other patches are taking priority right now. >>> >>> Here is patchset v3, which is just v1 rebased on latest master. >>> >>> Thanks, >>> Fraser >>> >> Updated patch 0025 (v4). Profile now gets re-enabled if profile >> update fails. Patch 0024 remains at v3. >> >> Thanks, >> Fraser >> >> > ACK > > -- > Martin Basti > > > Patches required a little API rebase due to stale minor API number reference. Pushed to master: 462e0b9eb16f52b66b723744c4b42c19ef4782c3 From tbabej at redhat.com Tue Jul 7 22:33:31 2015 
From: tbabej at redhat.com (Tomas Babej) Date: Wed, 08 Jul 2015 00:33:31 +0200 Subject: [Freeipa-devel] [PATCH 0276] Fix: ipa-dns-install will add CA records if CA is installed In-Reply-To: <559C0E33.50405@redhat.com> References: <559C0E33.50405@redhat.com> Message-ID: <559C53BB.3020407@redhat.com> On 07/07/2015 07:36 PM, Martin Basti wrote: > https://fedorahosted.org/freeipa/ticket/5101 > > Patch attached. > > > ACK. Pushed to master: 1d9bdb240943527e1e19704acd183eae254267ae From tbabej at redhat.com Tue Jul 7 22:37:10 2015 From: tbabej at redhat.com (Tomas Babej) Date: Wed, 08 Jul 2015 00:37:10 +0200 Subject: [Freeipa-devel] [PATCH 0046] add option to skip client API version check and proceed at user's own risk In-Reply-To: <559C111F.2030705@redhat.com> References: <5595274E.6070503@redhat.com> <55969F1A.2040400@redhat.com> <559C111F.2030705@redhat.com> Message-ID: <559C5496.3070603@redhat.com> On 07/07/2015 07:49 PM, Martin Basti wrote: > On 03/07/15 16:41, Martin Babinsky wrote: >> On 07/02/2015 01:58 PM, Martin Babinsky wrote: >>> First attempt at https://fedorahosted.org/freeipa/ticket/4768 >>> >>> >>> >> Attaching reworked patch. >> >> >> > ACK > > -- > Martin Basti > > > Pushed to master: ea7f392bb98c1f1c4558ec5d6e84ee7a7c613474 From tbabej at redhat.com Tue Jul 7 22:38:16 2015 From: tbabej at redhat.com (Tomas Babej) Date: Wed, 08 Jul 2015 00:38:16 +0200 Subject: [Freeipa-devel] [PATCH 0055] ipa-replica-prepare: Do not create DNS zone it automatically. In-Reply-To: <559C095D.1080206@redhat.com> References: <55960CC0.4060208@redhat.com> <559C095D.1080206@redhat.com> Message-ID: <559C54D8.30509@redhat.com> On 07/07/2015 07:16 PM, Martin Basti wrote: > On 03/07/15 06:17, David Kupka wrote: >> Since ipa-replica-* tools will be soon removed I think this simple >> check should be enough. >> >> >> > ACK > > -- > Martin Basti > > > Pushed to master: 6a91893ff50fee6d7c71d9bc982d85a3ec8b7583 From tbabej at redhat.com Wed Jul 8 00:04:32 2015 
From: tbabej at redhat.com (Tomas Babej) Date: Wed, 08 Jul 2015 02:04:32 +0200 Subject: [Freeipa-devel] [PATCH] 0180-0190 oneway trust and other trust-related patches In-Reply-To: <20150707143107.GF21928@redhat.com> References: <20150707103524.GV11876@redhat.com> <20150707143107.GF21928@redhat.com> Message-ID: <559C6910.7050308@redhat.com> On 07/07/2015 04:31 PM, Alexander Bokovoy wrote: > On Tue, 07 Jul 2015, Alexander Bokovoy wrote: >> Hi, >> >> attached are patches to introduce one-way trust support and few more to >> fix currently outstanding trust-related bugs. >> >> More details are in the commit messages. >> >> For oddjobd-activated helper, if you want to test the one-way trust >> setup, you need to put SELinux into permissive. We have bugs for both >> Fedora and RHEL to add the policy >> (https://bugzilla.redhat.com/show_bug.cgi?id=1238163 for RHEL7), it is >> in works. > Updated patch 0181 after discussion with Simo and Sumit about empty rid > array. > > > Works fine for me, thanks. ACK. Pushed to master: 5017726ebaf6eea3dedb1325efe00c0d6c4b6187 During review, I also pushed the attached oneliner. Tomas -------------- next part -------------- A non-text attachment was scrubbed... Name: 0335-dcerpc-Raise-ACIError-correctly.patch Type: text/x-patch Size: 1581 bytes Desc: not available URL: From tbabej at redhat.com Wed Jul 8 00:05:31 2015 
From: tbabej at redhat.com (Tomas Babej) Date: Wed, 08 Jul 2015 02:05:31 +0200 Subject: [Freeipa-devel] [PATCH 144] extdom: add unit-test for get_user_grouplist() In-Reply-To: <20150707134705.GG22480@p.redhat.com> References: <20150526112119.GO3943@p.redhat.com> <556457EE.5040508@redhat.com> <20150526114004.GQ3943@p.redhat.com> <20150526114702.GF19176@redhat.com> <20150707134705.GG22480@p.redhat.com> Message-ID: <559C694B.80303@redhat.com> On 07/07/2015 03:47 PM, Sumit Bose wrote: > On Tue, May 26, 2015 at 02:47:02PM +0300, Alexander Bokovoy wrote: >> On Tue, 26 May 2015, Sumit Bose wrote: >>> On Tue, May 26, 2015 at 01:24:30PM +0200, Petr Vobornik wrote: >>>> On 05/26/2015 01:21 PM, Sumit Bose wrote: >>>>> Hi, >>>>> >>>>> these tests should have gone together with >>>>> c1114ef82516002de08e004a930b5ba4a1791b25 but got lost somehow during the >>>>> bugzilla processing. >>>>> >>>>> bye, >>>>> Sumit >>>>> >>>> >>>> So it has been acked? And we can push it? >>> >>> I have to admit that I'm not sure, there were just too many related >>> tickets. Alexander, do you remember seeing this patch? If not, I think >>> it would be good if someone can review it. Since it is "only" a >>> unit-test, it is not urgent. >> I've seen this patch and I thought I've acked it by the time... > > New version rebased on one-way trust patches is attached. > > bye, > Sumit > >> -- >> / Alexander Bokovoy >> >> ACK. Pushed to master: 7b524e783515a16102aeffdb69fa9ed5fca07c1b From tbabej at redhat.com Wed Jul 8 00:06:05 2015
From: tbabej at redhat.com (Tomas Babej) Date: Wed, 08 Jul 2015 02:06:05 +0200 Subject: [Freeipa-devel] [PATCHES 145-148] ipa-kdb: add unit-test for filter_logon_info() In-Reply-To: <20150707134913.GH22480@p.redhat.com> References: <20150526113340.GP3943@p.redhat.com> <55645AC3.9050304@redhat.com> <20150707134913.GH22480@p.redhat.com> Message-ID: <559C696D.6000500@redhat.com> On 07/07/2015 03:49 PM, Sumit Bose wrote: > On Tue, May 26, 2015 at 01:36:35PM +0200, Martin Kosek wrote: >> On 05/26/2015 01:33 PM, Sumit Bose wrote: >>> Hi, >>> >>> these patches add some unit tests and some additional improvements >>> related to the issues described in >>> https://bugzilla.redhat.com/show_bug.cgi?id=1222475 . The original issue >>> is fixed by a patch from Alexander attached to the ticket. >>> >>> The first patch converts the existing check-based test to cmocka. If I >>> see it correctly all check-based tests are converted now. >> >> Cool! Before pushing, we should also reference ticket >> https://fedorahosted.org/freeipa/ticket/4922 >> in the patch (no need to rebase right now). >> >>> >>> The second adds tests for filter_logon_info() where the original issue >>> occurred. The wrong behavior in filter_logon_info() caused a crash in >>> dom_sid_string() which is made a bit more robust together with >>> string_to_sid() in the 3rd patch. The last patch adds unit tests for >>> those two calls as well. > > New version rebased on one-way trust patches attached. > > Please note that the unit-test will fail with the initial version of the > one-way trust patches which does not allow an empty group list in the > PAC. > > bye, > Sumit > > > ACK. Pushed to master: 5017726ebaf6eea3dedb1325efe00c0d6c4b6187 Tomas From jcholast at redhat.com Wed Jul 8 05:43:31 2015
From: jcholast at redhat.com (Jan Cholasta) Date: Wed, 8 Jul 2015 07:43:31 +0200 Subject: [Freeipa-devel] [PATCH 0046] add option to skip client API version check and proceed at user's own risk In-Reply-To: <559C5496.3070603@redhat.com> References: <5595274E.6070503@redhat.com> <55969F1A.2040400@redhat.com> <559C111F.2030705@redhat.com> <559C5496.3070603@redhat.com> Message-ID: <559CB883.6040600@redhat.com> Dne 8.7.2015 v 00:37 Tomas Babej napsal(a): > > > On 07/07/2015 07:49 PM, Martin Basti wrote: >> On 03/07/15 16:41, Martin Babinsky wrote: >>> On 07/02/2015 01:58 PM, Martin Babinsky wrote: >>>> First attempt at https://fedorahosted.org/freeipa/ticket/4768 >>>> >>>> >>>> >>> Attaching reworked patch. >>> >>> >>> >> ACK >> >> -- >> Martin Basti >> >> >> > > Pushed to master: ea7f392bb98c1f1c4558ec5d6e84ee7a7c613474 > NACK! This won't work, as it breaks capabilities. -- Jan Cholasta From jcholast at redhat.com Wed Jul 8 06:30:49 2015 From: jcholast at redhat.com (Jan Cholasta) Date: Wed, 08 Jul 2015 08:30:49 +0200 Subject: [Freeipa-devel] [PATCH] Password vault In-Reply-To: <1310862668.37034217.1436280124935.JavaMail.zimbra@redhat.com> References: <54E1AF55.3060409@redhat.com> <559691AC.5030707@redhat.com> <559B9312.8080709@redhat.com> <559BA21D.6050601@redhat.com> <1310862668.37034217.1436280124935.JavaMail.zimbra@redhat.com> Message-ID: <559CC399.2020009@redhat.com> Dne 7.7.2015 v 16:42 Endi Sukma Dewata napsal(a): > ----- Original Message ----- >> On 07/07/2015 10:51 AM, Jan Cholasta wrote: >>> Dne 3.7.2015 v 15:44 Endi Sukma Dewata napsal(a): >>>> Here is the rebased patch for vault access control. >>>> >>> >>> LGTM, except: 
>>> >>> @@ -356,6 +386,13 @@ class vault(LDAPObject): >>> { >>> 'objectclass': ['nsContainer'], >>> 'cn': rdn['cn'], >>> + 'aci': >>> + '(targetfilter="(objectClass=ipaVault)")' + >>> + '(version 3.0; ' + >>> + 'acl "User can manage private vaults"; ' + >>> + 'allow(read, search, compare, add, delete) ' + >>> + 'userdn="ldap:///%s";)' >>> + % owner_dn >>> }) >>> >>> # if entry can be added, return >>> >>> I don't think dynamically creating ACIs with hardcoded userdn is something >>> we >>> want to do. This should be handled by a single ACI in cn=vaults. >> >> +1. Single ACI like >> >> +default: aci: (targetfilter="(objectClass=ipaVault)")(version 3.0; acl >> "Vault >> owners can manage the vault"; allow(read, search, compare, write) >> userattr="owner#USERDN";) >> >> you already have there is more preferred. > > New patch attached. For this to work the container itself needs an 'owner' attribute, so I changed the nsContainer into ipaVaultContainer. I don't think that's really necessary on the top-level containers. Anyway, the patch works, so ACK. Pushed to master: bf6df3df9b388753a52a0040d9c15b1eabce41ca -- Jan Cholasta From mkosek at redhat.com Wed Jul 8 07:26:17 2015 
From: mkosek at redhat.com (Martin Kosek) Date: Wed, 08 Jul 2015 09:26:17 +0200 Subject: [Freeipa-devel] Final preparations for FreeIPA 4.2 GA Message-ID: <559CD099.3070409@redhat.com> Hello all, Let us do a final check before FreeIPA 4.2 GA! With One-Way patch set and KRA final patch pushed, there is just a little bit of work left. From FreeIPA 4.2 milestone tickets, I see: #4238 [RFE] Provide ability to map CAC identity certificates to users in IdM #5045 Add support for multiple host/service certificates in webUI #5046 Add support for user certificates in WebUI - Waiting on Petr Vobornik's final touch. #5103 Update 4.2 Requires in the spec file - This is a must, not every feature owner updated spec file with the latest version (like certmonger or sssd for One-Way Trusts). Please double check spec file and provide the right minimal versions to avoid RPM issues. #5095 Be able to request certificates without certmonger service running - WIP by Honza and David. Not a must for GA though, can be postponed to 4.2.1 #5096 cert-request: enforce caacl for subjectAltName principals - Patch on review #4768 [RFE] Add option to skip the verify_client_version and proceed at own risk - Honza found a problem with this patch, working on a repair right now. If anyone knows about anything blocking GA, please reply to this thread. I would like to encourage everyone to at least smoke test their and other features, so that we capture any last problem before tagging and release. Finally, I prepared 4.2.0 release notes draft, updates welcome: http://www.freeipa.org/page/Releases/4.2.0 I also updated http://www.freeipa.org/page/Releases/4.2.0.alpha1 with regards to postponed Topology feature. Thanks for help! -- Martin Kosek Supervisor, Software Engineering - Identity Management Team Red Hat Inc. From dkupka at redhat.com Wed Jul 8 07:31:40 2015
From: dkupka at redhat.com (David Kupka) Date: Wed, 8 Jul 2015 09:31:40 +0200 Subject: [Freeipa-devel] Meaning of two strings in plugins/service.py In-Reply-To: References: Message-ID: <559CD1DC.5070803@redhat.com> On 05/07/15 11:25, Jérôme Fenal wrote: > Hi, > > I stumbled upon those two following strings while translating into > French, and just cannot figure out the meaning. > > Str('ipaallowedtoperform_read_keys', > label=_('Failed allowed to retrieve keytab'), > ), > Str('ipaallowedtoperform_write_keys', > label=_('Failed allowed to create keytab'), > ), > > Would it be that failure is allowed while retrieving or creating keytab? > Or...? > > Thanks for helping, > > Jérôme > Hi Jérôme, I guess it should be "Failed to allow retrieval/creation of keytab". But Petr (added) is author of this code and should know better. -- David Kupka From pvoborni at redhat.com Wed Jul 8 07:45:10 2015
From: pvoborni at redhat.com (Petr Vobornik) Date: Wed, 8 Jul 2015 09:45:10 +0200 Subject: [Freeipa-devel] Meaning of two strings in plugins/service.py In-Reply-To: <559CD1DC.5070803@redhat.com> References: <559CD1DC.5070803@redhat.com> Message-ID: <559CD506.6090007@redhat.com> On 07/08/2015 09:31 AM, David Kupka wrote: > On 05/07/15 11:25, Jérôme Fenal wrote: >> Hi, >> >> I stumbled upon those two following strings while translating into >> French, and just cannot figure out the meaning. >> >> Str('ipaallowedtoperform_read_keys', >> label=_('Failed allowed to retrieve keytab'), >> ), >> Str('ipaallowedtoperform_write_keys', >> label=_('Failed allowed to create keytab'), >> ), >> >> Would it be that failure is allowed while retrieving or creating keytab? >> Or...? >> >> Thanks for helping, >> >> Jérôme >> > > Hi Jérôme, > I guess it should be "Failed to allow retrieval/creation of keytab". > But Petr (added) is author of this code and should know better. > It's used in a following way (user abc does not exist): ipa host-allow-create-keytab vm-121.example.com --users=abc Host name: vm-121.example.com.com Principal name: host/vm-121.example.com at EXAMPLE.COM Managed by: vm-121.example.com.com Failed allowed to create keytab: member user: abc: no such entry member group: member host: member host group: ------------------------- Number of members added 0 ------------------------- I.e., host groups, hosts, user groups, users who were not added as the ones who are allowed to retrieve/create keytab. -- Petr Vobornik From jfenal at gmail.com Wed Jul 8 07:48:35 2015
From: jfenal at gmail.com (Jérôme Fenal) Date: Wed, 8 Jul 2015 09:48:35 +0200 Subject: [Freeipa-devel] Meaning of two strings in plugins/service.py In-Reply-To: <559CD506.6090007@redhat.com> References: <559CD1DC.5070803@redhat.com> <559CD506.6090007@redhat.com> Message-ID: 2015-07-08 9:45 GMT+02:00 Petr Vobornik : > On 07/08/2015 09:31 AM, David Kupka wrote: >> >> On 05/07/15 11:25, Jérôme Fenal wrote: >>> >>> Hi, >>> >>> I stumbled upon those two following strings while translating into >>> French, and just cannot figure out the meaning. >>> >>> Str('ipaallowedtoperform_read_keys', >>> label=_('Failed allowed to retrieve keytab'), >>> ), >>> Str('ipaallowedtoperform_write_keys', >>> label=_('Failed allowed to create keytab'), >>> ), >>> >>> Would it be that failure is allowed while retrieving or creating keytab? >>> Or...? >>> >>> Thanks for helping, >>> >>> Jérôme >>> >> >> Hi Jérôme, >> I guess it should be "Failed to allow retrieval/creation of keytab". >> But Petr (added) is author of this code and should know better. >> > > It's used in a following way (user abc does not exist): > > ipa host-allow-create-keytab vm-121.example.com --users=abc > Host name: vm-121.example.com.com > Principal name: host/vm-121.example.com at EXAMPLE.COM > Managed by: vm-121.example.com.com > Failed allowed to create keytab: > member user: abc: no such entry > member group: > member host: > member host group: > ------------------------- > Number of members added 0 > ------------------------- > > I.e., host groups, hosts, user groups, users who were not added as the ones > who are allowed to retrieve/create keytab. So I guess it'd be more "Failed to allow retrieval/creation of keytab". Should I propose a patch to change the sentence? Regards, J. -- Jérôme Fenal From pvoborni at redhat.com Wed Jul 8 08:37:33 2015
From: pvoborni at redhat.com (Petr Vobornik) Date: Wed, 8 Jul 2015 10:37:33 +0200 Subject: [Freeipa-devel] [PATCH] 893 move session_logout command to ipalib/plugins directory Message-ID: <559CE14D.5060502@redhat.com> API refactoring caused that session_logout command was not registered. Commands in ipalib/plugins directory are automatically registered. -- Petr Vobornik -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvoborni-0893-move-session_logout-command-to-ipalib-plugins-direct.patch Type: text/x-patch Size: 3250 bytes Desc: not available URL: From pvoborni at redhat.com Wed Jul 8 10:20:38 2015 From: pvoborni at redhat.com (Petr Vobornik) Date: Wed, 8 Jul 2015 12:20:38 +0200 Subject: [Freeipa-devel] [PATCH] 893 move session_logout command to ipalib/plugins directory In-Reply-To: <559CE14D.5060502@redhat.com> References: <559CE14D.5060502@redhat.com> Message-ID: <559CF976.1050903@redhat.com> On 07/08/2015 10:37 AM, Petr Vobornik wrote: > API refactoring caused that session_logout command was not registered. > > Commands in ipalib/plugins directory are automatically registered. > > Added NO_CLI = True to hide the command in CLI. -- Petr Vobornik -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvoborni-0893-1-move-session_logout-command-to-ipalib-plugins-direct.patch Type: text/x-patch Size: 3270 bytes Desc: not available URL: From mbasti at redhat.com Wed Jul 8 10:51:37 2015 
From: mbasti at redhat.com (Martin Basti) Date: Wed, 8 Jul 2015 12:51:37 +0200 Subject: [Freeipa-devel] [PATCH] 893 move session_logout command to ipalib/plugins directory In-Reply-To: <559CF976.1050903@redhat.com> References: <559CE14D.5060502@redhat.com> <559CF976.1050903@redhat.com> Message-ID: <559D00B9.50906@redhat.com> On 08/07/15 12:20, Petr Vobornik wrote: > On 07/08/2015 10:37 AM, Petr Vobornik wrote: >> API refactoring caused that session_logout command was not registered. >> >> Commands in ipalib/plugins directory are automatically registered. >> >> > > Added NO_CLI = True to hide the command in CLI. > > Works for me. -- Martin Basti -------------- next part -------------- An HTML attachment was scrubbed... URL: From mbasti at redhat.com Wed Jul 8 10:58:20 2015 From: mbasti at redhat.com (Martin Basti) Date: Wed, 8 Jul 2015 12:58:20 +0200 Subject: [Freeipa-devel] [PATCH 0277] Upgrade: Do not show upgrade failed message during RPM transaction when IPA is not installed Message-ID: <559D024C.5010603@redhat.com> Patch attached. -- Martin Basti -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0277-Upgrade-Do-not-show-upgrade-failed-message-when-IPA-.patch Type: text/x-patch Size: 2171 bytes Desc: not available URL: From jcholast at redhat.com Wed Jul 8 11:08:58 2015 
From: jcholast at redhat.com (Jan Cholasta) Date: Wed, 8 Jul 2015 13:08:58 +0200 Subject: [Freeipa-devel] [PATCH 0046] add option to skip client API version check and proceed at user's own risk In-Reply-To: <559CB883.6040600@redhat.com> References: <5595274E.6070503@redhat.com> <55969F1A.2040400@redhat.com> <559C111F.2030705@redhat.com> <559C5496.3070603@redhat.com> <559CB883.6040600@redhat.com> Message-ID: <559D04CA.709@redhat.com> Dne 8.7.2015 v 07:43 Jan Cholasta napsal(a): > Dne 8.7.2015 v 00:37 Tomas Babej napsal(a): >> >> >> On 07/07/2015 07:49 PM, Martin Basti wrote: >>> On 03/07/15 16:41, Martin Babinsky wrote: >>>> On 07/02/2015 01:58 PM, Martin Babinsky wrote: >>>>> First attempt at https://fedorahosted.org/freeipa/ticket/4768 >>>>> >>>>> >>>>> >>>> Attaching reworked patch. >>>> >>>> >>>> >>> ACK >>> >>> -- >>> Martin Basti >>> >>> >>> >> >> Pushed to master: ea7f392bb98c1f1c4558ec5d6e84ee7a7c613474 >> > > NACK! This won't work, as it breaks capabilities. > Fixed, see the attached patch. -- Jan Cholasta -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-462-ipalib-Fix-skip_version_check-option.patch Type: text/x-patch Size: 3651 bytes Desc: not available URL: From mbasti at redhat.com Wed Jul 8 11:20:22 2015 
From: mbasti at redhat.com (Martin Basti) Date: Wed, 8 Jul 2015 13:20:22 +0200 Subject: [Freeipa-devel] [PATCH] 893 move session_logout command to ipalib/plugins directory In-Reply-To: <559D00B9.50906@redhat.com> References: <559CE14D.5060502@redhat.com> <559CF976.1050903@redhat.com> <559D00B9.50906@redhat.com> Message-ID: <559D0776.7040104@redhat.com> On 08/07/15 12:51, Martin Basti wrote: > On 08/07/15 12:20, Petr Vobornik wrote: >> On 07/08/2015 10:37 AM, Petr Vobornik wrote: >>> API refactoring caused that session_logout command was not registered. >>> >>> Commands in ipalib/plugins directory are automatically registered. >>> >>> >> >> Added NO_CLI = True to hide the command in CLI. >> >> > Works for me. > > -- > Martin Basti > > NACK, It works but you should update API.txt Command session_logout in ipalib, not in API There are one or more new commands defined. Update API.txt and increment the minor version in VERSION. -- Martin Basti -------------- next part -------------- An HTML attachment was scrubbed... URL: From jcholast at redhat.com Wed Jul 8 11:24:43 2015 From: jcholast at redhat.com (Jan Cholasta) Date: Wed, 8 Jul 2015 13:24:43 +0200 Subject: [Freeipa-devel] [PATCH 463] spec file: Update minimal versions of required packages Message-ID: <559D087B.7060408@redhat.com> Hi, the attached patch fixes . Honza -- Jan Cholasta -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-463-spec-file-Update-minimal-versions-of-required-packag.patch Type: text/x-patch Size: 2107 bytes Desc: not available URL: From abokovoy at redhat.com Wed Jul 8 11:28:02 2015 
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Wed, 8 Jul 2015 14:28:02 +0300 Subject: [Freeipa-devel] [PATCH 463] spec file: Update minimal versions of required packages In-Reply-To: <559D087B.7060408@redhat.com> References: <559D087B.7060408@redhat.com> Message-ID: <20150708112802.GL21928@redhat.com> On Wed, 08 Jul 2015, Jan Cholasta wrote: >Hi, > >the attached patch fixes . ACK. -- / Alexander Bokovoy From pvoborni at redhat.com Wed Jul 8 11:46:18 2015 From: pvoborni at redhat.com (Petr Vobornik) Date: Wed, 8 Jul 2015 13:46:18 +0200 Subject: [Freeipa-devel] [PATCH] 893 move session_logout command to ipalib/plugins directory In-Reply-To: <559D0776.7040104@redhat.com> References: <559CE14D.5060502@redhat.com> <559CF976.1050903@redhat.com> <559D00B9.50906@redhat.com> <559D0776.7040104@redhat.com> Message-ID: <559D0D8A.5070302@redhat.com> On 07/08/2015 01:20 PM, Martin Basti wrote: > On 08/07/15 12:51, Martin Basti wrote: >> On 08/07/15 12:20, Petr Vobornik wrote: >>> On 07/08/2015 10:37 AM, Petr Vobornik wrote: >>>> API refactoring caused that session_logout command was not registered. >>>> >>>> Commands in ipalib/plugins directory are automatically registered. >>>> >>>> >>> Added NO_CLI = True to hide the command in CLI. >>> >>> >> Works for me. >> >> -- >> Martin Basti >> >> > NACK, It works but you should update API.txt > > Command session_logout in ipalib, not in API > > There are one or more new commands defined. > Update API.txt and increment the minor version in VERSION. > updated patch attached. -- Petr Vobornik -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvoborni-0893-2-move-session_logout-command-to-ipalib-plugins-direct.patch Type: text/x-patch Size: 4514 bytes Desc: not available URL: From mbasti at redhat.com Wed Jul 8 12:18:58 2015
From: mbasti at redhat.com (Martin Basti) Date: Wed, 8 Jul 2015 14:18:58 +0200 Subject: [Freeipa-devel] [PATCH 0278] Fix API logging Message-ID: <559D1532.2060907@redhat.com> log must be initialized before first usage in API, otherwise a traceback is shown: # ipa -e random-nonexistent-key=1 user-find Traceback (most recent call last): File "/bin/ipa", line 32, in cli.run(api) File "/usr/lib/python2.7/site-packages/ipalib/cli.py", line 1346, in run api.log.exception('%s: %s', e.__class__.__name__, str(e)) AttributeError: 'API' object has no attribute 'log' Patch attached. -- Martin Basti -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0278-Fix-logging-in-API.patch Type: text/x-patch Size: 1009 bytes Desc: not available URL: From pvoborni at redhat.com Wed Jul 8 12:24:56 2015 From: pvoborni at redhat.com (Petr Vobornik) Date: Wed, 8 Jul 2015 14:24:56 +0200 Subject: [Freeipa-devel] [PATCH] 894-896 webui: certificate profiles and acls Message-ID: <559D1698.5080403@redhat.com> add Web UI for new certificate objects [PATCH] 894 webui: certificate profiles [PATCH] 895 webui: caacl [PATCH] 896 webui: hide facet tab in certificate details facet -- Petr Vobornik -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvoborni-0896-webui-hide-facet-tab-in-certificate-details-facet.patch Type: text/x-patch Size: 853 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvoborni-0895-webui-caacl.patch Type: text/x-patch Size: 17776 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvoborni-0894-webui-certificate-profiles.patch Type: text/x-patch Size: 6136 bytes Desc: not available URL: From mbasti at redhat.com Wed Jul 8 12:33:31 2015
From: mbasti at redhat.com (Martin Basti) Date: Wed, 8 Jul 2015 14:33:31 +0200 Subject: [Freeipa-devel] [PATCH] 893 move session_logout command to ipalib/plugins directory In-Reply-To: <559D0D8A.5070302@redhat.com> References: <559CE14D.5060502@redhat.com> <559CF976.1050903@redhat.com> <559D00B9.50906@redhat.com> <559D0776.7040104@redhat.com> <559D0D8A.5070302@redhat.com> Message-ID: <559D189B.1030700@redhat.com> On 08/07/15 13:46, Petr Vobornik wrote: > On 07/08/2015 01:20 PM, Martin Basti wrote: >> On 08/07/15 12:51, Martin Basti wrote: >>> On 08/07/15 12:20, Petr Vobornik wrote: >>>> On 07/08/2015 10:37 AM, Petr Vobornik wrote: >>>>> API refactoring caused that session_logout command was not >>>>> registered. >>>>> >>>>> Commands in ipalib/plugins directory are automatically registered. >>>>> >>>>> >>>> Added NO_CLI = True to hide the command in CLI. >>>> >>>> >>> Works for me. >>> >>> -- >>> Martin Basti >>> >>> >> NACK, It works but you should update API.txt >> >> Command session_logout in ipalib, not in API >> >> There are one or more new commands defined. >> Update API.txt and increment the minor version in VERSION. >> > > updated patch attached. ACK -- Martin Basti From jcholast at redhat.com Wed Jul 8 12:35:11 2015 From: jcholast at redhat.com (Jan Cholasta) Date: Wed, 8 Jul 2015 14:35:11 +0200 Subject: [Freeipa-devel] [PATCH 0277] Upgrade: Do not show upgrade failed message during RPM transaction when IPA is not installed In-Reply-To: <559D024C.5010603@redhat.com> References: <559D024C.5010603@redhat.com> Message-ID: <559D18FF.7090807@redhat.com> Hi, Dne 8.7.2015 v 12:58 Martin Basti napsal(a): > Patch attached. > Use self.log instead of root_logger. Otherwise ACK. Honza -- Jan Cholasta From mbasti at redhat.com Wed Jul 8 12:34:52 2015
From: mbasti at redhat.com (Martin Basti) Date: Wed, 8 Jul 2015 14:34:52 +0200 Subject: [Freeipa-devel] [PATCH 0046] add option to skip client API version check and proceed at user's own risk In-Reply-To: <559D04CA.709@redhat.com> References: <5595274E.6070503@redhat.com> <55969F1A.2040400@redhat.com> <559C111F.2030705@redhat.com> <559C5496.3070603@redhat.com> <559CB883.6040600@redhat.com> <559D04CA.709@redhat.com> Message-ID: <559D18EC.7000600@redhat.com> On 08/07/15 13:08, Jan Cholasta wrote: > Dne 8.7.2015 v 07:43 Jan Cholasta napsal(a): >> Dne 8.7.2015 v 00:37 Tomas Babej napsal(a): >>> >>> >>> On 07/07/2015 07:49 PM, Martin Basti wrote: >>>> On 03/07/15 16:41, Martin Babinsky wrote: >>>>> On 07/02/2015 01:58 PM, Martin Babinsky wrote: >>>>>> First attempt at https://fedorahosted.org/freeipa/ticket/4768 >>>>>> >>>>>> >>>>>> >>>>> Attaching reworked patch. >>>>> >>>>> >>>>> >>>> ACK >>>> >>>> -- >>>> Martin Basti >>>> >>>> >>>> >>> >>> Pushed to master: ea7f392bb98c1f1c4558ec5d6e84ee7a7c613474 >>> >> >> NACK! This won't work, as it breaks capabilities. >> > > Fixed, see the attached patch. > ACK -- Martin Basti From jcholast at redhat.com Wed Jul 8 12:36:43 2015 
From: jcholast at redhat.com (Jan Cholasta) Date: Wed, 8 Jul 2015 14:36:43 +0200 Subject: [Freeipa-devel] [PATCH 0046] add option to skip client API version check and proceed at user's own risk In-Reply-To: <559D18EC.7000600@redhat.com> References: <5595274E.6070503@redhat.com> <55969F1A.2040400@redhat.com> <559C111F.2030705@redhat.com> <559C5496.3070603@redhat.com> <559CB883.6040600@redhat.com> <559D04CA.709@redhat.com> <559D18EC.7000600@redhat.com> Message-ID: <559D195B.1080401@redhat.com> Dne 8.7.2015 v 14:34 Martin Basti napsal(a): > On 08/07/15 13:08, Jan Cholasta wrote: >> Dne 8.7.2015 v 07:43 Jan Cholasta napsal(a): >>> Dne 8.7.2015 v 00:37 Tomas Babej napsal(a): >>>> >>>> >>>> On 07/07/2015 07:49 PM, Martin Basti wrote: >>>>> On 03/07/15 16:41, Martin Babinsky wrote: >>>>>> On 07/02/2015 01:58 PM, Martin Babinsky wrote: >>>>>>> First attempt at https://fedorahosted.org/freeipa/ticket/4768 >>>>>>> >>>>>>> >>>>>>> >>>>>> Attaching reworked patch. >>>>>> >>>>>> >>>>>> >>>>> ACK >>>>> >>>>> -- >>>>> Martin Basti >>>>> >>>>> >>>>> >>>> >>>> Pushed to master: ea7f392bb98c1f1c4558ec5d6e84ee7a7c613474 >>>> >>> >>> NACK! This won't work, as it breaks capabilities. >>> >> >> Fixed, see the attached patch. >> > ACK > Pushed to master: 232458a222435c80c28d6179f164673de67e2544 -- Jan Cholasta From mbasti at redhat.com Wed Jul 8 12:43:25 2015 
From: mbasti at redhat.com (Martin Basti) Date: Wed, 8 Jul 2015 14:43:25 +0200 Subject: [Freeipa-devel] [PATCH 0277] Upgrade: Do not show upgrade failed message during RPM transaction when IPA is not installed In-Reply-To: <559D18FF.7090807@redhat.com> References: <559D024C.5010603@redhat.com> <559D18FF.7090807@redhat.com> Message-ID: <559D1AED.9000905@redhat.com> On 08/07/15 14:35, Jan Cholasta wrote: > Hi, > > Dne 8.7.2015 v 12:58 Martin Basti napsal(a): >> Patch attached. >> > > Use self.log instead of root_logger. Otherwise ACK. > > Honza > Updated patch attached. -- Martin Basti -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0277.2-Upgrade-Do-not-show-upgrade-failed-message-when-IPA-.patch Type: text/x-patch Size: 1912 bytes Desc: not available URL: From jcholast at redhat.com Wed Jul 8 12:58:57 2015 From: jcholast at redhat.com (Jan Cholasta) Date: Wed, 8 Jul 2015 14:58:57 +0200 Subject: [Freeipa-devel] [PATCH 0277] Upgrade: Do not show upgrade failed message during RPM transaction when IPA is not installed In-Reply-To: <559D1AED.9000905@redhat.com> References: <559D024C.5010603@redhat.com> <559D18FF.7090807@redhat.com> <559D1AED.9000905@redhat.com> Message-ID: <559D1E91.1090505@redhat.com> Dne 8.7.2015 v 14:43 Martin Basti napsal(a): > On 08/07/15 14:35, Jan Cholasta wrote: >> Hi, >> >> Dne 8.7.2015 v 12:58 Martin Basti napsal(a): >>> Patch attached. >>> >> >> Use self.log instead of root_logger. Otherwise ACK. >> >> Honza >> > Updated patch attached. > Pushed to master: 07d314070ae647254eb47708d7543c4d995fd885 -- Jan Cholasta From pvoborni at redhat.com Wed Jul 8 13:11:58 2015 
From: pvoborni at redhat.com (Petr Vobornik) Date: Wed, 8 Jul 2015 15:11:58 +0200 Subject: [Freeipa-devel] [PATCH] 894-896 webui: certificate profiles and acls In-Reply-To: <559D1698.5080403@redhat.com> References: <559D1698.5080403@redhat.com> Message-ID: <559D219E.2020805@redhat.com> On 07/08/2015 02:24 PM, Petr Vobornik wrote: > add Web UI for new certificate objects > > [PATCH] 894 webui: certificate profiles > [PATCH] 895 webui: caacl > [PATCH] 896 webui: hide facet tab in certificate details facet > > Fixed bug (adding profiles to caacl) in patch 895. -- Petr Vobornik -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvoborni-0895-1-webui-caacl.patch Type: text/x-patch Size: 17782 bytes Desc: not available URL: From redhatrises at gmail.com Wed Jul 8 14:09:04 2015 
From: redhatrises at gmail.com (Gabe Alford) Date: Wed, 8 Jul 2015 08:09:04 -0600 Subject: [Freeipa-devel] [PATCH 0050] Fix client ca.crt to match the server's cert In-Reply-To: <5593AABB.607@redhat.com> References: <5592ACFE.8020803@redhat.com> <5593913D.8000303@redhat.com> <5593AABB.607@redhat.com> Message-ID: Thanks, Martin. Updated patch attached. I was getting a 'No newline at the end of file' in my environment, hence the extra '\n' at the end. Please let me know if you see the same thing. Thanks, Gabe On Wed, Jul 1, 2015 at 2:54 AM, Martin Basti wrote: > On 01/07/15 09:05, Martin Basti wrote: > > On 30/06/15 17:31, Gabe Alford wrote: > > On Tue, Jun 30, 2015 at 8:51 AM, Martin Basti wrote: > >> On 16/06/15 16:58, Gabe Alford wrote: >> >> I know you guys are busy. Bump for review. >> >> Thanks, >> >> Gabe >> >> On Tue, May 26, 2015 at 8:16 AM, Gabe Alford < >> redhatrises at gmail.com> wrote: >> >>> Hello, >>> >>> Fix for https://fedorahosted.org/freeipa/ticket/3809 >>> >>> Thanks, >>> >>> Gabe >>> >> >> >> >> I'm getting certificate on server without extra '\n' at the end. >> >> So certificate files are not the same. >> > > I assume you did a diff of the server /etc/ipa/ca.crt and the client > /etc/ipa/ca.crt, right? Did you set up a server and then connect a client > (just wonder what your steps were so that I can also reproduce)? > > > Yes. I did that. > > I will retest it today. > > Retested and ca.cert on client has extra '\n' at the end. > > > >> >> -- >> Martin Basti >> >> > > > -- > Martin Basti > > > > > > -- > Martin Basti > > -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rga-0050-2-Fix-client-ca.crt-to-match-the-server-s-cert.patch Type: text/x-patch Size: 960 bytes Desc: not available URL: From tbabej at redhat.com Wed Jul 8 14:09:18 2015
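A check a practitioner would run instead of a raw diff of the two files, as an added example written for this page (not part of Gabe's patch or of FreeIPA): compare the certificate the two /etc/ipa/ca.crt files actually carry, i.e. the decoded DER bytes and their SHA-256 fingerprint, rather than the file bytes. A trailing newline then makes no difference, while a different certificate still fails. The PEM body below is constructed from arbitrary bytes and is not a real certificate.

```python
import base64
import hashlib
import re

# One CERTIFICATE block; whitespace inside and around the base64 body is ignored.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Decode the first CERTIFICATE block of a PEM string to its DER bytes."""
    match = PEM_BLOCK.search(pem)
    if match is None:
        raise ValueError("no CERTIFICATE block found")
    body = re.sub(r"\s+", "", match.group(1))
    return base64.b64decode(body, validate=True)


def fingerprint(pem: str) -> str:
    """SHA-256 over the DER encoding: the value worth comparing across hosts."""
    return hashlib.sha256(pem_to_der(pem)).hexdigest()


def same_ca(server_pem: str, client_pem: str) -> bool:
    """True when both files carry the same certificate, whatever the byte layout."""
    return fingerprint(server_pem) == fingerprint(client_pem)


def byte_identical(server_pem: str, client_pem: str) -> bool:
    """What a plain diff of the two files checks."""
    return server_pem == client_pem


# Constructed sample: 48 arbitrary bytes standing in for DER (not a real certificate).
SAMPLE_DER = bytes(range(48))
SERVER_CA_CRT = ("-----BEGIN CERTIFICATE-----\n"
                 + base64.encodebytes(SAMPLE_DER).decode()
                 + "-----END CERTIFICATE-----\n")
CLIENT_CA_CRT = SERVER_CA_CRT.rstrip("\n")   # same certificate, trailing newline dropped

if __name__ == "__main__":
    print("byte identical:", byte_identical(SERVER_CA_CRT, CLIENT_CA_CRT))
    print("same CA:       ", same_ca(SERVER_CA_CRT, CLIENT_CA_CRT))
```

On real hosts, read both files and call `same_ca`; a mismatch there is the condition that actually breaks TLS trust, while a mismatch in `byte_identical` alone is the cosmetic case this thread is about.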
From: tbabej at redhat.com (Tomas Babej) Date: Wed, 08 Jul 2015 16:09:18 +0200 Subject: [Freeipa-devel] [PATCH 463] spec file: Update minimal versions of required packages In-Reply-To: <20150708112802.GL21928@redhat.com> References: <559D087B.7060408@redhat.com> <20150708112802.GL21928@redhat.com> Message-ID: <559D2F0E.4000604@redhat.com> On 07/08/2015 01:28 PM, Alexander Bokovoy wrote: > On Wed, 08 Jul 2015, Jan Cholasta wrote: >> Hi, >> >> the attached patch fixes . > ACK. > Pushed to master: 7c0e7f7e3ca3a971d4db64f80f02d4f79e5f5c4d From dkupka at redhat.com Wed Jul 8 14:30:24 2015 From: dkupka at redhat.com (David Kupka) Date: Wed, 8 Jul 2015 16:30:24 +0200 Subject: [Freeipa-devel] [PATCH] 0026..0027 #5096 enforce caacl for SAN principals In-Reply-To: <20150703142639.GG6584@dhcp-40-8.bne.redhat.com> References: <20150703142639.GG6584@dhcp-40-8.bne.redhat.com> Message-ID: <559D3400.3020705@redhat.com> On 03/07/15 16:26, Fraser Tweedale wrote: > The attached patches fix: > > - a bug that caused caacl false negatives for hosts principals > - #5096 cert-request: enforce caacl for subjectAltName principals > > Thanks, > Fraser > > > Works for me, ACK. -- David Kupka From mbasti at redhat.com Wed Jul 8 14:54:20 2015 
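The check that the #5096 patch description calls for, as an added example written for this page (a simplified model, not FreeIPA's caacl plugin code): a certificate binds every principal it names, so the CA ACL must be evaluated for the subject principal and for each subjectAltName principal, and the request is refused if any one of them is not covered for the requested profile. The ACL model, profile name and principals below are constructed.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional, Tuple


def split_principal(principal: str) -> Tuple[str, str]:
    """Classify a Kerberos principal as ('host', fqdn), ('service', 'svc/fqdn')
    or ('user', name). The realm is ignored for ACL purposes."""
    name = principal.split("@", 1)[0]
    if "/" in name:
        svc, host = name.split("/", 1)
        return ("host", host) if svc == "host" else ("service", name)
    return ("user", name)


@dataclass(frozen=True)
class CAACL:
    """Simplified CA ACL (constructed for this example): which principals may
    request certificates with which profiles."""
    name: str
    profiles: FrozenSet[str]
    users: FrozenSet[str] = frozenset()
    hosts: FrozenSet[str] = frozenset()
    services: FrozenSet[str] = frozenset()
    usercategory_all: bool = False
    hostcategory_all: bool = False
    servicecategory_all: bool = False

    def permits(self, principal: str, profile: str) -> bool:
        if profile not in self.profiles:
            return False
        kind, name = split_principal(principal)
        if kind == "host":
            return self.hostcategory_all or name in self.hosts
        if kind == "service":
            return self.servicecategory_all or name in self.services
        return self.usercategory_all or name in self.users


def subject_only_check(acls: Iterable[CAACL], profile: str, subject: str,
                       san_principals: List[str]) -> bool:
    """The incomplete check: only the subject principal is tested, so a SAN
    naming another host or service rides along unexamined."""
    return any(acl.permits(subject, profile) for acl in acls)


def enforce_caacl(acls: Iterable[CAACL], profile: str, subject: str,
                  san_principals: List[str]) -> Tuple[bool, Optional[str]]:
    """Every principal the certificate would assert must be permitted by some
    ACL for this profile; returns (ok, first principal that is not)."""
    acls = list(acls)
    for principal in [subject, *san_principals]:
        if not any(acl.permits(principal, profile) for acl in acls):
            return False, principal
    return True, None


# Constructed sample: web1 may get a service certificate, db1 is not covered.
ACLS = [CAACL("web-servers", frozenset({"caIPAserviceCert"}),
              hosts=frozenset({"web1.example.test"}))]
PROFILE = "caIPAserviceCert"
SUBJECT = "host/web1.example.test@EXAMPLE.TEST"
SAN_PRINCIPALS = ["host/db1.example.test@EXAMPLE.TEST"]

if __name__ == "__main__":
    print("subject-only:", subject_only_check(ACLS, PROFILE, SUBJECT, SAN_PRINCIPALS))
    print("enforced:    ", enforce_caacl(ACLS, PROFILE, SUBJECT, SAN_PRINCIPALS))
```

The subject-only variant lets web1 obtain a certificate that is also valid for db1; the enforced variant names db1 as the principal that blocks the request, which is the message an operator needs when a legitimate multi-host certificate is refused.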
From: mbasti at redhat.com (Martin Basti) Date: Wed, 8 Jul 2015 16:54:20 +0200 Subject: [Freeipa-devel] [PATCH] 894-896 webui: certificate profiles and acls In-Reply-To: <559D219E.2020805@redhat.com> References: <559D1698.5080403@redhat.com> <559D219E.2020805@redhat.com> Message-ID: <559D399C.2010209@redhat.com> On 08/07/15 15:11, Petr Vobornik wrote: > On 07/08/2015 02:24 PM, Petr Vobornik wrote: >> add Web UI for new certificate objects >> >> [PATCH] 894 webui: certificate profiles >> [PATCH] 895 webui: caacl >> [PATCH] 896 webui: hide facet tab in certificate details facet >> >> > > Fixed bug (adding profiles to caacl) in patch 895. > > ACK -- Martin Basti -------------- next part -------------- An HTML attachment was scrubbed... URL: From tbabej at redhat.com Wed Jul 8 14:58:10 2015 From: tbabej at redhat.com (Tomas Babej) Date: Wed, 08 Jul 2015 16:58:10 +0200 Subject: [Freeipa-devel] [PATCHES 0335-0336] adtrustinstance: Enable and start oddjobd Message-ID: <559D3A82.1020809@redhat.com> Hi, Enable and start the oddjobd service as part of the ipa-adtrust-install for the new IPA installations and upgraded ones. Tomas -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-tbabej-0335-adtrustinstance-Enable-and-start-oddjobd.patch Type: text/x-patch Size: 2960 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-tbabej-0336-upgrade-Enable-and-start-oddjobd-if-adtrust-is-avail.patch Type: text/x-patch Size: 2469 bytes Desc: not available URL: From rmeggins at redhat.com Wed Jul 8 15:10:34 2015 
From: rmeggins at redhat.com (Rich Megginson) Date: Wed, 08 Jul 2015 09:10:34 -0600 Subject: [Freeipa-devel] How to support Designate? In-Reply-To: <559CFBF6.6000109@redhat.com> References: <5593FC83.8030504@redhat.com> <559402F9.1000708@redhat.com> <5594034B.9040706@redhat.com> <559CFBF6.6000109@redhat.com> Message-ID: <559D3D6A.5020106@redhat.com> On 07/08/2015 04:31 AM, Petr Spacek wrote: > On 1.7.2015 17:12, Rich Megginson wrote: >> On 07/01/2015 09:10 AM, Petr Spacek wrote: >>> On 1.7.2015 16:43, Rich Megginson wrote: >>>> How much work would it be to support IPA as an AXFR/IXFR client or server with >>>> Designate? Right now, their miniDNS component only supports being a master >>>> and sending updates via AXFR, but they have IXFR support planned. >>> I need to read more about it. Could you please point me to some comprehensive >>> docs about Designate? >>> >>> Thanks! >>> >> http://docs.openstack.org/developer/designate/architecture.html > Designate in setups with mini-DNS acts as DNS master server, i.e. the only > source of DNS data/truth. Currently FreeIPA can act only as master, too, which > is not possible. By "master" do you mean "unable to accept AXFR/IXFR from another server"? > > I can see several alternatives: > > A) Add support for slave zones to FreeIPA. > It should be relatively easy and I guess doable in Fedora 23 time frame if it > gets appropriate priority. > > For plain/insecure DNS zones it will allow us to use FreeIPA in place of any > other DNS server but the added value will be negligible because FreeIPA acting > as a slave cannot change the data. > > The real added value could be the ability of FreeIPA to DNSSEC-sign zones and > do the DNSSEC key management. I believe that we should be able to re-use > machinery we implemented for master zones in FreeIPA so DNSSEC signing for > slave zones should be almost 'for free'. 
> > When implemented, FreeIPA could become the easiest way how to secure DNS in > Designate with DNSSEC technology even in cases where all the data are managed > by Designate API. This sounds interesting. This seems like it would fit in with the typical OpenStack use case - create a new host, assign it a hostname in a sub-zone. > > > B) We can avoid implementing slave zones by using 'agent': > http://docs.openstack.org/developer/designate/glossary.html > > If I'm not mistaken, this is what you implemented last year. I implemented support in Designate for a FreeIPA backend which used the JSON HTTPS API to send updates from Designate to FreeIPA. Designate has deprecated support for backends. The agent approach is basically putting a "mini-DNS"-like daemon on each system which can accept AXFR from Designate. This agent would then use the backend code I developed to send the data to FreeIPA. > > > C) We can say that combining FreeIPA DNS and Designate does not make sense and > drop what you did last year. It was already dropped when the backend approach was deprecated. > In current architecture it really does not add > any value *unless* we add DNSSEC to the mix. > > > D) Integrate IPA installers with Designate API. > This is somehow complementary to variants A (and C) and would allow us to > automatically add DNS records required by FreeIPA to Designate during FreeIPA > installation and replica management. I wrote a script (ipaextractor.py) that will extract DNS data from FreeIPA and store it in Designate. That would be a good place to start. > > > In my opinion variants A+D are the best way to move forward. What do you think? > If we could change Designate in some way to work better with FreeIPA, what would you propose? From tbabej at redhat.com Wed Jul 8 15:11:40 2015 
From: tbabej at redhat.com (Tomas Babej) Date: Wed, 08 Jul 2015 17:11:40 +0200 Subject: [Freeipa-devel] [PATCH 0278] Fix API logging In-Reply-To: <559D1532.2060907@redhat.com> References: <559D1532.2060907@redhat.com> Message-ID: <559D3DAC.4040902@redhat.com> On 07/08/2015 02:18 PM, Martin Basti wrote: > log must be initilized before first usage in API, otherwise traceback is > shown: > > # ipa -e random-nonexistent-key=1 user-find > Traceback (most recent call last): > File "/bin/ipa", line 32, in > cli.run(api) > File "/usr/lib/python2.7/site-packages/ipalib/cli.py", line 1346, in run > api.log.exception('%s: %s', e.__class__.__name__, str(e)) > AttributeError: 'API' object has no attribute 'log' > > Patch attached. > > > ACK. Pushed to master: e51bb1bc668bf3008c8cca1dcbb0ebda7fa5c703 From abokovoy at redhat.com Wed Jul 8 15:12:04 2015 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Wed, 8 Jul 2015 18:12:04 +0300 Subject: [Freeipa-devel] [PATCHES 0335-0336] adtrustinstance: Enable and start oddjobd In-Reply-To: <559D3A82.1020809@redhat.com> References: <559D3A82.1020809@redhat.com> Message-ID: <20150708151204.GR21928@redhat.com> On Wed, 08 Jul 2015, Tomas Babej wrote: >From 66d39f12a77d23e8d8ac2c11650258ed9f3eb200 Mon Sep 17 00:00:00 2001 >From: Tomas Babej >Date: Wed, 8 Jul 2015 15:44:13 +0200 >Subject: [PATCH] adtrustinstance: Enable and start oddjobd > >Enable and start the oddjobd service as part of the >ipa-adtrust-install for the new IPA installations. ACK >--- > ipaserver/install/adtrustinstance.py | 19 +++++++++++++++++++ > ipaserver/install/installutils.py | 11 +++++++++++ > 2 files changed, 30 insertions(+) > >diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py >index 8343f81826b661e0ab5a34073b0df9b477589ffa..ff0e8cc3e6dd7a78bd5a6ab06918757ca343970c 100644 >--- a/ipaserver/install/adtrustinstance.py >+++ b/ipaserver/install/adtrustinstance.py 
>@@ -706,6 +706,9 @@ class ADTRUSTInstance(service.Service): > except Exception, e: > root_logger.critical("Enabling nsswitch support in slapi-nis failed with error '%s'" % e) > >+ def __enable_and_start_oddjobd(self): >+ installutils.enable_and_start_oddjobd(self.sstore) >+ > def __start(self): > try: > self.start() >@@ -852,6 +855,7 @@ class ADTRUSTInstance(service.Service): > self.step("adding Default Trust View", self.__add_default_trust_view) > self.step("setting SELinux booleans", \ > self.__configure_selinux_for_smbd) >+ self.step("enabling oddjobd", self.__enable_and_start_oddjobd) > self.step("starting CIFS services", self.__start) > > if self.add_sids: >@@ -880,6 +884,21 @@ class ADTRUSTInstance(service.Service): > except Exception: > pass > >+ # Restore oddjobd to its original state >+ oddjobd = services.service('oddjobd') >+ >+ if not self.sstore.restore_state('oddjobd', 'running'): >+ try: >+ oddjobd.stop() >+ except Exception: >+ pass >+ >+ if not self.sstore.restore_state('oddjobd', 'enabled'): >+ try: >+ oddjobd.disable() >+ except Exception: >+ pass >+ > # Since we do not guarantee restoring back to working samba state, > # we should not restore smb.conf > >diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py >index 08620c472b9478511d7d08a0d174e7da3f732207..02e8526317dbab909ed48a1823000922ce6e6b7a 100644 >--- a/ipaserver/install/installutils.py >+++ b/ipaserver/install/installutils.py 
>@@ -1081,3 +1081,14 @@ def check_version(): > > def realm_to_serverid(realm_name): > return "-".join(realm_name.split(".")) >+ >+def enable_and_start_oddjobd(sstore): >+ oddjobd = services.service('oddjobd') >+ sstore.backup_state('oddjobd', 'running', oddjobd.is_running()) >+ sstore.backup_state('oddjobd', 'enabled', oddjobd.is_enabled()) >+ >+ try: >+ oddjobd.enable() >+ oddjobd.start() >+ except Exception as e: >+ root_logger.critical("Unable to start oddjobd: {0}".format(str(e))) >-- >2.1.0 > -- / Alexander Bokovoy From tbabej at redhat.com Wed Jul 8 15:12:57 2015 From: tbabej at redhat.com (Tomas Babej) Date: Wed, 08 Jul 2015 17:12:57 +0200 Subject: [Freeipa-devel] [PATCH] 894-896 webui: certificate profiles and acls In-Reply-To: <559D399C.2010209@redhat.com> References: <559D1698.5080403@redhat.com> <559D219E.2020805@redhat.com> <559D399C.2010209@redhat.com> Message-ID: <559D3DF9.7080501@redhat.com> On 07/08/2015 04:54 PM, Martin Basti wrote: > On 08/07/15 15:11, Petr Vobornik wrote: >> On 07/08/2015 02:24 PM, Petr Vobornik wrote: >>> add Web UI for new certificate objects >>> >>> [PATCH] 894 webui: certificate profiles >>> [PATCH] 895 webui: caacl >>> [PATCH] 896 webui: hide facet tab in certificate details facet >>> >>> >> >> Fixed bug (adding profiles to caacl) in patch 895. >> >> > ACK > > -- > Martin Basti > > > Pushed to master: f13cce2d9c7d0b31b366fd7b5af518fbccb10ee8 From tbabej at redhat.com Wed Jul 8 15:15:41 2015 From: tbabej at redhat.com (Tomas Babej) Date: Wed, 08 Jul 2015 17:15:41 +0200 Subject: [Freeipa-devel] [PATCHES 0335-0336] adtrustinstance: Enable and start oddjobd In-Reply-To: <20150708151204.GR21928@redhat.com> References: <559D3A82.1020809@redhat.com> <20150708151204.GR21928@redhat.com> Message-ID: <559D3E9D.7030802@redhat.com> On 07/08/2015 05:12 PM, Alexander Bokovoy wrote: > On Wed, 08 Jul 2015, Tomas Babej wrote: >> From 66d39f12a77d23e8d8ac2c11650258ed9f3eb200 Mon Sep 17 00:00:00 2001 
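Review bot: the uninstall hunk of adtrustinstance.py (`@@ -880,6 +884,21 @@`) cannot tell "state recorded as not running/not enabled" from "no state recorded": `if not self.sstore.restore_state('oddjobd', 'running'):` is also true when the key is absent (restore_state returns None in that case, assuming the usual sysrestore semantics), e.g. on a server whose trust setup predates this patch and has not been upgraded with the companion plugin, so uninstall would stop and disable an oddjobd the installer never touched. Guard the two blocks with `if self.sstore.has_state('oddjobd'):`, or compare the restored value with `False` explicitly.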
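Review bot: `enable_and_start_oddjobd` in the installutils.py hunk (`@@ -1081,3 +1081,14 @@`) calls `sstore.backup_state('oddjobd', 'running', ...)` and `sstore.backup_state('oddjobd', 'enabled', ...)` unconditionally, so every call overwrites the saved pre-install state; the companion patch 0336 calls this helper from an upgrade plugin that runs on every upgrade, after which the backup reads enabled/running and uninstall can no longer restore what was there before. Back up only when `not sstore.has_state('oddjobd')`, or have the caller skip the helper when the state is already recorded. The `except Exception` that only logs `root_logger.critical(...)` also lets the installer continue with oddjobd not running; if trust operations depend on it, the step should fail rather than just log. Minor: two blank lines before the new module-level `def`.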
>> From: Tomas Babej >> Date: Wed, 8 Jul 2015 15:44:13 +0200 >> Subject: [PATCH] adtrustinstance: Enable and start oddjobd >> >> Enable and start the oddjobd service as part of the >> ipa-adtrust-install for the new IPA installations. > ACK > Pushed to master: 9c5df3cf76c921d268e7892ef9d9e7a7d2ad89f9 From abokovoy at redhat.com Wed Jul 8 15:15:48 2015 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Wed, 8 Jul 2015 18:15:48 +0300 Subject: [Freeipa-devel] [PATCHES 0335-0336] adtrustinstance: Enable and start oddjobd In-Reply-To: <559D3A82.1020809@redhat.com> References: <559D3A82.1020809@redhat.com> Message-ID: <20150708151548.GS21928@redhat.com> On Wed, 08 Jul 2015, Tomas Babej wrote: >From c6135d634cbccbdbb30ab3906c32cd3720bca95e Mon Sep 17 00:00:00 2001 >From: Tomas Babej >Date: Wed, 8 Jul 2015 15:45:18 +0200 >Subject: [PATCH] upgrade: Enable and start oddjobd if adtrust is available > >If ipa-adtrust-install has already been run on the system, >enable and start the oddjobd service. ACK as well. >--- > install/updates/90-post_upgrade_plugins.update | 1 + > ipaserver/install/plugins/adtrust.py | 24 ++++++++++++++++++++++++ > 2 files changed, 25 insertions(+) > >diff --git a/install/updates/90-post_upgrade_plugins.update b/install/updates/90-post_upgrade_plugins.update >index 8e8fe09414eac57d2e8c15dcfc4aed64b6e35cd5..3df3a4574705dbd8df8f25149c13877898afb66b 100644 >--- a/install/updates/90-post_upgrade_plugins.update >+++ b/install/updates/90-post_upgrade_plugins.update >@@ -18,3 +18,4 @@ plugin: update_managed_post > plugin: update_managed_permissions > plugin: update_idrange_baserid > plugin: update_passync_privilege_update >+plugin: update_oddjobd_for_adtrust >diff --git a/ipaserver/install/plugins/adtrust.py b/ipaserver/install/plugins/adtrust.py >index d96bfe83e3b9d1d3e64b9fde385fbf520ed20a3a..45bcc5f2fe532446342300ff0c5e1e7149cf023b 100644 >--- a/ipaserver/install/plugins/adtrust.py >+++ b/ipaserver/install/plugins/adtrust.py 
>@@ -19,8 +19,11 @@ > > from ipalib import api, errors > from ipalib import Updater >+from ipaplatform.paths import paths > from ipapython.dn import DN > from ipapython.ipa_log_manager import * >+from ipapython import sysrestore >+from ipaserver.install import installutils > > DEFAULT_ID_RANGE_SIZE = 200000 > >@@ -161,5 +164,26 @@ class update_default_trust_view(Updater): > > return False, [update] > >+ >+class update_oddjobd_for_adtrust(Updater): >+ """ >+ Enables and starts oddjobd daemon if ipa-adtrust-install has been run >+ on this system. >+ """ >+ >+ def execute(self, **options): >+ adtrust_is_enabled = self.api.Command['adtrust_is_enabled']()['result'] >+ >+ if adtrust_is_enabled: >+ self.log.debug('Try to enable and start oddjobd') >+ sstore = sysrestore.StateFile(paths.SYSRESTORE) >+ installutils.enable_and_start_oddjobd(sstore) >+ else: >+ self.log.debug('ADTrust not configured on this server, do not ' >+ 'start and enable oddjobd') >+ >+ return False, [] >+ > api.register(update_default_range) > api.register(update_default_trust_view) >+api.register(update_oddjobd_for_adtrust) >-- >2.1.0 > -- / Alexander Bokovoy From tbabej at redhat.com Wed Jul 8 15:16:15 2015 From: tbabej at redhat.com (Tomas Babej) Date: Wed, 08 Jul 2015 17:16:15 +0200 Subject: [Freeipa-devel] [PATCH] 0026..0027 #5096 enforce caacl for SAN principals In-Reply-To: <559D3400.3020705@redhat.com> References: <20150703142639.GG6584@dhcp-40-8.bne.redhat.com> <559D3400.3020705@redhat.com> Message-ID: <559D3EBF.2020006@redhat.com> On 07/08/2015 04:30 PM, David Kupka wrote: > On 03/07/15 16:26, Fraser Tweedale wrote: >> The attached patches fix: >> >> - a bug that caused caacl false negatives for hosts principals >> - #5096 cert-request: enforce caacl for subjectAltName principals >> >> Thanks, >> Fraser >> >> >> > Works for me, ACK. > Pushed to master: ec7e5e0cac4d93f4a0bb62c1de28be46f362740b From tbabej at redhat.com Wed Jul 8 15:17:15 2015 
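Review bot: `update_oddjobd_for_adtrust.execute` in the adtrust.py hunk (`@@ -161,5 +164,26 @@`) runs `installutils.enable_and_start_oddjobd(sstore)` on every upgrade as long as `adtrust_is_enabled` is true; with the helper as written in patch 0335 that re-records the service state each time, so the first upgrade already turns the saved state into enabled/running. Skip the call when `sstore.has_state('oddjobd')` (or when oddjobd is already enabled and running), and log at info rather than debug when the plugin actually changes service state, since an upgrade that enables a daemon is worth seeing in the upgrade log.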
From: tbabej at redhat.com (Tomas Babej) Date: Wed, 08 Jul 2015 17:17:15 +0200 Subject: [Freeipa-devel] [PATCH] 893 move session_logout command to ipalib/plugins directory In-Reply-To: <559D189B.1030700@redhat.com> References: <559CE14D.5060502@redhat.com> <559CF976.1050903@redhat.com> <559D00B9.50906@redhat.com> <559D0776.7040104@redhat.com> <559D0D8A.5070302@redhat.com> <559D189B.1030700@redhat.com> Message-ID: <559D3EFB.4050601@redhat.com> On 07/08/2015 02:33 PM, Martin Basti wrote: > On 08/07/15 13:46, Petr Vobornik wrote: >> On 07/08/2015 01:20 PM, Martin Basti wrote: >>> On 08/07/15 12:51, Martin Basti wrote: >>>> On 08/07/15 12:20, Petr Vobornik wrote: >>>>> On 07/08/2015 10:37 AM, Petr Vobornik wrote: >>>>>> API refactoring caused that session_logout command was not >>>>>> registered. >>>>>> >>>>>> Commands in ipalib/plugins directory are automatically registered. >>>>>> >>>>>> >>>>> Added NO_CLI = True to hide the command in CLI. >>>>> >>>>> >>>> Works for me. >>>> >>>> -- >>>> Martin Basti >>>> >>>> >>> NACK, It works but you should update API.txt >>> >>> Command session_logout in ipalib, not in API >>> >>> There are one or more new commands defined. >>> Update API.txt and increment the minor version in VERSION. >>> >> >> updated patch attached. > > ACK > Pushed to master: cd3ca94ff2ef738cb3a9eae502193413058f976d From pspacek at redhat.com Wed Jul 8 16:11:36 2015
From: pspacek at redhat.com (Petr Spacek) Date: Wed, 08 Jul 2015 18:11:36 +0200 Subject: [Freeipa-devel] How to support Designate? In-Reply-To: <559D3D6A.5020106@redhat.com> References: <5593FC83.8030504@redhat.com> <559402F9.1000708@redhat.com> <5594034B.9040706@redhat.com> <559CFBF6.6000109@redhat.com> <559D3D6A.5020106@redhat.com> Message-ID: <559D4BB8.6080407@redhat.com> On 8.7.2015 17:10, Rich Megginson wrote: > On 07/08/2015 04:31 AM, Petr Spacek wrote: >> On 1.7.2015 17:12, Rich Megginson wrote: >>> On 07/01/2015 09:10 AM, Petr Spacek wrote: >>>> On 1.7.2015 16:43, Rich Megginson wrote: >>>>> How much work would it be to support IPA as an AXFR/IXFR client or server >>>>> with >>>>> Designate? Right now, their miniDNS component only supports being a master >>>>> and sending updates via AXFR, but they have IXFR support planned. >>>> I need to read more about it. Could you please point me to some comprehensive >>>> docs about Designate? >>>> >>>> Thanks! >>>> >>> http://docs.openstack.org/developer/designate/architecture.html >> Designate in setups with mini-DNS acts as DNS master server, i.e. the only >> source of DNS data/truth. Currently FreeIPA can act only as master, too, which >> is not possible. > > By "master" do you mean "unable to accept AXFR/IXFR from another server"? Sort of. DNS is conceptually built around the concept of a single authoritative database hosted on the Primary Master server. The database is then transferred using AXFR to Slave servers, which are read-only (and can forward update requests to the Primary Master). See http://tools.ietf.org/html/rfc2136#section-1 The Primary Master server is the place where changes are made. There is by definition only one primary master server per zone, so FreeIPA and Designate cannot be Primary Masters at the same time. We need to decide who is going to have control over the data. >> I can see several alternatives: >> >> A) Add support for slave zones to FreeIPA.
>> It should be relatively easy and I guess doable in Fedora 23 time frame if it >> gets appropriate priority. >> >> For plain/insecure DNS zones it will allow us to use FreeIPA in place of any >> other DNS server but the added value will be negligible because FreeIPA acting >> as a slave cannot change the data. >> >> The real added value could be the ability of FreeIPA to DNSSEC-sign zones and >> do the DNSSEC key management. I believe that we should be able to re-use >> machinery we implemented for master zones in FreeIPA so DNSSEC signing for >> slave zones should be almost 'for free'. >> >> When implemented, FreeIPA could become the easiest way how to secure DNS in >> Designate with DNSSEC technology even in cases where all the data are managed >> by Designate API. > > This sounds interesting. This seems like it would fit in with the typical > OpenStack use case - create a new host, assign it a hostname in a sub-zone. To be sure we understood each other: In the scenarios where FreeIPA acts as Slave server, the change is done in Designate and then a new version of the DNS zone is transferred to FreeIPA. After that FreeIPA can DNSSEC-sign the zone and serve the signed version to the clients. >> B) We can avoid implementing slave zones by using 'agent': >> http://docs.openstack.org/developer/designate/glossary.html >> >> If I'm not mistaken, this is what you implemented last year. > > I implemented support in Designate for a FreeIPA backend which used the JSON > HTTPS API to send updates from Designate to FreeIPA. > Designate has deprecated support for backends. > > The agent approach is basically putting a "mini-DNS"-like daemon on each > system which can accept AXFR from Designate. This agent would then use the > backend code I developed to send the data to FreeIPA. Wow, that is a lot of complexity. 
I suspect that something like this is already implemented in dnssyncd written by Martin Basti: https://github.com/bastiak/dnssyncd Anyway, I do not see any value in doing so in this particular scenario. Designate would be the authoritative source of data (Primary Master) so from functional point of view it would be the same (or worse) than variant (A), just with more code and more error prone. >> C) We can say that combining FreeIPA DNS and Designate does not make sense and >> drop what you did last year. > > It was already dropped when the backend approach was deprecated. > >> In current architecture it really does not add >> any value *unless* we add DNSSEC to the mix. >> >> >> D) Integrate IPA installers with Designate API. >> This is somehow complementary to variants A (and C) and would allow us to >> automatically add DNS records required by FreeIPA to Designate during FreeIPA >> installation and replica management. > > I wrote a script (ipaextractor.py) that will extract DNS data from FreeIPA and > store it in Designate. That would be a good place to start. Generally FreeIPA should integrate with other DNS server implementations in a way similar to this: https://fedorahosted.org/freeipa/ticket/4424 http://www.freeipa.org/page/V4/External_DNS_integration_with_installer Hopefully 4.3 timeframe will allow us to work on that. >> In my opinion variants A+D are the best way to move forward. What do you think? >> > > If we could change Designate in some way to work better with FreeIPA, what > would you propose? How much can we change? :-D I liked the original architecture where Designate just 'proxied' change requests to DNS implementations/backends. Assuming that Designate wants to own DNS and be Primary Master, it would be awesome if they could support standard DNS UPDATE protocol (RFC 2136) alongside their own JSON API. 
The JSON API is superset of DNS UPDATE protocol because it allows to add zones but still, standard protocol would mean that standard client (possibly guest OS inside VM) can update its records without any OpenStack dependency, which is very much desirable. The use case here is to allow the guest OS to publish it's SSH key (which was generated inside the VM after first boot) to prevent Man in the middle attacks. The same goes for all other sorts of DANE/DNSSEC data or service discovery using DNS, where a guest/container running a distributed service can publish it's existence in DNS. DNS UPDATE supports GSS(API) for authentication via RFC 3007 and that is widely supported, too. So DNS UPDATE is my biggest wish :-) -- Petr^2 Spacek From rmeggins at redhat.com Wed Jul 8 17:56:37 2015 
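The DNS UPDATE use case Petr describes above (a guest publishing its own SSH host key so clients can verify it against DNS instead of trusting the first connection) in working code, as an added example that is not part of this thread and not code from FreeIPA, Designate or dnssyncd: it derives an SSHFP record (RFC 4255 / RFC 6594, SHA-256 fingerprint) from an OpenSSH public-key line and serialises an RFC 2136 UPDATE message that replaces the host's SSHFP RRset, then decodes the message again the way a receiving server would. The zone `example.com.`, the host `vm1.example.com.`, the Ed25519 key and every function name are constructed for the example. Only the wire format is built; nothing is sent, and no TSIG/GSS-TSIG signature is attached.

```python
"""Publish a host's SSH key in DNS: derive an SSHFP record (RFC 4255 / RFC 6594)
from an OpenSSH public-key line and wrap it in an RFC 2136 DNS UPDATE message.

Added example, not code from this thread, FreeIPA or Designate. Only the wire
format is built; nothing is sent and no TSIG/GSS-TSIG signature is attached.
Zone, host name and key below are constructed sample values.
"""
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594) keyed by OpenSSH key type.
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
SSHFP_FPTYPE_SHA256 = 2          # RFC 6594: fingerprint type 2 = SHA-256
TYPE_SOA, TYPE_SSHFP = 6, 44
CLASS_IN, CLASS_ANY = 1, 255
OPCODE_UPDATE = 5


def sshfp_rdata(pubkey_line: str) -> bytes:
    """SSHFP RDATA = algorithm, fptype, SHA-256 over the decoded key blob
    (the blob ssh-keygen fingerprints, not the base64 text)."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    return bytes([SSHFP_ALGORITHM[keytype], SSHFP_FPTYPE_SHA256]) + hashlib.sha256(blob).digest()


def sshfp_presentation(rdata: bytes) -> str:
    """Zone-file form: '<alg> <fptype> <hex fingerprint>'."""
    return f"{rdata[0]} {rdata[1]} {rdata[2:].hex()}"


def encode_name(name: str) -> bytes:
    """Uncompressed wire-format domain name (RFC 1035 section 3.1)."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def rr(owner: str, rtype: int, rclass: int, ttl: int, rdata: bytes) -> bytes:
    """One resource record in wire format: NAME TYPE CLASS TTL RDLENGTH RDATA."""
    return encode_name(owner) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def build_sshfp_update(zone: str, host: str, pubkey_line: str,
                       ttl: int = 3600, msg_id: int = 0x1234) -> bytes:
    """RFC 2136 UPDATE with one zone entry and two update RRs.

    The first RR (class ANY, TTL 0, empty RDATA; RFC 2136 section 2.5.2) deletes
    the whole SSHFP RRset before the new record is added, so fingerprints of
    replaced keys do not linger and keep validating an old host key."""
    updates = [
        rr(host, TYPE_SSHFP, CLASS_ANY, 0, b""),
        rr(host, TYPE_SSHFP, CLASS_IN, ttl, sshfp_rdata(pubkey_line)),
    ]
    # Header: ID, flags (QR=0, OPCODE=5), ZOCOUNT, PRCOUNT, UPCOUNT, ADCOUNT.
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11, 1, 0, len(updates), 0)
    zone_section = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    return header + zone_section + b"".join(updates)


def parse_update(msg: bytes) -> dict:
    """Decode the message built above (no name compression), as a server would
    before checking the requester's authorization and applying the change."""
    msg_id, flags, _zo, _pr, upcount, _ad = struct.unpack("!HHHHHH", msg[:12])

    def read_name(pos):
        labels = []
        while msg[pos]:
            n = msg[pos]
            labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
            pos += 1 + n
        return ".".join(labels) + ".", pos + 1

    zone, pos = read_name(12)
    ztype, zclass = struct.unpack("!HH", msg[pos:pos + 4])
    pos += 4
    updates = []
    for _ in range(upcount):
        owner, pos = read_name(pos)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        updates.append((owner, rtype, rclass, ttl, msg[pos:pos + rdlen]))
        pos += rdlen
    if pos != len(msg):
        raise ValueError("trailing bytes in UPDATE message")
    return {"id": msg_id, "opcode": (flags >> 11) & 0xF,
            "zone": (zone, ztype, zclass), "updates": updates}


# Constructed Ed25519 key: OpenSSH blob = string("ssh-ed25519") + string(32 bytes).
_BLOB = struct.pack("!I", 11) + b"ssh-ed25519" + struct.pack("!I", 32) + bytes(range(32))
SAMPLE_PUBKEY = "ssh-ed25519 " + base64.b64encode(_BLOB).decode() + " root@vm1"
SAMPLE_ZONE, SAMPLE_HOST = "example.com.", "vm1.example.com."

if __name__ == "__main__":
    update = build_sshfp_update(SAMPLE_ZONE, SAMPLE_HOST, SAMPLE_PUBKEY)
    print(SAMPLE_HOST, "SSHFP", sshfp_presentation(sshfp_rdata(SAMPLE_PUBKEY)))
    print(len(update), "byte UPDATE:", parse_update(update))
```

The class-ANY delete followed by the add is the same pair of operations `nsupdate` emits for `update delete <host> SSHFP` / `update add <host> <ttl> SSHFP ...`. A server should accept such a message only after the authentication step the thread mentions (TSIG, or GSS-TSIG per RFC 3007 and RFC 3645), which is what ties the update to the host's own identity and is deliberately left out of this wire-format example.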
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 08 Jul 2015 11:56:37 -0600
Subject: [Freeipa-devel] How to support Designate?
In-Reply-To: <559D4BB8.6080407@redhat.com>
References: <5593FC83.8030504@redhat.com> <559402F9.1000708@redhat.com> <5594034B.9040706@redhat.com> <559CFBF6.6000109@redhat.com> <559D3D6A.5020106@redhat.com> <559D4BB8.6080407@redhat.com>
Message-ID: <559D6455.4040704@redhat.com>

On 07/08/2015 10:11 AM, Petr Spacek wrote:
> On 8.7.2015 17:10, Rich Megginson wrote:
>> On 07/08/2015 04:31 AM, Petr Spacek wrote:
>>> On 1.7.2015 17:12, Rich Megginson wrote:
>>>> On 07/01/2015 09:10 AM, Petr Spacek wrote:
>>>>> On 1.7.2015 16:43, Rich Megginson wrote:
>>>>>> How much work would it be to support IPA as an AXFR/IXFR client or
>>>>>> server with Designate? Right now, their miniDNS component only
>>>>>> supports being a master and sending updates via AXFR, but they have
>>>>>> IXFR support planned.
>>>>> I need to read more about it. Could you please point me to some
>>>>> comprehensive docs about Designate?
>>>>>
>>>>> Thanks!
>>>>>
>>>> http://docs.openstack.org/developer/designate/architecture.html
>>> Designate in setups with mini-DNS acts as DNS master server, i.e. the
>>> only source of DNS data/truth. Currently FreeIPA can act only as master,
>>> too, which is not possible.
>> By "master" do you mean "unable to accept AXFR/IXFR from another server"?
> Sort of. DNS is conceptually built around the concept of a single
> authoritative database hosted on the Primary Master server. The database is
> then transferred using AXFR to Slave servers, which are read-only (and can
> forward update requests to the Primary Master).
>
> See http://tools.ietf.org/html/rfc2136#section-1
>
> The Primary Master server is the place where changes are made. There is by
> definition only one primary master server per zone, so FreeIPA and Designate
> cannot be Primary Masters at the same time.
>
> We need to decide who is going to have control over the data.
>
>>> I can see several alternatives:
>>>
>>> A) Add support for slave zones to FreeIPA.
>>> It should be relatively easy and I guess doable in the Fedora 23 time
>>> frame if it gets appropriate priority.
>>>
>>> For plain/insecure DNS zones it will allow us to use FreeIPA in place of
>>> any other DNS server but the added value will be negligible because
>>> FreeIPA acting as a slave cannot change the data.
>>>
>>> The real added value could be the ability of FreeIPA to DNSSEC-sign zones
>>> and do the DNSSEC key management. I believe that we should be able to
>>> re-use machinery we implemented for master zones in FreeIPA so DNSSEC
>>> signing for slave zones should be almost 'for free'.
>>>
>>> When implemented, FreeIPA could become the easiest way to secure DNS in
>>> Designate with DNSSEC technology even in cases where all the data are
>>> managed by the Designate API.
>> This sounds interesting. This seems like it would fit in with the typical
>> OpenStack use case - create a new host, assign it a hostname in a sub-zone.
> To be sure we understood each other:
> In the scenarios where FreeIPA acts as Slave server, the change is done in
> Designate and then a new version of the DNS zone is transferred to FreeIPA.
> After that FreeIPA can DNSSEC-sign the zone and serve the signed version to
> the clients.
>
>
>>> B) We can avoid implementing slave zones by using 'agent':
>>> http://docs.openstack.org/developer/designate/glossary.html
>>>
>>> If I'm not mistaken, this is what you implemented last year.
>> I implemented support in Designate for a FreeIPA backend which used the
>> JSON HTTPS API to send updates from Designate to FreeIPA.
>> Designate has deprecated support for backends.
>>
>> The agent approach is basically putting a "mini-DNS"-like daemon on each
>> system which can accept AXFR from Designate. This agent would then use the
>> backend code I developed to send the data to FreeIPA.
> Wow, that is a lot of complexity. I suspect that something like this is
> already implemented in dnssyncd written by Martin Basti:
> https://github.com/bastiak/dnssyncd
>
> Anyway, I do not see any value in doing so in this particular scenario.
> Designate would be the authoritative source of data (Primary Master) so from
> a functional point of view it would be the same as (or worse than) variant
> (A), just with more code and more error-prone.
>
>
>>> C) We can say that combining FreeIPA DNS and Designate does not make
>>> sense and drop what you did last year.
>> It was already dropped when the backend approach was deprecated.
>>
>>> In the current architecture it really does not add any value *unless* we
>>> add DNSSEC to the mix.
>>>
>>>
>>> D) Integrate IPA installers with the Designate API.
>>> This is somehow complementary to variants A (and C) and would allow us to
>>> automatically add DNS records required by FreeIPA to Designate during
>>> FreeIPA installation and replica management.
>> I wrote a script (ipaextractor.py) that will extract DNS data from FreeIPA
>> and store it in Designate. That would be a good place to start.
> Generally FreeIPA should integrate with other DNS server implementations in
> a way similar to this:
> https://fedorahosted.org/freeipa/ticket/4424
> http://www.freeipa.org/page/V4/External_DNS_integration_with_installer
>
> Hopefully the 4.3 timeframe will allow us to work on that.
>
>>> In my opinion variants A+D are the best way to move forward. What do you
>>> think?
>>>
>> If we could change Designate in some way to work better with FreeIPA, what
>> would you propose?
> How much can we change? :-D I liked the original architecture where
> Designate just 'proxied' change requests to DNS implementations/backends.

Me too, but we didn't/don't have much say in the direction/design that
Designate takes . . .

>
> Assuming that Designate wants to own DNS and be Primary Master, it would be
> awesome if they could support the standard DNS UPDATE protocol (RFC 2136)
> alongside their own JSON API.
>
> The JSON API is a superset of the DNS UPDATE protocol because it allows
> adding zones but still, a standard protocol would mean that a standard client
> (possibly a guest OS inside a VM) can update its records without any
> OpenStack dependency, which is very much desirable.
>
> The use case here is to allow the guest OS to publish its SSH key (which was
> generated inside the VM after first boot) to prevent man-in-the-middle
> attacks. The same goes for all other sorts of DANE/DNSSEC data or service
> discovery using DNS, where a guest/container running a distributed service
> can publish its existence in DNS.
>
> DNS UPDATE supports GSS(API) for authentication via RFC 3007 and that is
> widely supported, too.
>
> So DNS UPDATE is my biggest wish :-)
>

Ok. There was a Designate blueprint for such a feature, but I can't find it
and neither can the Designate guys. There is a mention of nsupdate in the
minidns blueprint, but that's about it. The fact that Designate upstream
can't find the bp suggests that this is not a high priority for them and that
they will likely not implement it on their own, i.e. we would have to
contribute this feature.

If Designate had such a feature, how would this help us integrate FreeIPA
with Designate?

From rmeggins at redhat.com Wed Jul 8 18:45:11 2015
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 08 Jul 2015 12:45:11 -0600
Subject: [Freeipa-devel] How to support Designate?
In-Reply-To: <559D6455.4040704@redhat.com>
References: <5593FC83.8030504@redhat.com> <559402F9.1000708@redhat.com> <5594034B.9040706@redhat.com> <559CFBF6.6000109@redhat.com> <559D3D6A.5020106@redhat.com> <559D4BB8.6080407@redhat.com> <559D6455.4040704@redhat.com>
Message-ID: <559D6FB7.4030105@redhat.com>

On 07/08/2015 11:56 AM, Rich Megginson wrote:
> On 07/08/2015 10:11 AM, Petr Spacek wrote:
>> On 8.7.2015 17:10, Rich Megginson wrote:
>>> On 07/08/2015 04:31 AM, Petr Spacek wrote:
>>>> On 1.7.2015 17:12, Rich Megginson wrote:
>>>>> On 07/01/2015 09:10 AM, Petr Spacek wrote:
>>>>>> On 1.7.2015 16:43, Rich Megginson wrote:
>>>>>>> How much work would it be to support IPA as an AXFR/IXFR client or
>>>>>>> server with Designate? Right now, their miniDNS component only
>>>>>>> supports being a master and sending updates via AXFR, but they have
>>>>>>> IXFR support planned.
>>>>>> I need to read more about it. Could you please point me to some
>>>>>> comprehensive docs about Designate?
>>>>>>
>>>>>> Thanks!
>>>>>>
>>>>> http://docs.openstack.org/developer/designate/architecture.html
>>>> Designate in setups with mini-DNS acts as DNS master server, i.e. the
>>>> only source of DNS data/truth. Currently FreeIPA can act only as master,
>>>> too, which is not possible.
>>> By "master" do you mean "unable to accept AXFR/IXFR from another server"?
>> Sort of. DNS is conceptually built around the concept of a single
>> authoritative database hosted on the Primary Master server. The database is
>> then transferred using AXFR to Slave servers, which are read-only (and can
>> forward update requests to the Primary Master).
>>
>> See http://tools.ietf.org/html/rfc2136#section-1
>>
>> The Primary Master server is the place where changes are made. There is by
>> definition only one primary master server per zone, so FreeIPA and Designate
>> cannot be Primary Masters at the same time.
>>
>> We need to decide who is going to have control over the data.
>>
>>>> I can see several alternatives:
>>>>
>>>> A) Add support for slave zones to FreeIPA.
>>>> It should be relatively easy and I guess doable in the Fedora 23 time
>>>> frame if it gets appropriate priority.
>>>>
>>>> For plain/insecure DNS zones it will allow us to use FreeIPA in place of
>>>> any other DNS server but the added value will be negligible because
>>>> FreeIPA acting as a slave cannot change the data.
>>>>
>>>> The real added value could be the ability of FreeIPA to DNSSEC-sign zones
>>>> and do the DNSSEC key management. I believe that we should be able to
>>>> re-use machinery we implemented for master zones in FreeIPA so DNSSEC
>>>> signing for slave zones should be almost 'for free'.
>>>>
>>>> When implemented, FreeIPA could become the easiest way to secure DNS in
>>>> Designate with DNSSEC technology even in cases where all the data are
>>>> managed by the Designate API.
>>> This sounds interesting. This seems like it would fit in with the typical
>>> OpenStack use case - create a new host, assign it a hostname in a sub-zone.
>> To be sure we understood each other:
>> In the scenarios where FreeIPA acts as Slave server, the change is done in
>> Designate and then a new version of the DNS zone is transferred to FreeIPA.
>> After that FreeIPA can DNSSEC-sign the zone and serve the signed version to
>> the clients.
>>
>>
>>>> B) We can avoid implementing slave zones by using 'agent':
>>>> http://docs.openstack.org/developer/designate/glossary.html
>>>>
>>>> If I'm not mistaken, this is what you implemented last year.
>>> I implemented support in Designate for a FreeIPA backend which used the
>>> JSON HTTPS API to send updates from Designate to FreeIPA.
>>> Designate has deprecated support for backends.
>>>
>>> The agent approach is basically putting a "mini-DNS"-like daemon on each
>>> system which can accept AXFR from Designate. This agent would then use the
>>> backend code I developed to send the data to FreeIPA.
>> Wow, that is a lot of complexity. I suspect that something like this is
>> already implemented in dnssyncd written by Martin Basti:
>> https://github.com/bastiak/dnssyncd

How does this work? Does it receive zone transfer (AXFR? IXFR?) from a DNS
master, then update LDAP with those records?

>>
>> Anyway, I do not see any value in doing so in this particular scenario.
>> Designate would be the authoritative source of data (Primary Master) so from
>> a functional point of view it would be the same as (or worse than) variant
>> (A), just with more code and more error-prone.
>>
>>
>>>> C) We can say that combining FreeIPA DNS and Designate does not make
>>>> sense and drop what you did last year.
>>> It was already dropped when the backend approach was deprecated.
>>>
>>>> In the current architecture it really does not add any value *unless* we
>>>> add DNSSEC to the mix.
>>>>
>>>>
>>>> D) Integrate IPA installers with the Designate API.
>>>> This is somehow complementary to variants A (and C) and would allow us to
>>>> automatically add DNS records required by FreeIPA to Designate during
>>>> FreeIPA installation and replica management.
>>> I wrote a script (ipaextractor.py) that will extract DNS data from FreeIPA
>>> and store it in Designate. That would be a good place to start.
>> Generally FreeIPA should integrate with other DNS server implementations in
>> a way similar to this:
>> https://fedorahosted.org/freeipa/ticket/4424
>> http://www.freeipa.org/page/V4/External_DNS_integration_with_installer
>>
>> Hopefully the 4.3 timeframe will allow us to work on that.
>>
>>>> In my opinion variants A+D are the best way to move forward. What do you
>>>> think?
>>>>
>>> If we could change Designate in some way to work better with FreeIPA, what
>>> would you propose?
>> How much can we change? :-D I liked the original architecture where
>> Designate just 'proxied' change requests to DNS implementations/backends.
>
> Me too, but we didn't/don't have much say in the direction/design that
> Designate takes . . .
>
>>
>> Assuming that Designate wants to own DNS and be Primary Master, it would be
>> awesome if they could support the standard DNS UPDATE protocol (RFC 2136)
>> alongside their own JSON API.
>>
>> The JSON API is a superset of the DNS UPDATE protocol because it allows
>> adding zones but still, a standard protocol would mean that a standard client
>> (possibly a guest OS inside a VM) can update its records without any
>> OpenStack dependency, which is very much desirable.
>>
>> The use case here is to allow the guest OS to publish its SSH key (which was
>> generated inside the VM after first boot) to prevent man-in-the-middle
>> attacks. The same goes for all other sorts of DANE/DNSSEC data or service
>> discovery using DNS, where a guest/container running a distributed service
>> can publish its existence in DNS.
>>
>> DNS UPDATE supports GSS(API) for authentication via RFC 3007 and that is
>> widely supported, too.
>>
>> So DNS UPDATE is my biggest wish :-)
>>
> Ok. There was a Designate blueprint for such a feature, but I can't find it
> and neither can the Designate guys. There is a mention of nsupdate in the
> minidns blueprint, but that's about it. The fact that Designate upstream
> can't find the bp suggests that this is not a high priority for them and that
> they will likely not implement it on their own, i.e. we would have to
> contribute this feature.
>
> If Designate had such a feature, how would this help us integrate FreeIPA
> with Designate?
>
>

From pvoborni at redhat.com Wed Jul 8 22:28:55 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 9 Jul 2015 00:28:55 +0200
Subject: [Freeipa-devel] [PATCH] 897 fix error message when certificate CN is invalid
Message-ID: <559DA427.2080504@redhat.com>

The error message was probably copied from the mail address check below.

-- 
Petr Vobornik

[Attachment: freeipa-pvoborni-0897-fix-error-message-when-certificate-CN-is-invalid.patch (text/x-patch, 1047 bytes)]

From pvoborni at redhat.com Wed Jul 8 22:35:56 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 9 Jul 2015 00:35:56 +0200
Subject: [Freeipa-devel] [PATCH] 898-900 webui: user and multiple certs improvements
Message-ID: <559DA5CC.1010903@redhat.com>

== [PATCH] 898 webui: cert-request improvements ==
Certificate request action and dialog now support 'profile_id', 'add' and
'principal' options. 'add' and 'principal' are displayed only if the
certificate is added from the certificate search facet.

Certificate search facet allows adding a certificate.

User details facet allows adding a certificate.

part of
https://fedorahosted.org/freeipa/ticket/5046

== [PATCH] 899 webui: show multiple cert ==
New certificate widget which replaced the certificate status widget.

It can display multiple certs. The drawback is that it cannot display if
the certificate was revoked. Web UI does not have the information.

part of: https://fedorahosted.org/freeipa/ticket/5045

== [PATCH] 900 webui: remove cert manipulation actions from host and service ==
Remove
* cert_view
* cert_get
* cert_revoke
* cert_restore

These actions require a serial number which is not provided to Web UI if
multiple certificates are present.

As an alternative to patch 900 we could also provide the original interface
if there is only one cert and hide the actions if there are multiple certs.

note: {user|host|service}-{add|remove}_cert command support is still missing.

-- 
Petr Vobornik

[Attachment: freeipa-pvoborni-0900-webui-remove-cert-manipulation-actions-from-host-and.patch (text/x-patch, 2386 bytes)]
[Attachment: freeipa-pvoborni-0899-webui-show-multiple-cert.patch (text/x-patch, 9407 bytes)]
[Attachment: freeipa-pvoborni-0898-webui-cert-request-improvements.patch (text/x-patch, 21107 bytes)]

From pvoborni at redhat.com Thu Jul 9 08:37:57 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 9 Jul 2015 10:37:57 +0200
Subject: [Freeipa-devel] [RFC] Community Portal - Where to go next?
In-Reply-To: <55960F85.2040801@redhat.com>
References: <559599F0.8040408@redhat.com> <55960F85.2040801@redhat.com>
Message-ID: <559E32E5.8070904@redhat.com>

On 07/03/2015 06:28 AM, David Kupka wrote:
> On 02/07/15 22:07, Drew Erny wrote:
>> Hi, all,
>>
>> The core functionality of the community portal is more-or-less complete.
>> In a local development environment, you can go to a web page, put in
>> information, and have that information reflected in the FreeIPA server.
>> There's definitely some polishing needed (for example, there is no
>> styling to the web pages), but the core functionality is all there.
>>
>> What I need now is for someone to go through the source code, which can
>> be found at github.com/dperny/freeipa-communityportal, and let me know
>> if everything seems sound and sane.
>>
>> I also, perhaps more importantly, need some help on where to go with
>> this next. The core functionality is all there, but how I'm going to
>> deploy this to a live environment is still a bit hazy where I should
>> start to make that happen. There are many ways to deploy a cherrypy web
>> application, and I'm not sure which path is best. Or, if deployment
>> isn't important yet at this stage in the prototype, what should I focus
>> my efforts on now?
>>
>> Thanks,
>>
>> Drew Erny
>>
>
> Hi Drew,
> when all the core functionality is done and ready then polish it, pack
> it, ship it :-)
>
> IIUC, the community portal is a part of WebUI so I would package it
> together, iow in freeipa-server. Or create another package depending on
> freeipa-server.
>

IIRC we discussed it and agreed that it will be a separate application.

I think that it would be nice to deploy it on OpenShift v3.

-- 
Petr Vobornik

From mbasti at redhat.com Thu Jul 9 08:54:13 2015
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 9 Jul 2015 10:54:13 +0200
Subject: [Freeipa-devel] [PATCH] 898-900 webui: user and multiple certs improvements
In-Reply-To: <559DA5CC.1010903@redhat.com>
References: <559DA5CC.1010903@redhat.com>
Message-ID: <559E36B5.9000701@redhat.com>

On 09/07/15 00:35, Petr Vobornik wrote:
> == [PATCH] 898 webui: cert-request improvements ==
> Certificate request action and dialog now support 'profile_id',
> 'add' and 'principal' options. 'add' and 'principal' are displayed
> only if the certificate is added from the certificate search facet.
>
> Certificate search facet allows adding a certificate.
>
> User details facet allows adding a certificate.
>
> part of
> https://fedorahosted.org/freeipa/ticket/5046
>
> == [PATCH] 899 webui: show multiple cert ==
> New certificate widget which replaced the certificate status widget.
>
> It can display multiple certs. The drawback is that it cannot display
> if the certificate was revoked. Web UI does not have the information.
>
> part of: https://fedorahosted.org/freeipa/ticket/5045
>
> == [PATCH] 900 webui: remove cert manipulation actions from host and
> service ==
> Remove
> * cert_view
> * cert_get
> * cert_revoke
> * cert_restore
>
> These actions require a serial number which is not provided to Web UI if
> multiple certificates are present.
>
> As an alternative to patch 900 we could also provide the original
> interface if there is only one cert and hide the actions if there are
> multiple certs.
>
> note: {user|host|service}-{add|remove}_cert command support is still
> missing.
>
>
ACK

-- 
Martin Basti

From pvoborni at redhat.com Thu Jul 9 08:59:27 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 9 Jul 2015 10:59:27 +0200
Subject: [Freeipa-devel] [PATCH] 898-900 webui: user and multiple certs improvements
In-Reply-To: <559E36B5.9000701@redhat.com>
References: <559DA5CC.1010903@redhat.com> <559E36B5.9000701@redhat.com>
Message-ID: <559E37EF.5020107@redhat.com>

On 07/09/2015 10:54 AM, Martin Basti wrote:
> On 09/07/15 00:35, Petr Vobornik wrote:
>> == [PATCH] 898 webui: cert-request improvements ==
>> Certificate request action and dialog now support 'profile_id',
>> 'add' and 'principal' options. 'add' and 'principal' are displayed
>> only if the certificate is added from the certificate search facet.
>>
>> Certificate search facet allows adding a certificate.
>>
>> User details facet allows adding a certificate.
>>
>> part of
>> https://fedorahosted.org/freeipa/ticket/5046
>>
>> == [PATCH] 899 webui: show multiple cert ==
>> New certificate widget which replaced the certificate status widget.
>>
>> It can display multiple certs. The drawback is that it cannot display
>> if the certificate was revoked. Web UI does not have the information.
>>
>> part of: https://fedorahosted.org/freeipa/ticket/5045
>>
>> == [PATCH] 900 webui: remove cert manipulation actions from host and
>> service ==
>> Remove
>> * cert_view
>> * cert_get
>> * cert_revoke
>> * cert_restore
>>
>> These actions require a serial number which is not provided to Web UI if
>> multiple certificates are present.
>>
>> As an alternative to patch 900 we could also provide the original
>> interface if there is only one cert and hide the actions if there are
>> multiple certs.
>>
>> note: {user|host|service}-{add|remove}_cert command support is still
>> missing.
>>
>>
> ACK
>

pushed to master:
* 7c481b1e90dbb6821b71707c4012b3857adb84e2 webui: cert-request improvements
* cf8b56cc75af43a26f1bd7fadb29a2ab0dd64633 webui: show multiple cert
* 0b943f3ce9cb70fa8b68aa44ec525d50604b84a2 webui: remove cert manipulation actions from host and service

-- 
Petr Vobornik

From dkupka at redhat.com Thu Jul 9 09:21:22 2015
From: dkupka at redhat.com (David Kupka)
Date: Thu, 9 Jul 2015 11:21:22 +0200
Subject: [Freeipa-devel] [PATCH] 897 fix error message when certificate CN is invalid
In-Reply-To: <559DA427.2080504@redhat.com>
References: <559DA427.2080504@redhat.com>
Message-ID: <559E3D12.9080607@redhat.com>

On 09/07/15 00:28, Petr Vobornik wrote:
> The error message was probably copied from the mail address check below.
>
>
ACK.

-- 
David Kupka

From pvoborni at redhat.com Thu Jul 9 09:59:44 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 9 Jul 2015 11:59:44 +0200
Subject: [Freeipa-devel] [PATCH] 897 fix error message when certificate CN is invalid
In-Reply-To: <559E3D12.9080607@redhat.com>
References: <559DA427.2080504@redhat.com> <559E3D12.9080607@redhat.com>
Message-ID: <559E4610.6020104@redhat.com>

On 07/09/2015 11:21 AM, David Kupka wrote:
> On 09/07/15 00:28, Petr Vobornik wrote:
>> The error message was probably copied from the mail address check below.
>>
>>
> ACK.
>

Pushed to master: f0e88e9b13c0c950cb02f377ac13c8e5b9188a34

-- 
Petr Vobornik

From mbasti at redhat.com Thu Jul 9 10:32:07 2015
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 9 Jul 2015 12:32:07 +0200
Subject: [Freeipa-devel] How to support Designate?
In-Reply-To: <559D6FB7.4030105@redhat.com>
References: <5593FC83.8030504@redhat.com> <559402F9.1000708@redhat.com> <5594034B.9040706@redhat.com> <559CFBF6.6000109@redhat.com> <559D3D6A.5020106@redhat.com> <559D4BB8.6080407@redhat.com> <559D6455.4040704@redhat.com> <559D6FB7.4030105@redhat.com>
Message-ID: <559E4DA7.1090100@redhat.com>

On 08/07/15 20:45, Rich Megginson wrote:
> On 07/08/2015 11:56 AM, Rich Megginson wrote:
>> On 07/08/2015 10:11 AM, Petr Spacek wrote:
>>> On 8.7.2015 17:10, Rich Megginson wrote:
>>>> On 07/08/2015 04:31 AM, Petr Spacek wrote:
>>>>> On 1.7.2015 17:12, Rich Megginson wrote:
>>>>>> On 07/01/2015 09:10 AM, Petr Spacek wrote:
>>>>>>> On 1.7.2015 16:43, Rich Megginson wrote:
>>>>>>>> How much work would it be to support IPA as an AXFR/IXFR client or
>>>>>>>> server with Designate? Right now, their miniDNS component only
>>>>>>>> supports being a master and sending updates via AXFR, but they have
>>>>>>>> IXFR support planned.
>>>>>>> I need to read more about it. Could you please point me to some
>>>>>>> comprehensive docs about Designate?
>>>>>>>
>>>>>>> Thanks!
>>>>>>>
>>>>>> http://docs.openstack.org/developer/designate/architecture.html
>>>>> Designate in setups with mini-DNS acts as DNS master server, i.e. the
>>>>> only source of DNS data/truth. Currently FreeIPA can act only as master,
>>>>> too, which is not possible.
>>>> By "master" do you mean "unable to accept AXFR/IXFR from another server"?
>>> Sort of. DNS is conceptually built around the concept of a single
>>> authoritative database hosted on the Primary Master server. The database is
>>> then transferred using AXFR to Slave servers, which are read-only (and can
>>> forward update requests to the Primary Master).
>>>
>>> See http://tools.ietf.org/html/rfc2136#section-1
>>>
>>> The Primary Master server is the place where changes are made. There is by
>>> definition only one primary master server per zone, so FreeIPA and Designate
>>> cannot be Primary Masters at the same time.
>>>
>>> We need to decide who is going to have control over the data.
>>>
>>>>> I can see several alternatives:
>>>>>
>>>>> A) Add support for slave zones to FreeIPA.
>>>>> It should be relatively easy and I guess doable in the Fedora 23 time
>>>>> frame if it gets appropriate priority.
>>>>>
>>>>> For plain/insecure DNS zones it will allow us to use FreeIPA in place of
>>>>> any other DNS server but the added value will be negligible because
>>>>> FreeIPA acting as a slave cannot change the data.
>>>>>
>>>>> The real added value could be the ability of FreeIPA to DNSSEC-sign zones
>>>>> and do the DNSSEC key management. I believe that we should be able to
>>>>> re-use machinery we implemented for master zones in FreeIPA so DNSSEC
>>>>> signing for slave zones should be almost 'for free'.
>>>>>
>>>>> When implemented, FreeIPA could become the easiest way to secure DNS in
>>>>> Designate with DNSSEC technology even in cases where all the data are
>>>>> managed by the Designate API.
>>>> This sounds interesting. This seems like it would fit in with the typical
>>>> OpenStack use case - create a new host, assign it a hostname in a sub-zone.
>>> To be sure we understood each other:
>>> In the scenarios where FreeIPA acts as Slave server, the change is done in
>>> Designate and then a new version of the DNS zone is transferred to FreeIPA.
>>> After that FreeIPA can DNSSEC-sign the zone and serve the signed version to
>>> the clients.
>>>
>>>
>>>>> B) We can avoid implementing slave zones by using 'agent':
>>>>> http://docs.openstack.org/developer/designate/glossary.html
>>>>>
>>>>> If I'm not mistaken, this is what you implemented last year.
>>>> I implemented support in Designate for a FreeIPA backend which used the
>>>> JSON HTTPS API to send updates from Designate to FreeIPA.
>>>> Designate has deprecated support for backends.
>>>>
>>>> The agent approach is basically putting a "mini-DNS"-like daemon on each
>>>> system which can accept AXFR from Designate. This agent would then use the
>>>> backend code I developed to send the data to FreeIPA.
>>> Wow, that is a lot of complexity. I suspect that something like this is
>>> already implemented in dnssyncd written by Martin Basti:
>>> https://github.com/bastiak/dnssyncd
>
> How does this work? Does it receive zone transfer (AXFR? IXFR?) from a DNS
> master, then update LDAP with those records?

It receives AXFR/IXFR, Notify from DNS master, and updates data by Dynamic
DNS. You can write your own plugin for it to support any DNS server/backend.
But it is a proof of concept; it is not rock stable.

Martin

>
>>>
>>> Anyway, I do not see any value in doing so in this particular scenario.
>>> Designate would be the authoritative source of data (Primary Master) so from
>>> a functional point of view it would be the same as (or worse than) variant
>>> (A), just with more code and more error-prone.
>>>
>>>
>>>>> C) We can say that combining FreeIPA DNS and Designate does not make
>>>>> sense and drop what you did last year.
>>>> It was already dropped when the backend approach was deprecated.
>>>>
>>>>> In the current architecture it really does not add any value *unless* we
>>>>> add DNSSEC to the mix.
>>>>>
>>>>>
>>>>> D) Integrate IPA installers with the Designate API.
>>>>> This is somehow complementary to variants A (and C) and would allow us to
>>>>> automatically add DNS records required by FreeIPA to Designate during
>>>>> FreeIPA installation and replica management.
>>>> I wrote a script (ipaextractor.py) that will extract DNS data from FreeIPA
>>>> and store it in Designate. That would be a good place to start.
>>> Generally FreeIPA should integrate with other DNS server implementations in
>>> a way similar to this:
>>> https://fedorahosted.org/freeipa/ticket/4424
>>> http://www.freeipa.org/page/V4/External_DNS_integration_with_installer
>>>
>>> Hopefully the 4.3 timeframe will allow us to work on that.
>>>
>>>>> In my opinion variants A+D are the best way to move forward. What do you
>>>>> think?
>>>>>
>>>> If we could change Designate in some way to work better with FreeIPA, what
>>>> would you propose?
>>> How much can we change? :-D I liked the original architecture where
>>> Designate just 'proxied' change requests to DNS implementations/backends.
>>
>> Me too, but we didn't/don't have much say in the direction/design that
>> Designate takes . . .
>>
>>>
>>> Assuming that Designate wants to own DNS and be Primary Master, it would be
>>> awesome if they could support the standard DNS UPDATE protocol (RFC 2136)
>>> alongside their own JSON API.
>>>
>>> The JSON API is a superset of the DNS UPDATE protocol because it allows
>>> adding zones but still, a standard protocol would mean that a standard client
>>> (possibly a guest OS inside a VM) can update its records without any
>>> OpenStack dependency, which is very much desirable.
>>>
>>> The use case here is to allow the guest OS to publish its SSH key (which was
>>> generated inside the VM after first boot) to prevent man-in-the-middle
>>> attacks. The same goes for all other sorts of DANE/DNSSEC data or service
>>> discovery using DNS, where a guest/container running a distributed service
>>> can publish its existence in DNS.
>>>
>>> DNS UPDATE supports GSS(API) for authentication via RFC 3007 and that is
>>> widely supported, too.
>>>
>>> So DNS UPDATE is my biggest wish :-)
>>>
>> Ok. There was a Designate blueprint for such a feature, but I can't find it
>> and neither can the Designate guys. There is a mention of nsupdate in the
>> minidns blueprint, but that's about it. The fact that Designate upstream
>> can't find the bp suggests that this is not a high priority for them and that
>> they will likely not implement it on their own, i.e. we would have to
>> contribute this feature.
>>
>> If Designate had such a feature, how would this help us integrate FreeIPA
>> with Designate?
>>
>>
>

-- 
Martin Basti

From pvoborni at redhat.com Thu Jul 9 10:36:09 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 9 Jul 2015 12:36:09 +0200
Subject: [Freeipa-devel] Notice: release-4-2-0 was tagged, ipa-4-2 branch created
Message-ID: <559E4E99.3000600@redhat.com>

-- 
Petr Vobornik

From pvoborni at redhat.com Thu Jul 9 10:36:46 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 9 Jul 2015 12:36:46 +0200
Subject: [Freeipa-devel] [PATCH] 901 Bump 4.3 development version to 4.2.90
Message-ID: <559E4EBE.5010405@redhat.com>

-- 
Petr Vobornik

[Attachment: freeipa-pvoborni-0901-Bump-4.3-development-version-to-4.2.90.patch (text/x-patch, 724 bytes)]

From tbabej at redhat.com Thu Jul 9 11:08:12 2015
From: tbabej at redhat.com (Tomas Babej)
Date: Thu, 09 Jul 2015 13:08:12 +0200
Subject: [Freeipa-devel] [PATCH] 901 Bump 4.3 development version to 4.2.90
In-Reply-To: <559E4EBE.5010405@redhat.com>
References: <559E4EBE.5010405@redhat.com>
Message-ID: <559E561C.2060603@redhat.com>

On 07/09/2015 12:36 PM, Petr Vobornik wrote:
>
>
>
ACK, pushed to master: 0569910fead3b33a0806b216823738cf17283108

From vkabatov at redhat.com Thu Jul 9 11:49:57 2015
From: vkabatov at redhat.com (Veronika Kabatova)
Date: Thu, 9 Jul 2015 07:49:57 -0400 (EDT)
Subject: [Freeipa-devel] [PATCH] 0001 Enhance the DNSNotARecordError message
In-Reply-To: <2086418290.5869279.1436442330324.JavaMail.zimbra@redhat.com>
Message-ID: <477458039.5870245.1436442597119.JavaMail.zimbra@redhat.com>

The attached patch solves the ticket.

Veronika Kabatova
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-veruu-0001-Enhance-the-DNSNotARecordError-message.patch
Type: text/x-patch
Size: 1272 bytes
Desc: not available
URL:

From mbasti at redhat.com Thu Jul 9 11:50:12 2015
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 9 Jul 2015 13:50:12 +0200
Subject: [Freeipa-devel] [PATCHES 0279-0280] Backport index fixes into IPA 4.1
Message-ID: <559E5FF4.8020308@redhat.com>

Backport the following commits into IPA 4-1:
57fba7a56f88c517b3ebb03842f1cc18bc129ebb
16f47ed4520d4f89db39d1dc58be7a8efb1d8612

Patches attached.

-- 
Martin Basti
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0279-Fix-indicies-ntUserDomainId-ntUniqueId.patch
Type: text/x-patch
Size: 2015 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0280-Server-Upgrade-fix-memberUid-index.patch
Type: text/x-patch
Size: 918 bytes
Desc: not available
URL:

From mbasti at redhat.com Thu Jul 9 14:55:22 2015
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 9 Jul 2015 16:55:22 +0200
Subject: [Freeipa-devel] [PATCH 0281] Validate adding a privilege to a permission
Message-ID: <559E8B5A.5040909@redhat.com>

https://fedorahosted.org/freeipa/ticket/5075

Patch attached.

-- 
Martin Basti
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0281-Validate-adding-privilege-to-a-permission.patch
Type: text/x-patch
Size: 5217 bytes
Desc: not available
URL:

From mbasti at redhat.com Thu Jul 9 15:21:24 2015
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 9 Jul 2015 17:21:24 +0200
Subject: [Freeipa-devel] [PATCH 0282] Prevent to rename certprofile profile id
Message-ID: <559E9174.4000305@redhat.com>

https://fedorahosted.org/freeipa/ticket/5074

Patch attached.

-- 
Martin Basti
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0282-Prevent-to-rename-certprofile-profile-id.patch
Type: text/x-patch
Size: 1052 bytes
Desc: not available
URL:

From jcholast at redhat.com Fri Jul 10 05:29:40 2015
From: jcholast at redhat.com (Jan Cholasta)
Date: Fri, 10 Jul 2015 07:29:40 +0200
Subject: [Freeipa-devel] [PATCH 0282] Prevent to rename certprofile profile id
In-Reply-To: <559E9174.4000305@redhat.com>
References: <559E9174.4000305@redhat.com>
Message-ID: <559F5844.1030109@redhat.com>

Hi,

On 9.7.2015 at 17:21, Martin Basti wrote:
> https://fedorahosted.org/freeipa/ticket/5074
>
> Patch attached.

NACK, you should remove the --rename option from certprofile-mod. You can do it by removing "rdn_is_primary_key = True" from certprofile.

Honza

-- 
Jan Cholasta

From jcholast at redhat.com Fri Jul 10 05:32:19 2015
From: jcholast at redhat.com (Jan Cholasta)
Date: Fri, 10 Jul 2015 07:32:19 +0200
Subject: [Freeipa-devel] [PATCH 0281] Validate adding a privilege to a permission
In-Reply-To: <559E8B5A.5040909@redhat.com>
References: <559E8B5A.5040909@redhat.com>
Message-ID: <559F58E3.5000405@redhat.com>

Hi,

On 9.7.2015 at 16:55, Martin Basti wrote:
> https://fedorahosted.org/freeipa/ticket/5075
>
> Patch attached.

The check is very plugin-specific, so I don't think it should be in ipalib.util. You can keep it in privilege and import it from there in permission just fine.

Honza

-- 
Jan Cholasta

From pvoborni at redhat.com Fri Jul 10 08:26:11 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Fri, 10 Jul 2015 10:26:11 +0200
Subject: [Freeipa-devel] Announcing FreeIPA 4.2.0
Message-ID: <559F81A3.3010708@redhat.com>

The FreeIPA team is proud to announce the FreeIPA v4.2.0 release!

It can be downloaded from http://www.freeipa.org/page/Downloads. The builds for Fedora 22 and Fedora Rawhide will be available in the official COPR repository .

This announcement with additional ticket and design page links is available at .

== Highlights in 4.2 ==

=== Enhancements ===

* Support for multiple certificate profiles, including support for user certificates. The profiles are now replicated between FreeIPA servers to have a consistent state for all certificate creation requests. The certificate submission requests are authorized by the new CA ACL rules
* Support One-Way Trust to Active Directory
* User life-cycle management - add inactive stage users using the UI or LDAP interface and have them moved to active users by a single command. Deleted users can now also be moved - 'preserved' - to a special tree and re-activated when the user returns, preserving its UID/GID
* Support for the Password Vault (KRA) component of PKI for storing user or service secrets. All encrypted with public key cryptography so that even the FreeIPA server does not know the secrets!
* Datepicker is now used for datetime fields in the Web UI
* Upgrade process was overhauled. There is now a single upgrade tool ('ipa-server-upgrade') providing a simplified interface for upgrading the FreeIPA server. See details in a separate subsection.
* Service constrained delegation rules can now be added by UI and CLI
* FreeIPA Web UI now provides an API browser and documentation. See 'IPA Server' - 'API Browser' tab
* Access control instructions were updated so that hosts can create their own services
* FreeIPA server now offers Kerberos over HTTP (kdcproxy) as a service
* FreeIPA Web Server no longer uses the deprecated 'mod_auth_kerb' but switched to the modern 'mod_auth_gssapi'
* New automated migration tool from winsync to 'ID Views'
* 'migrate-ds' command can now search the migrated users and groups with different scope
* DNSSEC integration was improved and FreeIPA server is configured to do DNSSEC validation by default. This might potentially affect installations which did not follow the Deployment Recommendations for DNS (Deployment_Recommendations#DNS).
* 'ipa migrate-ds' command can now run with different search scopes
* And many other small improvements or bug fixes!

=== Changes to upgrade ===

The server still upgrades automatically during RPM update. However, 'ipactl start' now verifies that the server was really upgraded before starting FreeIPA, to prevent running upgraded bits on old data when 'ipa-server-upgrade' was not run during RPM update (for example during a FedUp Fedora upgrade).

The format of update files (files in '/usr/share/ipa/updates/') was changed. Namely:
* Updates are not merged, update files are applied one at a time
* Update entries no longer support CSV - commas can now be freely used in the added attributes
* Updates can now use base64 values
* Update plugins are now not run automatically, but when referenced from update files ('plugin: ')

== Upgrading ==

Upgrade instructions are available on the Upgrade page.

== Feedback ==

Please provide comments, bugs and other feedback via the freeipa-users mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or the #freeipa channel on Freenode.
== Detailed Changelog since 4.1 ==

=== Ade Lee (3) ===
* Add a KRA to IPA
* Add man page for ipa-kra-install
* Re-enable uninstall feature for ipa-kra-install

=== Ales 'alich' Marecek (1) ===
* Ipatests DNS SOA Record Maintenance

=== Alexander Bokovoy (21) ===
* Add ipaSshPubkey and gidNumber to the ACI to read ID user overrides
* Update slapi-nis dependency to pull 0.54.1
* AD trust: improve trust validation
* Support Samba PASSDB 0.2.0 aka interface version 24
* ipa-cldap: support NETLOGON_NT_VERSION_5EX_WITH_IP properly
* ipa-kdb: when processing transitions, hand over unknown ones to KDC
* ipa-kdb: reject principals from disabled domains as a KDC policy
* fix Makefile.am for daemons
* slapi-nis: require 0.54.2 for CVE-2015-0283 fixes
* ipaserver/dcerpc: Ensure LSA pipe has session key before using it
* ipa-kdb: use proper memory chunk size when moving sids
* ipa-kdb: filter out group membership from MS-PAC for exact SID matches too
* add one-way trust support to ipasam
* ipa-adtrust-install: add IPA master host principal to adtrust agents
* trusts: pass AD DC hostname if specified explicitly
* ipa-sidgen: reduce log level to normal if domain SID is not available
* ipa-adtrust-install: allow configuring of trust agents
* trusts: add support for one-way trust and switch to it by default
* ipa-pwd-extop: expand error message to tell what user is not allowed to fetch keytab
* trusts: add ACIs to allow AD trust agents to fetch cross-realm keytabs
* trust: support retrieving POSIX IDs with one-way trust during trust-add

=== Christian Heimes (4) ===
* Provide Kerberos over HTTP (MS-KKDCP)
* Fix removal of ipa-kdc-proxy.conf symlink
* Fix upgrade of HTTPInstance for KDC Proxy
* Improve error handling in ipa-httpd-kdcproxy

=== David Kupka (27) ===
* Respect UID and GID soft static allocation.
* Stop dirsrv last in ipactl stop.
* Remove unneeded internal methods. Move code to public methods.
* Remove service file even if it isn't link.
* Produce better error in group-add command.
* Fix --{user,group}-ignore-attribute in migration plugin.
* ipa-restore: Check if directory is provided + better errors.
* Fix error message for nonexistent members and add tests.
* Use singular in help metavars + update man pages.
* Always add /etc/hosts record when DNS is being configured.
* Remove ipanttrustauthincoming/ipanttrustauthoutgoing from ipa trust-add output.
* Abort backup restoration on not matching host.
* idviews: Allow setting ssh public key on ipauseroverride-add
* Use IPA CA certificate when available and ignore NO_TLS_LDAP when not.
* Restore default.conf and use it to build API.
* Always reload StateFile before getting or modifying the stored values.
* Remove unused part of ipa.conf.
* Use mod_auth_gssapi instead of mod_auth_kerb.
* Bump ipa.conf version to 17.
* Lint: Skip checking of functions stolen by python-nose.
* Make lint work on Fedora 22.
* Lint: Fix error on pylint-1.3.1 introduced by fix for pylint-1.4.1.
* Do not store state if CA is enabled
* Move CA installation code into single module.
* Use 389-ds centralized scripts.
* upgrade: Raise error when certmonger is not running.
* ipa-replica-prepare: Do not create DNS zone it automatically.

=== Drew Erny (1) ===
* Migration now accepts scope as argument

=== Endi Sukma Dewata (8) ===
* Fixed KRA backend.
* Modified NSSConnection not to shutdown existing database.
* Added vault plugin.
* Added vault-archive and vault-retrieve commands.
* Fixed KRA installation problem.
* Added symmetric and asymmetric vaults.
* Added ipaVaultPublicKey attribute.
* Added vault access control.

=== Francesco Marella (1) ===
* Refactor selinuxenabled check

=== Fraser Tweedale (25) ===
* Support multiple host and service certificates
* Fix certificate management with service-mod
* Install CA with LDAP profiles backend
* Add schema for certificate profiles
* ipa-pki-proxy: provide access to profiles REST API
* Add ACL to allow CA agent to modify profiles
* Add certprofile plugin
* Enable LDAP-based profiles in CA on upgrade
* Import included profiles during install or upgrade
* Add generic split_any_principal method
* Add profile_id parameter to 'request_certificate'
* Add usercertificate attribute to user plugin
* Update cert-request to support user certs and profiles
* Fix certificate subject base
* Import profiles earlier during install
* ipa-pki-proxy: allow certificate and password authentication
* Add CA ACL plugin
* Enforce CA ACLs in cert-request command
* certprofile: fix doc error
* Upgrade CA schema during upgrade
* Migrate CA profiles after enabling LDAPProfileSubsystem
* certprofile: add option to export profile config
* certprofile: add ability to update profile config in Dogtag
* caacl: fix incorrect construction of HbacRequest for hosts
* cert-request: enforce caacl for principals in SAN

=== Gabe Alford (17) ===
* Remove trivial path constants from modules
* ipa-server-install Directory Manager help incorrect
* ipa-managed-entries requires password with bad password
* Update default NTP configuration
* Remove usage of app_PYTHON in ipaserver Makefiles
* Remove dependency on subscription-manager
* Typos in ipa-rmkeytab options help and man page
* permission-add does not prompt for ipapermright in interactive mode
* ipa-replica-prepare should document ipv6 options
* ipatests: Add tests for valid and invalid ipa-advise
* ipa-replica-prepare can only be created on the first master
* Add message for skipping NTP configuration during client install
* Remove unneeded ip-address option in ipa-adtrust-install
* Unsaved changes dialog internally inconsistent
* Allow ipa help command to run when ipa-client-install is not configured
* Do not print traceback when pipe is broken
* Clear SSSD caches when uninstalling the client

=== Jan Cholasta (109) ===
* Do not crash in CAInstance.__init__ when default argument values are used
* Fix certmonger configuration in installer code
* Do not check if port 8443 is available in step 2 of external CA install
* Handle profile changes in dogtag-ipa-ca-renew-agent
* Do not wait for new CA certificate to appear in LDAP in ipa-certupdate
* Fail if certmonger can't see new CA certificate in LDAP in ipa-cacert-manage
* Fix possible NULL dereference in ipa-kdb
* Fix memory leaks in ipa-extdom-extop
* Fix various bugs in ipa-opt-counter and ipa-otp-lasttoken
* Fix memory leak in ipa-pwd-extop
* Fix memory leaks in ipa-join
* Fix various bugs in ipap11helper
* Fix CA certificate backup and restore
* Fix wrong expiration date on renewed IPA CA certificates
* Restore file extended attributes and SELinux context in ipa-restore
* Use correct service name in cainstance.backup_config
* Stop tracking certificates before restoring them in ipa-restore
* Remove redefinition of LOG from ipa-otp-lasttoken
* Unload P11_Helper object's library when it is finalized in ipap11helper
* Fix Kerberos error handling in ipa-sam
* Fix unchecked return value in ipa-kdb
* Fix unchecked return values in ipa-winsync
* Fix unchecked return value in ipa-join
* Fix unchecked return value in krb5 common utils
* Fix memory leak in GetKeytabControl asn1 code
* Add TLS 1.2 to the protocol list in mod_nss config
* Fix automatic CA cert renewal endless loop in dogtag-ipa-ca-renew-agent
* Do not renew the IPA CA cert by serial number in dogtag-ipa-ca-renew-agent
* Improve validation of --instance and --backend options in ipa-restore
* Check subject name encoding in ipa-cacert-manage renew
* Refer the user to freeipa.org when something goes wrong in ipa-cacert-manage
* Fix ipa-restore on systems without IPA installed
* Remove RUV from LDIF files before using them in ipa-restore
* Fix CA certificate renewal syslog alert
* Do not crash on unknown services in installutils.stopped_service
* Restart dogtag when its server certificate is renewed
* Make certificate renewal process synchronized
* Fix validation of ipa-restore options
* Do not assume certmonger is running in httpinstance
* Put LDIF files to their original location in ipa-restore
* Revert "Make all ipatokenTOTP attributes mandatory"
* Create correct log directories during full restore in ipa-restore
* Do not crash when replica is unreachable in ipa-restore
* Bump 389-ds-base and pki-ca dependencies for POODLE fixes
* ipalib: Allow multiple API instances
* ipalib: Move plugin package setup to ipalib-specific API subclass
* advise: Add separate API object for ipa-advise
* ldap2: Use self API instance instead of ipalib.api
* replica-install: Use different API instance for the remote server
* certstore: Make certificate retrieval more robust
* client-install: Do not crash on invalid CA certificate in LDAP
* client: Fix ca_is_enabled calls
* upload_cacrt: Fix empty cACertificate in cn=CAcert
* ldap: Drop python-ldap tuple compatibility
* ldap: Remove unused IPAdmin methods
* ldap: Add connection management to LDAPClient
* ldap: Use LDAPClient connection management in IPAdmin
* ldap: Use LDAPClient connection management in ldap2
* ldap: Add bind and unbind methods to LDAPClient
* ldap: Use LDAPClient bind and unbind methods in IPAdmin
* ldap: Use LDAPClient bind and unbind methods in ldap2
* ldap: Use LDAPClient instead of IPASimpleLDAPObject in ldap2.modify_password
* cainstance: Use LDAPClient instead of IPASimpleLDAPObject
* makeaci: Use LDAPClient instead of IPASimpleLDAPObject
* ldap: Move value encoding from IPASimpleLDAPObject to LDAPClient
* ldap: Use LDAPClient instead of IPASimpleLDAPObject in LDAPEntry
* ldap: Move schema handling from IPASimpleLDAPObject to LDAPClient
* ldap: Use SimpleLDAPObject instead of IPASimpleLDAPObject in LDAPClient
* ldap: Remove IPASimpleLDAPObject
* Fix stop_tracking_certificates call in ipa-restore
* baseldap: Fix possible crash in LDAPObject.handle_duplicate_entry
* client-install: Fix kinits with non-default Kerberos config file
* install: Make a package out of ipaserver.install.server
* install: Move ipa-server-install code into a module
* install: Move ipa-replica-install code into a module
* install: Move ipa-server-upgrade code into a module
* install: Fix missing variable initialization in replica install
* install: Fix CA-less server install
* install: Fix external CA server install
* install: Move private_ccache from ipaserver to ipapython
* install: Introduce installer framework ipapython.install
* install: Migrate ipa-server-install to the install framework
* install: Handle Knob cli_name and cli_aliases values consistently
* install: Add support for positional arguments in CLI tools
* install: Allow setting usage in CLI tools
* install: Migrate ipa-replica-install to the install framework
* vault: Move vaults to cn=vaults,cn=kra
* install: Initialize API early in server and replica install
* vault: Fix ipa-kra-install
* install: Fix logging setup in server and replica install
* User life cycle: provide preserved user virtual attribute
* install: Fix ipa-replica-install not installing RA cert
* User life cycle: change user-del flags to be CLI-specific
* plugable: Move plugin base class and override logic to API
* ipalib: Load ipaserver plugins when api.env.in_server is True
* ipalib: Move find_modules_in_dir from util to plugable
* plugable: Specify plugins to import in API by module names
* plugable: Load plugins only from modules imported by API
* plugable: Pass API to plugins on initialization rather than using set_api
* plugable: Do not use DictProxy for API
* plugable: Lock API on finalization rather than on initialization
* ipaplatform: Do not use MagicDict for KnownServices
* plugable: Remove SetProxy, DictProxy and MagicDict
* plugable: Change is_production_mode to method of API
* plugable: Specify plugin base classes and modules using API properties
* plugable: Remove unused call method of Plugin
* replica prepare: Do not use entry after disconnecting from LDAP
* ipalib: Fix skip_version_check option
* spec file: Update minimal versions of required packages

=== Jan Pazdziora (1) ===
* No explicit zone specification.

=== Lenka Ryznarova (1) ===
* Test Objectclass of postdetach group

=== Ludwig Krispenz (14) ===
* ds plugin - manage replication topology in the shared tree
* install part - manage topology in shared tree
* replica install fails with domain level 1
* accept missing binddn group
* plugin uses 1 as minimum domain level to become active no calculation based on plugin version
* crash when removing a replica
* check for existing and self referential segments
* make sure the agreement rdn match the rdn used in the segment
* v2-reject modifications of endpoints and connectivity of a segment
* correct management of one directional segments
* fix coverity issues
* v2 clear start attr from segment after initialization
* v2 improve processing of invalid data.
* allow deletion of segment if endpoint is not managed

=== Lukáš Slebodník (2) ===
* SPEC: Explicitly requires python-sssdconfig
* SPEC: Require python2 version of sssd bindings

=== Martin Babinsky (43) ===
* Use 'remove-ds.pl' to remove DS instance
* Moved dbus-python dependence to freeipa-python package
* ipa-kdb: unexpected error code in 'ipa_kdb_audit_as_req' triggers a message
* always get PAC for client principal if AS_REQ is true
* ipa-kdb: more robust handling of principal addition/editing
* OTP: failed search for the user of last token emits an error message
* ipa-pwd-extop: added an informational comment about intentional fallthrough
* ipa-uuid: emit a message when unexpected mod type is encountered
* OTP: emit a log message when LDAP entry for config record is not found
* ipa-client-install: put eol character after the last line of altered config file(s)
* migrate-ds: exit with error message if no users/groups to migrate are found
* Changing the token owner changes also the manager
* ipa-dns-install: use STARTTLS to connect to DS
* ipa-dns-install: use LDAPI to connect to DS
* migrate-ds: print out failed attempts when no users/groups are migrated
* show the exception message thrown by dogtag._parse_ca_status during install
* do not log BINDs to non-existent users as errors
* fix improper handling of boolean option in
* proper client host setup/teardown in forced client reenrollment integration test suite
* do not install CA on replica during integration test if setup_ca=False
* ipautil: new functions kinit_keytab and kinit_password
* ipa-client-install: try to get host TGT several times before giving up
* Adopted kinit_keytab and kinit_password for kerberos auth
* use separate ccache filename for each IPA DNSSEC daemon
* point the users to PKI-related logs when CA configuration fails
* suppress errors arising from deleting non-existent files during client uninstall
* prevent duplicate IDs when setting up multiple replicas against single master
* ipa-server-install: deprecate manual setting of master KDC password
* update 'api.env.ca_host' if a different hostname is used during server install
* provide dedicated ccache file for httpd
* move IPA-related http runtime directories to common subdirectory
* explicitly destroy httpd service ccache file during httpinstance removal
* do not check for directory manager password during KRA uninstall
* merge KRA installation machinery to a single module
* KRA: get the right dogtag version during server uninstall
* add DS index for userCertificate attribute
* generalize certificate creation during testing
* ipa-kdb: common function to get key encodings/salt types
* increase NSS memcache timeout for IPA server
* baseldap: add support for API commands managing only a single attribute
* reworked certificate normalization and revocation
* new commands to manage user/host/service certificates
* add option to skip client API version check

=== Martin Bašti (126) ===
* Dogtag 10.2 to spec.file
* Fix dns zonemgr validation regression
* Add bind-dyndb-ldap working dir to IPA specfile
* Fix CI tests: install_adtrust
* Fix upgrade: do not use invalid ldap connection
* Fix: DNS installer adds invalid zonemgr email
* Fix: DNS policy upgrade raises assertion error
* Fix upgrade referint plugin
* Upgrade: fix trusts objectclass violation
* Fix named working directory permissions
* Fix: zonemgr must be unicode value
* Fix warning message should not contain CLI commands
* Show warning instead of error if CA did not start
* Raise right exception if domain name is not valid
* Fix pk11helper module compiler warnings
* Fix: read_ip_addresses should return ipaddr object
* Fix detection of encoding in zonemgr option
* Fix zonemgr option encoding detection
* Throw zonemgr error message before installation proceeds
* Upgrade fix: masking named should be executed only once
* Using wget to get status of CA
* Show SSHFP record containing space in fingerprint
* Fix don't check certificate during getting CA status
* Fix: Upgrade forwardzones zones after adding newer replica
* Fix zone find during forwardzone upgrade
* Fix traceback if zonemgr error contains unicode
* DNS tests: separate current forward zone tests
* New test cases for Forward_zones
* Detect and warn about invalid DNS forward zone configuration
* DNS tests: warning if forward zone is inactive
* Add debug messages into client autodetection
* DNSSEC catch ldap exceptions in ipa-dnskeysyncd
* DNSSEC: fix root zone dns name conversion
* Always return absolute idnsname in dnszone commands
* Use dyndns_update instead of deprecated sssd option
* Fix reference counting in pkcs11 extension
* Prevent install scripts fail silently if timeout exceeded
* Fix warning message on client side
* Fix restoring services status during uninstall
* Fix do not enable service before storing status
* Uninstall configured services only
* Fix saving named restore status
* Migrate uniqueness plugins configuration to new style
* Fix uniqueness plugins
* DNSSEC add support for CKM_RSA_PKCS_OAEP mechanism
* Fix memory leaks in ipap11helper
* Remove unused method from ipap11pkcs helper module
* Remove unused disable-betxn.ldif file
* DNS fix: do not traceback if unsupported records are in LDAP
* DNS fix: do not show part options for unsupported records
* DNS: remove NSEC3PARAM from records
* Fix dead code in ipap11helper module
* Server Upgrade: Remove unused PRE_SCHEMA_UPDATE
* Server Upgrade: do not sort updates by DN
* Server Upgrade: Upgrade one file per time
* Server Upgrade: Set modified to false, before each update
* Server Upgrade: Update entries in order specified in file
* Server Upgrade: order update files by default
* Server Upgrade: respect --test option in plugins
* Server Upgrade: remove --test option
* Server Upgrade: Fix comments
* DNSSEC: Do not log into files
* Fix ldap2 shared connection
* Server Upgrade: use only LDAPI connection
* Server Upgrade: remove unused code in upgrade
* Server Upgrade: Apply plugin updates immediately
* Server Upgrade: specify order of plugins in update files
* Server Upgrade: plugins should use ldapupdater API instance
* Server Upgrade: Handle connection better in updates_from_dict
* Server Upgrade: use ldap2 connection in fix_replica_agreements
* Server Upgrade: restart DS using ipaplatform service
* Server Upgrade: only root can run updates
* DNSSEC CI tests
* ipa client: make --ntp-server option multivalued
* ipa client: use NTP servers detected from SRV
* ipa client: use NTP servers specified by user
* Server Upgrade: ipa-server-upgrade command
* Server Upgrade: Verify version and platform
* Server Upgrade: use ipa-server-upgrade in RPM upgrade
* Server Upgrade: fix a comment in ldapupdater
* move realm_to_serverid to installutils module
* Server Upgrade: use LDIF parser to modify DSE.ldif
* Server Upgrade: enable DS global lock during upgrade
* Server Upgrade: remove CSV from upgrade files
* Server Upgrade: Allow base64 encoded values
* Server Upgrade: fix memberUid index
* Don't use the proxy to check CA status
* Server Upgrade: Do not start DS if it was stopped before upgrade
* Server Upgrade: raise RuntimeError instead exit()
* Server Upgrade: do not allow to run upgradeinstance alone
* Server Upgrade: handle errors better
* Server Upgrade: ipa-ldap-updater will not do overall upgrade
* Server Upgrade: Fix uniqueness plugins
* DNSSEC: FIX Do not re-create kasp.db if already exists
* DNSSEC: update OpenDNSSEC KASP configuration
* DNS install: extract DNS installer into one module
* Pylint: fix false positive warning for domain
* Uid uniqueness: fix: exclude compat tree from uniqueness
* Server Upgrade: wait until DS is ready
* Server Upgrade: Fix: execute schema update
* Server Upgrade: Move code from ipa-upgradeconfig to separate module
* Fix: use DS socket check only for upgrade
* Server Upgrade: fix remove statement
* Installers fix: remove temporal ccache
* ULC: fix: upgrade for stage Stage User Admins failed
* Fix: regression in host and service plugin
* DNSSEC: Improve global forwarders validation
* DNSSEC: validate forward zone forwarders
* Revert 389-DS BuildRequires version to 1.3.3.9
* DNSSEC: fix traceback during shutdown phase
* Server Upgrade: disconnect ldap2 connection before DS restart
* DNS: add UnknownRecord to schema
* ipa-ca-install fix: reconnect ldap2 after DS restart
* Server Upgrade: create default config for NIS Server plugin
* Fix indices ntUserDomainId, ntUniqueId
* Sanitize CA replica install
* DNS: Do not traceback if DNS is not installed
* KRA Install: check replica file if contains req. certificates
* Server Upgrade: use debug log level for upgrade instead of info
* DNSSEC: allow to disable/replace DNSSEC key master
* DNSSEC: update message
* Allow to run subprocess with supplementary groups
* FIX: Clear SSSD caches when uninstalling the client
* Fix regression: ipa-dns-install will add CA records if required
* Upgrade: Do not show upgrade failed message when IPA is not installed
* Fix logging in API

=== Martin Košek (11) ===
* Fix ImportError in ipa-ca-install
* Bump SSSD Requires to 1.12.3
* Fix IPA_BACKUP_DIR path name
* Allow PassSync user to locate and update NT users
* Allow Replication Administrators manipulate Winsync Agreements
* Replication Administrators cannot remove replication agreements
* Add anonymous read ACI for DUA profile
* Print PublicError traceback when in debug mode
* group-detach does not add correct objectclasses
* Remove references to GPL v2.0 license
* Fix typo in ipa-server-upgrade man page

=== Milan Kubík (3) ===
* ipatests: port of p11helper test from github
* Abstract the HostTracker class from host plugin test
* Fix for a typo in certprofile mod command.

=== Nathan Kinder (2) ===
* Timeout when performing time sync during client install
* Skip time sync during client install when using --no-ntp

=== Nathaniel McCallum (15) ===
* Ensure that a password exists after OTP validation
* Improve otptoken help messages
* Ensure users exist when assigning tokens to them
* Enable QR code display by default in otptoken-add
* Catch USBError during YubiKey location
* Preliminary refactoring of libotp files
* Move authentication configuration cache into libotp
* Enable last token deletion when password auth type is configured
* Make token auth and sync windows configurable
* Create an OTP help topic
* Prefer TCP connections to UDP in krb5 clients
* Expose the disabled User Auth Type
* Update python-yubico dependency version
* Fix a signedness bug in OTP code
* Fix OTP token URI generation

=== Petr Viktorin (35) ===
* ipa-restore: Don't crash if AD trust is not installed
* ipaplatform: Use the dirsrv service, not target
* Do not restore SELinux settings that were not backed up
* Add additional backup & restore checks
* tests: Use PEP8-compliant setup/teardown method names
* tests: Add configuration for pytest
* ipatests.util.ClassChecker: Raise AttributeError in get_subcls
* test_automount_plugin: Fix test ordering
* Use setup_class/teardown_class in Declarative tests
* dogtag plugin: Don't use doctest syntax for non-doctest examples
* test_webui: Don't use __init__ for test classes
* test_ipapython: Use functions instead of classes in test generators
* Configure pytest to run doctests
* Declarative tests: Move cleanup to setup_class/teardown_class
* Declarative tests: Switch to pytest
* Integration tests: Port the ordering plugin to pytest
* Switch make-test to pytest
* Add local pytest plugin for --with-xunit and --logging-level
* Switch ipa-run-tests to pytest
* Switch integration testing config to a fixture
* Integration tests: Port the BeakerLib plugin and log collection to pytest
* test_integration: Adjust tests for pytest
*
copy_schema_to_ca: Fallback to old import location for ipaplatform.services * Ignore ipap11helper/setup.py in doctests * test_integration: Use python-pytest-multihost * test_integration: Use collect_log from the host, not the testing class * test_integration: Parametrize test instead of using a generator * ipatests: Use pytest-beakerlib * ipatests: Use pytest-sourceorder * Run pylint on tests * test_host_plugin: Convert tests to imperative style * test_host_plugin: Split tests into independent classes * test_host_plugin: Use HostTracker fixtures * rename_managed: Remove use of EditableDN * Remove Editable DN and DN component classes === Petr Voborn?k (113) === * build: increase java stack size for all arches * ranges: prohibit setting --rid-base with ipa-trust-ad-posix type * unittests: baserid for ipa-ad-trust-posix idranges * ldapupdater: set baserid to 0 for ipa-ad-trust-posix ranges * idrange: include raw range type in output * webui: prohibit setting rid base with ipa-trust-ad-posix type * webui: fix potential XSS vulnerabilities * restore: clear httpd ccache after restore * webui: use domain name instead of domain SID in idrange adder dialog * webui: normalize idview tab labels * webui: add radius fields to user page * fix indentation in ipa-restore page * add --hosts and --hostgroup options to allow/retrieve keytab methods * webui: fix service unprovisioning * webui: increase duration of notification messages * revert removal of cn attribute from idnsRecord * migrate-ds: fix compat plugin check * rpcclient: use json_encode_binary for verbose output * Fix TOTP Synchronization Window label * ipatests: add missing ssh object classes to idoverrideuser * webui: service: add ipakrbrequirespreauth checkbox * webui: unable to select single value in CB by enter key * webui: use no_members option in entity select search * performance: faster DN implementation * speed up convert_attribute_members * speed up indirect member processing * webui: add pwpolicy link to group 
details page if group has associated pwpolicy * webui-ci: do not open 2 browser windows * Update BUILD.txt * allow to call ldap2.destroy_connection multiple times * use Connectible.disconnect() instead of .destroy_connection() * jQuery.ordered_map: faster creation * jQuery.ordered_map: remove map attribute * migrate-ds: optimize adding users to default group * migrate-ds: skip default group option * migrate-ds: remove unused def_group_gid context property * migrate-ds: optimize gid checks by utilizing dictionary nature of set * migrate-ds: log migrated group members only on debug level * cli: differentiate Flag a Bool when autofill is set * webui-ci: fix type error in host_tasks inicializations * webui: update patternfly to v1.1.4 * webui: rename IPA.user_* to IPA.user.* * webui: declare search command options in search facet * webui: register construction spec based on existing spec * webui: entity facets in facet registry * webui: entity menu items navigate to main entity facet * webui: prefer entity fallback in menu item select * webui: navigation: do not remember selected childs of menu item * webui: navigation: unique names on entity facet menu items * webui: metadata validator min and max value overrides * webui: custom facet groups in a facet * webui: facet groups widget * webui: allow to replace facet tabs with sidebar * webui: allow to hide facet tabs or sidebar * webui: facet policies for all facets * webui: stageuser plugin * webui: extend user deleter dialog with --permanent and --preserve options * webui: update stageuser/user pages based on action in diffrent user search page * webui: stageusers, display page elements based on user state * webui: prefer search facet's deleter dialog * webui: fix empty table border in Firefox * webui: option to not create user private group * webui: add boostrap-datepicker files * webui: datetime widget with datepicker * git ignore ipaplatform/__init__.py * server-find and server-show commands * topology: ipa 
management commands * webui: IPA.command_dialog - a new dialog base class * webui: use command_dialog as a base class for password dialog * webui: make usage of --all in details facet optional * webui: topology plugin * webui: configurable refresh command * webui: don't log in back after logout * topology: allow only one node to be specified in topologysegment-refresh * topology: hide topologysuffix-add del mod commands * move replications managers group to cn=sysaccounts,cn=etc,$SUFFIX * add entries required by topology plugin on update * webui: make topology suffices UI readonly * rename topologysegment_refresh to topologysegment_reinitialize * disallow mod of topology segment nodes * topology: restrict direction changes * topology: fix swapped topologysegment-reinitialize behavior * regenerate ACI.txt after stage user permission rename * ipa-replica-manage: Do not allow topology altering commands from DL 1 * server: add "del" command * ipa-replica-manage: adjust del to work with managed topology * webui: adjust user deleter dialog to new api * Become IPA 4.2.0 Alpha 1 * fix handling of ldap.LDAPError in installer * add python-setuptools to requires * fix force-sync, re-initialize of replica and a check for replication agreement existence * topology: check topology in ipa-replica-manage del * Verify replication topology for a suffix * replication: fix regression in get_agreement_type * ipa-replica-manage del: relax segment deletement check if topology is disconnected * ipa-replica-manage del: add timeout to segment removal check * topologysegment: hide direction and enable options * topology: make cn of new segment consistent with topology plugin * include more information in metadata * webui: ListViewWidget * webui: fix webui specific metadata * webui: menu and navigation fixes * webui: API browser * webui: add mangedby tab to otptoken * webui: certificate profiles * webui: caacl * webui: hide facet tab in certificate details facet * move session_logout command 
to ipalib/plugins directory * webui: cert-request improvements * webui: show multiple cert * webui: remove cert manipulation actions from host and service * fix error message when certificate CN is invalid * Become IPA 4.2.0 === Petr ?pa?ek (28) === * Fix zone name to directory name conversion in BINDMgr. * Fix minimal version of BIND for Fedora 20 and 21 * Fix default value type for wait_for_dns option * p11helper: standardize indentation and other visual aspects of the code * p11helper: use sizeof() instead of magic constants * p11helper: clarify error message * Clarify messages related to adding DNS forwarders * Grammar fix in 'Estimated time' messages printed by installer * Clarify host name output in ipa-client-install * Update PKCS#11 mechanism constants for AES key wrapping to PKCS#11 v2.40. * DNSSEC: Detect zone shadowing with incorrect DNSSEC signatures. * Bump run-time requires to SoftHSM 2.0.0rc1. * Improve error messages about reverse address resolution in ipa-replica-prepare * Clarify recommendation about --ip-address option in ipa-replica-prepapre * Clarify error messages in ipa-replica-prepare: add_dns_records() * Hide traceback in ipa-dnskeysyncd if kinit failed. * Bump minimal BIND version for CentOS. * Rate-limit while loop in SystemdService.is_active(). * Add hint how to re-run IPA upgrade. * DNSSEC: Detect invalid master keys in LDAP. * DNSSEC: Accept ipa-ods-exporter commands from command line. * DNSSEC: ipa-ods-exporter: move zone synchronization into separate function * DNSSEC: log ipa-ods-exporter file lock operations into debug log * DNSSEC: Add ability to trigger full data synchronization to ipa-ods-exporter. * DNSSEC: Improve ipa-ods-exporter log messages with key metadata. * DNSSEC: Store time & date key metadata in UTC. * DNSSEC: ipa-dns-install: Detect existing master server sooner. * DNSSEC: Detect attempt to install & disable master at the same time. 
=== Rob Crittenden (5) === * Search using proper scope when connecting CA instances * Use NSS protocol range API to set available TLS protocols * Add plugin to manage service constraint delegations * Add ACI to allow hosts to add their own services * Don't rely on positional arguments for python-kerberos calls === Simo Sorce (14) === * Add UTC date to GIT snapshot version generation * Fix filtering of enctypes in server code. * Add asn1c generated code for keytab controls * Use asn1c helpers to encode/decode the getkeytab control * Stop saving the master key in a stash file * Avoid calling ldap functions without a context * Remove the removal of the ccache * Handle DAL ABI change in MIT 1.13 * Add a clear OpenSSL exception. * Stop including the DES algorythm from openssl. * Detect default encsalts kadmin password change * Add compatibility function for older libkrb5 * Fix s4u2proxy README and add warning * Replicas cannot define their own master password. === Sumit Bose (16) === * ipa-range-check: do not treat missing objects as error * Add configure check for cwrap libraries * extdom: handle ERANGE return code for getXXYYY_r() calls * extdom: make nss buffer configurable * extdom: return LDAP_NO_SUCH_OBJECT to the client * extdom: fix memory leak * extdom: add err_msg member to request context * extdom: add add_err_msg() with test * extdom: add selected error messages * extdom: migrate check-based test to cmocka * extdom: fix wrong realloc size * extdom: add unit-test for get_user_grouplist() * ipa-kdb: convert test to cmocka * ipa-kdb: add unit-test for filter_logon_info() * ipa-kdb: make string_to_sid() and dom_sid_string() more robust * ipa-kdb: add unit_tests for string_to_sid() and dom_sid_string() === Thierry Bordaz (19) === * User Life Cycle: create containers and scoping DS plugins * User Life Cycle: DNA scopes full SUFFIX * Deadlock in schema compat plugin (between automember_update_membership task and dse update) * User Life Cycle: Exclude subtree for 
ipaUniqueID generation * User life cycle: stageuser-add verb * User life cycle: allows MODRDN from ldap2 * User life cycle: new stageuser commands del/mod/find/show * User life cycle: new stageuser commands activate * User life cycle: new stageuser commands activate (provisioning) * User life cycle: user-del supports --permanently, --preserve options and ability to delete deleted user * User life cycle: user-find support finding delete users * User life cycle: support of user-undel * User life cycle: DNA DS plugin should exclude provisioning DIT * User life cycle: Stage user Administrators permission/priviledge * User life cycle: Add 'Stage User Provisioning' permission/priviledge * Stage User: Fix permissions naming and split them where apropriate. * Display the wrong attribute name when mandatory attribute is missing * Limit deadlocks between DS plugin DNA and slapi-nis * User life cycle: permission to delete a preserved user === Thorsten Scherf (4) === * pwpolicy-add: Added better error handling * Add help string on how to configure multiple DNS forwards for various cli tools * Removed recommendation from ipa-adtrust-install * Changed in-tree development setup instructions === Tom?? 
Babej (52) === * Bump 4.2 development version to 4.1.99 * specfile: Add BuildRequires for pki-base 10.2.1-0 * Re-initialize NSS database after otptoken plugin tests * certs: Fix incorrect flag handling in load_cacert * hosts: Display assigned ID view by default in host-find and show commands * ipatests: Increase required version for pytest-multihost plugin * idviews: Complain if host is already assigned the ID View in idview-apply * idviews: Ignore host or hostgroup options set to None * ipatests: Invoke class install methods properly with respect to pytest-multihost * ipatests: Set the correct number of required clients for IntegrationTest * ipatests: Refactor and fix docstrings in integration pytest plugin * baseldap: Handle missing parent objects properly in *-find commands * spec: Add BuildRequires for python-pytest plugins * ipatests: Make descriptions sorted according to the order of the tests * ipatests: Add coverage for referential integrity plugin applied on ipaAssignedIDView * ipatests: Fix old command references in the ID views tests * ipatests: Fix incorrect assumptions in idviews tests * ipapython: Fix incorrect python shebangs * ipatests: Add coverage for adding and removing sshpubkeys in ID overrides * ipalib: Make sure correct attribute name is referenced for fax * idviews: Use case-insensitive detection of Default Trust View * Revert "Server Upgrade: respect --test option in plugins" * replica-manage: Properly delete nested entries * Add Domain Level feature * idviews: Set dcerpc detection flag properly * idviews: Allow users specify the raw anchor directly as identifier * idviews: Remove ID overrides for permanently removed users and groups * ipaplatform: Remove redundant definitions * winsync-migrate: Add initial plumbing * winsync-migrate: Add a way to find all winsync users * migrate-winsync: Create user ID overrides in place of winsynced user entries * migrate-winsync: Add option validation and handling * winsync-migrate: Move the api 
initalization and LDAP connection to the main method * dcerpc: Change logging level for debug information * dcerpc: Add debugging message to failing kinit as http * winsync-migrate: Require root privileges * idviews: Do not abort the find & show commands on conversion errors * winsync-migrate: Require explicit specification of the target server and validate existing agreement * winsync-migrate: Delete winsync agreement prior to migration * winsync-migrate: Rename to tool to achive consistency with other tools * winsync-migrate: Move the tool under ipaserver.install package * winsync-migrate: Include the tool parts in Makefile and friends * idviews: Fallback to AD DC LDAP only if specifically allowed * man: Add manpage for ipa-winsync-migrate * winsync_migrate: Migrate memberships of the winsynced users * winsync_migrate: Generalize membership migration * l10n: Add configuration file for Zanata * l10n: Update translation strings * Hide topology and domainlevel features * dcerpc: Raise ACIError correctly * adtrustinstance: Enable and start oddjobd * upgrade: Enable and start oddjobd if adtrust is available -- Petr Vobornik From mbasti at redhat.com Fri Jul 10 08:43:06 2015 
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 10 Jul 2015 10:43:06 +0200
Subject: [Freeipa-devel] [PATCH 0281] Validate adding a privilege to a permission
In-Reply-To: <559F58E3.5000405@redhat.com>
References: <559E8B5A.5040909@redhat.com> <559F58E3.5000405@redhat.com>
Message-ID: <559F859A.9000503@redhat.com>

On 10/07/15 07:32, Jan Cholasta wrote:
> Hi,
>
> Dne 9.7.2015 v 16:55 Martin Basti napsal(a):
>> https://fedorahosted.org/freeipa/ticket/5075
>>
>> Patch attached.
>
> the check is very plugin-specific, so I don't think it should be in
> ipalib.util. You can keep it in privilege and import it from there in
> permission just fine.
>
> Honza
>
Updated patch attached.

-- 
Martin Basti
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0281.2-Validate-adding-privilege-to-a-permission.patch
Type: text/x-patch
Size: 4742 bytes
Desc: not available
URL: 

From mbasti at redhat.com Fri Jul 10 08:43:32 2015
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 10 Jul 2015 10:43:32 +0200
Subject: [Freeipa-devel] [PATCH 0282] Prevent to rename certprofile profile id
In-Reply-To: <559F5844.1030109@redhat.com>
References: <559E9174.4000305@redhat.com> <559F5844.1030109@redhat.com>
Message-ID: <559F85B4.6010606@redhat.com>

On 10/07/15 07:29, Jan Cholasta wrote:
> Hi,
>
> Dne 9.7.2015 v 17:21 Martin Basti napsal(a):
>> https://fedorahosted.org/freeipa/ticket/5074
>>
>> Patch attached.
>
> NACK, you should remove the --rename option from certprofile-mod. You
> can do it by removing "rdn_is_primary_key = True" from certprofile.
>
> Honza
>
Updated patch attached.

-- 
Martin Basti
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0282.2-Prevent-to-rename-certprofile-profile-id.patch
Type: text/x-patch
Size: 838 bytes
Desc: not available
URL: 

From jcholast at redhat.com Fri Jul 10 08:59:30 2015
From: jcholast at redhat.com (Jan Cholasta)
Date: Fri, 10 Jul 2015 10:59:30 +0200
Subject: [Freeipa-devel] [PATCH 0282] Prevent to rename certprofile profile id
In-Reply-To: <559F85B4.6010606@redhat.com>
References: <559E9174.4000305@redhat.com> <559F5844.1030109@redhat.com> <559F85B4.6010606@redhat.com>
Message-ID: <559F8972.2050806@redhat.com>

Dne 10.7.2015 v 10:43 Martin Basti napsal(a):
> On 10/07/15 07:29, Jan Cholasta wrote:
>> Hi,
>>
>> Dne 9.7.2015 v 17:21 Martin Basti napsal(a):
>>> https://fedorahosted.org/freeipa/ticket/5074
>>>
>>> Patch attached.
>>
>> NACK, you should remove the --rename option from certprofile-mod. You
>> can do it by removing "rdn_is_primary_key = True" from certprofile.
>>
>> Honza
>>
> Updated patch attached.
>

What I meant was remove --rename *and* do the check from your previous
patch.

Anyway, I didn't realize we already released IPA with certprofile and
removing --rename would be a backward incompatible change, so I think
it's better to just keep it.

So ACK on the original patch.

-- 
Jan Cholasta

From jcholast at redhat.com Fri Jul 10 09:01:45 2015
From: jcholast at redhat.com (Jan Cholasta)
Date: Fri, 10 Jul 2015 11:01:45 +0200
Subject: [Freeipa-devel] [PATCH 0282] Prevent to rename certprofile profile id
In-Reply-To: <559F8972.2050806@redhat.com>
References: <559E9174.4000305@redhat.com> <559F5844.1030109@redhat.com> <559F85B4.6010606@redhat.com> <559F8972.2050806@redhat.com>
Message-ID: <559F89F9.5040405@redhat.com>

Dne 10.7.2015 v 10:59 Jan Cholasta napsal(a):
> Dne 10.7.2015 v 10:43 Martin Basti napsal(a):
>> On 10/07/15 07:29, Jan Cholasta wrote:
>>> Hi,
>>>
>>> Dne 9.7.2015 v 17:21 Martin Basti napsal(a):
>>>> https://fedorahosted.org/freeipa/ticket/5074
>>>>
>>>> Patch attached.
>>>
>>> NACK, you should remove the --rename option from certprofile-mod. You
>>> can do it by removing "rdn_is_primary_key = True" from certprofile.
>>>
>>> Honza
>>>
>> Updated patch attached.
>>
>
> What I meant was remove --rename *and* do the check from your previous
> patch.
>
> Anyway, I didn't realize we already released IPA with certprofile and
> removing --rename would be a backward incompatible change, so I think
> it's better to just keep it.
>
> So ACK on the original patch.
>

Pushed to master: 67b2b3408579814f7ff307cfd20bc4250edbea15

-- 
Jan Cholasta

From simo at redhat.com Fri Jul 10 09:10:47 2015
From: simo at redhat.com (Simo Sorce)
Date: Fri, 10 Jul 2015 05:10:47 -0400
Subject: [Freeipa-devel] [PATCH 0282] Prevent to rename certprofile profile id
In-Reply-To: <559F89F9.5040405@redhat.com>
References: <559E9174.4000305@redhat.com> <559F5844.1030109@redhat.com> <559F85B4.6010606@redhat.com> <559F8972.2050806@redhat.com> <559F89F9.5040405@redhat.com>
Message-ID: <1436519447.4097.63.camel@willson.usersys.redhat.com>

On Fri, 2015-07-10 at 11:01 +0200, Jan Cholasta wrote:
> Dne 10.7.2015 v 10:59 Jan Cholasta napsal(a):
> > Dne 10.7.2015 v 10:43 Martin Basti napsal(a):
> >> On 10/07/15 07:29, Jan Cholasta wrote:
> >>> Hi,
> >>>
> >>> Dne 9.7.2015 v 17:21 Martin Basti napsal(a):
> >>>> https://fedorahosted.org/freeipa/ticket/5074
> >>>>
> >>>> Patch attached.
> >>>
> >>> NACK, you should remove the --rename option from certprofile-mod. You
> >>> can do it by removing "rdn_is_primary_key = True" from certprofile.
> >>>
> >>> Honza
> >>>
> >> Updated patch attached.
> >>
> >
> > What I meant was remove --rename *and* do the check from your previous
> > patch.
> >
> > Anyway, I didn't realize we already released IPA with certprofile and
> > removing --rename would be a backward incompatible change, so I think
> > it's better to just keep it.
> >
> > So ACK on the original patch.
> >
>
> Pushed to master: 67b2b3408579814f7ff307cfd20bc4250edbea15

I see no LDAP ACI that prevents a rename though, without that an admin
can simply issue a modrdn operation. If it is critical for us to not
allow renames we should rather have an ACI that prohibits them.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From jcholast at redhat.com Fri Jul 10 09:28:11 2015
From: jcholast at redhat.com (Jan Cholasta)
Date: Fri, 10 Jul 2015 11:28:11 +0200
Subject: [Freeipa-devel] [PATCH 0282] Prevent to rename certprofile profile id
In-Reply-To: <1436519447.4097.63.camel@willson.usersys.redhat.com>
References: <559E9174.4000305@redhat.com> <559F5844.1030109@redhat.com> <559F85B4.6010606@redhat.com> <559F8972.2050806@redhat.com> <559F89F9.5040405@redhat.com> <1436519447.4097.63.camel@willson.usersys.redhat.com>
Message-ID: <559F902B.3090701@redhat.com>

Dne 10.7.2015 v 11:10 Simo Sorce napsal(a):
> On Fri, 2015-07-10 at 11:01 +0200, Jan Cholasta wrote:
>> Dne 10.7.2015 v 10:59 Jan Cholasta napsal(a):
>>> Dne 10.7.2015 v 10:43 Martin Basti napsal(a):
>>>> On 10/07/15 07:29, Jan Cholasta wrote:
>>>>> Hi,
>>>>>
>>>>> Dne 9.7.2015 v 17:21 Martin Basti napsal(a):
>>>>>> https://fedorahosted.org/freeipa/ticket/5074
>>>>>>
>>>>>> Patch attached.
>>>>>
>>>>> NACK, you should remove the --rename option from certprofile-mod. You
>>>>> can do it by removing "rdn_is_primary_key = True" from certprofile.
>>>>>
>>>>> Honza
>>>>>
>>>> Updated patch attached.
>>>>
>>>
>>> What I meant was remove --rename *and* do the check from your previous
>>> patch.
>>>
>>> Anyway, I didn't realize we already released IPA with certprofile and
>>> removing --rename would be a backward incompatible change, so I think
>>> it's better to just keep it.
>>>
>>> So ACK on the original patch.
>>>
>>
>> Pushed to master: 67b2b3408579814f7ff307cfd20bc4250edbea15
>
> I see no LDAP ACI that prevents a rename though, without that an admin
> can simply issue a modrdn operation. If it is critical for us to not
> allow renames we should rather have an ACI that prohibits them.

AFAIK there is no ACI to prevent renaming hosts (the check in this patch
is copied from the host plugin) or users either and so far nobody
complained. I'm not saying this is right, but the patch is consistent
with existing code.

-- 
Jan Cholasta

From mkubik at redhat.com Fri Jul 10 10:05:11 2015
From: mkubik at redhat.com (Milan Kubik)
Date: Fri, 10 Jul 2015 12:05:11 +0200
Subject: [Freeipa-devel] [patch 0004] spec file: Update the package name from libipa_hbac-python to python-libipa_hbac
Message-ID: <559F98D7.5020003@redhat.com>

Name update + the renamed package breaks 'dnf builddep'. I will report
the bug.
Yum can take care of the conflict resolution.

Patch attached.

Milan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkubik-0004-spec-file-update-the-package-name-from-libipa_hbac-p.patch
Type: text/x-patch
Size: 1125 bytes
Desc: not available
URL: 

From slaznick at redhat.com Fri Jul 10 10:08:18 2015
From: slaznick at redhat.com (Stanislav Laznicka)
Date: Fri, 10 Jul 2015 12:08:18 +0200
Subject: [Freeipa-devel] Time-Based Account Policies
Message-ID: <559F9992.5070600@redhat.com>

Hi,

Long time no post from me, time to make it up to you.

I have been working on the implementation of the design of time policies
for HBAC rules on FreeIPA and SSSD sides. Attached is the current state of
the FreeIPA solution. My comments and notes to the solution follow.

The FreeIPA side backend base for time policies in HBAC seems working to me
but still needs formal testing. Also, there is no conversion from the iCal
format as previously requested and I personally would postpone this feature
until the time policies functionality is rock solid.

There were some uncertainties in the design as well. I ran into 2 of these
but more may come.

The first thing is how to deal with weeks in a month. There are two
possibilities. A week in a month (as specified by the weekofmonth keyword in
the time policies) may be understood as a period of time between two
Sundays, so when a month starts on, say, Friday the 1st, weekofmonth=1 would
specify days Friday, Saturday, Sunday and anything from that Sunday on would
be a weekofmonth=2 and on. However, I think a week in a month may also be
considered a period of time that equals 7 days of a month. In the previous
example, a weekofmonth=1 would therefore also apply to the following days up
until Friday the 8th, excluding this last day. Although I implemented the
first case in the SSSD, I actually started thinking the second case scenario
might be the right or "better" one.

The other thing is which years should be allowed to be the input of the
"year" keyword. Currently, I set the range for these values to 1970-2038
according to the Unix timestamp. I'm not sure if anyone would want to set it
less than 1970; setting it to a higher value than 2038 might probably make
sense in some very special cases, although I really can't think of one.

As for the WebUI, I am not really satisfied with the current state - the
time zone select button requires saving the rule before any further setting
on the page and the tables for setting the time rules don't allow editing
the rules, which gets annoying fast. The WebUI for the time policies in HBAC
was created for my Master's thesis purposes in a hurry and I will probably
need to discuss it some more with Petr V. It works well for basic display
and add/remove of the time rules, though.

So, that is what I do now, aside from SSSD functionality. Please, let me
know what your ideas are, especially about those weekofmonth and year
issues.

Cheers,
Stanislav Laznicka
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Added-time-based-policies-types-to-LDAP-schema.patch
Type: text/x-patch
Size: 3033 bytes
Desc: not available
URL: 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-Prepared-parameters-for-HBAC-Rule-plugin-time-polici.patch
Type: text/x-patch
Size: 13194 bytes
Desc: not available
URL: 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0003-Added-methods-for-setting-time-based-policies-in-hba.patch
Type: text/x-patch
Size: 21938 bytes
Desc: not available
URL: 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0004-Created-basic-UI-for-setting-the-time-based-policies.patch
Type: text/x-patch
Size: 130585 bytes
Desc: not available
URL: 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0005-Time-zone-select-styled-properly.patch
Type: text/x-patch
Size: 104188 bytes
Desc: not available
URL: 

From abokovoy at redhat.com Fri Jul 10 10:43:42 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 10 Jul 2015 13:43:42 +0300
Subject: [Freeipa-devel] Time-Based Account Policies
In-Reply-To: <559F9992.5070600@redhat.com>
References: <559F9992.5070600@redhat.com>
Message-ID: <20150710104342.GH21928@redhat.com>

On Fri, 10 Jul 2015, Stanislav Laznicka wrote:
> Hi,
>
> Long time no post from me, time to make it up to you.
Welcome back!

> I have been working on the implementation of the design of time policies
> for HBAC rules on FreeIPA and SSSD sides. Attached is the current state of
> the FreeIPA solution. My comments and notes to the solution follow.
>
> The FreeIPA side backend base for time policies in HBAC seems working to me
> but still needs formal testing. Also, there is no conversion from the iCal
> format as previously requested and I personally would postpone this feature
> until the time policies functionality is rock solid.
>
> There were some uncertainties in the design as well. I ran into 2 of these
> but more may come.
>
> The first thing is how to deal with weeks in a month. There are two
> possibilities. A week in a month (as specified by the weekofmonth keyword in
> the time policies) may be understood as a period of time between two
> Sundays, so when a month starts on, say, Friday the 1st, weekofmonth=1 would
> specify days Friday, Saturday, Sunday and anything from that Sunday on would
> be a weekofmonth=2 and on. However, I think a week in a month may also be
> considered a period of time that equals 7 days of a month. In the previous
> example, a weekofmonth=1 would therefore also apply to the following days up
> until Friday the 8th, excluding this last day. Although I implemented the
> first case in the SSSD, I actually started thinking the second case scenario
> might be the right or "better" one.
One thing you need to realize is that there is no universal 'week starts on
Sunday'. There are different ways of starting a week, some countries do it
on Sunday, some -- on Saturday, some -- on Monday. This means you need to
make it possible to pull in a locale definition if you really want this
functionality and then it also becomes quite fuzzy as there are legal
definitions of what a week is (as well as a month and a work day).

> The other thing is which years should be allowed to be the input of the
> "year" keyword. Currently, I set the range for these values to 1970-2038
> according to the Unix timestamp. I'm not sure if anyone would want to set it
> less than 1970, setting it for a higher value than 2038 might probably make
> sense in some very special cases, although I really can't think of one.
You certainly can set it more than 2038 (time doesn't stop there). What you
are limited with is the Kerberos 32-bit time stamp, not the HBAC policy time
definition. I would say we had better set it to 64-bit ourselves and handle
irregularities in SSSD.

-- 
/ Alexander Bokovoy

From simo at redhat.com Fri Jul 10 10:52:20 2015
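The two readings of the weekofmonth keyword described in Stanislav's post, together with Alexander's point that the first day of the week is not universally Sunday, as an added example (not FreeIPA or SSSD code, and not part of either message). The rule format (a set of allowed week numbers) and the function names are constructed for illustration; the point it makes is that a rule written under one reading and evaluated under the other silently grants or denies access on a large share of the month, and which days those are also depends on the chosen first weekday:

```python
"""Week-of-month under the two readings discussed in the thread.

Added example, not FreeIPA or SSSD code. Two readings of weekofmonth:

  * "calendar" weeks: week 1 is the (possibly partial) week containing
    the 1st of the month; every later week starts on ``week_start``
    (the post assumes Sunday, but the first weekday is locale-dependent);
  * "sevenday" weeks: days 1-7 are week 1, days 8-14 are week 2, and so on.

The rule representation (a set of allowed week numbers) is a constructed
stand-in, not the attribute syntax defined by the real patches.
"""
import calendar
import datetime as dt

MONDAY, SUNDAY = calendar.MONDAY, calendar.SUNDAY  # weekday() numbers 0 and 6


def week_of_month_calendar(day: dt.date, week_start: int = MONDAY) -> int:
    """Week number where weeks begin on ``week_start`` (0=Monday .. 6=Sunday).

    The partial week containing the 1st counts as week 1, so a month that
    starts on a Friday has a two-day week 1 with Sunday-based weeks and a
    three-day week 1 with Monday-based weeks.
    """
    first = day.replace(day=1)
    # number of weekdays of the first (partial) week that fall before the 1st
    lead = (first.weekday() - week_start) % 7
    return (day.day - 1 + lead) // 7 + 1


def week_of_month_sevenday(day: dt.date) -> int:
    """Week number under the 'seven days per week, counted from the 1st' reading."""
    return (day.day - 1) // 7 + 1


def week_numbers(year: int, month: int, day: int, week_start: int = MONDAY) -> tuple:
    """Return (calendar_week, sevenday_week) for one date."""
    d = dt.date(year, month, day)
    return week_of_month_calendar(d, week_start), week_of_month_sevenday(d)


def disagreeing_days(year: int, month: int, week_start: int = MONDAY) -> list:
    """Days of the month on which the two readings assign different week numbers.

    A policy written as weekofmonth=N under one reading and evaluated under
    the other changes its answer on exactly these days.
    """
    _, ndays = calendar.monthrange(year, month)
    return [d for d in range(1, ndays + 1)
            if len(set(week_numbers(year, month, d, week_start))) == 2]


def rule_allows(year: int, month: int, day: int, weeks: set,
                reading: str, week_start: int = MONDAY) -> bool:
    """Evaluate a constructed 'weekofmonth in {weeks}' rule under one reading."""
    cal_week, seven_week = week_numbers(year, month, day, week_start)
    if reading == "calendar":
        return cal_week in weeks
    if reading == "sevenday":
        return seven_week in weeks
    raise ValueError("unknown reading: %r" % reading)


if __name__ == "__main__":
    # May 2015 starts on a Friday, the case used in the post.
    for d in (1, 2, 3, 7, 8):
        cal_sun = week_of_month_calendar(dt.date(2015, 5, d), SUNDAY)
        cal_mon = week_of_month_calendar(dt.date(2015, 5, d), MONDAY)
        seven = week_of_month_sevenday(dt.date(2015, 5, d))
        print(dt.date(2015, 5, d).strftime("%a %d"),
              "sunday-weeks:", cal_sun, "monday-weeks:", cal_mon, "7-day:", seven)
    print("days where the readings differ (Sunday start):",
          disagreeing_days(2015, 5, SUNDAY))
    print("days where the readings differ (Monday start):",
          disagreeing_days(2015, 5, MONDAY))
```

With Sunday-based weeks the two readings disagree on 21 of the 31 days of May 2015; with Monday-based weeks on 16. Whichever reading the schema finally documents, the evaluator in SSSD and the validation in the FreeIPA plugin have to agree on both the reading and the first weekday, otherwise the same stored rule means different things on the two sides.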
From: simo at redhat.com (Simo Sorce)
Date: Fri, 10 Jul 2015 06:52:20 -0400
Subject: [Freeipa-devel] [PATCH 0282] Prevent to rename certprofile profile id
In-Reply-To: <559F902B.3090701@redhat.com>
References: <559E9174.4000305@redhat.com> <559F5844.1030109@redhat.com> <559F85B4.6010606@redhat.com> <559F8972.2050806@redhat.com> <559F89F9.5040405@redhat.com> <1436519447.4097.63.camel@willson.usersys.redhat.com> <559F902B.3090701@redhat.com>
Message-ID: <1436525540.4097.65.camel@willson.usersys.redhat.com>

On Fri, 2015-07-10 at 11:28 +0200, Jan Cholasta wrote:
> Dne 10.7.2015 v 11:10 Simo Sorce napsal(a):
> > On Fri, 2015-07-10 at 11:01 +0200, Jan Cholasta wrote:
> >> Dne 10.7.2015 v 10:59 Jan Cholasta napsal(a):
> >>> Dne 10.7.2015 v 10:43 Martin Basti napsal(a):
> >>>> On 10/07/15 07:29, Jan Cholasta wrote:
> >>>>> Hi,
> >>>>>
> >>>>> Dne 9.7.2015 v 17:21 Martin Basti napsal(a):
> >>>>>> https://fedorahosted.org/freeipa/ticket/5074
> >>>>>>
> >>>>>> Patch attached.
> >>>>>
> >>>>> NACK, you should remove the --rename option from certprofile-mod. You
> >>>>> can do it by removing "rdn_is_primary_key = True" from certprofile.
> >>>>>
> >>>>> Honza
> >>>>>
> >>>> Updated patch attached.
> >>>>
> >>>
> >>> What I meant was remove --rename *and* do the check from your previous
> >>> patch.
> >>>
> >>> Anyway, I didn't realize we already released IPA with certprofile and
> >>> removing --rename would be a backward incompatible change, so I think
> >>> it's better to just keep it.
> >>>
> >>> So ACK on the original patch.
> >>>
> >>
> >> Pushed to master: 67b2b3408579814f7ff307cfd20bc4250edbea15
> >
> > I see no LDAP ACI that prevents a rename though, without that an admin
> > can simply issue a modrdn operation. If it is critical for us to not
> > allow renames we should rather have an ACI that prohibits them.
>
> AFAIK there is no ACI to prevent renaming hosts (the check in this patch
> is copied from the host plugin) or users either and so far nobody
> complained. I'm not saying this is right, but the patch is consistent
> with existing code.

Renaming users is explicitly allowed, renaming hosts is something we may
want to prevent too.

Maybe we should add a ticket to take care of these things?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From jcholast at redhat.com Fri Jul 10 10:55:04 2015
From: jcholast at redhat.com (Jan Cholasta)
Date: Fri, 10 Jul 2015 12:55:04 +0200
Subject: [Freeipa-devel] [patch 0004] spec file: Update the package name from libipa_hbac-python to python-libipa_hbac
In-Reply-To: <559F98D7.5020003@redhat.com>
References: <559F98D7.5020003@redhat.com>
Message-ID: <559FA488.40104@redhat.com>

Hi,

Dne 10.7.2015 v 12:05 Milan Kubik napsal(a):
> Name update + the renamed package breaks 'dnf builddep'. I will report
> the bug.
> Yum can take care of the conflict resolution.
>
> Patch attached.

You might as well update libsss_nss_idmap-python to python-libsss_nss_idmap
while you are at it.

Honza

-- 
Jan Cholasta

From pvoborni at redhat.com Fri Jul 10 11:10:18 2015
From: pvoborni at redhat.com (Petr Vobornik) Date: Fri, 10 Jul 2015 13:10:18 +0200 Subject: [Freeipa-devel] Time-Based Account Policies In-Reply-To: <20150710104342.GH21928@redhat.com> References: <559F9992.5070600@redhat.com> <20150710104342.GH21928@redhat.com> Message-ID: <559FA81A.6020704@redhat.com> On 07/10/2015 12:43 PM, Alexander Bokovoy wrote: > On Fri, 10 Jul 2015, Stanislav Laznicka wrote: >> Hi, >> >> Long time no post from me, time to make it up to you. > Welcome back! > >> I have been working on the the implementation of the design of time >> policies for HBAC rules on FreeIPA and SSSD sides. Attached is the >> current state of the FreeIPA solution. My comments and notes to the >> solution follow. >> >> The FreeIPA side backend base for time policies in HBAC seems working >> to me but still needs formal testing. Also, there is no conversion >> from the iCal format as previously requested and I personally would >> postpone this feature until the time policies functionality is rock >> solid. >> >> There were some uncertainties in the design as well. I ran into 2 of >> these but more may come. >> >> The first thing is how to deal with weeks in a month. There are two >> possibilities. A week in month (as specified by the weekofmonth >> keyword in the time policies) may be understood as a period of time >> between two Sundays, so when a month starts on, say, Friday the 1st, >> weekofmonth=1 would specify days Friday, Saturday, Sunday and anything >> from that Sunday on would be a weekofmonth=2 and on. However, I think >> a week in a month may also be considered a period of time that equals >> 7 days of a month. In the previous example, a weekofmonth=1 would >> therefore also apply to the following days up until Friday the 8th, >> excluding this last day. Although I implemented the first case in the >> SSSD, I actually started thinking the second case scenario might be >> the right or "better" one. 
> One thing you need to realize that there is no universal 'week starts on > Sunday'. > There are different ways of starting a week, some countries do it on > Sunday, some -- on Saturday, some -- on Monday. This means you need to > make possible to pull in a locale definition if you really want this > functionality and then it also becomes quite fuzzy as there are legal > definitions of what a week is (as well as a month and a work day). > Yes, it could be more complicated, e.g. see Week Of Month in Java: """ week-of-month: The calculation ensures that weeks never overlap a month boundary. The month is divided into periods where each period starts on the defined first day-of-week. The earliest period is referred to as week 0 if it has less than the minimal number of days and week 1 if it has at least the minimal number of days. public int getMinimalDaysInFirstWeek(): Gets the minimal number of days in the first week. The number of days considered to define the first week of a month or year varies by culture. For example, the ISO-8601 requires 4 days (more than half a week) to be present before counting the first week. """ https://docs.oracle.com/javase/8/docs/api/java/time/temporal/WeekFields.html >> The other thing is which years should be allowed to be the input of >> the "year" keyword. Currently, I set the range for these values to >> 1970-2038 according to the Unix timestamp. I'm not sure if anyone >> would want to set it less than 1970, setting it for a higher value >> than 2038 might probably make sense in some very special cases, >> although I really can't think of a one. > You certainly can set it more than 2038 (time doesn't stop there). What > you are limited with is Kerberos 32-bit time stamp, not HBAC policy time > definition. I would say we better set to 64-bit ourselves and handle > irregularities in SSSD. > Yes, we should talk. Some comments from looking on patch 0004: 1. 
list of time zones should be moved to a module property so that it can be reused elsewhere if needed. Other possibility is to get this list from backend, e.g. on Web UI load or something. 2. please don't do any changes to patternfly.js. It's updated only when bundled PatternFly is updated. Long term goal is to get it out of FreeIPA git. All IPA css changes should be done in install/ui/less/*less files - as you did in widgets.less. From these .less files an install/ui/css/ipa.css file is created. Note that there is also install/ui/ipa.css which contains most of the ipa specific styles. It's planned to move these styles to .less files as well. -- Petr Vobornik From mhonek at redhat.com Fri Jul 10 11:12:10 2015
From: mhonek at redhat.com (Matúš Honěk) Date: Fri, 10 Jul 2015 13:12:10 +0200 Subject: [Freeipa-devel] Time-Based Account Policies In-Reply-To: <20150710104342.GH21928@redhat.com> References: <559F9992.5070600@redhat.com> <20150710104342.GH21928@redhat.com> Message-ID: <559FA88A.5020608@redhat.com> On 07/10/2015 12:43 PM, Alexander Bokovoy wrote: > On Fri, 10 Jul 2015, Stanislav Laznicka wrote: >> Hi, >> >> Long time no post from me, time to make it up to you. > Welcome back! > >> I have been working on the the implementation of the design of time >> policies for HBAC rules on FreeIPA and SSSD sides. Attached is the >> current state of the FreeIPA solution. My comments and notes to the >> solution follow. >> >> The FreeIPA side backend base for time policies in HBAC seems working >> to me but still needs formal testing. Also, there is no conversion >> from the iCal format as previously requested and I personally would >> postpone this feature until the time policies functionality is rock >> solid. >> >> There were some uncertainties in the design as well. I ran into 2 of >> these but more may come. >> >> The first thing is how to deal with weeks in a month. There are two >> possibilities. A week in month (as specified by the weekofmonth >> keyword in the time policies) may be understood as a period of time >> between two Sundays, so when a month starts on, say, Friday the 1st, >> weekofmonth=1 would specify days Friday, Saturday, Sunday and anything >> from that Sunday on would be a weekofmonth=2 and on. However, I think >> a week in a month may also be considered a period of time that equals >> 7 days of a month. In the previous example, a weekofmonth=1 would >> therefore also apply to the following days up until Friday the 8th, >> excluding this last day. Although I implemented the first case in the >> SSSD, I actually started thinking the second case scenario might be >> the right or "better" one. 
> One thing you need to realize that there is no universal 'week starts on > Sunday'. > There are different ways of starting a week, some countries do it on > Sunday, some -- on Saturday, some -- on Monday. This means you need to > make possible to pull in a locale definition if you really want this > functionality and then it also becomes quite fuzzy as there are legal > definitions of what a week is (as well as a month and a work day). I would definitely go with using the locales for deciding (same for weeks of year, etc.). In addition to that I would, personally, also make it clear to see the exact description of the policy currently in use, on the WebUI and CLI (if it is possible, of course). Maybe it is just me but I have no idea how to decide when is the first week of a month, even in my locale. (if it is already there then act as if I have said nothing) > >> The other thing is which years should be allowed to be the input of >> the "year" keyword. Currently, I set the range for these values to >> 1970-2038 according to the Unix timestamp. I'm not sure if anyone >> would want to set it less than 1970, setting it for a higher value >> than 2038 might probably make sense in some very special cases, >> although I really can't think of a one. > You certainly can set it more than 2038 (time doesn't stop there). What > you are limited with is Kerberos 32-bit time stamp, not HBAC policy time > definition. I would say we better set to 64-bit ourselves and handle > irregularities in SSSD. > -- Matúš Honěk From mkubik at redhat.com Fri Jul 10 11:25:33 2015
From: mkubik at redhat.com (Milan Kubik) Date: Fri, 10 Jul 2015 13:25:33 +0200 Subject: [Freeipa-devel] [patch 0004] spec file: Update the package name from libipa_hbac-python to python-libipa_hbac In-Reply-To: <559FA488.40104@redhat.com> References: <559F98D7.5020003@redhat.com> <559FA488.40104@redhat.com> Message-ID: <559FABAD.6080904@redhat.com> On 07/10/2015 12:55 PM, Jan Cholasta wrote: > Hi, > > > > Dne 10.7.2015 v 12:05 Milan Kubik napsal(a): > >> Name update + the renamed package breaks 'dnf builddep'. I will report >> >> the bug. >> >> Yum can take care of the conflict resolution. >> >> >> >> Patch attached. >> > > > You might as well update libsss_nss_idmap-python to > python-libsss_nss_idmap while you are at it. > > > > Honza > > > > > Hi, new patch is here :) Self-NACK on 0004. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mkubik-0005-spec-file-update-the-python-package-names-for-libipa.patch Type: text/x-patch Size: 1440 bytes Desc: not available URL: From mkubik at redhat.com Fri Jul 10 11:57:06 2015 From: mkubik at redhat.com (Milan Kubik) Date: Fri, 10 Jul 2015 13:57:06 +0200 Subject: [Freeipa-devel] [patch 0006] ipalib: pass api instance into textui in doctest snippets Message-ID: <559FB312.4030109@redhat.com> Hi, the recent set of patches that modified api broke the tests that are included in ipalib/cli.py This patch fixes the problems by passing api instance to textui() calls. Milan -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mkubik-0006-ipalib-pass-api-instance-into-textui-in-doctest-snip.patch Type: text/x-patch Size: 4160 bytes Desc: not available URL: From mkubik at redhat.com Fri Jul 10 12:15:47 2015 
From: mkubik at redhat.com (Milan Kubik) Date: Fri, 10 Jul 2015 14:15:47 +0200 Subject: [Freeipa-devel] [patch 0006] ipalib: pass api instance into textui in doctest snippets In-Reply-To: <559FB312.4030109@redhat.com> References: <559FB312.4030109@redhat.com> Message-ID: <559FB773.4070009@redhat.com> On 07/10/2015 01:57 PM, Milan Kubik wrote: > Hi, > > the recent set of patches that modified api broke the tests that are > included in ipalib/cli.py > > This patch fixes the problems by passing api instance to textui() calls. > > Milan > > This may not be the complete solution. Similar problems arise in the rest of the tests in ipalib modules. I guess the code examples (doctest test cases) are all affected by the changes to the api object. -------------- next part -------------- An HTML attachment was scrubbed... URL: From mbasti at redhat.com Fri Jul 10 12:31:12 2015 From: mbasti at redhat.com (Martin Basti) Date: Fri, 10 Jul 2015 14:31:12 +0200 Subject: [Freeipa-devel] [PATCH 0283] copy-schema-to-ca: allow to overwrite schema files Message-ID: <559FBB10.6030104@redhat.com> https://fedorahosted.org/freeipa/ticket/5034 Patch attached. -- Martin Basti -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0283-copy-schema-to-ca-allow-to-overwrite-schema-files.patch Type: text/x-patch Size: 2681 bytes Desc: not available URL: From mbasti at redhat.com Fri Jul 10 12:51:53 2015 
From: mbasti at redhat.com (Martin Basti) Date: Fri, 10 Jul 2015 14:51:53 +0200 Subject: [Freeipa-devel] [PATCH 0284] stageuser-activate: show user name in error message instead of DN Message-ID: <559FBFE9.8000308@redhat.com> https://fedorahosted.org/freeipa/ticket/5038 I reworded the error message to keep the same format as stageuser-add and user-add. Patch attached. -- Martin Basti -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0284-Stageusedr-activate-show-username-instead-of-DN.patch Type: text/x-patch Size: 1289 bytes Desc: not available URL: From tbabej at redhat.com Fri Jul 10 12:56:58 2015 
From: tbabej at redhat.com (Tomas Babej)
Date: Fri, 10 Jul 2015 14:56:58 +0200
Subject: [Freeipa-devel] [PATCH] 0001 Enhance the DNSNotARecordError message
In-Reply-To: <477458039.5870245.1436442597119.JavaMail.zimbra@redhat.com>
References: <477458039.5870245.1436442597119.JavaMail.zimbra@redhat.com>
Message-ID: <559FC11A.4000609@redhat.com>

On 07/09/2015 01:49 PM, Veronika Kabatova wrote:
> The attached patch solves the ticket.
>
> Veronika Kabatova
>
>

Hello, thanks for the patch.

Actually, the doctest does not pass:

$ ipa-run-tests /usr/lib/python2.7/site-packages/ipalib/errors.py --doctest-modules
============================================================================================================= test session starts =============================================================================================================
platform linux2 -- Python 2.7.10 -- py-1.4.28 -- pytest-2.6.4
plugins: multihost, sourceorder
collected 85 items

../ipalib/errors.py ...................F..............F..................................................

================================================================================================================== FAILURES ===================================================================================================================
_________________________________________________________________________________________________ [doctest] ipalib.errors.DNSNotARecordError __________________________________________________________________________________________________
1137 """
1138 **4019** Raised when a hostname is not a DNS A/AAAA record
1139
1140 For example:
1141
1142 >>> raise DNSNotARecordError()
Differences (unified diff with -expected +actual):
    @@ -1,4 +1,6 @@
     Traceback (most recent call last):
    -  ...
    -DNSNotARecordError: Host does not have corresponding DNS A/AAAA record,
    -use --force to continue anyway
    +  File "/usr/lib64/python2.7/doctest.py", line 1315, in __run
    +    compileflags, 1) in test.globs
    +  File "", line 1, in 
    +    raise DNSNotARecordError()
    +DNSNotARecordError: Host does not have corresponding DNS A/AAAA record, use --force to continue anyway

/usr/lib/python2.7/site-packages/ipalib/errors.py:1142: DocTestFailure

The reason for the mismatch here is that you wrapped the line - in this case, we need to violate the PEP8, and allow the length of the line to exceed 80 characters.

HTH,
Tomas

From slaznick at redhat.com Fri Jul 10 12:57:53 2015
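The mismatch Tomas describes (doctest folds the wrapped continuation line into the expected exception message, which then no longer equals the single line Python actually prints) can be reproduced without ipalib. The following is an added example, not code from the patch or from FreeIPA: it uses a constructed stand-in exception carrying the same message text and runs both docstring variants through doctest's own parser and runner. It also shows that the `NORMALIZE_WHITESPACE` directive makes the wrapped form pass, an alternative to the over-long line that the message above does not mention.

```python
import doctest


class DNSNotARecordError(Exception):
    """Constructed stand-in for ipalib.errors.DNSNotARecordError."""
    # Pinned so the traceback line reads 'DNSNotARecordError: ...' even when
    # this file is imported as a module (Python 3 otherwise prefixes the
    # module path, which the docstring would also have to match).
    __module__ = "__main__"

    def __init__(self):
        super().__init__("Host does not have corresponding DNS A/AAAA "
                         "record, use --force to continue anyway")


# Expected output on one line, exactly as doctest formats the exception.
ONE_LINE = """
>>> raise DNSNotARecordError()
Traceback (most recent call last):
  ...
DNSNotARecordError: Host does not have corresponding DNS A/AAAA record, use --force to continue anyway
"""

# Expected output wrapped to stay under 80 columns.  doctest treats every
# line after the traceback header as part of the expected exception text,
# so the embedded newline makes it differ from what is really printed.
WRAPPED = """
>>> raise DNSNotARecordError()
Traceback (most recent call last):
  ...
DNSNotARecordError: Host does not have corresponding DNS A/AAAA record,
use --force to continue anyway
"""


def run_snippet(snippet, optionflags=0):
    """Run one docstring snippet with doctest; return (failed, attempted)."""
    test = doctest.DocTestParser().get_doctest(
        snippet, {"DNSNotARecordError": DNSNotARecordError},
        "snippet", "<snippet>", 0)
    runner = doctest.DocTestRunner(optionflags=optionflags, verbose=False)
    result = runner.run(test, out=lambda text: None)  # drop the failure report
    return result.failed, result.attempted


if __name__ == "__main__":
    print("one line:", run_snippet(ONE_LINE))                    # (0, 1)
    print("wrapped:", run_snippet(WRAPPED))                      # (1, 1)
    print("wrapped + NORMALIZE_WHITESPACE:",
          run_snippet(WRAPPED, doctest.NORMALIZE_WHITESPACE))    # (0, 1)
```

`NORMALIZE_WHITESPACE` collapses runs of whitespace on both sides before comparing, so the line break in the docstring is harmless; it can be set per example with `# doctest: +NORMALIZE_WHITESPACE` or globally via pytest's doctest option flags.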
From: slaznick at redhat.com (Stanislav Laznicka) Date: Fri, 10 Jul 2015 14:57:53 +0200 Subject: [Freeipa-devel] Time-Based Account Policies In-Reply-To: <559FA81A.6020704@redhat.com> References: <559F9992.5070600@redhat.com> <20150710104342.GH21928@redhat.com> <559FA81A.6020704@redhat.com> Message-ID: <559FC151.3080503@redhat.com> On 07/10/2015 01:10 PM, Petr Vobornik wrote: > On 07/10/2015 12:43 PM, Alexander Bokovoy wrote: >> On Fri, 10 Jul 2015, Stanislav Laznicka wrote: >>> Hi, >>> >>> Long time no post from me, time to make it up to you. >> Welcome back! >> >>> I have been working on the the implementation of the design of time >>> policies for HBAC rules on FreeIPA and SSSD sides. Attached is the >>> current state of the FreeIPA solution. My comments and notes to the >>> solution follow. >>> >>> The FreeIPA side backend base for time policies in HBAC seems working >>> to me but still needs formal testing. Also, there is no conversion >>> from the iCal format as previously requested and I personally would >>> postpone this feature until the time policies functionality is rock >>> solid. >>> >>> There were some uncertainties in the design as well. I ran into 2 of >>> these but more may come. >>> >>> The first thing is how to deal with weeks in a month. There are two >>> possibilities. A week in month (as specified by the weekofmonth >>> keyword in the time policies) may be understood as a period of time >>> between two Sundays, so when a month starts on, say, Friday the 1st, >>> weekofmonth=1 would specify days Friday, Saturday, Sunday and anything >>> from that Sunday on would be a weekofmonth=2 and on. However, I think >>> a week in a month may also be considered a period of time that equals >>> 7 days of a month. In the previous example, a weekofmonth=1 would >>> therefore also apply to the following days up until Friday the 8th, >>> excluding this last day. 
Although I implemented the first case in the >>> SSSD, I actually started thinking the second case scenario might be >>> the right or "better" one. >> One thing you need to realize that there is no universal 'week starts on >> Sunday'. >> There are different ways of starting a week, some countries do it on >> Sunday, some -- on Saturday, some -- on Monday. This means you need to >> make possible to pull in a locale definition if you really want this >> functionality and then it also becomes quite fuzzy as there are legal >> definitions of what a week is (as well as a month and a work day). >> > > Yes, it could be more complicated, e.g. see Week Of Month in Java: > """ > week-of-month: The calculation ensures that weeks never overlap a > month boundary. The month is divided into periods where each period > starts on the defined first day-of-week. The earliest period is > referred to as week 0 if it has less than the minimal number of days > and week 1 if it has at least the minimal number of days. > > > public int getMinimalDaysInFirstWeek(): > > Gets the minimal number of days in the first week. > > The number of days considered to define the first week of a month or > year varies by culture. For example, the ISO-8601 requires 4 days > (more than half a week) to be present before counting the first week. > """ > https://docs.oracle.com/javase/8/docs/api/java/time/temporal/WeekFields.html > > That is a pretty good example of what a week is, thanks. I don't think I would want the functionality of having weeks begin with different weekdays according to locale. I would rather stick to the ISO 8601 as described in the link Petr sent. I was rather wondering whether weekofmonth should mean the x-th appearance of a day in a month or an appearance of this day in x-th week of the month. However, the definition above is quite strong and I think I could live with a week starting only on Monday and having 0-th weeks in month. 
>>> The other thing is which years should be allowed to be the input of >>> the "year" keyword. Currently, I set the range for these values to >>> 1970-2038 according to the Unix timestamp. I'm not sure if anyone >>> would want to set it less than 1970, setting it for a higher value >>> than 2038 might probably make sense in some very special cases, >>> although I really can't think of a one. >> You certainly can set it more than 2038 (time doesn't stop there). What >> you are limited with is Kerberos 32-bit time stamp, not HBAC policy time >> definition. I would say we better set to 64-bit ourselves and handle >> irregularities in SSSD. >> > > Yes, we should talk. > > Some comments from looking on patch 0004: > 1. list of time zones should be moved to a module property so that it > can be reused else where if needed. Other possibility is to get this > list from backend, e.g. on Web UI load or something. > > 2. please don't do any changes to patternfly.js. It's updated only > when bundled PatternFly is updated. Long term goal is to get it out of > FreeIPA git. > > All IPA css changes should be done in install/ui/less/*less files - as > you did in widgets.less. From these .less files an > install/ui/css/ipa.css file is created. Note that there is also > install/ui/ipa.css which contains most of the ipa specific styles. > It's planned to move these styles to .less files as well. I put those 2 last commits together, the only difference there was that once the styles were set correctly (0005) and incorrectly in the previous patch (0004). Attaching the last commit, also hopefully with correct formatting as pointed out by Martin Basti. I should add the list of time zones to a module property in later commits. -------------- next part -------------- A non-text attachment was scrubbed... Name: 0004-Created-basic-UI-for-setting-time-policies-at-HBAC-r.patch Type: text/x-patch Size: 17675 bytes Desc: not available URL: From tbabej at redhat.com Fri Jul 10 13:02:08 2015 
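The three readings of `weekofmonth` discussed in this thread (weeks bounded by Sundays, fixed seven-day blocks, and the java.time `WeekFields` / ISO 8601 rule Petr quoted) assign different week numbers to the same dates, which matters for access control: the days on which an HBAC time rule grants login depend on which reading the server and SSSD implement, and they must agree. The following is an added example, not code from the patches, FreeIPA or SSSD. It implements all three rules and lists, for May 2015 (a month that starts on a Friday, like Stanislav's example), which days `weekofmonth=1` would cover. The rule names are mine, and encoding the "between two Sundays" reading as Monday-start weeks whose partial first week counts as week 1 is my assumption about its intent.

```python
from datetime import date
import calendar

MONDAY, SUNDAY = 0, 6  # date.weekday() numbering


def week_of_month_blocks(d):
    """Fixed 7-day blocks counted from the 1st: days 1-7 -> 1, 8-14 -> 2, ..."""
    return (d.day - 1) // 7 + 1


def week_of_month_calendar(d, first_day_of_week=MONDAY, minimal_days=4):
    """Calendar weeks that never cross a month boundary (the java.time
    WeekFields rule quoted in the thread).  Each period starts on
    first_day_of_week; the leading partial period is week 1 if it has at
    least minimal_days days and week 0 otherwise.  Defaults are ISO 8601."""
    first_weekday = d.replace(day=1).weekday()
    # Days in the leading period: from the 1st up to the day before the
    # first occurrence of first_day_of_week (a full 7 if the 1st is that day).
    lead = (first_day_of_week - first_weekday) % 7 or 7
    period = 0 if d.day <= lead else 1 + (d.day - lead - 1) // 7
    return period + (1 if lead >= minimal_days else 0)


RULES = {
    # "between two Sundays": weeks end on Sunday, partial first week is week 1
    "sunday_bounded": lambda d: week_of_month_calendar(d, MONDAY, 1),
    "seven_day_blocks": week_of_month_blocks,
    "iso_8601": lambda d: week_of_month_calendar(d, MONDAY, 4),
}


def days_in_week(year, month, week, rule):
    """Days of the month an HBAC 'weekofmonth=<week>' clause covers under rule."""
    ndays = calendar.monthrange(year, month)[1]
    return [day for day in range(1, ndays + 1)
            if RULES[rule](date(year, month, day)) == week]


def disagreement(year, month, week):
    """Days on which the rules do not all agree about membership in week."""
    sets = [set(days_in_week(year, month, week, rule)) for rule in RULES]
    return sorted(set.union(*sets) - set.intersection(*sets))


if __name__ == "__main__":
    # May 2015 begins on a Friday; compare what "weekofmonth=1" means.
    for rule in RULES:
        print(f"{rule:>17}: weekofmonth=1 -> days {days_in_week(2015, 5, 1, rule)}")
    print("days where the rules disagree:", disagreement(2015, 5, 1))
```

Under ISO 8601 the 1st to the 3rd fall in week 0, so a rule written as `weekofmonth=1` would not match them at all, while the Sunday-bounded reading matches only those three days and the block reading matches the 1st to the 7th. Whichever definition is chosen, it should be stated in the design and checked by a test like `days_in_week` on both the FreeIPA and SSSD side so that a policy evaluates identically everywhere.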
From: tbabej at redhat.com (Tomas Babej) Date: Fri, 10 Jul 2015 15:02:08 +0200 Subject: [Freeipa-devel] [PATCH 0337] ipalib: Fix missing format for InvalidDomainLevelError Message-ID: <559FC250.8090901@redhat.com> Hi, this patch fixes missing format for the InvalidDomainLevelError exception. Pushed to, under oneliner rule: master: 8a4e79c9e6ebb92e5bcc3c53e3f0073c10333227 ipa-4-2: fe69b2cbe48c9874ac0ee1d34cce1cdb244abadc Tomas -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-tbabej-0337-ipalib-Fix-missing-format-for-InvalidDomainLevelErro.patch Type: text/x-patch Size: 659 bytes Desc: not available URL: From tbabej at redhat.com Fri Jul 10 13:05:59 2015 
From: tbabej at redhat.com (Tomas Babej)
Date: Fri, 10 Jul 2015 15:05:59 +0200
Subject: [Freeipa-devel] [patch 0006] ipalib: pass api instance into textui in doctest snippets
In-Reply-To: <559FB773.4070009@redhat.com>
References: <559FB312.4030109@redhat.com> <559FB773.4070009@redhat.com>
Message-ID: <559FC337.8050902@redhat.com>

On 07/10/2015 02:15 PM, Milan Kubik wrote:
> On 07/10/2015 01:57 PM, Milan Kubik wrote:
>> Hi,
>>
>> the recent set of patches that modified api broke the tests that are
>> included in ipalib/cli.py
>>
>> This patch fixes the problems by passing api instance to textui() calls.
>>
>> Milan
>>
>>
> This may not be the complete solution. Similar problems arise in the
> rest of the tests in ipalib modules.
> I guess the code examples (doctest test cases) are all affected by the
> changes to the api object.
>
>

ACK for this patch.

Pushed to:
master: 61f41df9493acfbfd1cda017b40cf6786afd8815
ipa-4-2: c210b3d2843326e5bc934d397831d4d128c1b603

As far as the other modules go, I see most failures in the frontend:

../ipalib/__init__.py F
../ipalib/base.py .....
../ipalib/cli.py ............
../ipalib/config.py .....
../ipalib/crud.py F
../ipalib/errors.py .....................................................................................
../ipalib/frontend.py FFFF.FFFFFFF
../ipalib/messages.py .
../ipalib/output.py .
../ipalib/parameters.py ...........
../ipalib/text.py ......

From simo at redhat.com Fri Jul 10 13:07:13 2015
From: simo at redhat.com (Simo Sorce) Date: Fri, 10 Jul 2015 09:07:13 -0400 Subject: [Freeipa-devel] [PATCH 0334] Hide topology and domainlevel features In-Reply-To: <559C4E27.60007@redhat.com> References: <559B8EBE.1030003@redhat.com> <559C0980.2000701@redhat.com> <559C4E27.60007@redhat.com> Message-ID: <1436533633.4097.74.camel@willson.usersys.redhat.com> On Wed, 2015-07-08 at 00:09 +0200, Tomas Babej wrote: > > On 07/07/2015 07:16 PM, Martin Basti wrote: > > On 07/07/15 10:33, Tomas Babej wrote: > >> Hi, > >> > >> * Hide topology and domainlevel commands in the CLI > >> * Hide topology and domainlevel in the WebUI > >> * Set maximum allowed domain level to 0 > >> * Do not configure and enable the topology plugin > >> > >> https://fedorahosted.org/freeipa/ticket/5097 > >> > >> > > ACK > > > > -- > > Martin Basti > > > > Pushed to master: 62e8002bc43ddd890c3db35a123cb7daf35e3121 > Can we revert the Max Domain Level change in master ? It should have been changed only in the 4.2 branch! Simo. -- Simo Sorce * Red Hat, Inc * New York From tbabej at redhat.com Fri Jul 10 13:08:19 2015 
From: tbabej at redhat.com (Tomas Babej) Date: Fri, 10 Jul 2015 15:08:19 +0200 Subject: [Freeipa-devel] [PATCH 0334] Hide topology and domainlevel features In-Reply-To: <1436533633.4097.74.camel@willson.usersys.redhat.com> References: <559B8EBE.1030003@redhat.com> <559C0980.2000701@redhat.com> <559C4E27.60007@redhat.com> <1436533633.4097.74.camel@willson.usersys.redhat.com> Message-ID: <559FC3C3.40401@redhat.com> On 07/10/2015 03:07 PM, Simo Sorce wrote: > On Wed, 2015-07-08 at 00:09 +0200, Tomas Babej wrote: >> >> On 07/07/2015 07:16 PM, Martin Basti wrote: >>> On 07/07/15 10:33, Tomas Babej wrote: >>>> Hi, >>>> >>>> * Hide topology and domainlevel commands in the CLI >>>> * Hide topology and domainlevel in the WebUI >>>> * Set maximum allowed domain level to 0 >>>> * Do not configure and enable the topology plugin >>>> >>>> https://fedorahosted.org/freeipa/ticket/5097 >>>> >>>> >>> ACK >>> >>> -- >>> Martin Basti >>> >> >> Pushed to master: 62e8002bc43ddd890c3db35a123cb7daf35e3121 >> > > Can we revert the Max Domain Level change in master ? > It should have been changed only in the 4.2 branch! > > Simo. > This was pushed prior to the branching of the ipa-4-2 branch. I will prepare a patch. Tomas From slaznick at redhat.com Fri Jul 10 13:10:31 2015 
From: slaznick at redhat.com (Stanislav Laznicka) Date: Fri, 10 Jul 2015 15:10:31 +0200 Subject: [Freeipa-devel] Time-Based Account Policies In-Reply-To: <559FA88A.5020608@redhat.com> References: <559F9992.5070600@redhat.com> <20150710104342.GH21928@redhat.com> <559FA88A.5020608@redhat.com> Message-ID: <559FC447.10102@redhat.com> On 07/10/2015 01:12 PM, Matúš Honěk wrote: > On 07/10/2015 12:43 PM, Alexander Bokovoy wrote: >> On Fri, 10 Jul 2015, Stanislav Laznicka wrote: >>> Hi, >>> >>> Long time no post from me, time to make it up to you. >> Welcome back! >> >>> I have been working on the the implementation of the design of time >>> policies for HBAC rules on FreeIPA and SSSD sides. Attached is the >>> current state of the FreeIPA solution. My comments and notes to the >>> solution follow. >>> >>> The FreeIPA side backend base for time policies in HBAC seems working >>> to me but still needs formal testing. Also, there is no conversion >>> from the iCal format as previously requested and I personally would >>> postpone this feature until the time policies functionality is rock >>> solid. >>> >>> There were some uncertainties in the design as well. I ran into 2 of >>> these but more may come. >>> >>> The first thing is how to deal with weeks in a month. There are two >>> possibilities. A week in month (as specified by the weekofmonth >>> keyword in the time policies) may be understood as a period of time >>> between two Sundays, so when a month starts on, say, Friday the 1st, >>> weekofmonth=1 would specify days Friday, Saturday, Sunday and anything >>> from that Sunday on would be a weekofmonth=2 and on. However, I think >>> a week in a month may also be considered a period of time that equals >>> 7 days of a month. In the previous example, a weekofmonth=1 would >>> therefore also apply to the following days up until Friday the 8th, >>> excluding this last day. 
Although I implemented the first case in the >>> SSSD, I actually started thinking the second case scenario might be >>> the right or "better" one. >> One thing you need to realize that there is no universal 'week starts on >> Sunday'. >> There are different ways of starting a week, some countries do it on >> Sunday, some -- on Saturday, some -- on Monday. This means you need to >> make possible to pull in a locale definition if you really want this >> functionality and then it also becomes quite fuzzy as there are legal >> definitions of what a week is (as well as a month and a work day). > I would definitely go with using the locales for deciding (same for > weeks of year, etc.). With addition to that I would, personally, also > make it clear to see the exact description of the policy currently in > use, on the WebUI and CLI (if it is possible, of course). Maybe it is > just me but I have no idea how to decide when is the first week of a > month, even in my locale. (if it is already there then act as if I > have said nothing) > I am not sure about using locales to decide on which day should start a week. It seems better to stick to only one certain day to avoid confusion. I don't think it would be possible to have a note that says that this certain time policy applies at this certain time. It would be hard when only different time zones and UTC are taken into account, but the possibility to make time policy whose time zone is dependent purely on host's local time zone makes this impossible. Petr V. posted a nice way of how to define a week earlier in this thread, even the first and 0-th week. >> >>> The other thing is which years should be allowed to be the input of >>> the "year" keyword. Currently, I set the range for these values to >>> 1970-2038 according to the Unix timestamp. 
I'm not sure if anyone >>> would want to set it less than 1970, setting it for a higher value >>> than 2038 might probably make sense in some very special cases, >>> although I really can't think of a one. >> You certainly can set it more than 2038 (time doesn't stop there). What >> you are limited with is Kerberos 32-bit time stamp, not HBAC policy time >> definition. I would say we better set to 64-bit ourselves and handle >> irregularities in SSSD. >> > From tbabej at redhat.com Fri Jul 10 13:18:10 2015 From: tbabej at redhat.com (Tomas Babej) Date: Fri, 10 Jul 2015 15:18:10 +0200 Subject: [Freeipa-devel] [PATCH 0338] Revert "Hide topology and domainlevel features" Message-ID: <559FC612.2060602@redhat.com> Hi, This reverts commit 62e8002bc43ddd890c3db35a123cb7daf35e3121. Hiding of the topology and domainlevel features was necessary for the 4.2 branch only. Tomas -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-tbabej-0338-Revert-Hide-topology-and-domainlevel-features.patch Type: text/x-patch Size: 7044 bytes Desc: not available URL: From simo at redhat.com Fri Jul 10 13:25:02 2015 From: simo at redhat.com (Simo Sorce) Date: Fri, 10 Jul 2015 09:25:02 -0400 Subject: [Freeipa-devel] [PATCH 0338] Revert "Hide topology and domainlevel features" In-Reply-To: <559FC612.2060602@redhat.com> References: <559FC612.2060602@redhat.com> Message-ID: <1436534702.4097.77.camel@willson.usersys.redhat.com> On Fri, 2015-07-10 at 15:18 +0200, Tomas Babej wrote: > Hi, > > This reverts commit 62e8002bc43ddd890c3db35a123cb7daf35e3121. > > Hiding of the topology and domainlevel features was necessary > for the 4.2 branch only. > > Tomas ACK Simo, -- Simo Sorce * Red Hat, Inc * New York From tbabej at redhat.com Fri Jul 10 13:27:37 2015 
From: tbabej at redhat.com (Tomas Babej) Date: Fri, 10 Jul 2015 15:27:37 +0200 Subject: [Freeipa-devel] [PATCH 0338] Revert "Hide topology and domainlevel features" In-Reply-To: <1436534702.4097.77.camel@willson.usersys.redhat.com> References: <559FC612.2060602@redhat.com> <1436534702.4097.77.camel@willson.usersys.redhat.com> Message-ID: <559FC849.1060803@redhat.com> On 07/10/2015 03:25 PM, Simo Sorce wrote: > On Fri, 2015-07-10 at 15:18 +0200, Tomas Babej wrote: >> Hi, >> >> This reverts commit 62e8002bc43ddd890c3db35a123cb7daf35e3121. >> >> Hiding of the topology and domainlevel features was necessary >> for the 4.2 branch only. >> >> Tomas > > ACK > > Simo, > Pushed to master: 510642196184e588b3014db1d1fdd7bc4aa2f5dd From mbasti at redhat.com Fri Jul 10 14:17:06 2015 
From: mbasti at redhat.com (Martin Basti) Date: Fri, 10 Jul 2015 16:17:06 +0200 Subject: [Freeipa-devel] Time-Based Account Policies In-Reply-To: <559F9992.5070600@redhat.com> References: <559F9992.5070600@redhat.com> Message-ID: <559FD3E2.5020503@redhat.com> On 10/07/15 12:08, Stanislav Laznicka wrote: > Hi, > > Long time no post from me, time to make it up to you. > > I have been working on the the implementation of the design of time > policies for HBAC rules on FreeIPA and SSSD sides. Attached is the > current state of the FreeIPA solution. My comments and notes to the > solution follow. > > The FreeIPA side backend base for time policies in HBAC seems working > to me but still needs formal testing. Also, there is no conversion > from the iCal format as previously requested and I personally would > postpone this feature until the time policies functionality is rock > solid. > > There were some uncertainties in the design as well. I ran into 2 of > these but more may come. > > The first thing is how to deal with weeks in a month. There are two > possibilities. A week in month (as specified by the weekofmonth > keyword in the time policies) may be understood as a period of time > between two Sundays, so when a month starts on, say, Friday the 1st, > weekofmonth=1 would specify days Friday, Saturday, Sunday and anything > from that Sunday on would be a weekofmonth=2 and on. However, I think > a week in a month may also be considered a period of time that equals > 7 days of a month. In the previous example, a weekofmonth=1 would > therefore also apply to the following days up until Friday the 8th, > excluding this last day. Although I implemented the first case in the > SSSD, I actually started thinking the second case scenario might be > the right or "better" one. > > The other thing is which years should be allowed to be the input of > the "year" keyword. Currently, I set the range for these values to > 1970-2038 according to the Unix timestamp. 
I'm not sure if anyone > would want to set it less than 1970, setting it for a higher value > than 2038 might probably make sense in some very special cases, > although I really can't think of a one. > > As for the WebUI, I am not really satisfied with the current state - > the time zone select button requires saving the rule before any > further setting on the page and the tables for setting the time rules > don't allow editing the rules, which gets annoying fast. The WebUI for > the time policies in HBAC was created for my Master's thesis purposes > in a hurry and I will probably need to discuss it some more with Petr > V. It works well for basic display and add/remove of the time rules, > though. > > So, that is what I do now, aside from SSSD functionality. Please, let > me know what your ideas are, especially about those weekofmonth and > year issues. > > Cheers, > Stanislav Laznicka > > Please revert this change, 'replaces' keyword is used only for legacy permission. Changes in new permissions are handled automatically by update plugin. 'replaces': [ - '(targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || accesstime || usercategory || hostcategory || accessruletype || sourcehost")(target ="ldap:///ipauniqueid=*,cn=hbac,$SUFFIX")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn ="ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,$SUFFIX";)', + '(targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || timezone || accesstime || accesstimeexclude || usercategory || hostcategory || accessruletype || sourcehost")(target ="ldap:///ipauniqueid=*,cn=hbac,$SUFFIX")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn ="ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,$SUFFIX";)', ], Martin -- Martin Basti -------------- next part -------------- An HTML attachment was scrubbed... URL: From cheimes at redhat.com Fri Jul 10 16:29:00 2015 
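Review bot: the '+' line rewrites the ACI string inside 'replaces' for "Modify HBAC rule", but that entry holds the text of the legacy ACI the update plugin looks for and replaces on upgrade, so an edited string will no longer match existing installations and the old ACI stays behind; keep the 'replaces' entry exactly as the '-' line has it and put the new attributes (timezone, accesstimeexclude) into the managed permission's default attribute list, which is what the update plugin applies to both new and upgraded servers.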
From: cheimes at redhat.com (Christian Heimes)
Date: Fri, 10 Jul 2015 18:29:00 +0200
Subject: [Freeipa-devel] [PATCH 0006] Start dirsrv for kdcproxy upgrade
Message-ID: <559FF2CC.6050802@redhat.com>

Hi,

this patch ensures that DS is running before HTTPInstance attempts to connect to LDAP.

https://fedorahosted.org/freeipa/ticket/5113

While I was testing the patch I ran into trouble with DS. The upgrade script couldn't connect to 389/TCP, although ns-slapd was running. After some digging I found this log line:

Jul 10 18:13:24 vm-120.abc.idm.lab.eng.brq.redhat.com ns-slapd[6278]: [10/Jul/2015:18:13:24 +0200] - Information: Non-Secure Port Disabled

which eventually led me to /etc/dirsrv/slapd-IPA-EXAMPLE/dse.ldif. The port was disabled with "nsslapd-port: 0". After I stopped DS, changed the port back to 389 and started DS again, ipa-server-upgrade worked again.

Christian

Attachment: freeipa-cheimes-0006-Start-dirsrv-for-kdcproxy-upgrade.patch (text/x-patch, 2424 bytes)

From simo at redhat.com Fri Jul 10 17:03:20 2015
From: simo at redhat.com (Simo Sorce)
Date: Fri, 10 Jul 2015 13:03:20 -0400
Subject: [Freeipa-devel] [PATCH 529] Fix DNS record installation for replicas
Message-ID: <1436547800.4097.98.camel@willson.usersys.redhat.com>

This bug affects 4.2, we should backport the fix there too.

See ticket: https://fedorahosted.org/freeipa/ticket/5116

Simo.

-- Simo Sorce * Red Hat, Inc * New York

Attachment: freeipa-simo-529-1-Fix-DNS-records-installation-for-replicas.patch (text/x-patch, 1299 bytes)

From derny at redhat.com Fri Jul 10 17:05:08 2015
From: derny at redhat.com (Drew Erny)
Date: Fri, 10 Jul 2015 13:05:08 -0400
Subject: [Freeipa-devel] [RFC] Community Portal Captcha
Message-ID: <559FFB44.5040202@redhat.com>

Hi, All,

I think some of you discussed the details of the community portal captcha with me on IRC. Yesterday, I wrote up a design proposal for the captcha system that I'd like some of you to take a look at and check to see that I'm understanding it correctly, and that this captcha method is secure.

http://www.freeipa.org/page/V4/Community_Portal_Captcha

Thanks,
Drew Erny

From simo at redhat.com Fri Jul 10 17:33:37 2015
From: simo at redhat.com (Simo Sorce)
Date: Fri, 10 Jul 2015 13:33:37 -0400
Subject: [Freeipa-devel] [RFC] Community Portal Captcha
In-Reply-To: <559FFB44.5040202@redhat.com>
References: <559FFB44.5040202@redhat.com>
Message-ID: <1436549617.4097.102.camel@willson.usersys.redhat.com>

On Fri, 2015-07-10 at 13:05 -0400, Drew Erny wrote:
> Hi, All,
>
> I think some of you discussed with me the details of the community
> portal captcha with me on IRC. Yesterday, I wrote up a design proposal
> for the captcha system that I'd like some of you to take a look at and
> check to see that I'm understanding it correctly, and that this captcha
> method is secure.
>
> http://www.freeipa.org/page/V4/Community_Portal_Captcha
>

If you are going to use a DB for storing the HMAC signatures, then you can also store there the key used to generate them IMO. You generate the key from os.urandom(16) if it is not found (in which case you can also remove all the HMACs present in the DB as none will validate anymore).

Simo.

-- Simo Sorce * Red Hat, Inc * New York

From simo at redhat.com Fri Jul 10 17:57:49 2015
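Simo's suggestion above, worked through as an added illustration that is not part of the portal design page or of any FreeIPA code: the HMAC key is kept in the same SQLite database as the signatures, drawn from os.urandom(16) when no key row exists, and every stored HMAC is purged at that moment because none of them can validate under a key that did not sign them. The table layout, the signed (challenge, answer, expiry) triple, the 300-second lifetime and the one-shot verification policy are assumptions of this example, not anything the design specifies.

```python
import hashlib
import hmac
import os
import sqlite3
import time

# Illustration of the "store the key next to the HMACs" idea from the thread.
# Table names, the signed fields and the verify policy are assumptions here.


class CaptchaStore:
    """HMAC-signed captcha challenges whose key lives in the same database.

    When no key row exists, a fresh one is drawn from os.urandom(16) and every
    stored HMAC is purged, since nothing made under the old key can validate.
    """

    def __init__(self, conn, ttl=300):
        self.conn = conn
        self.ttl = ttl                      # challenge lifetime in seconds
        self.conn.execute(
            "CREATE TABLE IF NOT EXISTS captcha_key "
            "(id INTEGER PRIMARY KEY CHECK (id = 1), key BLOB NOT NULL)")
        self.conn.execute(
            "CREATE TABLE IF NOT EXISTS captcha "
            "(challenge TEXT PRIMARY KEY, mac BLOB NOT NULL, expires INTEGER NOT NULL)")
        self.key = self._load_or_create_key()

    def _load_or_create_key(self):
        row = self.conn.execute("SELECT key FROM captcha_key WHERE id = 1").fetchone()
        if row is not None:
            return bytes(row[0])
        key = os.urandom(16)
        with self.conn:                     # one transaction: purge, then store key
            self.conn.execute("DELETE FROM captcha")
            self.conn.execute("INSERT INTO captcha_key (id, key) VALUES (1, ?)", (key,))
        return key

    def rotate_key(self):
        """Drop the key; the next load creates a new one and purges old HMACs."""
        with self.conn:
            self.conn.execute("DELETE FROM captcha_key")
        self.key = self._load_or_create_key()

    def _mac(self, challenge, answer, expires):
        # Length-prefixed fields so (challenge, answer, expiry) cannot be
        # re-split into a different triple that yields the same byte string.
        parts = [challenge.encode(), answer.encode(), str(expires).encode()]
        msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def issue(self, answer, now=None):
        """Record a new challenge whose expected answer is `answer`; return its id."""
        now = int(time.time()) if now is None else now
        challenge = os.urandom(8).hex()
        expires = now + self.ttl
        with self.conn:
            self.conn.execute(
                "INSERT INTO captcha (challenge, mac, expires) VALUES (?, ?, ?)",
                (challenge, self._mac(challenge, answer, expires), expires))
        return challenge

    def verify(self, challenge, answer, now=None):
        """Check `answer` for `challenge`; the row is consumed on any attempt."""
        now = int(time.time()) if now is None else now
        row = self.conn.execute(
            "SELECT mac, expires FROM captcha WHERE challenge = ?", (challenge,)).fetchone()
        if row is None:
            return False
        stored_mac, expires = bytes(row[0]), int(row[1])
        with self.conn:                     # one shot: no replay, no guessing loop
            self.conn.execute("DELETE FROM captcha WHERE challenge = ?", (challenge,))
        if now > expires:
            return False
        return hmac.compare_digest(stored_mac, self._mac(challenge, answer, expires))


def open_store(path=":memory:", ttl=300):
    """Open (or create) the captcha database at `path`."""
    return CaptchaStore(sqlite3.connect(path), ttl)


def reopen(store):
    """Second handle on the same connection: must find the existing key, not mint one."""
    return CaptchaStore(store.conn, store.ttl)
```

Consuming the row on a wrong answer as well as on a right one is what keeps a single challenge from being brute-forced; after rotate_key() every outstanding challenge fails, which is exactly the cleanup Simo describes, just done explicitly.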
From: simo at redhat.com (Simo Sorce) Date: Fri, 10 Jul 2015 13:57:49 -0400 Subject: [Freeipa-devel] [PATCH 529] Fix DNS record installation for replicas In-Reply-To: <1436547800.4097.98.camel@willson.usersys.redhat.com> References: <1436547800.4097.98.camel@willson.usersys.redhat.com> Message-ID: <1436551069.4097.108.camel@willson.usersys.redhat.com> On Fri, 2015-07-10 at 13:03 -0400, Simo Sorce wrote: > This bug affects 4.2, we should backport the fix there too. > > See ticket: https://fedorahosted.org/freeipa/ticket/5116 For what is worth I tested this change in my replica install code and it fixes the issue, though the code is different and therefore should be tested with a classic replica install. Also sorry for the HTML attachment, fat fingered while trying to copy/paste the ticket link from FF. Simo. -- Simo Sorce * Red Hat, Inc * New York From vkabatov at redhat.com Fri Jul 10 18:06:08 2015 From: vkabatov at redhat.com (Veronika Kabatova) Date: Fri, 10 Jul 2015 14:06:08 -0400 (EDT) Subject: [Freeipa-devel] [PATCH] 0001 Enhance the DNSNotARecordError message In-Reply-To: <559FC11A.4000609@redhat.com> References: <477458039.5870245.1436442597119.JavaMail.zimbra@redhat.com> <559FC11A.4000609@redhat.com> Message-ID: <1174459440.6203454.1436551568849.JavaMail.zimbra@redhat.com> ----- Original Message ----- 
> From: "Tomas Babej" > To: "Veronika Kabatova" , freeipa-devel at redhat.com > Sent: Friday, July 10, 2015 2:56:58 PM > Subject: Re: [Freeipa-devel] [PATCH] 0001 Enhance the DNSNotARecordError message > > > > On 07/09/2015 01:49 PM, Veronika Kabatova wrote: > > The attached patch solves the > > ticket. > > > > Veronika Kabatova > > > > > > > > Hello, > > thanks for the patch. > > Actually, the doctest does not pass: > > $ ipa-run-tests /usr/lib/python2.7/site-packages/ipalib/errors.py > --doctest-modules > ============================================================================================================= > test session starts > ============================================================================================================= > platform linux2 -- Python 2.7.10 -- py-1.4.28 -- pytest-2.6.4 > plugins: multihost, sourceorder > collected 85 items > > ../ipalib/errors.py > ...................F..............F.................................................. > > ================================================================================================================== > FAILURES > =================================================================================================================== > _________________________________________________________________________________________________ > [doctest] ipalib.errors.DNSNotARecordError > __________________________________________________________________________________________________ > 1137 """ > 1138 **4019** Raised when a hostname is not a DNS A/AAAA record > 1139 > 1140 For example: > 1141 > 1142 >>> raise DNSNotARecordError() > Differences (unified diff with -expected +actual): 
> @@ -1,4 +1,6 @@ > Traceback (most recent call last): > - ... > -DNSNotARecordError: Host does not have corresponding DNS A/AAAA record, > -use --force to continue anyway > + File "/usr/lib64/python2.7/doctest.py", line 1315, in __run > + compileflags, 1) in test.globs > + File "", line 1, in > > + raise DNSNotARecordError() > +DNSNotARecordError: Host does not have corresponding DNS A/AAAA > record, use --force to continue anyway > > /usr/lib/python2.7/site-packages/ipalib/errors.py:1142: DocTestFailure > > The reason for the mismatch here is that you wrapped the line - in this > case, we need to violate the PEP8, and allow the length of the line > exceed 80 characters. Good to know, thanks for clarifying. Attached modified version which doesn't break tests, even if PEP8 checker is not happy with it. > HTH, > > Tomas > Thanks, Veronika Kabatova -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-veruu-0001-2-Enhance-the-DNSNotARecordError-message.patch Type: text/x-patch Size: 1247 bytes Desc: not available URL: From slaznick at redhat.com Mon Jul 13 06:16:02 2015 
From: slaznick at redhat.com (Stanislav Laznicka) Date: Mon, 13 Jul 2015 08:16:02 +0200 Subject: [Freeipa-devel] Time-Based Account Policies In-Reply-To: <559FD3E2.5020503@redhat.com> References: <559F9992.5070600@redhat.com> <559FD3E2.5020503@redhat.com> Message-ID: <55A357A2.1090208@redhat.com> On 07/10/2015 04:17 PM, Martin Basti wrote: > On 10/07/15 12:08, Stanislav Laznicka wrote: >> Hi, >> >> Long time no post from me, time to make it up to you. >> >> I have been working on the the implementation of the design of time >> policies for HBAC rules on FreeIPA and SSSD sides. Attached is the >> current state of the FreeIPA solution. My comments and notes to the >> solution follow. >> >> The FreeIPA side backend base for time policies in HBAC seems working >> to me but still needs formal testing. Also, there is no conversion >> from the iCal format as previously requested and I personally would >> postpone this feature until the time policies functionality is rock >> solid. >> >> There were some uncertainties in the design as well. I ran into 2 of >> these but more may come. >> >> The first thing is how to deal with weeks in a month. There are two >> possibilities. A week in month (as specified by the weekofmonth >> keyword in the time policies) may be understood as a period of time >> between two Sundays, so when a month starts on, say, Friday the 1st, >> weekofmonth=1 would specify days Friday, Saturday, Sunday and >> anything from that Sunday on would be a weekofmonth=2 and on. >> However, I think a week in a month may also be considered a period of >> time that equals 7 days of a month. In the previous example, a >> weekofmonth=1 would therefore also apply to the following days up >> until Friday the 8th, excluding this last day. Although I implemented >> the first case in the SSSD, I actually started thinking the second >> case scenario might be the right or "better" one. 
>> >> The other thing is which years should be allowed to be the input of >> the "year" keyword. Currently, I set the range for these values to >> 1970-2038 according to the Unix timestamp. I'm not sure if anyone >> would want to set it less than 1970, setting it for a higher value >> than 2038 might probably make sense in some very special cases, >> although I really can't think of a one. >> >> As for the WebUI, I am not really satisfied with the current state - >> the time zone select button requires saving the rule before any >> further setting on the page and the tables for setting the time rules >> don't allow editing the rules, which gets annoying fast. The WebUI >> for the time policies in HBAC was created for my Master's thesis >> purposes in a hurry and I will probably need to discuss it some more >> with Petr V. It works well for basic display and add/remove of the >> time rules, though. >> >> So, that is what I do now, aside from SSSD functionality. Please, let >> me know what your ideas are, especially about those weekofmonth and >> year issues. >> >> Cheers, >> Stanislav Laznicka >> >> > Please revert this change, 'replaces' keyword is used only for legacy > permission. Changes in new permissions are handled automatically by > update plugin. 
> > 'replaces': [ > - '(targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || accesstime || usercategory || hostcategory || accessruletype || sourcehost")(target ="ldap:///ipauniqueid=*,cn=hbac,$SUFFIX")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn ="ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,$SUFFIX";)', > + '(targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || timezone || accesstime || accesstimeexclude || usercategory || hostcategory || accessruletype || sourcehost")(target ="ldap:///ipauniqueid=*,cn=hbac,$SUFFIX")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn ="ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,$SUFFIX";)', > ], > > Martin > -- > Martin Basti Attaching the sequence of fixed patches. -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-stlaz-0001-Added-time-based-policies-types-to-LDAP-schema.patch Type: text/x-patch Size: 3064 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-stlaz-0002-Prepared-parameters-for-HBAC-Rule-plugin-time-polici.patch Type: text/x-patch Size: 13408 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-stlaz-0003-Added-methods-for-setting-time-based-policies-in-hba.patch Type: text/x-patch Size: 21400 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-stlaz-0004-Created-basic-UI-for-setting-time-policies-at-HBAC-r.patch Type: text/x-patch Size: 17675 bytes Desc: not available URL: From cheimes at redhat.com Mon Jul 13 12:13:48 2015 
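The weekofmonth and year-range questions in the quoted message above, made concrete as an added example (not code from the time-policy patches attached here, nor from SSSD): both readings of weekofmonth side by side for July 2016, which starts on a Friday like the example in the thread, plus the signed 32-bit timestamp arithmetic behind the 1970-2038 range that Alexander attributes to the Kerberos time stamp rather than to the policy format. The function names, the week_start parameter and the small rule evaluator are assumptions of this example.

```python
import calendar
import datetime

# Added illustration of the two weekofmonth readings and of where the
# 1970-2038 year range comes from; not code from the HBAC time-policy patches.

MONDAY, SUNDAY = 0, 6          # datetime.date.weekday() numbering


def week_of_month_calendar(year, month, day, week_start=SUNDAY):
    """First reading: a new week starts on every `week_start` weekday.

    Week 1 runs from the 1st to the day before the first `week_start`.
    The week_start argument is an assumption added here so the boundary
    can be Sunday or Monday; the thread talks about Sundays.
    """
    first_weekday = datetime.date(year, month, 1).weekday()
    lead = (first_weekday - week_start) % 7    # days of week 1 that precede the 1st
    return (lead + day - 1) // 7 + 1


def week_of_month_block(year, month, day):
    """Second reading: seven-day blocks counted from the 1st (1-7, 8-14, ...)."""
    return (day - 1) // 7 + 1


def days_where_readings_differ(year, month, week_start=SUNDAY):
    """Days of the month on which the two readings assign different week numbers."""
    ndays = calendar.monthrange(year, month)[1]
    return [d for d in range(1, ndays + 1)
            if week_of_month_calendar(year, month, d, week_start)
            != week_of_month_block(year, month, d)]


def weekofmonth_matches(rule_weeks, year, month, day, reading="block"):
    """Would a time rule listing `rule_weeks` admit this date?

    `reading` picks which semantics the evaluator uses; a rule written under
    one reading and evaluated under the other admits different days.
    """
    if reading == "block":
        week = week_of_month_block(year, month, day)
    elif reading == "calendar":
        week = week_of_month_calendar(year, month, day)
    else:
        raise ValueError("unknown reading: %r" % (reading,))
    return week in set(rule_weeks)


def last_year_of_signed_timestamp(bits):
    """Last year in which a signed `bits`-wide Unix timestamp can fall.

    Divides by the average Gregorian year (365.2425 days): exact for 32 bits,
    where the answer is 2038, approximate for much wider types.
    """
    max_seconds = 2 ** (bits - 1) - 1
    return 1970 + max_seconds // 31556952


if __name__ == "__main__":
    # July 2016 starts on a Friday, the case described in the thread.
    for d in (1, 2, 3, 7, 8, 31):
        print(d, week_of_month_calendar(2016, 7, d), week_of_month_block(2016, 7, d))
    print(days_where_readings_differ(2016, 7))
    print(last_year_of_signed_timestamp(32))
```

The calendar reading also yields a sixth week (Sunday the 31st in July 2016), which a rule written as weekofmonth=5 under the block reading would never cover; whichever reading is chosen, the server-side validator and the SSSD evaluator have to agree on it.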
From: cheimes at redhat.com (Christian Heimes)
Date: Mon, 13 Jul 2015 14:13:48 +0200
Subject: [Freeipa-devel] [PATCH 007] Remove tuple unpacking from except clause
Message-ID: <55A3AB7C.1050703@redhat.com>

The patch replaces implicit tuple unpacking from except clauses with explicit unpacking of the exception objects' args attribute.

Example:

>>> e = RuntimeError('num', 'messages')
>>> num, message = e
>>> num, message
('num', 'messages')
>>> e.args
('num', 'messages')
>>> num, message = e.args
>>> num, message
('num', 'messages')

Christian

Attachment: freeipa-cheimes-0007-Remove-tuple-unpacking-from-except-clause.patch (text/x-patch, 6369 bytes)

From rcritten at redhat.com Mon Jul 13 12:59:58 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 13 Jul 2015 08:59:58 -0400
Subject: [Freeipa-devel] [PATCH 007] Remove tuple unpacking from except clause
In-Reply-To: <55A3AB7C.1050703@redhat.com>
References: <55A3AB7C.1050703@redhat.com>
Message-ID: <55A3B64E.209@redhat.com>

Christian Heimes wrote:
> The patch replaces implicit tuple unpacking from except clauses with
> explicit unpacking of the exception objects' args attribute.
>
> Example:
>
>>>> e = RuntimeError('num', 'messages')
>>>> num, message = e
>>>> num, message
> ('num', 'messages')
>>>> e.args
> ('num', 'messages')
>>>> num, message = e.args
>>>> num, message
> ('num', 'messages')
>

Not related to this patch directly but I think it would be a good idea to create a Python 3 tracking ticket to make it easy to find python 3-specific changes.

Then create tickets to fix particular issues and link those with the tracking ticket.

rob

From mbasti at redhat.com Mon Jul 13 13:03:17 2015
From: mbasti at redhat.com (Martin Basti)
Date: Mon, 13 Jul 2015 15:03:17 +0200
Subject: [Freeipa-devel] [PATCH 529] Fix DNS record installation for replicas
In-Reply-To: <1436551069.4097.108.camel@willson.usersys.redhat.com>
References: <1436547800.4097.98.camel@willson.usersys.redhat.com> <1436551069.4097.108.camel@willson.usersys.redhat.com>
Message-ID: <55A3B715.80407@redhat.com>

On 10/07/15 19:57, Simo Sorce wrote:
> On Fri, 2015-07-10 at 13:03 -0400, Simo Sorce wrote:
>> This bug affects 4.2, we should backport the fix there too.
>>
>> See ticket: https://fedorahosted.org/freeipa/ticket/5116
> For what is worth I tested this change in my replica install code and it
> fixes the issue, though the code is different and therefore should be
> tested with a classic replica install.
>
> Also sorry for the HTML attachment, fat fingered while trying to
> copy/paste the ticket link from FF.
>
> Simo.
>

ACK

-- Martin Basti

From dkupka at redhat.com Mon Jul 13 13:03:29 2015
From: dkupka at redhat.com (David Kupka)
Date: Mon, 13 Jul 2015 15:03:29 +0200
Subject: [Freeipa-devel] [PATCH 0284] stageuser-activate: show user name in error message instead of DN
In-Reply-To: <559FBFE9.8000308@redhat.com>
References: <559FBFE9.8000308@redhat.com>
Message-ID: <55A3B721.1090606@redhat.com>

On 10/07/15 14:51, Martin Basti wrote:
> https://fedorahosted.org/freeipa/ticket/5038
>
> I reworded the error message to keep the same format as stageuser-add
> and user-add.
>
> Patch attached.
>

Works for me, ACK.

-- David Kupka

From pspacek at redhat.com Mon Jul 13 13:12:13 2015
From: pspacek at redhat.com (Petr Spacek) Date: Mon, 13 Jul 2015 15:12:13 +0200 Subject: [Freeipa-devel] [PATCH] 0001 Enhance the DNSNotARecordError message In-Reply-To: <1174459440.6203454.1436551568849.JavaMail.zimbra@redhat.com> References: <477458039.5870245.1436442597119.JavaMail.zimbra@redhat.com> <559FC11A.4000609@redhat.com> <1174459440.6203454.1436551568849.JavaMail.zimbra@redhat.com> Message-ID: <55A3B92D.1000607@redhat.com> On 10.7.2015 20:06, Veronika Kabatova wrote: > ----- Original Message ----- 
>> From: "Tomas Babej" >> To: "Veronika Kabatova" , freeipa-devel at redhat.com >> Sent: Friday, July 10, 2015 2:56:58 PM >> Subject: Re: [Freeipa-devel] [PATCH] 0001 Enhance the DNSNotARecordError message >> >> >> >> On 07/09/2015 01:49 PM, Veronika Kabatova wrote: >>> The attached patch solves the >>> ticket. >>> >>> Veronika Kabatova >>> >>> >>> >> >> Hello, >> >> thanks for the patch. >> >> Actually, the doctest does not pass: >> >> $ ipa-run-tests /usr/lib/python2.7/site-packages/ipalib/errors.py >> --doctest-modules >> ============================================================================================================= >> test session starts >> ============================================================================================================= >> platform linux2 -- Python 2.7.10 -- py-1.4.28 -- pytest-2.6.4 >> plugins: multihost, sourceorder >> collected 85 items >> >> ../ipalib/errors.py >> ...................F..............F.................................................. >> >> ================================================================================================================== >> FAILURES >> =================================================================================================================== >> _________________________________________________________________________________________________ >> [doctest] ipalib.errors.DNSNotARecordError >> __________________________________________________________________________________________________ >> 1137 """ >> 1138 **4019** Raised when a hostname is not a DNS A/AAAA record >> 1139 >> 1140 For example: >> 1141 >> 1142 >>> raise DNSNotARecordError() >> Differences (unified diff with -expected +actual): 
>> @@ -1,4 +1,6 @@ >> Traceback (most recent call last): >> - ... >> -DNSNotARecordError: Host does not have corresponding DNS A/AAAA record, >> -use --force to continue anyway >> + File "/usr/lib64/python2.7/doctest.py", line 1315, in __run >> + compileflags, 1) in test.globs >> + File "", line 1, in >> >> + raise DNSNotARecordError() >> +DNSNotARecordError: Host does not have corresponding DNS A/AAAA >> record, use --force to continue anyway >> >> /usr/lib/python2.7/site-packages/ipalib/errors.py:1142: DocTestFailure >> >> The reason for the mismatch here is that you wrapped the line - in this >> case, we need to violate the PEP8, and allow the length of the line >> exceed 80 characters. > > > Good to know, thanks for clarifying. Attached modified version which doesn't > break tests, even if PEP8 checker is not happy with it. Personally-opinionated-NACK. I would like to avoid advertising --force options when possible. --force should not be necessary in proper setups and advertising it will make people to use it instead of fixing underlying problems. Can we *please* drop this patch? -- Petr^2 Spacek From pspacek at redhat.com Mon Jul 13 13:14:13 2015 
From: pspacek at redhat.com (Petr Spacek) Date: Mon, 13 Jul 2015 15:14:13 +0200 Subject: [Freeipa-devel] [PATCH] 886-890 webui: API browser In-Reply-To: <55964BB3.6040308@redhat.com> References: <5592C535.8070708@redhat.com> <55939859.4040704@redhat.com> <5593FE64.40307@redhat.com> <559550F9.80201@redhat.com> <55964291.4000803@redhat.com> <55964BB3.6040308@redhat.com> Message-ID: <55A3B9A5.5090407@redhat.com> On 3.7.2015 10:45, Tomas Babej wrote: > > > On 07/03/2015 10:06 AM, Tomas Babej wrote: >> >> >> On 07/02/2015 04:55 PM, Martin Kosek wrote: >>> On 07/01/2015 04:51 PM, Petr Vobornik wrote: >>>> For those of you who don't want to try the patches: >>>> * https://pvoborni.fedorapeople.org/images/api-user-show.png >>>> * https://pvoborni.fedorapeople.org/images/api-user-add.png >>>> >>>> On 07/01/2015 09:35 AM, Martin Kosek wrote: >>>>> On 06/30/2015 06:35 PM, Petr Vobornik wrote: >>>>>> First part of API Browser - displaying the metadata in more consumable way. >>>>>> >>>>>> Second part, how to use it in different languages will be written as wiki pages >>>>>> first. >>>>>> >>>>>> The browser could be later enhanced with more infos and tooltips. >>>>>> >>>>>> Patch 886 extends backend to send more metadata. >>>>>> Patch 887,888,889 are webui fixes and prerequisites >>>>>> Patch 890 is the API browser >>>>> >>>>> Thanks, this is a very good start. I looked at a VM with the patches and have >>>>> couple usability suggestions: >>>>> >>>>> 1) It was hard for me to find where the API Browser is. But "IPA Server" looks >>>>> as a good tab where it should be though. >>>> >>>> could be moved to "Help" tab when it's introduced. For that we need at least >>>> one more link. >>>> >>>>> >>>>> 2) I have strong doubts about the "Objects" tab, this is only understandable to >>>>> users knowledgeable about FreeIPA framework internals. Common API user who just >>>>> want to consume the API and not know about the internals will not know what >>>>> this is. 
>>>>> >>>>> What I would do is make "API Browser" directly clickable so that it opens the >>>>> Commands tab. This is what most people will use. Other tabs may be stacked on >>>>> the left just like with Staged or Deleted users. For now, I would hide Objects >>>>> as I think it would cause more confusion. If we want to show it, there should >>>>> be some introduction what it is good for and maybe limitation of showed fields >>>>> to only those that has any value for the consumers. >>>> >>>> fixed, there is only "API Browser" and no submenu >>>> >>>>> >>>>> 3) In Commands tab, we will some more explanatory what the attributes of Param >>>>> needs and probably hide some. For example "exclude" is not needed for consumers. >>>>> >>>> >>>> Attributes as follows were kept: label, type, default, default_from, values, >>>> minlength, maxlength, pattern, minvalue, maxvalue, precision, cli_name, >>>> option_group >>>> >>>>> 4) Many attributes have "autofill": True. I wonder how usable it is without >>>>> knowing the actual default for the attribute. Can we show the default? >>>> >>>> default_from now contains list of attrs which are used for the default value, >>>> e.g.: >>>> default value created from: givenname, sn >>>> >>>> >>>>> >>>>> 5) I would hide "Output Params" all together given we don't have them set up >>>>> correctly in FreeIPA framework and they may rather confuse people, with having >>>>> all the HBAC or SUDO with User objects. >>>>> >>>> >>>> Removed from metadata >>>> >>>>> I may think about it more, there were just my couple first thoughts. Others may >>>>> have different opinions here. >>>>> >>>>> Martin >>>>> >>>> >>>> Other changes: >>>> * cli options are shown with dashes as in CLI >>>> * required and multivalued were changed into tags next to option name. 'flags' >>>> which were shown as the tags are not displayed anymore >>>> >>>> >>>> updated patches attached. >>> >>> I like the new version, good job! ACK from my side. 
>>> >> >> Patchset works fine in my testing. >> >> Two (nitpick) questions: >> >> 1.) Should we show objects that have defined no methods or params as >> 'pkinit'? >> >> 2.) Relationships and attirbute members are displayed in rather raw form: >> >> attribute_members: >> {"member":["user","group"],"memberindirect":["user","group"],"memberof":["group","netgroup","role","hbacrule","sudorule"],"memberofindirect":["group","netgroup","role","hbacrule","sudorule"]} >> >> relationships: {"member":["Member","","no_"],"memberindirect":["Indirect >> Member",null,"no_indirect_"],"memberof":["Member >> Of","in_","not_in_"],"memberofindirect":["Indirect Member >> Of",null,"not_in_indirect_"]} >> >> >> Could we maybe special-case these (or introduce a way how to detect and >> display a dict of lists as formatted html)? Or are there arguments for >> the raw view of the API? >> >> Tomas >> > > On a second thought, I don't think these issues should block this > patchset for now. We can improve/discuss that in 4.2.x. > > Pushed to master: 2a976334c2160c91a61fb0c477777e7adbbd3150 I did not see the latest version but still, can we add *BIG FAT* warning that the API is not stable yet? I would like to prevent people from getting false sense of stability. -- Petr^2 Spacek From tbabej at redhat.com Mon Jul 13 13:21:14 2015 
From: tbabej at redhat.com (Tomas Babej) Date: Mon, 13 Jul 2015 15:21:14 +0200 Subject: [Freeipa-devel] [PATCH 007] Remove tuple unpacking from except clause In-Reply-To: <55A3B64E.209@redhat.com> References: <55A3AB7C.1050703@redhat.com> <55A3B64E.209@redhat.com> Message-ID: <55A3BB4A.9090004@redhat.com> On 07/13/2015 02:59 PM, Rob Crittenden wrote: > Christian Heimes wrote: >> The patch replaces implicit tuple unpacking from except clauses with >> explicit unpacking of the exception objects' args attribute. >> >> Example: >> >>>>> e = RuntimeError('num', 'messages') >>>>> num, message = e >>>>> num, message >> ('num', 'messages') >>>>> e.args >> ('num', 'messages') >>>>> num, message = e.args >>>>> num, message >> ('num', 'messages') >> > > Not related to this patch directly but I think it would be a good idea > to create a Python 3 tracking ticket to make it easy to find python > 3-specific changes. > > Then create tickets to fix particular issues and link those with the > tracking ticket. > > rob > ACK Otherwise, I agree with Rob. Can you create an umbrella ticket? I will push&mark the commit there. Tomas From cheimes at redhat.com Mon Jul 13 13:23:50 2015 
From: cheimes at redhat.com (Christian Heimes) Date: Mon, 13 Jul 2015 15:23:50 +0200 Subject: [Freeipa-devel] [PATCH 007] Remove tuple unpacking from except clause In-Reply-To: <55A3BB4A.9090004@redhat.com> References: <55A3AB7C.1050703@redhat.com> <55A3B64E.209@redhat.com> <55A3BB4A.9090004@redhat.com> Message-ID: <55A3BBE6.9040401@redhat.com> On 2015-07-13 15:21, Tomas Babej wrote: > > > On 07/13/2015 02:59 PM, Rob Crittenden wrote: >> Christian Heimes wrote: >>> The patch replaces implicit tuple unpacking from except clauses with >>> explicit unpacking of the exception objects' args attribute. >>> >>> Example: >>> >>>>>> e = RuntimeError('num', 'messages') >>>>>> num, message = e >>>>>> num, message >>> ('num', 'messages') >>>>>> e.args >>> ('num', 'messages') >>>>>> num, message = e.args >>>>>> num, message >>> ('num', 'messages') >>> >> >> Not related to this patch directly but I think it would be a good idea >> to create a Python 3 tracking ticket to make it easy to find python >> 3-specific changes. >> >> Then create tickets to fix particular issues and link those with the >> tracking ticket. >> >> rob >> > > ACK > > Otherwise, I agree with Rob. Can you create an umbrella ticket? > > I will push&mark the commit there. Sure, I'll create a meta ticket for Python 3 and a sub ticket for each task. Christian -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 455 bytes Desc: OpenPGP digital signature URL: From jpazdziora at redhat.com Mon Jul 13 13:25:13 2015 
From: jpazdziora at redhat.com (Jan Pazdziora)
Date: Mon, 13 Jul 2015 15:25:13 +0200
Subject: [Freeipa-devel] [PATCH] 0001 Enhance the DNSNotARecordError message
In-Reply-To: <55A3B92D.1000607@redhat.com>
References: <477458039.5870245.1436442597119.JavaMail.zimbra@redhat.com> <559FC11A.4000609@redhat.com> <1174459440.6203454.1436551568849.JavaMail.zimbra@redhat.com> <55A3B92D.1000607@redhat.com>
Message-ID: <20150713132513.GD4218@redhat.com>

On Mon, Jul 13, 2015 at 03:12:13PM +0200, Petr Spacek wrote:
>
> Personally-opinionated-NACK.
>
> I would like to avoid advertising --force options when possible. --force
> should not be necessary in proper setups and advertising it will make people
> to use it instead of fixing underlying problems.

How do you propose for things to work when the host is pre-created (with --random) and the service should be pre-created, and then the IP address will only be set by the machine itself when it IPA-enrolls with the OTP?

> Can we *please* drop this patch?

Does your nack go against this patch (code change), or against the ticket https://fedorahosted.org/freeipa/ticket/3959 itself?

Frankly, I don't really understand why service-add checks for the DNS record at all. DNS is a property of the host, not the service. Yes, it might be nice to advise the user that they do not have a DNS record for the host, but the current

ipa: ERROR: Host does not have corresponding DNS A record

is just bad user experience. Do you propose to change that ERROR to a warning, for example, relaxing the requirement for the DNS records being present?

-- Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

From abokovoy at redhat.com Mon Jul 13 14:29:09 2015
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Mon, 13 Jul 2015 17:29:09 +0300 Subject: [Freeipa-devel] [PATCH 007] Remove tuple unpacking from except clause In-Reply-To: <55A3BB4A.9090004@redhat.com> References: <55A3AB7C.1050703@redhat.com> <55A3B64E.209@redhat.com> <55A3BB4A.9090004@redhat.com> Message-ID: <20150713142909.GY21928@redhat.com> On Mon, 13 Jul 2015, Tomas Babej wrote: > > >On 07/13/2015 02:59 PM, Rob Crittenden wrote: >> Christian Heimes wrote: >>> The patch replaces implicit tuple unpacking from except clauses with >>> explicit unpacking of the exception objects' args attribute. >>> >>> Example: >>> >>>>>> e = RuntimeError('num', 'messages') >>>>>> num, message = e >>>>>> num, message >>> ('num', 'messages') >>>>>> e.args >>> ('num', 'messages') >>>>>> num, message = e.args >>>>>> num, message >>> ('num', 'messages') >>> >> >> Not related to this patch directly but I think it would be a good idea >> to create a Python 3 tracking ticket to make it easy to find python >> 3-specific changes. >> >> Then create tickets to fix particular issues and link those with the >> tracking ticket. >> >> rob >> > >ACK > >Otherwise, I agree with Rob. Can you create an umbrella ticket? > >I will push&mark the commit there. Please do not push this specific version of the patch yet. Christian will do the changes with four separate commits as discussed on the IRC, to avoid future problems with maintenance and backports. -- / Alexander Bokovoy From mbasti at redhat.com Mon Jul 13 14:30:14 2015 
From: mbasti at redhat.com (Martin Basti)
Date: Mon, 13 Jul 2015 16:30:14 +0200
Subject: [Freeipa-devel] [PATCH 0006] Start dirsrv for kdcproxy upgrade
In-Reply-To: <559FF2CC.6050802@redhat.com>
References: <559FF2CC.6050802@redhat.com>
Message-ID: <55A3CB76.4010605@redhat.com>

On 10/07/15 18:29, Christian Heimes wrote:
> Hi,
>
> this patch ensures that DS is running before HTTPInstance attempts to
> connect to LDAP.
>
> https://fedorahosted.org/freeipa/ticket/5113
>
>
> While I was testing the patch I ran into trouble with DS. The upgrade
> script couldn't connect to 389/TCP, although ns-slapd was running. After
> some digging I found this log line:
>
> Jul 10 18:13:24 vm-120.abc.idm.lab.eng.brq.redhat.com ns-slapd[6278]:
> [10/Jul/2015:18:13:24 +0200] - Information: Non-Secure Port Disabled
>
> which eventually led me to /etc/dirsrv/slapd-IPA-EXAMPLE/dse.ldif. The
> port was disabled with "nsslapd-port: 0". After I stopped DS, changed
> the port back to 389 and started DS again, ipa-server-upgrade worked again.
>
> Christian

ACK

-- 
Martin Basti

From abokovoy at redhat.com Mon Jul 13 14:32:18 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Mon, 13 Jul 2015 17:32:18 +0300
Subject: [Freeipa-devel] [PATCH] 0001 Enhance the DNSNotARecordError message
In-Reply-To: <20150713132513.GD4218@redhat.com>
References: <477458039.5870245.1436442597119.JavaMail.zimbra@redhat.com> <559FC11A.4000609@redhat.com> <1174459440.6203454.1436551568849.JavaMail.zimbra@redhat.com> <55A3B92D.1000607@redhat.com> <20150713132513.GD4218@redhat.com>
Message-ID: <20150713143218.GZ21928@redhat.com>

On Mon, 13 Jul 2015, Jan Pazdziora wrote:
>On Mon, Jul 13, 2015 at 03:12:13PM +0200, Petr Spacek wrote:
>>
>> Personally-opinionated-NACK.
>>
>> I would like to avoid advertising --force options when possible. --force
>> should not be necessary in proper setups and advertising it will make people
>> use it instead of fixing underlying problems.
>
>How do you propose for things to work when the host is pre-created
>(with --random) and the service should be pre-created, and then the IP
>address will only be set by the machine itself when it IPA-enrolls
>with the OTP?

This is a workflow question, not a code fix. If you need to use --force, use it, but this specific flow has to be documented, not suggested by the code. We have plenty of cases where you have to use --addattr/--setattr as well, but we don't advertise them in the error messages.

On the contrary, documenting the fact that in some workflows you actually need to override the default belts and suspenders is fine.

-- 
/ Alexander Bokovoy

From pspacek at redhat.com Mon Jul 13 14:40:39 2015
From: pspacek at redhat.com (Petr Spacek)
Date: Mon, 13 Jul 2015 16:40:39 +0200
Subject: [Freeipa-devel] [PATCH] 0001 Enhance the DNSNotARecordError message
In-Reply-To: <20150713143218.GZ21928@redhat.com>
References: <477458039.5870245.1436442597119.JavaMail.zimbra@redhat.com> <559FC11A.4000609@redhat.com> <1174459440.6203454.1436551568849.JavaMail.zimbra@redhat.com> <55A3B92D.1000607@redhat.com> <20150713132513.GD4218@redhat.com> <20150713143218.GZ21928@redhat.com>
Message-ID: <55A3CDE7.7020809@redhat.com>

On 13.7.2015 16:32, Alexander Bokovoy wrote:
> On Mon, 13 Jul 2015, Jan Pazdziora wrote:
>> On Mon, Jul 13, 2015 at 03:12:13PM +0200, Petr Spacek wrote:
>>>
>>> Personally-opinionated-NACK.
>>>
>>> I would like to avoid advertising --force options when possible. --force
>>> should not be necessary in proper setups and advertising it will make people
>>> use it instead of fixing underlying problems.
>>
>> How do you propose for things to work when the host is pre-created
>> (with --random) and the service should be pre-created, and then the IP
>> address will only be set by the machine itself when it IPA-enrolls
>> with the OTP?
> This is a workflow question, not a code fix. If you need to use --force,
> use it, but this specific flow has to be documented, not suggested by the
> code. We have plenty of cases where you have to use --addattr/--setattr
> as well, but we don't advertise them in the error messages.
>
> On the contrary, documenting the fact that in some workflows you actually
> need to override the default belts and suspenders is fine.

I agree with Alexander. The point is that you have to know what you are doing if you decide to use --force/--setattr, and advertising them will lead to cargo cults.

The idea of services/hosts without a host entry may be worth discussing; please start a separate thread on ipa-devel.

-- 
Petr^2 Spacek

From mbasti at redhat.com Mon Jul 13 15:55:22 2015
From: mbasti at redhat.com (Martin Basti) Date: Mon, 13 Jul 2015 17:55:22 +0200 Subject: [Freeipa-devel] [PATCH 0050] Fix client ca.crt to match the server's cert In-Reply-To: References: <5592ACFE.8020803@redhat.com> <5593913D.8000303@redhat.com> <5593AABB.607@redhat.com> Message-ID: <55A3DF6A.6080206@redhat.com> On 08/07/15 16:09, Gabe Alford wrote: > Thanks, Martin. Update patch attached. > > I was getting an 'No newline at the end of file' in my environment > hence an extra '\n' at the end. > Please let me know if you see the same thing. > > Thanks, > > Gabe > > On Wed, Jul 1, 2015 at 2:54 AM, Martin Basti > wrote: > > On 01/07/15 09:05, Martin Basti wrote: >> On 30/06/15 17:31, Gabe Alford wrote: >>> On Tue, Jun 30, 2015 at 8:51 AM, Martin Basti >> > wrote: >>> >>> On 16/06/15 16:58, Gabe Alford wrote: >>>> I know you guys are busy. Bump for review. >>>> >>>> Thanks, >>>> >>>> Gabe >>>> >>>> On Tue, May 26, 2015 at 8:16 AM, Gabe Alford >>>> > wrote: >>>> >>>> Hello, >>>> >>>> Fix for https://fedorahosted.org/freeipa/ticket/3809 >>>> >>>> Thanks, >>>> >>>> Gabe >>>> >>>> >>>> >>>> >>> I'm getting certificate on server without extra '\n' at the end. >>> >>> So certificate files are not the same. >>> >>> >>> I assume you did a diff of the server /etc/ipa/ca.crt and the >>> client /etc/ipa/ca.crt, right? Did you setup a server and then >>> connect a client (just wonder what your steps were so that I can >>> also reproduce)? >> >> Yes. I did that. >> >> I will retest it today. >> > Retested and ca.cert on client has extra '\n' at the end. >>> >>> >>> -- >>> Martin Basti >>> >>> >> >> >> -- >> Martin Basti >> >> > > > -- > Martin Basti > > Thank you! ACK -- Martin Basti -------------- next part -------------- An HTML attachment was scrubbed... URL: From jpazdziora at redhat.com Mon Jul 13 17:37:39 2015 
From: jpazdziora at redhat.com (Jan Pazdziora)
Date: Mon, 13 Jul 2015 19:37:39 +0200
Subject: [Freeipa-devel] Why do we require DNS record when service is being added?
Message-ID: <20150713173739.GB15217@redhat.com>

Hello,

we got a nack

  https://www.redhat.com/archives/freeipa-devel/2015-July/msg00259.html

when attempting to address ticket

  https://fedorahosted.org/freeipa/ticket/3959

Basically, when a service is being added with ipa service-add, you have to use --force to add it if the underlying host record does not have a DNS record.

But it seems that the workflow of host created with --random OTP generated, service added to this host record (which still does not have an IP address because no machine was enrolled), and only then IPA-enrolling with ipa-client --password OTP is a supported and increasingly promoted and used mechanism, for example with realm support for provisioned machines in Foreman.

The initial intent of ticket

  https://fedorahosted.org/freeipa/ticket/3959

was to lower the stress and confusion of new IPA users by making the error message that you get when there isn't a DNS record for the host entry less scary and more helpful.

There is objection to making it more helpful, with the fear that people will just learn to add --force to every command and avoid the safeguards.

However -- what is the purpose of the DNS check when adding a service? Shouldn't that check be removed altogether?

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

From pspacek at redhat.com Tue Jul 14 06:31:19 2015
From: pspacek at redhat.com (Petr Spacek) Date: Tue, 14 Jul 2015 08:31:19 +0200 Subject: [Freeipa-devel] Why do we require DNS record when service is being added? In-Reply-To: <20150713173739.GB15217@redhat.com> References: <20150713173739.GB15217@redhat.com> Message-ID: <55A4ACB7.8010707@redhat.com> On 13.7.2015 19:37, Jan Pazdziora wrote: > > Hello, > > we got a nack > > https://www.redhat.com/archives/freeipa-devel/2015-July/msg00259.html > > when attempting to address ticket > > https://fedorahosted.org/freeipa/ticket/3959 > > Basically, when service is being added with ipa service-add, you > have to use --force to add it if the underlying host record does > not have DNS record. > > But it seems that the workflow of host created with --random OTP > generated, service added to this host record (which still does not > have IP address because no machine was enrolled), and only then > IPA-enrolling with ipa-client --password OTP is a supported and > increasingly promoted and used mechanism, for example with realm > support for provisioned machines in Foreman. > > The initial intent of ticket > > https://fedorahosted.org/freeipa/ticket/3959 > > was to lower the stress and confusion of new IPA users by making the > error message that you get when there isn't DNS record for the host > entry less scary and more helpful. > > There is objection to making it more helpful, with the fear that > people will just learn to add --force to every command and avoid > the safeguards. > > However -- what is the purpose of the DNS check when adding service? The service is typically a Kerberos service, which usually is not going to work if the host does not have DNS record. > Shouldn't that check be removed altogether? I would rather relax the check so it can detect usage of host-add --random/--password and emit a warning instead of hard error. What do you think about this approach? -- Petr^2 Spacek From jpazdziora at redhat.com Tue Jul 14 07:45:40 2015 
From: jpazdziora at redhat.com (Jan Pazdziora)
Date: Tue, 14 Jul 2015 09:45:40 +0200
Subject: [Freeipa-devel] Why do we require DNS record when service is being added?
In-Reply-To: <55A4ACB7.8010707@redhat.com>
References: <20150713173739.GB15217@redhat.com> <55A4ACB7.8010707@redhat.com>
Message-ID: <20150714074540.GA10870@redhat.com>

On Tue, Jul 14, 2015 at 08:31:19AM +0200, Petr Spacek wrote:
> On 13.7.2015 19:37, Jan Pazdziora wrote:
> >
> > However -- what is the purpose of the DNS check when adding service?
>
> The service is typically a Kerberos service, which usually is not going to
> work if the host does not have DNS record.

So it's an error about the existing *state* of the identity management system, not an error of the service-add operation itself or an error about the result of that operation. IOW, the code tries to be smarter than necessary, hitting users who attempt to do things right, precreating host records. Plus it's an error about a related object, not the object being manipulated / created, which in itself is suspicious.

> > Shouldn't that check be removed altogether?
> I would rather relax the check so it can detect usage of host-add
> --random/--password and emit a warning instead of hard error.
>
> What do you think about this approach?

I guess you are then talking about not having that check in the host-add operation, not service-add:

  # ipa host-add --random client56.example.test
  ipa: ERROR: Host does not have corresponding DNS A/AAAA record

Because to face the error during service-add, the user must already have overridden the error for the host itself.

So how about:

  No DNS check / error in host-add when --random is used.
  No DNS check / error in service-add at all.

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

From abokovoy at redhat.com Tue Jul 14 08:08:32 2015
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Tue, 14 Jul 2015 11:08:32 +0300 Subject: [Freeipa-devel] Why do we require DNS record when service is being added? In-Reply-To: <20150714074540.GA10870@redhat.com> References: <20150713173739.GB15217@redhat.com> <55A4ACB7.8010707@redhat.com> <20150714074540.GA10870@redhat.com> Message-ID: <20150714080832.GH21928@redhat.com> On Tue, 14 Jul 2015, Jan Pazdziora wrote: >On Tue, Jul 14, 2015 at 08:31:19AM +0200, Petr Spacek wrote: >> On 13.7.2015 19:37, Jan Pazdziora wrote: >> > >> > However -- what is the purpose of the DNS check when adding service? >> >> The service is typically a Kerberos service, which usually is not going to >> work if the host does not have DNS record. > >So it's an error about existing *state* of the identity management >system, not an error of the service-add operation itself or error >about the result of that operation. IOW, the code tries to be smarter >than necessary, hitting users who attempt to do things right, >precreating host records. Plus it's an error about related object, >not the object being manipulated / created which in itself is >suspicious. > >> > Shouldn't that check be removed altogether? >> I would rather relax the check so it can detect usage of host-add >> --random/--password and emit a warning instead of hard error. >> >> What do you think about this approach? > >I guess you are then talking about not having that check in the >host-add operation, not service-add: > > # ipa host-add --random client56.example.test > ipa: ERROR: Host does not have corresponding DNS A/AAAA record > >Because to face the error during service-add, the user must already >have overriden the error for the host itself. > >So how about: > > No DNS check / error in host-add when --random is used. > No DNS check / error in service-add at all. I would still add a warning in service-add "Host ... 
does not exist in DNS, this service will not be accessible via Kerberos until A/AAAA record for the host will be created". -- / Alexander Bokovoy From mbabinsk at redhat.com Tue Jul 14 10:19:21 2015 
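A small model of the two behaviours debated in this thread, as an added example that is not FreeIPA code: the hard error that service-add raises today unless --force is given, beside the relaxed variant Petr and Alexander propose (a warning when the host was pre-created with host-add --random/--password and has not enrolled yet). HostEntry, DNS_ZONE and the check functions are constructed for this illustration and are not the IPA API.

```python
# Added example (not FreeIPA code): model of the service-add DNS check.
# Today a missing A/AAAA record is a hard error unless --force is given; the
# proposal is to downgrade it to a warning when the host was pre-created with
# an OTP (host-add --random/--password) and is not enrolled yet, because its
# record is expected to appear only when the machine enrolls.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed DNS view of an example zone: fqdn -> A/AAAA records.
DNS_ZONE: Dict[str, List[str]] = {
    "web1.example.test": ["192.0.2.10"],
    "v6only.example.test": ["2001:db8::10"],
    "stale.example.test": [],   # name known to DNS but without address records
}

# Message texts taken from the thread (the warning wording is Alexander's).
HARD_ERROR = "Host does not have corresponding DNS A/AAAA record"
WARNING = ("Host {fqdn} does not exist in DNS, this service will not be "
           "accessible via Kerberos until an A/AAAA record for the host is created")


@dataclass(frozen=True)
class HostEntry:
    """Hypothetical view of the attributes the check needs from a host entry."""
    fqdn: str
    has_otp: bool = False    # pre-created with host-add --random / --password
    enrolled: bool = False   # ipa-client-install already ran (keytab issued)


def has_address_record(fqdn: str, zone: Dict[str, List[str]] = DNS_ZONE) -> bool:
    """True if the host name resolves to at least one A or AAAA record."""
    return bool(zone.get(fqdn))


def current_check(host: HostEntry, force: bool = False,
                  zone: Dict[str, List[str]] = DNS_ZONE) -> Tuple[str, Optional[str]]:
    """Approximation of the behaviour the thread complains about:
    missing record -> error, unless --force, in which case proceed silently."""
    if has_address_record(host.fqdn, zone) or force:
        return "ok", None
    return "error", HARD_ERROR


def relaxed_check(host: HostEntry, force: bool = False,
                  zone: Dict[str, List[str]] = DNS_ZONE) -> Tuple[str, Optional[str]]:
    """Relaxed variant: a host pre-provisioned with an OTP but not yet enrolled
    only gets a warning, since the record will be created at enrollment time.
    An unexplained missing record stays an error unless --force is given, and
    even then the warning is emitted so the operator sees what was skipped."""
    if has_address_record(host.fqdn, zone):
        return "ok", None
    warning = WARNING.format(fqdn=host.fqdn)
    if host.has_otp and not host.enrolled:
        return "warn", warning
    if force:
        return "warn", warning
    return "error", HARD_ERROR


def service_add(principal: str, host: HostEntry, force: bool = False,
                relaxed: bool = True) -> Tuple[bool, Optional[str]]:
    """Simulate service-add gated by one of the checks: (added, message)."""
    check = relaxed_check if relaxed else current_check
    outcome, message = check(host, force)
    text = f"{principal}: {message}" if message else None
    return outcome != "error", text


if __name__ == "__main__":
    provisioned = HostEntry("client56.example.test", has_otp=True)
    print("relaxed:", relaxed_check(provisioned))
    print("current:", current_check(provisioned))
    print(service_add("HTTP/client56.example.test", provisioned))
```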
From: mbabinsk at redhat.com (Martin Babinsky) Date: Tue, 14 Jul 2015 12:19:21 +0200 Subject: [Freeipa-devel] [PATCH 0023] enable debugging of spawned ntpd command during client install In-Reply-To: <551927B9.7020100@redhat.com> References: <5512C588.3010002@redhat.com> <5512D1C9.6090308@redhat.com> <5513F841.4050306@redhat.com> <551927B9.7020100@redhat.com> Message-ID: <55A4E229.2090304@redhat.com> On 03/30/2015 12:38 PM, Martin Babinsky wrote: > On 03/26/2015 01:14 PM, Martin Kosek wrote: >> On 03/25/2015 04:18 PM, Jan Cholasta wrote: >>> Hi, >>> >>> Dne 25.3.2015 v 15:26 Martin Babinsky napsal(a): >>>> The attached patch related to >>>> https://fedorahosted.org/freeipa/ticket/4931 >>> >>> Please make sure stays >>> fixed. >>> >>>> >>>> It is certainly not a final solution, more of an initial "hack" of >>>> sorts >>>> just to gather some suggestions, since I am not even sure if this is >>>> the >>>> right thing to do. >>>> >>>> The reporter from bugzilla suggests to enable debugging of ALL commands >>>> called through ipautil.run(), but I think that fixing all cca 157 found >>>> usages of run() is too much work with a quite small benefit. >>>> >>>> Anyway I would welcome some opinions about this: should the external >>>> commands really inherit the debug settings of ipa-* utilities, and if >>>> so, is the method showed in this patch the right way to do it? >>> >>> I am not a fan of this method, ipautil.run does not know anything >>> about the >>> command it runs and I think it should stay that way. >>> >>> I would prefer to have an ipautil.run wrapper with debug flag using >>> appropriate >>> debugging option for each command where we need to conditionally enable >>> debugging. Or just add the debugging option unconditionally to every >>> command >>> where it could be useful. >> >> +1, I do not like this change to ipautil.run either. 
It should be sole >> responsibility of the caller to specify the right combinations of >> options, >> including debug option, where applicable. >> > Attaching updated patch. > > > Reviving this patch from the dead. Attaching rebased version for master branch and ipa-4-1. -- Martin^3 Babinsky -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0023.3-enable-debugging-of-ntpd-during-client-installation.patch Type: text/x-patch Size: 2945 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-4-1-mbabinsk-0023.3-enable-debugging-of-ntpd-during-client-installation.patch Type: text/x-patch Size: 2943 bytes Desc: not available URL: From cheimes at redhat.com Tue Jul 14 10:34:23 2015 
From: cheimes at redhat.com (Christian Heimes) Date: Tue, 14 Jul 2015 12:34:23 +0200 Subject: [Freeipa-devel] [PATCH 007-010] Remove tuple unpacking from except clause In-Reply-To: <20150713142909.GY21928@redhat.com> References: <55A3AB7C.1050703@redhat.com> <55A3B64E.209@redhat.com> <55A3BB4A.9090004@redhat.com> <20150713142909.GY21928@redhat.com> Message-ID: <55A4E5AF.8090602@redhat.com> On 2015-07-13 16:29, Alexander Bokovoy wrote: >> I will push&mark the commit there. > Please do not push this specific version of the patch yet. Christian > will do the changes with four separate commits as discussed on the IRC, > to avoid future problems with maintenance and backports. Alex, please have a look at the patches. I have split the patch into four files, one for every file. Is that right? Christian -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-cheimes-0007-Remove-tuple-unpacking-from-except-clause-contrib-RH.patch Type: text/x-patch Size: 1263 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-cheimes-0008-Remove-tuple-unpacking-from-except-clause-ipa-client.patch Type: text/x-patch Size: 1297 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-cheimes-0009-Remove-tuple-unpacking-from-except-clause-ipalib-plu.patch Type: text/x-patch Size: 1780 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-cheimes-0010-Remove-tuple-unpacking-from-except-clause-ipaserver-.patch Type: text/x-patch Size: 3528 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 455 bytes Desc: OpenPGP digital signature URL: From jcholast at redhat.com Tue Jul 14 10:38:19 2015 
From: jcholast at redhat.com (Jan Cholasta)
Date: Tue, 14 Jul 2015 12:38:19 +0200
Subject: [Freeipa-devel] [PATCH 0006] Start dirsrv for kdcproxy upgrade
In-Reply-To: <55A3CB76.4010605@redhat.com>
References: <559FF2CC.6050802@redhat.com> <55A3CB76.4010605@redhat.com>
Message-ID: <55A4E69B.1080106@redhat.com>

Dne 13.7.2015 v 16:30 Martin Basti napsal(a):
> On 10/07/15 18:29, Christian Heimes wrote:
>> Hi,
>>
>> this patch ensures that DS is running before HTTPInstance attempts to
>> connect to LDAP.
>>
>> https://fedorahosted.org/freeipa/ticket/5113
>>
>>
>> While I was testing the patch I ran into trouble with DS. The upgrade
>> script couldn't connect to 389/TCP, although ns-slapd was running. After
>> some digging I found this log line:
>>
>> Jul 10 18:13:24 vm-120.abc.idm.lab.eng.brq.redhat.com ns-slapd[6278]:
>> [10/Jul/2015:18:13:24 +0200] - Information: Non-Secure Port Disabled
>>
>> which eventually led me to /etc/dirsrv/slapd-IPA-EXAMPLE/dse.ldif. The
>> port was disabled with "nsslapd-port: 0". After I stopped DS, changed
>> the port back to 389 and started DS again, ipa-server-upgrade worked
>> again.
>>
>> Christian
> ACK
>

Pushed to master: c701ab612de831f72f21e0f3bfd105fbc515cd4d

-- 
Jan Cholasta

From jcholast at redhat.com Tue Jul 14 10:44:23 2015
From: jcholast at redhat.com (Jan Cholasta)
Date: Tue, 14 Jul 2015 12:44:23 +0200
Subject: [Freeipa-devel] [PATCH 0006] Start dirsrv for kdcproxy upgrade
In-Reply-To: <55A4E69B.1080106@redhat.com>
References: <559FF2CC.6050802@redhat.com> <55A3CB76.4010605@redhat.com> <55A4E69B.1080106@redhat.com>
Message-ID: <55A4E807.10206@redhat.com>

Dne 14.7.2015 v 12:38 Jan Cholasta napsal(a):
> Dne 13.7.2015 v 16:30 Martin Basti napsal(a):
>> On 10/07/15 18:29, Christian Heimes wrote:
>>> Hi,
>>>
>>> this patch ensures that DS is running before HTTPInstance attempts to
>>> connect to LDAP.
>>>
>>> https://fedorahosted.org/freeipa/ticket/5113
>>>
>>>
>>> While I was testing the patch I ran into trouble with DS. The upgrade
>>> script couldn't connect to 389/TCP, although ns-slapd was running. After
>>> some digging I found this log line:
>>>
>>> Jul 10 18:13:24 vm-120.abc.idm.lab.eng.brq.redhat.com ns-slapd[6278]:
>>> [10/Jul/2015:18:13:24 +0200] - Information: Non-Secure Port Disabled
>>>
>>> which eventually led me to /etc/dirsrv/slapd-IPA-EXAMPLE/dse.ldif. The
>>> port was disabled with "nsslapd-port: 0". After I stopped DS, changed
>>> the port back to 389 and started DS again, ipa-server-upgrade worked
>>> again.
>>>
>>> Christian
>> ACK
>>
>
> Pushed to master: c701ab612de831f72f21e0f3bfd105fbc515cd4d
>

and Pushed to ipa-4-2: d98aa76b26daf461f19d733fedc4bd9a8c36f05f

-- 
Jan Cholasta

From abokovoy at redhat.com Tue Jul 14 10:45:33 2015
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Tue, 14 Jul 2015 13:45:33 +0300 Subject: [Freeipa-devel] [PATCH 007-010] Remove tuple unpacking from except clause In-Reply-To: <55A4E5AF.8090602@redhat.com> References: <55A3AB7C.1050703@redhat.com> <55A3B64E.209@redhat.com> <55A3BB4A.9090004@redhat.com> <20150713142909.GY21928@redhat.com> <55A4E5AF.8090602@redhat.com> Message-ID: <20150714104533.GJ21928@redhat.com> On Tue, 14 Jul 2015, Christian Heimes wrote: >On 2015-07-13 16:29, Alexander Bokovoy wrote: >>> I will push&mark the commit there. >> Please do not push this specific version of the patch yet. Christian >> will do the changes with four separate commits as discussed on the IRC, >> to avoid future problems with maintenance and backports. > >Alex, > >please have a look at the patches. I have split the patch into four >files, one for every file. Is that right? Yes, perfect! ACK for all four patches. -- / Alexander Bokovoy From jcholast at redhat.com Tue Jul 14 10:51:21 2015 
From: jcholast at redhat.com (Jan Cholasta) Date: Tue, 14 Jul 2015 12:51:21 +0200 Subject: [Freeipa-devel] [PATCH 529] Fix DNS record installation for replicas In-Reply-To: <55A3B715.80407@redhat.com> References: <1436547800.4097.98.camel@willson.usersys.redhat.com> <1436551069.4097.108.camel@willson.usersys.redhat.com> <55A3B715.80407@redhat.com> Message-ID: <55A4E9A9.7010108@redhat.com> Dne 13.7.2015 v 15:03 Martin Basti napsal(a): > On 10/07/15 19:57, Simo Sorce wrote: >> On Fri, 2015-07-10 at 13:03 -0400, Simo Sorce wrote: >>> This bug affects 4.2, we should backport the fix there too. >>> >>> See ticket: https://fedorahosted.org/freeipa/ticket/5116 >> For what is worth I tested this change in my replica install code and it >> fixes the issue, though the code is different and therefore should be >> tested with a classic replica install. >> >> Also sorry for the HTML attachment, fat fingered while trying to >> copy/paste the ticket link from FF. >> >> Simo. >> > ACK > Fixed formatting and pushed to: master: ca6947da6ffa363e8019941e21ea15787d17dd02 ipa-4-2: 97f099b8a26ffdd68f3928ae5f77a06752bd2bf7 (Please follow PEP8 in new code.) -- Jan Cholasta From jcholast at redhat.com Tue Jul 14 10:59:41 2015 
From: jcholast at redhat.com (Jan Cholasta) Date: Tue, 14 Jul 2015 12:59:41 +0200 Subject: [Freeipa-devel] [patch 0004] spec file: Update the package name from libipa_hbac-python to python-libipa_hbac In-Reply-To: <559FABAD.6080904@redhat.com> References: <559F98D7.5020003@redhat.com> <559FA488.40104@redhat.com> <559FABAD.6080904@redhat.com> Message-ID: <55A4EB9D.50703@redhat.com> Dne 10.7.2015 v 13:25 Milan Kubik napsal(a): > On 07/10/2015 12:55 PM, Jan Cholasta wrote: >> Hi, >> >> >> >> Dne 10.7.2015 v 12:05 Milan Kubik napsal(a): >> >>> Name update + the renamed package breaks 'dnf builddep'. I will report >>> >>> the bug. >>> >>> Yum can take care of the conflict resolution. >>> >>> >>> >>> Patch attached. >>> >> >> >> You might as well update libsss_nss_idmap-python to >> python-libsss_nss_idmap while you are at it. >> >> >> >> Honza >> >> >> >> >> > > Hi, new patch is here :) Thanks, ACK. Pushed to: master: 345960741063279f8f3b742dcd6e4813682f1832 ipa-4-2: 9c8d23a725ee6895e85944954e0deb6daa7b92f5 > > Self-NACK on 0004. FYI the protocol is to bump patch revision instead of bumping patch number: -- Jan Cholasta From jcholast at redhat.com Tue Jul 14 11:12:43 2015 
From: jcholast at redhat.com (Jan Cholasta) Date: Tue, 14 Jul 2015 13:12:43 +0200 Subject: [Freeipa-devel] [PATCH 0282] Prevent to rename certprofile profile id In-Reply-To: <1436525540.4097.65.camel@willson.usersys.redhat.com> References: <559E9174.4000305@redhat.com> <559F5844.1030109@redhat.com> <559F85B4.6010606@redhat.com> <559F8972.2050806@redhat.com> <559F89F9.5040405@redhat.com> <1436519447.4097.63.camel@willson.usersys.redhat.com> <559F902B.3090701@redhat.com> <1436525540.4097.65.camel@willson.usersys.redhat.com> Message-ID: <55A4EEAB.6050105@redhat.com> Dne 10.7.2015 v 12:52 Simo Sorce napsal(a): > On Fri, 2015-07-10 at 11:28 +0200, Jan Cholasta wrote: >> Dne 10.7.2015 v 11:10 Simo Sorce napsal(a): >>> On Fri, 2015-07-10 at 11:01 +0200, Jan Cholasta wrote: >>>> Dne 10.7.2015 v 10:59 Jan Cholasta napsal(a): >>>>> Dne 10.7.2015 v 10:43 Martin Basti napsal(a): >>>>>> On 10/07/15 07:29, Jan Cholasta wrote: >>>>>>> Hi, >>>>>>> >>>>>>> Dne 9.7.2015 v 17:21 Martin Basti napsal(a): >>>>>>>> https://fedorahosted.org/freeipa/ticket/5074 >>>>>>>> >>>>>>>> Patch attached. >>>>>>> >>>>>>> NACK, you should remove the --rename option from certprofile-mod. You >>>>>>> can do it by removing "rdn_is_primary_key = True" from certprofile. >>>>>>> >>>>>>> Honza >>>>>>> >>>>>> Updated patch attached. >>>>>> >>>>> >>>>> What I meant was remove --rename *and* do the check from your previous >>>>> patch. >>>>> >>>>> Anyway, I didn't realize we already released IPA with certprofile and >>>>> removing --rename would be a backward incompatible change, so I think >>>>> it's better to just keep it. >>>>> >>>>> So ACK on the original patch. >>>>> >>>> >>>> Pushed to master: 67b2b3408579814f7ff307cfd20bc4250edbea15 >>> >>> I see no LDAP ACI that prevents a rename though, without that an admin >>> can simply issue a modrdn operation. If it is critical for us to not >>> allow renames we should rather have an ACI that prohibits them. 
>> >> AFAIK there is no ACI to prevent renaming hosts (the check in this patch >> is copied from the host plugin) or users either and so far nobody >> complained. I'm not saying this is right, but the patch is consistent >> with existing code. > > Renaming users is explicitly allowed, renaming hosts is something we may > want to prevent too. Maybe we should add a ticket to take care of these > things ? Forgot to push this patch to ipa-4-2: Pushed to ipa-4-2: 62e30d007275a3051370006a7546a5b3158f9686 -- Jan Cholasta From cheimes at redhat.com Tue Jul 14 11:24:40 2015 From: cheimes at redhat.com (Christian Heimes) Date: Tue, 14 Jul 2015 13:24:40 +0200 Subject: [Freeipa-devel] [PATCH 011] [py3] Replace file() with open() Message-ID: <55A4F178.5010400@redhat.com> The patch replaces file() with open() and a proper with statement. The patch is related to https://fedorahosted.org/freeipa/ticket/5127 Christian -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-cheimes-0011-py3-Replace-file-with-open.patch Type: text/x-patch Size: 1508 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 455 bytes Desc: OpenPGP digital signature URL: From cheimes at redhat.com Tue Jul 14 11:29:19 2015 
From: cheimes at redhat.com (Christian Heimes) Date: Tue, 14 Jul 2015 13:29:19 +0200 Subject: [Freeipa-devel] [PATCH 011] [py3] Replace file() with open() In-Reply-To: <55A4F178.5010400@redhat.com> References: <55A4F178.5010400@redhat.com> Message-ID: <55A4F28F.8050005@redhat.com> On 2015-07-14 13:24, Christian Heimes wrote: > The patch replaces file() with open() and a proper with statement. > > The patch is related to https://fedorahosted.org/freeipa/ticket/5127 > > Christian The first patch has a typo. Note to self: save file first, then commit Christian -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-cheimes-0011-1-py3-Replace-file-with-open.patch Type: text/x-patch Size: 1511 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 455 bytes Desc: OpenPGP digital signature URL: From abokovoy at redhat.com Tue Jul 14 11:31:12 2015 
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Tue, 14 Jul 2015 14:31:12 +0300 Subject: [Freeipa-devel] [PATCH] 0191 Add SELinux boolean for oddjobd-activated services Message-ID: <20150714113112.GK21928@redhat.com> Hi! An SELinux policy we need for one-way trust is now in Fedora updates-testing repository. Attached patch adds support for 'httpd_run_ipa' SELinux boolean. Below is how one-way trust is using the communication with oddjobd (it is a slightly fixed copy of the description of bug https://bugzilla.redhat.com/show_bug.cgi?id=1238165 for SELinux policy): ------------------------------------------------------------------- In FreeIPA 4.2 we added support to establish one-way trust to Active Directory. As a consequence of this, we need to change how certain operations against AD LDAP are performed. Right now we are using a feature of bi-directional cross-realm Kerberos trust: we authenticate as HTTP/ipa.master at IPA.REALM from within Apache process and then talk to ldap/ad.dc at AD.REALM or to cifs/ad.dc at AD.REALM services in AD. With one-way trust we cannot use this approach anymore because there is no cross-realm Kerberos trust from IPA to AD, only the other way around. Instead, there is an object in AD LDAP which represents IPA and we have to authenticate as this object. Access to this object is highly regulated (by us) because possession of the trust domain object (TDO) credentials impersonates whole trust link. Thus, we want to avoid authenticating as TDO within Apache process. To achieve this I've implemented a scheme similar to oddjob-mkhomedir, by providing a helper script which is executed by oddjobd on request from Apache: Apache process sends DBus request to oddjobd daemon. Oddjobd daemon executes an IPA helper. IPA helper accesses /etc/samba/samba.keytab and authenticates as cifs/ipa.master at IPA.REALM. It then fetches TDO credentials from IPA LDAP and authenticates with them to AD DC. 
Once the operation is performed, it connects again to IPA LDAP and updates it.

Now, there are several moving parts here:

1. /etc/samba/samba.keytab is root:root, 0600, unconfined_u:object_r:samba_etc_t:s0
   It is created by /usr/sbin/ipa-adtrust-install

2. /var/lib/sss/keytabs/ad.test.keytab is sssd:sssd, 0600, unconfined_u:object_r:sssd_var_lib_t:s0
   It can be created by the IPA helper or by SSSD, whoever runs into need of the keytab first. The name is dependent on the AD forest root name (ad.test in my case).

3. /usr/libexec/ipa/com.redhat.idm.trust-fetch-domains is root:root, 0755, system_u:object_r:ipa_helper_exec_t:s0 label.
   It is the IPA helper the oddjobd daemon will be calling in response to an Apache request. The helper is written in Python.

4. /var/run/ipa/krb5cc_oddjob_trusts{,_fetch} -- credential caches used by the helper. They are root:root, 0600, system_u:object_r:ipa_var_run_t:s0 label.

5. oddjobd daemon runs under system_u:system_r:oddjob_t:s0-s0:c0.c1023 context.
---------------------------------------------------------------------------------

-- 
/ Alexander Bokovoy
-------------- next part --------------
From 9259c87ab843b2d3a2873683dcb20df5a25a5fe5 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Tue, 14 Jul 2015 11:11:36 +0000
Subject: [PATCH] selinux: enable httpd_run_ipa to allow communicating with oddjobd services

A new SELinux policy allows communication between IPA framework running
under Apache with oddjobd-based services via DBus. This communication is
crucial for one-way trust support and also is required for any out of
band tools which may be executed by IPA framework.

Details of out of band communication and SELinux policy can be found in
a bug https://bugzilla.redhat.com/show_bug.cgi?id=1238165
---
 freeipa.spec.in                   | 2 +-
 ipaserver/install/httpinstance.py | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index e9f97c3..39306ed 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -8,7 +8,7 @@ %global selinux_policy_version 3.12.1-153 %else %global samba_version 2:4.0.5-1 -%global selinux_policy_version 3.12.1-179 +%global selinux_policy_version 3.13.1-128.6 %endif %global plugin_dir %{_libdir}/dirsrv/plugins
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index f5f2a86..7928256 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -46,6 +46,7 @@ from ipaplatform import services SELINUX_BOOLEAN_SETTINGS = dict( httpd_can_network_connect='on', httpd_manage_ipa='on', + httpd_run_ipa='on', )
-- 
2.4.3

From tbabej at redhat.com Tue Jul 14 11:44:55 2015
From: tbabej at redhat.com (Tomas Babej)
Date: Tue, 14 Jul 2015 13:44:55 +0200
Subject: [Freeipa-devel] [PATCH 007-010] Remove tuple unpacking from except clause
In-Reply-To: <20150714104533.GJ21928@redhat.com>
References: <55A3AB7C.1050703@redhat.com> <55A3B64E.209@redhat.com> <55A3BB4A.9090004@redhat.com> <20150713142909.GY21928@redhat.com> <55A4E5AF.8090602@redhat.com> <20150714104533.GJ21928@redhat.com>
Message-ID: <55A4F637.7020803@redhat.com>

On 07/14/2015 12:45 PM, Alexander Bokovoy wrote:
> On Tue, 14 Jul 2015, Christian Heimes wrote:
>> On 2015-07-13 16:29, Alexander Bokovoy wrote:
>>>> I will push&mark the commit there.
>>> Please do not push this specific version of the patch yet. Christian
>>> will do the changes with four separate commits as discussed on the IRC,
>>> to avoid future problems with maintenance and backports.
>>
>> Alex,
>>
>> please have a look at the patches. I have split the patch into four
>> files, one for every file. Is that right?
> Yes, perfect!
>
> ACK for all four patches.
>

Pushed to master: 35e219f996b933c8f9a5e5624bbffd6174f4c55c

From pspacek at redhat.com Tue Jul 14 11:47:07 2015
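Review bot: in the freeipa.spec.in hunk (@@ -8,7 +8,7 @@) only the %else branch of the conditional is raised, from 3.12.1-179 to 3.13.1-128.6, while the `%global selinux_policy_version 3.12.1-153` line in the other branch is left as it was; since the httpinstance.py hunk sets httpd_run_ipa unconditionally, confirm that the policy pinned by that other branch also defines the boolean, or raise it as well, otherwise installation on that platform will try to set a boolean the policy does not know.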
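Review bot: the httpinstance.py hunk (@@ -46,6 +46,7 @@) adds `+ httpd_run_ipa='on',` to SELINUX_BOOLEAN_SETTINGS, which is applied when the HTTP instance is installed, but the diffstat shows no upgrade code touched; the commit message calls this communication crucial for one-way trust, so servers that are upgraded to this version rather than freshly installed need the boolean set too. Check that the upgrade path handles it, and mention the new minimum selinux-policy build in the commit message so that a failing setsebool on an older policy is recognised for what it is.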
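The following audit script is an added example, not code from Alexander's patch or from FreeIPA: it checks the owner, mode and SELinux type of the helper pieces enumerated as items 1 to 4 in Alexander Bokovoy's message above, with the expected values transcribed from that list. The SAMPLE_HOST snapshot is constructed, and the AD keytab name follows the 'ad.test' example used there.

```python
"""Audit the one-way trust helper files listed in the message above.
Added example, not FreeIPA code: expectations transcribed from that list,
SAMPLE_HOST is a constructed snapshot of a misconfigured host."""
import grp
import os
import pwd
import stat
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Permission bits that must be clear on anything holding credential material.
GROUP_OTHER = stat.S_IRWXG | stat.S_IRWXO


@dataclass(frozen=True)
class Expected:
    path: str
    owner: str
    group: str
    mode: int          # permission bits only, e.g. 0o600
    selinux_type: str  # type field of the context, e.g. samba_etc_t


@dataclass(frozen=True)
class Observed:
    owner: str
    group: str
    mode: int
    context: str       # full label, e.g. system_u:object_r:ipa_var_run_t:s0


# Items 1-4 of the list above; the AD keytab name follows the forest root ("ad.test").
EXPECTED = [
    Expected("/etc/samba/samba.keytab", "root", "root", 0o600, "samba_etc_t"),
    Expected("/var/lib/sss/keytabs/ad.test.keytab", "sssd", "sssd", 0o600, "sssd_var_lib_t"),
    Expected("/usr/libexec/ipa/com.redhat.idm.trust-fetch-domains", "root", "root", 0o755, "ipa_helper_exec_t"),
    Expected("/var/run/ipa/krb5cc_oddjob_trusts", "root", "root", 0o600, "ipa_var_run_t"),
    Expected("/var/run/ipa/krb5cc_oddjob_trusts_fetch", "root", "root", 0o600, "ipa_var_run_t"),
]


def selinux_type(context: str) -> str:
    """Return the type field of a user:role:type[:range] SELinux context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else ""


def observe(path: str) -> Optional[Observed]:
    """Read owner, group, mode and SELinux context from the live system (Linux only)."""
    try:
        st = os.stat(path)
        raw = os.getxattr(path, "security.selinux")
    except OSError:
        return None
    return Observed(pwd.getpwuid(st.st_uid).pw_name, grp.getgrgid(st.st_gid).gr_name,
                    stat.S_IMODE(st.st_mode), raw.rstrip(b"\0").decode())


def audit(expected: List[Expected],
          lookup: Callable[[str], Optional[Observed]] = observe) -> Dict[str, List[str]]:
    """Compare each expectation with what lookup() reports; return findings per path."""
    findings: Dict[str, List[str]] = {}
    for exp in expected:
        obs = lookup(exp.path)
        problems: List[str] = []
        if obs is None:
            # Credential caches appear on first use; a missing keytab or helper
            # means the trust code path cannot work at all.
            problems.append("missing")
        else:
            if (obs.owner, obs.group) != (exp.owner, exp.group):
                problems.append(f"owner {obs.owner}:{obs.group}, expected {exp.owner}:{exp.group}")
            if obs.mode != exp.mode:
                problems.append(f"mode {obs.mode:04o}, expected {exp.mode:04o}")
            if (obs.mode & GROUP_OTHER) and not (exp.mode & GROUP_OTHER):
                # Whoever can read the TDO credentials impersonates the whole trust link.
                problems.append("credential material accessible by group/other")
            if selinux_type(obs.context) != exp.selinux_type:
                problems.append(f"label type {selinux_type(obs.context)}, expected {exp.selinux_type}")
        if problems:
            findings[exp.path] = problems
    return findings


# Constructed snapshot: the AD keytab is group/world readable, one ccache carries
# a generic var_run_t label, and the other ccache has not been created yet.
SAMPLE_HOST = {
    "/etc/samba/samba.keytab": Observed("root", "root", 0o600, "unconfined_u:object_r:samba_etc_t:s0"),
    "/var/lib/sss/keytabs/ad.test.keytab": Observed("sssd", "sssd", 0o644, "unconfined_u:object_r:sssd_var_lib_t:s0"),
    "/usr/libexec/ipa/com.redhat.idm.trust-fetch-domains": Observed("root", "root", 0o755, "system_u:object_r:ipa_helper_exec_t:s0"),
    "/var/run/ipa/krb5cc_oddjob_trusts": Observed("root", "root", 0o600, "unconfined_u:object_r:var_run_t:s0"),
}


def sample_findings() -> Dict[str, List[str]]:
    """Run the audit against the constructed snapshot instead of the live system."""
    return audit(EXPECTED, SAMPLE_HOST.get)


if __name__ == "__main__":
    for path, problems in audit(EXPECTED).items():
        print(path, "->", "; ".join(problems))
```

Run without arguments it audits the live filesystem; `sample_findings()` exercises the same logic against the constructed snapshot.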
From: pspacek at redhat.com (Petr Spacek)
Date: Tue, 14 Jul 2015 13:47:07 +0200
Subject: [Freeipa-devel] Why do we require DNS record when service is being added?
In-Reply-To: <20150714080832.GH21928@redhat.com>
References: <20150713173739.GB15217@redhat.com> <55A4ACB7.8010707@redhat.com> <20150714074540.GA10870@redhat.com> <20150714080832.GH21928@redhat.com>
Message-ID: <55A4F6BB.4060506@redhat.com>

On 14.7.2015 10:08, Alexander Bokovoy wrote:
> On Tue, 14 Jul 2015, Jan Pazdziora wrote:
>> On Tue, Jul 14, 2015 at 08:31:19AM +0200, Petr Spacek wrote:
>>> On 13.7.2015 19:37, Jan Pazdziora wrote:
>>> >
>>> > However -- what is the purpose of the DNS check when adding service?
>>>
>>> The service is typically a Kerberos service, which usually is not going to
>>> work if the host does not have DNS record.
>>
>> So it's an error about existing *state* of the identity management
>> system, not an error of the service-add operation itself or error
>> about the result of that operation. IOW, the code tries to be smarter
>> than necessary, hitting users who attempt to do things right,
>> precreating host records. Plus it's an error about related object,
>> not the object being manipulated / created which in itself is
>> suspicious.
>>
>>> > Shouldn't that check be removed altogether?
>>> I would rather relax the check so it can detect usage of host-add
>>> --random/--password and emit a warning instead of hard error.
>>>
>>> What do you think about this approach?
>>
>> I guess you are then talking about not having that check in the
>> host-add operation, not service-add:
>>
>> # ipa host-add --random client56.example.test
>> ipa: ERROR: Host does not have corresponding DNS A/AAAA record
>>
>> Because to face the error during service-add, the user must already
>> have overridden the error for the host itself.
>>
>> So how about:
>>
>> No DNS check / error in host-add when --random is used.
>> No DNS check / error in service-add at all.
> I would still add a warning in service-add "Host ... does not exist in
> DNS, this service will not be accessible via Kerberos until A/AAAA
> record for the host will be created".

Yes, this is what I meant - host-add should do the DNS check and spit only a
warning if --random/--password is used. Service-add should require the host to
exist (as it does now) but again the check should spit a warning instead of an
error if the host was created with --random.

-- 
Petr^2 Spacek

From abokovoy at redhat.com Tue Jul 14 11:50:51 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 14 Jul 2015 14:50:51 +0300
Subject: [Freeipa-devel] Why do we require DNS record when service is being added?
In-Reply-To: <55A4F6BB.4060506@redhat.com>
References: <20150713173739.GB15217@redhat.com> <55A4ACB7.8010707@redhat.com> <20150714074540.GA10870@redhat.com> <20150714080832.GH21928@redhat.com> <55A4F6BB.4060506@redhat.com>
Message-ID: <20150714115051.GL21928@redhat.com>

On Tue, 14 Jul 2015, Petr Spacek wrote:
>On 14.7.2015 10:08, Alexander Bokovoy wrote:
>> On Tue, 14 Jul 2015, Jan Pazdziora wrote:
>>> On Tue, Jul 14, 2015 at 08:31:19AM +0200, Petr Spacek wrote:
>>>> On 13.7.2015 19:37, Jan Pazdziora wrote:
>>>> >
>>>> > However -- what is the purpose of the DNS check when adding service?
>>>>
>>>> The service is typically a Kerberos service, which usually is not going to
>>>> work if the host does not have DNS record.
>>>
>>> So it's an error about existing *state* of the identity management
>>> system, not an error of the service-add operation itself or error
>>> about the result of that operation. IOW, the code tries to be smarter
>>> than necessary, hitting users who attempt to do things right,
>>> precreating host records. Plus it's an error about related object,
>>> not the object being manipulated / created which in itself is
>>> suspicious.
>>>
>>>> > Shouldn't that check be removed altogether?
>>>> I would rather relax the check so it can detect usage of host-add
>>>> --random/--password and emit a warning instead of hard error.
>>>>
>>>> What do you think about this approach?
>>>
>>> I guess you are then talking about not having that check in the
>>> host-add operation, not service-add:
>>>
>>> # ipa host-add --random client56.example.test
>>> ipa: ERROR: Host does not have corresponding DNS A/AAAA record
>>>
>>> Because to face the error during service-add, the user must already
>>> have overridden the error for the host itself.
>>>
>>> So how about:
>>>
>>> No DNS check / error in host-add when --random is used.
>>> No DNS check / error in service-add at all.
>> I would still add a warning in service-add "Host ... does not exist in
>> DNS, this service will not be accessible via Kerberos until A/AAAA
>> record for the host will be created".
>
>Yes, this is what I meant - host-add should do the DNS check and spit only a
>warning if --random/--password is used. Service-add should require the host to
>exist (as it does now) but again the check should spit a warning instead of an
>error if the host was created with --random.
Sounds good to me.

Will you make a ticket?

-- 
/ Alexander Bokovoy

From jcholast at redhat.com Tue Jul 14 11:56:28 2015
From: jcholast at redhat.com (Jan Cholasta)
Date: Tue, 14 Jul 2015 13:56:28 +0200
Subject: [Freeipa-devel] [PATCH 464] spec file: Move /etc/ipa/kdcproxy to the server subpackage
Message-ID: <55A4F8EB.9060407@redhat.com>

Hi,

the attached patch fixes client-only builds.

Honza

-- 
Jan Cholasta
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-464-spec-file-Move-etc-ipa-kdcproxy-to-the-server-subpac.patch
Type: text/x-patch
Size: 1445 bytes
Desc: not available
URL:

From tbabej at redhat.com Tue Jul 14 12:02:52 2015
From: tbabej at redhat.com (Tomas Babej)
Date: Tue, 14 Jul 2015 14:02:52 +0200
Subject: [Freeipa-devel] [PATCH 011] [py3] Replace file() with open()
In-Reply-To: <55A4F28F.8050005@redhat.com>
References: <55A4F178.5010400@redhat.com> <55A4F28F.8050005@redhat.com>
Message-ID: <55A4FA6C.3030902@redhat.com>

On 07/14/2015 01:29 PM, Christian Heimes wrote:
> On 2015-07-14 13:24, Christian Heimes wrote:
>> The patch replaces file() with open() and a proper with statement.
>>
>> The patch is related to https://fedorahosted.org/freeipa/ticket/5127
>>
>> Christian
>
> The first patch has a typo.
>
> Note to self: save file first, then commit
>
> Christian
>

ACK. Pushed to master: 18d417e981045830f5dd359cf912caf3b0b9e6d3

From dkupka at redhat.com Tue Jul 14 12:17:25 2015
From: dkupka at redhat.com (David Kupka)
Date: Tue, 14 Jul 2015 14:17:25 +0200
Subject: [Freeipa-devel] [PATCH 0283] copy-schema-to-ca: allow to overwrite schema files
In-Reply-To: <559FBB10.6030104@redhat.com>
References: <559FBB10.6030104@redhat.com>
Message-ID: <55A4FDD5.6020000@redhat.com>

On 10/07/15 14:31, Martin Basti wrote:
> https://fedorahosted.org/freeipa/ticket/5034
>
> Patch attached.
>

Works for me, ACK.

-- 
David Kupka

From pspacek at redhat.com Tue Jul 14 12:33:01 2015
From: pspacek at redhat.com (Petr Spacek)
Date: Tue, 14 Jul 2015 14:33:01 +0200
Subject: [Freeipa-devel] [PATCH 0052] Create server-dns sub-package
In-Reply-To: <5594EEA5.3060504@redhat.com>
References: <5593D93D.7090000@redhat.com> <5593E768.6030401@redhat.com> <5593EA5D.90404@redhat.com> <5594E0BC.8090803@redhat.com> <20150702070647.GH11876@redhat.com> <5594E598.7040400@redhat.com> <20150702073605.GI11876@redhat.com> <5594EEA5.3060504@redhat.com>
Message-ID: <55A5017D.5010608@redhat.com>

On 2.7.2015 09:56, Petr Spacek wrote:
> On 2.7.2015 09:36, Alexander Bokovoy wrote:
>> On Thu, 02 Jul 2015, Jan Cholasta wrote:
>>>>>>> Can this be done without adding server-core?
>>>>>> I'm not aware of such method (except of adding all DNS dependencies as
>>>>>> Requires straight into freeipa-server package).
>>>>>>
>>>>>>> Because it's not server core,
>>>>>>> it's the whole thing! Or maybe just rename it to server-common?
>>>>>>
>>>>>> I'm fine with 'common'. Ticket 4058 calls for sub-package for CA too so my
>>>>>> idea was to create 'core' package which will be gradually reduced
>>>>>> more and more.
>>>>>
>>>>> Well, I don't like the fact that in order to install IPA server
>>>>> without DNS you have to install freeipa-server-core instead of just
>>>>> freeipa-server. Fedora packaging guidelines [1] state that the
>>>>> metapackage should be named freeipa-server-compat, so I guess renaming
>>>>> freeipa-server to freeipa-server-compat and freeipa-server-core to
>>>>> freeipa-server is good enough.
>>>> I think you are misunderstanding what the guidelines say. -compat
>>>> subpackage is something that only contains Requires: and Obsoletes:, to
>>>> help to pull the right packages. It is not supposed to be a
>>>> full-featured package with content.
>>>
>>> With Petr's patch, freeipa-server is exactly that - a metapackage with
>>> requires and obsoletes only - hence my suggestion to rename it according to
>>> the guidelines.
>> That's not good.
>>
>>>> I think we are good enough with freeipa-server-dns. We have the same
>>>> situation with freeipa-server-trust-ad -- it is not required by the main
>>>> package and pulls in Samba-related bits. We also don't have any -compat
>>>> or metapackage for it.
>>>
>>> freeipa-server-dns is fine, what is IMO not fine is that it *is* required by
>>> the main freeipa-server package, *unlike* freeipa-server-trust-ad.
>>>
>>> We don't have a compat metapackage for freeipa-server-trust-ad, because
>>> there are no upgrade issues with it, which is what Petr is trying to solve
>>> with his patch.
>> So, the issue is that for installed bind+bind-dyndb-ldap combination we
>> need to switch to bind-pkcs11+bind-dyndb-ldap. Maybe instead of
>> modifying main freeipa package we could modify bind-dyndb-ldap package
>> to require bind-pkcs11 and corresponding bits of freeipa packages?
>
> Unfortunately, no.
> - bind-dyndb-ldap itself is used & supported even without FreeIPA.
> - bind-pkcs11 depends on properly configured SoftHSM (or other PKCS#11 provider)
> => upgrade could break non-FreeIPA installations.
>
> I'm attempting to rework the patch now, stay tuned.

Apparently this thread was abandoned during my PTO so I'm sending new patch
here. It includes the -compat package and works with YUM and DNF.

-- 
Petr^2 Spacek
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pspacek-0052-2-Create-server-dns-sub-package.patch
Type: text/x-patch
Size: 6472 bytes
Desc: not available
URL:

From pspacek at redhat.com Tue Jul 14 12:48:46 2015
From: pspacek at redhat.com (Petr Spacek)
Date: Tue, 14 Jul 2015 14:48:46 +0200
Subject: [Freeipa-devel] Why do we require DNS record when service is being added?
In-Reply-To: <20150714115051.GL21928@redhat.com>
References: <20150713173739.GB15217@redhat.com> <55A4ACB7.8010707@redhat.com> <20150714074540.GA10870@redhat.com> <20150714080832.GH21928@redhat.com> <55A4F6BB.4060506@redhat.com> <20150714115051.GL21928@redhat.com>
Message-ID: <55A5052E.8050508@redhat.com>

On 14.7.2015 13:50, Alexander Bokovoy wrote:
> On Tue, 14 Jul 2015, Petr Spacek wrote:
>> On 14.7.2015 10:08, Alexander Bokovoy wrote:
>>> On Tue, 14 Jul 2015, Jan Pazdziora wrote:
>>>> On Tue, Jul 14, 2015 at 08:31:19AM +0200, Petr Spacek wrote:
>>>>> On 13.7.2015 19:37, Jan Pazdziora wrote:
>>>>> >
>>>>> > However -- what is the purpose of the DNS check when adding service?
>>>>>
>>>>> The service is typically a Kerberos service, which usually is not going to
>>>>> work if the host does not have DNS record.
>>>>
>>>> So it's an error about existing *state* of the identity management
>>>> system, not an error of the service-add operation itself or error
>>>> about the result of that operation. IOW, the code tries to be smarter
>>>> than necessary, hitting users who attempt to do things right,
>>>> precreating host records. Plus it's an error about related object,
>>>> not the object being manipulated / created which in itself is
>>>> suspicious.
>>>>
>>>>> > Shouldn't that check be removed altogether?
>>>>> I would rather relax the check so it can detect usage of host-add
>>>>> --random/--password and emit a warning instead of hard error.
>>>>>
>>>>> What do you think about this approach?
>>>>
>>>> I guess you are then talking about not having that check in the
>>>> host-add operation, not service-add:
>>>>
>>>> # ipa host-add --random client56.example.test
>>>> ipa: ERROR: Host does not have corresponding DNS A/AAAA record
>>>>
>>>> Because to face the error during service-add, the user must already
>>>> have overridden the error for the host itself.
>>>>
>>>> So how about:
>>>>
>>>> No DNS check / error in host-add when --random is used.
>>>> No DNS check / error in service-add at all.
>>> I would still add a warning in service-add "Host ... does not exist in
>>> DNS, this service will not be accessible via Kerberos until A/AAAA
>>> record for the host will be created".
>>
>> Yes, this is what I meant - host-add should do the DNS check and spit only a
>> warning if --random/--password is used. Service-add should require the host to
>> exist (as it does now) but again the check should spit a warning instead of an
>> error if the host was created with --random.
> Sounds good to me.
>
> Will you make a ticket?

I would hijack https://fedorahosted.org/freeipa/ticket/3959 ...

-- 
Petr^2 Spacek

From mkubik at redhat.com Tue Jul 14 13:22:47 2015
From: mkubik at redhat.com (Milan Kubík)
Date: Tue, 14 Jul 2015 15:22:47 +0200
Subject: [Freeipa-devel] [PATCHES 0042-45] new commands for adding/removing certificates from entries
In-Reply-To: <55954E68.3040805@redhat.com>
References: <558947C9.9020509@redhat.com> <559103A2.4080706@redhat.com> <55926999.5020301@redhat.com> <5592797F.6030509@redhat.com> <55928F78.6010408@redhat.com> <5593E58A.90801@redhat.com> <55950095.3000700@redhat.com> <55950431.9020505@redhat.com> <559530A5.7060404@redhat.com> <55954C89.1090804@redhat.com> <55954E68.3040805@redhat.com>
Message-ID: <55A50D27.5000303@redhat.com>

On 07/02/2015 04:44 PM, Jan Cholasta wrote:
> On 2.7.2015 16:36, Martin Babinsky wrote:
>> On 07/02/2015 02:37 PM, Martin Babinsky wrote:
>>> On 07/02/2015 11:28 AM, Martin Babinsky wrote:
>>>> On 07/02/2015 11:12 AM, Martin Babinsky wrote:
>>>>> On 07/01/2015 03:05 PM, Martin Babinsky wrote:
>>>>>> On 06/30/2015 02:45 PM, Martin Babinsky wrote:
>>>>>>> On 06/30/2015 01:11 PM, Martin Babinsky wrote:
>>>>>>>> On 06/30/2015 12:04 PM, Jan Cholasta wrote:
>>>>>>>>> On 29.6.2015 10:36, Martin Babinsky wrote:
>>>>>>>>>> On 06/23/2015 01:49 PM, Martin Babinsky wrote:
>>>>>>>>>>> This patchset implements new API commands for manipulating
>>>>>>>>>>> user/host/service userCertificate attribute alongside some
>>>>>>>>>>> underlying plumbing.
>>>>>>>>>>>
>>>>>>>>>>> PATCH 0045 is a small test suite that I slapped together since
>>>>>>>>>>> manual testing of this stuff is very cumbersome. It requires my
>>>>>>>>>>> PATCH 0040 to apply and work which was pushed to master recently
>>>>>>>>>>> (commit 74883bbc959058c8bfafd9f63e8fad0e3792ac28).
>>>>>>>>>>>
>>>>>>>>>>> The work is related to
>>>>>>>>>>> http://www.freeipa.org/page/V4/User_Certificates
>>>>>>>>>>> and https://fedorahosted.org/freeipa/ticket/4238
>>>>>>>>>>>
>>>>>>>>>> Attaching updated patches.
>>>>>>>>>>
>>>>>>>>>> Here are some notes for Jan because I did some things differently
>>>>>>>>>> than we agreed on during review:
>>>>>>>>>>
>>>>>>>>>> 1.) I chose not to rename 'usercertificate' to 'usercertificate;binary'
>>>>>>>>>> and back in pre/post callbacks. Despite the fact that the correct way
>>>>>>>>>> to name the certificate attribute is 'usercertificate;binary', I feel
>>>>>>>>>> that suddenly renaming it in the new code is asking for trouble.
>>>>>>>>>
>>>>>>>>> New code is new, there is no renaming, there is naming, and that
>>>>>>>>> naming should follow standards, and the standard is
>>>>>>>>> userCertificate;binary.
>>>>>>>>>
>>>>>>>>> (For the record I did not ask for any renaming in *old* host and
>>>>>>>>> service code.)
>>>>>>>>>
>>>>>>>> OK I will then use 'usercertificate;binary' and try to not break
>>>>>>>> things.
>>>>>>>>>>
>>>>>>>>>> I'm all for changing the mapping between CLI options and actual
>>>>>>>>>> attribute names but it should be done in a systematic fashion.
>>>>>>>>>
>>>>>>>>> +1, shall I post a patch?
>>>>>>>>>
>>>>>>>> That would be great, but I'm not sure if there is time for it. Maybe
>>>>>>>> we can create a ticket for tracking?
>>>>>>>>>>
>>>>>>>>>> 2.) I have kept the `normalize_certs` function. It has the potential
>>>>>>>>>> to catch incorrectly formatted/encoded certificates and in a way
>>>>>>>>>> circumvents the slightly demented way the framework deals with
>>>>>>>>>> supposedly binary data.
>>>>>>>>>
>>>>>>>>> One sentence above you asked for doing things in systematic fashion.
>>>>>>>>> This is exactly what it isn't. A systematic solution would be a new
>>>>>>>>> parameter type for certificates.
>>>>>>>>>
>>>>>>>> Ha I didn't notice that incorrect encoding is caught by validator.
>>>>>>>>
>>>>>>>> But I think that we still need to catch malformed certificates that
>>>>>>>> can not be decoded to DER and AFAIK we don't do that anywhere (failing
>>>>>>>> tests when adding a random Base64-encoded string confirm this).
>>>>>>>>
>>>>>>>> All this probably stems from my confusion about the way IPA framework
>>>>>>>> guesses binary data. For example, if I call `api.Command.user_add_cert`
>>>>>>>> and fill 'certificate' option with Base64 blob reencoded to Unicode,
>>>>>>>> everything works as expected.
>>>>>>>>
>>>>>>>> However, filling this option with 'str' leads to another round of
>>>>>>>> Base64 encoding in the framework, leading to 'userCertificate;binary'
>>>>>>>> which is filled by original Base64 blob instead of DER encoded cert.
>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> I have also added two negative test cases which deal with
>>>>>>>>>> incorrectly encoded and formatted certificates.
>>>>>>>>>>
>>>>>>> Attaching updated patches (actually only 44 is updated, I added the
>>>>>>> rename to/from 'usercertificate;binary' to user pre/post callbacks).
>>>>>>>
>>>>>> Another patch update attached (mainly fixing pep8 complaints and
>>>>>> reworking certificate validation).
>>>>>>
>>>>> Updated patches attached.
>>>>>
>>>> I left a bug in PATCH 0043. Attaching updated version.
>>>>
>>> Attaching updated patches.
>>>
>> Attaching revised patchset.
>
> Thanks, ACK on patch 42-44.
>
> Pushed to master: 76eea85701af80dc972c47e14aecc7a688b9c846
>
>> It would be nice if Milan could comment on PATCH 0045.
>
> (I did not push this patch.)
>

Hi, sorry for the delay.

The test looks good to me. Though we'd better rewrite the test after the Trackers for the plugins involved in certificate signing and CA ACL enforcement are available.
It won't be necessary right away, though.

ACK

Thanks,
Milan

From npmccallum at redhat.com Tue Jul 14 13:23:04 2015
From: npmccallum at redhat.com (Nathaniel McCallum)
Date: Tue, 14 Jul 2015 09:23:04 -0400 (EDT)
Subject: [Freeipa-devel] 4.3 Branch?
In-Reply-To: <2127739068.41148589.1436880103171.JavaMail.zimbra@redhat.com>
Message-ID: <1192868348.41149398.1436880184299.JavaMail.zimbra@redhat.com>

4.3 is going to be a very narrow feature release. Should we branch 4.3 early so that we can still land new features on master during 4.3?

From jcholast at redhat.com Tue Jul 14 14:29:18 2015
From: jcholast at redhat.com (Jan Cholasta)
Date: Tue, 14 Jul 2015 16:29:18 +0200
Subject: [Freeipa-devel] [PATCH 0052] Create server-dns sub-package
In-Reply-To: <55A5017D.5010608@redhat.com>
References: <5593D93D.7090000@redhat.com> <5593E768.6030401@redhat.com> <5593EA5D.90404@redhat.com> <5594E0BC.8090803@redhat.com> <20150702070647.GH11876@redhat.com> <5594E598.7040400@redhat.com> <20150702073605.GI11876@redhat.com> <5594EEA5.3060504@redhat.com> <55A5017D.5010608@redhat.com>
Message-ID: <55A51CBE.7040702@redhat.com>

On 14.7.2015 14:33, Petr Spacek wrote:
> On 2.7.2015 09:56, Petr Spacek wrote:
>> On 2.7.2015 09:36, Alexander Bokovoy wrote:
>>> On Thu, 02 Jul 2015, Jan Cholasta wrote:
>>>>>>>> Can this be done without adding server-core?
>>>>>>> I'm not aware of such method (except of adding all DNS dependencies as
>>>>>>> Requires straight into freeipa-server package).
>>>>>>>
>>>>>>>> Because it's not server core,
>>>>>>>> it's the whole thing! Or maybe just rename it to server-common?
>>>>>>>
>>>>>>> I'm fine with 'common'. Ticket 4058 calls for sub-package for CA too so my
>>>>>>> idea was to create 'core' package which will be gradually reduced
>>>>>>> more and more.
>>>>>>
>>>>>> Well, I don't like the fact that in order to install IPA server
>>>>>> without DNS you have to install freeipa-server-core instead of just
>>>>>> freeipa-server. Fedora packaging guidelines [1] state that the
>>>>>> metapackage should be named freeipa-server-compat, so I guess renaming
>>>>>> freeipa-server to freeipa-server-compat and freeipa-server-core to
>>>>>> freeipa-server is good enough.
>>>>> I think you are misunderstanding what the guidelines say. -compat
>>>>> subpackage is something that only contains Requires: and Obsoletes:, to
>>>>> help to pull the right packages. It is not supposed to be a
>>>>> full-featured package with content.
>>>>
>>>> With Petr's patch, freeipa-server is exactly that - a metapackage with
>>>> requires and obsoletes only - hence my suggestion to rename it according to
>>>> the guidelines.
>>> That's not good.
>>>
>>>>> I think we are good enough with freeipa-server-dns. We have the same
>>>>> situation with freeipa-server-trust-ad -- it is not required by the main
>>>>> package and pulls in Samba-related bits. We also don't have any -compat
>>>>> or metapackage for it.
>>>>
>>>> freeipa-server-dns is fine, what is IMO not fine is that it *is* required by
>>>> the main freeipa-server package, *unlike* freeipa-server-trust-ad.
>>>>
>>>> We don't have a compat metapackage for freeipa-server-trust-ad, because
>>>> there are no upgrade issues with it, which is what Petr is trying to solve
>>>> with his patch.
>>> So, the issue is that for installed bind+bind-dyndb-ldap combination we
>>> need to switch to bind-pkcs11+bind-dyndb-ldap. Maybe instead of
>>> modifying main freeipa package we could modify bind-dyndb-ldap package
>>> to require bind-pkcs11 and corresponding bits of freeipa packages?
>>
>> Unfortunately, no.
>> - bind-dyndb-ldap itself is used & supported even without FreeIPA.
>> - bind-pkcs11 depends on properly configured SoftHSM (or other PKCS#11 provider)
>> => upgrade could break non-FreeIPA installations.
>>
>> I'm attempting to rework the patch now, stay tuned.
>
> Apparently this thread was abandoned during my PTO so I'm sending new patch
> here. It includes the -compat package and works with YUM and DNF.

I don't like that freeipa-server got renamed to freeipa-server-core, but I
won't push against it if Alexander and others (CCing Simo) are OK with it.

-- 
Jan Cholasta

From pspacek at redhat.com Tue Jul 14 14:33:41 2015
From: pspacek at redhat.com (Petr Spacek)
Date: Tue, 14 Jul 2015 16:33:41 +0200
Subject: [Freeipa-devel] [PATCH 0052] Create server-dns sub-package
In-Reply-To: <55A51CBE.7040702@redhat.com>
References: <5593D93D.7090000@redhat.com> <5593E768.6030401@redhat.com> <5593EA5D.90404@redhat.com> <5594E0BC.8090803@redhat.com> <20150702070647.GH11876@redhat.com> <5594E598.7040400@redhat.com> <20150702073605.GI11876@redhat.com> <5594EEA5.3060504@redhat.com> <55A5017D.5010608@redhat.com> <55A51CBE.7040702@redhat.com>
Message-ID: <55A51DC5.6090209@redhat.com>

On 14.7.2015 16:29, Jan Cholasta wrote:
> On 14.7.2015 14:33, Petr Spacek wrote:
>> On 2.7.2015 09:56, Petr Spacek wrote:
>>> On 2.7.2015 09:36, Alexander Bokovoy wrote:
>>>> On Thu, 02 Jul 2015, Jan Cholasta wrote:
>>>>>>>>> Can this be done without adding server-core?
>>>>>>>> I'm not aware of such method (except of adding all DNS dependencies as
>>>>>>>> Requires straight into freeipa-server package).
>>>>>>>>
>>>>>>>>> Because it's not server core,
>>>>>>>>> it's the whole thing! Or maybe just rename it to server-common?
>>>>>>>>
>>>>>>>> I'm fine with 'common'. Ticket 4058 calls for sub-package for CA too so my
>>>>>>>> idea was to create 'core' package which will be gradually reduced
>>>>>>>> more and more.
>>>>>>>
>>>>>>> Well, I don't like the fact that in order to install IPA server
>>>>>>> without DNS you have to install freeipa-server-core instead of just
>>>>>>> freeipa-server. Fedora packaging guidelines [1] state that the
>>>>>>> metapackage should be named freeipa-server-compat, so I guess renaming
>>>>>>> freeipa-server to freeipa-server-compat and freeipa-server-core to
>>>>>>> freeipa-server is good enough.
>>>>>> I think you are misunderstanding what the guidelines say. -compat
>>>>>> subpackage is something that only contains Requires: and Obsoletes:, to
>>>>>> help to pull the right packages. It is not supposed to be a
>>>>>> full-featured package with content.
>>>>>
>>>>> With Petr's patch, freeipa-server is exactly that - a metapackage with
>>>>> requires and obsoletes only - hence my suggestion to rename it according to
>>>>> the guidelines.
>>>> That's not good.
>>>>
>>>>>> I think we are good enough with freeipa-server-dns. We have the same
>>>>>> situation with freeipa-server-trust-ad -- it is not required by the main
>>>>>> package and pulls in Samba-related bits. We also don't have any -compat
>>>>>> or metapackage for it.
>>>>>
>>>>> freeipa-server-dns is fine, what is IMO not fine is that it *is* required by
>>>>> the main freeipa-server package, *unlike* freeipa-server-trust-ad.
>>>>>
>>>>> We don't have a compat metapackage for freeipa-server-trust-ad, because
>>>>> there are no upgrade issues with it, which is what Petr is trying to solve
>>>>> with his patch.
>>>> So, the issue is that for installed bind+bind-dyndb-ldap combination we
>>>> need to switch to bind-pkcs11+bind-dyndb-ldap. Maybe instead of
>>>> modifying main freeipa package we could modify bind-dyndb-ldap package
>>>> to require bind-pkcs11 and corresponding bits of freeipa packages?
>>>
>>> Unfortunately, no.
>>> - bind-dyndb-ldap itself is used & supported even without FreeIPA.
>>> - bind-pkcs11 depends on properly configured SoftHSM (or other PKCS#11 provider)
>>> => upgrade could break non-FreeIPA installations.
>>>
>>> I'm attempting to rework the patch now, stay tuned.
>>
>> Apparently this thread was abandoned during my PTO so I'm sending new patch
>> here. It includes the -compat package and works with YUM and DNF.
>
> I don't like that freeipa-server got renamed to freeipa-server-core, but I
> won't push against it if Alexander and others (CCing Simo) are OK with it.

For the record, I was not able to make it work without the rename.

-- 
Petr^2 Spacek

From abokovoy at redhat.com Tue Jul 14 14:46:29 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 14 Jul 2015 17:46:29 +0300
Subject: [Freeipa-devel] [PATCH 0052] Create server-dns sub-package
In-Reply-To: <55A51DC5.6090209@redhat.com>
References: <5593E768.6030401@redhat.com> <5593EA5D.90404@redhat.com> <5594E0BC.8090803@redhat.com> <20150702070647.GH11876@redhat.com> <5594E598.7040400@redhat.com> <20150702073605.GI11876@redhat.com> <5594EEA5.3060504@redhat.com> <55A5017D.5010608@redhat.com> <55A51CBE.7040702@redhat.com> <55A51DC5.6090209@redhat.com>
Message-ID: <20150714144629.GN21928@redhat.com>

On Tue, 14 Jul 2015, Petr Spacek wrote:
>On 14.7.2015 16:29, Jan Cholasta wrote:
>> On 14.7.2015 14:33, Petr Spacek wrote:
>>> On 2.7.2015 09:56, Petr Spacek wrote:
>>>> On 2.7.2015 09:36, Alexander Bokovoy wrote:
>>>>> On Thu, 02 Jul 2015, Jan Cholasta wrote:
>>>>>>>>>> Can this be done without adding server-core?
>>>>>>>>> I'm not aware of such method (except of adding all DNS dependencies as
>>>>>>>>> Requires straight into freeipa-server package).
>>>>>>>>>
>>>>>>>>>> Because it's not server core,
>>>>>>>>>> it's the whole thing! Or maybe just rename it to server-common?
>>>>>>>>>
>>>>>>>>> I'm fine with 'common'. Ticket 4058 calls for sub-package for CA too so my
>>>>>>>>> idea was to create 'core' package which will be gradually reduced
>>>>>>>>> more and more.
>>>>>>>>
>>>>>>>> Well, I don't like the fact that in order to install IPA server
>>>>>>>> without DNS you have to install freeipa-server-core instead of just
>>>>>>>> freeipa-server. Fedora packaging guidelines [1] state that the
>>>>>>>> metapackage should be named freeipa-server-compat, so I guess renaming
>>>>>>>> freeipa-server to freeipa-server-compat and freeipa-server-core to
>>>>>>>> freeipa-server is good enough.
>>>>>>> I think you are misunderstanding what the guidelines say. -compat
>>>>>>> subpackage is something that only contains Requires: and Obsoletes:, to
>>>>>>> help to pull the right packages.
It is not supposed to be a >>>>>>> full-featured package with content. >>>>>> >>>>>> With Petr's patch, freeipa-server is exactly that - a metapackage with >>>>>> requires and obsoletes only - hence my suggestion to rename it according to >>>>>> the guidelines. >>>>> That's not good. >>>>> >>>>>>> I think we are good enough with freeipa-server-dns. We have the same >>>>>>> situation with freeipa-server-trust-ad -- it is not required by the main >>>>>>> package and pulls in Samba-related bits. We also don't have any -compat >>>>>>> or metapackage for it. >>>>>> >>>>>> freeipa-server-dns is fine, what is IMO not fine is that it *is* required by >>>>>> the main freeipa-server package, *unlike* freeipa-server-trust-ad. >>>>>> >>>>>> We don't have a compat metapackage for freeipa-server-trust-ad, because >>>>>> there are no upgrade issues with it, which is what Petr is trying to solve >>>>>> with his patch. >>>>> So, the issue is that for installed bind+bind-dyndb-ldap combination we >>>>> need to switch to bind-pkcs11+bind-dyndb-ldap. Maybe instead of >>>>> modifying main freeipa package we could modify bind-dyndb-ldap package >>>>> to require bind-pkcs11 and corresponding bits of freeipa packages? >>>> >>>> Unfortunately, no. >>>> - bind-dyndb-ldap itself is used & supported even without FreeIPA. >>>> - bind-pkcs11 depends on properly configured SoftHSM (or other PKCS#11 >>>> provider) >>>> => upgrade could break non-FreeIPA installations. >>>> >>>> I'm attempting to rework the patch now, stay tuned. >>> >>> Apparently this thread was abandoned during my PTO so I'm sending new patch >>> here. It includes the -compat package and works with YUM and DNF. >> >> I don't like that freeipa-server got renamed to freeipa-server-core, but I >> won't push against it if Alexander and others (CCing Simo) are OK with it. > >For the record, I was not able to make it work without the rename. This is on my review list for this week. 
-- 
/ Alexander Bokovoy

From pspacek at redhat.com Tue Jul 14 16:03:43 2015
From: pspacek at redhat.com (Petr Spacek)
Date: Tue, 14 Jul 2015 18:03:43 +0200
Subject: [Freeipa-devel] ipa-devel repos on jdennis.fedorapeople.org
Message-ID: <55A532DF.7070302@redhat.com>

Hello,

Is anyone using repos
https://jdennis.fedorapeople.org/ipa-devel/
?

AFAIK nobody in Brno is seriously using it but I'm not sure about people
outside the Brno.

Could we use COPR instead and get out of builder business? Upcoming lab
maintenance window could be a good time to do that.

-- 
Petr^2 Spacek

From pvoborni at redhat.com Tue Jul 14 16:47:40 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Tue, 14 Jul 2015 18:47:40 +0200
Subject: [Freeipa-devel] [PATCH] 902 webui: fix user reset password dialog
Message-ID: <55A53D2C.2070407@redhat.com>

Could not open user password dialog.

regression introduced in ed78dcfa3acde7aeb1f381f49988c6911c5277ee

https://fedorahosted.org/freeipa/ticket/5131

-- 
Petr Vobornik
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0902-webui-fix-user-reset-password-dialog.patch
Type: text/x-patch
Size: 2256 bytes
Desc: not available
URL: 

From jdennis at redhat.com Tue Jul 14 16:49:23 2015
From: jdennis at redhat.com (John Dennis)
Date: Tue, 14 Jul 2015 12:49:23 -0400
Subject: [Freeipa-devel] ipa-devel repos on jdennis.fedorapeople.org
In-Reply-To: <55A532DF.7070302@redhat.com>
References: <55A532DF.7070302@redhat.com>
Message-ID: <55A53D93.4050201@redhat.com>

On 07/14/2015 12:03 PM, Petr Spacek wrote:
> Hello,
>
> Is anyone using repos
> https://jdennis.fedorapeople.org/ipa-devel/
> ?
>
> AFAIK nobody in Brno is seriously using it but I'm not sure about people
> outside the Brno.
>
> Could we use COPR instead and get out of builder business? Upcoming lab
> maintenance window could be a good time to do that.

I would love to get out of the builder business and I suspect Nalin would
as well [1]. The question came up in our Monday meeting as well. Nobody
seems to know if anyone was using these builds and why we weren't using
COPR. The setup we're using was designed and implemented many years ago,
long before COPR. It's probably time to retire it. The repo is composed
on an F17 VM which is now pretty old; I'm not sure how that plays now
that F22 has moved to dnf.

Of course this means somebody has to set up the COPR builds and maintain
them.

[1] Nalin does the builds, I create the repo from the builds Nalin
produces.

-- 
John

From pvoborni at redhat.com Tue Jul 14 16:50:14 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Tue, 14 Jul 2015 18:50:14 +0200
Subject: [Freeipa-devel] [PATCH] 903 fix hbac rule search for non-admin users
Message-ID: <55A53DC6.70105@redhat.com>

hbacrule has in its default attributes (which are used in search) the
attribute 'memberhostgroup'. This attr is not in ACI nor in schema. If
the search contains an attribute which can't be read then the search
won't return anything. Therefore all searches with filter set fail.

Also I don't think this is a proper fix because any custom ACIs will
cause the bug again. Same issue in
https://fedorahosted.org/freeipa/ticket/5055

https://fedorahosted.org/freeipa/ticket/5130

-- 
Petr Vobornik
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0903-fix-hbac-rule-search-for-non-admin-users.patch
Type: text/x-patch
Size: 1221 bytes
Desc: not available
URL: 

From derny at redhat.com Tue Jul 14 17:44:50 2015
From: derny at redhat.com (Drew Erny)
Date: Tue, 14 Jul 2015 13:44:50 -0400
Subject: [Freeipa-devel] Finishing the Community Portal
Message-ID: <55A54A92.90200@redhat.com>

Hi, all,

I'm just about finished with the Community Portal, which I've said a
couple of times, but I really mean it this time. The Captcha was the last
technical detail that needed addressing. At this point, any further
programming is going to be dedicated to configuration of the application.

Right now, an organization could deploy the community portal in about a
day, if they had a programmer handy who pulled down my source, changed a
bunch of hard-coded configuration, and stuck it on a server. This might
be acceptable, especially in the first iteration of the application, but
it probably isn't.

How do I go about packaging the web app that I built so that it can be
deployed quickly to a server? Someone off-list, I think, mentioned making
it deployable to OpenShift? Basically, what do I have to do to call this
application Finished?

The code is located at github.com/dperny/freeipa-communityportal

Thanks,

Drew Erny

From jcholast at redhat.com Wed Jul 15 07:08:53 2015
From: jcholast at redhat.com (Jan Cholasta)
Date: Wed, 15 Jul 2015 09:08:53 +0200
Subject: [Freeipa-devel] [PATCH 0284] stageuser-activate: show user name in error message instead of DN
In-Reply-To: <55A3B721.1090606@redhat.com>
References: <559FBFE9.8000308@redhat.com> <55A3B721.1090606@redhat.com>
Message-ID: <55A60705.1070803@redhat.com>

Dne 13.7.2015 v 15:03 David Kupka napsal(a):
> On 10/07/15 14:51, Martin Basti wrote:
>> https://fedorahosted.org/freeipa/ticket/5038
>>
>> I reworded the error message to keep the same format as stageuser-add
>> and user-add.
>>
>> Patch attached.
>>
>>
>>
> Works for me, ACK.
>

Pushed to:
master: c144ea6feff2a712e4862f4e3c2fa882309da5b8
ipa-4-2: 49802bff910bf9ba9eb6fda7e0f255e0a688611f

-- 
Jan Cholasta

From jcholast at redhat.com Wed Jul 15 07:11:39 2015
From: jcholast at redhat.com (Jan Cholasta)
Date: Wed, 15 Jul 2015 09:11:39 +0200
Subject: [Freeipa-devel] [PATCH 0283] copy-schema-to-ca: allow to overwrite schema files
In-Reply-To: <55A4FDD5.6020000@redhat.com>
References: <559FBB10.6030104@redhat.com> <55A4FDD5.6020000@redhat.com>
Message-ID: <55A607AB.6080709@redhat.com>

Dne 14.7.2015 v 14:17 David Kupka napsal(a):
> On 10/07/15 14:31, Martin Basti wrote:
>> https://fedorahosted.org/freeipa/ticket/5034
>>
>> Patch attached.
>>
>>
>>
> Works for me, ACK.
>

Pushed to:
master: 8bc0e9693b4b8356859b00afecd150b5c75fed99
ipa-4-2: cbdeba7a73c20b60b748558e63cf8672387febda

-- 
Jan Cholasta

From jpazdziora at redhat.com Wed Jul 15 07:44:50 2015
From: jpazdziora at redhat.com (Jan Pazdziora)
Date: Wed, 15 Jul 2015 09:44:50 +0200
Subject: [Freeipa-devel] ipa-devel repos on jdennis.fedorapeople.org
In-Reply-To: <55A53D93.4050201@redhat.com>
References: <55A532DF.7070302@redhat.com> <55A53D93.4050201@redhat.com>
Message-ID: <20150715074450.GL4218@redhat.com>

On Tue, Jul 14, 2015 at 12:49:23PM -0400, John Dennis wrote:
> On 07/14/2015 12:03 PM, Petr Spacek wrote:
> >Hello,
> >
> >Is anyone using repos
> >https://jdennis.fedorapeople.org/ipa-devel/
> >?
> >
> >AFAIK nobody in Brno is seriously using it but I'm not sure about people
> >outside the Brno.
> >
> >Could we use COPR instead and get out of builder business? Upcoming lab
> >maintenance window could be a good time to do that.
>
> I would love to get out of the builder business and I suspect Nalin would as
> well [1]. The question came up in our Monday meeting as well. Nobody seem to
> know if anyone was using these builds and why we weren't using COPR. The

The Fedora infra admins should be able to provide HTTP logs for the repo,
if you need some numbers about potential usage.

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

From ofayans at redhat.com Wed Jul 15 09:07:29 2015
From: ofayans at redhat.com (Oleg Fayans)
Date: Wed, 15 Jul 2015 11:07:29 +0200
Subject: [Freeipa-devel] Unable to acquire replicaLDAP during replica installation
Message-ID: <55A622D1.2000203@redhat.com>

Hi everybody,

The following error was encountered during installation of one of the
replicas using the packages built from the latest upstream code:

[error] RuntimeError: One of the ldap service principals is missing.
Replication agreement cannot be converted.
Replication error message: Unable to acquire replicaLDAP error: No such object

The second replica however was installed successfully.

Installation log and dirsrv errors log are attached

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
[15/Jul/2015:04:44:44 -0400] - import userRoot: Indexing complete. Post-processing... [15/Jul/2015:04:44:44 -0400] - import userRoot: Generating numsubordinates (this may take several minutes to complete)... [15/Jul/2015:04:44:44 -0400] - import userRoot: Generating numSubordinates complete. [15/Jul/2015:04:44:44 -0400] - import userRoot: Gathering ancestorid non-leaf IDs... [15/Jul/2015:04:44:44 -0400] - import userRoot: Finished gathering ancestorid non-leaf IDs. [15/Jul/2015:04:44:44 -0400] - Nothing to do to build ancestorid index [15/Jul/2015:04:44:44 -0400] - import userRoot: Created ancestorid index (new idl). [15/Jul/2015:04:44:44 -0400] - import userRoot: Flushing caches... [15/Jul/2015:04:44:44 -0400] - import userRoot: Closing files... [15/Jul/2015:04:44:44 -0400] - All database threads now stopped [15/Jul/2015:04:44:44 -0400] - import userRoot: Import complete. Processed 1 entries in 1 seconds. (1.00 entries/sec) [15/Jul/2015:04:44:45 -0400] - 389-Directory/1.3.4.1 B2015.181.1428 starting up [15/Jul/2015:04:44:45 -0400] - Db home directory is not set. Possibly nsslapd-directory (optionally nsslapd-db-home-directory) is missing in the config file. [15/Jul/2015:04:44:45 -0400] - resizing db cache size: 701878272 -> 10000000 [15/Jul/2015:04:44:46 -0400] - convert_pbe_des_to_aes: Converting DES passwords to AES... [15/Jul/2015:04:44:46 -0400] - convert_pbe_des_to_aes: Successfully disabled DES plugin (cn=DES,cn=Password Storage Schemes,cn=plugins,cn=config) [15/Jul/2015:04:44:46 -0400] - convert_pbe_des_to_aes: Finished - no DES passwords to convert. [15/Jul/2015:04:44:46 -0400] - slapd started. 
Listening on All Interfaces port 389 for LDAP requests [15/Jul/2015:04:44:47 -0400] - slapd shutting down - signaling operation threads - op stack size 0 max work q size 0 max work q stack size 0 [15/Jul/2015:04:44:47 -0400] - slapd shutting down - closing down internal subsystems and plugins [15/Jul/2015:04:44:47 -0400] - Waiting for 4 database threads to stop [15/Jul/2015:04:44:48 -0400] - All database threads now stopped [15/Jul/2015:04:44:48 -0400] - slapd shutting down - freed 0 work q stack objects - freed 0 op stack objects [15/Jul/2015:04:44:48 -0400] - slapd stopped. [15/Jul/2015:04:44:49 -0400] - 389-Directory/1.3.4.1 B2015.181.1428 starting up [15/Jul/2015:04:44:49 -0400] - slapd started. Listening on All Interfaces port 389 for LDAP requests [15/Jul/2015:04:44:50 -0400] - The change of nsslapd-ldapilisten will not take effect until the server is restarted [15/Jul/2015:04:44:50 -0400] - Warning: Adding configuration attribute "nsslapd-security" [15/Jul/2015:04:44:51 -0400] - slapd shutting down - signaling operation threads - op stack size 2 max work q size 1 max work q stack size 1 [15/Jul/2015:04:44:51 -0400] - slapd shutting down - waiting for 1 thread to terminate [15/Jul/2015:04:44:51 -0400] - slapd shutting down - closing down internal subsystems and plugins [15/Jul/2015:04:44:51 -0400] - Waiting for 4 database threads to stop [15/Jul/2015:04:44:51 -0400] - All database threads now stopped [15/Jul/2015:04:44:51 -0400] - slapd shutting down - freed 1 work q stack objects - freed 2 op stack objects [15/Jul/2015:04:44:51 -0400] - slapd stopped. 
[15/Jul/2015:04:44:52 -0400] - SSL alert: Configured NSS Ciphers [15/Jul/2015:04:44:52 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled [15/Jul/2015:04:44:52 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled [15/Jul/2015:04:44:52 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled [15/Jul/2015:04:44:53 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled [15/Jul/2015:04:44:53 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled [15/Jul/2015:04:44:53 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled [15/Jul/2015:04:44:53 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled [15/Jul/2015:04:44:53 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled [15/Jul/2015:04:44:53 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled [15/Jul/2015:04:44:53 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled [15/Jul/2015:04:44:53 -0400] - SSL alert: TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled [15/Jul/2015:04:44:53 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled [15/Jul/2015:04:44:53 -0400] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled [15/Jul/2015:04:44:53 -0400] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA: enabled [15/Jul/2015:04:44:53 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled [15/Jul/2015:04:44:53 -0400] - SSL alert: TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled [15/Jul/2015:04:44:53 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled [15/Jul/2015:04:44:53 -0400] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled [15/Jul/2015:04:44:53 -0400] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA: enabled [15/Jul/2015:04:44:53 -0400] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: enabled [15/Jul/2015:04:44:53 -0400] - SSL alert: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: enabled [15/Jul/2015:04:44:53 -0400] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: enabled 
[15/Jul/2015:04:44:53 -0400] - SSL alert: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: enabled [15/Jul/2015:04:44:53 -0400] - SSL alert: TLS_RSA_WITH_AES_128_GCM_SHA256: enabled [15/Jul/2015:04:44:53 -0400] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA: enabled [15/Jul/2015:04:44:53 -0400] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA256: enabled [15/Jul/2015:04:44:53 -0400] - SSL alert: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled [15/Jul/2015:04:44:53 -0400] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA: enabled [15/Jul/2015:04:44:53 -0400] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA256: enabled [15/Jul/2015:04:44:53 -0400] - SSL alert: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled [15/Jul/2015:04:44:53 -0400] - SSL alert: TLS_RSA_WITH_SEED_CBC_SHA: enabled [15/Jul/2015:04:44:53 -0400] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2 [15/Jul/2015:04:44:53 -0400] - 389-Directory/1.3.4.1 B2015.181.1428 starting up [15/Jul/2015:04:44:53 -0400] attrcrypt - No symmetric key found for cipher AES in backend userRoot, attempting to create one... [15/Jul/2015:04:44:53 -0400] attrcrypt - Key for cipher AES successfully generated and stored [15/Jul/2015:04:44:53 -0400] attrcrypt - No symmetric key found for cipher 3DES in backend userRoot, attempting to create one... [15/Jul/2015:04:44:54 -0400] attrcrypt - Key for cipher 3DES successfully generated and stored [15/Jul/2015:04:44:54 -0400] ipalockout_get_global_config - [file ipa_lockout.c, line 185]: Failed to get default realm (-1765328160) [15/Jul/2015:04:44:54 -0400] ipaenrollment_start - [file ipa_enrollment.c, line 393]: Failed to get default realm?! [15/Jul/2015:04:44:54 -0400] - slapd started. 
Listening on All Interfaces port 389 for LDAP requests [15/Jul/2015:04:44:54 -0400] - Listening on All Interfaces port 636 for LDAPS requests [15/Jul/2015:04:44:54 -0400] - Listening on /var/run/slapd-PESEN-NET.socket for LDAPI requests [15/Jul/2015:04:44:55 -0400] - slapd shutting down - signaling operation threads - op stack size 2 max work q size 1 max work q stack size 1 [15/Jul/2015:04:44:55 -0400] - slapd shutting down - waiting for 1 thread to terminate [15/Jul/2015:04:44:55 -0400] - slapd shutting down - closing down internal subsystems and plugins [15/Jul/2015:04:44:55 -0400] - Waiting for 4 database threads to stop [15/Jul/2015:04:44:55 -0400] - All database threads now stopped [15/Jul/2015:04:44:55 -0400] - slapd shutting down - freed 1 work q stack objects - freed 2 op stack objects [15/Jul/2015:04:44:55 -0400] - slapd stopped. [15/Jul/2015:04:44:56 -0400] - SSL alert: Configured NSS Ciphers [15/Jul/2015:04:44:56 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled [15/Jul/2015:04:44:56 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled [15/Jul/2015:04:44:56 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled [15/Jul/2015:04:44:56 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled [15/Jul/2015:04:44:56 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled [15/Jul/2015:04:44:56 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled [15/Jul/2015:04:44:56 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled [15/Jul/2015:04:44:56 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled [15/Jul/2015:04:44:56 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled [15/Jul/2015:04:44:57 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled [15/Jul/2015:04:44:57 -0400] - SSL alert: TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled [15/Jul/2015:04:44:57 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled [15/Jul/2015:04:44:57 -0400] - 
SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled [15/Jul/2015:04:44:57 -0400] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA: enabled [15/Jul/2015:04:44:57 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled [15/Jul/2015:04:44:57 -0400] - SSL alert: TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled [15/Jul/2015:04:44:57 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled [15/Jul/2015:04:44:57 -0400] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled [15/Jul/2015:04:44:57 -0400] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA: enabled [15/Jul/2015:04:44:57 -0400] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: enabled [15/Jul/2015:04:44:58 -0400] - SSL alert: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: enabled [15/Jul/2015:04:44:58 -0400] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: enabled [15/Jul/2015:04:44:58 -0400] - SSL alert: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: enabled [15/Jul/2015:04:44:58 -0400] - SSL alert: TLS_RSA_WITH_AES_128_GCM_SHA256: enabled [15/Jul/2015:04:44:58 -0400] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA: enabled [15/Jul/2015:04:44:58 -0400] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA256: enabled [15/Jul/2015:04:44:58 -0400] - SSL alert: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled [15/Jul/2015:04:44:58 -0400] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA: enabled [15/Jul/2015:04:44:58 -0400] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA256: enabled [15/Jul/2015:04:44:58 -0400] - SSL alert: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled [15/Jul/2015:04:44:58 -0400] - SSL alert: TLS_RSA_WITH_SEED_CBC_SHA: enabled [15/Jul/2015:04:44:58 -0400] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2 [15/Jul/2015:04:44:58 -0400] - 389-Directory/1.3.4.1 B2015.181.1428 starting up [15/Jul/2015:04:44:58 -0400] ipalockout_get_global_config - [file ipa_lockout.c, line 185]: Failed to get default realm (-1765328160) [15/Jul/2015:04:44:58 -0400] ipaenrollment_start - [file ipa_enrollment.c, line 393]: Failed to get 
default realm?! [15/Jul/2015:04:44:58 -0400] - slapd started. Listening on All Interfaces port 389 for LDAP requests [15/Jul/2015:04:44:58 -0400] - Listening on All Interfaces port 636 for LDAPS requests [15/Jul/2015:04:44:58 -0400] - Listening on /var/run/slapd-PESEN-NET.socket for LDAPI requests [15/Jul/2015:04:45:01 -0400] ipa-topology-plugin - ipa_topo_be_state_changebackend userRoot is going offline; inactivate plugin [15/Jul/2015:04:45:01 -0400] NSMMReplicationPlugin - multimaster_be_state_change: replica dc=pesen,dc=net is going offline; disabling replication [15/Jul/2015:04:45:01 -0400] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database [15/Jul/2015:04:45:05 -0400] - import userRoot: Workers finished; cleaning up... [15/Jul/2015:04:45:05 -0400] - import userRoot: Workers cleaned up. [15/Jul/2015:04:45:05 -0400] - import userRoot: Indexing complete. Post-processing... [15/Jul/2015:04:45:05 -0400] - import userRoot: Generating numsubordinates (this may take several minutes to complete)... [15/Jul/2015:04:45:05 -0400] - import userRoot: Generating numSubordinates complete. [15/Jul/2015:04:45:05 -0400] - import userRoot: Gathering ancestorid non-leaf IDs... [15/Jul/2015:04:45:05 -0400] - import userRoot: Finished gathering ancestorid non-leaf IDs. [15/Jul/2015:04:45:05 -0400] - import userRoot: Creating ancestorid index (new idl)... [15/Jul/2015:04:45:06 -0400] - import userRoot: Created ancestorid index (new idl). [15/Jul/2015:04:45:06 -0400] - import userRoot: Flushing caches... [15/Jul/2015:04:45:06 -0400] - import userRoot: Closing files... [15/Jul/2015:04:45:08 -0400] - import userRoot: Import complete. Processed 405 entries in 6 seconds. 
(67.50 entries/sec) [15/Jul/2015:04:45:08 -0400] ipa-topology-plugin - ipa_topo_be_state_change - backend userRoot is coming online; checking domain level and init shared topology [15/Jul/2015:04:45:08 -0400] NSMMReplicationPlugin - multimaster_be_state_change: replica dc=pesen,dc=net is coming online; enabling replication [15/Jul/2015:04:45:08 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=pesen,dc=net--no CoS Templates found, which should be added before the CoS Definition. [15/Jul/2015:04:45:08 -0400] NSACLPlugin - The ACL target cn=groups,cn=compat,dc=pesen,dc=net does not exist [15/Jul/2015:04:45:08 -0400] NSACLPlugin - The ACL target cn=computers,cn=compat,dc=pesen,dc=net does not exist [15/Jul/2015:04:45:08 -0400] NSACLPlugin - The ACL target cn=ng,cn=compat,dc=pesen,dc=net does not exist [15/Jul/2015:04:45:08 -0400] NSACLPlugin - The ACL target ou=sudoers,dc=pesen,dc=net does not exist [15/Jul/2015:04:45:08 -0400] NSACLPlugin - The ACL target cn=users,cn=compat,dc=pesen,dc=net does not exist [15/Jul/2015:04:45:08 -0400] NSACLPlugin - The ACL target cn=ad,cn=etc,dc=pesen,dc=net does not exist [15/Jul/2015:04:45:08 -0400] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=pesen,dc=net does not exist [15/Jul/2015:04:45:08 -0400] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=pesen,dc=net does not exist [15/Jul/2015:04:45:13 -0400] - slapd shutting down - signaling operation threads - op stack size 3 max work q size 2 max work q stack size 2 [15/Jul/2015:04:45:13 -0400] - slapd shutting down - waiting for 1 thread to terminate [15/Jul/2015:04:45:13 -0400] - slapd shutting down - closing down internal subsystems and plugins [15/Jul/2015:04:45:14 -0400] - Waiting for 4 database threads to stop [15/Jul/2015:04:45:14 -0400] - All database threads now stopped [15/Jul/2015:04:45:14 -0400] - slapd shutting down - freed 2 work q stack objects - freed 3 op stack objects 
[15/Jul/2015:04:45:14 -0400] - slapd stopped. [15/Jul/2015:04:45:15 -0400] - SSL alert: Configured NSS Ciphers [15/Jul/2015:04:45:15 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled [15/Jul/2015:04:45:15 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled [15/Jul/2015:04:45:15 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled [15/Jul/2015:04:45:15 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled [15/Jul/2015:04:45:15 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled [15/Jul/2015:04:45:15 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled [15/Jul/2015:04:45:15 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled [15/Jul/2015:04:45:15 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled [15/Jul/2015:04:45:15 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled [15/Jul/2015:04:45:15 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled [15/Jul/2015:04:45:15 -0400] - SSL alert: TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled [15/Jul/2015:04:45:15 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled [15/Jul/2015:04:45:15 -0400] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled [15/Jul/2015:04:45:15 -0400] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA: enabled [15/Jul/2015:04:45:15 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled [15/Jul/2015:04:45:15 -0400] - SSL alert: TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled [15/Jul/2015:04:45:15 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled [15/Jul/2015:04:45:15 -0400] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled [15/Jul/2015:04:45:16 -0400] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA: enabled [15/Jul/2015:04:45:16 -0400] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: enabled [15/Jul/2015:04:45:16 -0400] - SSL alert: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: enabled [15/Jul/2015:04:45:16 -0400] - SSL alert: 
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: enabled [15/Jul/2015:04:45:16 -0400] - SSL alert: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: enabled [15/Jul/2015:04:45:16 -0400] - SSL alert: TLS_RSA_WITH_AES_128_GCM_SHA256: enabled [15/Jul/2015:04:45:16 -0400] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA: enabled [15/Jul/2015:04:45:16 -0400] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA256: enabled [15/Jul/2015:04:45:16 -0400] - SSL alert: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled [15/Jul/2015:04:45:16 -0400] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA: enabled [15/Jul/2015:04:45:16 -0400] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA256: enabled [15/Jul/2015:04:45:16 -0400] - SSL alert: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled [15/Jul/2015:04:45:16 -0400] - SSL alert: TLS_RSA_WITH_SEED_CBC_SHA: enabled [15/Jul/2015:04:45:16 -0400] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2 [15/Jul/2015:04:45:16 -0400] - 389-Directory/1.3.4.1 B2015.181.1428 starting up [15/Jul/2015:04:45:16 -0400] - resizing db cache size: 20000000 -> 10000000 [15/Jul/2015:04:45:16 -0400] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=pesen,dc=net [15/Jul/2015:04:45:16 -0400] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=pesen,dc=net [15/Jul/2015:04:45:16 -0400] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=pesen,dc=net [15/Jul/2015:04:45:16 -0400] NSACLPlugin - The ACL target cn=groups,cn=compat,dc=pesen,dc=net does not exist [15/Jul/2015:04:45:16 -0400] NSACLPlugin - The ACL target cn=computers,cn=compat,dc=pesen,dc=net does not exist [15/Jul/2015:04:45:16 -0400] NSACLPlugin - The ACL target cn=ng,cn=compat,dc=pesen,dc=net does not exist [15/Jul/2015:04:45:16 -0400] NSACLPlugin - The ACL target ou=sudoers,dc=pesen,dc=net does not exist [15/Jul/2015:04:45:17 -0400] NSACLPlugin - The ACL target cn=users,cn=compat,dc=pesen,dc=net does not exist [15/Jul/2015:04:45:17 -0400] NSACLPlugin - The ACL target 
cn=ad,cn=etc,dc=pesen,dc=net does not exist [15/Jul/2015:04:45:17 -0400] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=pesen,dc=net does not exist [15/Jul/2015:04:45:17 -0400] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=pesen,dc=net does not exist [15/Jul/2015:04:45:17 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=pesen,dc=net--no CoS Templates found, which should be added before the CoS Definition. [15/Jul/2015:04:45:17 -0400] ipalockout_get_global_config - [file ipa_lockout.c, line 185]: Failed to get default realm (-1765328160) [15/Jul/2015:04:45:17 -0400] ipaenrollment_start - [file ipa_enrollment.c, line 393]: Failed to get default realm?! [15/Jul/2015:04:45:17 -0400] - slapd started. Listening on All Interfaces port 389 for LDAP requests [15/Jul/2015:04:45:17 -0400] - Listening on All Interfaces port 636 for LDAPS requests [15/Jul/2015:04:45:17 -0400] - Listening on /var/run/slapd-PESEN-NET.socket for LDAPI requests [15/Jul/2015:04:45:46 -0400] attrcrypt - No symmetric key found for cipher AES in backend ipaca, attempting to create one... [15/Jul/2015:04:45:46 -0400] attrcrypt - Key for cipher AES successfully generated and stored [15/Jul/2015:04:45:46 -0400] attrcrypt - No symmetric key found for cipher 3DES in backend ipaca, attempting to create one... [15/Jul/2015:04:45:46 -0400] attrcrypt - Key for cipher 3DES successfully generated and stored [15/Jul/2015:04:45:47 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=pesen,dc=net--no CoS Templates found, which should be added before the CoS Definition. 
[15/Jul/2015:04:46:38 -0400] NSMMReplicationPlugin - multimaster_be_state_change: replica o=ipaca is going offline; disabling replication
[15/Jul/2015:04:46:39 -0400] NSMMReplicationPlugin - agmt="cn=cloneAgreement1-f22replica2.pesen.net-pki-tomcat" (f22master:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[15/Jul/2015:04:46:39 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=pesen,dc=net--no CoS Templates found, which should be added before the CoS Definition.
[15/Jul/2015:04:46:40 -0400] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
[15/Jul/2015:04:46:43 -0400] - import ipaca: Workers finished; cleaning up...
[15/Jul/2015:04:46:43 -0400] - import ipaca: Workers cleaned up.
[15/Jul/2015:04:46:43 -0400] - import ipaca: Indexing complete. Post-processing...
[15/Jul/2015:04:46:43 -0400] - import ipaca: Generating numsubordinates (this may take several minutes to complete)...
[15/Jul/2015:04:46:43 -0400] - import ipaca: Generating numSubordinates complete.
[15/Jul/2015:04:46:44 -0400] - import ipaca: Gathering ancestorid non-leaf IDs...
[15/Jul/2015:04:46:44 -0400] - import ipaca: Finished gathering ancestorid non-leaf IDs.
[15/Jul/2015:04:46:44 -0400] - import ipaca: Creating ancestorid index (new idl)...
[15/Jul/2015:04:46:44 -0400] - import ipaca: Created ancestorid index (new idl).
[15/Jul/2015:04:46:44 -0400] - import ipaca: Flushing caches...
[15/Jul/2015:04:46:44 -0400] - import ipaca: Closing files...
[15/Jul/2015:04:46:45 -0400] - import ipaca: Import complete. Processed 143 entries in 6 seconds. (23.83 entries/sec)
[15/Jul/2015:04:46:45 -0400] NSMMReplicationPlugin - multimaster_be_state_change: replica o=ipaca is coming online; enabling replication
[15/Jul/2015:04:46:45 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=pesen,dc=net--no CoS Templates found, which should be added before the CoS Definition.
[15/Jul/2015:04:46:48 -0400] - ipaca: Indexing VLV: allCerts-pki-tomcatIndex
[15/Jul/2015:04:46:48 -0400] - ipaca: Indexing VLV: allExpiredCerts-pki-tomcatIndex
[15/Jul/2015:04:46:48 -0400] - ipaca: Indexing VLV: allInvalidCerts-pki-tomcatIndex
[15/Jul/2015:04:46:48 -0400] - ipaca: Indexing VLV: allInValidCertsNotBefore-pki-tomcatIndex
[15/Jul/2015:04:46:48 -0400] - ipaca: Indexing VLV: allNonRevokedCerts-pki-tomcatIndex
[15/Jul/2015:04:46:48 -0400] - ipaca: Indexing VLV: allRevokedCaCerts-pki-tomcatIndex
[15/Jul/2015:04:46:48 -0400] - ipaca: Indexing VLV: allRevokedCerts-pki-tomcatIndex
[15/Jul/2015:04:46:48 -0400] - ipaca: Indexing VLV: allRevokedCertsNotAfter-pki-tomcatIndex
[15/Jul/2015:04:46:48 -0400] - ipaca: Indexing VLV: allRevokedExpiredCerts-pki-tomcatIndex
[15/Jul/2015:04:46:48 -0400] - ipaca: Indexing VLV: allRevokedOrRevokedExpiredCaCerts-pki-tomcatIndex
[15/Jul/2015:04:46:48 -0400] - ipaca: Indexing VLV: allRevokedOrRevokedExpiredCerts-pki-tomcatIndex
[15/Jul/2015:04:46:48 -0400] - ipaca: Indexing VLV: allValidCerts-pki-tomcatIndex
[15/Jul/2015:04:46:48 -0400] - ipaca: Indexing VLV: allValidCertsNotAfter-pki-tomcatIndex
[15/Jul/2015:04:46:48 -0400] - ipaca: Indexing VLV: allValidOrRevokedCerts-pki-tomcatIndex
[15/Jul/2015:04:46:48 -0400] - ipaca: Indexing VLV: caAll-pki-tomcatIndex
[15/Jul/2015:04:46:48 -0400] - ipaca: Indexing VLV: caCanceled-pki-tomcatIndex
[15/Jul/2015:04:46:48 -0400] - ipaca: Indexing VLV: caCanceledEnrollment-pki-tomcatIndex
[15/Jul/2015:04:46:48 -0400] - ipaca: Indexing VLV: caCanceledRenewal-pki-tomcatIndex
[15/Jul/2015:04:46:48 -0400] - ipaca: Indexing VLV: caCanceledRevocation-pki-tomcatIndex
[15/Jul/2015:04:46:48 -0400] - ipaca: Indexing VLV: caComplete-pki-tomcatIndex
[15/Jul/2015:04:46:49 -0400] - ipaca: Indexing VLV: caCompleteEnrollment-pki-tomcatIndex
[15/Jul/2015:04:46:49 -0400] - ipaca: Indexing VLV: caCompleteRenewal-pki-tomcatIndex
[15/Jul/2015:04:46:49 -0400] - ipaca: Indexing VLV: caCompleteRevocation-pki-tomcatIndex
[15/Jul/2015:04:46:49 -0400] - ipaca: Indexing VLV: caEnrollment-pki-tomcatIndex
[15/Jul/2015:04:46:49 -0400] - ipaca: Indexing VLV: caPending-pki-tomcatIndex
[15/Jul/2015:04:46:49 -0400] - ipaca: Indexing VLV: caPendingEnrollment-pki-tomcatIndex
[15/Jul/2015:04:46:49 -0400] - ipaca: Indexing VLV: caPendingRenewal-pki-tomcatIndex
[15/Jul/2015:04:46:49 -0400] - ipaca: Indexing VLV: caPendingRevocation-pki-tomcatIndex
[15/Jul/2015:04:46:49 -0400] - ipaca: Indexing VLV: caRejected-pki-tomcatIndex
[15/Jul/2015:04:46:49 -0400] - ipaca: Indexing VLV: caRejectedEnrollment-pki-tomcatIndex
[15/Jul/2015:04:46:49 -0400] - ipaca: Indexing VLV: caRejectedRenewal-pki-tomcatIndex
[15/Jul/2015:04:46:49 -0400] - ipaca: Indexing VLV: caRejectedRevocation-pki-tomcatIndex
[15/Jul/2015:04:46:49 -0400] - ipaca: Indexing VLV: caRenewal-pki-tomcatIndex
[15/Jul/2015:04:46:49 -0400] - ipaca: Indexing VLV: caRevocation-pki-tomcatIndex
[15/Jul/2015:04:46:55 -0400] - ipaca: Finished indexing.
[15/Jul/2015:04:47:23 -0400] - slapd shutting down - signaling operation threads - op stack size 3 max work q size 2 max work q stack size 2
[15/Jul/2015:04:47:23 -0400] - slapd shutting down - waiting for 12 threads to terminate
[15/Jul/2015:04:47:23 -0400] - slapd shutting down - closing down internal subsystems and plugins
[15/Jul/2015:04:47:23 -0400] - Waiting for 4 database threads to stop
[15/Jul/2015:04:47:24 -0400] - All database threads now stopped
[15/Jul/2015:04:47:24 -0400] - slapd shutting down - freed 2 work q stack objects - freed 3 op stack objects
[15/Jul/2015:04:47:24 -0400] - slapd stopped.
[15/Jul/2015:04:47:26 -0400] - SSL alert: Configured NSS Ciphers
[15/Jul/2015:04:47:26 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled
[15/Jul/2015:04:47:26 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[15/Jul/2015:04:47:26 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled
[15/Jul/2015:04:47:26 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled
[15/Jul/2015:04:47:26 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled
[15/Jul/2015:04:47:26 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled
[15/Jul/2015:04:47:26 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[15/Jul/2015:04:47:26 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled
[15/Jul/2015:04:47:26 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[15/Jul/2015:04:47:26 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
[15/Jul/2015:04:47:26 -0400] - SSL alert: TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled
[15/Jul/2015:04:47:26 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[15/Jul/2015:04:47:26 -0400] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled
[15/Jul/2015:04:47:26 -0400] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA: enabled
[15/Jul/2015:04:47:27 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
[15/Jul/2015:04:47:27 -0400] - SSL alert: TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled
[15/Jul/2015:04:47:27 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled
[15/Jul/2015:04:47:27 -0400] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled
[15/Jul/2015:04:47:27 -0400] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA: enabled
[15/Jul/2015:04:47:27 -0400] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: enabled
[15/Jul/2015:04:47:27 -0400] - SSL alert: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: enabled
[15/Jul/2015:04:47:27 -0400] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: enabled
[15/Jul/2015:04:47:27 -0400] - SSL alert: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: enabled
[15/Jul/2015:04:47:27 -0400] - SSL alert: TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
[15/Jul/2015:04:47:27 -0400] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA: enabled
[15/Jul/2015:04:47:27 -0400] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
[15/Jul/2015:04:47:27 -0400] - SSL alert: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled
[15/Jul/2015:04:47:28 -0400] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA: enabled
[15/Jul/2015:04:47:28 -0400] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
[15/Jul/2015:04:47:28 -0400] - SSL alert: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled
[15/Jul/2015:04:47:28 -0400] - SSL alert: TLS_RSA_WITH_SEED_CBC_SHA: enabled
[15/Jul/2015:04:47:28 -0400] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
[15/Jul/2015:04:47:28 -0400] - 389-Directory/1.3.4.1 B2015.181.1428 starting up
[15/Jul/2015:04:47:28 -0400] - resizing db cache size: 20000000 -> 10000000
[15/Jul/2015:04:47:29 -0400] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=pesen,dc=net
[15/Jul/2015:04:47:29 -0400] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=pesen,dc=net
[15/Jul/2015:04:47:29 -0400] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=pesen,dc=net
[15/Jul/2015:04:47:29 -0400] NSACLPlugin - The ACL target cn=groups,cn=compat,dc=pesen,dc=net does not exist
[15/Jul/2015:04:47:29 -0400] NSACLPlugin - The ACL target cn=computers,cn=compat,dc=pesen,dc=net does not exist
[15/Jul/2015:04:47:29 -0400] NSACLPlugin - The ACL target cn=ng,cn=compat,dc=pesen,dc=net does not exist
[15/Jul/2015:04:47:29 -0400] NSACLPlugin - The ACL target ou=sudoers,dc=pesen,dc=net does not exist
[15/Jul/2015:04:47:29 -0400] NSACLPlugin - The ACL target cn=users,cn=compat,dc=pesen,dc=net does not exist
[15/Jul/2015:04:47:30 -0400] NSACLPlugin - The ACL target cn=ad,cn=etc,dc=pesen,dc=net does not exist
[15/Jul/2015:04:47:30 -0400] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=pesen,dc=net does not exist
[15/Jul/2015:04:47:30 -0400] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=pesen,dc=net does not exist
[15/Jul/2015:04:47:30 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=pesen,dc=net--no CoS Templates found, which should be added before the CoS Definition.
[15/Jul/2015:04:47:30 -0400] ipalockout_get_global_config - [file ipa_lockout.c, line 185]: Failed to get default realm (-1765328160)
[15/Jul/2015:04:47:30 -0400] ipaenrollment_start - [file ipa_enrollment.c, line 393]: Failed to get default realm?!
[15/Jul/2015:04:47:30 -0400] NSMMReplicationPlugin - ruv_compare_ruv: RUV [changelog max RUV] does not contain element [{replica 97 ldap://f22replica1.pesen.net:389} 55a61dd5000000610000 55a61dd6000200610000] which is present in RUV [database RUV]
[15/Jul/2015:04:47:31 -0400] NSMMReplicationPlugin - replica_check_for_data_reload: Warning: for replica o=ipaca there were some differences between the changelog max RUV and the database RUV. If there are obsolete elements in the database RUV, you should remove them using the CLEANALLRUV task. If they are not obsolete, you should check their status to see why there are no changes from those servers in the changelog.
[15/Jul/2015:04:47:31 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:47:31 -0400] NSMMReplicationPlugin - agmt="cn=meTof22master.pesen.net" (f22master:389): Replication bind with SIMPLE auth failed: LDAP error 32 (No such object) ()
[15/Jul/2015:04:47:31 -0400] NSMMReplicationPlugin - agmt="cn=cloneAgreement1-f22replica2.pesen.net-pki-tomcat" (f22master:389): Unable to acquire replica: the replica instructed us to go into backoff mode. Will retry later.
[15/Jul/2015:04:47:31 -0400] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[15/Jul/2015:04:47:31 -0400] - Listening on All Interfaces port 636 for LDAPS requests
[15/Jul/2015:04:47:31 -0400] - Listening on /var/run/slapd-PESEN-NET.socket for LDAPI requests
[15/Jul/2015:04:47:34 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:47:40 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:47:52 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:48:08 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:48:11 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:48:12 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:48:14 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:48:17 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:48:19 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:48:21 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:48:23 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:48:25 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:48:27 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:48:29 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:48:31 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:48:33 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:48:35 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:48:37 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:48:39 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:48:41 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:48:43 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:48:45 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:48:47 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:48:49 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:48:52 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:48:54 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:48:56 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:48:58 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:49:00 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:49:02 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:49:04 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:49:06 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:49:08 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:49:11 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:49:14 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:49:15 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:49:17 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:49:19 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:49:21 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:49:23 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:49:25 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:49:27 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:49:29 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:49:31 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:49:33 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:49:35 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:49:38 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:49:40 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:49:42 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:49:44 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:49:46 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:49:48 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:49:50 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:49:52 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:49:54 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:49:56 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:49:58 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:50:00 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:50:02 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:50:05 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:50:07 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:50:09 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:50:11 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:50:13 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:50:15 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:50:18 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:50:20 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:50:22 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:50:24 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:50:26 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:50:29 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:50:31 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:50:33 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:50:35 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:50:37 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:50:39 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:50:41 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:50:43 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:50:45 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:50:47 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:50:49 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:50:51 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:50:53 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:50:55 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:50:58 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:51:00 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:51:02 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:51:04 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:51:06 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:51:08 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:51:10 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:51:12 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:51:14 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:51:16 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:51:18 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:51:20 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:51:22 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:51:24 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:51:26 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:51:29 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:51:30 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:51:33 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:51:35 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:51:37 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:51:39 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:51:42 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:51:48 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:52:00 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:52:24 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:53:12 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:54:48 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:58:00 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipareplica-install.log
Type: text/x-log
Size: 303681 bytes
Desc: not available
URL:
-------------- next part --------------
root at f22replica2:/home/ofayans]$ ipa-replica-install --setup-ca --setup-dns /var/lib/ipa/replica-info-f22replica2.pesen.net.gpg --forwarder 10.38.5.26 -p 'password' -w 'password' --unattended
Checking DNS forwarders, please wait ...
Using reverse zone(s) 122.168.192.in-addr.arpa.
Run connection check to master Check connection from replica to remote master 'f22master.pesen.net': Directory Service: Unsecure port (389): OK Directory Service: Secure port (636): OK Kerberos KDC: TCP (88): OK Kerberos Kpasswd: TCP (464): OK HTTP Server: Unsecure port (80): OK HTTP Server: Secure port (443): OK The following list of ports use UDP protocol and would need to be checked manually: Kerberos KDC: UDP (88): SKIPPED Kerberos Kpasswd: UDP (464): SKIPPED Connection from replica to master is OK. Start listening on required ports for remote master check Get credentials to log in to remote master Check SSH connection to remote master Execute check on remote master Check connection from master to remote replica 'f22replica2.pesen.net': Directory Service: Unsecure port (389): OK Directory Service: Secure port (636): OK Kerberos KDC: TCP (88): OK Kerberos KDC: UDP (88): OK Kerberos Kpasswd: TCP (464): OK Kerberos Kpasswd: UDP (464): OK HTTP Server: Unsecure port (80): OK HTTP Server: Secure port (443): OK Connection from master to replica is OK. Connection check OK Configuring NTP daemon (ntpd) [1/4]: stopping ntpd [2/4]: writing configuration [3/4]: configuring ntpd to start on boot [4/4]: starting ntpd Done configuring NTP daemon (ntpd). Configuring directory server (dirsrv). 
Estimated time: 1 minute
  [1/39]: creating directory server user
  [2/39]: creating directory server instance
  [3/39]: adding default schema
  [4/39]: enabling memberof plugin
  [5/39]: enabling winsync plugin
  [6/39]: configuring replication version plugin
  [7/39]: enabling IPA enrollment plugin
  [8/39]: enabling ldapi
  [9/39]: configuring uniqueness plugin
  [10/39]: configuring uuid plugin
  [11/39]: configuring modrdn plugin
  [12/39]: configuring DNS plugin
  [13/39]: enabling entryUSN plugin
  [14/39]: configuring lockout plugin
  [15/39]: configuring topology plugin
  [16/39]: creating indices
  [17/39]: enabling referential integrity plugin
  [18/39]: configuring ssl for ds instance
  [19/39]: configuring certmap.conf
  [20/39]: configure autobind for root
  [21/39]: configure new location for managed entries
  [22/39]: configure dirsrv ccache
  [23/39]: enable SASL mapping fallback
  [24/39]: restarting directory server
  [25/39]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 7 seconds elapsed
Update succeeded
  [26/39]: updating schema
  [27/39]: setting Auto Member configuration
  [28/39]: enabling S4U2Proxy delegation
  [29/39]: importing CA certificates from LDAP
  [30/39]: initializing group membership
  [31/39]: adding master entry
  [32/39]: initializing domain level
  [33/39]: configuring Posix uid/gid generation
  [34/39]: adding replication acis
  [35/39]: enabling compatibility plugin
  [36/39]: activating sidgen plugin
  [37/39]: activating extdom plugin
  [38/39]: tuning directory server
ipa : CRITICAL Failed to load ds-nfiles.ldif: Command ''/usr/bin/ldapmodify' '-v' '-f' '/tmp/tmpEt3d2V' '-H' 'ldap://f22replica2.pesen.net:389' '-x' '-D' 'cn=Directory Manager' '-y' '/tmp/tmp7BKlwl'' returned non-zero exit status 53
  [39/39]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring certificate server (pki-tomcatd).
Estimated time: 3 minutes 30 seconds
  [1/17]: creating certificate server user
  [2/17]: configuring certificate server instance
  [3/17]: stopping certificate server instance to update CS.cfg
  [4/17]: backing up CS.cfg
  [5/17]: disabling nonces
  [6/17]: set up CRL publishing
  [7/17]: enable PKIX certificate path discovery and validation
  [8/17]: starting certificate server instance
  [9/17]: creating RA agent certificate database
  [10/17]: importing CA chain to RA certificate database
  [11/17]: fixing RA database permissions
  [12/17]: setting up signing cert profile
  [13/17]: setting audit signing renewal to 2 years
  [14/17]: configure certmonger for renewals
  [15/17]: configure certificate renewals
  [16/17]: configure Server-Cert certificate renewal
  [17/17]: Configure HTTP to proxy connections
Done configuring certificate server (pki-tomcatd).
Restarting the directory and certificate servers
Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds
  [1/8]: adding sasl mappings to the directory
  [2/8]: configuring KDC
  [3/8]: creating a keytab for the directory
  [4/8]: creating a keytab for the machine
  [5/8]: adding the password extension to the directory
  [6/8]: enable GSSAPI for replication
  [error] RuntimeError: One of the ldap service principals is missing. Replication agreement cannot be converted. Replication error message: Unable to acquire replicaLDAP error: No such object
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR One of the ldap service principals is missing. Replication agreement cannot be converted. Replication error message: Unable to acquire replicaLDAP error: No such object

From lkrispen at redhat.com Wed Jul 15 10:20:40 2015
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Wed, 15 Jul 2015 12:20:40 +0200
Subject: [Freeipa-devel] Unable to acquire replicaLDAP during replica installation
In-Reply-To: <55A622D1.2000203@redhat.com>
References: <55A622D1.2000203@redhat.com>
Message-ID: <55A633F8.4030305@redhat.com>

looks like the initial replication is failing:

[15/Jul/2015:04:47:31 -0400] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:47:31 -0400] NSMMReplicationPlugin - agmt="cn=meTof22master.pesen.net" (f22master:389): Replication bind with SIMPLE auth failed: LDAP error 32 (No such object) ()

could you check the access log for ADD and DEL of "cn=replication manager,cn=config" on both master and replica, is there anything in the error log of the master?

Ludwig

On 07/15/2015 11:07 AM, Oleg Fayans wrote:
> Hi everybody,
>
> The following error was encountered during installation of one of
> replicas using the packages built from the latest upstream code:
> [error] RuntimeError: One of the ldap service principals is missing.
> Replication agreement cannot be converted.
> Replication error message: Unable to acquire replicaLDAP error: No
> such object
>
> The second replica however was installed successfully.
> Installation log and dirsrv errors log are attached

From jcholast at redhat.com Wed Jul 15 10:27:23 2015
From: jcholast at redhat.com (Jan Cholasta)
Date: Wed, 15 Jul 2015 12:27:23 +0200
Subject: [Freeipa-devel] [PATCH 465] spec file: Update minimum required version of krb5
Message-ID: <55A6358B.7090707@redhat.com>

Hi,

the attached patch fixes .

Honza

--
Jan Cholasta
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-465-spec-file-Update-minimum-required-version-of-krb5.patch
Type: text/x-patch
Size: 1527 bytes
Desc: not available

From cheimes at redhat.com Wed Jul 15 10:42:48 2015
From: cheimes at redhat.com (Christian Heimes)
Date: Wed, 15 Jul 2015 12:42:48 +0200
Subject: [Freeipa-devel] [PATCH 464] spec file: Move /etc/ipa/kdcproxy to the server subpackage
In-Reply-To: <55A4F8EB.9060407@redhat.com>
References: <55A4F8EB.9060407@redhat.com>
Message-ID: <55A63928.30409@redhat.com>

On 2015-07-14 13:56, Jan Cholasta wrote:
> Hi,
>
> the attached patch fixes client-only builds.

LGTM.

I didn't know about the difference between server and client-only builds. Thanks for the fix!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: OpenPGP digital signature

From jcholast at redhat.com Wed Jul 15 10:46:54 2015
From: jcholast at redhat.com (Jan Cholasta)
Date: Wed, 15 Jul 2015 12:46:54 +0200
Subject: [Freeipa-devel] [PATCH 464] spec file: Move /etc/ipa/kdcproxy to the server subpackage
In-Reply-To: <55A63928.30409@redhat.com>
References: <55A4F8EB.9060407@redhat.com> <55A63928.30409@redhat.com>
Message-ID: <55A63A1E.5010908@redhat.com>

On 15.7.2015 at 12:42, Christian Heimes wrote:
> On 2015-07-14 13:56, Jan Cholasta wrote:
>> Hi,
>>
>> the attached patch fixes client-only builds.
>
> LGTM.
>
> I didn't know about the difference between server and client-only
> builds. Thanks for the fix!

Pushed to:
master: ba31b415697b1e8e85f6d55e939ede36be9942e6
ipa-4-2: 3fa581afc2da962496edba09488c569ffa26cf8d

--
Jan Cholasta

From mbasti at redhat.com Wed Jul 15 10:47:27 2015
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 15 Jul 2015 12:47:27 +0200
Subject: [Freeipa-devel] [PATCH 0281] Validate adding a privilege to a permission
In-Reply-To: <559F859A.9000503@redhat.com>
References: <559E8B5A.5040909@redhat.com> <559F58E3.5000405@redhat.com> <559F859A.9000503@redhat.com>
Message-ID: <55A63A3F.9070307@redhat.com>

On 10/07/15 10:43, Martin Basti wrote:
> On 10/07/15 07:32, Jan Cholasta wrote:
>> Hi,
>>
>> On 9.7.2015 at 16:55, Martin Basti wrote:
>>> https://fedorahosted.org/freeipa/ticket/5075
>>>
>>> Patch attached.
>>
>> the check is very plugin-specific, so I don't think it should be in
>> ipalib.util. You can keep it in privilege and import it from there in
>> permission just fine.
>>
>> Honza
>>
> Updated patch attached.

Updated patch attached.

--
Martin Basti
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0281.3-Validate-adding-privilege-to-a-permission.patch
Type: text/x-patch
Size: 4522 bytes
Desc: not available

From abokovoy at redhat.com Wed Jul 15 10:54:25 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 15 Jul 2015 13:54:25 +0300
Subject: [Freeipa-devel] [PATCH 465] spec file: Update minimum required version of krb5
In-Reply-To: <55A6358B.7090707@redhat.com>
References: <55A6358B.7090707@redhat.com>
Message-ID: <20150715105425.GY21928@redhat.com>

On Wed, 15 Jul 2015, Jan Cholasta wrote:
> Hi,
>
> the attached patch fixes .

ACK

--
/ Alexander Bokovoy

From jcholast at redhat.com Wed Jul 15 11:02:58 2015
From: jcholast at redhat.com (Jan Cholasta)
Date: Wed, 15 Jul 2015 13:02:58 +0200
Subject: [Freeipa-devel] [PATCH 465] spec file: Update minimum required version of krb5
In-Reply-To: <20150715105425.GY21928@redhat.com>
References: <55A6358B.7090707@redhat.com> <20150715105425.GY21928@redhat.com>
Message-ID: <55A63DE2.2070302@redhat.com>

Hi,

On 15.7.2015 at 12:54, Alexander Bokovoy wrote:
> On Wed, 15 Jul 2015, Jan Cholasta wrote:
>> Hi,
>>
>> the attached patch fixes .
> ACK

Thanks for the review.

Pushed to:
master: d6e701a79333c0d732323a1f4250aa698625e889
ipa-4-2: 5678e211af604af5ed20df5d4282df8a0275aa14

Honza

--
Jan Cholasta

From ofayans at redhat.com Wed Jul 15 11:22:39 2015
From: ofayans at redhat.com (Oleg Fayans)
Date: Wed, 15 Jul 2015 13:22:39 +0200
Subject: [Freeipa-devel] Unable to acquire replicaLDAP during replica installation
In-Reply-To: <55A633F8.4030305@redhat.com>
References: <55A622D1.2000203@redhat.com> <55A633F8.4030305@redhat.com>
Message-ID: <55A6427F.5060707@redhat.com>

Hi Ludwig,

On 07/15/2015 12:20 PM, Ludwig Krispenz wrote:
> looks like the initial replication is failing:
> [15/Jul/2015:04:47:31 -0400] slapi_ldap_bind - Error: could not bind
> id [cn=replication manager,cn=config] authentication mechanism
> [SIMPLE]: error 32 (No such object) errno 0 (Success)
> [15/Jul/2015:04:47:31 -0400] NSMMReplicationPlugin -
> agmt="cn=meTof22master.pesen.net" (f22master:389): Replication bind
> with SIMPLE auth failed: LDAP error 32 (No such object) ()
>
> could you check the access log for ADD and DEL of "cn=replication
> manager,cn=config" on both master and replica,

Here are corresponding lines in access log of master:

[15/Jul/2015:04:45:00 -0400] conn=52 op=6 ADD dn="cn=replication manager,cn=config"
[15/Jul/2015:04:45:00 -0400] conn=52 op=6 RESULT err=68 tag=105 nentries=0 etime=0

Replica's access log does not contain any records about replication manager

error log on master has this interesting record:
[15/Jul/2015:04:47:30 -0400] repl_version_plugin_recv_acquire_cb - [file ipa_repl_version.c, line 119]: Incompatible IPA versions, pausing replication. This server: "20100614120000" remote server: "(null)".

This is really weird, because both master and replica use the same version of packages:
freeipa-server-4.2.90.201507141138GIT3459607-0.fc22.x86_64

> is there anything in the error log of the master ?
>
> Ludwig
>
> On 07/15/2015 11:07 AM, Oleg Fayans wrote:
>> Hi everybody,
>>
>> The following error was encountered during installation of one of
>> replicas using the packages built from the latest upstream code:
>> [error] RuntimeError: One of the ldap service principals is
>> missing. Replication agreement cannot be converted.
>> Replication error message: Unable to acquire replicaLDAP error: No
>> such object
>>
>> The second replica however was installed successfully.
>> Installation log and dirsrv errors log are attached

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.

From jcholast at redhat.com Wed Jul 15 11:41:16 2015
From: jcholast at redhat.com (Jan Cholasta)
Date: Wed, 15 Jul 2015 13:41:16 +0200
Subject: [Freeipa-devel] [PATCH 0054] certmonger: Use private unix socket when DBus SystemBus is not available.
In-Reply-To: <559BE76A.9040505@redhat.com>
References: <5593F9A5.4080703@redhat.com> <55952FDE.8080408@redhat.com> <55962E91.4040104@redhat.com> <55962FB5.906@redhat.com> <559BE76A.9040505@redhat.com>
Message-ID: <55A646DC.6060102@redhat.com>

On 7.7.2015 at 16:51, David Kupka wrote:
> On 03/07/15 08:46, Martin Kosek wrote:
>> On 07/03/2015 08:41 AM, Jan Cholasta wrote:
>>> On 2.7.2015 at 14:34, David Kupka wrote:
>>>> On 01/07/15 16:31, David Kupka wrote:
>>>>>
>>>> Updated patch attached.
>>>
>>> Client install works, but uninstall does not:
>>>
>>> # ipa-client-install --uninstall -U
>>> certmonger failed to start: Command ''/bin/systemctl' 'start'
>>> 'certmonger.service'' returned non-zero exit status 1
>>> certmonger failed to stop tracking certificate: Failed to start
>>> certmonger:
>>> Timeouted
>>> 2015-07-03 02:38:15 [17242] Error reading PIN from
>>> "/etc/ipa/nssdb/pwdfile.txt": No such file or directory.
>>> Failed to start certmonger: Timeouted
>>>
>>> The patch needs a rebase.
>>>
>>
>> Also, "Timeouted" is not a word, try "Timed out" instead :-)
>
> Updated patch attached. Also attaching patch that removes unneeded
> certmonger (re)starting and DBus starting from ipa-client-install.
>

NACK. When dbus is not available and ipa-client-install is run *without* --request-cert, certmonger tracks "Local IPA host" in /etc/ipa/nssdb. When ipa-client-install is run *with* --request-cert, the certificate is not issued, but I guess this is not caused by your patch.

--
Jan Cholasta

From lkrispen at redhat.com Wed Jul 15 11:52:28 2015
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Wed, 15 Jul 2015 13:52:28 +0200
Subject: [Freeipa-devel] Unable to acquire replicaLDAP during replica installation
In-Reply-To: <55A6427F.5060707@redhat.com>
References: <55A622D1.2000203@redhat.com> <55A633F8.4030305@redhat.com> <55A6427F.5060707@redhat.com>
Message-ID: <55A6497C.60809@redhat.com>

On 07/15/2015 01:22 PM, Oleg Fayans wrote:
> Hi Ludwig,
>
> On 07/15/2015 12:20 PM, Ludwig Krispenz wrote:
>> looks like the initial replication is failing:
>> [15/Jul/2015:04:47:31 -0400] slapi_ldap_bind - Error: could not bind
>> id [cn=replication manager,cn=config] authentication mechanism
>> [SIMPLE]: error 32 (No such object) errno 0 (Success)
>> [15/Jul/2015:04:47:31 -0400] NSMMReplicationPlugin -
>> agmt="cn=meTof22master.pesen.net" (f22master:389): Replication bind
>> with SIMPLE auth failed: LDAP error 32 (No such object) ()
>>
>> could you check the access log for ADD and DEL of "cn=replication
>> manager,cn=config" on both master and replica,
> Here are corresponding lines in access log of master:
>
> [15/Jul/2015:04:45:00 -0400] conn=52 op=6 ADD dn="cn=replication
> manager,cn=config"
> [15/Jul/2015:04:45:00 -0400] conn=52 op=6 RESULT err=68 tag=105
> nentries=0 etime=0

err=68 means "already exists", so is there another ADD, and a DEL?

did you install the replicas in parallel?

>
> Replica's access log does not contain any records about replication
> manager
>
> error log on master has this interesting record:
> [15/Jul/2015:04:47:30 -0400] repl_version_plugin_recv_acquire_cb -
> [file ipa_repl_version.c, line 119]: Incompatible IPA versions,
> pausing replication. This server: "20100614120000" remote server:
> "(null)".
>
> This is really weird, because both master and replica use the same
> version of packages:
> freeipa-server-4.2.90.201507141138GIT3459607-0.fc22.x86_64
>
>> is there anything in the error log of the master ?
>>
>> Ludwig
>>
>> On 07/15/2015 11:07 AM, Oleg Fayans wrote:
>>> Hi everybody,
>>>
>>> The following error was encountered during installation of one of
>>> replicas using the packages built from the latest upstream code:
>>> [error] RuntimeError: One of the ldap service principals is
>>> missing. Replication agreement cannot be converted.
>>> Replication error message: Unable to acquire replicaLDAP error: No
>>> such object
>>>
>>> The second replica however was installed successfully.
>>> Installation log and dirsrv errors log are attached

From tbabej at redhat.com Wed Jul 15 12:24:44 2015
From: tbabej at redhat.com (Tomas Babej)
Date: Wed, 15 Jul 2015 14:24:44 +0200
Subject: [Freeipa-devel] [PATCH 0339] trusts: Check for AD root domain among our trusted domains
Message-ID: <55A6510C.9040004@redhat.com>

Hi,

Check for the presence of the forest root DNS domain of the AD realm among the IPA realm domains prior to establishing the trust.

This prevents creation of a failing setup, as trusts would not work properly in this case.

https://fedorahosted.org/freeipa/ticket/4799

Tomas
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-tbabej-0339-trusts-Check-for-AD-root-domain-among-our-trusted-do.patch
Type: text/x-patch
Size: 2554 bytes
Desc: not available

From abokovoy at redhat.com Wed Jul 15 12:31:40 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 15 Jul 2015 15:31:40 +0300
Subject: [Freeipa-devel] [PATCH 0339] trusts: Check for AD root domain among our trusted domains
In-Reply-To: <55A6510C.9040004@redhat.com>
References: <55A6510C.9040004@redhat.com>
Message-ID: <20150715123140.GA15172@redhat.com>

On Wed, 15 Jul 2015, Tomas Babej wrote:
> Hi,
>
> Check for the presence of the forest root DNS domain of the AD realm
> among the IPA realm domains prior to establishing the trust.
>
> This prevents creation of a failing setup, as trusts would not work
> properly in this case.
>
> https://fedorahosted.org/freeipa/ticket/4799

LGTM.

The only comment I have is for the error message text. Would it make sense to point to 'ipa realmdomains-mod --del-domain' command?

--
/ Alexander Bokovoy

From tbabej at redhat.com Wed Jul 15 12:41:58 2015
From: tbabej at redhat.com (Tomas Babej)
Date: Wed, 15 Jul 2015 14:41:58 +0200
Subject: [Freeipa-devel] [PATCH 0339] trusts: Check for AD root domain among our trusted domains
In-Reply-To: <20150715123140.GA15172@redhat.com>
References: <55A6510C.9040004@redhat.com> <20150715123140.GA15172@redhat.com>
Message-ID: <55A65516.6070303@redhat.com>

On 07/15/2015 02:31 PM, Alexander Bokovoy wrote:
> On Wed, 15 Jul 2015, Tomas Babej wrote:
>> Hi,
>>
>> Check for the presence of the forest root DNS domain of the AD realm
>> among the IPA realm domains prior to establishing the trust.
>>
>> This prevents creation of a failing setup, as trusts would not work
>> properly in this case.
>>
>> https://fedorahosted.org/freeipa/ticket/4799
> LGTM.
>
> The only comment I have is for the error message text. Would it make
> sense to point to 'ipa realmdomains-mod --del-domain' command?
>

Sure, why not. I actually abstained from generating the whole command (including the AD domain argument), as I believe it's better the users are discouraged from blindly copying commands around.

Updated patch attached.

Tomas
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-tbabej-0339-2-trusts-Check-for-AD-root-domain-among-our-trusted-do.patch
Type: text/x-patch
Size: 2632 bytes
Desc: not available

From mbasti at redhat.com Wed Jul 15 12:42:06 2015
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 15 Jul 2015 14:42:06 +0200
Subject: [Freeipa-devel] DNS: consolidate RR types in API and LDAP schema
Message-ID: <55A6551E.9070306@redhat.com>

Patch attached.

https://fedorahosted.org/freeipa/ticket/4934
https://fedorahosted.org/freeipa/ticket/5055

--
Martin Basti
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0285-DNS-Consolidate-DNS-RR-types-in-API-and-schema.patch
Type: text/x-patch
Size: 52044 bytes
Desc: not available

From ofayans at redhat.com Wed Jul 15 12:42:37 2015
From: ofayans at redhat.com (Oleg Fayans)
Date: Wed, 15 Jul 2015 14:42:37 +0200
Subject: [Freeipa-devel] Unable to acquire replicaLDAP during replica installation
In-Reply-To: <55A6497C.60809@redhat.com>
References: <55A622D1.2000203@redhat.com> <55A633F8.4030305@redhat.com> <55A6427F.5060707@redhat.com> <55A6497C.60809@redhat.com>
Message-ID: <55A6553D.3000006@redhat.com>

Hi Ludwig,

On 07/15/2015 01:52 PM, Ludwig Krispenz wrote:
>
> On 07/15/2015 01:22 PM, Oleg Fayans wrote:
>> Hi Ludwig,
>>
>> On 07/15/2015 12:20 PM, Ludwig Krispenz wrote:
>>> looks like the initial replication is failing:
>>> [15/Jul/2015:04:47:31 -0400] slapi_ldap_bind - Error: could not bind
>>> id [cn=replication manager,cn=config] authentication mechanism
>>> [SIMPLE]: error 32 (No such object) errno 0 (Success)
>>> [15/Jul/2015:04:47:31 -0400] NSMMReplicationPlugin -
>>> agmt="cn=meTof22master.pesen.net" (f22master:389): Replication bind
>>> with SIMPLE auth failed: LDAP error 32 (No such object) ()
>>>
>>> could you check the access log for ADD and DEL of "cn=replication
>>> manager,cn=config" on both master and replica,
>> Here are corresponding lines in access log of master:
>>
>> [15/Jul/2015:04:45:00 -0400] conn=52 op=6 ADD dn="cn=replication
>> manager,cn=config"
>> [15/Jul/2015:04:45:00 -0400] conn=52 op=6 RESULT err=68 tag=105
>> nentries=0 etime=0
> err=68 means "already exists", so is there another ADD, and a DEL?
>
> did you install the replicas in parallel?

Yes, I did.
Probably, this is the main reason

>>
>> Replica's access log does not contain any records about replication
>> manager
>>
>> error log on master has this interesting record:
>> [15/Jul/2015:04:47:30 -0400] repl_version_plugin_recv_acquire_cb -
>> [file ipa_repl_version.c, line 119]: Incompatible IPA versions,
>> pausing replication. This server: "20100614120000" remote server:
>> "(null)".
>>
>> This is really weird, because both master and replica use the same
>> version of packages:
>> freeipa-server-4.2.90.201507141138GIT3459607-0.fc22.x86_64
>>
>>> is there anything in the error log of the master ?
>>>
>>> Ludwig
>>>
>>> On 07/15/2015 11:07 AM, Oleg Fayans wrote:
>>>> Hi everybody,
>>>>
>>>> The following error was encountered during installation of one of
>>>> replicas using the packages built from the latest upstream code:
>>>> [error] RuntimeError: One of the ldap service principals is
>>>> missing. Replication agreement cannot be converted.
>>>> Replication error message: Unable to acquire replicaLDAP error: No
>>>> such object
>>>>
>>>> The second replica however was installed successfully.
>>>> Installation log and dirsrv errors log are attached

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.

From mbasti at redhat.com Wed Jul 15 12:45:34 2015
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 15 Jul 2015 14:45:34 +0200
Subject: [Freeipa-devel] [PATCH 0285] DNS: consolidate RR types in API and LDAP schema
In-Reply-To: <55A6551E.9070306@redhat.com>
References: <55A6551E.9070306@redhat.com>
Message-ID: <55A655EE.5030301@redhat.com>

On 15/07/15 14:42, Martin Basti wrote:
> Patch attached.
>
> https://fedorahosted.org/freeipa/ticket/4934
> https://fedorahosted.org/freeipa/ticket/5055
>

I forgot to add patch number in subject.

--
Martin Basti
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0285-DNS-Consolidate-DNS-RR-types-in-API-and-schema.patch
Type: text/x-patch
Size: 52044 bytes
Desc: not available

From mbabinsk at redhat.com Wed Jul 15 12:47:31 2015
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Wed, 15 Jul 2015 14:47:31 +0200
Subject: [Freeipa-devel] [PATCH 0047] ipa-ca-install: print more specific errors when CA is already installed
Message-ID: <55A65663.9080100@redhat.com>

Fixes https://fedorahosted.org/freeipa/ticket/4492

--
Martin^3 Babinsky
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbabinsk-0047-ipa-ca-install-print-more-specific-errors-when-CA-is.patch
Type: text/x-patch
Size: 1730 bytes
Desc: not available

From lkrispen at redhat.com Wed Jul 15 13:06:14 2015
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Wed, 15 Jul 2015 15:06:14 +0200
Subject: [Freeipa-devel] Unable to acquire replicaLDAP during replica installation
In-Reply-To: <55A6553D.3000006@redhat.com>
References: <55A622D1.2000203@redhat.com> <55A633F8.4030305@redhat.com> <55A6427F.5060707@redhat.com> <55A6497C.60809@redhat.com> <55A6553D.3000006@redhat.com>
Message-ID: <55A65AC6.8010405@redhat.com>

On 07/15/2015 02:42 PM, Oleg Fayans wrote:
> Hi Ludwig,
>
> On 07/15/2015 01:52 PM, Ludwig Krispenz wrote:
>>
>> On 07/15/2015 01:22 PM, Oleg Fayans wrote:
>>> Hi Ludwig,
>>>
>>> On 07/15/2015 12:20 PM, Ludwig Krispenz wrote:
>>>> looks like the initial replication is failing:
>>>> [15/Jul/2015:04:47:31 -0400] slapi_ldap_bind - Error: could not
>>>> bind id [cn=replication manager,cn=config] authentication mechanism
>>>> [SIMPLE]: error 32 (No such object) errno 0 (Success)
>>>> [15/Jul/2015:04:47:31 -0400] NSMMReplicationPlugin -
>>>> agmt="cn=meTof22master.pesen.net" (f22master:389): Replication bind
>>>> with SIMPLE auth failed: LDAP error 32 (No such object) ()
>>>>
>>>> could you check the access log for ADD and DEL of "cn=replication
>>>> manager,cn=config" on both master and replica,
>>> Here are corresponding lines in access log of master:
>>>
>>> [15/Jul/2015:04:45:00 -0400] conn=52 op=6 ADD dn="cn=replication
>>> manager,cn=config"
>>> [15/Jul/2015:04:45:00 -0400] conn=52 op=6 RESULT err=68 tag=105
>>> nentries=0 etime=0
>> err=68 means "already exists", so is there another ADD, and a DEL?
>>
>> did you install the replicas in parallel?
> Yes, I did.
> Probably, this is the main reason

could be. the procedure is to use a temporary repl manager, ADD/DEL cn=replication manager. Done in parallel you could have

A ADD cn=repl
B ADD cn=repl ==> err=68 ==> ??? don't know how the failure is handled
A DEL cn=repl
B try to use cn=repl, but it no longer exists

>
>>>
>>> Replica's access log does not contain any records about replication
>>> manager
>>>
>>> error log on master has this interesting record:
>>> [15/Jul/2015:04:47:30 -0400] repl_version_plugin_recv_acquire_cb -
>>> [file ipa_repl_version.c, line 119]: Incompatible IPA versions,
>>> pausing replication. This server: "20100614120000" remote server:
>>> "(null)".
>>>
>>> This is really weird, because both master and replica use the same
>>> version of packages:
>>> freeipa-server-4.2.90.201507141138GIT3459607-0.fc22.x86_64
>>>
>>>> is there anything in the error log of the master ?
>>>>
>>>> Ludwig
>>>>
>>>> On 07/15/2015 11:07 AM, Oleg Fayans wrote:
>>>>> Hi everybody,
>>>>>
>>>>> The following error was encountered during installation of one of
>>>>> replicas using the packages built from the latest upstream code:
>>>>> [error] RuntimeError: One of the ldap service principals is
>>>>> missing. Replication agreement cannot be converted.
>>>>> Replication error message: Unable to acquire replicaLDAP error: No
>>>>> such object
>>>>>
>>>>> The second replica however was installed successfully.
>>>>> Installation log and dirsrv errors log are attached

From dkupka at redhat.com Wed Jul 15 13:21:53 2015
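The ADD/DEL race Ludwig sketches above, as an added illustration that is not FreeIPA code and not part of this thread. It models the directory as a dict keyed by DN and runs two replica installers, "A" and "B", that each ADD the shared cn=replication manager,cn=config entry, bind as it, and DEL it; a scheduler interleaves their operations. The result codes are the standard LDAP ones seen in the logs (68 entryAlreadyExists on the ADD, 32 noSuchObject on the bind); the installer names, passwords and the two schedules are constructed, and the model assumes, as the "???" in the message leaves open, that an installer carries on after its ADD fails with err=68.

```python
"""Model of the temporary replication-manager race described above.

Added illustration, not FreeIPA code: a toy in-memory LDAP directory plus
two replica installers that each ADD, bind as, then DEL the shared
cn=replication manager,cn=config entry. Interleaving the two sequences
reproduces the err=68 on ADD and the error 32 on bind from the logs.
"""
from dataclasses import dataclass, field

# Standard LDAP result codes (RFC 4511); the ones that appear in the thread.
SUCCESS = 0
NO_SUCH_OBJECT = 32          # "No such object" on the failed SIMPLE bind
INVALID_CREDENTIALS = 49
ENTRY_ALREADY_EXISTS = 68    # the err=68 on the master's ADD

REPL_MANAGER_DN = "cn=replication manager,cn=config"


@dataclass
class Directory:
    """Minimal in-memory directory: DN -> attributes, plus an access log."""
    entries: dict = field(default_factory=dict)
    access_log: list = field(default_factory=list)

    def add(self, dn, attrs):
        rc = ENTRY_ALREADY_EXISTS if dn in self.entries else SUCCESS
        if rc == SUCCESS:
            self.entries[dn] = dict(attrs)
        self.access_log.append(f'ADD dn="{dn}" RESULT err={rc}')
        return rc

    def delete(self, dn):
        rc = SUCCESS if dn in self.entries else NO_SUCH_OBJECT
        if rc == SUCCESS:
            del self.entries[dn]
        self.access_log.append(f'DEL dn="{dn}" RESULT err={rc}')
        return rc

    def simple_bind(self, dn, password):
        entry = self.entries.get(dn)
        if entry is None:
            rc = NO_SUCH_OBJECT
        elif entry.get("userPassword") != password:
            rc = INVALID_CREDENTIALS
        else:
            rc = SUCCESS
        self.access_log.append(f'BIND dn="{dn}" RESULT err={rc}')
        return rc


def replica_install(directory, name, password):
    """One installer's use of the temporary replication manager.

    A generator, so a scheduler can interleave two installers op by op.
    Constructed assumption: the installer does not abort after a failed
    ADD (the thread leaves open how that failure is handled).
    """
    yield name, "ADD", directory.add(REPL_MANAGER_DN, {"userPassword": password})
    yield name, "BIND", directory.simple_bind(REPL_MANAGER_DN, password)
    yield name, "DEL", directory.delete(REPL_MANAGER_DN)


def run_schedule(order):
    """Run installers A and B against one directory, taking one op from the
    installer named at each position of `order`; return (installer, op, rc)."""
    directory = Directory()
    installers = {
        "A": replica_install(directory, "A", "constructed-pw-A"),
        "B": replica_install(directory, "B", "constructed-pw-B"),
    }
    return [next(installers[name]) for name in order]


def parallel_install():
    """Both replicas ADD before either finishes: B's ADD hits err=68 and,
    once A has deleted the entry, B's bind fails with error 32."""
    return run_schedule(["A", "B", "A", "A", "B", "B"])


def serial_install():
    """Replicas installed one after the other: every op succeeds."""
    return run_schedule(["A", "A", "A", "B", "B", "B"])


def failed_ops(results):
    """The (installer, op, rc) triples with a non-zero result code."""
    return [r for r in results if r[2] != SUCCESS]


if __name__ == "__main__":
    for label, run in (("parallel", parallel_install), ("serial", serial_install)):
        print(label)
        for installer, op, rc in run():
            print(f"  {installer} {op:<4} err={rc}")
```

The parallel schedule is the one that matches the logs: the second ADD returns 68, and once installer A has removed the entry, installer B's bind against the shared DN returns 32, which is the "could not bind id [cn=replication manager,cn=config] ... error 32 (No such object)" line from the errors log. The serial schedule shows the same two installers succeeding when they do not overlap.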
From: dkupka at redhat.com (David Kupka)
Date: Wed, 15 Jul 2015 15:21:53 +0200
Subject: [Freeipa-devel] [PATCH 0057] Do not use anonymous bind in migration UI.
Message-ID: <55A65E71.7060701@redhat.com>

https://fedorahosted.org/freeipa/ticket/4953

To test this patch:

1. Migrate users from LDAP or other FreeIPA server (https://www.freeipa.org/page/Howto/Migration)

2. Disable anonymous bind to Directory Server (https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/disabling-anon-binds.html)

3. Go to FreeIPA migration page (ipa.example.com/ipa/migration/) and enter name and password of one of the migrated users.

Without this patch you will get an error page.

--
David Kupka
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-dkupka-0057-Do-not-use-anonymous-bind-in-migration-UI.patch
Type: text/x-patch
Size: 916 bytes
Desc: not available

From jcholast at redhat.com Wed Jul 15 13:34:57 2015
From: jcholast at redhat.com (Jan Cholasta)
Date: Wed, 15 Jul 2015 15:34:57 +0200
Subject: [Freeipa-devel] [PATCH 0057] Do not use anonymous bind in migration UI.
In-Reply-To: <55A65E71.7060701@redhat.com>
References: <55A65E71.7060701@redhat.com>
Message-ID: <55A66181.9080700@redhat.com>

On 15.7.2015 at 15:21, David Kupka wrote:
> https://fedorahosted.org/freeipa/ticket/4953
>
> To test this patch:
>
> 1. Migrate users from LDAP or other FreeIPA server
> (https://www.freeipa.org/page/Howto/Migration)
>
> 2. Disable anonymous bind to Directory Server
> (https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/disabling-anon-binds.html)
>
> 3. Go to FreeIPA migration page (ipa.example.com/ipa/migration/) and
> enter name and password of one of the migrated users.
>
> Without this patch you will get an error page.

NACK, you are calling do_bind with wrong arguments.

--
Jan Cholasta

From pvoborni at redhat.com Wed Jul 15 13:39:47 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Wed, 15 Jul 2015 15:39:47 +0200
Subject: [Freeipa-devel] DNS: consolidate RR types in API and LDAP schema
In-Reply-To: <55A6551E.9070306@redhat.com>
References: <55A6551E.9070306@redhat.com>
Message-ID: <55A662A3.3090505@redhat.com>

On 07/15/2015 02:42 PM, Martin Basti wrote:
> Patch attached.
>
> https://fedorahosted.org/freeipa/ticket/4934
> https://fedorahosted.org/freeipa/ticket/5055
>

Why are you adding RP, APL, IPSEC, DHCID, HIP, SPF records? Is there a plan to use them? Can't we just not use unsupported records in LDAPSearch? (which would fix #5055)

--
Petr Vobornik

From mbabinsk at redhat.com Wed Jul 15 14:02:09 2015
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Wed, 15 Jul 2015 16:02:09 +0200
Subject: [Freeipa-devel] [PATCH 0048] separate module to handle installation of AD trust related functionality
Message-ID: <55A667E1.8090900@redhat.com>

During investigation of https://fedorahosted.org/freeipa/ticket/3993 I have realized that I can do some guerilla ref*ctoring and move the guts of `ipa-adtrust-install` to separate module, as we did with CA, KRA, DNS and friends.

I have put a link to https://fedorahosted.org/freeipa/ticket/4468 to the commit message, is it OK even if we formally closed the ticket?

--
Martin^3 Babinsky
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbabinsk-0048-separate-module-to-handle-installation-of-AD-trust-r.patch
Type: text/x-patch
Size: 25433 bytes
Desc: not available

From mbasti at redhat.com Wed Jul 15 14:03:37 2015
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 15 Jul 2015 16:03:37 +0200
Subject: [Freeipa-devel] DNS: consolidate RR types in API and LDAP schema
In-Reply-To: <55A662A3.3090505@redhat.com>
References: <55A6551E.9070306@redhat.com> <55A662A3.3090505@redhat.com>
Message-ID: <55A66839.80508@redhat.com>

On 15/07/15 15:39, Petr Vobornik wrote:
> On 07/15/2015 02:42 PM, Martin Basti wrote:
>> Patch attached.
>>
>> https://fedorahosted.org/freeipa/ticket/4934
>> https://fedorahosted.org/freeipa/ticket/5055
>>
>
> Why are you adding RP, APL, IPSEC, DHCID, HIP, SPF records? Is there a
> plan to use them? Can't we just not use unsupported records in
> LDAPSearch? (which would fix #5055)

I had discussion with Petr2, and we decided to do it this way, because these records are valid.

Removing unsupported records from search changes the behavior of the DNS commands. Now IPA shows even unsupported records which cannot be modified by API. AFAIK we want to keep this behavior.

--
Martin Basti

From jcholast at redhat.com Wed Jul 15 14:05:11 2015
From: jcholast at redhat.com (Jan Cholasta)
Date: Wed, 15 Jul 2015 16:05:11 +0200
Subject: [Freeipa-devel] [PATCH 0048] separate module to handle installation of AD trust related functionality
In-Reply-To: <55A667E1.8090900@redhat.com>
References: <55A667E1.8090900@redhat.com>
Message-ID: <55A66897.9010009@redhat.com>

On 15.7.2015 at 16:02, Martin Babinsky wrote:
> During investigation of https://fedorahosted.org/freeipa/ticket/3993 I
> have realized that I can do some guerilla ref*ctoring and move the guts
> of `ipa-adtrust-install` to separate module, as we did with CA, KRA, DNS
> and friends.

+1

>
> I have put a link to https://fedorahosted.org/freeipa/ticket/4468 to the
> commit message, is it OK even if we formally closed the ticket?
>

To quote the last comment in the ticket: "Please open tickets for missing functionality that you depend on."

--
Jan Cholasta

From dkupka at redhat.com Wed Jul 15 14:04:51 2015
From: dkupka at redhat.com (David Kupka) Date: Wed, 15 Jul 2015 16:04:51 +0200 Subject: [Freeipa-devel] [PATCH 0057] Do not use anonymous bind in migration UI. In-Reply-To: <55A66181.9080700@redhat.com> References: <55A65E71.7060701@redhat.com> <55A66181.9080700@redhat.com> Message-ID: <55A66883.3080606@redhat.com> On 15/07/15 15:34, Jan Cholasta wrote: > Dne 15.7.2015 v 15:21 David Kupka napsal(a): >> https://fedorahosted.org/freeipa/ticket/4953 >> >> To test this patch: >> >> 1. Migrate users from LDAP or other FreeIPA server >> (https://www.freeipa.org/page/Howto/Migration) >> >> 2. Disable anonymous bind to Directory Server >> (https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/disabling-anon-binds.html) >> >> >> >> 3. Go to FreeIPA migration page (ipa.example.com/ipa/migration/) and >> enter name and password of one of the migrated users. >> >> Without this patch you will get an error page. > > NACK, you are calling do_bind with wrong arguments. > Updated patch attached. -- David Kupka -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-dkupka-0057.1-Do-not-use-anonymous-bind-in-migration-UI.patch Type: text/x-patch Size: 908 bytes Desc: not available URL: From mbabinsk at redhat.com Wed Jul 15 14:19:07 2015 
From: mbabinsk at redhat.com (Martin Babinsky) Date: Wed, 15 Jul 2015 16:19:07 +0200 Subject: [Freeipa-devel] [PATCH 0048] separate module to handle installation of AD trust related functionality In-Reply-To: <55A66897.9010009@redhat.com> References: <55A667E1.8090900@redhat.com> <55A66897.9010009@redhat.com> Message-ID: <55A66BDB.7070209@redhat.com> On 07/15/2015 04:05 PM, Jan Cholasta wrote: > Dne 15.7.2015 v 16:02 Martin Babinsky napsal(a): >> During investigation of https://fedorahosted.org/freeipa/ticket/3993 I >> have realized that I can do some guerilla ref*ctoring and move the guts >> of `ipa-adtrust-install` to separate module, as we did with CA, KRA, DNS >> and friends. > > +1 > >> >> I have put a link to https://fedorahosted.org/freeipa/ticket/4468 to the >> commit message, is it OK even if we formally closed the ticket? >> > > To quote the last comment in the ticket: "Please open tickets for > missing functionality that you depend on." > Attaching updated patch with the link to #4468 removed from commit message. -- Martin^3 Babinsky -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0048.1-separate-module-to-handle-installation-of-AD-trust-r.patch Type: text/x-patch Size: 25388 bytes Desc: not available URL: From mbabinsk at redhat.com Wed Jul 15 14:38:43 2015 
From: mbabinsk at redhat.com (Martin Babinsky) Date: Wed, 15 Jul 2015 16:38:43 +0200 Subject: [Freeipa-devel] [PATCH 0048] separate module to handle installation of AD trust related functionality In-Reply-To: <55A66BDB.7070209@redhat.com> References: <55A667E1.8090900@redhat.com> <55A66897.9010009@redhat.com> <55A66BDB.7070209@redhat.com> Message-ID: <55A67073.8000108@redhat.com> On 07/15/2015 04:19 PM, Martin Babinsky wrote: > On 07/15/2015 04:05 PM, Jan Cholasta wrote: >> Dne 15.7.2015 v 16:02 Martin Babinsky napsal(a): >>> During investigation of https://fedorahosted.org/freeipa/ticket/3993 I >>> have realized that I can do some guerilla ref*ctoring and move the guts >>> of `ipa-adtrust-install` to separate module, as we did with CA, KRA, DNS >>> and friends. >> >> +1 >> >>> >>> I have put a link to https://fedorahosted.org/freeipa/ticket/4468 to the >>> commit message, is it OK even if we formally closed the ticket? >>> >> >> To quote the last comment in the ticket: "Please open tickets for >> missing functionality that you depend on." >> > > Attaching updated patch with the link to #4468 removed from commit message. > > > Git's copy/rename detection can confuse people. That's why I am attaching a patch generated without passing '-M' and '-C' options to 'git format-patch'. -- Martin^3 Babinsky -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0048.2-separate-module-to-handle-installation-of-AD-trust-r.patch Type: text/x-patch Size: 36084 bytes Desc: not available URL: From mbasti at redhat.com Wed Jul 15 15:33:29 2015 
From: mbasti at redhat.com (Martin Basti) Date: Wed, 15 Jul 2015 17:33:29 +0200 Subject: [Freeipa-devel] DNS: consolidate RR types in API and LDAP schema In-Reply-To: <55A66839.80508@redhat.com> References: <55A6551E.9070306@redhat.com> <55A662A3.3090505@redhat.com> <55A66839.80508@redhat.com> Message-ID: <55A67D49.7020208@redhat.com> On 15/07/15 16:03, Martin Basti wrote: > On 15/07/15 15:39, Petr Vobornik wrote: >> On 07/15/2015 02:42 PM, Martin Basti wrote: >>> Patch attached. >>> >>> https://fedorahosted.org/freeipa/ticket/4934 >>> https://fedorahosted.org/freeipa/ticket/5055 >>> >> >> Why are you adding RP, APL, IPSEC, DHCID, HIP, SPF records? Is there >> a plan to use them? Can't we just not use unsupported records in >> LDAPSearch'? (which would fix #5055) > I had discussion with Petr2, and we decided to do it this way, because > these records are valid. > > Removing unsupported records from search changes the behavior of the > DNS commands. Now IPA shows even unsupported records which cannot be > modified by API. AFAIK we want to keep this behavior. > Updated patch attached. I forgot to remove DNSKEY from object class definition. -- Martin Basti -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0285.2-DNS-Consolidate-DNS-RR-types-in-API-and-schema.patch Type: text/x-patch Size: 52016 bytes Desc: not available URL: From pspacek at redhat.com Wed Jul 15 15:38:20 2015 
From: pspacek at redhat.com (Petr Spacek) Date: Wed, 15 Jul 2015 17:38:20 +0200 Subject: [Freeipa-devel] DNS: consolidate RR types in API and LDAP schema In-Reply-To: <55A67D49.7020208@redhat.com> References: <55A6551E.9070306@redhat.com> <55A662A3.3090505@redhat.com> <55A66839.80508@redhat.com> <55A67D49.7020208@redhat.com> Message-ID: <55A67E6C.3000401@redhat.com> On 15.7.2015 17:33, Martin Basti wrote: > On 15/07/15 16:03, Martin Basti wrote: >> On 15/07/15 15:39, Petr Vobornik wrote: >>> On 07/15/2015 02:42 PM, Martin Basti wrote: >>>> Patch attached. >>>> >>>> https://fedorahosted.org/freeipa/ticket/4934 >>>> https://fedorahosted.org/freeipa/ticket/5055 >>>> >>> >>> Why are you adding RP, APL, IPSEC, DHCID, HIP, SPF records? Is there a plan >>> to use them? Can't we just not use unsupported records in LDAPSearch'? >>> (which would fix #5055) >> I had discussion with Petr2, and we decided to do it this way, because these >> records are valid. >> >> Removing unsupported records from search changes the behavior of the DNS >> commands. Now IPA shows even unsupported records which cannot be modified by >> API. AFAIK we want to keep this behavior. >> > Updated patch attached. > > I forgot to remove DNSKEY from object class definition. Are you 100 % sure that it will not break on upgrade? Please double-check that with Thierry. -- Petr^2 Spacek From mbasti at redhat.com Wed Jul 15 15:39:27 2015 
From: mbasti at redhat.com (Martin Basti) Date: Wed, 15 Jul 2015 17:39:27 +0200 Subject: [Freeipa-devel] DNS: consolidate RR types in API and LDAP schema In-Reply-To: <55A67E6C.3000401@redhat.com> References: <55A6551E.9070306@redhat.com> <55A662A3.3090505@redhat.com> <55A66839.80508@redhat.com> <55A67D49.7020208@redhat.com> <55A67E6C.3000401@redhat.com> Message-ID: <55A67EAF.8040803@redhat.com> On 15/07/15 17:38, Petr Spacek wrote: > On 15.7.2015 17:33, Martin Basti wrote: >> On 15/07/15 16:03, Martin Basti wrote: >>> On 15/07/15 15:39, Petr Vobornik wrote: >>>> On 07/15/2015 02:42 PM, Martin Basti wrote: >>>>> Patch attached. >>>>> >>>>> https://fedorahosted.org/freeipa/ticket/4934 >>>>> https://fedorahosted.org/freeipa/ticket/5055 >>>>> >>>> Why are you adding RP, APL, IPSEC, DHCID, HIP, SPF records? Is there a plan >>>> to use them? Can't we just not use unsupported records in LDAPSearch'? >>>> (which would fix #5055) >>> I had discussion with Petr2, and we decided to do it this way, because these >>> records are valid. >>> >>> Removing unsupported records from search changes the behavior of the DNS >>> commands. Now IPA shows even unsupported records which cannot be modified by >>> API. AFAIK we want to keep this behavior. >>> >> Updated patch attached. >> >> I forgot to remove DNSKEY from object class definition. > Are you 100 % sure that it will not break on upgrade? Please double-check that > with Thierry. > It was my change before we decided that DNSKEY should not be there, it is not in git repo. -- Martin Basti From mbasti at redhat.com Wed Jul 15 15:57:51 2015
From: mbasti at redhat.com (Martin Basti) Date: Wed, 15 Jul 2015 17:57:51 +0200 Subject: [Freeipa-devel] [PATCH 0286] Sysrestore: copy files instead of moving them to avoid SELinux issues Message-ID: <55A682FF.8000000@redhat.com> Moved files temporarily exist without a proper SElinux context which causes issues when running SSSD/ntpd tries to work with files. https://fedorahosted.org/freeipa/ticket/4923 Patch attached. -- Martin Basti -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0286-sysrestore-copy-files-instead-of-moving-them-to-avoi.patch Type: text/x-patch Size: 1580 bytes Desc: not available URL: From abokovoy at redhat.com Wed Jul 15 16:01:18 2015 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Wed, 15 Jul 2015 19:01:18 +0300 Subject: [Freeipa-devel] [PATCH 0286] Sysrestore: copy files instead of moving them to avoid SELinux issues In-Reply-To: <55A682FF.8000000@redhat.com> References: <55A682FF.8000000@redhat.com> Message-ID: <20150715160118.GJ21928@redhat.com> On Wed, 15 Jul 2015, Martin Basti wrote: >Moved files temporarily exist without a proper SElinux context which >causes issues when running SSSD/ntpd tries to work with files. > >https://fedorahosted.org/freeipa/ticket/4923 > >Patch attached. > >-- >Martin Basti > >From a86424429eea3bede519284e2d986c4fad8755f8 Mon Sep 17 00:00:00 2001 >From: Martin Basti >Date: Wed, 15 Jul 2015 16:20:59 +0200 >Subject: [PATCH] sysrestore: copy files instead of moving them to avoind > SELinux issues > >Copying files restores SELinux context. > >https://fedorahosted.org/freeipa/ticket/4923 >--- > ipapython/sysrestore.py | 12 ++++++------ > 1 file changed, 6 insertions(+), 6 deletions(-) > >diff --git a/ipapython/sysrestore.py b/ipapython/sysrestore.py >index c058ff7c04d4604ba96c2a4ece68d476b5b6491f..354897240b542c2671b662a4fdad1a089652f899 100644 >--- a/ipapython/sysrestore.py >+++ b/ipapython/sysrestore.py 
>@@ -186,12 +186,12 @@ class FileStore: > if new_path is not None: > path = new_path > >- shutil.move(backup_path, path) >+ shutil.copy(backup_path, path) # SELinux needs copy >+ os.remove(backup_path) >+ > os.chown(path, int(uid), int(gid)) > os.chmod(path, int(mode)) > >- tasks.restore_context(path) >- Please keep restorecon calls because we might have a case when old label was wrong in the backup. > del self.files[filename] > self.save() > >@@ -217,12 +217,12 @@ class FileStore: > root_logger.debug(" -> Not restoring - '%s' doesn't exist", backup_path) > continue > >- shutil.move(backup_path, path) >+ shutil.copy(backup_path, path) # SELinux needs copy >+ os.remove(backup_path) >+ > os.chown(path, int(uid), int(gid)) > os.chmod(path, int(mode)) > >- tasks.restore_context(path) >- Same here. -- / Alexander Bokovoy From pspacek at redhat.com Wed Jul 15 16:13:30 2015 
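Review bot: in the `@@ -186,12` hunk, dropping `tasks.restore_context(path)` makes the final label depend on what was already at `path`: `shutil.copy` writes into the existing destination inode when the target exists, so an existing file keeps whatever context it had, and only a freshly created file picks up the default label from policy. Keep the `tasks.restore_context(path)` call after `os.chmod(path, int(mode))` so the label is set from policy in both cases, and replace the `# SELinux needs copy` comment with one that states the reason (a rename keeps the backup file's label, a copy does not carry it over). Note also that `shutil.copy(backup_path, path)` followed by `os.remove(backup_path)` is no longer a single rename, so a failure between the two calls leaves both files on disk; that is acceptable for a restore, but worth a comment since the backup is the only copy until the remove succeeds.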
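Review bot: the `@@ -217,12` hunk repeats the copy, remove, `os.chown`, `os.chmod` and removed `tasks.restore_context(path)` sequence verbatim from the `@@ -186` hunk; moving that sequence into one helper on `FileStore` (for example `_restore_file(backup_path, path, uid, gid, mode)`) would keep the single-file and restore-all paths from drifting apart and would have left one place to keep the `restore_context` call. The same objection as above applies here: keep `tasks.restore_context(path)` after `os.chmod(path, int(mode))` in this path too.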
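The disagreement above about whether the restorecon call is still needed comes down to what `shutil.move` and `shutil.copy` do to the destination inode. The following is an added example written for this page, not FreeIPA's sysrestore code: it shows that a rename replaces the target's inode with the backup's while a copy keeps an existing target's inode (which is why an existing file keeps its label), and that a restore routine which always calls a relabel step does not depend on which case applied. The `restore_context` callback is a hypothetical stand-in for a restorecon step so the example runs without SELinux, and all file names are constructed.

```python
import os
import shutil
import stat
import tempfile


def _write(path, text):
    """Create a constructed sample file with the given text."""
    with open(path, "w") as f:
        f.write(text)


def restore_by_move(backup_path, path):
    """Rename the backup over the target and report the target's inode.

    A rename re-links the backup's inode under the target name, so the
    restored file carries whatever label the backup file had.
    """
    shutil.move(backup_path, path)
    return os.stat(path).st_ino


def restore_by_copy(backup_path, path):
    """Copy the backup's contents over the target and report the inode.

    shutil.copy opens an existing target for writing, so the target keeps
    its own inode (and hence its own label); only when the target is absent
    is a new inode created, which then gets the directory's default label.
    """
    shutil.copy(backup_path, path)
    os.remove(backup_path)
    return os.stat(path).st_ino


def restore_file(backup_path, path, mode, restore_context):
    """Copy the backup into place, set the mode, then relabel.

    `restore_context` is a hypothetical callback standing in for the
    restorecon step (FreeIPA's tasks.restore_context).  Calling it
    unconditionally means the final label never depends on whether
    `path` already existed before the restore.
    """
    shutil.copy(backup_path, path)
    os.remove(backup_path)
    os.chmod(path, mode)
    restore_context(path)
    with open(path) as f:
        return f.read()


def demo():
    """Exercise the three strategies on constructed files in a temp dir."""
    relabelled = []
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "sample.conf")      # constructed names
        backup = os.path.join(tmp, "sample.conf.bak")

        # 1. Target exists, restore by rename: target takes the backup's inode.
        _write(target, "current\n")
        _write(backup, "saved\n")
        old_target_ino = os.stat(target).st_ino
        backup_ino = os.stat(backup).st_ino
        move_ino = restore_by_move(backup, target)

        # 2. Target exists, restore by copy: target keeps its own inode.
        _write(backup, "saved\n")
        cur_target_ino = os.stat(target).st_ino
        copy_ino = restore_by_copy(backup, target)

        # 3. Target missing, full restore with an explicit relabel step.
        os.remove(target)
        _write(backup, "saved again\n")
        content = restore_file(backup, target, 0o600, relabelled.append)
        mode = stat.S_IMODE(os.stat(target).st_mode)

    return {
        "move_replaces_inode": move_ino == backup_ino and move_ino != old_target_ino,
        "copy_keeps_inode": copy_ino == cur_target_ino,
        "restored_content": content,
        "mode": mode,
        "relabel_calls": len(relabelled),
    }


if __name__ == "__main__":
    print(demo())
```

Run as a script it prints the observations; the point of case 2 versus case 3 is that the copy-based restore produces a file with the pre-existing label in one case and the directory default in the other, so the relabel step in `restore_file` is what makes the result uniform.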
From: pspacek at redhat.com (Petr Spacek) Date: Wed, 15 Jul 2015 18:13:30 +0200 Subject: [Freeipa-devel] DNS: consolidate RR types in API and LDAP schema In-Reply-To: <55A67EAF.8040803@redhat.com> References: <55A6551E.9070306@redhat.com> <55A662A3.3090505@redhat.com> <55A66839.80508@redhat.com> <55A67D49.7020208@redhat.com> <55A67E6C.3000401@redhat.com> <55A67EAF.8040803@redhat.com> Message-ID: <55A686AA.4050801@redhat.com> On 15.7.2015 17:39, Martin Basti wrote: > On 15/07/15 17:38, Petr Spacek wrote: >> On 15.7.2015 17:33, Martin Basti wrote: >>> On 15/07/15 16:03, Martin Basti wrote: >>>> On 15/07/15 15:39, Petr Vobornik wrote: >>>>> On 07/15/2015 02:42 PM, Martin Basti wrote: >>>>>> Patch attached. >>>>>> >>>>>> https://fedorahosted.org/freeipa/ticket/4934 >>>>>> https://fedorahosted.org/freeipa/ticket/5055 >>>>>> >>>>> Why are you adding RP, APL, IPSEC, DHCID, HIP, SPF records? Is there a plan >>>>> to use them? Can't we just not use unsupported records in LDAPSearch'? >>>>> (which would fix #5055) >>>> I had discussion with Petr2, and we decided to do it this way, because these >>>> records are valid. >>>> >>>> Removing unsupported records from search changes the behavior of the DNS >>>> commands. Now IPA shows even unsupported records which cannot be modified by >>>> API. AFAIK we want to keep this behavior. >>>> >>> Updated patch attached. >>> >>> I forgot to remove DNSKEY from object class definition. >> Are you 100 % sure that it will not break on upgrade? Please double-check that >> with Thierry. >> > IT was my change before we decided that DNSKEY should not be there, it is not > in git repo. I see, okay. -- Petr^2 Spacek From mbasti at redhat.com Wed Jul 15 16:15:36 2015 
From: mbasti at redhat.com (Martin Basti) Date: Wed, 15 Jul 2015 18:15:36 +0200 Subject: [Freeipa-devel] [PATCH 0286] Sysrestore: copy files instead of moving them to avoid SELinux issues In-Reply-To: <20150715160118.GJ21928@redhat.com> References: <55A682FF.8000000@redhat.com> <20150715160118.GJ21928@redhat.com> Message-ID: <55A68728.7050606@redhat.com> On 15/07/15 18:01, Alexander Bokovoy wrote: > On Wed, 15 Jul 2015, Martin Basti wrote: >> Moved files temporarily exist without a proper SElinux context which >> causes issues when running SSSD/ntpd tries to work with files. >> >> https://fedorahosted.org/freeipa/ticket/4923 >> >> Patch attached. >> >> -- >> Martin Basti >> > >> From a86424429eea3bede519284e2d986c4fad8755f8 Mon Sep 17 00:00:00 2001 >> From: Martin Basti >> Date: Wed, 15 Jul 2015 16:20:59 +0200 >> Subject: [PATCH] sysrestore: copy files instead of moving them to avoind >> SELinux issues >> >> Copying files restores SELinux context. >> >> https://fedorahosted.org/freeipa/ticket/4923 >> --- >> ipapython/sysrestore.py | 12 ++++++------ >> 1 file changed, 6 insertions(+), 6 deletions(-) >> >> diff --git a/ipapython/sysrestore.py b/ipapython/sysrestore.py >> index >> c058ff7c04d4604ba96c2a4ece68d476b5b6491f..354897240b542c2671b662a4fdad1a089652f899 >> 100644 >> --- a/ipapython/sysrestore.py >> +++ b/ipapython/sysrestore.py >> @@ -186,12 +186,12 @@ class FileStore: >> if new_path is not None: >> path = new_path >> >> - shutil.move(backup_path, path) >> + shutil.copy(backup_path, path) # SELinux needs copy >> + os.remove(backup_path) >> + >> os.chown(path, int(uid), int(gid)) >> os.chmod(path, int(mode)) >> >> - tasks.restore_context(path) >> - > Please keep restorecon calls because we might have a case when old label > was wrong in the backup. > > >> del self.files[filename] >> self.save() 
>> >> @@ -217,12 +217,12 @@ class FileStore: >> root_logger.debug(" -> Not restoring - '%s' doesn't >> exist", backup_path) >> continue >> >> - shutil.move(backup_path, path) >> + shutil.copy(backup_path, path) # SELinux needs copy >> + os.remove(backup_path) >> + >> os.chown(path, int(uid), int(gid)) >> os.chmod(path, int(mode)) >> >> - tasks.restore_context(path) >> - > Same here. > Sorry I don't get it. Label is not copied from backup_file. I changed Selinux context, then copy to original location and context was restored when file does not exist. Do you mean case when the target file has different label than it should have? Martin^2 From gr8eate at gmail.com Wed Jul 15 15:42:05 2015 From: gr8eate at gmail.com (Email) Date: Wed, 15 Jul 2015 11:42:05 -0400 Subject: [Freeipa-devel] Sync useradd from IPA to AD Message-ID: Hi everyone, my name is Tony and this is my first post, so it's nice to meet all of you. I've been tasked with creating an AD and FreeIPA environment, and I'm looking into the sync between the two. It looks like creating a user in AD causes that user to be created in IPA, but not the other way around. But if I create them in IPA they will not be auto created in AD. I'm wondering why this is. See section 8.1 of the fedora documentation as a reference. Thanks in advance! ~Tony -------------- next part -------------- An HTML attachment was scrubbed... URL: From rmeggins at redhat.com Wed Jul 15 17:22:38 2015 
From: rmeggins at redhat.com (Rich Megginson) Date: Wed, 15 Jul 2015 11:22:38 -0600 Subject: [Freeipa-devel] Sync useradd from IPA to AD In-Reply-To: References: Message-ID: <55A696DE.2040604@redhat.com> On 07/15/2015 09:42 AM, Email wrote: > Hi everyone, my name is Tony and this is my first post, so it's nice > to meet all of you. I've been tasked with creating an AD and FreeIPA > environment, and I'm looking into the sync between the two. It looks > like creating a user in AD causes that user to be created in IPA, but > not the other way around. But if I create them in IPA they will not > be auto created in AD. I'm wondering why this is. This is intentional. If you are using FreeIPA and windows sync, it is assumed you want AD to be the provisioning system for new users, and not FreeIPA. I would seriously consider using trusts instead of windows sync. > See section 8.1 of the fedora documentation as a reference. Link please? We may need to clarify the language. > Thanks in advance! > > ~Tony > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From cheimes at redhat.com Wed Jul 15 17:22:54 2015 
From: cheimes at redhat.com (Christian Heimes) Date: Wed, 15 Jul 2015 19:22:54 +0200 Subject: [Freeipa-devel] [PATCH 005] otptoken: use ipapython.nsslib instead of Python's ssl module In-Reply-To: <559C00ED.4090408@redhat.com> References: <559C00ED.4090408@redhat.com> Message-ID: <55A696EE.2030901@redhat.com> On 2015-07-07 18:40, Christian Heimes wrote: > Hello, > > the patch removes the dependency on Python's ssl module and > python-backports-ssl_match_hostname. > > https://fedorahosted.org/freeipa/ticket/5068 > > Open question > ------------- > Is paths.IPA_NSSDB_DIR the correct NSSDB? My patch hasn't been processed since last week. Can somebody have a look, please? Christian -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 455 bytes Desc: OpenPGP digital signature URL: From simo at redhat.com Wed Jul 15 17:39:04 2015 From: simo at redhat.com (Simo Sorce) Date: Wed, 15 Jul 2015 13:39:04 -0400 (EDT) Subject: [Freeipa-devel] [PATCH 0052] Create server-dns sub-package In-Reply-To: <55A51DC5.6090209@redhat.com> References: <5593D93D.7090000@redhat.com> <20150702070647.GH11876@redhat.com> <5594E598.7040400@redhat.com> <20150702073605.GI11876@redhat.com> <5594EEA5.3060504@redhat.com> <55A5017D.5010608@redhat.com> <55A51CBE.7040702@redhat.com> <55A51DC5.6090209@redhat.com> Message-ID: <187037684.17962032.1436981944717.JavaMail.zimbra@redhat.com> ----- Original Message ----- 
> From: "Petr Spacek" > To: "Jan Cholasta" , freeipa-devel at redhat.com, "Alexander Bokovoy" > Cc: "Simo Sorce" > Sent: Tuesday, July 14, 2015 10:33:41 AM > Subject: Re: [Freeipa-devel] [PATCH 0052] Create server-dns sub-package > > On 14.7.2015 16:29, Jan Cholasta wrote: > > Dne 14.7.2015 v 14:33 Petr Spacek napsal(a): > >> On 2.7.2015 09:56, Petr Spacek wrote: > >>> On 2.7.2015 09:36, Alexander Bokovoy wrote: > >>>> On Thu, 02 Jul 2015, Jan Cholasta wrote: > >>>>>>>>> Can this be done without adding server-core? > >>>>>>>> I'm not aware of such method (except of adding all DNS dependencies > >>>>>>>> as > >>>>>>>> Requires straight into freeipa-server package). > >>>>>>>> > >>>>>>>>> Because it's not server core, > >>>>>>>>> it's the whole thing! Or maybe just rename it to server-common? > >>>>>>>> > >>>>>>>> I'm fine with 'common'. Ticket 4058 calls for sub-package for CA too > >>>>>>>> so my > >>>>>>>> idea was to create 'core' package which will be gradually reduced > >>>>>>>> more and more. > >>>>>>> > >>>>>>> Well, I don't like the fact that in order to install IPA server > >>>>>>> without DNS you have to install freeipa-server-core instead of just > >>>>>>> freeipa-server. Fedora packaging guidelines [1] state that the > >>>>>>> metapackage should be named freeipa-server-compat, so I guess > >>>>>>> renaming > >>>>>>> freeipa-server to freeipa-server-compat and freeipa-server-core to > >>>>>>> freeipa-server is good enough. > >>>>>> I think you are misunderstanding what the guidelines say. -compat > >>>>>> subpackage is something that only contains Requires: and Obsoletes:, > >>>>>> to > >>>>>> help to pull the right packages. It is not supposed to be a > >>>>>> full-featured package with content. > >>>>> > >>>>> With Petr's patch, freeipa-server is exactly that - a metapackage with > >>>>> requires and obsoletes only - hence my suggestion to rename it > >>>>> according to > >>>>> the guidelines. > >>>> That's not good. 
> >>>> > >>>>>> I think we are good enough with freeipa-server-dns. We have the same > >>>>>> situation with freeipa-server-trust-ad -- it is not required by the > >>>>>> main > >>>>>> package and pulls in Samba-related bits. We also don't have any > >>>>>> -compat > >>>>>> or metapackage for it. > >>>>> > >>>>> freeipa-server-dns is fine, what is IMO not fine is that it *is* > >>>>> required by > >>>>> the main freeipa-server package, *unlike* freeipa-server-trust-ad. > >>>>> > >>>>> We don't have a compat metapackage for freeipa-server-trust-ad, because > >>>>> there are no upgrade issues with it, which is what Petr is trying to > >>>>> solve > >>>>> with his patch. > >>>> So, the issue is that for installed bind+bind-dyndb-ldap combination we > >>>> need to switch to bind-pkcs11+bind-dyndb-ldap. Maybe instead of > >>>> modifying main freeipa package we could modify bind-dyndb-ldap package > >>>> to require bind-pkcs11 and corresponding bits of freeipa packages? > >>> > >>> Unfortunately, no. > >>> - bind-dyndb-ldap itself is used & supported even without FreeIPA. > >>> - bind-pkcs11 depends on properly configured SoftHSM (or other PKCS#11 > >>> provider) > >>> => upgrade could break non-FreeIPA installations. > >>> > >>> I'm attempting to rework the patch now, stay tuned. > >> > >> Apparently this thread was abandoned during my PTO so I'm sending new > >> patch > >> here. It includes the -compat package and works with YUM and DNF. > > > > I don't like that freeipa-server got renamed to freeipa-server-core, but I > > won't push against it if Alexander and others (CCing Simo) are OK with it. > > For the record, I was not able to make it work without the rename. My opinion is that if we run dnf install freeipa-server, then we need to get freeipa server packages. If this is what happens I am ok with patches, otherwise I am not. Simo. From npmccallum at redhat.com Wed Jul 15 17:42:01 2015 
From: npmccallum at redhat.com (Nathaniel McCallum) Date: Wed, 15 Jul 2015 13:42:01 -0400 (EDT) Subject: [Freeipa-devel] Finishing the Community Portal In-Reply-To: <55A54A92.90200@redhat.com> References: <55A54A92.90200@redhat.com> Message-ID: <2124651391.42007327.1436982121896.JavaMail.zimbra@redhat.com> I'm pretty excited about this. As I see it right now user creation requires manual intervention. Is this correct? Is it possible to have a fully automated process where a token is generated and mailed to the user to verify their email address? ----- Original Message ----- > Hi, all, > > I'm just about finished with the Community Portal, which I've said a > couple of times, but I really mean it this time. The Captcha was the > last technical detail that needed addressing. At this point, any further > programming is going to be dedicated to configuration of the application. > > Right now, a organization could deploy the community portal in about a > day, if they had a programmer handy who pulled down my source, changed a > bunch of hard-coded configuration, and stuck it on a server. > > This might be acceptable, especially in the first iteration of the > application, but it probably isn't. How do I go about packaging the web > app that I built so that it can be deployed quickly to a server? > Someone off-list, I think, mentioned making it deployable to OpenShift? > > Basically, what do I have to do to call this application Finished? > > The code is located at github.com/dperny/freeipa-communityportal > > Thanks, > > Drew Erny > > -- > Manage your subscription for the Freeipa-devel mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-devel > Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code > From derny at redhat.com Wed Jul 15 18:19:10 2015 
From: derny at redhat.com (Drew Erny) Date: Wed, 15 Jul 2015 14:19:10 -0400 Subject: [Freeipa-devel] Finishing the Community Portal In-Reply-To: <2124651391.42007327.1436982121896.JavaMail.zimbra@redhat.com> References: <55A54A92.90200@redhat.com> <2124651391.42007327.1436982121896.JavaMail.zimbra@redhat.com> Message-ID: <55A6A41E.7030803@redhat.com> Yeah, user creation requires manual intervention; an admin has to move the user from staging to the main user tree. It could be pretty easily modified to allow totally automated self sign-up though On 07/15/2015 01:42 PM, Nathaniel McCallum wrote: > I'm pretty excited about this. > > As I see it right now user creation requires manual intervention. Is this correct? > > Is it possible to have a fully automated process where a token is generated and mailed to the user to verify their email address? > > ----- Original Message ----- >> Hi, all, >> >> I'm just about finished with the Community Portal, which I've said a >> couple of times, but I really mean it this time. The Captcha was the >> last technical detail that needed addressing. At this point, any further >> programming is going to be dedicated to configuration of the application. >> >> Right now, a organization could deploy the community portal in about a >> day, if they had a programmer handy who pulled down my source, changed a >> bunch of hard-coded configuration, and stuck it on a server. >> >> This might be acceptable, especially in the first iteration of the >> application, but it probably isn't. How do I go about packaging the web >> app that I built so that it can be deployed quickly to a server? >> Someone off-list, I think, mentioned making it deployable to OpenShift? >> >> Basically, what do I have to do to call this application Finished? 
>> >> The code is located at github.com/dperny/freeipa-communityportal >> >> Thanks, >> >> Drew Erny >> >> -- >> Manage your subscription for the Freeipa-devel mailing list: >> https://www.redhat.com/mailman/listinfo/freeipa-devel >> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code >> From npmccallum at redhat.com Wed Jul 15 20:32:59 2015 From: npmccallum at redhat.com (Nathaniel McCallum) Date: Wed, 15 Jul 2015 16:32:59 -0400 (EDT) Subject: [Freeipa-devel] Finishing the Community Portal In-Reply-To: <55A6A41E.7030803@redhat.com> References: <55A54A92.90200@redhat.com> <2124651391.42007327.1436982121896.JavaMail.zimbra@redhat.com> <55A6A41E.7030803@redhat.com> Message-ID: <210740520.42089084.1436992379074.JavaMail.zimbra@redhat.com> I definitely see both models finding use. ----- Original Message ----- > Yeah, user creation requires manual intervention; an admin has to move > the user from staging to the main user tree. > > It could be pretty easily modified to allow totally automated self > sign-up though > From redhatrises at gmail.com Wed Jul 15 20:37:04 2015 
From: redhatrises at gmail.com (Gabe Alford) Date: Wed, 15 Jul 2015 14:37:04 -0600 Subject: [Freeipa-devel] Finishing the Community Portal In-Reply-To: <210740520.42089084.1436992379074.JavaMail.zimbra@redhat.com> References: <55A54A92.90200@redhat.com> <2124651391.42007327.1436982121896.JavaMail.zimbra@redhat.com> <55A6A41E.7030803@redhat.com> <210740520.42089084.1436992379074.JavaMail.zimbra@redhat.com> Message-ID: On Wed, Jul 15, 2015 at 2:32 PM, Nathaniel McCallum wrote: > I definitely see both models finding use. > +1 > ----- Original Message ----- > > Yeah, user creation requires manual intervention; an admin has to move > > the user from staging to the main user tree. > > > > It could be pretty easily modified to allow totally automated self > > sign-up though > > > > -- > Manage your subscription for the Freeipa-devel mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-devel > Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code > -------------- next part -------------- An HTML attachment was scrubbed... URL: From derny at redhat.com Wed Jul 15 20:45:56 2015 
From: derny at redhat.com (Drew Erny) Date: Wed, 15 Jul 2015 16:45:56 -0400 Subject: [Freeipa-devel] Finishing the Community Portal In-Reply-To: References: <55A54A92.90200@redhat.com> <2124651391.42007327.1436982121896.JavaMail.zimbra@redhat.com> <55A6A41E.7030803@redhat.com> <210740520.42089084.1436992379074.JavaMail.zimbra@redhat.com> Message-ID: <55A6C684.7010108@redhat.com> Right now, I'm focusing on deployment of the application. I'm running out of time on my internship, so we'll see if I find time in the last couple of weeks to add that feature. On 07/15/2015 04:37 PM, Gabe Alford wrote: > On Wed, Jul 15, 2015 at 2:32 PM, Nathaniel McCallum > > wrote: > > I definitely see both models finding use. > > > +1 > > ----- Original Message ----- > > Yeah, user creation requires manual intervention; an admin has > to move > > the user from staging to the main user tree. > > > > It could be pretty easily modified to allow totally automated self > > sign-up though > > > > -- > Manage your subscription for the Freeipa-devel mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-devel > Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From jcholast at redhat.com Thu Jul 16 06:08:09 2015 From: jcholast at redhat.com (Jan Cholasta) Date: Thu, 16 Jul 2015 08:08:09 +0200 Subject: [Freeipa-devel] [PATCH 0052] Create server-dns sub-package In-Reply-To: <187037684.17962032.1436981944717.JavaMail.zimbra@redhat.com> References: <5593D93D.7090000@redhat.com> <20150702070647.GH11876@redhat.com> <5594E598.7040400@redhat.com> <20150702073605.GI11876@redhat.com> <5594EEA5.3060504@redhat.com> <55A5017D.5010608@redhat.com> <55A51CBE.7040702@redhat.com> <55A51DC5.6090209@redhat.com> <187037684.17962032.1436981944717.JavaMail.zimbra@redhat.com> Message-ID: <55A74A49.6090507@redhat.com> Dne 15.7.2015 v 19:39 Simo Sorce napsal(a): > ----- Original Message ----- 
>> From: "Petr Spacek" >> To: "Jan Cholasta" , freeipa-devel at redhat.com, "Alexander Bokovoy" >> Cc: "Simo Sorce" >> Sent: Tuesday, July 14, 2015 10:33:41 AM >> Subject: Re: [Freeipa-devel] [PATCH 0052] Create server-dns sub-package >> >> On 14.7.2015 16:29, Jan Cholasta wrote: >>> Dne 14.7.2015 v 14:33 Petr Spacek napsal(a): >>>> On 2.7.2015 09:56, Petr Spacek wrote: >>>>> On 2.7.2015 09:36, Alexander Bokovoy wrote: >>>>>> On Thu, 02 Jul 2015, Jan Cholasta wrote: >>>>>>>>>>> Can this be done without adding server-core? >>>>>>>>>> I'm not aware of such method (except of adding all DNS dependencies >>>>>>>>>> as >>>>>>>>>> Requires straight into freeipa-server package). >>>>>>>>>> >>>>>>>>>>> Because it's not server core, >>>>>>>>>>> it's the whole thing! Or maybe just rename it to server-common? >>>>>>>>>> >>>>>>>>>> I'm fine with 'common'. Ticket 4058 calls for sub-package for CA too >>>>>>>>>> so my >>>>>>>>>> idea was to create 'core' package which will be gradually reduced >>>>>>>>>> more and more. >>>>>>>>> >>>>>>>>> Well, I don't like the fact that in order to install IPA server >>>>>>>>> without DNS you have to install freeipa-server-core instead of just >>>>>>>>> freeipa-server. Fedora packaging guidelines [1] state that the >>>>>>>>> metapackage should be named freeipa-server-compat, so I guess >>>>>>>>> renaming >>>>>>>>> freeipa-server to freeipa-server-compat and freeipa-server-core to >>>>>>>>> freeipa-server is good enough. >>>>>>>> I think you are misunderstanding what the guidelines say. -compat >>>>>>>> subpackage is something that only contains Requires: and Obsoletes:, >>>>>>>> to >>>>>>>> help to pull the right packages. It is not supposed to be a >>>>>>>> full-featured package with content. >>>>>>> >>>>>>> With Petr's patch, freeipa-server is exactly that - a metapackage with >>>>>>> requires and obsoletes only - hence my suggestion to rename it >>>>>>> according to >>>>>>> the guidelines. >>>>>> That's not good. 
>>>>>> >>>>>>>> I think we are good enough with freeipa-server-dns. We have the same >>>>>>>> situation with freeipa-server-trust-ad -- it is not required by the >>>>>>>> main >>>>>>>> package and pulls in Samba-related bits. We also don't have any >>>>>>>> -compat >>>>>>>> or metapackage for it. >>>>>>> >>>>>>> freeipa-server-dns is fine, what is IMO not fine is that it *is* >>>>>>> required by >>>>>>> the main freeipa-server package, *unlike* freeipa-server-trust-ad. >>>>>>> >>>>>>> We don't have a compat metapackage for freeipa-server-trust-ad, because >>>>>>> there are no upgrade issues with it, which is what Petr is trying to >>>>>>> solve >>>>>>> with his patch. >>>>>> So, the issue is that for installed bind+bind-dyndb-ldap combination we >>>>>> need to switch to bind-pkcs11+bind-dyndb-ldap. Maybe instead of >>>>>> modifying main freeipa package we could modify bind-dyndb-ldap package >>>>>> to require bind-pkcs11 and corresponding bits of freeipa packages? >>>>> >>>>> Unfortunately, no. >>>>> - bind-dyndb-ldap itself is used & supported even without FreeIPA. >>>>> - bind-pkcs11 depends on properly configured SoftHSM (or other PKCS#11 >>>>> provider) >>>>> => upgrade could break non-FreeIPA installations. >>>>> >>>>> I'm attempting to rework the patch now, stay tuned. >>>> >>>> Apparently this thread was abandoned during my PTO so I'm sending new >>>> patch >>>> here. It includes the -compat package and works with YUM and DNF. >>> >>> I don't like that freeipa-server got renamed to freeipa-server-core, but I >>> won't push against it if Alexander and others (CCing Simo) are OK with it. >> >> For the record, I was not able to make it work without the rename. > > My opinion is that if we run dnf install freeipa-server, then we need to get freeipa server packages. > If this is what happens I am ok with patches, otherwise I am not. Without the patch, "dnf install freeipa-server" installs freeipa server without DNS dependencies. 
With the first version of the patch, "dnf install freeipa-server" installs freeipa server with all DNS dependencies. To install freeipa server without DNS dependencies, you need to run "dnf install freeipa-server-core". (Note that with this patch freeipa-server is a meta-package with no files.) With the second version of the patch, "dnf install freeipa-server" fails, because there is no freeipa-server anymore. To install freeipa server without DNS dependencies, you need to run "dnf install freeipa-server-core". -- Jan Cholasta From abokovoy at redhat.com Thu Jul 16 06:33:44 2015 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Thu, 16 Jul 2015 09:33:44 +0300 Subject: [Freeipa-devel] [PATCH 0052] Create server-dns sub-package In-Reply-To: <55A74A49.6090507@redhat.com> References: <5593D93D.7090000@redhat.com> <20150702070647.GH11876@redhat.com> <5594E598.7040400@redhat.com> <20150702073605.GI11876@redhat.com> <5594EEA5.3060504@redhat.com> <55A5017D.5010608@redhat.com> <55A51CBE.7040702@redhat.com> <55A51DC5.6090209@redhat.com> <187037684.17962032.1436981944717.JavaMail.zimbra@redhat.com> <55A74A49.6090507@redhat.com> Message-ID: <20150716063344.GK21928@redhat.com> On Thu, 16 Jul 2015, Jan Cholasta wrote: >Dne 15.7.2015 v 19:39 Simo Sorce napsal(a): >>----- Original Message ----- 
>>>From: "Petr Spacek" >>>To: "Jan Cholasta" , freeipa-devel at redhat.com, "Alexander Bokovoy" >>>Cc: "Simo Sorce" >>>Sent: Tuesday, July 14, 2015 10:33:41 AM >>>Subject: Re: [Freeipa-devel] [PATCH 0052] Create server-dns sub-package >>> >>>On 14.7.2015 16:29, Jan Cholasta wrote: >>>>Dne 14.7.2015 v 14:33 Petr Spacek napsal(a): >>>>>On 2.7.2015 09:56, Petr Spacek wrote: >>>>>>On 2.7.2015 09:36, Alexander Bokovoy wrote: >>>>>>>On Thu, 02 Jul 2015, Jan Cholasta wrote: >>>>>>>>>>>>Can this be done without adding server-core? >>>>>>>>>>>I'm not aware of such method (except of adding all DNS dependencies >>>>>>>>>>>as >>>>>>>>>>>Requires straight into freeipa-server package). >>>>>>>>>>> >>>>>>>>>>>>Because it's not server core, >>>>>>>>>>>>it's the whole thing! Or maybe just rename it to server-common? >>>>>>>>>>> >>>>>>>>>>>I'm fine with 'common'. Ticket 4058 calls for sub-package for CA too >>>>>>>>>>>so my >>>>>>>>>>>idea was to create 'core' package which will be gradually reduced >>>>>>>>>>>more and more. >>>>>>>>>> >>>>>>>>>>Well, I don't like the fact that in order to install IPA server >>>>>>>>>>without DNS you have to install freeipa-server-core instead of just >>>>>>>>>>freeipa-server. Fedora packaging guidelines [1] state that the >>>>>>>>>>metapackage should be named freeipa-server-compat, so I guess >>>>>>>>>>renaming >>>>>>>>>>freeipa-server to freeipa-server-compat and freeipa-server-core to >>>>>>>>>>freeipa-server is good enough. >>>>>>>>>I think you are misunderstanding what the guidelines say. -compat >>>>>>>>>subpackage is something that only contains Requires: and Obsoletes:, >>>>>>>>>to >>>>>>>>>help to pull the right packages. It is not supposed to be a >>>>>>>>>full-featured package with content. >>>>>>>> >>>>>>>>With Petr's patch, freeipa-server is exactly that - a metapackage with >>>>>>>>requires and obsoletes only - hence my suggestion to rename it >>>>>>>>according to >>>>>>>>the guidelines. >>>>>>>That's not good. 
>>>>>>> >>>>>>>>>I think we are good enough with freeipa-server-dns. We have the same >>>>>>>>>situation with freeipa-server-trust-ad -- it is not required by the >>>>>>>>>main >>>>>>>>>package and pulls in Samba-related bits. We also don't have any >>>>>>>>>-compat >>>>>>>>>or metapackage for it. >>>>>>>> >>>>>>>>freeipa-server-dns is fine, what is IMO not fine is that it *is* >>>>>>>>required by >>>>>>>>the main freeipa-server package, *unlike* freeipa-server-trust-ad. >>>>>>>> >>>>>>>>We don't have a compat metapackage for freeipa-server-trust-ad, because >>>>>>>>there are no upgrade issues with it, which is what Petr is trying to >>>>>>>>solve >>>>>>>>with his patch. >>>>>>>So, the issue is that for installed bind+bind-dyndb-ldap combination we >>>>>>>need to switch to bind-pkcs11+bind-dyndb-ldap. Maybe instead of >>>>>>>modifying main freeipa package we could modify bind-dyndb-ldap package >>>>>>>to require bind-pkcs11 and corresponding bits of freeipa packages? >>>>>> >>>>>>Unfortunately, no. >>>>>>- bind-dyndb-ldap itself is used & supported even without FreeIPA. >>>>>>- bind-pkcs11 depends on properly configured SoftHSM (or other PKCS#11 >>>>>>provider) >>>>>>=> upgrade could break non-FreeIPA installations. >>>>>> >>>>>>I'm attempting to rework the patch now, stay tuned. >>>>> >>>>>Apparently this thread was abandoned during my PTO so I'm sending new >>>>>patch >>>>>here. It includes the -compat package and works with YUM and DNF. >>>> >>>>I don't like that freeipa-server got renamed to freeipa-server-core, but I >>>>won't push against it if Alexander and others (CCing Simo) are OK with it. >>> >>>For the record, I was not able to make it work without the rename. >> >>My opinion is that if we run dnf install freeipa-server, then we need to get freeipa server packages. >>If this is what happens I am ok with patches, otherwise I am not. > >Without the patch, "dnf install freeipa-server" installs freeipa >server without DNS dependencies. 
> >With the first version of the patch, "dnf install freeipa-server" >installs freeipa server with all DNS dependencies. To install freeipa >server without DNS dependencies, you need to run "dnf install >freeipa-server-core". (Note that with this patch freeipa-server is a >meta-package with no files.) > >With the second version of the patch, "dnf install freeipa-server" >fails, because there is no freeipa-server anymore. To install freeipa >server without DNS dependencies, you need to run "dnf install >freeipa-server-core". Can we do Provides: freeipa-server in freeipa-server-compat? -- / Alexander Bokovoy From pvoborni at redhat.com Thu Jul 16 08:25:09 2015 From: pvoborni at redhat.com (Petr Vobornik) Date: Thu, 16 Jul 2015 10:25:09 +0200 Subject: [Freeipa-devel] [PATCH] 904 do not import memcache on client Message-ID: <55A76A65.8050706@redhat.com> Fixes regression caused by cd3ca94ff2ef738cb3a9eae502193413058f976d. Which caused: * client installation failure (missing memcache) * invalid warning in CLI on server https://fedorahosted.org/freeipa/ticket/5133 -- Petr Vobornik -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvoborni-0904-do-not-import-memcache-on-client.patch Type: text/x-patch Size: 1110 bytes Desc: not available URL: From tbabej at redhat.com Thu Jul 16 09:24:29 2015 
From: tbabej at redhat.com (Tomas Babej) Date: Thu, 16 Jul 2015 11:24:29 +0200 Subject: [Freeipa-devel] [PATCH] 904 do not import memcache on client In-Reply-To: <55A76A65.8050706@redhat.com> References: <55A76A65.8050706@redhat.com> Message-ID: <55A7784D.30703@redhat.com> On 07/16/2015 10:25 AM, Petr Vobornik wrote: > Fixes regression caused by cd3ca94ff2ef738cb3a9eae502193413058f976d. > > Which caused: > * client installation failure (missing memcache) > * invalid warning in CLI on server > > https://fedorahosted.org/freeipa/ticket/5133 > > Thanks for fixing this one! ACK. Pushed to: master: 9d69ad24282d19575295f1b2dd756ad9dd865c63 ipa-4-2: 6275d94df30c0c17d2317ad0fba3b28d433efa06 Tomas From dkupka at redhat.com Thu Jul 16 10:16:37 2015 
From: dkupka at redhat.com (David Kupka)
Date: Thu, 16 Jul 2015 12:16:37 +0200
Subject: [Freeipa-devel] [PATCH 0057] Do not use anonymous bind in migration UI.
In-Reply-To: <55A66883.3080606@redhat.com>
References: <55A65E71.7060701@redhat.com> <55A66181.9080700@redhat.com> <55A66883.3080606@redhat.com>
Message-ID: <55A78485.6040407@redhat.com>

On 15/07/15 16:04, David Kupka wrote:
> On 15/07/15 15:34, Jan Cholasta wrote:
>> On 15.7.2015 at 15:21, David Kupka wrote:
>>> https://fedorahosted.org/freeipa/ticket/4953
>>>
>>> To test this patch:
>>>
>>> 1. Migrate users from LDAP or other FreeIPA server
>>> (https://www.freeipa.org/page/Howto/Migration)
>>>
>>> 2. Disable anonymous bind to Directory Server
>>> (https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/disabling-anon-binds.html)
>>>
>>> 3. Go to FreeIPA migration page (ipa.example.com/ipa/migration/) and
>>> enter name and password of one of the migrated users.
>>>
>>> Without this patch you will get an error page.
>>
>> NACK, you are calling do_bind with wrong arguments.
>>
> Updated patch attached.
>

With Honza, we've found a better solution. Instead of binding to the LDAP just to get the base DN we can instantiate api and use the api.env.basedn variable. At the same time we can use api.env.ldap_uri instead of searching the filesystem for the ldapi socket.

Patch attached.

-- 
David Kupka
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-dkupka-0057.2-migration-Use-api.env-variables.patch
Type: text/x-patch
Size: 2624 bytes
Desc: not available
URL: 
From tbabej at redhat.com Thu Jul 16 10:44:52 2015
From: tbabej at redhat.com (Tomas Babej)
Date: Thu, 16 Jul 2015 12:44:52 +0200
Subject: [Freeipa-devel] [PATCH] 0191 Add SELinux boolean for oddjobd-activated services
In-Reply-To: <20150714113112.GK21928@redhat.com>
References: <20150714113112.GK21928@redhat.com>
Message-ID: <55A78B24.4020604@redhat.com>

On 07/14/2015 01:31 PM, Alexander Bokovoy wrote:
> Hi!
>
> An SELinux policy we need for one-way trust is now in the Fedora
> updates-testing repository.
> Attached patch adds support for the 'httpd_run_ipa' SELinux boolean.
>
> Below is how one-way trust is using the communication with oddjobd (it
> is a slightly fixed copy of the description of bug
> https://bugzilla.redhat.com/show_bug.cgi?id=1238165 for SELinux policy):
>
> -------------------------------------------------------------------
> In FreeIPA 4.2 we added support to establish one-way trust to Active
> Directory. As a consequence of this, we need to change how certain
> operations against AD LDAP are performed. Right now we are using a
> feature of bi-directional cross-realm Kerberos trust: we authenticate as
> HTTP/ipa.master@IPA.REALM from within the Apache process and then talk to
> ldap/ad.dc@AD.REALM or to cifs/ad.dc@AD.REALM services in AD.
>
> With one-way trust we cannot use this approach anymore because there is
> no cross-realm Kerberos trust from IPA to AD, only the other way around.
> Instead, there is an object in AD LDAP which represents IPA and we have
> to authenticate as this object.
>
> Access to this object is highly regulated (by us) because possession of
> the trust domain object (TDO) credentials impersonates the whole trust link.
> Thus, we want to avoid authenticating as TDO within the Apache process.
>
> To achieve this I've implemented a scheme similar to oddjob-mkhomedir,
> by providing a helper script which is executed by oddjobd on request
> from Apache:
>
> The Apache process sends a DBus request to the oddjobd daemon. The oddjobd
> daemon executes an IPA helper. The IPA helper accesses /etc/samba/samba.keytab
> and authenticates as cifs/ipa.master@IPA.REALM. It then fetches TDO
> credentials from IPA LDAP and authenticates with them to the AD DC. Once the
> operation is performed, it connects again to IPA LDAP and updates it.
>
> Now, there are several moving parts here:
>
> 1. /etc/samba/samba.keytab is root:root, 0600,
>    unconfined_u:object_r:samba_etc_t:s0
>    It is created by /usr/sbin/ipa-adtrust-install
>
> 2. /var/lib/sss/keytabs/ad.test.keytab is sssd:sssd, 0600,
>    unconfined_u:object_r:sssd_var_lib_t:s0
>    It can be created by the IPA helper or by SSSD, whoever runs into need
>    of the keytab first. The name is dependent on the AD forest root
>    name (ad.test in my case).
>
> 3. /usr/libexec/ipa/com.redhat.idm.trust-fetch-domains is root:root, 0755,
>    system_u:object_r:ipa_helper_exec_t:s0 label.
>    It is the IPA helper the oddjobd daemon will be calling in response to
>    an Apache request.
>    The helper is written in Python.
>
> 4. /var/run/ipa/krb5cc_oddjob_trusts{,_fetch} -- credential caches used
>    by the helper.
>    They are root:root, 0600, system_u:object_r:ipa_var_run_t:s0 label.
>
> 5. The oddjobd daemon runs under the system_u:system_r:oddjob_t:s0-s0:c0.c1023
>    context.
> ---------------------------------------------------------------------------------

ACK.

Pushed to:
master: 706c00361544a8255c4c05b253e5e9969187a68c
ipa-4-2: 5b9ea329cef4d976694794f1b1b91714f6ac07c2

From cheimes at redhat.com Thu Jul 16 10:51:35 2015
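The list of moving parts above is, in effect, a set of invariants about who owns the trust helper's keytabs, credential caches and executable and how they are labelled. The following is an added example (not FreeIPA code and not part of the thread) of a small audit script that checks those invariants on a running server. The paths, owners, modes and labels are taken from the list; the Expectation record, the function names and the tolerant account lookup are this example's own design. The lookup deliberately treats a missing 'sssd' account as a reported condition rather than an exception, since the thread also notes that SSSD may run as root on some systems, in which case the account simply does not exist.

```python
"""Audit ownership, mode and SELinux label of the one-way trust helper's files.

Added example, not FreeIPA code: paths, owners, modes and labels are taken
from the "moving parts" list in the message above; the Expectation record,
the function names and the None-tolerant account lookup are this example's own.
"""
import grp
import os
import pwd
import stat
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Expectation:
    path: str
    mode: int                    # permission bits only, e.g. 0o600
    owner: Optional[str] = None  # account name; None skips the check
    group: Optional[str] = None  # group name; None skips the check
    label: Optional[str] = None  # SELinux context; None skips the check


# Items 1-4 of the list above ("ad.test" is the forest root from the original
# description, so that keytab name differs per deployment).
TRUST_HELPER_FILES = [
    Expectation("/etc/samba/samba.keytab", 0o600, "root", "root", "unconfined_u:object_r:samba_etc_t:s0"),
    Expectation("/var/lib/sss/keytabs/ad.test.keytab", 0o600, "sssd", "sssd", "unconfined_u:object_r:sssd_var_lib_t:s0"),
    Expectation("/usr/libexec/ipa/com.redhat.idm.trust-fetch-domains", 0o755, "root", "root", "system_u:object_r:ipa_helper_exec_t:s0"),
    Expectation("/var/run/ipa/krb5cc_oddjob_trusts", 0o600, "root", "root", "system_u:object_r:ipa_var_run_t:s0"),
    Expectation("/var/run/ipa/krb5cc_oddjob_trusts_fetch", 0o600, "root", "root", "system_u:object_r:ipa_var_run_t:s0"),
]


def lookup_id(name: str, kind: str) -> Optional[int]:
    """uid ("owner") or gid ("group") for `name`, or None when it does not exist.
    Missing is reported, not raised: as the thread notes, SSSD may still run as
    root, in which case there is no 'sssd' user at all."""
    try:
        return pwd.getpwnam(name).pw_uid if kind == "owner" else grp.getgrnam(name).gr_gid
    except KeyError:
        return None


def read_label(path: str) -> Optional[str]:
    """SELinux context of `path`, or None if unreadable (no SELinux or xattrs)."""
    try:
        raw = os.getxattr(path, "security.selinux", follow_symlinks=False)
    except (AttributeError, OSError):  # AttributeError: os.getxattr is Linux-only
        return None
    return raw.decode("ascii", "replace").rstrip("\x00")


def check_file(exp: Expectation) -> List[str]:
    """Return findings for one file; an empty list means it matches."""
    try:
        st = os.lstat(exp.path)
    except FileNotFoundError:
        # ccaches appear on first use, so absence is noted, not judged.
        return [f"{exp.path}: missing"]
    if stat.S_ISLNK(st.st_mode):
        # A keytab or ccache path that is a symlink is a finding by itself.
        return [f"{exp.path}: is a symlink"]
    findings = []
    mode = stat.S_IMODE(st.st_mode)
    if mode != exp.mode:
        findings.append(f"{exp.path}: mode {mode:04o}, expected {exp.mode:04o}")
    for kind, name, actual in (("owner", exp.owner, st.st_uid), ("group", exp.group, st.st_gid)):
        if name is None:
            continue
        ident = lookup_id(name, kind)
        if ident is None:
            findings.append(f"{exp.path}: {kind} {name!r} does not exist, {kind} not checked")
        elif actual != ident:
            findings.append(f"{exp.path}: {kind} id {actual}, expected {name} ({ident})")
    if exp.label is not None:
        label = read_label(exp.path)
        if label is None:
            findings.append(f"{exp.path}: SELinux label not readable")
        elif label != exp.label:
            findings.append(f"{exp.path}: label {label}, expected {exp.label}")
    return findings


def audit(expectations=TRUST_HELPER_FILES) -> List[str]:
    """Check every expectation and return all findings in order."""
    return [line for exp in expectations for line in check_file(exp)]


if __name__ == "__main__":
    for line in audit():
        print(line)
```

Run it as root on an IPA master with trust configured; an empty output means every file matches the list. Symlinks are reported rather than followed, because a keytab or credential cache reached through a symlink is exactly the kind of redirection a file-permission check should surface, not silently resolve.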
From: cheimes at redhat.com (Christian Heimes) Date: Thu, 16 Jul 2015 12:51:35 +0200 Subject: [Freeipa-devel] [PATCH 012] Fix selinux denial during kdcproxy user creation Message-ID: <55A78CB7.7090009@redhat.com> Hi, the patch fixes the SELinux denial for kdcproxy's home directory. I have successfully tested a migration from FreeIPA 4.1. The user, group and home directory are successfully created with the correct permissions. https://fedorahosted.org/freeipa/ticket/5135 Christian -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-cheimes-0012-Create-pkiuser-user-and-group-during-installation.patch Type: text/x-patch Size: 2000 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 455 bytes Desc: OpenPGP digital signature URL: From pvoborni at redhat.com Thu Jul 16 11:13:41 2015 From: pvoborni at redhat.com (Petr Vobornik) Date: Thu, 16 Jul 2015 13:13:41 +0200 Subject: [Freeipa-devel] 4.3 Branch? In-Reply-To: <1192868348.41149398.1436880184299.JavaMail.zimbra@redhat.com> References: <1192868348.41149398.1436880184299.JavaMail.zimbra@redhat.com> Message-ID: <55A791E5.7070104@redhat.com> On 07/14/2015 03:23 PM, Nathaniel McCallum wrote: > 4.3 is going to be a very narrow feature release. Should we branch > 4.3 early so that we can still land new features on master during > 4.3? > I did not like it at first but we should do it. -- Petr Vobornik From abokovoy at redhat.com Thu Jul 16 11:19:20 2015 
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Thu, 16 Jul 2015 14:19:20 +0300 Subject: [Freeipa-devel] [PATCH] 0192 oddjob: avoid chown keytab to sssd if sssd user does not exist Message-ID: <20150716111920.GN21928@redhat.com> Hi, a simple optimisation to allow FreeIPA 4.2 to work with SSSD 1.13 running as root instead of sssd user. Details in the commit message. This also fixes a simple exception in current Fedora 22 + mkosek/freeipa-4.2 repo because user 'sssd' does not exist. Fixes ticket https://fedorahosted.org/freeipa/ticket/5136 -- / Alexander Bokovoy -------------- next part -------------- From 5b341446a070f5d41e8363bf3e1d02c222dcc683 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Thu, 16 Jul 2015 14:11:26 +0300 Subject: [PATCH] oddjob: avoid chown keytab to sssd if sssd user does not exist If sssd user does not exist, it means SSSD does not run as sssd user. Currently SSSD has too tight check for keytab permissions and ownership. It assumes the keytab has to be owned by the same user it runs under and has to have 0600 permissions. ipa-getkeytab creates the file with right permissions and 'root:root' ownership. Jakub Hrozek promised to enhance SSSD keytab permissions check so that both sssd:sssd and root:root ownership is possible and then when SSSD switches to 'sssd' user, the former becomes the default. Since right now SSSD 1.13 is capable to run as 'sssd' user but doesn't create 'sssd' user in Fedora 22 / RHEL 7 environments, we can use its presence as a version trigger. https://fedorahosted.org/freeipa/ticket/5136 --- install/oddjob/com.redhat.idm.trust-fetch-domains | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/install/oddjob/com.redhat.idm.trust-fetch-domains b/install/oddjob/com.redhat.idm.trust-fetch-domains index 85e3cc9..e50c81e 100755 --- a/install/oddjob/com.redhat.idm.trust-fetch-domains +++ b/install/oddjob/com.redhat.idm.trust-fetch-domains 
@@ -45,8 +45,13 @@ def retrieve_keytab(api, ccache_name, oneway_keytab_name, oneway_principal): env={'KRB5CCNAME': ccache_name, 'LANG': 'C'}, raiseonerr=False) # Make sure SSSD is able to read the keytab - sssd = pwd.getpwnam('sssd') - os.chown(oneway_keytab_name, sssd[2], sssd[3]) + try: + sssd = pwd.getpwnam('sssd') + os.chown(oneway_keytab_name, sssd[2], sssd[3]) + except KeyError as e: + # If user 'sssd' does not exist, we don't need to chown from root to sssd + # because it means SSSD does not run as sssd user + pass def parse_options(): -- 2.4.3 From tbabej at redhat.com Thu Jul 16 11:25:37 2015 From: tbabej at redhat.com (Tomas Babej) Date: Thu, 16 Jul 2015 13:25:37 +0200 Subject: [Freeipa-devel] [PATCH 0340] dcerpc: Expand explanation for WERR_ACCESS_DENIED Message-ID: <55A794B1.2060501@redhat.com> Hi, It's possible for AD to contact a wrong IPA server in case the DNS SRV records on the AD sides are not properly configured. Mention this case in the error message as well. https://fedorahosted.org/freeipa/ticket/5013 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-tbabej-0340-dcerpc-Expand-explanation-for-WERR_ACCESS_DENIED.patch Type: text/x-patch Size: 3464 bytes Desc: not available URL: From tbabej at redhat.com Thu Jul 16 11:28:15 2015 
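Review bot: in the new try/except in retrieve_keytab, `except KeyError as e` binds `e` and never uses it; drop the `as e`. The try block also wraps the os.chown() call, so the handler would swallow a KeyError raised anywhere in the block, not only the failed account lookup. Narrower is clearer: `try: sssd = pwd.getpwnam('sssd')` / `except KeyError: sssd = None`, then call os.chown() outside the try when `sssd` is not None. Since the commit message relies on the missing user as a version trigger, consider logging that decision at debug level instead of a bare `pass`, so an operator diagnosing a keytab permission problem can see which branch the helper took.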
From: tbabej at redhat.com (Tomas Babej) Date: Thu, 16 Jul 2015 13:28:15 +0200 Subject: [Freeipa-devel] 4.3 Branch? In-Reply-To: <55A791E5.7070104@redhat.com> References: <1192868348.41149398.1436880184299.JavaMail.zimbra@redhat.com> <55A791E5.7070104@redhat.com> Message-ID: <55A7954F.1090904@redhat.com> On 07/16/2015 01:13 PM, Petr Vobornik wrote: > On 07/14/2015 03:23 PM, Nathaniel McCallum wrote: >> 4.3 is going to be a very narrow feature release. Should we branch >> 4.3 early so that we can still land new features on master during >> 4.3? >> > > I did not like it at first but we should do it. We will have some little maintenance burden, as we will need to push to two branches concurrently. However, I find rebasing patches that do not apply cleanly painful.. when we release 4.3 and decide to land ~50-100 patches of fixes that didn't belong there, it might turn out to be a huge pain. I'd much rather go with the separate branch approach, as Nathaniel suggests. Tomas From tbabej at redhat.com Thu Jul 16 11:34:40 2015 From: tbabej at redhat.com (Tomas Babej) Date: Thu, 16 Jul 2015 13:34:40 +0200 Subject: [Freeipa-devel] [PATCH 012] Fix selinux denial during kdcproxy user creation In-Reply-To: <55A78CB7.7090009@redhat.com> References: <55A78CB7.7090009@redhat.com> Message-ID: <55A796D0.8090707@redhat.com> On 07/16/2015 12:51 PM, Christian Heimes wrote: > Hi, > > the patch fixes the SELinux denial for kdcproxy's home directory. I have > successfully tested a migration from FreeIPA 4.1. The user, group and > home directory are successfully created with the correct permissions. > > https://fedorahosted.org/freeipa/ticket/5135 > > Christian > > > This appears to be an incorrect patch :) Tomas From cheimes at redhat.com Thu Jul 16 11:35:16 2015 
From: cheimes at redhat.com (Christian Heimes) Date: Thu, 16 Jul 2015 13:35:16 +0200 Subject: [Freeipa-devel] [PATCH 012] Fix selinux denial during kdcproxy user creation In-Reply-To: <55A78CB7.7090009@redhat.com> References: <55A78CB7.7090009@redhat.com> Message-ID: <55A796F4.8030202@redhat.com> On 2015-07-16 12:51, Christian Heimes wrote: > Hi, > > the patch fixes the SELinux denial for kdcproxy's home directory. I have > successfully tested a migration from FreeIPA 4.1. The user, group and > home directory are successfully created with the correct permissions. > > https://fedorahosted.org/freeipa/ticket/5135 I accidentally pushed the spec file fix for PKI. Here is the correct patch for FreeIPA. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-cheimes-0012-Fix-selinux-denial-during-kdcproxy-user-creation.patch Type: text/x-patch Size: 1868 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 455 bytes Desc: OpenPGP digital signature URL: From tbabej at redhat.com Thu Jul 16 11:41:45 2015 
From: tbabej at redhat.com (Tomas Babej) Date: Thu, 16 Jul 2015 13:41:45 +0200 Subject: [Freeipa-devel] [PATCH] 0192 oddjob: avoid chown keytab to sssd if sssd user does not exist In-Reply-To: <20150716111920.GN21928@redhat.com> References: <20150716111920.GN21928@redhat.com> Message-ID: <55A79879.3040905@redhat.com> On 07/16/2015 01:19 PM, Alexander Bokovoy wrote: > Hi, > > a simple optimisation to allow FreeIPA 4.2 to work with SSSD 1.13 > running as root instead of sssd user. Details in the commit message. > > This also fixes a simple exception in current Fedora 22 + > mkosek/freeipa-4.2 repo because user 'sssd' does not exist. > > Fixes ticket https://fedorahosted.org/freeipa/ticket/5136 > > > ACK! Pushed to: master: c6a1bd591e81cd82c0715c01bcc82f2947adf3bb ipa-4-2: d7f91dce493efc4e505ea758b073040716249561 Tomas From tbabej at redhat.com Thu Jul 16 11:46:49 2015 From: tbabej at redhat.com (Tomas Babej) Date: Thu, 16 Jul 2015 13:46:49 +0200 Subject: [Freeipa-devel] [PATCH 012] Fix selinux denial during kdcproxy user creation In-Reply-To: <55A796F4.8030202@redhat.com> References: <55A78CB7.7090009@redhat.com> <55A796F4.8030202@redhat.com> Message-ID: <55A799A9.1030207@redhat.com> On 07/16/2015 01:35 PM, Christian Heimes wrote: > On 2015-07-16 12:51, Christian Heimes wrote: >> Hi, >> >> the patch fixes the SELinux denial for kdcproxy's home directory. I have >> successfully tested a migration from FreeIPA 4.1. The user, group and >> home directory are successfully created with the correct permissions. >> >> https://fedorahosted.org/freeipa/ticket/5135 > > I accidentally pushed the spec file fix for PKI. Here is the correct > patch for FreeIPA. > > > ACK! Thanks for fixing this issue, actually it was haunting me for some time as I was unable to pinpoint the issue. Pushed to: master: 0700d340c7c88c295a62dd5d1a7d6866650d9de3 ipa-4-2: 9c3368a3eb091acab10b65ff3fc33d41d0d4c556 Tomas From pspacek at redhat.com Thu Jul 16 11:47:57 2015 
From: pspacek at redhat.com (Petr Spacek) Date: Thu, 16 Jul 2015 13:47:57 +0200 Subject: [Freeipa-devel] [PATCH 0052] Create server-dns sub-package In-Reply-To: <20150716063344.GK21928@redhat.com> References: <5593D93D.7090000@redhat.com> <20150702070647.GH11876@redhat.com> <5594E598.7040400@redhat.com> <20150702073605.GI11876@redhat.com> <5594EEA5.3060504@redhat.com> <55A5017D.5010608@redhat.com> <55A51CBE.7040702@redhat.com> <55A51DC5.6090209@redhat.com> <187037684.17962032.1436981944717.JavaMail.zimbra@redhat.com> <55A74A49.6090507@redhat.com> <20150716063344.GK21928@redhat.com> Message-ID: <55A799ED.5010205@redhat.com> On 16.7.2015 08:33, Alexander Bokovoy wrote: > On Thu, 16 Jul 2015, Jan Cholasta wrote: >> Dne 15.7.2015 v 19:39 Simo Sorce napsal(a): >>> ----- Original Message ----- 
>>>> From: "Petr Spacek" >>>> To: "Jan Cholasta" , freeipa-devel at redhat.com, >>>> "Alexander Bokovoy" >>>> Cc: "Simo Sorce" >>>> Sent: Tuesday, July 14, 2015 10:33:41 AM >>>> Subject: Re: [Freeipa-devel] [PATCH 0052] Create server-dns sub-package >>>> >>>> On 14.7.2015 16:29, Jan Cholasta wrote: >>>>> Dne 14.7.2015 v 14:33 Petr Spacek napsal(a): >>>>>> On 2.7.2015 09:56, Petr Spacek wrote: >>>>>>> On 2.7.2015 09:36, Alexander Bokovoy wrote: >>>>>>>> On Thu, 02 Jul 2015, Jan Cholasta wrote: >>>>>>>>>>>>> Can this be done without adding server-core? >>>>>>>>>>>> I'm not aware of such method (except of adding all DNS dependencies >>>>>>>>>>>> as >>>>>>>>>>>> Requires straight into freeipa-server package). >>>>>>>>>>>> >>>>>>>>>>>>> Because it's not server core, >>>>>>>>>>>>> it's the whole thing! Or maybe just rename it to server-common? >>>>>>>>>>>> >>>>>>>>>>>> I'm fine with 'common'. Ticket 4058 calls for sub-package for CA too >>>>>>>>>>>> so my >>>>>>>>>>>> idea was to create 'core' package which will be gradually reduced >>>>>>>>>>>> more and more. >>>>>>>>>>> >>>>>>>>>>> Well, I don't like the fact that in order to install IPA server >>>>>>>>>>> without DNS you have to install freeipa-server-core instead of just >>>>>>>>>>> freeipa-server. Fedora packaging guidelines [1] state that the >>>>>>>>>>> metapackage should be named freeipa-server-compat, so I guess >>>>>>>>>>> renaming >>>>>>>>>>> freeipa-server to freeipa-server-compat and freeipa-server-core to >>>>>>>>>>> freeipa-server is good enough. >>>>>>>>>> I think you are misunderstanding what the guidelines say. -compat >>>>>>>>>> subpackage is something that only contains Requires: and Obsoletes:, >>>>>>>>>> to >>>>>>>>>> help to pull the right packages. It is not supposed to be a >>>>>>>>>> full-featured package with content. 
>>>>>>>>> >>>>>>>>> With Petr's patch, freeipa-server is exactly that - a metapackage with >>>>>>>>> requires and obsoletes only - hence my suggestion to rename it >>>>>>>>> according to >>>>>>>>> the guidelines. >>>>>>>> That's not good. >>>>>>>> >>>>>>>>>> I think we are good enough with freeipa-server-dns. We have the same >>>>>>>>>> situation with freeipa-server-trust-ad -- it is not required by the >>>>>>>>>> main >>>>>>>>>> package and pulls in Samba-related bits. We also don't have any >>>>>>>>>> -compat >>>>>>>>>> or metapackage for it. >>>>>>>>> >>>>>>>>> freeipa-server-dns is fine, what is IMO not fine is that it *is* >>>>>>>>> required by >>>>>>>>> the main freeipa-server package, *unlike* freeipa-server-trust-ad. >>>>>>>>> >>>>>>>>> We don't have a compat metapackage for freeipa-server-trust-ad, because >>>>>>>>> there are no upgrade issues with it, which is what Petr is trying to >>>>>>>>> solve >>>>>>>>> with his patch. >>>>>>>> So, the issue is that for installed bind+bind-dyndb-ldap combination we >>>>>>>> need to switch to bind-pkcs11+bind-dyndb-ldap. Maybe instead of >>>>>>>> modifying main freeipa package we could modify bind-dyndb-ldap package >>>>>>>> to require bind-pkcs11 and corresponding bits of freeipa packages? >>>>>>> >>>>>>> Unfortunately, no. >>>>>>> - bind-dyndb-ldap itself is used & supported even without FreeIPA. >>>>>>> - bind-pkcs11 depends on properly configured SoftHSM (or other PKCS#11 >>>>>>> provider) >>>>>>> => upgrade could break non-FreeIPA installations. >>>>>>> >>>>>>> I'm attempting to rework the patch now, stay tuned. >>>>>> >>>>>> Apparently this thread was abandoned during my PTO so I'm sending new >>>>>> patch >>>>>> here. It includes the -compat package and works with YUM and DNF. >>>>> >>>>> I don't like that freeipa-server got renamed to freeipa-server-core, but I >>>>> won't push against it if Alexander and others (CCing Simo) are OK with it. 
>>>>
>>>> For the record, I was not able to make it work without the rename.
>>>
>>> My opinion is that if we run dnf install freeipa-server, then we need to
>>> get freeipa server packages.
>>> If this is what happens I am ok with patches, otherwise I am not.
>>
>> Without the patch, "dnf install freeipa-server" installs freeipa server
>> without DNS dependencies.
>>
>> With the first version of the patch, "dnf install freeipa-server" installs
>> freeipa server with all DNS dependencies. To install freeipa server without
>> DNS dependencies, you need to run "dnf install freeipa-server-core". (Note
>> that with this patch freeipa-server is a meta-package with no files.)
>>
>> With the second version of the patch, "dnf install freeipa-server" fails,
>> because there is no freeipa-server anymore. To install freeipa server
>> without DNS dependencies, you need to run "dnf install freeipa-server-core".
> Can we do
> Provides: freeipa-server
> in freeipa-server-compat?

If I understood Honza correctly, he was objecting to this alias because it would pull in DNS dependencies. So I tried to add this Provides to the freeipa-server-core package but I'm not able to make this alias work with DNF at all. With old Yum it pulls in freeipa-server-dns instead of -core because the "Obsoletes" apparently has higher priority than Provides. (No, "Provides" with an explicit version does not change anything.)

The only text I found about this is the advice 'do not do it' :-)
https://fedoraproject.org/wiki/Upgrade_paths_%E2%80%94_renaming_or_splitting_packages#Do_I_need_to_Provide_my_old_package_names.3F

In other words, I'm not able to make the alias freeipa-server work with the second version of my patch.

Again, this problem is related only to the second/alternative version of the patch where the freeipa-server package does not pull in DNS dependencies. "dnf install freeipa-server" works with the first version of my patch which pulls in DNS dependencies.

I'm more than happy to take advice on how to fix that. For now I would say that the first version of the patch is okay. It will solve the upgrade and we can remove the 'Requires' in the next release because it will not be necessary for upgrade anymore.

-- 
Petr^2 Spacek

From mbasti at redhat.com Thu Jul 16 11:48:21 2015
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 16 Jul 2015 13:48:21 +0200
Subject: [Freeipa-devel] [PATCH 0047] ipa-ca-install: print more specific errors when CA is already installed
In-Reply-To: <55A65663.9080100@redhat.com>
References: <55A65663.9080100@redhat.com>
Message-ID: <55A79A05.2030105@redhat.com>

On 15/07/15 14:47, Martin Babinsky wrote:
> Fixes https://fedorahosted.org/freeipa/ticket/4492
>

ACK

-- 
Martin Basti
From cheimes at redhat.com Thu Jul 16 11:49:00 2015
From: cheimes at redhat.com (Christian Heimes) Date: Thu, 16 Jul 2015 13:49:00 +0200 Subject: [Freeipa-devel] [PATCH 012] Fix selinux denial during kdcproxy user creation In-Reply-To: <55A799A9.1030207@redhat.com> References: <55A78CB7.7090009@redhat.com> <55A796F4.8030202@redhat.com> <55A799A9.1030207@redhat.com> Message-ID: <55A79A2C.5050104@redhat.com> On 2015-07-16 13:46, Tomas Babej wrote: > > > On 07/16/2015 01:35 PM, Christian Heimes wrote: >> On 2015-07-16 12:51, Christian Heimes wrote: >>> Hi, >>> >>> the patch fixes the SELinux denial for kdcproxy's home directory. I have >>> successfully tested a migration from FreeIPA 4.1. The user, group and >>> home directory are successfully created with the correct permissions. >>> >>> https://fedorahosted.org/freeipa/ticket/5135 >> >> I accidentally pushed the spec file fix for PKI. Here is the correct >> patch for FreeIPA. >> >> >> > > ACK! Thanks for fixing this issue, actually it was haunting me for some > time as I was unable to pinpoint the issue. > > Pushed to: > master: 0700d340c7c88c295a62dd5d1a7d6866650d9de3 > ipa-4-2: 9c3368a3eb091acab10b65ff3fc33d41d0d4c556 You are welcome! Alexander deserves most of the credit for the patch. He analyzed the issue and explained it to me. The patch was a matter of minutes to write. Christian -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 455 bytes Desc: OpenPGP digital signature URL: From mbasti at redhat.com Thu Jul 16 12:12:26 2015 
From: mbasti at redhat.com (Martin Basti) Date: Thu, 16 Jul 2015 14:12:26 +0200 Subject: [Freeipa-devel] [PATCH] 902 webui: fix user reset password dialog In-Reply-To: <55A53D2C.2070407@redhat.com> References: <55A53D2C.2070407@redhat.com> Message-ID: <55A79FAA.7000506@redhat.com> On 14/07/15 18:47, Petr Vobornik wrote: > Could not open user password dialog. > > regression introduced in ed78dcfa3acde7aeb1f381f49988c6911c5277ee > > https://fedorahosted.org/freeipa/ticket/5131 > > Works for me, ACK -- Martin Basti -------------- next part -------------- An HTML attachment was scrubbed... URL: From mbasti at redhat.com Thu Jul 16 13:18:59 2015 From: mbasti at redhat.com (Martin Basti) Date: Thu, 16 Jul 2015 15:18:59 +0200 Subject: [Freeipa-devel] [PATCH] 903, 287 fix hbac rule/selinuxuser map search for non-admin users In-Reply-To: <55A53DC6.70105@redhat.com> References: <55A53DC6.70105@redhat.com> Message-ID: <55A7AF43.9020107@redhat.com> On 14/07/15 18:50, Petr Vobornik wrote: > hbacrule has its default attributes (which are used in search) attribute > 'memberhostgroup'. This attr is not in ACI nor in schema. If the search > contains an attribute which can't be read then the search won't return > anything. > > Therefore all searches with filter set fail. > > Also I don't think this is a proper fix because any custom ACIs will > cause the bug again. Same issue in > https://fedorahosted.org/freeipa/ticket/5055 > > https://fedorahosted.org/freeipa/ticket/5130 > > ACK Patch that fixes the similar issue with selinuxusermap is attached. -- Martin Basti -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0287-fix-selinuxusermap-search-for-non-admin-users.patch Type: text/x-patch Size: 1077 bytes Desc: not available URL: From pvoborni at redhat.com Thu Jul 16 13:29:12 2015
From: pvoborni at redhat.com (Petr Vobornik) Date: Thu, 16 Jul 2015 15:29:12 +0200 Subject: [Freeipa-devel] [PATCH] 902 webui: fix user reset password dialog In-Reply-To: <55A79FAA.7000506@redhat.com> References: <55A53D2C.2070407@redhat.com> <55A79FAA.7000506@redhat.com> Message-ID: <55A7B1A8.5080109@redhat.com> On 07/16/2015 02:12 PM, Martin Basti wrote: > On 14/07/15 18:47, Petr Vobornik wrote: >> Could not open user password dialog. >> >> regression introduced in ed78dcfa3acde7aeb1f381f49988c6911c5277ee >> >> https://fedorahosted.org/freeipa/ticket/5131 >> >> > Works for me, ACK > Pushed to: master: 9083c528f75a958df062a9521729f30b65e5e551 ipa-4-2: cc5be14eb7f59f4ac507e110871f15f8c9d48402 -- Petr Vobornik From pvoborni at redhat.com Thu Jul 16 13:34:08 2015 From: pvoborni at redhat.com (Petr Vobornik) Date: Thu, 16 Jul 2015 15:34:08 +0200 Subject: [Freeipa-devel] [PATCH 0047] ipa-ca-install: print more specific errors when CA is already installed In-Reply-To: <55A79A05.2030105@redhat.com> References: <55A65663.9080100@redhat.com> <55A79A05.2030105@redhat.com> Message-ID: <55A7B2D0.7080105@redhat.com> On 07/16/2015 01:48 PM, Martin Basti wrote: > On 15/07/15 14:47, Martin Babinsky wrote: >> Fixes https://fedorahosted.org/freeipa/ticket/4492 >> >> >> > ACK > > Pushed to: master: 26dee66d1bf05aac5af5f82862ce54585ccde7e4 ipa-4-2: f5fa38399277ab16fa32832f53580651ad4a4026 -- Petr Vobornik From pvoborni at redhat.com Thu Jul 16 13:39:36 2015
From: pvoborni at redhat.com (Petr Vobornik) Date: Thu, 16 Jul 2015 15:39:36 +0200 Subject: [Freeipa-devel] [PATCH] 903, 287 fix hbac rule/selinuxuser map search for non-admin users In-Reply-To: <55A7AF43.9020107@redhat.com> References: <55A53DC6.70105@redhat.com> <55A7AF43.9020107@redhat.com> Message-ID: <55A7B418.2020301@redhat.com> On 07/16/2015 03:18 PM, Martin Basti wrote: > On 14/07/15 18:50, Petr Vobornik wrote: >> hbacrule has its default attributes (which are used in search) attribute >> 'memberhostgroup'. This attr is not in ACI nor in schema. If the search >> contains an attribute which can't be read then the search won't return >> anything. >> >> Therefore all searches with filter set fail. >> >> Also I don't think this is a proper fix because any custom ACIs will >> cause the bug again. Same issue in >> https://fedorahosted.org/freeipa/ticket/5055 >> >> https://fedorahosted.org/freeipa/ticket/5130 >> >> > ACK Pushed to: master: 2e80645ef21ff6dbcc1645caacda02e8aac8226a ipa-4-2: 6ead80d9ba6b775a6df3ba76b4d717050311b762 > > Patch that fixes the similar issue with selinuxusermap is attached. > ACK Pushed to: master: a0ce9e6b09f8e35284bc8c97bd63d1e019ca8142 ipa-4-2: c10de0aa91a5a10588aec56955f77bb636162efc -- Petr Vobornik From pspacek at redhat.com Thu Jul 16 14:35:59 2015
From: pspacek at redhat.com (Petr Spacek) Date: Thu, 16 Jul 2015 16:35:59 +0200 Subject: [Freeipa-devel] [PATCH 0052] Create server-dns sub-package In-Reply-To: <55A799ED.5010205@redhat.com> References: <5593D93D.7090000@redhat.com> <20150702070647.GH11876@redhat.com> <5594E598.7040400@redhat.com> <20150702073605.GI11876@redhat.com> <5594EEA5.3060504@redhat.com> <55A5017D.5010608@redhat.com> <55A51CBE.7040702@redhat.com> <55A51DC5.6090209@redhat.com> <187037684.17962032.1436981944717.JavaMail.zimbra@redhat.com> <55A74A49.6090507@redhat.com> <20150716063344.GK21928@redhat.com> <55A799ED.5010205@redhat.com> Message-ID: <55A7C14F.5080200@redhat.com> On 16.7.2015 13:47, Petr Spacek wrote: > On 16.7.2015 08:33, Alexander Bokovoy wrote: >> On Thu, 16 Jul 2015, Jan Cholasta wrote: >>> Dne 15.7.2015 v 19:39 Simo Sorce napsal(a): >>>> ----- Original Message ----- 
>>>>> From: "Petr Spacek" >>>>> To: "Jan Cholasta" , freeipa-devel at redhat.com, >>>>> "Alexander Bokovoy" >>>>> Cc: "Simo Sorce" >>>>> Sent: Tuesday, July 14, 2015 10:33:41 AM >>>>> Subject: Re: [Freeipa-devel] [PATCH 0052] Create server-dns sub-package >>>>> >>>>> On 14.7.2015 16:29, Jan Cholasta wrote: >>>>>> Dne 14.7.2015 v 14:33 Petr Spacek napsal(a): >>>>>>> On 2.7.2015 09:56, Petr Spacek wrote: >>>>>>>> On 2.7.2015 09:36, Alexander Bokovoy wrote: >>>>>>>>> On Thu, 02 Jul 2015, Jan Cholasta wrote: >>>>>>>>>>>>>> Can this be done without adding server-core? >>>>>>>>>>>>> I'm not aware of such method (except of adding all DNS dependencies >>>>>>>>>>>>> as >>>>>>>>>>>>> Requires straight into freeipa-server package). >>>>>>>>>>>>> >>>>>>>>>>>>>> Because it's not server core, >>>>>>>>>>>>>> it's the whole thing! Or maybe just rename it to server-common? >>>>>>>>>>>>> >>>>>>>>>>>>> I'm fine with 'common'. Ticket 4058 calls for sub-package for CA too >>>>>>>>>>>>> so my >>>>>>>>>>>>> idea was to create 'core' package which will be gradually reduced >>>>>>>>>>>>> more and more. >>>>>>>>>>>> >>>>>>>>>>>> Well, I don't like the fact that in order to install IPA server >>>>>>>>>>>> without DNS you have to install freeipa-server-core instead of just >>>>>>>>>>>> freeipa-server. Fedora packaging guidelines [1] state that the >>>>>>>>>>>> metapackage should be named freeipa-server-compat, so I guess >>>>>>>>>>>> renaming >>>>>>>>>>>> freeipa-server to freeipa-server-compat and freeipa-server-core to >>>>>>>>>>>> freeipa-server is good enough. >>>>>>>>>>> I think you are misunderstanding what the guidelines say. -compat >>>>>>>>>>> subpackage is something that only contains Requires: and Obsoletes:, >>>>>>>>>>> to >>>>>>>>>>> help to pull the right packages. It is not supposed to be a >>>>>>>>>>> full-featured package with content. 
>>>>>>>>>> >>>>>>>>>> With Petr's patch, freeipa-server is exactly that - a metapackage with >>>>>>>>>> requires and obsoletes only - hence my suggestion to rename it >>>>>>>>>> according to >>>>>>>>>> the guidelines. >>>>>>>>> That's not good. >>>>>>>>> >>>>>>>>>>> I think we are good enough with freeipa-server-dns. We have the same >>>>>>>>>>> situation with freeipa-server-trust-ad -- it is not required by the >>>>>>>>>>> main >>>>>>>>>>> package and pulls in Samba-related bits. We also don't have any >>>>>>>>>>> -compat >>>>>>>>>>> or metapackage for it. >>>>>>>>>> >>>>>>>>>> freeipa-server-dns is fine, what is IMO not fine is that it *is* >>>>>>>>>> required by >>>>>>>>>> the main freeipa-server package, *unlike* freeipa-server-trust-ad. >>>>>>>>>> >>>>>>>>>> We don't have a compat metapackage for freeipa-server-trust-ad, because >>>>>>>>>> there are no upgrade issues with it, which is what Petr is trying to >>>>>>>>>> solve >>>>>>>>>> with his patch. >>>>>>>>> So, the issue is that for installed bind+bind-dyndb-ldap combination we >>>>>>>>> need to switch to bind-pkcs11+bind-dyndb-ldap. Maybe instead of >>>>>>>>> modifying main freeipa package we could modify bind-dyndb-ldap package >>>>>>>>> to require bind-pkcs11 and corresponding bits of freeipa packages? >>>>>>>> >>>>>>>> Unfortunately, no. >>>>>>>> - bind-dyndb-ldap itself is used & supported even without FreeIPA. >>>>>>>> - bind-pkcs11 depends on properly configured SoftHSM (or other PKCS#11 >>>>>>>> provider) >>>>>>>> => upgrade could break non-FreeIPA installations. >>>>>>>> >>>>>>>> I'm attempting to rework the patch now, stay tuned. >>>>>>> >>>>>>> Apparently this thread was abandoned during my PTO so I'm sending new >>>>>>> patch >>>>>>> here. It includes the -compat package and works with YUM and DNF. >>>>>> >>>>>> I don't like that freeipa-server got renamed to freeipa-server-core, but I >>>>>> won't push against it if Alexander and others (CCing Simo) are OK with it. 
>>>>> >>>>> For the record, I was not able to make it work without the rename. >>>> >>>> My opinion is that if we run dnf install freeipa-server, then we need to >>>> get freeipa server packages. >>>> If this is what happens I am ok with patches, otherwise I am not. >>> >>> Without the patch, "dnf install freeipa-server" installs freeipa server >>> without DNS dependencies. >>> >>> With the first version of the patch, "dnf install freeipa-server" installs >>> freeipa server with all DNS dependencies. To install freeipa server without >>> DNS dependencies, you need to run "dnf install freeipa-server-core". (Note >>> that with this patch freeipa-server is a meta-package with no files.) >>> >>> With the second version of the patch, "dnf install freeipa-server" fails, >>> because there is no freeipa-server anymore. To install freeipa server >>> without DNS dependencies, you need to run "dnf install freeipa-server-core". >> Can we do >> Provides: freeipa-server >> in freeipa-server-compat? > > If I understood Honza correctly, he was objecting to this alias because it > would pull in DNS dependencies. > > So I tried to add this Provides to freeipa-server-core package but I'm not > able to make this alias to work with DNF at all. With old Yum it pulls in > freeipa-server-dns instead of -core because the "Obsoletes" apparently has > higher priority than Provides. (No, "Provides" with explicit version does not > change anything.) > > The only text I found about this is the advice 'do not do it' :-) > > https://fedoraproject.org/wiki/Upgrade_paths_%E2%80%94_renaming_or_splitting_packages#Do_I_need_to_Provide_my_old_package_names.3F > > In other words, I'm not able to make to make the alias freeipa-server working > with the second version of my patch. > > Again, this problem is related only to the second/alternative version of the > patch where freeipa-server package does not pull in DNS dependencies. 
"dnf > install freeipa-server" works with first version of my patch which pulls in > DNS depencies. > > > I'm more than happy to take advice how to fix that. For now I would say that > first version of the patch is okay. It will solve the upgrade and we can > remove the 'Requires' in the next release because it will not be necessary for > upgrade anymore. Third version of the patch is attached, please view. Behavior: - freeipa-server package continues to exist and does not include DNS dependencies - freeipa-server-dns package is new and requires all DNS dependencies - install freeipa-server will not pull DNS dependencies - upgrade from freeipa-server < 4.2.0 will pull freeipa-server-dns package It turns out that nobody noticed missing Obsoletes in freeipa-server package. Please review. Note: Condition "Obsoletes: %{name}-server < 4.2.0" should be amended per-distro/per-repo so it contains latest version number which was available in form of RPM packages for that distro/repo (COPR). -- Petr^2 Spacek -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pspacek-0052-3-Create-server-dns-sub-package.patch Type: text/x-patch Size: 3817 bytes Desc: not available URL: From abokovoy at redhat.com Thu Jul 16 14:50:46 2015 
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Thu, 16 Jul 2015 17:50:46 +0300 Subject: [Freeipa-devel] [PATCH 0052] Create server-dns sub-package In-Reply-To: <55A7C14F.5080200@redhat.com> References: <20150702073605.GI11876@redhat.com> <5594EEA5.3060504@redhat.com> <55A5017D.5010608@redhat.com> <55A51CBE.7040702@redhat.com> <55A51DC5.6090209@redhat.com> <187037684.17962032.1436981944717.JavaMail.zimbra@redhat.com> <55A74A49.6090507@redhat.com> <20150716063344.GK21928@redhat.com> <55A799ED.5010205@redhat.com> <55A7C14F.5080200@redhat.com> Message-ID: <20150716145046.GQ21928@redhat.com> On Thu, 16 Jul 2015, Petr Spacek wrote: >Third version of the patch is attached, please view. > >Behavior: >- freeipa-server package continues to exist and does not include DNS dependencies >- freeipa-server-dns package is new and requires all DNS dependencies >- install freeipa-server will not pull DNS dependencies >- upgrade from freeipa-server < 4.2.0 will pull freeipa-server-dns package > >It turns out that nobody noticed missing Obsoletes in freeipa-server package. > >Please review. I like this. Looks clean and does keep previous behavior. I think we can live with upgrade pulling freeipa-server-dns even in the environments where DNS wasn't really used. > >Note: Condition "Obsoletes: %{name}-server < 4.2.0" >should be amended per-distro/per-repo so it contains latest version number >which was available in form of RPM packages for that distro/repo (COPR). Maybe just add the comment above into the commit message? This and we'll need to add an entry into RPM changelog in the actual Fedora package that upgrade from pre-4.2.0 will pull freeipa-server-dns even if integrated DNS server is not used and recommend people to remove the package if they are not interested. ACK. >From c8486993b0b624ab7aa7b118e8ee7e420dd97891 Mon Sep 17 00:00:00 2001
>From: Petr Spacek >Date: Thu, 16 Jul 2015 15:09:45 +0200 >Subject: [PATCH] Create server-dns sub-package. > >This allows us to automatically pull in package bind-pkcs11 >and thus create upgrade path for on CentOS 7.1 -> 7.2. > >IPA previously had no requires on BIND packages and these had to be >installed manually before first ipa-dns-install run. >We need to pull additional bind-pkcs11 package during RPM upgrade >so ipa-dns-install cannot help with this. > >https://fedorahosted.org/freeipa/ticket/4058 >--- > freeipa.spec.in | 51 +++++++++++++++++++++++++++++++++++---------------- > 1 file changed, 35 insertions(+), 16 deletions(-) > >diff --git a/freeipa.spec.in b/freeipa.spec.in >index fabfaee619d4cf0203b2f87d7fe804c2e72026f3..60c28fd5d8b4c14f5fd583735db469a65cdb5331 100644 >--- a/freeipa.spec.in >+++ b/freeipa.spec.in >@@ -165,25 +165,13 @@ Requires: %{etc_systemd_dir} > > Conflicts: %{alt_name}-server > Obsoletes: %{alt_name}-server < %{version} >+# upgrade path from monolithic -server to -server + -server-dns >+Obsoletes: %{name}-server < 4.2.0 > > # With FreeIPA 3.3, package freeipa-server-selinux was obsoleted as the > # entire SELinux policy is stored in the system policy > Obsoletes: freeipa-server-selinux < 3.3.0 > >-# We have a soft-requires on bind. It is an optional part of >-# IPA but if it is configured we need a way to require versions >-# that work for us. >-Conflicts: bind-dyndb-ldap < 6.0-4 >-%if 0%{?fedora} >= 21 >-Conflicts: bind < 9.9.6-3 >-Conflicts: bind-utils < 9.9.6-3 >-%else >-Conflicts: bind < 9.9.4-21 >-Conflicts: bind-utils < 9.9.4-21 >-%endif >-# DNSSEC >-Conflicts: opendnssec < 1.4.6-4 >- > # Versions of nss-pam-ldapd < 0.8.4 require a mapping from uniqueMember to > # member. > Conflicts: nss-pam-ldapd < 0.8.4 
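Review bot: in the `@@ -165,25 +165,13 @@` hunk the new `Obsoletes: %{name}-server < 4.2.0` hard-codes a version that the cover note says must be amended per distro/repo, yet the spec comment above it (`# upgrade path from monolithic -server to -server + -server-dns`) does not say so; extend that comment to state that the version must equal the last -server build shipped before the split, so the number is not silently left stale when the spec is rebuilt elsewhere. Note also that removing the `Conflicts: bind-dyndb-ldap < 6.0-4` / `Conflicts: bind ...` / `Conflicts: opendnssec < 1.4.6-4` lines means freeipa-server on its own no longer rejects an incompatible BIND installed by hand; that is only safe because the later hunks move `ipa-dns-install` into the -server-dns package, whose `Requires:` enforce the same minimum versions, and the commit message should state that dependency so the two changes are not separated later.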
>@@ -197,6 +185,35 @@ to install this package (in other words, most people should NOT install > this package). > > >+%package server-dns >+Summary: IPA integrated DNS server with support for automatic DNSSEC signing >+Group: System Environment/Base >+Requires: %{name}-server = %{version}-%{release} >+Requires: bind-dyndb-ldap >= 6.0-4 >+%if 0%{?fedora} >= 21 >+Requires: bind >= 9.9.6-3 >+Requires: bind-utils >= 9.9.6-3 >+Requires: bind-pkcs11 >= 9.9.6-3 >+Requires: bind-pkcs11-utils >= 9.9.6-3 >+%else >+Requires: bind >= 9.9.4-21 >+Requires: bind-utils >= 9.9.4-21 >+Requires: bind-pkcs11 >= 9.9.4-21 >+Requires: bind-pkcs11-utils >= 9.9.4-21 >+%endif >+Requires: opendnssec >= 1.4.6-4 >+ >+Conflicts: %{alt_name}-server-dns >+Obsoletes: %{alt_name}-server-dns < %{version} >+ >+# upgrade path from monolithic -server to -server + -server-dns >+Obsoletes: %{name}-server < 4.2.0 >+ >+%description server-dns >+IPA integrated DNS server with support for automatic DNSSEC signing. >+Integrated DNS server is BIND 9. OpenDNSSEC provides key management. >+ >+ > %package server-trust-ad > Summary: Virtual package to install packages required for Active Directory trusts > Group: System Environment/Base >@@ -683,7 +700,6 @@ fi > %{_sbindir}/ipa-backup > %{_sbindir}/ipa-restore > %{_sbindir}/ipa-ca-install >-%{_sbindir}/ipa-dns-install > %{_sbindir}/ipa-kra-install > %{_sbindir}/ipa-server-install > %{_sbindir}/ipa-replica-conncheck >@@ -857,7 +873,6 @@ fi > %{_mandir}/man1/ipa-server-certinstall.1.gz > %{_mandir}/man1/ipa-server-install.1.gz > %{_mandir}/man1/ipa-server-upgrade.1.gz >-%{_mandir}/man1/ipa-dns-install.1.gz > %{_mandir}/man1/ipa-ca-install.1.gz > %{_mandir}/man1/ipa-kra-install.1.gz > %{_mandir}/man1/ipa-compat-manage.1.gz 
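Review bot: in the `@@ -197,6 +185,35 @@` hunk the `Obsoletes: %{name}-server < 4.2.0` line under `%package server-dns` repeats the one added to the main package in the previous hunk with the same hard-coded version; when the version is amended per distro both copies must be changed together, so define it once (for example `%global server_dns_split_version 4.2.0`, a suggested name) and reference the macro in both places. The `@@ -683,7 +700,6 @@` and `@@ -857,7 +873,6 @@` hunks remove `%{_sbindir}/ipa-dns-install` and its man page from `%files server`, which is consistent with the `%files server-dns` section that follows; a one-line note in the commit message that the tool moved packages would save users looking for it after upgrade.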
>@@ -873,6 +888,10 @@ fi > %{_mandir}/man1/ipa-cacert-manage.1.gz > %{_mandir}/man1/ipa-winsync-migrate.1.gz > >+%files server-dns >+%{_sbindir}/ipa-dns-install >+%{_mandir}/man1/ipa-dns-install.1.gz >+ > %files server-trust-ad > %{_sbindir}/ipa-adtrust-install > %{_usr}/share/ipa/smb.conf.empty >-- >2.4.3 > -- / Alexander Bokovoy From mbasti at redhat.com Thu Jul 16 15:05:59 2015 From: mbasti at redhat.com (Martin Basti) Date: Thu, 16 Jul 2015 17:05:59 +0200 Subject: [Freeipa-devel] [PATCH 0288] ipa-replica-manage: Allow value 'no' for replica-certify-all attr in abort-clean-ruv subcommand Message-ID: <55A7C857.7050501@redhat.com> https://fedorahosted.org/freeipa/ticket/4988 Patch attached. -- Martin Basti -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0288-Allow-value-no-for-replica-certify-all-attr-in-abort.patch Type: text/x-patch Size: 1967 bytes Desc: not available URL: From rcritten at redhat.com Thu Jul 16 15:07:07 2015 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 16 Jul 2015 11:07:07 -0400 Subject: [Freeipa-devel] [PATCH 0288] ipa-replica-manage: Allow value 'no' for replica-certify-all attr in abort-clean-ruv subcommand In-Reply-To: <55A7C857.7050501@redhat.com> References: <55A7C857.7050501@redhat.com> Message-ID: <55A7C89B.3020707@redhat.com> Martin Basti wrote: > https://fedorahosted.org/freeipa/ticket/4988 > > Patch attached. > IMHO this should be mentioned in the man page. rob From mbasti at redhat.com Thu Jul 16 16:22:35 2015 
From: mbasti at redhat.com (Martin Basti) Date: Thu, 16 Jul 2015 18:22:35 +0200 Subject: [Freeipa-devel] [PATCH 0288] ipa-replica-manage: Allow value 'no' for replica-certify-all attr in abort-clean-ruv subcommand In-Reply-To: <55A7C89B.3020707@redhat.com> References: <55A7C857.7050501@redhat.com> <55A7C89B.3020707@redhat.com> Message-ID: <55A7DA4B.80709@redhat.com> On 16/07/15 17:07, Rob Crittenden wrote: > Martin Basti wrote: >> https://fedorahosted.org/freeipa/ticket/4988 >> >> Patch attached. >> > > IMHO this should be mentioned in the man page. > > rob > Updated patch attached. -- Martin Basti -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0288.2-Allow-value-no-for-replica-certify-all-attr-in-abort.patch Type: text/x-patch Size: 2815 bytes Desc: not available URL: From jcholast at redhat.com Fri Jul 17 03:46:43 2015 
From: jcholast at redhat.com (Jan Cholasta) Date: Fri, 17 Jul 2015 05:46:43 +0200 Subject: [Freeipa-devel] [PATCH 0052] Create server-dns sub-package In-Reply-To: <20150716145046.GQ21928@redhat.com> References: <20150702073605.GI11876@redhat.com> <5594EEA5.3060504@redhat.com> <55A5017D.5010608@redhat.com> <55A51CBE.7040702@redhat.com> <55A51DC5.6090209@redhat.com> <187037684.17962032.1436981944717.JavaMail.zimbra@redhat.com> <55A74A49.6090507@redhat.com> <20150716063344.GK21928@redhat.com> <55A799ED.5010205@redhat.com> <55A7C14F.5080200@redhat.com> <20150716145046.GQ21928@redhat.com> Message-ID: <55A87AA3.2040108@redhat.com> Dne 16.7.2015 v 16:50 Alexander Bokovoy napsal(a): > On Thu, 16 Jul 2015, Petr Spacek wrote: >> Third version of the patch is attached, please view. >> >> Behavior: >> - freeipa-server package continues to exist and does not include DNS >> dependencies >> - freeipa-server-dns package is new and requires all DNS dependencies >> - install freeipa-server will not pull DNS dependencies >> - upgrade from freeipa-server < 4.2.0 will pull freeipa-server-dns >> package >> >> It turns out that nobody noticed missing Obsoletes in freeipa-server >> package. >> >> Please review. > I like this. Looks clean and does keep previous behavior. I think we can > live with upgrade pulling freeipa-server-dns even in the environments > where DNS wasn't really used. > >> >> Note: Condition "Obsoletes: %{name}-server < 4.2.0" >> should be amended per-distro/per-repo so it contains latest version >> number >> which was available in form of RPM packages for that distro/repo (COPR). > > May be just add the comment above into commit message? This and we'll > need to add an entry into RPM changelog in the actual Fedora package > that upgrade from pre-4.2.0 will pull freeipa-server-dns even if > integrated DNS server is not used and recommend people to remove the > package is they are not interested. > > ACK. +1 
> >> From c8486993b0b624ab7aa7b118e8ee7e420dd97891 Mon Sep 17 00:00:00 2001 >> From: Petr Spacek >> Date: Thu, 16 Jul 2015 15:09:45 +0200 >> Subject: [PATCH] Create server-dns sub-package. >> >> This allows us to automatically pull in package bind-pkcs11 >> and thus create upgrade path for on CentOS 7.1 -> 7.2. >> >> IPA previously had no requires on BIND packages and these had to be >> installed manually before first ipa-dns-install run. >> We need to pull additional bind-pkcs11 package during RPM upgrade >> so ipa-dns-install cannot help with this. >> >> https://fedorahosted.org/freeipa/ticket/4058 >> --- >> freeipa.spec.in | 51 +++++++++++++++++++++++++++++++++++---------------- >> 1 file changed, 35 insertions(+), 16 deletions(-) >> >> diff --git a/freeipa.spec.in b/freeipa.spec.in >> index >> fabfaee619d4cf0203b2f87d7fe804c2e72026f3..60c28fd5d8b4c14f5fd583735db469a65cdb5331 >> 100644 >> --- a/freeipa.spec.in >> +++ b/freeipa.spec.in 
>> @@ -165,25 +165,13 @@ Requires: %{etc_systemd_dir} >> >> Conflicts: %{alt_name}-server >> Obsoletes: %{alt_name}-server < %{version} >> +# upgrade path from monolithic -server to -server + -server-dns >> +Obsoletes: %{name}-server < 4.2.0 Nitpick: I'd like to keep this visually separate from the alt_name business, please move it below the "Obsoletes: freeipa-server-selinux < 3.3.0" line and separate them with an empty line. >> >> # With FreeIPA 3.3, package freeipa-server-selinux was obsoleted as the >> # entire SELinux policy is stored in the system policy >> Obsoletes: freeipa-server-selinux < 3.3.0 >> >> -# We have a soft-requires on bind. It is an optional part of >> -# IPA but if it is configured we need a way to require versions >> -# that work for us. >> -Conflicts: bind-dyndb-ldap < 6.0-4 >> -%if 0%{?fedora} >= 21 >> -Conflicts: bind < 9.9.6-3 >> -Conflicts: bind-utils < 9.9.6-3 >> -%else >> -Conflicts: bind < 9.9.4-21 >> -Conflicts: bind-utils < 9.9.4-21 >> -%endif >> -# DNSSEC >> -Conflicts: opendnssec < 1.4.6-4 >> - >> # Versions of nss-pam-ldapd < 0.8.4 require a mapping from >> uniqueMember to >> # member. >> Conflicts: nss-pam-ldapd < 0.8.4
>> @@ -197,6 +185,35 @@ to install this package (in other words, most >> people should NOT install >> this package). >> >> >> +%package server-dns >> +Summary: IPA integrated DNS server with support for automatic DNSSEC >> signing >> +Group: System Environment/Base >> +Requires: %{name}-server = %{version}-%{release} >> +Requires: bind-dyndb-ldap >= 6.0-4 >> +%if 0%{?fedora} >= 21 >> +Requires: bind >= 9.9.6-3 >> +Requires: bind-utils >= 9.9.6-3 >> +Requires: bind-pkcs11 >= 9.9.6-3 >> +Requires: bind-pkcs11-utils >= 9.9.6-3 >> +%else >> +Requires: bind >= 9.9.4-21 >> +Requires: bind-utils >= 9.9.4-21 >> +Requires: bind-pkcs11 >= 9.9.4-21 >> +Requires: bind-pkcs11-utils >= 9.9.4-21 >> +%endif >> +Requires: opendnssec >= 1.4.6-4 >> + >> +Conflicts: %{alt_name}-server-dns >> +Obsoletes: %{alt_name}-server-dns < %{version} >> + >> +# upgrade path from monolithic -server to -server + -server-dns >> +Obsoletes: %{name}-server < 4.2.0 >> + >> +%description server-dns >> +IPA integrated DNS server with support for automatic DNSSEC signing. >> +Integrated DNS server is BIND 9. OpenDNSSEC provides key management. >> + >> + >> %package server-trust-ad >> Summary: Virtual package to install packages required for Active >> Directory trusts >> Group: System Environment/Base >> @@ -683,7 +700,6 @@ fi >> %{_sbindir}/ipa-backup >> %{_sbindir}/ipa-restore >> %{_sbindir}/ipa-ca-install >> -%{_sbindir}/ipa-dns-install >> %{_sbindir}/ipa-kra-install >> %{_sbindir}/ipa-server-install >> %{_sbindir}/ipa-replica-conncheck >> @@ -857,7 +873,6 @@ fi >> %{_mandir}/man1/ipa-server-certinstall.1.gz >> %{_mandir}/man1/ipa-server-install.1.gz >> %{_mandir}/man1/ipa-server-upgrade.1.gz >> -%{_mandir}/man1/ipa-dns-install.1.gz >> %{_mandir}/man1/ipa-ca-install.1.gz >> %{_mandir}/man1/ipa-kra-install.1.gz >> %{_mandir}/man1/ipa-compat-manage.1.gz 
>> @@ -873,6 +888,10 @@ fi >> %{_mandir}/man1/ipa-cacert-manage.1.gz >> %{_mandir}/man1/ipa-winsync-migrate.1.gz >> >> +%files server-dns >> +%{_sbindir}/ipa-dns-install >> +%{_mandir}/man1/ipa-dns-install.1.gz >> + >> %files server-trust-ad >> %{_sbindir}/ipa-adtrust-install >> %{_usr}/share/ipa/smb.conf.empty >> -- >> 2.4.3 >> > > -- Jan Cholasta From jcholast at redhat.com Fri Jul 17 04:58:39 2015 From: jcholast at redhat.com (Jan Cholasta) Date: Fri, 17 Jul 2015 06:58:39 +0200 Subject: [Freeipa-devel] [PATCH 0281] Validate adding a privilege to a permission In-Reply-To: <55A63A3F.9070307@redhat.com> References: <559E8B5A.5040909@redhat.com> <559F58E3.5000405@redhat.com> <559F859A.9000503@redhat.com> <55A63A3F.9070307@redhat.com> Message-ID: <55A88B7F.5010108@redhat.com> Dne 15.7.2015 v 12:47 Martin Basti napsal(a): > On 10/07/15 10:43, Martin Basti wrote: >> On 10/07/15 07:32, Jan Cholasta wrote: >>> Hi, >>> >>> Dne 9.7.2015 v 16:55 Martin Basti napsal(a): >>>> https://fedorahosted.org/freeipa/ticket/5075 >>>> >>>> Patch attached. >>> >>> the check is very plugin-specific, so I don't think it should be in >>> ipalib.util. You can keep it in privilege and import it from there in >>> permission just fine. >>> >>> Honza >>> >> Updated patch attached. >> >> >> > Updated patch attached. ACK. Pushed to: master: a619a1e211927c27f5c034dec8c1a1bbc03720f2 ipa-4-2: 652eb08672e3db5fb7f9ac00914643177c74e631 -- Jan Cholasta From jcholast at redhat.com Fri Jul 17 05:05:03 2015 
From: jcholast at redhat.com (Jan Cholasta) Date: Fri, 17 Jul 2015 07:05:03 +0200 Subject: [Freeipa-devel] [PATCH 0057] Do not use anonymous bind in migration UI. In-Reply-To: <55A78485.6040407@redhat.com> References: <55A65E71.7060701@redhat.com> <55A66181.9080700@redhat.com> <55A66883.3080606@redhat.com> <55A78485.6040407@redhat.com> Message-ID: <55A88CFF.2020206@redhat.com> Dne 16.7.2015 v 12:16 David Kupka napsal(a): > On 15/07/15 16:04, David Kupka wrote: >> On 15/07/15 15:34, Jan Cholasta wrote: >>> Dne 15.7.2015 v 15:21 David Kupka napsal(a): >>>> https://fedorahosted.org/freeipa/ticket/4953 >>>> >>>> To test this patch: >>>> >>>> 1. Migrate users from LDAP or other FreeIPA server >>>> (https://www.freeipa.org/page/Howto/Migration) >>>> >>>> 2. Disable anonymous bind to Directory Server >>>> (https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/disabling-anon-binds.html) >>>> >>>> >>>> >>>> >>>> >>>> 3. Go to FreeIPA migration page (ipa.example.com/ipa/migration/) and >>>> enter name and password of one of the migrated users. >>>> >>>> Without this patch you will get an error page. >>> >>> NACK, you are calling do_bind with wrong arguments. >>> >> Updated patch attached. >> >> >> > > With Honza, we've found better solution. Instead of binding to the LDAP > just to get base DN we can instantiate api and use api.env.basedn > variable. In the same time we can use api.anv.ldap_uri instead of > searching filesystem for ldapi socket. > Patch attached. LGTM, but since I had a part in this, I'd like someone else (Petr?) to ACK this. -- Jan Cholasta From abokovoy at redhat.com Fri Jul 17 05:18:24 2015 
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Fri, 17 Jul 2015 08:18:24 +0300 Subject: [Freeipa-devel] [PATCH 0057] Do not use anonymous bind in migration UI. In-Reply-To: <55A88CFF.2020206@redhat.com> References: <55A65E71.7060701@redhat.com> <55A66181.9080700@redhat.com> <55A66883.3080606@redhat.com> <55A78485.6040407@redhat.com> <55A88CFF.2020206@redhat.com> Message-ID: <20150717051824.GU21928@redhat.com> On Fri, 17 Jul 2015, Jan Cholasta wrote: >Dne 16.7.2015 v 12:16 David Kupka napsal(a): >>On 15/07/15 16:04, David Kupka wrote: >>>On 15/07/15 15:34, Jan Cholasta wrote: >>>>Dne 15.7.2015 v 15:21 David Kupka napsal(a): >>>>>https://fedorahosted.org/freeipa/ticket/4953 >>>>> >>>>>To test this patch: >>>>> >>>>>1. Migrate users from LDAP or other FreeIPA server >>>>>(https://www.freeipa.org/page/Howto/Migration) >>>>> >>>>>2. Disable anonymous bind to Directory Server >>>>>(https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/disabling-anon-binds.html) >>>>> >>>>> >>>>> >>>>> >>>>> >>>>>3. Go to FreeIPA migration page (ipa.example.com/ipa/migration/) and >>>>>enter name and password of one of the migrated users. >>>>> >>>>>Without this patch you will get an error page. >>>> >>>>NACK, you are calling do_bind with wrong arguments. >>>> >>>Updated patch attached. >>> >>> >>> >> >>With Honza, we've found better solution. Instead of binding to the LDAP >>just to get base DN we can instantiate api and use api.env.basedn >>variable. In the same time we can use api.anv.ldap_uri instead of >>searching filesystem for ldapi socket. >>Patch attached. > >LGTM, but since I had a part in this, I'd like someone else (Petr?) to >ACK this. I went through the code and I think it is also a better approach than it was before, so ACK. -- / Alexander Bokovoy From pvoborni at redhat.com Fri Jul 17 08:31:11 2015 
From: pvoborni at redhat.com (Petr Vobornik)
Date: Fri, 17 Jul 2015 10:31:11 +0200
Subject: [Freeipa-devel] [PATCH 0057] Do not use anonymous bind in migration UI.
In-Reply-To: <20150717051824.GU21928@redhat.com>
References: <55A65E71.7060701@redhat.com> <55A66181.9080700@redhat.com> <55A66883.3080606@redhat.com> <55A78485.6040407@redhat.com> <55A88CFF.2020206@redhat.com> <20150717051824.GU21928@redhat.com>
Message-ID: <55A8BD4F.9030309@redhat.com>

On 07/17/2015 07:18 AM, Alexander Bokovoy wrote:
> On Fri, 17 Jul 2015, Jan Cholasta wrote:
>> On 16.7.2015 at 12:16, David Kupka wrote:
>>> On 15/07/15 16:04, David Kupka wrote:
>>>> On 15/07/15 15:34, Jan Cholasta wrote:
>>>>> On 15.7.2015 at 15:21, David Kupka wrote:
>>>>>> https://fedorahosted.org/freeipa/ticket/4953
>>>>>>
>>>>>> To test this patch:
>>>>>>
>>>>>> 1. Migrate users from LDAP or other FreeIPA server
>>>>>> (https://www.freeipa.org/page/Howto/Migration)
>>>>>>
>>>>>> 2. Disable anonymous bind to Directory Server
>>>>>> (https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/disabling-anon-binds.html)
>>>>>>
>>>>>> 3. Go to FreeIPA migration page (ipa.example.com/ipa/migration/) and
>>>>>> enter name and password of one of the migrated users.
>>>>>>
>>>>>> Without this patch you will get an error page.
>>>>>
>>>>> NACK, you are calling do_bind with wrong arguments.
>>>>>
>>>> Updated patch attached.
>>>>
>>>
>>> With Honza, we've found a better solution. Instead of binding to the LDAP
>>> just to get base DN we can instantiate api and use api.env.basedn
>>> variable. In the same time we can use api.env.ldap_uri instead of
>>> searching filesystem for ldapi socket.
>>> Patch attached.
>>
>> LGTM, but since I had a part in this, I'd like someone else (Petr?) to
>> ACK this.
> I went through the code and I think it is also a better approach than it
> was before, so ACK.

ACK as well.

Pushed to:
master: e5d179b5b96bba5048a05135693acc5507d38163
ipa-4-2: 65877820b821884ac3b539e7f64e12c2cb3dd34f
--
Petr Vobornik

From tbabej at redhat.com Fri Jul 17 08:42:55 2015
From: tbabej at redhat.com (Tomas Babej)
Date: Fri, 17 Jul 2015 10:42:55 +0200
Subject: [Freeipa-devel] [PATCH 0052] Create server-dns sub-package
In-Reply-To: <55A87AA3.2040108@redhat.com>
References: <20150702073605.GI11876@redhat.com> <5594EEA5.3060504@redhat.com> <55A5017D.5010608@redhat.com> <55A51CBE.7040702@redhat.com> <55A51DC5.6090209@redhat.com> <187037684.17962032.1436981944717.JavaMail.zimbra@redhat.com> <55A74A49.6090507@redhat.com> <20150716063344.GK21928@redhat.com> <55A799ED.5010205@redhat.com> <55A7C14F.5080200@redhat.com> <20150716145046.GQ21928@redhat.com> <55A87AA3.2040108@redhat.com>
Message-ID: <55A8C00F.5040601@redhat.com>

On 07/17/2015 05:46 AM, Jan Cholasta wrote:
> On 16.7.2015 at 16:50, Alexander Bokovoy wrote:
>> On Thu, 16 Jul 2015, Petr Spacek wrote:
>>> Third version of the patch is attached, please view.
>>>
>>> Behavior:
>>> - freeipa-server package continues to exist and does not include DNS
>>> dependencies
>>> - freeipa-server-dns package is new and requires all DNS dependencies
>>> - install freeipa-server will not pull DNS dependencies
>>> - upgrade from freeipa-server < 4.2.0 will pull freeipa-server-dns
>>> package
>>>
>>> It turns out that nobody noticed missing Obsoletes in freeipa-server
>>> package.
>>>
>>> Please review.
>> I like this. Looks clean and does keep previous behavior. I think we can
>> live with upgrade pulling freeipa-server-dns even in the environments
>> where DNS wasn't really used.
>>
>>>
>>> Note: Condition "Obsoletes: %{name}-server < 4.2.0"
>>> should be amended per-distro/per-repo so it contains latest version
>>> number
>>> which was available in form of RPM packages for that distro/repo (COPR).
>>
>> Maybe just add the comment above into commit message?
This and we'll >> need to add an entry into RPM changelog in the actual Fedora package >> that upgrade from pre-4.2.0 will pull freeipa-server-dns even if >> integrated DNS server is not used and recommend people to remove the >> package is they are not interested. >> >> ACK. > > +1 > >> >>> From c8486993b0b624ab7aa7b118e8ee7e420dd97891 Mon Sep 17 00:00:00 2001 >>> From: Petr Spacek >>> Date: Thu, 16 Jul 2015 15:09:45 +0200 >>> Subject: [PATCH] Create server-dns sub-package. >>> >>> This allows us to automatically pull in package bind-pkcs11 >>> and thus create upgrade path for on CentOS 7.1 -> 7.2. >>> >>> IPA previously had no requires on BIND packages and these had to be >>> installed manually before first ipa-dns-install run. >>> We need to pull additional bind-pkcs11 package during RPM upgrade >>> so ipa-dns-install cannot help with this. >>> >>> https://fedorahosted.org/freeipa/ticket/4058 >>> --- >>> freeipa.spec.in | 51 +++++++++++++++++++++++++++++++++++---------------- >>> 1 file changed, 35 insertions(+), 16 deletions(-) >>> >>> diff --git a/freeipa.spec.in b/freeipa.spec.in >>> index >>> fabfaee619d4cf0203b2f87d7fe804c2e72026f3..60c28fd5d8b4c14f5fd583735db469a65cdb5331 >>> >>> 100644 >>> --- a/freeipa.spec.in >>> +++ b/freeipa.spec.in 
>>> @@ -165,25 +165,13 @@ Requires: %{etc_systemd_dir} >>> >>> Conflicts: %{alt_name}-server >>> Obsoletes: %{alt_name}-server < %{version} >>> +# upgrade path from monolithic -server to -server + -server-dns >>> +Obsoletes: %{name}-server < 4.2.0 > > Nitpick: I'd like to keep this visually separate from the alt_name > bussiness, please move it below the "Obsoletes: freeipa-server-selinux < > 3.3.0" line and separate them with an empty line. > >>> >>> # With FreeIPA 3.3, package freeipa-server-selinux was obsoleted as the >>> # entire SELinux policy is stored in the system policy >>> Obsoletes: freeipa-server-selinux < 3.3.0 >>> >>> -# We have a soft-requires on bind. It is an optional part of >>> -# IPA but if it is configured we need a way to require versions >>> -# that work for us. >>> -Conflicts: bind-dyndb-ldap < 6.0-4 >>> -%if 0%{?fedora} >= 21 >>> -Conflicts: bind < 9.9.6-3 >>> -Conflicts: bind-utils < 9.9.6-3 >>> -%else >>> -Conflicts: bind < 9.9.4-21 >>> -Conflicts: bind-utils < 9.9.4-21 >>> -%endif >>> -# DNSSEC >>> -Conflicts: opendnssec < 1.4.6-4 >>> - >>> # Versions of nss-pam-ldapd < 0.8.4 require a mapping from >>> uniqueMember to >>> # member. >>> Conflicts: nss-pam-ldapd < 0.8.4 
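Review bot: the `Obsoletes: %{name}-server < 4.2.0` added in this hunk sits in the freeipa-server stanza itself, so it is a package obsoleting older versions of its own name; an ordinary version upgrade already replaces those, so the line does nothing here and only the copy in the new server-dns stanza actually drives the upgrade path. Either drop it from -server, or keep it and extend the comment to say it is there for symmetry only, so the next reader does not assume it carries the migration. Separately, removing the bind, bind-dyndb-ldap and opendnssec Conflicts lines means a freeipa-server installed without -server-dns no longer fences off the known-bad BIND versions; that is acceptable only because the -server-dns Obsoletes pulls the new package in on upgrade, which is worth one sentence in the commit message.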
>>> @@ -197,6 +185,35 @@ to install this package (in other words, most >>> people should NOT install >>> this package). >>> >>> >>> +%package server-dns >>> +Summary: IPA integrated DNS server with support for automatic DNSSEC >>> signing >>> +Group: System Environment/Base >>> +Requires: %{name}-server = %{version}-%{release} >>> +Requires: bind-dyndb-ldap >= 6.0-4 >>> +%if 0%{?fedora} >= 21 >>> +Requires: bind >= 9.9.6-3 >>> +Requires: bind-utils >= 9.9.6-3 >>> +Requires: bind-pkcs11 >= 9.9.6-3 >>> +Requires: bind-pkcs11-utils >= 9.9.6-3 >>> +%else >>> +Requires: bind >= 9.9.4-21 >>> +Requires: bind-utils >= 9.9.4-21 >>> +Requires: bind-pkcs11 >= 9.9.4-21 >>> +Requires: bind-pkcs11-utils >= 9.9.4-21 >>> +%endif >>> +Requires: opendnssec >= 1.4.6-4 >>> + >>> +Conflicts: %{alt_name}-server-dns >>> +Obsoletes: %{alt_name}-server-dns < %{version} >>> + >>> +# upgrade path from monolithic -server to -server + -server-dns >>> +Obsoletes: %{name}-server < 4.2.0 >>> + >>> +%description server-dns >>> +IPA integrated DNS server with support for automatic DNSSEC signing. >>> +Integrated DNS server is BIND 9. OpenDNSSEC provides key management. >>> + >>> + >>> %package server-trust-ad >>> Summary: Virtual package to install packages required for Active >>> Directory trusts >>> Group: System Environment/Base >>> @@ -683,7 +700,6 @@ fi >>> %{_sbindir}/ipa-backup >>> %{_sbindir}/ipa-restore >>> %{_sbindir}/ipa-ca-install >>> -%{_sbindir}/ipa-dns-install >>> %{_sbindir}/ipa-kra-install >>> %{_sbindir}/ipa-server-install >>> %{_sbindir}/ipa-replica-conncheck >>> @@ -857,7 +873,6 @@ fi >>> %{_mandir}/man1/ipa-server-certinstall.1.gz >>> %{_mandir}/man1/ipa-server-install.1.gz >>> %{_mandir}/man1/ipa-server-upgrade.1.gz >>> -%{_mandir}/man1/ipa-dns-install.1.gz >>> %{_mandir}/man1/ipa-ca-install.1.gz >>> %{_mandir}/man1/ipa-kra-install.1.gz >>> %{_mandir}/man1/ipa-compat-manage.1.gz 
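Review bot: `Obsoletes: %{name}-server < 4.2.0` in the new `%package server-dns` stanza compares on version only, so a 4.2.0 pre-release build (the COPR packages the note in the thread says the condition must be amended for) is not `< 4.2.0` and would not pull server-dns in on upgrade. If those builds are meant to migrate too, use a version-release boundary or `<=` (the form the patch was actually pushed with) and say so in the comment above the line, since the same comment appears twice in the spec and the two copies will otherwise drift.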
>>> @@ -873,6 +888,10 @@ fi >>> %{_mandir}/man1/ipa-cacert-manage.1.gz >>> %{_mandir}/man1/ipa-winsync-migrate.1.gz >>> >>> +%files server-dns >>> +%{_sbindir}/ipa-dns-install >>> +%{_mandir}/man1/ipa-dns-install.1.gz >>> + >>> %files server-trust-ad >>> %{_sbindir}/ipa-adtrust-install >>> %{_usr}/share/ipa/smb.conf.empty >>> -- >>> 2.4.3 >>> >> >> > > I fixed the issues Honza had with formatting and changed the < 4.2.0 to <= 4.2.0. Pushed to: master: f1f3ef478d8d2786269a919bb428cb2ee5372ba6 ipa-4-2: f555fe95dba9ec453fa10f160089dcc5404f724a From cheimes at redhat.com Fri Jul 17 10:21:05 2015 From: cheimes at redhat.com (Christian Heimes) Date: Fri, 17 Jul 2015 12:21:05 +0200 Subject: [Freeipa-devel] [PATCH 013] Fix minor typos Message-ID: <55A8D711.2020505@redhat.com> This patch from Yuri Chornoivan fixes some typos. All fixes look ok to me. https://fedorahosted.org/freeipa/ticket/5109 https://bugzilla.redhat.com/show_bug.cgi?id=1239132 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-cheimes-0013-Fix-minor-typos.patch Type: text/x-patch Size: 7901 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 455 bytes Desc: OpenPGP digital signature URL: From mbabinsk at redhat.com Fri Jul 17 10:55:43 2015 From: mbabinsk at redhat.com (Martin Babinsky) Date: Fri, 17 Jul 2015 12:55:43 +0200 Subject: [Freeipa-devel] [PATCHES 0279-0280] Backport index fixes into IPA 4.1 In-Reply-To: <559E5FF4.8020308@redhat.com> References: <559E5FF4.8020308@redhat.com> Message-ID: <55A8DF2F.2050206@redhat.com> On 07/09/2015 01:50 PM, Martin Basti wrote: > Backport following commits into IPA 4-1: > 57fba7a56f88c517b3ebb03842f1cc18bc129ebb > 16f47ed4520d4f89db39d1dc58be7a8efb1d8612 > > Patches attached. > > > > ACK -- Martin^3 Babinsky From mbasti at redhat.com Fri Jul 17 11:00:14 2015 
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 17 Jul 2015 13:00:14 +0200
Subject: [Freeipa-devel] [PATCH 0285] DNS: consolidate RR types in API and LDAP schema
In-Reply-To: <55A686AA.4050801@redhat.com>
References: <55A6551E.9070306@redhat.com> <55A662A3.3090505@redhat.com> <55A66839.80508@redhat.com> <55A67D49.7020208@redhat.com> <55A67E6C.3000401@redhat.com> <55A67EAF.8040803@redhat.com> <55A686AA.4050801@redhat.com>
Message-ID: <55A8E03E.9060504@redhat.com>

On 15/07/15 18:13, Petr Spacek wrote:
> On 15.7.2015 17:39, Martin Basti wrote:
>> On 15/07/15 17:38, Petr Spacek wrote:
>>> On 15.7.2015 17:33, Martin Basti wrote:
>>>> On 15/07/15 16:03, Martin Basti wrote:
>>>>> On 15/07/15 15:39, Petr Vobornik wrote:
>>>>>> On 07/15/2015 02:42 PM, Martin Basti wrote:
>>>>>>> Patch attached.
>>>>>>>
>>>>>>> https://fedorahosted.org/freeipa/ticket/4934
>>>>>>> https://fedorahosted.org/freeipa/ticket/5055
>>>>>>>
>>>>>> Why are you adding RP, APL, IPSEC, DHCID, HIP, SPF records? Is there a plan
>>>>>> to use them? Can't we just not use unsupported records in LDAPSearch'?
>>>>>> (which would fix #5055)
>>>>> I had a discussion with Petr2, and we decided to do it this way, because these
>>>>> records are valid.
>>>>>
>>>>> Removing unsupported records from search changes the behavior of the DNS
>>>>> commands. Now IPA shows even unsupported records which cannot be modified by
>>>>> API. AFAIK we want to keep this behavior.
>>>>>
>>>> Updated patch attached.
>>>>
>>>> I forgot to remove DNSKEY from object class definition.
>>> Are you 100 % sure that it will not break on upgrade? Please double-check that
>>> with Thierry.
>>>
>> It was my change before we decided that DNSKEY should not be there, it is not
>> in git repo.
> I see, okay.
>
Updated patch attached.
--
Martin Basti
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0285.3-DNS-Consolidate-DNS-RR-types-in-API-and-schema.patch Type: text/x-patch Size: 51986 bytes Desc: not available URL: From abokovoy at redhat.com Fri Jul 17 11:04:16 2015 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Fri, 17 Jul 2015 14:04:16 +0300 Subject: [Freeipa-devel] [PATCH 0286] Sysrestore: copy files instead of moving them to avoid SELinux issues In-Reply-To: <55A68728.7050606@redhat.com> References: <55A682FF.8000000@redhat.com> <20150715160118.GJ21928@redhat.com> <55A68728.7050606@redhat.com> Message-ID: <20150717110416.GZ21928@redhat.com> On Wed, 15 Jul 2015, Martin Basti wrote: >On 15/07/15 18:01, Alexander Bokovoy wrote: >>On Wed, 15 Jul 2015, Martin Basti wrote: >>>Moved files temporarily exist without a proper SElinux context >>>which causes issues when running SSSD/ntpd tries to work with >>>files. >>> >>>https://fedorahosted.org/freeipa/ticket/4923 >>> >>>Patch attached. >>> >>>-- >>>Martin Basti >>> >> >>>From a86424429eea3bede519284e2d986c4fad8755f8 Mon Sep 17 00:00:00 2001 >>>From: Martin Basti >>>Date: Wed, 15 Jul 2015 16:20:59 +0200 >>>Subject: [PATCH] sysrestore: copy files instead of moving them to avoind >>>SELinux issues >>> >>>Copying files restores SELinux context. >>> >>>https://fedorahosted.org/freeipa/ticket/4923 >>>--- >>>ipapython/sysrestore.py | 12 ++++++------ >>>1 file changed, 6 insertions(+), 6 deletions(-) >>> >>>diff --git a/ipapython/sysrestore.py b/ipapython/sysrestore.py >>>index c058ff7c04d4604ba96c2a4ece68d476b5b6491f..354897240b542c2671b662a4fdad1a089652f899 >>>100644 >>>--- a/ipapython/sysrestore.py >>>+++ b/ipapython/sysrestore.py 
>>>@@ -186,12 +186,12 @@ class FileStore: >>> if new_path is not None: >>> path = new_path >>> >>>- shutil.move(backup_path, path) >>>+ shutil.copy(backup_path, path) # SELinux needs copy >>>+ os.remove(backup_path) >>>+ >>> os.chown(path, int(uid), int(gid)) >>> os.chmod(path, int(mode)) >>> >>>- tasks.restore_context(path) >>>- >>Please keep restorecon calls because we might have a case when old label >>was wrong in the backup. >> >> >>> del self.files[filename] >>> self.save() >>> >>>@@ -217,12 +217,12 @@ class FileStore: >>> root_logger.debug(" -> Not restoring - '%s' >>>doesn't exist", backup_path) >>> continue >>> >>>- shutil.move(backup_path, path) >>>+ shutil.copy(backup_path, path) # SELinux needs copy >>>+ os.remove(backup_path) >>>+ >>> os.chown(path, int(uid), int(gid)) >>> os.chmod(path, int(mode)) >>> >>>- tasks.restore_context(path) >>>- >>Same here. >> > >Sorry I don't get it. >Label is not copied from backup_file. >I changed Selinux context, then copy to original location and context >was restored when file does not exist. > >Do you mean case when the target file has different label than it >should have? Yes, it could happen quite often. -- / Alexander Bokovoy From pvoborni at redhat.com Fri Jul 17 11:17:48 2015 From: pvoborni at redhat.com (Petr Vobornik) Date: Fri, 17 Jul 2015 13:17:48 +0200 Subject: [Freeipa-devel] [PATCH 013] Fix minor typos In-Reply-To: <55A8D711.2020505@redhat.com> References: <55A8D711.2020505@redhat.com> Message-ID: <55A8E45C.6060807@redhat.com> On 07/17/2015 12:21 PM, Christian Heimes wrote: > This patch from Yuri Chornoivan fixes some typos. All fixes look ok to me. +1, one minor issue though. Btw, the Reviewed-By line is added by ipatool utility on push. > > https://fedorahosted.org/freeipa/ticket/5109 > https://bugzilla.redhat.com/show_bug.cgi?id=1239132 > > > freeipa-cheimes-0013-Fix-minor-typos.patch > > > > index 44aacd0916454e03c6611f106088b98ea0169979..5ba2c9760891c5d45f7bf9841a54c59fc99da01e 100644 
> --- a/ipalib/__init__.py > +++ b/ipalib/__init__.py > @@ -711,7 +711,7 @@ assume these variables will all exist by the time the module containing their > plugin (or plugins) is imported. > > `Env._bootstrap()`, which is called by `API.bootstrap()`, will create several > -run-time variables that connot be overriden in configuration files or through > +run-time variables that connot be overridden in configuration files or through > command-line options. Here is an overview of this run-time information: > connot -- Petr Vobornik From mbasti at redhat.com Fri Jul 17 11:19:36 2015 From: mbasti at redhat.com (Martin Basti) Date: Fri, 17 Jul 2015 13:19:36 +0200 Subject: [Freeipa-devel] [PATCH 0286] Sysrestore: copy files instead of moving them to avoid SELinux issues In-Reply-To: <20150717110416.GZ21928@redhat.com> References: <55A682FF.8000000@redhat.com> <20150715160118.GJ21928@redhat.com> <55A68728.7050606@redhat.com> <20150717110416.GZ21928@redhat.com> Message-ID: <55A8E4C8.2020706@redhat.com> On 17/07/15 13:04, Alexander Bokovoy wrote: > On Wed, 15 Jul 2015, Martin Basti wrote: >> On 15/07/15 18:01, Alexander Bokovoy wrote: >>> On Wed, 15 Jul 2015, Martin Basti wrote: >>>> Moved files temporarily exist without a proper SElinux context >>>> which causes issues when running SSSD/ntpd tries to work with files. >>>> >>>> https://fedorahosted.org/freeipa/ticket/4923 >>>> >>>> Patch attached. >>>> >>>> -- >>>> Martin Basti >>>> >>> >>>> From a86424429eea3bede519284e2d986c4fad8755f8 Mon Sep 17 00:00:00 2001 >>>> From: Martin Basti >>>> Date: Wed, 15 Jul 2015 16:20:59 +0200 >>>> Subject: [PATCH] sysrestore: copy files instead of moving them to >>>> avoind >>>> SELinux issues >>>> >>>> Copying files restores SELinux context. >>>> >>>> https://fedorahosted.org/freeipa/ticket/4923 >>>> --- >>>> ipapython/sysrestore.py | 12 ++++++------ >>>> 1 file changed, 6 insertions(+), 6 deletions(-) 
>>>> >>>> diff --git a/ipapython/sysrestore.py b/ipapython/sysrestore.py >>>> index >>>> c058ff7c04d4604ba96c2a4ece68d476b5b6491f..354897240b542c2671b662a4fdad1a089652f899 >>>> 100644 >>>> --- a/ipapython/sysrestore.py >>>> +++ b/ipapython/sysrestore.py >>>> @@ -186,12 +186,12 @@ class FileStore: >>>> if new_path is not None: >>>> path = new_path >>>> >>>> - shutil.move(backup_path, path) >>>> + shutil.copy(backup_path, path) # SELinux needs copy >>>> + os.remove(backup_path) >>>> + >>>> os.chown(path, int(uid), int(gid)) >>>> os.chmod(path, int(mode)) >>>> >>>> - tasks.restore_context(path) >>>> - >>> Please keep restorecon calls because we might have a case when old >>> label >>> was wrong in the backup. >>> >>> >>>> del self.files[filename] >>>> self.save() >>>> >>>> @@ -217,12 +217,12 @@ class FileStore: >>>> root_logger.debug(" -> Not restoring - '%s' doesn't >>>> exist", backup_path) >>>> continue >>>> >>>> - shutil.move(backup_path, path) >>>> + shutil.copy(backup_path, path) # SELinux needs copy >>>> + os.remove(backup_path) >>>> + >>>> os.chown(path, int(uid), int(gid)) >>>> os.chmod(path, int(mode)) >>>> >>>> - tasks.restore_context(path) >>>> - >>> Same here. >>> >> >> Sorry I don't get it. >> Label is not copied from backup_file. >> I changed Selinux context, then copy to original location and context >> was restored when file does not exist. >> >> Do you mean case when the target file has different label than it >> should have? > Yes, it could happen quite often. Updated patch attached. -- Martin Basti -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0286.2-Allow-value-no-for-replica-certify-all-attr-in-abort.patch Type: text/x-patch Size: 2815 bytes Desc: not available URL: From abokovoy at redhat.com Fri Jul 17 11:25:38 2015 
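To make the point of this exchange concrete, here is a small Python demonstration written for this page; it is not FreeIPA's sysrestore.py, and `restore_context` is an assumed stand-in for the project's `tasks.restore_context`. A rename carries the backup's inode, and with it everything attached to that inode (its SELinux label on a labelled filesystem), to the destination. A copy instead writes into the destination's existing inode, so the only label left is whatever the target already had, which is exactly the case Alexander raises: if that label was wrong, nothing in the copy fixes it, so a relabel after the copy is still needed. Hard links stand in for the label so the demo runs without SELinux.

```python
import os
import shutil
import stat
import tempfile


def restore_by_rename(backup_path, path):
    """Pre-patch behaviour (shutil.move on one filesystem is a rename):
    the backup's inode is moved into place, so whatever is attached to that
    inode arrives at `path` unchanged."""
    os.rename(backup_path, path)


def restore_by_copy(backup_path, path, mode, restore_context):
    """Patched behaviour: write the backup's bytes into `path`, then delete
    the backup.  shutil.copy opens an existing destination for writing, so
    its inode is kept; a missing destination gets a fresh inode.  The backup's
    inode never moves, which is why the relabel hook still runs last: the
    destination's own label may already be wrong."""
    shutil.copy(backup_path, path)   # overwrites in place, never renames
    os.remove(backup_path)
    os.chmod(path, mode)
    restore_context(path)            # assumed stand-in for tasks.restore_context


def _make_pair(workdir):
    """Constructed sample files: a backup and a stale live file."""
    backup = os.path.join(workdir, "ntp.conf.bak")
    target = os.path.join(workdir, "ntp.conf")
    with open(backup, "w") as f:
        f.write("server 0.example.pool\n")
    with open(target, "w") as f:
        f.write("server stale.example\n")
    os.chmod(target, 0o600)
    return backup, target


def demonstrate():
    """Run both strategies and report, via hard-link sentinels, which inode
    the restored file ends up on.  A hard link plays the role of 'whatever is
    attached to the inode' (the label, in the real case)."""
    report = {}
    relabelled = []

    with tempfile.TemporaryDirectory() as d:
        backup, target = _make_pair(d)
        backup_link = backup + ".sentinel"
        os.link(backup, backup_link)
        restore_by_rename(backup, target)
        # rename: the restored file IS the backup's inode
        report["rename_keeps_backup_inode"] = os.path.samefile(target, backup_link)
        report["rename_backup_gone"] = not os.path.exists(backup)

    with tempfile.TemporaryDirectory() as d:
        backup, target = _make_pair(d)
        backup_link = backup + ".sentinel"
        target_link = target + ".sentinel"
        os.link(backup, backup_link)
        os.link(target, target_link)
        restore_by_copy(backup, target, 0o644, relabelled.append)
        # copy: the restored file is still the destination's old inode
        report["copy_keeps_backup_inode"] = os.path.samefile(target, backup_link)
        report["copy_keeps_target_inode"] = os.path.samefile(target, target_link)
        with open(target) as f:
            report["copy_content"] = f.read()
        report["copy_backup_gone"] = not os.path.exists(backup)
        report["copy_mode"] = stat.S_IMODE(os.stat(target).st_mode)
        report["relabel_calls"] = len(relabelled)
    return report


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print(f"{key}: {value!r}")
```

The `relabel_calls` entry is the part that matters for the review: with the copy strategy the hook runs once, after `os.chmod`, on the destination path, so a wrong pre-existing label on the target is corrected even though the copy itself never touched labels.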
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Fri, 17 Jul 2015 14:25:38 +0300 Subject: [Freeipa-devel] [PATCH 0286] Sysrestore: copy files instead of moving them to avoid SELinux issues In-Reply-To: <55A8E4C8.2020706@redhat.com> References: <55A682FF.8000000@redhat.com> <20150715160118.GJ21928@redhat.com> <55A68728.7050606@redhat.com> <20150717110416.GZ21928@redhat.com> <55A8E4C8.2020706@redhat.com> Message-ID: <20150717112538.GA21928@redhat.com> On Fri, 17 Jul 2015, Martin Basti wrote: >On 17/07/15 13:04, Alexander Bokovoy wrote: >>On Wed, 15 Jul 2015, Martin Basti wrote: >>>On 15/07/15 18:01, Alexander Bokovoy wrote: >>>>On Wed, 15 Jul 2015, Martin Basti wrote: >>>>>Moved files temporarily exist without a proper SElinux context >>>>>which causes issues when running SSSD/ntpd tries to work with >>>>>files. >>>>> >>>>>https://fedorahosted.org/freeipa/ticket/4923 >>>>> >>>>>Patch attached. >>>>> >>>>>-- >>>>>Martin Basti >>>>> >>>> >>>>>From a86424429eea3bede519284e2d986c4fad8755f8 Mon Sep 17 00:00:00 2001 >>>>>From: Martin Basti >>>>>Date: Wed, 15 Jul 2015 16:20:59 +0200 >>>>>Subject: [PATCH] sysrestore: copy files instead of moving them >>>>>to avoind >>>>>SELinux issues >>>>> >>>>>Copying files restores SELinux context. >>>>> >>>>>https://fedorahosted.org/freeipa/ticket/4923 >>>>>--- >>>>>ipapython/sysrestore.py | 12 ++++++------ >>>>>1 file changed, 6 insertions(+), 6 deletions(-) >>>>> >>>>>diff --git a/ipapython/sysrestore.py b/ipapython/sysrestore.py >>>>>index c058ff7c04d4604ba96c2a4ece68d476b5b6491f..354897240b542c2671b662a4fdad1a089652f899 >>>>>100644 >>>>>--- a/ipapython/sysrestore.py >>>>>+++ b/ipapython/sysrestore.py 
>>>>>@@ -186,12 +186,12 @@ class FileStore: >>>>> if new_path is not None: >>>>> path = new_path >>>>> >>>>>- shutil.move(backup_path, path) >>>>>+ shutil.copy(backup_path, path) # SELinux needs copy >>>>>+ os.remove(backup_path) >>>>>+ >>>>> os.chown(path, int(uid), int(gid)) >>>>> os.chmod(path, int(mode)) >>>>> >>>>>- tasks.restore_context(path) >>>>>- >>>>Please keep restorecon calls because we might have a case when >>>>old label >>>>was wrong in the backup. >>>> >>>> >>>>> del self.files[filename] >>>>> self.save() >>>>> >>>>>@@ -217,12 +217,12 @@ class FileStore: >>>>> root_logger.debug(" -> Not restoring - '%s' >>>>>doesn't exist", backup_path) >>>>> continue >>>>> >>>>>- shutil.move(backup_path, path) >>>>>+ shutil.copy(backup_path, path) # SELinux needs copy >>>>>+ os.remove(backup_path) >>>>>+ >>>>> os.chown(path, int(uid), int(gid)) >>>>> os.chmod(path, int(mode)) >>>>> >>>>>- tasks.restore_context(path) >>>>>- >>>>Same here. >>>> >>> >>>Sorry I don't get it. >>>Label is not copied from backup_file. >>>I changed Selinux context, then copy to original location and >>>context was restored when file does not exist. >>> >>>Do you mean case when the target file has different label than it >>>should have? >>Yes, it could happen quite often. > >Updated patch attached. You attached wrong patch > >-- >Martin Basti > >From d480d244266a84fb6c2c6b50011b1aba809e2aef Mon Sep 17 00:00:00 2001 >From: Martin Basti >Date: Thu, 16 Jul 2015 16:26:55 +0200 >Subject: [PATCH] Allow value 'no' for replica-certify-all attr in > abort-clean-ruv subcommand > >--force option set replica-certify-all to 'no' during abort-clean-ruv >subcommand > >https://fedorahosted.org/freeipa/ticket/4988 >--- > install/tools/ipa-replica-manage | 2 +- > install/tools/man/ipa-replica-manage.1 | 2 +- > ipaserver/install/replication.py | 3 ++- > 3 files changed, 4 insertions(+), 3 deletions(-) 
> >diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage >index e525a02f4c60350b7a943abab4b4aedd957e984a..50a57f70ec452c0df5bf2ea55d2a136e8149aa41 100755 >--- a/install/tools/ipa-replica-manage >+++ b/install/tools/ipa-replica-manage >@@ -470,7 +470,7 @@ def abort_clean_ruv(realm, ruv, options): > print > thisrepl = replication.ReplicationManager(realm, options.host, > options.dirman_passwd) >- thisrepl.abortcleanallruv(ruv) >+ thisrepl.abortcleanallruv(ruv, options.force) > > print "Cleanup task stopped" > >diff --git a/install/tools/man/ipa-replica-manage.1 b/install/tools/man/ipa-replica-manage.1 >index 8a7c78f39eeb6c7902ed99e7bed37e32eb0e92dc..c09ed362f3143e6e38716e1b3a96e90001a64674 100644 >--- a/install/tools/man/ipa-replica-manage.1 >+++ b/install/tools/man/ipa-replica-manage.1 >@@ -49,7 +49,7 @@ Manages the replication agreements of an IPA server. The available commands are: > \- Run the CLEANALLRUV task to remove a replication ID. > .TP > \fBabort\-clean\-ruv\fR [REPLICATION_ID] >-\- Abort a running CLEANALLRUV task. >+\- Abort a running CLEANALLRUV task. With \-\-force option the task does not wait for all the replica servers to have been sent the abort task, or be online, before completing. > .TP > \fBlist\-clean\-ruv\fR > \- List all running CLEANALLRUV and abort CLEANALLRUV tasks. >diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py >index 0f420106e093e8a7a277016857d27aaa48daa4dc..e9af88dc4356d4fd5495f4fea399ab09c75db953 100644 >--- a/ipaserver/install/replication.py >+++ b/ipaserver/install/replication.py >@@ -1451,7 +1451,7 @@ class ReplicationManager(object): > > wait_for_task(self.conn, dn) > >- def abortcleanallruv(self, replicaId): >+ def abortcleanallruv(self, replicaId, force=False): > """ > Create a task to abort a CLEANALLRUV operation. > """ 
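Review bot: in the ipa-replica-manage hunk, `options.force` is read and passed to `abortcleanallruv`, but nothing in this patch adds a `--force` option to the option parser; if the option is not defined for the abort-clean-ruv subcommand the call fails at runtime before the task is created. Confirm the option already exists and is accepted for this subcommand (the man page hunk documents it as if it were), and pass it as `force=options.force` so the call does not depend on positional order.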
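Review bot: the new `force=False` parameter on `abortcleanallruv` in the replication.py hunk is undocumented; the docstring directly below it still reads only "Create a task to abort a CLEANALLRUV operation." Add a line stating that `force` sets replica-certify-all to 'no' so the abort task completes without waiting for every replica to have received it or be online, which is the semantics the man page hunk gives the option.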
>@@ -1465,6 +1465,7 @@ class ReplicationManager(object): > 'replica-id': [replicaId], > 'objectclass': ['top', 'extensibleObject'], > 'cn': ['abort %d' % replicaId], >+ 'replica-certify-all': ['no'] if force else ['yes'], > } > ) > try: >-- >2.4.3 > -- / Alexander Bokovoy From mbasti at redhat.com Fri Jul 17 11:29:31 2015 From: mbasti at redhat.com (Martin Basti) Date: Fri, 17 Jul 2015 13:29:31 +0200 Subject: [Freeipa-devel] [PATCH 0286] Sysrestore: copy files instead of moving them to avoid SELinux issues In-Reply-To: <20150717112538.GA21928@redhat.com> References: <55A682FF.8000000@redhat.com> <20150715160118.GJ21928@redhat.com> <55A68728.7050606@redhat.com> <20150717110416.GZ21928@redhat.com> <55A8E4C8.2020706@redhat.com> <20150717112538.GA21928@redhat.com> Message-ID: <55A8E71B.4090103@redhat.com> On 17/07/15 13:25, Alexander Bokovoy wrote: > On Fri, 17 Jul 2015, Martin Basti wrote: >> On 17/07/15 13:04, Alexander Bokovoy wrote: >>> On Wed, 15 Jul 2015, Martin Basti wrote: >>>> On 15/07/15 18:01, Alexander Bokovoy wrote: >>>>> On Wed, 15 Jul 2015, Martin Basti wrote: >>>>>> Moved files temporarily exist without a proper SElinux context >>>>>> which causes issues when running SSSD/ntpd tries to work with files. >>>>>> >>>>>> https://fedorahosted.org/freeipa/ticket/4923 >>>>>> >>>>>> Patch attached. >>>>>> >>>>>> -- >>>>>> Martin Basti >>>>>> >>>>> >>>>>> From a86424429eea3bede519284e2d986c4fad8755f8 Mon Sep 17 00:00:00 >>>>>> 2001 >>>>>> From: Martin Basti >>>>>> Date: Wed, 15 Jul 2015 16:20:59 +0200 >>>>>> Subject: [PATCH] sysrestore: copy files instead of moving them to >>>>>> avoind >>>>>> SELinux issues >>>>>> >>>>>> Copying files restores SELinux context. >>>>>> >>>>>> https://fedorahosted.org/freeipa/ticket/4923 >>>>>> --- >>>>>> ipapython/sysrestore.py | 12 ++++++------ >>>>>> 1 file changed, 6 insertions(+), 6 deletions(-) >>>>>> 
>>>>>> diff --git a/ipapython/sysrestore.py b/ipapython/sysrestore.py >>>>>> index >>>>>> c058ff7c04d4604ba96c2a4ece68d476b5b6491f..354897240b542c2671b662a4fdad1a089652f899 >>>>>> 100644 >>>>>> --- a/ipapython/sysrestore.py >>>>>> +++ b/ipapython/sysrestore.py >>>>>> @@ -186,12 +186,12 @@ class FileStore: >>>>>> if new_path is not None: >>>>>> path = new_path >>>>>> >>>>>> - shutil.move(backup_path, path) >>>>>> + shutil.copy(backup_path, path) # SELinux needs copy >>>>>> + os.remove(backup_path) >>>>>> + >>>>>> os.chown(path, int(uid), int(gid)) >>>>>> os.chmod(path, int(mode)) >>>>>> >>>>>> - tasks.restore_context(path) >>>>>> - >>>>> Please keep restorecon calls because we might have a case when old >>>>> label >>>>> was wrong in the backup. >>>>> >>>>> >>>>>> del self.files[filename] >>>>>> self.save() >>>>>> >>>>>> @@ -217,12 +217,12 @@ class FileStore: >>>>>> root_logger.debug(" -> Not restoring - '%s' >>>>>> doesn't exist", backup_path) >>>>>> continue >>>>>> >>>>>> - shutil.move(backup_path, path) >>>>>> + shutil.copy(backup_path, path) # SELinux needs copy >>>>>> + os.remove(backup_path) >>>>>> + >>>>>> os.chown(path, int(uid), int(gid)) >>>>>> os.chmod(path, int(mode)) >>>>>> >>>>>> - tasks.restore_context(path) >>>>>> - >>>>> Same here. >>>>> >>>> >>>> Sorry I don't get it. >>>> Label is not copied from backup_file. >>>> I changed Selinux context, then copy to original location and >>>> context was restored when file does not exist. >>>> >>>> Do you mean case when the target file has different label than it >>>> should have? >>> Yes, it could happen quite often. >> >> Updated patch attached. > You attached wrong patch > >> >> -- >> Martin Basti >> > >> From d480d244266a84fb6c2c6b50011b1aba809e2aef Mon Sep 17 00:00:00 2001 
>> From: Martin Basti >> Date: Thu, 16 Jul 2015 16:26:55 +0200 >> Subject: [PATCH] Allow value 'no' for replica-certify-all attr in >> abort-clean-ruv subcommand >> >> --force option set replica-certify-all to 'no' during abort-clean-ruv >> subcommand >> >> https://fedorahosted.org/freeipa/ticket/4988 >> --- >> install/tools/ipa-replica-manage | 2 +- >> install/tools/man/ipa-replica-manage.1 | 2 +- >> ipaserver/install/replication.py | 3 ++- >> 3 files changed, 4 insertions(+), 3 deletions(-) >> >> diff --git a/install/tools/ipa-replica-manage >> b/install/tools/ipa-replica-manage >> index >> e525a02f4c60350b7a943abab4b4aedd957e984a..50a57f70ec452c0df5bf2ea55d2a136e8149aa41 >> 100755 >> --- a/install/tools/ipa-replica-manage >> +++ b/install/tools/ipa-replica-manage >> @@ -470,7 +470,7 @@ def abort_clean_ruv(realm, ruv, options): >> print >> thisrepl = replication.ReplicationManager(realm, options.host, >> options.dirman_passwd) >> - thisrepl.abortcleanallruv(ruv) >> + thisrepl.abortcleanallruv(ruv, options.force) >> >> print "Cleanup task stopped" >> >> diff --git a/install/tools/man/ipa-replica-manage.1 >> b/install/tools/man/ipa-replica-manage.1 >> index >> 8a7c78f39eeb6c7902ed99e7bed37e32eb0e92dc..c09ed362f3143e6e38716e1b3a96e90001a64674 >> 100644 >> --- a/install/tools/man/ipa-replica-manage.1 >> +++ b/install/tools/man/ipa-replica-manage.1 >> @@ -49,7 +49,7 @@ Manages the replication agreements of an IPA >> server. The available commands are: >> \- Run the CLEANALLRUV task to remove a replication ID. >> .TP >> \fBabort\-clean\-ruv\fR [REPLICATION_ID] >> -\- Abort a running CLEANALLRUV task. >> +\- Abort a running CLEANALLRUV task. With \-\-force option the task >> does not wait for all the replica servers to have been sent the abort >> task, or be online, before completing. >> .TP >> \fBlist\-clean\-ruv\fR >> \- List all running CLEANALLRUV and abort CLEANALLRUV tasks. 
>> diff --git a/ipaserver/install/replication.py >> b/ipaserver/install/replication.py >> index >> 0f420106e093e8a7a277016857d27aaa48daa4dc..e9af88dc4356d4fd5495f4fea399ab09c75db953 >> 100644 >> --- a/ipaserver/install/replication.py >> +++ b/ipaserver/install/replication.py >> @@ -1451,7 +1451,7 @@ class ReplicationManager(object): >> >> wait_for_task(self.conn, dn) >> >> - def abortcleanallruv(self, replicaId): >> + def abortcleanallruv(self, replicaId, force=False): >> """ >> Create a task to abort a CLEANALLRUV operation. >> """ >> @@ -1465,6 +1465,7 @@ class ReplicationManager(object): >> 'replica-id': [replicaId], >> 'objectclass': ['top', 'extensibleObject'], >> 'cn': ['abort %d' % replicaId], >> + 'replica-certify-all': ['no'] if force else ['yes'], >> } >> ) >> try: >> -- >> 2.4.3 >> > > Sorry :) Right patch attached. -- Martin Basti -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0286.2-sysrestore-copy-files-instead-of-moving-them-to-avoi.patch Type: text/x-patch Size: 1358 bytes Desc: not available URL: From pspacek at redhat.com Fri Jul 17 11:34:18 2015 
From: pspacek at redhat.com (Petr Spacek)
Date: Fri, 17 Jul 2015 13:34:18 +0200
Subject: [Freeipa-devel] [PATCH 0285] DNS: consolidate RR types in API and LDAP schema
In-Reply-To: <55A8E03E.9060504@redhat.com>
References: <55A6551E.9070306@redhat.com> <55A662A3.3090505@redhat.com> <55A66839.80508@redhat.com> <55A67D49.7020208@redhat.com> <55A67E6C.3000401@redhat.com> <55A67EAF.8040803@redhat.com> <55A686AA.4050801@redhat.com> <55A8E03E.9060504@redhat.com>
Message-ID: <55A8E83A.7070809@redhat.com>

On 17.7.2015 13:00, Martin Basti wrote:
> On 15/07/15 18:13, Petr Spacek wrote:
>> On 15.7.2015 17:39, Martin Basti wrote:
>>> On 15/07/15 17:38, Petr Spacek wrote:
>>>> On 15.7.2015 17:33, Martin Basti wrote:
>>>>> On 15/07/15 16:03, Martin Basti wrote:
>>>>>> On 15/07/15 15:39, Petr Vobornik wrote:
>>>>>>> On 07/15/2015 02:42 PM, Martin Basti wrote:
>>>>>>>> Patch attached.
>>>>>>>>
>>>>>>>> https://fedorahosted.org/freeipa/ticket/4934
>>>>>>>> https://fedorahosted.org/freeipa/ticket/5055
>>>>>>>>
>>>>>>> Why are you adding RP, APL, IPSEC, DHCID, HIP, SPF records? Is there a
>>>>>>> plan
>>>>>>> to use them? Can't we just not use unsupported records in LDAPSearch'?
>>>>>>> (which would fix #5055)
>>>>>> I had a discussion with Petr2, and we decided to do it this way, because
>>>>>> these
>>>>>> records are valid.
>>>>>>
>>>>>> Removing unsupported records from search changes the behavior of the DNS
>>>>>> commands. Now IPA shows even unsupported records which cannot be
>>>>>> modified by
>>>>>> API. AFAIK we want to keep this behavior.
>>>>>>
>>>>> Updated patch attached.
>>>>>
>>>>> I forgot to remove DNSKEY from object class definition.
>>>> Are you 100 % sure that it will not break on upgrade? Please double-check
>>>> that
>>>> with Thierry.
>>>>
>>> It was my change before we decided that DNSKEY should not be there, it is not
>>> in git repo.
>> I see, okay.
>>
> Updated patch attached.

The intent described in the commit message LGTM.

Unfortunately I do not have time for further review, please find somebody else :-)
--
Petr^2 Spacek

From pvoborni at redhat.com Fri Jul 17 11:41:44 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Fri, 17 Jul 2015 13:41:44 +0200
Subject: [Freeipa-devel] [PATCH 0057] Do not use anonymous bind in migration UI.
In-Reply-To: <55A8BD4F.9030309@redhat.com>
References: <55A65E71.7060701@redhat.com> <55A66181.9080700@redhat.com> <55A66883.3080606@redhat.com> <55A78485.6040407@redhat.com> <55A88CFF.2020206@redhat.com> <20150717051824.GU21928@redhat.com> <55A8BD4F.9030309@redhat.com>
Message-ID: <55A8E9F8.6020900@redhat.com>

On 07/17/2015 10:31 AM, Petr Vobornik wrote:
> On 07/17/2015 07:18 AM, Alexander Bokovoy wrote:
>> On Fri, 17 Jul 2015, Jan Cholasta wrote:
>>> On 16.7.2015 at 12:16, David Kupka wrote:
>>>> On 15/07/15 16:04, David Kupka wrote:
>>>>> On 15/07/15 15:34, Jan Cholasta wrote:
>>>>>> On 15.7.2015 at 15:21, David Kupka wrote:
>>>>>>> https://fedorahosted.org/freeipa/ticket/4953
>>>>>>>
>>>>>>> To test this patch:
>>>>>>>
>>>>>>> 1. Migrate users from LDAP or other FreeIPA server
>>>>>>> (https://www.freeipa.org/page/Howto/Migration)
>>>>>>>
>>>>>>> 2. Disable anonymous bind to Directory Server
>>>>>>> (https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/disabling-anon-binds.html)
>>>>>>>
>>>>>>> 3. Go to FreeIPA migration page (ipa.example.com/ipa/migration/) and
>>>>>>> enter name and password of one of the migrated users.
>>>>>>>
>>>>>>> Without this patch you will get an error page.
>>>>>>
>>>>>> NACK, you are calling do_bind with wrong arguments.
>>>>>>
>>>>> Updated patch attached.
>>>>>
>>>>
>>>> With Honza, we've found a better solution. Instead of binding to the LDAP
>>>> just to get base DN we can instantiate api and use api.env.basedn
>>>> variable. In the same time we can use api.env.ldap_uri instead of
>>>> searching filesystem for ldapi socket.
>>>> Patch attached.
>>>
>>> LGTM, but since I had a part in this, I'd like someone else (Petr?) to
>>> ACK this.
>> I went through the code and I think it is also a better approach than it >> was before, so ACK. > > ACK as well. > > Pushed to: > master: e5d179b5b96bba5048a05135693acc5507d38163 > ipa-4-2: 65877820b821884ac3b539e7f64e12c2cb3dd34f Also tested and pushed to 4-1 (ticket is in 4-1) e40a6bc0824020af6ae9d95f444c69a09457cb24 -- Petr Vobornik From abokovoy at redhat.com Fri Jul 17 11:44:40 2015 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Fri, 17 Jul 2015 14:44:40 +0300 Subject: [Freeipa-devel] [PATCH 0286] Sysrestore: copy files instead of moving them to avoid SELinux issues In-Reply-To: <55A8E71B.4090103@redhat.com> References: <55A682FF.8000000@redhat.com> <20150715160118.GJ21928@redhat.com> <55A68728.7050606@redhat.com> <20150717110416.GZ21928@redhat.com> <55A8E4C8.2020706@redhat.com> <20150717112538.GA21928@redhat.com> <55A8E71B.4090103@redhat.com> Message-ID: <20150717114440.GB21928@redhat.com> On Fri, 17 Jul 2015, Martin Basti wrote: >From b05f4a2e17ae00e5c20e5eb7bd046472f100e0ad Mon Sep 17 00:00:00 2001 >From: Martin Basti >Date: Wed, 15 Jul 2015 16:20:59 +0200 >Subject: [PATCH] sysrestore: copy files instead of moving them to avoind > SELinux issues > >Copying files restores SELinux context. > >https://fedorahosted.org/freeipa/ticket/4923 >--- > ipapython/sysrestore.py | 8 ++++++-- > 1 file changed, 6 insertions(+), 2 deletions(-) > >diff --git a/ipapython/sysrestore.py b/ipapython/sysrestore.py >index c058ff7c04d4604ba96c2a4ece68d476b5b6491f..99d78b1b40c82a3350a7c5ba5ad9bf1f77ba887b 100644 >--- a/ipapython/sysrestore.py >+++ b/ipapython/sysrestore.py >@@ -186,7 +186,9 @@ class FileStore: > if new_path is not None: > path = new_path > >- shutil.move(backup_path, path) >+ shutil.copy(backup_path, path) # SELinux needs copy >+ os.remove(backup_path) >+ > os.chown(path, int(uid), int(gid)) > os.chmod(path, int(mode)) 
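Review bot: in the hunk at @@ -186, `shutil.copy(backup_path, path)` only yields a freshly labelled file when `path` does not exist yet; if the restore target is still present, copy opens and truncates that inode, and an existing inode keeps whatever SELinux label it already carries, so the relabel the comment promises happens only on the create path. Either unlink `path` before the copy (ignoring ENOENT) or relabel after it, and expand `# SELinux needs copy` to say why a move is wrong: a rename keeps the label the file had in the backup directory, while a newly created file gets the destination directory's default type.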
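Review bot: in the hunk at @@ -217, which sits inside the restore loop (see the `continue` in its leading context), `os.remove(backup_path)` is unguarded; if it raises after the copy succeeded, the loop aborts with this file restored but every later entry untouched, leaving the system half-restored. Wrap it in try/except OSError and log through root_logger, as the missing-backup branch just above already does, then continue. The same copy-and-remove pair now appears here and in the @@ -186 hunk; a small helper (say `_restore_copy(backup_path, path)`, name hypothetical) would keep the two in step.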
> >@@ -217,7 +219,9 @@ class FileStore: > root_logger.debug(" -> Not restoring - '%s' doesn't exist", backup_path) > continue > >- shutil.move(backup_path, path) >+ shutil.copy(backup_path, path) # SELinux needs copy >+ os.remove(backup_path) >+ > os.chown(path, int(uid), int(gid)) > os.chmod(path, int(mode)) > >-- >2.4.3 > ACK. -- / Alexander Bokovoy From pvoborni at redhat.com Fri Jul 17 11:46:43 2015 From: pvoborni at redhat.com (Petr Vobornik) Date: Fri, 17 Jul 2015 13:46:43 +0200 Subject: [Freeipa-devel] [PATCH 0286] Sysrestore: copy files instead of moving them to avoid SELinux issues In-Reply-To: <20150717114440.GB21928@redhat.com> References: <55A682FF.8000000@redhat.com> <20150715160118.GJ21928@redhat.com> <55A68728.7050606@redhat.com> <20150717110416.GZ21928@redhat.com> <55A8E4C8.2020706@redhat.com> <20150717112538.GA21928@redhat.com> <55A8E71B.4090103@redhat.com> <20150717114440.GB21928@redhat.com> Message-ID: <55A8EB23.7030802@redhat.com> On 07/17/2015 01:44 PM, Alexander Bokovoy wrote: > On Fri, 17 Jul 2015, Martin Basti wrote: >> From b05f4a2e17ae00e5c20e5eb7bd046472f100e0ad Mon Sep 17 00:00:00 2001 >> From: Martin Basti >> Date: Wed, 15 Jul 2015 16:20:59 +0200 >> Subject: [PATCH] sysrestore: copy files instead of moving them to avoind >> SELinux issues >> >> Copying files restores SELinux context. >> >> https://fedorahosted.org/freeipa/ticket/4923 >> --- >> ipapython/sysrestore.py | 8 ++++++-- >> 1 file changed, 6 insertions(+), 2 deletions(-) >> >> diff --git a/ipapython/sysrestore.py b/ipapython/sysrestore.py >> index >> c058ff7c04d4604ba96c2a4ece68d476b5b6491f..99d78b1b40c82a3350a7c5ba5ad9bf1f77ba887b >> 100644 >> --- a/ipapython/sysrestore.py >> +++ b/ipapython/sysrestore.py 
>> @@ -186,7 +186,9 @@ class FileStore: >> if new_path is not None: >> path = new_path >> >> - shutil.move(backup_path, path) >> + shutil.copy(backup_path, path) # SELinux needs copy >> + os.remove(backup_path) >> + >> os.chown(path, int(uid), int(gid)) >> os.chmod(path, int(mode)) >> >> @@ -217,7 +219,9 @@ class FileStore: >> root_logger.debug(" -> Not restoring - '%s' doesn't >> exist", backup_path) >> continue >> >> - shutil.move(backup_path, path) >> + shutil.copy(backup_path, path) # SELinux needs copy >> + os.remove(backup_path) >> + >> os.chown(path, int(uid), int(gid)) >> os.chmod(path, int(mode)) >> >> -- >> 2.4.3 >> > > ACK. > Pushed to: master: 9f701283534745bf93b41a1886183e9ef1d06566 ipa-4-2: 92a73e8b2a5f26744b036a36de4b9956e8883f61 -- Petr Vobornik From pvoborni at redhat.com Fri Jul 17 11:57:31 2015 From: pvoborni at redhat.com (Petr Vobornik) Date: Fri, 17 Jul 2015 13:57:31 +0200 Subject: [Freeipa-devel] [PATCH 0286] Sysrestore: copy files instead of moving them to avoid SELinux issues In-Reply-To: <55A8EB23.7030802@redhat.com> References: <55A682FF.8000000@redhat.com> <20150715160118.GJ21928@redhat.com> <55A68728.7050606@redhat.com> <20150717110416.GZ21928@redhat.com> <55A8E4C8.2020706@redhat.com> <20150717112538.GA21928@redhat.com> <55A8E71B.4090103@redhat.com> <20150717114440.GB21928@redhat.com> <55A8EB23.7030802@redhat.com> Message-ID: <55A8EDAB.7050000@redhat.com> On 07/17/2015 01:46 PM, Petr Vobornik wrote: > On 07/17/2015 01:44 PM, Alexander Bokovoy wrote: >> On Fri, 17 Jul 2015, Martin Basti wrote: >>> From b05f4a2e17ae00e5c20e5eb7bd046472f100e0ad Mon Sep 17 00:00:00 2001 
>>> From: Martin Basti
>>> Date: Wed, 15 Jul 2015 16:20:59 +0200
>>> Subject: [PATCH] sysrestore: copy files instead of moving them to avoind
>>> SELinux issues
>>
>> ACK.
>>
>
> Pushed to:
> master: 9f701283534745bf93b41a1886183e9ef1d06566
> ipa-4-2: 92a73e8b2a5f26744b036a36de4b9956e8883f61

Does it really fix the whole ticket?

There is also in freeipa.spec.in %post client (i.e. upgrade):

cat /etc/krb5.conf >> /etc/krb5.conf.ipanew
mv /etc/krb5.conf.ipanew /etc/krb5.conf
/sbin/restorecon /etc/krb5.conf

+ some others.

Between the mv and restorecon, SSSD tries to access the file and raises AVC.

In this case we can freely use mv -Z since target platforms are Fedora and newest RHEL.

-- 
Petr Vobornik

From mbasti at redhat.com Fri Jul 17 11:59:54 2015
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 17 Jul 2015 13:59:54 +0200
Subject: [Freeipa-devel] [PATCH 0286] Sysrestore: copy files instead of moving them to avoid SELinux issues
In-Reply-To: <55A8EDAB.7050000@redhat.com>
References: <55A682FF.8000000@redhat.com> <20150715160118.GJ21928@redhat.com> <55A68728.7050606@redhat.com> <20150717110416.GZ21928@redhat.com> <55A8E4C8.2020706@redhat.com> <20150717112538.GA21928@redhat.com> <55A8E71B.4090103@redhat.com> <20150717114440.GB21928@redhat.com> <55A8EB23.7030802@redhat.com> <55A8EDAB.7050000@redhat.com>
Message-ID: <55A8EE3A.7010005@redhat.com>

On 17/07/15 13:57, Petr Vobornik wrote:
> On 07/17/2015 01:46 PM, Petr Vobornik wrote:
>> On 07/17/2015 01:44 PM, Alexander Bokovoy wrote:
>>> On Fri, 17 Jul 2015, Martin Basti wrote:
>>>> From b05f4a2e17ae00e5c20e5eb7bd046472f100e0ad Mon Sep 17 00:00:00 2001
>>>> From: Martin Basti
>>>> Date: Wed, 15 Jul 2015 16:20:59 +0200
>>>> Subject: [PATCH] sysrestore: copy files instead of moving them to avoind
>>>> SELinux issues
>>>
>>> ACK.
>>>
>>
>> Pushed to:
>> master: 9f701283534745bf93b41a1886183e9ef1d06566
>> ipa-4-2: 92a73e8b2a5f26744b036a36de4b9956e8883f61
>
> Does it really fix the whole ticket?
>
> There is also in freeipa.spec.in %post client (i.e. upgrade):
>
> cat /etc/krb5.conf >> /etc/krb5.conf.ipanew
> mv /etc/krb5.conf.ipanew /etc/krb5.conf
> /sbin/restorecon /etc/krb5.conf
>
> + some others.
>
> Between the mv and restorecon, SSSD tries to access the file and
> raises AVC.
>
> In this case we can freely use mv -Z since target platforms are Fedora
> and newest RHEL.

I didn't inspect the specfile, I will take a look.

Thank you for the catch.

-- 
Martin Basti

From pvoborni at redhat.com Fri Jul 17 12:23:31 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Fri, 17 Jul 2015 14:23:31 +0200
Subject: [Freeipa-devel] [PATCHES 0279-0280] Backport index fixes into IPA 4.1
In-Reply-To: <55A8DF2F.2050206@redhat.com>
References: <559E5FF4.8020308@redhat.com> <55A8DF2F.2050206@redhat.com>
Message-ID: <55A8F3C3.5050809@redhat.com>

On 07/17/2015 12:55 PM, Martin Babinsky wrote:
> On 07/09/2015 01:50 PM, Martin Basti wrote:
>> Backport following commits into IPA 4-1:
>> 57fba7a56f88c517b3ebb03842f1cc18bc129ebb
>> 16f47ed4520d4f89db39d1dc58be7a8efb1d8612
>>
>> Patches attached.
>>
> ACK
>

pushed to ipa-4-1:
* cf2587ce726f8ba5f374689b3ad818e04cabaadd Fix indicies ntUserDomainId, ntUniqueId
* f6901e5a10434849cb64228ce0dcba31b52bc968 Server Upgrade: fix memberUid index

-- 
Petr Vobornik

From pvoborni at redhat.com Fri Jul 17 12:34:01 2015
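The %post sequence Petr Vobornik quotes in the sysrestore thread above (write krb5.conf.ipanew, mv it over krb5.conf, restorecon afterwards) leaves a gap between the mv and the restorecon in which SSSD can open a file carrying the wrong type and trip an AVC denial; the thread's own fix is `mv -Z`. As an added example, not FreeIPA's code and not the patch under discussion, here is the same replacement done from Python with the label applied to the staged file before an atomic rename, so a reader sees either the complete old file or the complete, correctly labelled new one. It assumes the libselinux Python binding (`selinux.matchpathcon` and `selinux.setfilecon`); without it, or with SELinux disabled, the label step is skipped and the rest still holds. The paths and file contents in `demo()` are constructed.

```python
"""Replace a config file with no window in which readers see it with the
wrong SELinux label or with partial contents (added example, not FreeIPA code)."""
import os
import shutil
import stat
import tempfile

try:
    import selinux  # libselinux binding; assumed present on Fedora/RHEL hosts
except ImportError:
    selinux = None


def default_label_for(path, mode):
    """Context the policy assigns to `path` by default (the type the file at
    the destination should carry), or None when SELinux is not usable here.
    Assumption: the binding exposes matchpathcon(path, mode) -> (rc, context)."""
    if selinux is None or not selinux.is_selinux_enabled():
        return None
    lookup = getattr(selinux, 'matchpathcon', None)
    if lookup is None:
        return None
    rc, context = lookup(path, mode)
    return context if rc == 0 else None


def install_config(path, new_content, fallback_mode=0o644):
    """Atomically replace `path` with `new_content`; returns the label applied.

    1. stage in the same directory, so the final rename never crosses filesystems;
    2. copy owner and mode from the current file (fallback_mode if there is none);
    3. apply the destination's default label to the staged file;
    4. fsync, then os.replace(): readers never see a half-written file.
    """
    path = os.path.abspath(path)
    try:
        st = os.stat(path)
        mode, uid, gid = stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid
    except FileNotFoundError:
        mode, uid, gid = fallback_mode, -1, -1

    fd, staged = tempfile.mkstemp(prefix=os.path.basename(path) + '.',
                                  dir=os.path.dirname(path))
    try:
        with os.fdopen(fd, 'w') as fh:
            fh.write(new_content)
            fh.flush()
            os.fsync(fh.fileno())
        os.chmod(staged, mode)
        if uid != -1:
            try:
                os.chown(staged, uid, gid)
            except PermissionError:
                pass  # unprivileged caller: ownership stays with the caller
        label = default_label_for(path, stat.S_IFREG | mode)
        if label is not None:
            selinux.setfilecon(staged, label)  # label first, rename second
        os.replace(staged, path)  # atomic on POSIX
    except BaseException:
        if os.path.exists(staged):
            os.unlink(staged)  # never leave a half-staged file behind
        raise
    return label


def demo():
    """Constructed scenario: add a default_realm to a krb5.conf in a scratch
    directory and report what a reader finds afterwards."""
    workdir = tempfile.mkdtemp(prefix='install-config-demo-')
    try:
        conf = os.path.join(workdir, 'krb5.conf')
        with open(conf, 'w') as fh:
            fh.write('[libdefaults]\n')
        os.chmod(conf, 0o640)
        new_text = '[libdefaults]\n  default_realm = EXAMPLE.TEST\n'
        label = install_config(conf, new_text)
        with open(conf) as fh:
            content = fh.read()
        return {
            'content': content,
            'mode': stat.S_IMODE(os.stat(conf).st_mode),
            'leftovers': sorted(os.listdir(workdir)),
            'label': label,
        }
    finally:
        shutil.rmtree(workdir)


if __name__ == '__main__':
    print(demo())
```

The order of steps is the whole point: everything a consumer could object to (owner, mode, label, complete contents) is settled on the staged file, and the rename is the only operation that makes it visible.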
From: pvoborni at redhat.com (Petr Vobornik)
Date: Fri, 17 Jul 2015 14:34:01 +0200
Subject: [Freeipa-devel] [PATCH 013] Fix minor typos
In-Reply-To: <55A8E45C.6060807@redhat.com>
References: <55A8D711.2020505@redhat.com> <55A8E45C.6060807@redhat.com>
Message-ID: <55A8F639.5010708@redhat.com>

On 07/17/2015 01:17 PM, Petr Vobornik wrote:
> On 07/17/2015 12:21 PM, Christian Heimes wrote:
>> This patch from Yuri Chornoivan fixes some typos. All fixes look ok to
>> me.
>
> +1, one minor issue though. Btw, the Reviewed-By line is added by
> ipatool utility on push.
>
>>
>> https://fedorahosted.org/freeipa/ticket/5109
>> https://bugzilla.redhat.com/show_bug.cgi?id=1239132
>>
>>
>> freeipa-cheimes-0013-Fix-minor-typos.patch
>>
>>
>> index
>> 44aacd0916454e03c6611f106088b98ea0169979..5ba2c9760891c5d45f7bf9841a54c59fc99da01e
>> 100644
>> --- a/ipalib/__init__.py
>> +++ b/ipalib/__init__.py
>> @@ -711,7 +711,7 @@ assume these variables will all exist by the time
>> the module containing their
>> plugin (or plugins) is imported.
>>
>> `Env._bootstrap()`, which is called by `API.bootstrap()`, will
>> create several
>> -run-time variables that connot be overriden in configuration files or
>> through
>> +run-time variables that connot be overridden in configuration files
>> or through
>> command-line options. Here is an overview of this run-time
>> information:
>>
>
> connot
>

fixed and Pushed to:
master: 75fde43491872d3e2f52e8a523af9e60486fd0e0
ipa-4-2: 2cd77df8f4eea0534b64aa703b59eecc4fef874d

-- 
Petr Vobornik

From mbasti at redhat.com Fri Jul 17 12:37:05 2015
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 17 Jul 2015 14:37:05 +0200
Subject: [Freeipa-devel] [PATCH 0274] DNS: Check if dns package is installed
In-Reply-To: <559633AD.7010005@redhat.com>
References: <5593EBD3.2000902@redhat.com> <5593FD26.8010903@redhat.com> <55943181.5060604@redhat.com> <5594DF23.8060103@redhat.com> <55951919.6020101@redhat.com> <559521B0.8010001@redhat.com> <55952664.5030704@redhat.com> <5595288F.5020906@redhat.com> <559633AD.7010005@redhat.com>
Message-ID: <55A8F6F1.1060208@redhat.com>

On 03/07/15 09:03, Tomas Babej wrote:
>
> On 07/02/2015 02:03 PM, Petr Spacek wrote:
>> On 2.7.2015 13:54, Jan Cholasta wrote:
>>> On 2.7.2015 at 13:34, Petr Spacek wrote:
>>>> On 2.7.2015 12:57, Tomas Babej wrote:
>>>>>
>>>>> On 07/02/2015 08:50 AM, Petr Spacek wrote:
>>>>>> On 1.7.2015 20:29, Tomas Babej wrote:
>>>>>>>
>>>>>>> On 07/01/2015 04:45 PM, Petr Spacek wrote:
>>>>>>>> On 1.7.2015 15:32, Martin Basti wrote:
>>>>>>>>> https://fedorahosted.org/freeipa/ticket/4058
>>>>>>>>> Requires patch freeipa-pspacek-0052
>>>>>>>> ACK
>>>>>>>>
>>>>>>> I must admit I don't really like wrapping a constant in the method in
>>>>>>> the TaskNamespace object.
>>>>>>>
>>>>>>> We're interested in the constant itself - there's no case I can imagine
>>>>>>> where the name of the freeipa's dns package will be dynamic.
>>>>>>>
>>>>>>> For paths we have BasePathNamespace that contains all the paths, maybe
>>>>>>> we should introduce something similar for the non-path platform
>>>>>>> dependent constants?
>>>>>> Generally I support this but it seems like 4.3 material (and out of
>>>>>> scope of #4058). We need to finish 4.2 now.
>>>>>>
>>>>>> Please ACK or NACK ASAP.
>>>>>>
>>>>> It's fairly straightforward to introduce a new platform namespace for
>>>>> constants.
>>>>>
>>>>> See attached patch, it implements the namespace and already contains the
>>>>> proper values for the dns package name.
>>>>>
>>>>> The original patch 274 would only need to use:
>>>>>
>>>>> >>> from ipaplatform.constants import constants
>>>>> >>> constants.DNS_PACKAGE_NAME
>>>>> 'freeipa-server-dns'
>>>> I'm okay with that if Honza or somebody else knowledgeable about the whole
>>>> platform-thingy can ACK this, amend Martin^2's patch 274 and test the whole
>>>> thing.
>>>>
>>>> Unfortunately I do not have time for it myself. If nobody does that please
>>>> push the original patch (when its dependency pspacek-0052 gets ACK).
>>>>
>>> I think you are overengineering this a little bit, adding whatever ipaplatform
>>> stuff just because of an error message seems rather unnecessary to me. I think
>>> changing the error message to "Integrated DNS requires 'freeipa-server-dns'
>>> package" or even "Integrated DNS requires IPA DNS server package" would be
>>> perfectly fine.
>> The message should be as specific as possible but I do not care how it will be
>> implemented.
>>
> Alright, let's not get stuck. Petr insists on a specific message on each
> platform. Given that the package name is platform dependent, I think we
> should keep it as a platform constant, a task makes little sense.
>
> Given that Martin's not available right now, I'll amend his patches and
> send the updated version.
>
> Tomas

Updated patches attached.

ACK for 332

I just removed DNS constants from the 332 patch

-- 
Martin Basti
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0274-2-DNS-check-if-DNS-package-is-installed.patch
Type: text/x-patch
Size: 7153 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-tbabej-0332-2-ipaplatform-Add-constants-submodule.patch
Type: text/x-patch
Size: 4971 bytes
Desc: not available
URL:

From simo at redhat.com Fri Jul 17 12:52:30 2015
From: simo at redhat.com (Simo Sorce)
Date: Fri, 17 Jul 2015 08:52:30 -0400 (EDT)
Subject: [Freeipa-devel] [PATCH 0052] Create server-dns sub-package
In-Reply-To: <55A74A49.6090507@redhat.com>
References: <5593D93D.7090000@redhat.com> <20150702073605.GI11876@redhat.com> <5594EEA5.3060504@redhat.com> <55A5017D.5010608@redhat.com> <55A51CBE.7040702@redhat.com> <55A51DC5.6090209@redhat.com> <187037684.17962032.1436981944717.JavaMail.zimbra@redhat.com> <55A74A49.6090507@redhat.com>
Message-ID: <1272814377.19037147.1437137550403.JavaMail.zimbra@redhat.com>

----- Original Message -----
> From: "Jan Cholasta"
> To: "Simo Sorce" , "Petr Spacek"
> Cc: freeipa-devel at redhat.com, "Alexander Bokovoy"
> Sent: Thursday, July 16, 2015 2:08:09 AM
> Subject: Re: [Freeipa-devel] [PATCH 0052] Create server-dns sub-package
>
> On 15.7.2015 at 19:39, Simo Sorce wrote:
> > ----- Original Message -----
> >> From: "Petr Spacek"
> >> To: "Jan Cholasta" , freeipa-devel at redhat.com, "Alexander Bokovoy"
> >> Cc: "Simo Sorce"
> >> Sent: Tuesday, July 14, 2015 10:33:41 AM
> >> Subject: Re: [Freeipa-devel] [PATCH 0052] Create server-dns sub-package
> >>
> >> On 14.7.2015 16:29, Jan Cholasta wrote:
> >>> On 14.7.2015 at 14:33, Petr Spacek wrote:
> >>>> On 2.7.2015 09:56, Petr Spacek wrote:
> >>>>> On 2.7.2015 09:36, Alexander Bokovoy wrote:
> >>>>>> On Thu, 02 Jul 2015, Jan Cholasta wrote:
> >>>>>>>>>>> Can this be done without adding server-core?
> >>>>>>>>>> I'm not aware of such method (except of adding all DNS dependencies
> >>>>>>>>>> as Requires straight into freeipa-server package).
> >>>>>>>>>>
> >>>>>>>>>>> Because it's not server core,
> >>>>>>>>>>> it's the whole thing! Or maybe just rename it to server-common?
> >>>>>>>>>>
> >>>>>>>>>> I'm fine with 'common'. Ticket 4058 calls for sub-package for CA too
> >>>>>>>>>> so my idea was to create 'core' package which will be gradually reduced
> >>>>>>>>>> more and more.
> >>>>>>>>>
> >>>>>>>>> Well, I don't like the fact that in order to install IPA server
> >>>>>>>>> without DNS you have to install freeipa-server-core instead of just
> >>>>>>>>> freeipa-server. Fedora packaging guidelines [1] state that the
> >>>>>>>>> metapackage should be named freeipa-server-compat, so I guess renaming
> >>>>>>>>> freeipa-server to freeipa-server-compat and freeipa-server-core to
> >>>>>>>>> freeipa-server is good enough.
> >>>>>>>> I think you are misunderstanding what the guidelines say. -compat
> >>>>>>>> subpackage is something that only contains Requires: and Obsoletes:, to
> >>>>>>>> help to pull the right packages. It is not supposed to be a
> >>>>>>>> full-featured package with content.
> >>>>>>>
> >>>>>>> With Petr's patch, freeipa-server is exactly that - a metapackage with
> >>>>>>> requires and obsoletes only - hence my suggestion to rename it according to
> >>>>>>> the guidelines.
> >>>>>> That's not good.
> >>>>>>
> >>>>>>>> I think we are good enough with freeipa-server-dns. We have the same
> >>>>>>>> situation with freeipa-server-trust-ad -- it is not required by the main
> >>>>>>>> package and pulls in Samba-related bits. We also don't have any -compat
> >>>>>>>> or metapackage for it.
> >>>>>>>
> >>>>>>> freeipa-server-dns is fine, what is IMO not fine is that it *is* required by
> >>>>>>> the main freeipa-server package, *unlike* freeipa-server-trust-ad.
> >>>>>>>
> >>>>>>> We don't have a compat metapackage for freeipa-server-trust-ad, because
> >>>>>>> there are no upgrade issues with it, which is what Petr is trying to solve
> >>>>>>> with his patch.
> >>>>>> So, the issue is that for installed bind+bind-dyndb-ldap combination we
> >>>>>> need to switch to bind-pkcs11+bind-dyndb-ldap. Maybe instead of
> >>>>>> modifying main freeipa package we could modify bind-dyndb-ldap package
> >>>>>> to require bind-pkcs11 and corresponding bits of freeipa packages?
> >>>>>
> >>>>> Unfortunately, no.
> >>>>> - bind-dyndb-ldap itself is used & supported even without FreeIPA.
> >>>>> - bind-pkcs11 depends on properly configured SoftHSM (or other PKCS#11
> >>>>> provider)
> >>>>> => upgrade could break non-FreeIPA installations.
> >>>>>
> >>>>> I'm attempting to rework the patch now, stay tuned.
> >>>>
> >>>> Apparently this thread was abandoned during my PTO so I'm sending new patch
> >>>> here. It includes the -compat package and works with YUM and DNF.
> >>>
> >>> I don't like that freeipa-server got renamed to freeipa-server-core, but I
> >>> won't push against it if Alexander and others (CCing Simo) are OK with it.
> >>
> >> For the record, I was not able to make it work without the rename.
> >
> > My opinion is that if we run dnf install freeipa-server, then we need to
> > get freeipa server packages.
> > If this is what happens I am ok with patches, otherwise I am not.
>
> Without the patch, "dnf install freeipa-server" installs freeipa server
> without DNS dependencies.
>
> With the first version of the patch, "dnf install freeipa-server"
> installs freeipa server with all DNS dependencies. To install freeipa
> server without DNS dependencies, you need to run "dnf install
> freeipa-server-core". (Note that with this patch freeipa-server is a
> meta-package with no files.)
>
> With the second version of the patch, "dnf install freeipa-server"
> fails, because there is no freeipa-server anymore. To install freeipa
> server without DNS dependencies, you need to run "dnf install
> freeipa-server-core".

I do not find any of these alternatives satisfactory as they all break existing automation that our users may have built.
However should nothing else come up the first version of the patch sounds better than the second.

Simo.

From simo at redhat.com Fri Jul 17 12:57:47 2015
From: simo at redhat.com (Simo Sorce)
Date: Fri, 17 Jul 2015 08:57:47 -0400 (EDT)
Subject: [Freeipa-devel] [PATCH 0052] Create server-dns sub-package
In-Reply-To: <55A799ED.5010205@redhat.com>
References: <5593D93D.7090000@redhat.com> <55A5017D.5010608@redhat.com> <55A51CBE.7040702@redhat.com> <55A51DC5.6090209@redhat.com> <187037684.17962032.1436981944717.JavaMail.zimbra@redhat.com> <55A74A49.6090507@redhat.com> <20150716063344.GK21928@redhat.com> <55A799ED.5010205@redhat.com>
Message-ID: <1099387473.19056756.1437137867536.JavaMail.zimbra@redhat.com>

----- Original Message -----
> From: "Petr Spacek"
> To: "Alexander Bokovoy" , "Jan Cholasta"
> Cc: "Simo Sorce" , freeipa-devel at redhat.com
> Sent: Thursday, July 16, 2015 7:47:57 AM
> Subject: Re: [Freeipa-devel] [PATCH 0052] Create server-dns sub-package
>
> On 16.7.2015 08:33, Alexander Bokovoy wrote:
> > On Thu, 16 Jul 2015, Jan Cholasta wrote:
> >> On 15.7.2015 at 19:39, Simo Sorce wrote:
> >>> ----- Original Message -----
> >>>> From: "Petr Spacek"
> >>>> To: "Jan Cholasta" , freeipa-devel at redhat.com, "Alexander Bokovoy"
> >>>> Cc: "Simo Sorce"
> >>>> Sent: Tuesday, July 14, 2015 10:33:41 AM
> >>>> Subject: Re: [Freeipa-devel] [PATCH 0052] Create server-dns sub-package
> >>>>
> >>>> On 14.7.2015 16:29, Jan Cholasta wrote:
> >>>>> On 14.7.2015 at 14:33, Petr Spacek wrote:
> >>>>>> On 2.7.2015 09:56, Petr Spacek wrote:
> >>>>>>> On 2.7.2015 09:36, Alexander Bokovoy wrote:
> >>>>>>>> On Thu, 02 Jul 2015, Jan Cholasta wrote:
> >>>>>>>>>>>>> Can this be done without adding server-core?
> >>>>>>>>>>>> I'm not aware of such method (except of adding all DNS dependencies
> >>>>>>>>>>>> as Requires straight into freeipa-server package).
> >>>>>>>>>>>>
> >>>>>>>>>>>>> Because it's not server core,
> >>>>>>>>>>>>> it's the whole thing! Or maybe just rename it to server-common?
> >>>>>>>>>>>>
> >>>>>>>>>>>> I'm fine with 'common'. Ticket 4058 calls for sub-package for CA too
> >>>>>>>>>>>> so my idea was to create 'core' package which will be gradually reduced
> >>>>>>>>>>>> more and more.
> >>>>>>>>>>>
> >>>>>>>>>>> Well, I don't like the fact that in order to install IPA server
> >>>>>>>>>>> without DNS you have to install freeipa-server-core instead of just
> >>>>>>>>>>> freeipa-server. Fedora packaging guidelines [1] state that the
> >>>>>>>>>>> metapackage should be named freeipa-server-compat, so I guess renaming
> >>>>>>>>>>> freeipa-server to freeipa-server-compat and freeipa-server-core to
> >>>>>>>>>>> freeipa-server is good enough.
> >>>>>>>>>> I think you are misunderstanding what the guidelines say. -compat
> >>>>>>>>>> subpackage is something that only contains Requires: and Obsoletes:, to
> >>>>>>>>>> help to pull the right packages. It is not supposed to be a
> >>>>>>>>>> full-featured package with content.
> >>>>>>>>>
> >>>>>>>>> With Petr's patch, freeipa-server is exactly that - a metapackage with
> >>>>>>>>> requires and obsoletes only - hence my suggestion to rename it according to
> >>>>>>>>> the guidelines.
> >>>>>>>> That's not good.
> >>>>>>>>
> >>>>>>>>>> I think we are good enough with freeipa-server-dns. We have the same
> >>>>>>>>>> situation with freeipa-server-trust-ad -- it is not required by the main
> >>>>>>>>>> package and pulls in Samba-related bits. We also don't have any -compat
> >>>>>>>>>> or metapackage for it.
> >>>>>>>>>
> >>>>>>>>> freeipa-server-dns is fine, what is IMO not fine is that it *is* required by
> >>>>>>>>> the main freeipa-server package, *unlike* freeipa-server-trust-ad.
> >>>>>>>>>
> >>>>>>>>> We don't have a compat metapackage for freeipa-server-trust-ad, because
> >>>>>>>>> there are no upgrade issues with it, which is what Petr is trying to solve
> >>>>>>>>> with his patch.
> >>>>>>>> So, the issue is that for installed bind+bind-dyndb-ldap combination we
> >>>>>>>> need to switch to bind-pkcs11+bind-dyndb-ldap. Maybe instead of
> >>>>>>>> modifying main freeipa package we could modify bind-dyndb-ldap package
> >>>>>>>> to require bind-pkcs11 and corresponding bits of freeipa packages?
> >>>>>>>
> >>>>>>> Unfortunately, no.
> >>>>>>> - bind-dyndb-ldap itself is used & supported even without FreeIPA.
> >>>>>>> - bind-pkcs11 depends on properly configured SoftHSM (or other PKCS#11
> >>>>>>> provider)
> >>>>>>> => upgrade could break non-FreeIPA installations.
> >>>>>>>
> >>>>>>> I'm attempting to rework the patch now, stay tuned.
> >>>>>>
> >>>>>> Apparently this thread was abandoned during my PTO so I'm sending new patch
> >>>>>> here. It includes the -compat package and works with YUM and DNF.
> >>>>>
> >>>>> I don't like that freeipa-server got renamed to freeipa-server-core, but I
> >>>>> won't push against it if Alexander and others (CCing Simo) are OK with it.
> >>>>
> >>>> For the record, I was not able to make it work without the rename.
> >>>
> >>> My opinion is that if we run dnf install freeipa-server, then we need to
> >>> get freeipa server packages.
> >>> If this is what happens I am ok with patches, otherwise I am not.
> >>
> >> Without the patch, "dnf install freeipa-server" installs freeipa server
> >> without DNS dependencies.
> >>
> >> With the first version of the patch, "dnf install freeipa-server" installs
> >> freeipa server with all DNS dependencies. To install freeipa server without
> >> DNS dependencies, you need to run "dnf install freeipa-server-core". (Note
> >> that with this patch freeipa-server is a meta-package with no files.)
> >>
> >> With the second version of the patch, "dnf install freeipa-server" fails,
> >> because there is no freeipa-server anymore. To install freeipa server
> >> without DNS dependencies, you need to run "dnf install freeipa-server-core".
> > Can we do
> > Provides: freeipa-server
> > in freeipa-server-compat?
>
> If I understood Honza correctly, he was objecting to this alias because it
> would pull in DNS dependencies.
>
> So I tried to add this Provides to freeipa-server-core package but I'm not
> able to make this alias to work with DNF at all. With old Yum it pulls in
> freeipa-server-dns instead of -core because the "Obsoletes" apparently has
> higher priority than Provides. (No, "Provides" with explicit version does not
> change anything.)
>
> The only text I found about this is the advice 'do not do it' :-)
>
> https://fedoraproject.org/wiki/Upgrade_paths_%E2%80%94_renaming_or_splitting_packages#Do_I_need_to_Provide_my_old_package_names.3F
>
> In other words, I'm not able to make the alias freeipa-server working
> with the second version of my patch.
>
> Again, this problem is related only to the second/alternative version of the
> patch where freeipa-server package does not pull in DNS dependencies. "dnf
> install freeipa-server" works with first version of my patch which pulls in
> DNS dependencies.
>
>
> I'm more than happy to take advice how to fix that. For now I would say that
> first version of the patch is okay. It will solve the upgrade and we can
> remove the 'Requires' in the next release because it will not be necessary for
> upgrade anymore.

This would be wrong, if someone skips a version then all breaks.
Lots of people skip an interim Fedora version in order to update only once a year, so this is common.
We should not break these cases.

Simo.

From mbasti at redhat.com Fri Jul 17 13:51:15 2015
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 17 Jul 2015 15:51:15 +0200
Subject: [Freeipa-devel] [PATCH 0289] [Py3] Replace tabs with space
Message-ID: <55A90853.6020308@redhat.com>

I accidentally found several tabs in code, so I fixed it, as py3 does not allow mixing tabs and spaces.

Patch attached.

-- 
Martin Basti
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0289-Py3-replace-tab-with-space.patch
Type: text/x-patch
Size: 2866 bytes
Desc: not available
URL:

From cheimes at redhat.com Fri Jul 17 13:58:05 2015
From: cheimes at redhat.com (Christian Heimes)
Date: Fri, 17 Jul 2015 15:58:05 +0200
Subject: [Freeipa-devel] [PATCH 0289] [Py3] Replace tabs with space
In-Reply-To: <55A90853.6020308@redhat.com>
References: <55A90853.6020308@redhat.com>
Message-ID: <55A909ED.8050204@redhat.com>

On 2015-07-17 15:51, Martin Basti wrote:
> I accidentally found several tabs in code, so I fixed it, as py3 does
> not allow mixing tabs and spaces.

ACK

The other tabs are only in comments and doc strings:

$ find . -name '*.py' | xargs grep -P '\t'
./ipaserver/dcerpc.py: self.local_domain.ftinfo_records = []
./ipa-client/ipaclient/ntpconf.py:#broadcast 192.168.1.255 key 42 # broadcast server
./ipa-client/ipaclient/ntpconf.py:#broadcastclient # broadcast client
./ipa-client/ipaclient/ntpconf.py:#broadcast 224.0.1.1 key 42 # multicast server
./ipa-client/ipaclient/ntpconf.py:#multicastclient 224.0.1.1 # multicast client
./ipa-client/ipaclient/ntpconf.py:#manycastserver 239.255.254.254 # manycast server
./ipa-client/ipaclient/ntpconf.py:#manycastclient 239.255.254.254 key 42 # manycast client
./ipa-client/ipaclient/ntpconf.py:server 127.127.1.0 # local clock
./ipa-client/ipaclient/ntpconf.py:#fudge 127.127.1.0 stratum 10
./ipalib/plugins/automount.py:/- auto.direct
./ipalib/plugins/automount.py:/mnt auto.mnt
./ipapython/dn.py: ava = AVA('cn', 'Bob') # case 1: two strings
./ipapython/sysrestore.py: #force file to be deleted
./ipatests/test_xmlrpc/test_old_permission_plugin.py: attrs=[u'cn']
./ipatests/test_xmlrpc/test_old_permission_plugin.py: dn=permission3_dn,
./ipatests/test_xmlrpc/test_old_permission_plugin.py: dn=permission3_dn,
./daemons/ipa-otpd/test.py:ATTRIBUTE User-Name 1 string
./daemons/ipa-otpd/test.py:ATTRIBUTE User-Password 2 string
./daemons/ipa-otpd/test.py:ATTRIBUTE NAS-Identifier 32 string
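The grep above lists every tab in the tree, but Python 3 only rejects tabs that make a block's indentation inconsistent (TabError); tabs inside comments, string literals or parenthesised continuation lines never reach the parser's indentation logic. As an added example, not FreeIPA's code, the scanner below uses the tokenizer to tell those cases apart, so a pre-commit check can flag only what py3 would actually refuse. The snippets in `SAMPLES` are constructed to mimic the kinds of hits in the grep output (ntp.conf text in a docstring, an automount map in a string, a RADIUS dictionary line in a comment); the tabs in them are real tab characters written with `\t` escapes.

```python
"""Separate tabs Python 3 cares about from tabs it ignores (added example)."""
import io
import tokenize


def classify_tabs(source):
    """Return {'indent': [...], 'mixed': [...], 'harmless': [...], 'error': str|None}.

    'indent'   lines whose significant indentation contains a tab
    'mixed'    subset of 'indent' whose indentation also contains spaces
    'harmless' lines whose tabs sit only in comments, strings or continuation lines
    'error'    tokenizer message when the source cannot be tokenized at all
    """
    result = {'indent': [], 'mixed': [], 'harmless': [], 'error': None}
    indent_cols = {}        # row -> column at which a logical line's code starts
    depth = 0               # bracket nesting: inside brackets indentation is free
    at_line_start = True
    try:
        for tok in tokenize.generate_tokens(io.StringIO(source).readline):
            if tok.type in (tokenize.NEWLINE, tokenize.NL):
                at_line_start = True
                continue
            if tok.type in (tokenize.INDENT, tokenize.DEDENT,
                            tokenize.COMMENT, tokenize.ENDMARKER):
                continue  # comment-only lines carry no significant indentation
            if at_line_start and depth == 0:
                indent_cols[tok.start[0]] = tok.start[1]
            at_line_start = False
            if tok.type == tokenize.OP:
                if tok.string in ('(', '[', '{'):
                    depth += 1
                elif tok.string in (')', ']', '}'):
                    depth -= 1
    except (tokenize.TokenError, SyntaxError) as exc:
        result['error'] = str(exc)
        return result

    for lineno, line in enumerate(source.splitlines(), 1):
        if '\t' not in line:
            continue
        # Only the whitespace before the first significant token is indentation;
        # rows inside multi-line strings or brackets never appear in indent_cols.
        indent = line[:indent_cols[lineno]] if lineno in indent_cols else ''
        if '\t' in indent:
            result['indent'].append(lineno)
            if ' ' in indent:
                result['mixed'].append(lineno)
        else:
            result['harmless'].append(lineno)
    return result


# Constructed snippets, not FreeIPA source.
SAMPLES = {
    'comments_and_strings': (
        "NTP_CONF = '''\n"
        "server 127.127.1.0\t# local clock\n"
        "#fudge 127.127.1.0\tstratum 10\n"
        "'''\n"
        "AUTO_MASTER = '/-\tauto.direct'  # tab inside a string\n"
        "# ATTRIBUTE\tUser-Name\t1\tstring\n"
    ),
    'tab_indented': "def f():\n\tx = 'a\tb'\n\treturn x\n",
    'tab_plus_spaces': "def g():\n\t    y = 2\n\t    return y\n",
    'continuation_line': "x = (1,\n\t2)\n",
}


def report(samples=SAMPLES):
    """Classify each sample: what grep would flag versus what py3 rejects."""
    return {name: classify_tabs(src) for name, src in samples.items()}


if __name__ == '__main__':
    for name, verdict in report().items():
        print(name, verdict)
```

Run it over real files with `classify_tabs(open(path).read())`; anything in `indent` is worth converting even when it is consistent today, because the next edit with a spaces-only editor turns it into a TabError.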
From mbasti at redhat.com Fri Jul 17 14:33:40 2015
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 17 Jul 2015 16:33:40 +0200
Subject: [Freeipa-devel] [PATCH 0286, 0290] Sysrestore: copy files instead of moving them to avoid SELinux issues
In-Reply-To: <55A8EDAB.7050000@redhat.com>
References: <55A682FF.8000000@redhat.com> <20150715160118.GJ21928@redhat.com> <55A68728.7050606@redhat.com> <20150717110416.GZ21928@redhat.com> <55A8E4C8.2020706@redhat.com> <20150717112538.GA21928@redhat.com> <55A8E71B.4090103@redhat.com> <20150717114440.GB21928@redhat.com> <55A8EB23.7030802@redhat.com> <55A8EDAB.7050000@redhat.com>
Message-ID: <55A91244.3050504@redhat.com>

On 17/07/15 13:57, Petr Vobornik wrote:
> On 07/17/2015 01:46 PM, Petr Vobornik wrote:
>> On 07/17/2015 01:44 PM, Alexander Bokovoy wrote:
>>> On Fri, 17 Jul 2015, Martin Basti wrote:
>>>> From b05f4a2e17ae00e5c20e5eb7bd046472f100e0ad Mon Sep 17 00:00:00 2001
>>>> From: Martin Basti
>>>> Date: Wed, 15 Jul 2015 16:20:59 +0200
>>>> Subject: [PATCH] sysrestore: copy files instead of moving them to avoind
>>>> SELinux issues
>>>
>>> ACK.
>>>
>>
>> Pushed to:
>> master: 9f701283534745bf93b41a1886183e9ef1d06566
>> ipa-4-2: 92a73e8b2a5f26744b036a36de4b9956e8883f61
>
> Does it really fix the whole ticket?
>
> There is also in freeipa.spec.in %post client (i.e. upgrade):
>
> cat /etc/krb5.conf >> /etc/krb5.conf.ipanew
> mv /etc/krb5.conf.ipanew /etc/krb5.conf
> /sbin/restorecon /etc/krb5.conf
>
> + some others.
>
> Between the mv and restorecon, SSSD tries to access the file and
> raises AVC.
>
> In this case we can freely use mv -Z since target platforms are Fedora
> and newest RHEL.

The new patch fixing the specfile attached.

-- 
Martin Basti
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0290-Use-mv-Z-in-specfile-to-restore-SELinux-context.patch
Type: text/x-patch
Size: 2058 bytes
Desc: not available
URL:

From pvoborni at redhat.com Fri Jul 17 14:48:23 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Fri, 17 Jul 2015 16:48:23 +0200
Subject: [Freeipa-devel] [PATCH 0288] ipa-replica-manage: Allow value 'no' for replica-certify-all attr in abort-clean-ruv subcommand
In-Reply-To: <55A7DA4B.80709@redhat.com>
References: <55A7C857.7050501@redhat.com> <55A7C89B.3020707@redhat.com> <55A7DA4B.80709@redhat.com>
Message-ID: <55A915B7.2000904@redhat.com>

On 07/16/2015 06:22 PM, Martin Basti wrote:
> On 16/07/15 17:07, Rob Crittenden wrote:
>> Martin Basti wrote:
>>> https://fedorahosted.org/freeipa/ticket/4988
>>>
>>> Patch attached.
>>>
>>
>> IMHO this should be mentioned in the man page.
>>
>> rob
>>
> Updated patch attached.
>
> ACK

Pushed to:
master: 82aaa1e6d07a13429381b94ffe4b5fc562427213
ipa-4-2: 58d0d335a4591398102f02c62a15290d64806cc4

-- 
Petr Vobornik

From ofayans at redhat.com Fri Jul 17 15:03:05 2015
From: ofayans at redhat.com (Oleg Fayans)
Date: Fri, 17 Jul 2015 17:03:05 +0200
Subject: [Freeipa-devel] right way to connect to DS with Directory Manager creds from the test
Message-ID: <55A91929.7080705@redhat.com>

Hi everybody,

What is the right way to connect to the Directory Server using Directory Manager credentials from the autotest?
I need to execute something like

ldapsearch -D "cn=Directory Manager" -w '' -b "cn=IPA Topology Configuration,cn=plugins,cn=config"

from the python code.

A quick look through the code showed that the following method is generally used to connect to ldap:

self.ldapuri = 'ldap://%s' % ipautil.format_netloc(api.env.host)
self.conn = ldap2(api, ldap_uri=self.ldapuri)
self.conn.connect()

(See ipatests/test_ipaserver/test_ldap.py)
But this is an anonymous access.

The existing solution to use the kerberos ticket cache to login as admin:

self.ccache = paths.TMP_KRB5CC % os.getuid()
self.conn.connect(ccache='FILE:%s' % self.ccache)

(ipatests/test_ipaserver/test_ldap.py:test_GSSAPI)
has two drawbacks:
1. It would never work if directory manager has different password than admin
2. It does not work anyway, because kerberos is configured to store the cache not in the FILE:/tmp/krb5cc_%{uid} file (as the test expects), but rather in KEYRING:persistent:%{uid}:%{gid}

Thank you in advance.

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.

From pvoborni at redhat.com Fri Jul 17 15:06:08 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Fri, 17 Jul 2015 17:06:08 +0200
Subject: [Freeipa-devel] [PATCH 0339] trusts: Check for AD root domain among our trusted domains
In-Reply-To: <55A65516.6070303@redhat.com>
References: <55A6510C.9040004@redhat.com> <20150715123140.GA15172@redhat.com> <55A65516.6070303@redhat.com>
Message-ID: <55A919E0.9080602@redhat.com>

On 07/15/2015 02:41 PM, Tomas Babej wrote:
>
>
> On 07/15/2015 02:31 PM, Alexander Bokovoy wrote:
>> On Wed, 15 Jul 2015, Tomas Babej wrote:
>>> Hi,
>>>
>>> Check for the presence of the forest root DNS domain of the AD realm
>>> among the IPA realm domains prior to establishing the trust.
>>>
>>> This prevents creation of a failing setup, as trusts would not work
>>> properly in this case.
>>>
>>> https://fedorahosted.org/freeipa/ticket/4799
>> LGTM.
>>
>> The only comment I have is for the error message text. Would it make
>> sense to point to 'ipa realmdomains-mod --del-domain' command?
>>
>>
>
> Sure, why not.
>
> I actually abstained from generating the whole command (including the AD
> domain argument), as I believe it's better the users are discouraged
> from blindly copying commands around.
>
> Updated patch attached.
>
> Tomas
>
>

ACK

Pushed to:
master: 45958d62197296eabe5513ea392e204e1d49d5c6
ipa-4-2: ddec4500161cce0fd258cbc011efca27ef1f5392

--
Petr Vobornik

From rcritten at redhat.com Fri Jul 17 15:17:55 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 17 Jul 2015 11:17:55 -0400
Subject: [Freeipa-devel] right way to connect to DS with Directory Manager creds from the test
In-Reply-To: <55A91929.7080705@redhat.com>
References: <55A91929.7080705@redhat.com>
Message-ID: <55A91CA3.3090200@redhat.com>

Oleg Fayans wrote:
> Hi everybody,
>
> What is the right way to connect to the Directory Server using Directory
> Manager credentials from the autotest?
> I need to execute something like
> ldapsearch -D "cn=Directory Manager" -w ''
> -b "cn=IPA Topology Configuration,cn=plugins,cn=config"
> from the python code.
>
> A quick look through the code showed that the following method is
> generally used to connect to ldap:
>
> self.ldapuri = 'ldap://%s' % ipautil.format_netloc(api.env.host)
> self.conn = ldap2(api, ldap_uri=self.ldapuri)
> self.conn.connect()
>
> (See ipatests/test_ipaserver/test_ldap.py)
> But this is an anonymous access.

In that same file is an example on how to do a simple bind with DM credentials:

self.conn = ldap2(shared_instance=False, ldap_uri=self.ldapuri)
self.conn.connect(bind_dn=DN(('cn', 'directory manager')), bind_pw=dm_password)

rob

From mbasti at redhat.com Fri Jul 17 15:19:00 2015
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 17 Jul 2015 17:19:00 +0200
Subject: [Freeipa-devel] right way to connect to DS with Directory Manager creds from the test
In-Reply-To: <55A91929.7080705@redhat.com>
References: <55A91929.7080705@redhat.com>
Message-ID: <55A91CE4.1040105@redhat.com>

On 17/07/15 17:03, Oleg Fayans wrote:
> Hi everybody,
>
> What is the right way to connect to the Directory Server using
> Directory Manager credentials from the autotest?
> I need to execute something like
> ldapsearch -D "cn=Directory Manager" -w ''
> -b "cn=IPA Topology Configuration,cn=plugins,cn=config"
> from the python code.
>
> A quick look through the code showed that the following method is
> generally used to connect to ldap:
>
> self.ldapuri = 'ldap://%s' % ipautil.format_netloc(api.env.host)
> self.conn = ldap2(api, ldap_uri=self.ldapuri)
> self.conn.connect()
>
> (See ipatests/test_ipaserver/test_ldap.py)
> But this is an anonymous access.
>
> The existing solution to use the kerberos ticket cache to login as admin:
> self.ccache = paths.TMP_KRB5CC % os.getuid()
> self.conn.connect(ccache='FILE:%s' % self.ccache)
> (ipatests/test_ipaserver/test_ldap.py:test_GSSAPI)
> has two drawbacks:
> 1. It would never work if directory manager has different password
> than admin
> 2. It does not work anyway, because kerberos is configured to store
> the cache not in the
> FILE:/tmp/krb5cc_%{uid} file (as the test expects), but rather in
> KEYRING:persistent:%{uid}:%{gid}
>
> Thank you in advance.
>

You can use IPAdmin class in ipaldap

conn = ipaldap.IPAdmin(host=api.env.host)
conn.do_simple_bind(bindpw=password)  # directory manager is default user there
entry = conn.get_entry(...)

Martin Basti

From pvoborni at redhat.com Fri Jul 17 15:20:16 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Fri, 17 Jul 2015 17:20:16 +0200
Subject: [Freeipa-devel] [PATCH 0289] [Py3] Replace tabs with space
In-Reply-To: <55A909ED.8050204@redhat.com>
References: <55A90853.6020308@redhat.com> <55A909ED.8050204@redhat.com>
Message-ID: <55A91D30.4030804@redhat.com>

On 07/17/2015 03:58 PM, Christian Heimes wrote:
> On 2015-07-17 15:51, Martin Basti wrote:
>> I accidentally found several tabs in code, so I fixed it, as py3 does
>> not allow to mix tabs and spaces.
>
> ACK

Pushed to:
master: c6c84faecf5b7017c0d648d76ba0db4a2eba2f03
ipa-4-2: 7e5a0be8d81c3648a0163ff454cd963eadd70ea9

>
> The other tabs are only in comments and doc strings:
>
> $ find . -name '*.py' | xargs grep -P '\t'
> ./ipaserver/dcerpc.py:        self.local_domain.ftinfo_records = []
> ./ipa-client/ipaclient/ntpconf.py:#broadcast 192.168.1.255 key 42        # broadcast server
> ./ipa-client/ipaclient/ntpconf.py:#broadcastclient                       # broadcast client
> ./ipa-client/ipaclient/ntpconf.py:#broadcast 224.0.1.1 key 42            # multicast server
> ./ipa-client/ipaclient/ntpconf.py:#multicastclient 224.0.1.1             # multicast client
> ./ipa-client/ipaclient/ntpconf.py:#manycastserver 239.255.254.254        # manycast server
> ./ipa-client/ipaclient/ntpconf.py:#manycastclient 239.255.254.254 key 42 # manycast client
> ./ipa-client/ipaclient/ntpconf.py:server 127.127.1.0                     # local clock
> ./ipa-client/ipaclient/ntpconf.py:#fudge 127.127.1.0 stratum 10
> ./ipalib/plugins/automount.py:/-      auto.direct
> ./ipalib/plugins/automount.py:/mnt    auto.mnt
> ./ipapython/dn.py:    ava = AVA('cn', 'Bob')    # case 1: two strings
> ./ipapython/sysrestore.py:        #force file to be deleted
> ./ipatests/test_xmlrpc/test_old_permission_plugin.py:            attrs=[u'cn']
> ./ipatests/test_xmlrpc/test_old_permission_plugin.py:            dn=permission3_dn,
> ./ipatests/test_xmlrpc/test_old_permission_plugin.py:            dn=permission3_dn,
> ./daemons/ipa-otpd/test.py:ATTRIBUTE User-Name 1 string
> ./daemons/ipa-otpd/test.py:ATTRIBUTE User-Password 2 string
> ./daemons/ipa-otpd/test.py:ATTRIBUTE NAS-Identifier 32 string
>
>
>

--
Petr Vobornik

From ofayans at redhat.com Mon Jul 20 09:57:55 2015
From: ofayans at redhat.com (Oleg Fayans)
Date: Mon, 20 Jul 2015 11:57:55 +0200
Subject: [Freeipa-devel] [PATCH 0001] Test Topology plugin is listed among DS plugins
Message-ID: <55ACC623.20601@redhat.com>

A simple test to check that Topology Plugin has registered itself in the ldap tree.

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-ofayans-0001-test-topology-plugin-is-listed-among-DS-plugin.patch
Type: text/x-patch
Size: 3508 bytes
Desc: not available
URL:

From mbasti at redhat.com Mon Jul 20 10:46:58 2015
From: mbasti at redhat.com (Martin Basti) Date: Mon, 20 Jul 2015 12:46:58 +0200 Subject: [Freeipa-devel] [PATCH 0001] Test Topology plugin is listed among DS plugins In-Reply-To: <55ACC623.20601@redhat.com> References: <55ACC623.20601@redhat.com> Message-ID: <55ACD1A2.5030202@redhat.com> On 20/07/15 11:57, Oleg Fayans wrote: > + pwfile = api.env.dot_ipa + os.sep + ".dmpw" > + if ipautil.file_exists(pwfile): > + fp = open(pwfile, "r") > + dm_password = fp.read().rstrip() > + fp.close() > + else: Hello, 1) Can you use os.path.join() instead of "+ os.sep +" please 2) Can you use with statement with file? with open(pwfile, "r") as f: dm_password = f.read().rstrip() 3) Please keep PEP8 in new code ./ipatests/test_ipaserver/test_topology_plugin.py:30:80: E501 line too long (102 > 79 characters) ./ipatests/test_ipaserver/test_topology_plugin.py:33:80: E501 line too long (92 > 79 characters) ./ipatests/test_ipaserver/test_topology_plugin.py:39:80: E501 line too long (124 > 79 characters) ./ipatests/test_ipaserver/test_topology_plugin.py:44:80: E501 line too long (92 > 79 characters) ./ipatests/test_ipaserver/test_topology_plugin.py:45:48: E128 continuation line under-indented for visual indent ./ipatests/test_ipaserver/test_topology_plugin.py:45:80: E501 line too long (89 > 79 characters) ./ipatests/test_ipaserver/test_topology_plugin.py:46:48: E128 continuation line under-indented for visual indent ./ipatests/test_ipaserver/test_topology_plugin.py:46:80: E501 line too long (89 > 79 characters) ./ipatests/test_ipaserver/test_topology_plugin.py:58:80: E501 line too long (87 > 79 characters) 4) Missing nose import raise nose.SkipTest("No directory manager password in %s" % pwfile) 5) Can you use sets here instead of sorted lists? assert(sorted(entry.keys()) == sorted(pluginattrs.keys())) Martin^2 -- Martin Basti From ofayans at redhat.com Mon Jul 20 10:47:47 2015 
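Review bot: the `if ipautil.file_exists(pwfile):` followed by `fp = open(pwfile, "r")` in the quoted hunk is a check-then-open race, and the handle is leaked if `fp.read()` raises before `fp.close()`; opening the file directly inside a `with` block and treating `IOError` as the skip case covers a missing and an unreadable `.dmpw` in one place. Also note that `fp.read().rstrip()` strips every kind of trailing whitespace, so a password that ends in a space would be silently truncated; `rstrip('\n')` only removes the line terminator.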
From: ofayans at redhat.com (Oleg Fayans)
Date: Mon, 20 Jul 2015 12:47:47 +0200
Subject: [Freeipa-devel] general error message at the attempt to set domain level to 0
Message-ID: <55ACD1D3.7040205@redhat.com>

Hi everybody,

I keep receiving the same non-specific error message during attempts to set domain level to 0:
$ ipa domainlevel-set 0
ipa: ERROR: an internal error has occurred

This error does not get recorded in the directory server errors log.
Real-time observations on the access log show that only the following lines get added:

[20/Jul/2015:06:45:07 -0400] conn=151 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[20/Jul/2015:06:45:07 -0400] conn=2 op=984 RESULT err=0 tag=101 nentries=1 etime=0
[20/Jul/2015:06:45:07 -0400] conn=151 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[20/Jul/2015:06:45:08 -0400] conn=151 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[20/Jul/2015:06:45:08 -0400] conn=151 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[20/Jul/2015:06:45:08 -0400] conn=151 op=3 SRCH base="cn=ipaconfig,cn=etc,dc=pesen,dc=net" scope=0 filter="(objectClass=*)" attrs=ALL
[20/Jul/2015:06:45:08 -0400] conn=151 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,cn=users,cn=accounts,dc=pesen,dc=net"
[20/Jul/2015:06:45:08 -0400] conn=151 op=3 RESULT err=0 tag=101 nentries=1 etime=0
[20/Jul/2015:06:45:08 -0400] conn=151 op=4 SRCH base="cn=Domain Level,cn=ipa,cn=etc,dc=pesen,dc=net" scope=0 filter="(objectClass=*)" attrs=ALL
[20/Jul/2015:06:45:08 -0400] conn=151 op=4 RESULT err=0 tag=101 nentries=1 etime=0
[20/Jul/2015:06:45:08 -0400] conn=151 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[20/Jul/2015:06:45:08 -0400] conn=151 op=5 UNBIND
[20/Jul/2015:06:45:08 -0400] conn=151 op=5 fd=102 closed - U1

According to Ludwig, decreasing of the domain level is not supported, so we should provide some meaningful error message in this case

P. S.
$ rpm -q freeipa-server
freeipa-server-4.2.90.201507171036GITf1f3ef4-0.fc22.x86_64
The packages were built on Friday from the upstream master.

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.

From mbasti at redhat.com Mon Jul 20 11:04:11 2015
From: mbasti at redhat.com (Martin Basti)
Date: Mon, 20 Jul 2015 13:04:11 +0200
Subject: [Freeipa-devel] general error message at the attempt to set domain level to 0
In-Reply-To: <55ACD1D3.7040205@redhat.com>
References: <55ACD1D3.7040205@redhat.com>
Message-ID: <55ACD5AB.9030001@redhat.com>

On 20/07/15 12:47, Oleg Fayans wrote:
> Hi everybody,
>
> I keep receiving the same non-specific error message during attempts to
> set domain level to 0:
> $ ipa domainlevel-set 0
> ipa: ERROR: an internal error has occurred
>
> This error does not get recorded in the directory server errors log.
> Real-time observations on the access log show that only the following
> lines get added:
>
> [20/Jul/2015:06:45:07 -0400] conn=151 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
> [20/Jul/2015:06:45:07 -0400] conn=2 op=984 RESULT err=0 tag=101 nentries=1 etime=0
> [20/Jul/2015:06:45:07 -0400] conn=151 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
> [20/Jul/2015:06:45:08 -0400] conn=151 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
> [20/Jul/2015:06:45:08 -0400] conn=151 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
> [20/Jul/2015:06:45:08 -0400] conn=151 op=3 SRCH base="cn=ipaconfig,cn=etc,dc=pesen,dc=net" scope=0 filter="(objectClass=*)" attrs=ALL
> [20/Jul/2015:06:45:08 -0400] conn=151 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,cn=users,cn=accounts,dc=pesen,dc=net"
> [20/Jul/2015:06:45:08 -0400] conn=151 op=3 RESULT err=0 tag=101 nentries=1 etime=0
> [20/Jul/2015:06:45:08 -0400] conn=151 op=4 SRCH base="cn=Domain Level,cn=ipa,cn=etc,dc=pesen,dc=net" scope=0 filter="(objectClass=*)" attrs=ALL
> [20/Jul/2015:06:45:08 -0400] conn=151 op=4 RESULT err=0 tag=101 nentries=1 etime=0
> [20/Jul/2015:06:45:08 -0400] conn=151 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
> [20/Jul/2015:06:45:08 -0400] conn=151 op=5 UNBIND
> [20/Jul/2015:06:45:08 -0400] conn=151 op=5 fd=102 closed - U1
>
> According to Ludwig, decreasing of the domain level is not supported,
> so we should provide some meaningful error message in this case
>
> P. S.
> $ rpm -q freeipa-server
> freeipa-server-4.2.90.201507171036GITf1f3ef4-0.fc22.x86_64
> The packages were built on Friday from the upstream master.
>

Can you paste apache error log here please?

--
Martin Basti

From pvoborni at redhat.com Mon Jul 20 11:08:20 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Mon, 20 Jul 2015 13:08:20 +0200
Subject: [Freeipa-devel] general error message at the attempt to set domain level to 0
In-Reply-To: <55ACD5AB.9030001@redhat.com>
References: <55ACD1D3.7040205@redhat.com> <55ACD5AB.9030001@redhat.com>
Message-ID: <55ACD6A4.5000605@redhat.com>

On 07/20/2015 01:04 PM, Martin Basti wrote:
> On 20/07/15 12:47, Oleg Fayans wrote:
>> Hi everybody,
>>
>> I keep receiving the same non-specific error message during attempts to
>> set domain level to 0:
>> $ ipa domainlevel-set 0
>> ipa: ERROR: an internal error has occurred
>>
>> This error does not get recorded in the directory server errors log.
>> Real-time observations on the access log show that only the following
>> lines get added:
>>
>> [20/Jul/2015:06:45:07 -0400] conn=151 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
>> [20/Jul/2015:06:45:07 -0400] conn=2 op=984 RESULT err=0 tag=101 nentries=1 etime=0
>> [20/Jul/2015:06:45:07 -0400] conn=151 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
>> [20/Jul/2015:06:45:08 -0400] conn=151 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
>> [20/Jul/2015:06:45:08 -0400] conn=151 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
>> [20/Jul/2015:06:45:08 -0400] conn=151 op=3 SRCH base="cn=ipaconfig,cn=etc,dc=pesen,dc=net" scope=0 filter="(objectClass=*)" attrs=ALL
>> [20/Jul/2015:06:45:08 -0400] conn=151 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,cn=users,cn=accounts,dc=pesen,dc=net"
>> [20/Jul/2015:06:45:08 -0400] conn=151 op=3 RESULT err=0 tag=101 nentries=1 etime=0
>> [20/Jul/2015:06:45:08 -0400] conn=151 op=4 SRCH base="cn=Domain Level,cn=ipa,cn=etc,dc=pesen,dc=net" scope=0 filter="(objectClass=*)" attrs=ALL
>> [20/Jul/2015:06:45:08 -0400] conn=151 op=4 RESULT err=0 tag=101 nentries=1 etime=0
>> [20/Jul/2015:06:45:08 -0400] conn=151 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
>> [20/Jul/2015:06:45:08 -0400] conn=151 op=5 UNBIND
>> [20/Jul/2015:06:45:08 -0400] conn=151 op=5 fd=102 closed - U1
>>
>> According to Ludwig, decreasing of the domain level is not supported,
>> so we should provide some meaningful error message in this case
>>
>> P. S.
>> $ rpm -q freeipa-server
>> freeipa-server-4.2.90.201507171036GITf1f3ef4-0.fc22.x86_64
>> The packages were built on Friday from the upstream master.
>>
> Can you paste apache error log here please?
>

ipa: ERROR: non-public: ValueError: non-generic 'InvalidDomainLevelError' needs format=None; got format=Gettext('Domain Level cannot be lowered.', domain='ipa', localedir=None)
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 347, in wsgi_execute
    result = self.Command[name](*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 443, in __call__
    ret = self.run(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 760, in run
    return self.execute(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/plugins/domainlevel.py", line 123, in execute
    raise errors.InvalidDomainLevelError(message)
  File "/usr/lib/python2.7/site-packages/ipalib/errors.py", line 248, in __init__
    messages.process_message_arguments(self, format, message, **kw)
  File "/usr/lib/python2.7/site-packages/ipalib/messages.py", line 52, in process_message_arguments
    name, format)
ValueError: non-generic 'InvalidDomainLevelError' needs format=None; got format=Gettext('Domain Level cannot be lowered.', domain='ipa', localedir=None)

--
Petr Vobornik

From ofayans at redhat.com Mon Jul 20 11:21:26 2015
From: ofayans at redhat.com (Oleg Fayans)
Date: Mon, 20 Jul 2015 13:21:26 +0200
Subject: [Freeipa-devel] general error message at the attempt to set domain level to 0
In-Reply-To: <55ACD5AB.9030001@redhat.com>
References: <55ACD1D3.7040205@redhat.com> <55ACD5AB.9030001@redhat.com>
Message-ID: <55ACD9B6.1050207@redhat.com>

Hi Martin,

[Mon Jul 20 06:41:09.540097 2015] [wsgi:error] [pid 15186] ipa: ERROR: non-public: ValueError: non-generic 'InvalidDomainLevelError' needs format=None; got format=Gettext('Domain Level cannot be lowered.', domain='ipa', localedir=None)
[Mon Jul 20 06:41:09.540118 2015] [wsgi:error] [pid 15186] Traceback (most recent call last):
[Mon Jul 20 06:41:09.540121 2015] [wsgi:error] [pid 15186]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 347, in wsgi_execute
[Mon Jul 20 06:41:09.540122 2015] [wsgi:error] [pid 15186]     result = self.Command[name](*args, **options)
[Mon Jul 20 06:41:09.540124 2015] [wsgi:error] [pid 15186]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 443, in __call__
[Mon Jul 20 06:41:09.540125 2015] [wsgi:error] [pid 15186]     ret = self.run(*args, **options)
[Mon Jul 20 06:41:09.540127 2015] [wsgi:error] [pid 15186]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 760, in run
[Mon Jul 20 06:41:09.540128 2015] [wsgi:error] [pid 15186]     return self.execute(*args, **options)
[Mon Jul 20 06:41:09.540129 2015] [wsgi:error] [pid 15186]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/domainlevel.py", line 123, in execute
[Mon Jul 20 06:41:09.540131 2015] [wsgi:error] [pid 15186]     raise errors.InvalidDomainLevelError(message)
[Mon Jul 20 06:41:09.540132 2015] [wsgi:error] [pid 15186]   File "/usr/lib/python2.7/site-packages/ipalib/errors.py", line 248, in __init__
[Mon Jul 20 06:41:09.540133 2015] [wsgi:error] [pid 15186]     messages.process_message_arguments(self, format, message, **kw)
[Mon Jul 20 06:41:09.540135 2015] [wsgi:error] [pid 15186]   File "/usr/lib/python2.7/site-packages/ipalib/messages.py", line 52, in process_message_arguments
[Mon Jul 20 06:41:09.540136 2015] [wsgi:error] [pid 15186]     name, format)

On 07/20/2015 01:04 PM, Martin Basti wrote:
> On 20/07/15 12:47, Oleg Fayans wrote:
>> Hi everybody,
>>
>> I keep receiving the same non-specific error message during attempts
>> to set domain level to 0:
>> $ ipa domainlevel-set 0
>> ipa: ERROR: an internal error has occurred
>>
>> This error does not get recorded in the directory server errors log.
>> Real-time observations on the access log show that only the following
>> lines get added:
>>
>> [20/Jul/2015:06:45:07 -0400] conn=151 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
>> [20/Jul/2015:06:45:07 -0400] conn=2 op=984 RESULT err=0 tag=101 nentries=1 etime=0
>> [20/Jul/2015:06:45:07 -0400] conn=151 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
>> [20/Jul/2015:06:45:08 -0400] conn=151 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
>> [20/Jul/2015:06:45:08 -0400] conn=151 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
>> [20/Jul/2015:06:45:08 -0400] conn=151 op=3 SRCH base="cn=ipaconfig,cn=etc,dc=pesen,dc=net" scope=0 filter="(objectClass=*)" attrs=ALL
>> [20/Jul/2015:06:45:08 -0400] conn=151 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,cn=users,cn=accounts,dc=pesen,dc=net"
>> [20/Jul/2015:06:45:08 -0400] conn=151 op=3 RESULT err=0 tag=101 nentries=1 etime=0
>> [20/Jul/2015:06:45:08 -0400] conn=151 op=4 SRCH base="cn=Domain Level,cn=ipa,cn=etc,dc=pesen,dc=net" scope=0 filter="(objectClass=*)" attrs=ALL
>> [20/Jul/2015:06:45:08 -0400] conn=151 op=4 RESULT err=0 tag=101 nentries=1 etime=0
>> [20/Jul/2015:06:45:08 -0400] conn=151 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
>> [20/Jul/2015:06:45:08 -0400] conn=151 op=5 UNBIND
>> [20/Jul/2015:06:45:08 -0400] conn=151 op=5 fd=102 closed - U1
>>
>> According to Ludwig, decreasing of the domain level is not supported,
>> so we should provide some meaningful error message in this case
>>
>> P. S.
>> $ rpm -q freeipa-server
>> freeipa-server-4.2.90.201507171036GITf1f3ef4-0.fc22.x86_64
>> The packages were built on Friday from the upstream master.
>>
> Can you paste apache error log here please?
>

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.

From mbasti at redhat.com Mon Jul 20 11:32:25 2015
From: mbasti at redhat.com (Martin Basti)
Date: Mon, 20 Jul 2015 13:32:25 +0200
Subject: [Freeipa-devel] general error message at the attempt to set domain level to 0
In-Reply-To: <55ACD9B6.1050207@redhat.com>
References: <55ACD1D3.7040205@redhat.com> <55ACD5AB.9030001@redhat.com> <55ACD9B6.1050207@redhat.com>
Message-ID: <55ACDC49.2030704@redhat.com>

On 20/07/15 13:21, Oleg Fayans wrote:
> Hi Martin,
>
> [Mon Jul 20 06:41:09.540097 2015] [wsgi:error] [pid 15186] ipa: ERROR: non-public: ValueError: non-generic 'InvalidDomainLevelError' needs format=None; got format=Gettext('Domain Level cannot be lowered.', domain='ipa', localedir=None)
> [Mon Jul 20 06:41:09.540118 2015] [wsgi:error] [pid 15186] Traceback (most recent call last):
> [Mon Jul 20 06:41:09.540121 2015] [wsgi:error] [pid 15186]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 347, in wsgi_execute
> [Mon Jul 20 06:41:09.540122 2015] [wsgi:error] [pid 15186]     result = self.Command[name](*args, **options)
> [Mon Jul 20 06:41:09.540124 2015] [wsgi:error] [pid 15186]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 443, in __call__
> [Mon Jul 20 06:41:09.540125 2015] [wsgi:error] [pid 15186]     ret = self.run(*args, **options)
> [Mon Jul 20 06:41:09.540127 2015] [wsgi:error] [pid 15186]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 760, in run
> [Mon Jul 20 06:41:09.540128 2015] [wsgi:error] [pid 15186]     return self.execute(*args, **options)
> [Mon Jul 20 06:41:09.540129 2015] [wsgi:error] [pid 15186]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/domainlevel.py", line 123, in execute
> [Mon Jul 20 06:41:09.540131 2015] [wsgi:error] [pid 15186]     raise errors.InvalidDomainLevelError(message)
> [Mon Jul 20 06:41:09.540132 2015] [wsgi:error] [pid 15186]   File "/usr/lib/python2.7/site-packages/ipalib/errors.py", line 248, in __init__
> [Mon Jul 20 06:41:09.540133 2015] [wsgi:error] [pid 15186]     messages.process_message_arguments(self, format, message, **kw)
> [Mon Jul 20 06:41:09.540135 2015] [wsgi:error] [pid 15186]   File "/usr/lib/python2.7/site-packages/ipalib/messages.py", line 52, in process_message_arguments
> [Mon Jul 20 06:41:09.540136 2015] [wsgi:error] [pid 15186]     name, format)
>

Can you please file this as a bug?
We need fix it in 4.3

Thank you.

>
> On 07/20/2015 01:04 PM, Martin Basti wrote:
>> On 20/07/15 12:47, Oleg Fayans wrote:
>>> Hi everybody,
>>>
>>> I keep receiving the same non-specific error message during attempts
>>> to set domain level to 0:
>>> $ ipa domainlevel-set 0
>>> ipa: ERROR: an internal error has occurred
>>>
>>> This error does not get recorded in the directory server errors log.
>>> Real-time observations on the access log show that only the
>>> following lines get added:
>>>
>>> [20/Jul/2015:06:45:07 -0400] conn=151 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
>>> [20/Jul/2015:06:45:07 -0400] conn=2 op=984 RESULT err=0 tag=101 nentries=1 etime=0
>>> [20/Jul/2015:06:45:07 -0400] conn=151 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
>>> [20/Jul/2015:06:45:08 -0400] conn=151 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
>>> [20/Jul/2015:06:45:08 -0400] conn=151 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
>>> [20/Jul/2015:06:45:08 -0400] conn=151 op=3 SRCH base="cn=ipaconfig,cn=etc,dc=pesen,dc=net" scope=0 filter="(objectClass=*)" attrs=ALL
>>> [20/Jul/2015:06:45:08 -0400] conn=151 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,cn=users,cn=accounts,dc=pesen,dc=net"
>>> [20/Jul/2015:06:45:08 -0400] conn=151 op=3 RESULT err=0 tag=101 nentries=1 etime=0
>>> [20/Jul/2015:06:45:08 -0400] conn=151 op=4 SRCH base="cn=Domain Level,cn=ipa,cn=etc,dc=pesen,dc=net" scope=0 filter="(objectClass=*)" attrs=ALL
>>> [20/Jul/2015:06:45:08 -0400] conn=151 op=4 RESULT err=0 tag=101 nentries=1 etime=0
>>> [20/Jul/2015:06:45:08 -0400] conn=151 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
>>> [20/Jul/2015:06:45:08 -0400] conn=151 op=5 UNBIND
>>> [20/Jul/2015:06:45:08 -0400] conn=151 op=5 fd=102 closed - U1
>>>
>>> According to Ludwig, decreasing of the domain level is not
>>> supported, so we should provide some meaningful error message in
>>> this case
>>>
>>> P. S.
>>> $ rpm -q freeipa-server
>>> freeipa-server-4.2.90.201507171036GITf1f3ef4-0.fc22.x86_64
>>> The packages were built on Friday from the upstream master.
>>>
>> Can you paste apache error log here please?
>>
>

--
Martin Basti

From tbabej at redhat.com Mon Jul 20 11:55:23 2015
From: tbabej at redhat.com (Tomas Babej)
Date: Mon, 20 Jul 2015 13:55:23 +0200
Subject: [Freeipa-devel] general error message at the attempt to set domain level to 0
In-Reply-To: <55ACDC49.2030704@redhat.com>
References: <55ACD1D3.7040205@redhat.com> <55ACD5AB.9030001@redhat.com> <55ACD9B6.1050207@redhat.com> <55ACDC49.2030704@redhat.com>
Message-ID: <55ACE1AB.2090800@redhat.com>

On 07/20/2015 01:32 PM, Martin Basti wrote:
> On 20/07/15 13:21, Oleg Fayans wrote:
>> Hi Martin,
>>
>> [Mon Jul 20 06:41:09.540097 2015] [wsgi:error] [pid 15186] ipa: ERROR: non-public: ValueError: non-generic 'InvalidDomainLevelError' needs format=None; got format=Gettext('Domain Level cannot be lowered.', domain='ipa', localedir=None)
>> [Mon Jul 20 06:41:09.540118 2015] [wsgi:error] [pid 15186] Traceback (most recent call last):
>> [Mon Jul 20 06:41:09.540121 2015] [wsgi:error] [pid 15186]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 347, in wsgi_execute
>> [Mon Jul 20 06:41:09.540122 2015] [wsgi:error] [pid 15186]     result = self.Command[name](*args, **options)
>> [Mon Jul 20 06:41:09.540124 2015] [wsgi:error] [pid 15186]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 443, in __call__
>> [Mon Jul 20 06:41:09.540125 2015] [wsgi:error] [pid 15186]     ret = self.run(*args, **options)
>> [Mon Jul 20 06:41:09.540127 2015] [wsgi:error] [pid 15186]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 760, in run
>> [Mon Jul 20 06:41:09.540128 2015] [wsgi:error] [pid 15186]     return self.execute(*args, **options)
>> [Mon Jul 20 06:41:09.540129 2015] [wsgi:error] [pid 15186]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/domainlevel.py", line 123, in execute
>> [Mon Jul 20 06:41:09.540131 2015] [wsgi:error] [pid 15186]     raise errors.InvalidDomainLevelError(message)
>> [Mon Jul 20 06:41:09.540132 2015] [wsgi:error] [pid 15186]   File "/usr/lib/python2.7/site-packages/ipalib/errors.py", line 248, in __init__
>> [Mon Jul 20 06:41:09.540133 2015] [wsgi:error] [pid 15186]     messages.process_message_arguments(self, format, message, **kw)
>> [Mon Jul 20 06:41:09.540135 2015] [wsgi:error] [pid 15186]   File "/usr/lib/python2.7/site-packages/ipalib/messages.py", line 52, in process_message_arguments
>> [Mon Jul 20 06:41:09.540136 2015] [wsgi:error] [pid 15186]     name, format)
>>
> Can you please file this as a bug?
> We need fix it in 4.3
>
> Thank you.
>>
>> On 07/20/2015 01:04 PM, Martin Basti wrote:
>>> On 20/07/15 12:47, Oleg Fayans wrote:
>>>> Hi everybody,
>>>>
>>>> I keep receiving the same non-specific error message during attempts
>>>> to set domain level to 0:
>>>> $ ipa domainlevel-set 0
>>>> ipa: ERROR: an internal error has occurred
>>>>
>>>> This error does not get recorded in the directory server errors log.
>>>> Real-time observations on the access log show that only the
>>>> following lines get added:
>>>>
>>>> [20/Jul/2015:06:45:07 -0400] conn=151 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
>>>> [20/Jul/2015:06:45:07 -0400] conn=2 op=984 RESULT err=0 tag=101 nentries=1 etime=0
>>>> [20/Jul/2015:06:45:07 -0400] conn=151 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
>>>> [20/Jul/2015:06:45:08 -0400] conn=151 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
>>>> [20/Jul/2015:06:45:08 -0400] conn=151 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
>>>> [20/Jul/2015:06:45:08 -0400] conn=151 op=3 SRCH base="cn=ipaconfig,cn=etc,dc=pesen,dc=net" scope=0 filter="(objectClass=*)" attrs=ALL
>>>> [20/Jul/2015:06:45:08 -0400] conn=151 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,cn=users,cn=accounts,dc=pesen,dc=net"
>>>> [20/Jul/2015:06:45:08 -0400] conn=151 op=3 RESULT err=0 tag=101 nentries=1 etime=0
>>>> [20/Jul/2015:06:45:08 -0400] conn=151 op=4 SRCH base="cn=Domain Level,cn=ipa,cn=etc,dc=pesen,dc=net" scope=0 filter="(objectClass=*)" attrs=ALL
>>>> [20/Jul/2015:06:45:08 -0400] conn=151 op=4 RESULT err=0 tag=101 nentries=1 etime=0
>>>> [20/Jul/2015:06:45:08 -0400] conn=151 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
>>>> [20/Jul/2015:06:45:08 -0400] conn=151 op=5 UNBIND
>>>> [20/Jul/2015:06:45:08 -0400] conn=151 op=5 fd=102 closed - U1
>>>>
>>>> According to Ludwig, decreasing of the domain level is not
>>>> supported, so we should provide some meaningful error message in
>>>> this case
>>>>
>>>> P. S.
>>>> $ rpm -q freeipa-server
>>>> freeipa-server-4.2.90.201507171036GITf1f3ef4-0.fc22.x86_64
>>>> The packages were built on Friday from the upstream master.
>>>>
>>> Can you paste apache error log here please?
>>>
>>
>

This is just an incorrect initialization of the InvalidDomainLevelError.

Pushed to master: 37b1af9a7cea72f41ac468ab80259f39b0a7b3db
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-tbabej-0341-domainlevel-Fix-incorrect-initializations-of-Invalid.patch
Type: text/x-patch
Size: 2282 bytes
Desc: not available
URL:

From ofayans at redhat.com Mon Jul 20 12:02:37 2015
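A reduced model of the convention behind the ValueError in the traceback above, added here as an example and not ipalib's code: an error class that carries its own `format` template is "non-generic" and must be raised with keyword arguments only, so passing a rendered message positionally lands in `format` and is rejected by the constructor, which is what turned a user-facing "Domain Level cannot be lowered." into "an internal error has occurred" with the real reason only in the Apache log. Class and function names mirror the traceback; the template text, the `level`/`reason` keywords and both `lower_domain_level_*` functions are assumptions for the example.

```python
"""Model of generic vs. non-generic error construction (not ipalib code)."""


def process_message_arguments(obj, format=None, message=None, **kw):
    """Decide how an error instance gets its user-visible text.

    A class with format=None is generic and needs the caller to pass a
    template; a class that defines format must not be given one, and its
    keyword arguments are interpolated into the class template instead.
    """
    name = obj.__class__.__name__
    if obj.format is None:
        if format is None:
            raise ValueError("generic %r needs format" % name)
        obj.format = format
    elif format is not None:
        # the check that fired in the traceback above
        raise ValueError(
            "non-generic %r needs format=None; got format=%r" % (name, format))
    obj.strerror = message if message is not None else obj.format % kw
    obj.kw = kw


class PublicError(Exception):
    """Base class; subclasses either set `format` or leave it None."""
    format = None

    def __init__(self, format=None, message=None, **kw):
        process_message_arguments(self, format, message, **kw)
        super().__init__(self.strerror)


class InvalidDomainLevelError(PublicError):
    # assumed template; the real class text is not on the page
    format = "Domain Level cannot be set to %(level)d: %(reason)s"


def lower_domain_level_broken(current, requested):
    """The shape of domainlevel.py line 123: a rendered message passed positionally."""
    if requested < current:
        message = "Domain Level cannot be lowered."
        raise InvalidDomainLevelError(message)  # lands in `format` -> ValueError
    return requested


def lower_domain_level_fixed(current, requested):
    """Raise the non-generic error through its own template, keywords only."""
    if requested < current:
        raise InvalidDomainLevelError(level=requested,
                                      reason="domain level cannot be lowered")
    return requested


def classify(fn, current, requested):
    """Return (exception class name or 'ok', message) as a caller would see it."""
    try:
        fn(current, requested)
    except InvalidDomainLevelError as e:
        return ("InvalidDomainLevelError", str(e))
    except ValueError as e:
        return ("ValueError", str(e))
    return ("ok", None)


if __name__ == "__main__":
    for fn in (lower_domain_level_broken, lower_domain_level_fixed):
        print(fn.__name__, "->", classify(fn, 1, 0))
```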
From: ofayans at redhat.com (Oleg Fayans) Date: Mon, 20 Jul 2015 14:02:37 +0200 Subject: [Freeipa-devel] general error message at the attempt to set domain level to 0 In-Reply-To: <55ACE1AB.2090800@redhat.com> References: <55ACD1D3.7040205@redhat.com> <55ACD5AB.9030001@redhat.com> <55ACD9B6.1050207@redhat.com> <55ACDC49.2030704@redhat.com> <55ACE1AB.2090800@redhat.com> Message-ID: <55ACE35D.1080105@redhat.com> Wow, Tomas, that was fast! Thanks! On 07/20/2015 01:55 PM, Tomas Babej wrote: > > On 07/20/2015 01:32 PM, Martin Basti wrote: >> On 20/07/15 13:21, Oleg Fayans wrote: >>> Hi Martin, >>> >>> [Mon Jul 20 06:41:09.540097 2015] [wsgi:error] [pid 15186] ipa: ERROR: >>> non-public: ValueError: non-generic 'InvalidDomainLevelError' needs >>> format=None; got format=Gettext('Domain Level cannot be lowered.', >>> domain='ipa', localedir=None) >>> [Mon Jul 20 06:41:09.540118 2015] [wsgi:error] [pid 15186] Traceback >>> (most recent call last): >>> [Mon Jul 20 06:41:09.540121 2015] [wsgi:error] [pid 15186] File >>> "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 347, >>> in wsgi_execute >>> [Mon Jul 20 06:41:09.540122 2015] [wsgi:error] [pid 15186] result = >>> self.Command[name](*args, **options) >>> [Mon Jul 20 06:41:09.540124 2015] [wsgi:error] [pid 15186] File >>> "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 443, in >>> __call__ >>> [Mon Jul 20 06:41:09.540125 2015] [wsgi:error] [pid 15186] ret = >>> self.run(*args, **options) >>> [Mon Jul 20 06:41:09.540127 2015] [wsgi:error] [pid 15186] File >>> "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 760, in run >>> [Mon Jul 20 06:41:09.540128 2015] [wsgi:error] [pid 15186] return >>> self.execute(*args, **options) >>> [Mon Jul 20 06:41:09.540129 2015] [wsgi:error] [pid 15186] File >>> "/usr/lib/python2.7/site-packages/ipalib/plugins/domainlevel.py", line >>> 123, in execute >>> [Mon Jul 20 06:41:09.540131 2015] [wsgi:error] [pid 15186] raise >>> 
errors.InvalidDomainLevelError(message) >>> [Mon Jul 20 06:41:09.540132 2015] [wsgi:error] [pid 15186] File >>> "/usr/lib/python2.7/site-packages/ipalib/errors.py", line 248, in >>> __init__ >>> [Mon Jul 20 06:41:09.540133 2015] [wsgi:error] [pid 15186] >>> messages.process_message_arguments(self, format, message, **kw) >>> [Mon Jul 20 06:41:09.540135 2015] [wsgi:error] [pid 15186] File >>> "/usr/lib/python2.7/site-packages/ipalib/messages.py", line 52, in >>> process_message_arguments >>> [Mon Jul 20 06:41:09.540136 2015] [wsgi:error] [pid 15186] name, format) >>> >> Can you please file this as a bug? >> We need to fix it in 4.3 >> >> Thank you. >>> On 07/20/2015 01:04 PM, Martin Basti wrote: >>>> On 20/07/15 12:47, Oleg Fayans wrote: >>>>> Hi everybody, >>>>> >>>>> I keep receiving the same non-specific error message during attempts >>>>> to set domain level to 0: >>>>> $ ipa domainlevel-set 0 >>>>> ipa: ERROR: an internal error has occurred >>>>> >>>>> This error does not get recorded in the directory server errors log. 
>>>>> Real-time observations on the access log show that only the >>>>> following lines get added: >>>>> >>>>> [20/Jul/2015:06:45:07 -0400] conn=151 op=0 BIND dn="" method=sasl >>>>> version=3 mech=GSSAPI >>>>> [20/Jul/2015:06:45:07 -0400] conn=2 op=984 RESULT err=0 tag=101 >>>>> nentries=1 etime=0 >>>>> [20/Jul/2015:06:45:07 -0400] conn=151 op=0 RESULT err=14 tag=97 >>>>> nentries=0 etime=0, SASL bind in progress >>>>> [20/Jul/2015:06:45:08 -0400] conn=151 op=1 BIND dn="" method=sasl >>>>> version=3 mech=GSSAPI >>>>> [20/Jul/2015:06:45:08 -0400] conn=151 op=2 BIND dn="" method=sasl >>>>> version=3 mech=GSSAPI >>>>> [20/Jul/2015:06:45:08 -0400] conn=151 op=3 SRCH >>>>> base="cn=ipaconfig,cn=etc,dc=pesen,dc=net" scope=0 >>>>> filter="(objectClass=*)" attrs=ALL >>>>> [20/Jul/2015:06:45:08 -0400] conn=151 op=2 RESULT err=0 tag=97 >>>>> nentries=0 etime=0 dn="uid=admin,cn=users,cn=accounts,dc=pesen,dc=net" >>>>> [20/Jul/2015:06:45:08 -0400] conn=151 op=3 RESULT err=0 tag=101 >>>>> nentries=1 etime=0 >>>>> [20/Jul/2015:06:45:08 -0400] conn=151 op=4 SRCH base="cn=Domain >>>>> Level,cn=ipa,cn=etc,dc=pesen,dc=net" scope=0 >>>>> filter="(objectClass=*)" attrs=ALL >>>>> [20/Jul/2015:06:45:08 -0400] conn=151 op=4 RESULT err=0 tag=101 >>>>> nentries=1 etime=0 >>>>> [20/Jul/2015:06:45:08 -0400] conn=151 op=1 RESULT err=14 tag=97 >>>>> nentries=0 etime=0, SASL bind in progress >>>>> [20/Jul/2015:06:45:08 -0400] conn=151 op=5 UNBIND >>>>> [20/Jul/2015:06:45:08 -0400] conn=151 op=5 fd=102 closed - U1 >>>>> >>>>> According to Ludwig, decreasing the domain level is not >>>>> supported, so we should provide some meaningful error message in >>>>> this case >>>>> >>>>> P. S. >>>>> $ rpm -q freeipa-server >>>>> freeipa-server-4.2.90.201507171036GITf1f3ef4-0.fc22.x86_64 >>>>> The packages were built on Friday from the upstream master. >>>>> >>>> Can you paste the apache error log here, please? >>>> >> > This is just an incorrect initialization of the InvalidDomainLevelError. 
> > Pushed to master: 37b1af9a7cea72f41ac468ab80259f39b0a7b3db -- Oleg Fayans Quality Engineer FreeIPA team RedHat. From ofayans at redhat.com Mon Jul 20 12:07:31 2015 
From: ofayans at redhat.com (Oleg Fayans) Date: Mon, 20 Jul 2015 14:07:31 +0200 Subject: [Freeipa-devel] [PATCH 0001] Test Topology plugin is listed among DS plugins In-Reply-To: <55ACD1A2.5030202@redhat.com> References: <55ACC623.20601@redhat.com> <55ACD1A2.5030202@redhat.com> Message-ID: <55ACE483.5030504@redhat.com> Hi Martin, Updated. On 07/20/2015 12:46 PM, Martin Basti wrote: > On 20/07/15 11:57, Oleg Fayans wrote: >> + pwfile = api.env.dot_ipa + os.sep + ".dmpw" >> + if ipautil.file_exists(pwfile): >> + fp = open(pwfile, "r") >> + dm_password = fp.read().rstrip() >> + fp.close() >> + else: > Hello, > > 1) Can you use os.path.join() instead of "+ os.sep +" please > > 2) Can you use with statement with file? > > with open(pwfile, "r") as f: > dm_password = f.read().rstrip() > > 3) Please keep PEP8 in new code > > ./ipatests/test_ipaserver/test_topology_plugin.py:30:80: E501 line too > long (102 > 79 characters) > ./ipatests/test_ipaserver/test_topology_plugin.py:33:80: E501 line too > long (92 > 79 characters) > ./ipatests/test_ipaserver/test_topology_plugin.py:39:80: E501 line too > long (124 > 79 characters) > ./ipatests/test_ipaserver/test_topology_plugin.py:44:80: E501 line too > long (92 > 79 characters) > ./ipatests/test_ipaserver/test_topology_plugin.py:45:48: E128 > continuation line under-indented for visual indent > ./ipatests/test_ipaserver/test_topology_plugin.py:45:80: E501 line too > long (89 > 79 characters) > ./ipatests/test_ipaserver/test_topology_plugin.py:46:48: E128 > continuation line under-indented for visual indent > ./ipatests/test_ipaserver/test_topology_plugin.py:46:80: E501 line too > long (89 > 79 characters) > ./ipatests/test_ipaserver/test_topology_plugin.py:58:80: E501 line too > long (87 > 79 characters) > > 4) Missing nose import > raise nose.SkipTest("No directory manager password in %s" > % pwfile) > > 5) Can you use sets here instead of sorted lists? 
> assert(sorted(entry.keys()) == sorted(pluginattrs.keys())) > > > Martin^2 > -- Oleg Fayans Quality Engineer FreeIPA team RedHat. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-ofayans-0001.1-test-topology-plugin-is-listed-among-DS-plugin.patch Type: text/x-patch Size: 3571 bytes Desc: not available URL: From mbasti at redhat.com Mon Jul 20 12:11:26 2015 
From: mbasti at redhat.com (Martin Basti) Date: Mon, 20 Jul 2015 14:11:26 +0200 Subject: [Freeipa-devel] [PATCH 0023] enable debugging of spawned ntpd command during client install In-Reply-To: <55A4E229.2090304@redhat.com> References: <5512C588.3010002@redhat.com> <5512D1C9.6090308@redhat.com> <5513F841.4050306@redhat.com> <551927B9.7020100@redhat.com> <55A4E229.2090304@redhat.com> Message-ID: <55ACE56E.1060504@redhat.com> On 14/07/15 12:19, Martin Babinsky wrote: > On 03/30/2015 12:38 PM, Martin Babinsky wrote: >> On 03/26/2015 01:14 PM, Martin Kosek wrote: >>> On 03/25/2015 04:18 PM, Jan Cholasta wrote: >>>> Hi, >>>> >>>> Dne 25.3.2015 v 15:26 Martin Babinsky napsal(a): >>>>> The attached patch related to >>>>> https://fedorahosted.org/freeipa/ticket/4931 >>>> >>>> Please make sure stays >>>> fixed. >>>> >>>>> >>>>> It is certainly not a final solution, more of an initial "hack" of >>>>> sorts >>>>> just to gather some suggestions, since I am not even sure if this is >>>>> the >>>>> right thing to do. >>>>> >>>>> The reporter from bugzilla suggests to enable debugging of ALL >>>>> commands >>>>> called through ipautil.run(), but I think that fixing all cca 157 >>>>> found >>>>> usages of run() is too much work with a quite small benefit. >>>>> >>>>> Anyway I would welcome some opinions about this: should the external >>>>> commands really inherit the debug settings of ipa-* utilities, and if >>>>> so, is the method showed in this patch the right way to do it? >>>> >>>> I am not a fan of this method, ipautil.run does not know anything >>>> about the >>>> command it runs and I think it should stay that way. >>>> >>>> I would prefer to have an ipautil.run wrapper with debug flag using >>>> appropriate >>>> debugging option for each command where we need to conditionally >>>> enable >>>> debugging. Or just add the debugging option unconditionally to every >>>> command >>>> where it could be useful. >>> >>> +1, I do not like this change to ipautil.run either. 
It should be sole >>> responsibility of the caller to specify the right combinations of >>> options, >>> including debug option, where applicable. >>> >> Attaching updated patch. >> >> >> > Reviving this patch from the dead. Attaching rebased version for > master branch and ipa-4-1. > > > Works for me, ACK -- Martin Basti -------------- next part -------------- An HTML attachment was scrubbed... URL: From dkupka at redhat.com Mon Jul 20 13:10:24 2015 
From: dkupka at redhat.com (David Kupka) Date: Mon, 20 Jul 2015 15:10:24 +0200 Subject: [Freeipa-devel] [PATCH 0054] cermonger: Use private unix socket when DBus SystemBus is not, available. In-Reply-To: <55A646DC.6060102@redhat.com> References: <5593F9A5.4080703@redhat.com> <55952FDE.8080408@redhat.com> <55962E91.4040104@redhat.com> <55962FB5.906@redhat.com> <559BE76A.9040505@redhat.com> <55A646DC.6060102@redhat.com> Message-ID: <55ACF340.6070901@redhat.com> On 15/07/15 13:41, Jan Cholasta wrote: > Dne 7.7.2015 v 16:51 David Kupka napsal(a): >> On 03/07/15 08:46, Martin Kosek wrote: >>> On 07/03/2015 08:41 AM, Jan Cholasta wrote: >>>> Dne 2.7.2015 v 14:34 David Kupka napsal(a): >>>>> On 01/07/15 16:31, David Kupka wrote: >>>>>> >>>>>> >>>>>> >>>>> Updated patch attached. >>>> >>>> Client install works, but uninstall does not: >>>> >>>> # ipa-client-install --uninstall -U >>>> certmonger failed to start: Command ''/bin/systemctl' 'start' >>>> 'certmonger.service'' returned non-zero exit status 1 >>>> certmonger failed to stop tracking certificate: Failed to start >>>> certmonger: >>>> Timeouted >>>> 2015-07-03 02:38:15 [17242] Error reading PIN from >>>> "/etc/ipa/nssdb/pwdfile.txt": No such file or directory. >>>> Failed to start certmonger: Timeouted >>>> >>>> The patch needs a rebase. >>>> >>> >>> Also, "Timeouted" is not a word, try "Timed out" instead :-) >> >> Updated patch attached. Also attaching patch that removes unneeded >> certmonger (re)starting and DBus starting from ipa-client-install. >> > > NACK. > > When dbus is not available and ipa-client-install is run *without* > --request-cert, certmonger tracks "Local IPA host" in /etc/ipa/nssdb. > > When ipa-client-install is run *with* --request-cert, the certificate is > not issued, but I guess this is not caused by your patch. > Updated patch attached. -- David Kupka -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-dkupka-0054.3-cermonger-Use-private-unix-socket-when-DBus-SystemBu.patch Type: text/x-patch Size: 10947 bytes Desc: not available URL: From abokovoy at redhat.com Mon Jul 20 13:23:06 2015 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Mon, 20 Jul 2015 16:23:06 +0300 Subject: [Freeipa-devel] [PATCH] 0193 fix Coverity issue in extdom plugin Message-ID: <20150720132306.GG21928@redhat.com> Hi, this patch fixes Coverity CID 13130. The bug turned out to be impossible to cause crash in 389-ds externally because all conditions that could cause not to properly allocate req could not be influenced via extended operation (req could be NULL only if calloc() in parse_request_data() failed). The finding is still correct as calloc() indeed could fail. -- / Alexander Bokovoy -------------- next part -------------- From b4a2ce6eb23843616b3afbcd9cf67b6653d99970 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Mon, 20 Jul 2015 14:31:33 +0300 Subject: [PATCH] extdom: do not fail to process error case when no request is specified Coverity CID 13130 --- daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c index 708d0e4..81fe5a6 100644 --- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c +++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c @@ -149,7 +149,7 @@ static int ipa_extdom_extop(Slapi_PBlock *pb) rc = LDAP_SUCCESS; done: - if (req->err_msg != NULL) { + if ((req != NULL) && (req->err_msg != NULL)) { err_msg = req->err_msg; } if (err_msg != NULL) { -- 2.4.3 From mbabinsk at redhat.com Mon Jul 20 13:33:22 2015 
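Review bot: the added `req != NULL` guard covers the calloc() failure the commit message describes, but the next line, `if (err_msg != NULL)`, is only safe if `err_msg` was initialized to NULL at its declaration, which lies outside this hunk; confirm that before merging, since with `req == NULL` nothing on the visible path assigns it. Consider also giving the NULL-req branch a fixed diagnostic (for example assigning a static out-of-memory string to `err_msg`) so the client receives a message rather than a bare result code.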
From: mbabinsk at redhat.com (Martin Babinsky) Date: Mon, 20 Jul 2015 15:33:22 +0200 Subject: [Freeipa-devel] [PATCH 0285] DNS: consolidate RR types in API and LDAP schema In-Reply-To: <55A8E03E.9060504@redhat.com> References: <55A6551E.9070306@redhat.com> <55A662A3.3090505@redhat.com> <55A66839.80508@redhat.com> <55A67D49.7020208@redhat.com> <55A67E6C.3000401@redhat.com> <55A67EAF.8040803@redhat.com> <55A686AA.4050801@redhat.com> <55A8E03E.9060504@redhat.com> Message-ID: <55ACF8A2.9070808@redhat.com> On 07/17/2015 01:00 PM, Martin Basti wrote: > On 15/07/15 18:13, Petr Spacek wrote: >> On 15.7.2015 17:39, Martin Basti wrote: >>> On 15/07/15 17:38, Petr Spacek wrote: >>>> On 15.7.2015 17:33, Martin Basti wrote: >>>>> On 15/07/15 16:03, Martin Basti wrote: >>>>>> On 15/07/15 15:39, Petr Vobornik wrote: >>>>>>> On 07/15/2015 02:42 PM, Martin Basti wrote: >>>>>>>> Patch attached. >>>>>>>> >>>>>>>> https://fedorahosted.org/freeipa/ticket/4934 >>>>>>>> https://fedorahosted.org/freeipa/ticket/5055 >>>>>>>> >>>>>>> Why are you adding RP, APL, IPSEC, DHCID, HIP, SPF records? Is >>>>>>> there a plan >>>>>>> to use them? Can't we just not use unsupported records in >>>>>>> LDAPSearch'? >>>>>>> (which would fix #5055) >>>>>> I had discussion with Petr2, and we decided to do it this way, >>>>>> because these >>>>>> records are valid. >>>>>> >>>>>> Removing unsupported records from search changes the behavior of >>>>>> the DNS >>>>>> commands. Now IPA shows even unsupported records which cannot be >>>>>> modified by >>>>>> API. AFAIK we want to keep this behavior. >>>>>> >>>>> Updated patch attached. >>>>> >>>>> I forgot to remove DNSKEY from object class definition. >>>> Are you 100 % sure that it will not break on upgrade? Please >>>> double-check that >>>> with Thierry. >>>> >>> IT was my change before we decided that DNSKEY should not be there, >>> it is not >>> in git repo. >> I see, okay. >> > Updated patch attached. 
> > > ACK -- Martin^3 Babinsky From cheimes at redhat.com Mon Jul 20 13:34:24 2015 From: cheimes at redhat.com (Christian Heimes) Date: Mon, 20 Jul 2015 15:34:24 +0200 Subject: [Freeipa-devel] [PATCH] 0193 fix Coverity issue in extdom plugin In-Reply-To: <20150720132306.GG21928@redhat.com> References: <20150720132306.GG21928@redhat.com> Message-ID: <55ACF8E0.70805@redhat.com> On 2015-07-20 15:23, Alexander Bokovoy wrote: > Hi, > > this patch fixes Coverity CID 13130. The bug turned out to be impossible > to cause crash in 389-ds externally because all conditions that could > cause not to properly allocate req could not be influenced via extended > operation (req could be NULL only if calloc() in parse_request_data() > failed). > > The finding is still correct as calloc() indeed could fail. ACK Coverity is really good at finding this kind of bug. Over the last years I've fixed several similar issues in Python. Christian From jcholast at redhat.com Mon Jul 20 14:20:14 2015 
From: jcholast at redhat.com (Jan Cholasta) Date: Mon, 20 Jul 2015 16:20:14 +0200 Subject: [Freeipa-devel] [PATCH 0023] enable debugging of spawned ntpd command during client install In-Reply-To: <55ACE56E.1060504@redhat.com> References: <5512C588.3010002@redhat.com> <5512D1C9.6090308@redhat.com> <5513F841.4050306@redhat.com> <551927B9.7020100@redhat.com> <55A4E229.2090304@redhat.com> <55ACE56E.1060504@redhat.com> Message-ID: <55AD039E.8060902@redhat.com> Dne 20.7.2015 v 14:11 Martin Basti napsal(a): > On 14/07/15 12:19, Martin Babinsky wrote: >> On 03/30/2015 12:38 PM, Martin Babinsky wrote: >>> On 03/26/2015 01:14 PM, Martin Kosek wrote: >>>> On 03/25/2015 04:18 PM, Jan Cholasta wrote: >>>>> Hi, >>>>> >>>>> Dne 25.3.2015 v 15:26 Martin Babinsky napsal(a): >>>>>> The attached patch related to >>>>>> https://fedorahosted.org/freeipa/ticket/4931 >>>>> >>>>> Please make sure stays >>>>> fixed. >>>>> >>>>>> >>>>>> It is certainly not a final solution, more of an initial "hack" of >>>>>> sorts >>>>>> just to gather some suggestions, since I am not even sure if this is >>>>>> the >>>>>> right thing to do. >>>>>> >>>>>> The reporter from bugzilla suggests to enable debugging of ALL >>>>>> commands >>>>>> called through ipautil.run(), but I think that fixing all cca 157 >>>>>> found >>>>>> usages of run() is too much work with a quite small benefit. >>>>>> >>>>>> Anyway I would welcome some opinions about this: should the external >>>>>> commands really inherit the debug settings of ipa-* utilities, and if >>>>>> so, is the method showed in this patch the right way to do it? >>>>> >>>>> I am not a fan of this method, ipautil.run does not know anything >>>>> about the >>>>> command it runs and I think it should stay that way. >>>>> >>>>> I would prefer to have an ipautil.run wrapper with debug flag using >>>>> appropriate >>>>> debugging option for each command where we need to conditionally >>>>> enable >>>>> debugging. 
Or just add the debugging option unconditionally to every >>>>> command >>>>> where it could be useful. >>>> >>>> +1, I do not like this change to ipautil.run either. It should be sole >>>> responsibility of the caller to specify the right combinations of >>>> options, >>>> including debug option, where applicable. >>>> >>> Attaching updated patch. >>> >>> >>> >> Reviving this patch from the dead. Attaching rebased version for >> master branch and ipa-4-1. >> >> >> > Works for me, ACK Pushed to: master: 1ec174b92d2a734bd5859689bc67de5974270b06 ipa-4-2: a637e21d8810f14cbc4d212f13206fc08dfd1f86 ipa-4-1: bd1e3146c42c5c36e5a19b7558d268a823d45e0c -- Jan Cholasta From jcholast at redhat.com Mon Jul 20 14:28:36 2015 
From: jcholast at redhat.com (Jan Cholasta) Date: Mon, 20 Jul 2015 16:28:36 +0200 Subject: [Freeipa-devel] [PATCH 0054] cermonger: Use private unix socket when DBus SystemBus is not, available. In-Reply-To: <55ACF340.6070901@redhat.com> References: <5593F9A5.4080703@redhat.com> <55952FDE.8080408@redhat.com> <55962E91.4040104@redhat.com> <55962FB5.906@redhat.com> <559BE76A.9040505@redhat.com> <55A646DC.6060102@redhat.com> <55ACF340.6070901@redhat.com> Message-ID: <55AD0594.90304@redhat.com> Dne 20.7.2015 v 15:10 David Kupka napsal(a): > On 15/07/15 13:41, Jan Cholasta wrote: >> Dne 7.7.2015 v 16:51 David Kupka napsal(a): >>> On 03/07/15 08:46, Martin Kosek wrote: >>>> On 07/03/2015 08:41 AM, Jan Cholasta wrote: >>>>> Dne 2.7.2015 v 14:34 David Kupka napsal(a): >>>>>> On 01/07/15 16:31, David Kupka wrote: >>>>>>> >>>>>>> >>>>>>> >>>>>> Updated patch attached. >>>>> >>>>> Client install works, but uninstall does not: >>>>> >>>>> # ipa-client-install --uninstall -U >>>>> certmonger failed to start: Command ''/bin/systemctl' 'start' >>>>> 'certmonger.service'' returned non-zero exit status 1 >>>>> certmonger failed to stop tracking certificate: Failed to start >>>>> certmonger: >>>>> Timeouted >>>>> 2015-07-03 02:38:15 [17242] Error reading PIN from >>>>> "/etc/ipa/nssdb/pwdfile.txt": No such file or directory. >>>>> Failed to start certmonger: Timeouted >>>>> >>>>> The patch needs a rebase. >>>>> >>>> >>>> Also, "Timeouted" is not a word, try "Timed out" instead :-) >>> >>> Updated patch attached. Also attaching patch that removes unneeded >>> certmonger (re)starting and DBus starting from ipa-client-install. >>> >> >> NACK. >> >> When dbus is not available and ipa-client-install is run *without* >> --request-cert, certmonger tracks "Local IPA host" in /etc/ipa/nssdb. >> >> When ipa-client-install is run *with* --request-cert, the certificate is >> not issued, but I guess this is not caused by your patch. >> > Updated patch attached. Thanks, ACK. 
Pushed to: master: e384aad729bc0eb75ee42810007ade45669f9305 ipa-4-2: d3f2fd438cac824077c237b0c76bd6f0ac9c1ac7 -- Jan Cholasta From mbasti at redhat.com Mon Jul 20 14:45:10 2015 From: mbasti at redhat.com (Martin Basti) Date: Mon, 20 Jul 2015 16:45:10 +0200 Subject: [Freeipa-devel] [PATCH 0291] Limit max age of replication changelog Message-ID: <55AD0976.4070402@redhat.com> https://fedorahosted.org/freeipa/ticket/5086 Patch attached. -- Martin Basti -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0291-Limit-max-age-of-replication-changelog.patch Type: text/x-patch Size: 1586 bytes Desc: not available URL: From rcritten at redhat.com Mon Jul 20 15:24:13 2015 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 20 Jul 2015 11:24:13 -0400 Subject: [Freeipa-devel] [PATCH 0291] Limit max age of replication changelog In-Reply-To: <55AD0976.4070402@redhat.com> References: <55AD0976.4070402@redhat.com> Message-ID: <55AD129D.8020608@redhat.com> Martin Basti wrote: > https://fedorahosted.org/freeipa/ticket/5086 > > Patch attached. Is this going to be a shock on upgrades for people who until now may be relying on the fact that there is no limit? Should there be a way for an admin to manage this, via the config module perhaps? IMHO this is a significant change and red flags need to be raised so users are aware of it. rob From mareynol at redhat.com Mon Jul 20 15:33:24 2015 
From: mareynol at redhat.com (Mark Reynolds) Date: Mon, 20 Jul 2015 11:33:24 -0400 Subject: [Freeipa-devel] [PATCH 0291] Limit max age of replication changelog In-Reply-To: <55AD129D.8020608@redhat.com> References: <55AD0976.4070402@redhat.com> <55AD129D.8020608@redhat.com> Message-ID: <55AD14C4.4040903@redhat.com> On 07/20/2015 11:24 AM, Rob Crittenden wrote: > Martin Basti wrote: >> https://fedorahosted.org/freeipa/ticket/5086 >> >> Patch attached. > > Is this going to be a shock on upgrades for people who until now may > be relying on the fact that there is no limit? Just throwing my 2 cents in. The replication changelog is not something that can typically be used externally, unlike the retro changelog. It's really a blackbox to the outside world. The risk of setting a changelog max age depends on how long any replica has been down for. So if the max age is set to 7 days, and a replica has been down for more than 7 days, then when it comes online it will not be able to catch up with the other active replicas and it will need to be reinitialized. Mark > > Should there be a way for an admin to manage this, via the config > module perhaps? > > IMHO this is a significant change and red flags need to be raised so > users are aware of it. > > rob > From pvoborni at redhat.com Mon Jul 20 15:48:39 2015 
From: pvoborni at redhat.com (Petr Vobornik) Date: Mon, 20 Jul 2015 17:48:39 +0200 Subject: [Freeipa-devel] [PATCH 0291] Limit max age of replication changelog In-Reply-To: <55AD129D.8020608@redhat.com> References: <55AD0976.4070402@redhat.com> <55AD129D.8020608@redhat.com> Message-ID: <55AD1857.8090209@redhat.com> On 07/20/2015 05:24 PM, Rob Crittenden wrote: > Martin Basti wrote: >> https://fedorahosted.org/freeipa/ticket/5086 >> >> Patch attached. > > Is this going to be a shock on upgrades for people who until now may be > relying on the fact that there is no limit? Not making any point, but have to note: Ludwig raised a question on users list but there was no feedback from users. https://www.redhat.com/archives/freeipa-users/2015-July/msg00022.html > > Should there be a way for an admin to manage this, via the config module > perhaps? > > IMHO this is a significant change and red flags need to be raised so > users are aware of it. > > rob > -- Petr Vobornik From mbasti at redhat.com Mon Jul 20 16:50:51 2015 
From: mbasti at redhat.com (Martin Basti) Date: Mon, 20 Jul 2015 18:50:51 +0200 Subject: [Freeipa-devel] [PATCH 0291] Limit max age of replication changelog In-Reply-To: <55AD1857.8090209@redhat.com> References: <55AD0976.4070402@redhat.com> <55AD129D.8020608@redhat.com> <55AD1857.8090209@redhat.com> Message-ID: <55AD26EB.5030303@redhat.com> On 20/07/15 17:48, Petr Vobornik wrote: > On 07/20/2015 05:24 PM, Rob Crittenden wrote: >> Martin Basti wrote: >>> https://fedorahosted.org/freeipa/ticket/5086 >>> >>> Patch attached. >> >> Is this going to be a shock on upgrades for people who until now may be >> relying on the fact that there is no limit? > > Not making any point, but have to note: Ludwig raised a question on > users list but there was no feedback from users. > > https://www.redhat.com/archives/freeipa-users/2015-July/msg00022.html > >> >> Should there be a way for an admin to manage this, via the config module >> perhaps? >> >> IMHO this is a significant change and red flags need to be raised so >> users are aware of it. >> >> rob >> > > IIUC there is purge delay 7 days, so if changelog max age is 7 or more days, it will not break replication. The issue is if somebody uses changelog for different purpose, right? -- Martin Basti From mbabinsk at redhat.com Mon Jul 20 17:00:05 2015 
From: mbabinsk at redhat.com (Martin Babinsky) Date: Mon, 20 Jul 2015 19:00:05 +0200 Subject: [Freeipa-devel] [PATCH 0274] DNS: Check if dns package is installed In-Reply-To: <55A8F6F1.1060208@redhat.com> References: <5593EBD3.2000902@redhat.com> <5593FD26.8010903@redhat.com> <55943181.5060604@redhat.com> <5594DF23.8060103@redhat.com> <55951919.6020101@redhat.com> <559521B0.8010001@redhat.com> <55952664.5030704@redhat.com> <5595288F.5020906@redhat.com> <559633AD.7010005@redhat.com> <55A8F6F1.1060208@redhat.com> Message-ID: <55AD2915.70707@redhat.com> On 07/17/2015 02:37 PM, Martin Basti wrote: > On 03/07/15 09:03, Tomas Babej wrote: >> >> On 07/02/2015 02:03 PM, Petr Spacek wrote: >>> On 2.7.2015 13:54, Jan Cholasta wrote: >>>> Dne 2.7.2015 v 13:34 Petr Spacek napsal(a): >>>>> On 2.7.2015 12:57, Tomas Babej wrote: >>>>>> >>>>>> On 07/02/2015 08:50 AM, Petr Spacek wrote: >>>>>>> On 1.7.2015 20:29, Tomas Babej wrote: >>>>>>>> >>>>>>>> On 07/01/2015 04:45 PM, Petr Spacek wrote: >>>>>>>>> On 1.7.2015 15:32, Martin Basti wrote: >>>>>>>>>> https://fedorahosted.org/freeipa/ticket/4058 >>>>>>>>>> Requires patch freeipa-pspacek-0052 >>>>>>>>> ACK >>>>>>>>> >>>>>>>> I must admit I don't really like wrapping a constant in the >>>>>>>> method in >>>>>>>> the TaskNamespace object. >>>>>>>> >>>>>>>> We're interested in the constant itself - there's no case I can >>>>>>>> imagine >>>>>>>> where the name of the freeipa's dns package will be dynamic. >>>>>>>> >>>>>>>> For paths we have BasePathNamespace that contains all the paths, >>>>>>>> maybe >>>>>>>> we should introduce something similar for the non-path platform >>>>>>>> dependent constants? >>>>>>> Generally I support this but it seems like a 4.3 material (and >>>>>>> out of >>>>>>> scope of >>>>>>> #4058). We need to finish 4.2 now. >>>>>>> >>>>>>> Please ACK or NACK ASAP. >>>>>>> >>>>>> It's fairly straightforward to introduce a new platform namespace for >>>>>> constants. 
>>>>>> >>>>>> See attached patch, it implements the namespace and already >>>>>> contains the >>>>>> proper values for the dns package name. >>>>>> >>>>>> The original patch 274 would only need to use: >>>>>> >>>>>> >>> from ipaplatform.constants import constants >>>>>> >>> constants.DNS_PACKAGE_NAME >>>>>> 'freeipa-server-dns' >>>>> I'm okay with that if Honza or somebody else knowledgeable about the >>>>> whole >>>>> platform-thingy can ACK this, amend Martin^2's patch 274 and test >>>>> the whole >>>>> thing. >>>>> >>>>> Unfortunately I do not have time for it myself. If nobody does that >>>>> please >>>>> push the original patch (when its dependency pspacek-0052 gets ACK). >>>>> >>>> I think you are overengineering this a little bit, adding whatever >>>> ipaplatform >>>> stuff just because of an error message seems rather unnecessary to >>>> me. I think >>>> changing the error message to "Integrated DNS requires >>>> 'freeipa-server-dns' >>>> package" or even "Integrated DNS requires IPA DNS server package" >>>> would be >>>> perfectly fine. >>> The message should be as specific as possible but I do not care how >>> it will be >>> implemented. >>> >> Alright, let's not get stuck. Petr insists on a specific message on each >> platform. Given that the package name is platform-dependent, I think we >> should keep it as a platform constant; a task makes little sense. >> >> Given that Martin's not available right now, I'll amend his patches and >> send the updated version. >> >> Tomas > Updated patches attached. > > ACK for 332 > I just removed DNS constants from the 332 patch > > > ACK for Martin's patch. -- Martin^3 Babinsky From mareynol at redhat.com Mon Jul 20 17:04:09 2015 
From: mareynol at redhat.com (Mark Reynolds) Date: Mon, 20 Jul 2015 13:04:09 -0400 Subject: [Freeipa-devel] [PATCH 0291] Limit max age of replication changelog In-Reply-To: <55AD26EB.5030303@redhat.com> References: <55AD0976.4070402@redhat.com> <55AD129D.8020608@redhat.com> <55AD1857.8090209@redhat.com> <55AD26EB.5030303@redhat.com> Message-ID: <55AD2A09.9070101@redhat.com> On 07/20/2015 12:50 PM, Martin Basti wrote: > On 20/07/15 17:48, Petr Vobornik wrote: >> On 07/20/2015 05:24 PM, Rob Crittenden wrote: >>> Martin Basti wrote: >>>> https://fedorahosted.org/freeipa/ticket/5086 >>>> >>>> Patch attached. >>> >>> Is this going to be a shock on upgrades for people who until now may be >>> relying on the fact that there is no limit? >> >> Not making any point, but have to note: Ludwig raised a question on >> users list but there was no feedback from users. >> >> https://www.redhat.com/archives/freeipa-users/2015-July/msg00022.html >> >>> >>> Should there be a way for an admin to manage this, via the config >>> module >>> perhaps? >>> >>> IMHO this is a significant change and red flags need to be raised so >>> users are aware of it. >>> >>> rob >>> >> >> > > IIUC there is purge delay 7 days, so if changelog max age is 7 or more > days, it will not break replication. > The issue is if somebody uses changelog for different purpose, right? Well the replication changelog can not be used for anything else but the multimaster replication plugin. If a customer increased the replication purge delay you could potentially run into issues, but again this only comes into play when a replica is down for a very long time. I'm not sure if IPA even provides the option to adjust the replication purge delay, but that doesn't mean a customer can not adjust these settings on their own. Mark From tbabej at redhat.com Tue Jul 21 10:47:41 2015 
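The max-age versus purge-delay trade-off discussed in the changelog thread above, as an added example that is not part of the thread and not FreeIPA or 389-ds code: a Python check that flags a changelog max age shorter than the replication purge delay, and any replica that has been offline longer than the max age and would need re-initialization. The attribute names nsslapd-changelogmaxage and nsDS5ReplicaPurgeDelay, the duration format, and the sample replicas are assumptions.

```python
"""Replication changelog retention check.

Added example for the trade-off discussed in the changelog max-age thread;
this is not FreeIPA or 389-ds code. It assumes the 389-ds convention that
nsslapd-changelogmaxage is an integer with an optional s/m/h/d/w unit
suffix and that nsDS5ReplicaPurgeDelay is a plain number of seconds. The
replica names and timestamps are constructed sample data.
"""
import re
from datetime import datetime, timedelta

# Seconds per unit suffix; a bare integer is taken as seconds (assumption).
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
_DURATION_RE = re.compile(r"^\s*(\d+)\s*([smhdw]?)\s*$", re.IGNORECASE)

# Constructed sample data: when each replica last received a replicated update.
SAMPLE_NOW = datetime(2015, 7, 20, 12, 0, 0)
SAMPLE_LAST_UPDATE = {
    "replica1.example.test": SAMPLE_NOW - timedelta(days=1),
    "replica2.example.test": SAMPLE_NOW - timedelta(days=9),
    "replica3.example.test": SAMPLE_NOW - timedelta(days=6),
}


def parse_duration(value):
    """Return the number of seconds in a duration such as '7d', '12h' or '600'."""
    match = _DURATION_RE.match(str(value))
    if match is None:
        raise ValueError("unrecognised duration: %r" % (value,))
    amount, unit = match.groups()
    return int(amount) * UNIT_SECONDS[(unit or "s").lower()]


def changelog_retention_findings(changelog_maxage, purge_delay, last_update, now):
    """Report the two risks raised in the thread for a given max age.

    changelog_maxage: value of nsslapd-changelogmaxage, e.g. '7d'
    purge_delay:      value of nsDS5ReplicaPurgeDelay, in seconds
    last_update:      mapping replica name -> datetime of its last update
    now:              reference time for computing how long a replica was down

    Returns a list of (severity, replica_or_None, message) tuples; an empty
    list means the configuration is safe for every replica in last_update.
    """
    maxage = parse_duration(changelog_maxage)
    purge = parse_duration(purge_delay)
    findings = []

    # Thread rule of thumb: keep the max age at or above the purge delay
    # (7 days by default); a changelog trimmed sooner than that is where
    # replication itself can break.
    if maxage < purge:
        findings.append(("error", None,
                         "changelog max age (%ds) is shorter than the "
                         "replication purge delay (%ds)" % (maxage, purge)))

    # A replica offline longer than the max age cannot catch up when it
    # comes back and has to be re-initialized from another master.
    for name, seen in sorted(last_update.items()):
        gap = int((now - seen).total_seconds())
        if gap > maxage:
            findings.append(("error", name,
                             "offline for %d days, longer than the changelog "
                             "max age; re-initialization required" % (gap // 86400)))
        elif gap > maxage * 0.8:
            findings.append(("warning", name,
                             "offline for %d days, approaching the changelog "
                             "max age" % (gap // 86400)))
    return findings


def sample_findings(changelog_maxage, purge_delay="604800"):
    """Run the check against the constructed sample replicas."""
    return changelog_retention_findings(changelog_maxage, purge_delay,
                                        SAMPLE_LAST_UPDATE, SAMPLE_NOW)


if __name__ == "__main__":
    for severity, replica, message in sample_findings("7d"):
        print("%s [%s] %s" % (severity.upper(), replica or "config", message))
```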
From: tbabej at redhat.com (Tomas Babej)
Date: Tue, 21 Jul 2015 12:47:41 +0200
Subject: [Freeipa-devel] [PATCH 0342] idviews: Check for the Default Trust View only if applying
Message-ID: <55AE234D.9010902@redhat.com>

Hi,

Currently, the code wrongly validates the idview-unapply command. Move the check for the forbidden application of the Default Trust View into the correct logical branch.

https://fedorahosted.org/freeipa/ticket/4969

Tomas

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-tbabej-0342-idviews-Check-for-the-Default-Trust-View-only-if-app.patch
Type: text/x-patch
Size: 1792 bytes
Desc: not available
URL:

From sbose at redhat.com Tue Jul 21 11:41:14 2015
From: sbose at redhat.com (Sumit Bose)
Date: Tue, 21 Jul 2015 13:41:14 +0200
Subject: [Freeipa-devel] [PATCH 149] IPA KDB: allow case in-sensitive realm in AS request
Message-ID: <20150721114114.GA7078@p.redhat.com>

Hi,

this patch is my suggestion to solve https://fedorahosted.org/freeipa/ticket/4844 .

The original issue in the ticket has two parts. One is a loop in libkrb5 which is already fixed. The other is to handle canonicalization better.

The general way to allow canonicalization on a principal is to add the attributes 'krbcanonicalname'[1] and 'ipakrbprincipalalias' together with the objectclass 'ipaKrbPrincipal' to the user object. Then the IPA KDB backend will use 'ipakrbprincipalalias' for case-insensitive matches and the principal from 'krbcanonicalname' will be the canonical principal used further on. The 'krbPrincipalName' is not suitable for either because it has caseExact* matching rules and is a multivalue attribute [2].

What I got from the comments in the ticket and the related bugzilla ticket is that it should be possible to get a TGT for a user even if the realm is given in lower-case if canonicalization is enabled. Please note that the client can only send such a request because we have 'dns_lookup_kdc = true' in krb5.conf and DNS is case-insensitive. If you set 'dns_lookup_kdc = false' the client will fail immediately without sending a request at all, because it is not able to find a KDC for the lower-case realm.

On the server side the request is processed because of http://k5wiki.kerberos.org/wiki/Projects/Aliases which made parts of the processing case-insensitive.

With the attached patch a second lookup is done if the lookup with the original input returned no result, canonicalization is enabled and the realm from the original input matches the IPA realm case-insensitively. For the second lookup the realm is replaced with the IPA realm.
This approach adds a bit of redundant code but does not add extra processing to requests which would be successful before.

Without the patch

kinit ipauser@IPA.REALM -> success
kinit -C ipauser@IPA.REALM -> success
kinit ipauser@ipa.realm -> failure
kinit -C ipauser@ipa.realm -> failure

With the patch

kinit ipauser@IPA.REALM -> success
kinit -C ipauser@IPA.REALM -> success
kinit ipauser@ipa.realm -> success
kinit -C ipauser@ipa.realm -> success

where 'ipa.realm' can be replaced by a mixed-case version like 'iPa.ReAlM' as well.

bye,
Sumit

[1] I was not able to add 'krbcanonicalname' as admin user because of an ACI denial. I wonder if this is expected or if the ACI rules should be extended here?

[2] We might skip the requirement that 'krbcanonicalname' must exist if 'ipaKrbPrincipal' only has a single value, but canonicalization will fail immediately if someone adds a second value, so I guess it would be more safe to keep it as it is.

-------------- next part --------------
From 39744160f1779cf8e5ff00531b432c88fc53200b Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Tue, 21 Jul 2015 12:12:56 +0200
Subject: [PATCH] IPA KDB: allow case in-sensitive realm in AS request

If the canonicalization flag is set the realm of the client principal in an AS request (kinit) may only match case in-sensitive.

Resolves https://fedorahosted.org/freeipa/ticket/4844
---
 daemons/ipa-kdb/ipa_kdb_principals.c | 31 ++++++++++++++++++++++++++++++-
 1 file changed, 30 insertions(+), 1 deletion(-)

diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index b3f8b1ad7784f55f55b4d6edd05f778a9389de27..344d44fb9b20f74615993a561b8b39f34f57cf25 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -1026,6 +1026,8 @@ krb5_error_code ipadb_get_principal(krb5_context kcontext, LDAPMessage *res = NULL; LDAPMessage *lentry; uint32_t pol; + size_t realm_len; + char *p; ipactx = ipadb_get_context(kcontext); if (!ipactx) { @@ -1044,7 +1046,34 @@ krb5_error_code ipadb_get_principal(krb5_context kcontext, kerr = ipadb_find_principal(kcontext, flags, res, &principal, &lentry); if (kerr != 0) { - goto done; + realm_len = strlen(ipactx->realm); + + /* If canonicalization is enabled and the realm only differs in case + * from the IPA realm retry with the correct case. */ + if (kerr == KRB5_KDB_NOENTRY + && (flags & KRB5_KDB_FLAG_ALIAS_OK) != 0 + && krb5_princ_realm(kcontext, search_for)->length == realm_len + && strncasecmp(krb5_princ_realm(kcontext,search_for)->data, + ipactx->realm, realm_len) == 0) { + p = strchr(principal, '@'); + if (p == NULL || *(++p + realm_len) != '\0') { + goto done; + } + memcpy(p, ipactx->realm, realm_len); + + kerr = ipadb_fetch_principals(ipactx, flags, principal, &res); + if (kerr != 0) { + goto done; + } + + kerr = ipadb_find_principal(kcontext, flags, res, &principal, + &lentry); + if (kerr != 0) { + goto done; + } + } else { + goto done; + } } kerr = ipadb_parse_ldap_entry(kcontext, principal, lentry, entry, &pol); -- 2.1.0 From msimacek at redhat.com Tue Jul 21 12:02:26 2015 From: msimacek at redhat.com (Michael Simacek) Date: Tue, 21 Jul 2015 08:02:26 -0400 (EDT) Subject: [Freeipa-devel] [PATCH] Port from python-kerberos library to python-gssapi In-Reply-To: <940015405.1320157.1437479609434.JavaMail.zimbra@redhat.com> Message-ID: <2026883365.1326941.1437480146008.JavaMail.zimbra@redhat.com> Hi, This is a first part of my effort to port FreeIPA from Python3-incompatible Kerberos libraries to python-gssapi. This patch should replace python-kerberos with python-gssapi (both use C GSSAPI behind the scenes). -- Michael Simacek >From bca55a6bd9cdb9cdea9d81b55cfdbc2c1279f031 Mon Sep 17 00:00:00 2001 
From: Michael Simacek Date: Thu, 16 Jul 2015 18:22:00 +0200 Subject: [PATCH] Port from python-kerberos library to python-gssapi kerberos library doesn't support Python 3 and probably never will. python-gssapi library is Python 3 compatible. --- BUILD.txt | 2 +- freeipa.spec.in | 2 +- ipalib/rpc.py | 42 +++++++++++++++++++++--------------------- ipalib/util.py | 14 +++++++------- ipapython/ipautil.py | 17 ----------------- 5 files changed, 30 insertions(+), 47 deletions(-) diff --git a/BUILD.txt b/BUILD.txt index 6a28beb..53012b1 100644 --- a/BUILD.txt +++ b/BUILD.txt @@ -20,7 +20,7 @@ systemd-units samba-devel samba-python libwbclient-devel libtalloc-devel \ libtevent-devel nspr-devel nss-devel openssl-devel openldap-devel krb5-devel \ krb5-workstation libuuid-devel libcurl-devel xmlrpc-c-devel popt-devel \ autoconf automake m4 libtool gettext python-devel python-ldap \ -python-setuptools python-krbV python-nss python-netaddr python-kerberos \ +python-setuptools python-krbV python-nss python-netaddr python-gssapi \ python-rhsm pyOpenSSL pylint python-polib libipa_hbac-python python-memcached \ sssd python-lxml python-pyasn1 python-qrcode-core python-dns m2crypto \ check libsss_idmap-devel libsss_nss_idmap-devel java-headless rhino \ diff --git a/freeipa.spec.in b/freeipa.spec.in index fef20e1..5e10022 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -72,7 +72,7 @@ BuildRequires: python-krbV BuildRequires: python-nss BuildRequires: python-cryptography BuildRequires: python-netaddr -BuildRequires: python-kerberos >= 1.1-14 +BuildRequires: python-gssapi >= 1.1.1 BuildRequires: python-rhsm BuildRequires: pyOpenSSL BuildRequires: pylint >= 1.0 diff --git a/ipalib/rpc.py b/ipalib/rpc.py index 466b49a..bbedcc9 100644 --- a/ipalib/rpc.py +++ b/ipalib/rpc.py 
@@ -44,7 +44,7 @@ from urllib2 import urlparse from xmlrpclib import (Binary, Fault, DateTime, dumps, loads, ServerProxy, Transport, ProtocolError, MININT, MAXINT) -import kerberos +import gssapi from dns import resolver, rdatatype from dns.exception import DNSException from nss.error import NSPRError @@ -510,24 +510,27 @@ class KerbTransport(SSLTransport): """ Handles Kerberos Negotiation authentication to an XML-RPC server. """ - flags = kerberos.GSS_C_MUTUAL_FLAG | kerberos.GSS_C_SEQUENCE_FLAG + flags = gssapi.IntEnumFlagSet(gssapi.RequirementFlag, + [gssapi.RequirementFlag.mutual_authentication, + gssapi.RequirementFlag.out_of_sequence_detection]) def _handle_exception(self, e, service=None): - (major, minor) = ipautil.get_gsserror(e) - if minor[1] == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN: + # kerberos library coerced error codes to signed, gssapi uses unsigned + minor = e.min_code - (1 << 32) + if minor == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN: raise errors.ServiceError(service=service) - elif minor[1] == KRB5_FCC_NOFILE: + elif minor == KRB5_FCC_NOFILE: raise errors.NoCCacheError() - elif minor[1] == KRB5KRB_AP_ERR_TKT_EXPIRED: + elif minor == KRB5KRB_AP_ERR_TKT_EXPIRED: raise errors.TicketExpired() - elif minor[1] == KRB5_FCC_PERM: + elif minor == KRB5_FCC_PERM: raise errors.BadCCachePerms() - elif minor[1] == KRB5_CC_FORMAT: + elif minor == KRB5_CC_FORMAT: raise errors.BadCCacheFormat() - elif minor[1] == KRB5_REALM_CANT_RESOLVE: + elif minor == KRB5_REALM_CANT_RESOLVE: raise errors.CannotResolveKDC() else: - raise errors.KerberosError(major=major, minor=minor) + raise errors.KerberosError(major=e.maj_code, minor=minor) def get_host_info(self, host): """ 
@@ -548,14 +551,9 @@ class KerbTransport(SSLTransport): service = "HTTP@" + host.split(':')[0] try: - (rc, vc) = kerberos.authGSSClientInit(service=service, - gssflags=self.flags) - except kerberos.GSSError, e: - self._handle_exception(e) - - try: - kerberos.authGSSClientStep(vc, "") - except kerberos.GSSError, e: + name = gssapi.Name(service, gssapi.NameType.hostbased_service) + response = gssapi.raw.init_sec_context(name, flags=self.flags).token + except gssapi.exceptions.GSSError as e: self._handle_exception(e, service=service) for (h, v) in extra_headers: @@ -564,7 +562,7 @@ class KerbTransport(SSLTransport): break extra_headers.append( - ('Authorization', 'negotiate %s' % kerberos.authGSSClientResponse(vc)) + ('Authorization', 'negotiate %s' % base64.b64encode(response)) ) return (host, extra_headers, x509) @@ -632,8 +630,10 @@ class DelegatedKerbTransport(KerbTransport): Handles Kerberos Negotiation authentication and TGT delegation to an XML-RPC server. """ - flags = kerberos.GSS_C_DELEG_FLAG | kerberos.GSS_C_MUTUAL_FLAG | \ - kerberos.GSS_C_SEQUENCE_FLAG + flags = gssapi.IntEnumFlagSet(gssapi.RequirementFlag, + [gssapi.RequirementFlag.delegate_to_peer, + gssapi.RequirementFlag.mutual_authentication, + gssapi.RequirementFlag.out_of_sequence_detection]) class RPCClient(Connectible): diff --git a/ipalib/util.py b/ipalib/util.py index 649a487..aea3ba9 100644 --- a/ipalib/util.py +++ b/ipalib/util.py 
@@ -63,15 +63,15 @@ def json_serialize(obj): def get_current_principal(): try: - import kerberos - rc, vc = kerberos.authGSSClientInit("notempty") - rc = kerberos.authGSSClientInquireCred(vc) - username = kerberos.authGSSClientUserName(vc) - kerberos.authGSSClientClean(vc) + import gssapi + cred = gssapi.raw.acquire_cred(usage='initiate').creds + name = gssapi.raw.inquire_cred(cred, lifetime=False, usage=False, + mechs=False).name + username = gssapi.raw.display_name(name, name_type=False).name return unicode(username) except ImportError: - raise RuntimeError('python-kerberos is not available.') - except kerberos.GSSError, e: + raise RuntimeError('python-gssapi is not available.') + except gssapi.exceptions.GSSError: #TODO: do a kinit? raise errors.CCacheError() diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py index 88e8970..05a7eeb 100644 --- a/ipapython/ipautil.py +++ b/ipapython/ipautil.py @@ -783,23 +783,6 @@ def user_input(prompt, default = None, allow_empty = True): return ret -def get_gsserror(e): - """ - A GSSError exception looks differently in python 2.4 than it does - in python 2.5. Deal with it. - """ - - try: - major = e[0] - minor = e[1] - except: - major = e[0][0] - minor = e[0][1] - - return (major, minor) - - - def host_port_open(host, port, socket_type=socket.SOCK_STREAM, socket_timeout=None): for res in socket.getaddrinfo(host, port, socket.AF_UNSPEC, socket_type): af, socktype, proto, canonname, sa = res -- 2.1.0 From cheimes at redhat.com Tue Jul 21 12:23:06 2015 
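Review bot: in the get_host_info hunk of ipalib/rpc.py, `('Authorization', 'negotiate %s' % base64.b64encode(response))` starts using `base64`, but the import hunk only replaces `import kerberos` with `import gssapi`; unless rpc.py already imports base64 (not visible in this diff), the first authenticated request fails with a NameError, so add the import in this patch. In the same hunk, `response = gssapi.raw.init_sec_context(name, flags=self.flags).token` keeps only the initial token and drops the security context, so the mutual_authentication flag requested in `flags` can never be completed because nothing is left to process the server's reply token with; the old code had the same limitation with its local `vc`, but since the port touches exactly these lines, either store the context on the transport for later or document that the server is not authenticated at the GSSAPI layer.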
From: cheimes at redhat.com (Christian Heimes)
Date: Tue, 21 Jul 2015 14:23:06 +0200
Subject: [Freeipa-devel] [PATCH] Port from python-kerberos library to python-gssapi
In-Reply-To: <2026883365.1326941.1437480146008.JavaMail.zimbra@redhat.com>
References: <2026883365.1326941.1437480146008.JavaMail.zimbra@redhat.com>
Message-ID: <55AE39AA.1040804@redhat.com>

On 2015-07-21 14:02, Michael Simacek wrote:
> Hi,
>
> This is a first part of my effort to port FreeIPA from Python3-incompatible
> Kerberos libraries to python-gssapi. This patch should replace python-kerberos
> with python-gssapi (both use C GSSAPI behind the scenes).

> def _handle_exception(self, e, service=None):
> - (major, minor) = ipautil.get_gsserror(e)
> - if minor[1] == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:
> + # kerberos library coerced error codes to signed, gssapi uses unsigned
> + minor = e.min_code - (1 << 32)
> + if minor == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:

The unsigned to signed conversion is not correct. Although it doesn't make a difference here, please use the technically correct way:

    minor = e.min_code
    if minor & (1 << 31):
        minor -= 1 << 32

or if you prefer hex:

    if minor & 0x80000000:
        minor -= 0x100000000

Christian

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: OpenPGP digital signature
URL:

From sbose at redhat.com Tue Jul 21 12:28:44 2015
From: sbose at redhat.com (Sumit Bose) Date: Tue, 21 Jul 2015 14:28:44 +0200 Subject: [Freeipa-devel] [PATCH 149] IPA KDB: allow case in-sensitive realm in AS request In-Reply-To: <20150721114114.GA7078@p.redhat.com> References: <20150721114114.GA7078@p.redhat.com> Message-ID: <20150721122844.GC7078@p.redhat.com> On Tue, Jul 21, 2015 at 01:41:14PM +0200, Sumit Bose wrote: > Hi, > > this patch is my suggestion to solve > https://fedorahosted.org/freeipa/ticket/4844 . > > The original issue in the ticket has two part. One is a loop in libkrb5 > which is already fixed. The other is to handle canonicalization better. > > The general way to allow canonicalization on a principal is to add the > attributes 'krbcanonicalname'[1] and 'ipakrbprincipalalias' together > with the objectclass 'ipaKrbPrincipal' to the user object. Then the IPA > KDB backend will use 'ipakrbprincipalalias' for case in-sensitive > matches and the principal from 'krbcanonicalname' will be the canonical > principal used further on. The 'krbPrincipalName' is not suitable for > either because it has caseExact* matching rules and is a multivalue > attribute [2]. > > What I got from the comments in the ticket and the related bugzilla > ticket is that it should be possible to get a TGT for a user even if the > realm is given in lower-case if canonicalization is enabled. Please note > that the client can only send such request because we have > 'dns_lookup_kdc = true' in krb.conf and DNS is case in-sensitive. If you > set 'dns_lookup_kdc = false' the client will fail immediately without > sending a request at all, because it is not able to find a KDC for the > lower-case realm. > > On the server-side the request is processed because of > http://k5wiki.kerberos.org/wiki/Projects/Aliases which made parts of > processing case in-sensitive. 
> > With the attached patch a second lookup is done if the lookup with the > original input returned no result, canonicalization is > enabled and the realm from the original input matches the IPA realm case > in-sensitive. For the second lookup the realm is replace with the IPA > realm. This approach adds a bit redundant code but does not add extra > processing requests which would be successful before. > > Without the patch > kinit ipauser at IPA.REALM -> success > kinit -C ipauser at IPA.REALM -> success > kinit ipauser at ipa.realm -> failure > kinit -C ipauser at ipa.realm -> failure > > With the patch > kinit ipauser at IPA.REALM -> success > kinit -C ipauser at IPA.REALM -> success > kinit ipauser at ipa.realm -> success ah, sorry, copy-and-paste error, this will of course still fail. Even if we would automatically canonicalize it on the server the client wouldn't accept the changed principal without the -C option. bye, Sumit > kinit -C ipauser at ipa.realm -> success > > where 'ipa.realm' can be replace by mixed case version like 'iPa.ReAlM' > as well. > > bye, > Sumit > > [1] I was not able to add 'krbcanonicalname' as admin user because of an > ACI denial. I wonder if this is expected or if the ACI rules should be > extended here? > > [2] We might to skip the requirement that 'krbcanonicalname' must exists > if 'ipaKrbPrincipal' only has a single value but canonicalization will > fail immediately if someone adds a second value so I guess it would be > more safe to keep it as it is. > From msimacek at redhat.com Tue Jul 21 13:26:24 2015 From: msimacek at redhat.com (Michael Simacek) Date: Tue, 21 Jul 2015 09:26:24 -0400 (EDT) Subject: [Freeipa-devel] [PATCH] Port from python-kerberos library to python-gssapi In-Reply-To: <55AE39AA.1040804@redhat.com> References: <2026883365.1326941.1437480146008.JavaMail.zimbra@redhat.com> <55AE39AA.1040804@redhat.com> Message-ID: <86112597.1414964.1437485184829.JavaMail.zimbra@redhat.com> ----- Original Message ----- 
> From: "Christian Heimes" > To: freeipa-devel at redhat.com, msimacek at redhat.com > Sent: Tuesday, July 21, 2015 2:23:06 PM > Subject: Re: [Freeipa-devel] [PATCH] Port from python-kerberos library to python-gssapi > > On 2015-07-21 14:02, Michael Simacek wrote: > > Hi, > > > > This is a first part of my effort to port FreeIPA from Python3-incompatible > > Kerberos libraries to python-gssapi. This patch should replace > > python-kerberos > > with python-gssapi (both use C GSSAPI behind the scenes). > > > def _handle_exception(self, e, service=None): > > - (major, minor) = ipautil.get_gsserror(e) > > - if minor[1] == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN: > > + # kerberos library coerced error codes to signed, gssapi uses > > unsigned > > + minor = e.min_code - (1 << 32) > > + if minor == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN: > > The unsigned to sign conversion is not correct. Although it doesn't make > a difference here, please use the technical correct way: > > minor = e.min_code > if minor & (1 << 31): > minor -= 1 << 32 > > or if you prefer hex: > > if minor & 0x80000000: > minor -= 0x100000000 > Fixed, thank you. Hopefully, when FreeIPA will use python-gssapi everywhere, such coercions won't be needed. -- Michael Simacek >From c59cadae8d461aa0c771cb56a34d53c9533a4248 Mon Sep 17 00:00:00 2001 From: Michael Simacek Date: Thu, 16 Jul 2015 18:22:00 +0200 Subject: [PATCH] Port from python-kerberos library to python-gssapi kerberos library doesn't support Python 3 and probably never will. python-gssapi library is Python 3 compatible. --- BUILD.txt | 2 +- freeipa.spec.in | 2 +- ipalib/rpc.py | 44 +++++++++++++++++++++++--------------------- ipalib/util.py | 14 +++++++------- ipapython/ipautil.py | 17 ----------------- 5 files changed, 32 insertions(+), 47 deletions(-) diff --git a/BUILD.txt b/BUILD.txt index 6a28beb..53012b1 100644 --- a/BUILD.txt +++ b/BUILD.txt 
@@ -20,7 +20,7 @@ systemd-units samba-devel samba-python libwbclient-devel libtalloc-devel \ libtevent-devel nspr-devel nss-devel openssl-devel openldap-devel krb5-devel \ krb5-workstation libuuid-devel libcurl-devel xmlrpc-c-devel popt-devel \ autoconf automake m4 libtool gettext python-devel python-ldap \ -python-setuptools python-krbV python-nss python-netaddr python-kerberos \ +python-setuptools python-krbV python-nss python-netaddr python-gssapi \ python-rhsm pyOpenSSL pylint python-polib libipa_hbac-python python-memcached \ sssd python-lxml python-pyasn1 python-qrcode-core python-dns m2crypto \ check libsss_idmap-devel libsss_nss_idmap-devel java-headless rhino \ diff --git a/freeipa.spec.in b/freeipa.spec.in index fef20e1..5e10022 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -72,7 +72,7 @@ BuildRequires: python-krbV BuildRequires: python-nss BuildRequires: python-cryptography BuildRequires: python-netaddr -BuildRequires: python-kerberos >= 1.1-14 +BuildRequires: python-gssapi >= 1.1.1 BuildRequires: python-rhsm BuildRequires: pyOpenSSL BuildRequires: pylint >= 1.0 diff --git a/ipalib/rpc.py b/ipalib/rpc.py index 466b49a..9e8c97d 100644 --- a/ipalib/rpc.py +++ b/ipalib/rpc.py @@ -44,7 +44,7 @@ from urllib2 import urlparse from xmlrpclib import (Binary, Fault, DateTime, dumps, loads, ServerProxy, Transport, ProtocolError, MININT, MAXINT) -import kerberos +import gssapi from dns import resolver, rdatatype from dns.exception import DNSException from nss.error import NSPRError 
@@ -510,24 +510,29 @@ class KerbTransport(SSLTransport): """ Handles Kerberos Negotiation authentication to an XML-RPC server. """ - flags = kerberos.GSS_C_MUTUAL_FLAG | kerberos.GSS_C_SEQUENCE_FLAG + flags = gssapi.IntEnumFlagSet(gssapi.RequirementFlag, + [gssapi.RequirementFlag.mutual_authentication, + gssapi.RequirementFlag.out_of_sequence_detection]) def _handle_exception(self, e, service=None): - (major, minor) = ipautil.get_gsserror(e) - if minor[1] == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN: + # kerberos library coerced error codes to signed, gssapi uses unsigned + minor = e.min_code + if minor & (1 << 31): + minor -= 1 << 32 + if minor == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN: raise errors.ServiceError(service=service) - elif minor[1] == KRB5_FCC_NOFILE: + elif minor == KRB5_FCC_NOFILE: raise errors.NoCCacheError() - elif minor[1] == KRB5KRB_AP_ERR_TKT_EXPIRED: + elif minor == KRB5KRB_AP_ERR_TKT_EXPIRED: raise errors.TicketExpired() - elif minor[1] == KRB5_FCC_PERM: + elif minor == KRB5_FCC_PERM: raise errors.BadCCachePerms() - elif minor[1] == KRB5_CC_FORMAT: + elif minor == KRB5_CC_FORMAT: raise errors.BadCCacheFormat() - elif minor[1] == KRB5_REALM_CANT_RESOLVE: + elif minor == KRB5_REALM_CANT_RESOLVE: raise errors.CannotResolveKDC() else: - raise errors.KerberosError(major=major, minor=minor) + raise errors.KerberosError(major=e.maj_code, minor=minor) def get_host_info(self, host): """ @@ -548,14 +553,9 @@ class KerbTransport(SSLTransport): service = "HTTP@" + host.split(':')[0] try: - (rc, vc) = kerberos.authGSSClientInit(service=service, - gssflags=self.flags) - except kerberos.GSSError, e: - self._handle_exception(e) - - try: - kerberos.authGSSClientStep(vc, "") - except kerberos.GSSError, e: + name = gssapi.Name(service, gssapi.NameType.hostbased_service) + response = gssapi.raw.init_sec_context(name, flags=self.flags).token + except gssapi.exceptions.GSSError as e: self._handle_exception(e, service=service) for (h, v) in extra_headers: 
@@ -564,7 +564,7 @@ class KerbTransport(SSLTransport): break extra_headers.append( - ('Authorization', 'negotiate %s' % kerberos.authGSSClientResponse(vc)) + ('Authorization', 'negotiate %s' % base64.b64encode(response)) ) return (host, extra_headers, x509) @@ -632,8 +632,10 @@ class DelegatedKerbTransport(KerbTransport): Handles Kerberos Negotiation authentication and TGT delegation to an XML-RPC server. """ - flags = kerberos.GSS_C_DELEG_FLAG | kerberos.GSS_C_MUTUAL_FLAG | \ - kerberos.GSS_C_SEQUENCE_FLAG + flags = gssapi.IntEnumFlagSet(gssapi.RequirementFlag, + [gssapi.RequirementFlag.delegate_to_peer, + gssapi.RequirementFlag.mutual_authentication, + gssapi.RequirementFlag.out_of_sequence_detection]) class RPCClient(Connectible): diff --git a/ipalib/util.py b/ipalib/util.py index 649a487..aea3ba9 100644 --- a/ipalib/util.py +++ b/ipalib/util.py @@ -63,15 +63,15 @@ def json_serialize(obj): def get_current_principal(): try: - import kerberos - rc, vc = kerberos.authGSSClientInit("notempty") - rc = kerberos.authGSSClientInquireCred(vc) - username = kerberos.authGSSClientUserName(vc) - kerberos.authGSSClientClean(vc) + import gssapi + cred = gssapi.raw.acquire_cred(usage='initiate').creds + name = gssapi.raw.inquire_cred(cred, lifetime=False, usage=False, + mechs=False).name + username = gssapi.raw.display_name(name, name_type=False).name return unicode(username) except ImportError: - raise RuntimeError('python-kerberos is not available.') - except kerberos.GSSError, e: + raise RuntimeError('python-gssapi is not available.') + except gssapi.exceptions.GSSError: #TODO: do a kinit? raise errors.CCacheError() diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py index 88e8970..05a7eeb 100644 --- a/ipapython/ipautil.py +++ b/ipapython/ipautil.py 
@@ -783,23 +783,6 @@ def user_input(prompt, default = None, allow_empty = True): return ret -def get_gsserror(e): - """ - A GSSError exception looks differently in python 2.4 than it does - in python 2.5. Deal with it. - """ - - try: - major = e[0] - minor = e[1] - except: - major = e[0][0] - minor = e[0][1] - - return (major, minor) - - - def host_port_open(host, port, socket_type=socket.SOCK_STREAM, socket_timeout=None): for res in socket.getaddrinfo(host, port, socket.AF_UNSPEC, socket_type): af, socktype, proto, canonname, sa = res -- 2.1.0 From abokovoy at redhat.com Tue Jul 21 14:00:04 2015 
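Review bot: in the _handle_exception hunk of ipalib/rpc.py, the sign conversion (`minor = e.min_code` / `if minor & (1 << 31):` / `minor -= 1 << 32`) is now right for both halves of the 32-bit range, but the comment above it only describes what the old library used to do; state the actual invariant instead, namely that `e.min_code` is an unsigned 32-bit value while the KRB5_* constants it is compared against are the signed values of the C krb5_error_code. Since the ipautil hunk removes `get_gsserror`, this is now the only place that knows about the coercion; a tiny named helper (for example next to the KRB5_* constants) would keep that knowledge in one documented spot for the remaining python-kerberos call sites still to be ported.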
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Tue, 21 Jul 2015 17:00:04 +0300 Subject: [Freeipa-devel] [PATCH 149] IPA KDB: allow case in-sensitive realm in AS request In-Reply-To: <20150721114114.GA7078@p.redhat.com> References: <20150721114114.GA7078@p.redhat.com> Message-ID: <20150721140004.GM21928@redhat.com> On Tue, 21 Jul 2015, Sumit Bose wrote: >Hi, > >this patch is my suggestion to solve >https://fedorahosted.org/freeipa/ticket/4844 . > >The original issue in the ticket has two part. One is a loop in libkrb5 >which is already fixed. The other is to handle canonicalization better. > >The general way to allow canonicalization on a principal is to add the >attributes 'krbcanonicalname'[1] and 'ipakrbprincipalalias' together >with the objectclass 'ipaKrbPrincipal' to the user object. Then the IPA >KDB backend will use 'ipakrbprincipalalias' for case in-sensitive >matches and the principal from 'krbcanonicalname' will be the canonical >principal used further on. The 'krbPrincipalName' is not suitable for >either because it has caseExact* matching rules and is a multivalue >attribute [2]. Yes. Right now we only have alias support built in into services, not users. >What I got from the comments in the ticket and the related bugzilla >ticket is that it should be possible to get a TGT for a user even if the >realm is given in lower-case if canonicalization is enabled. Please note >that the client can only send such request because we have >'dns_lookup_kdc = true' in krb.conf and DNS is case in-sensitive. If you >set 'dns_lookup_kdc = false' the client will fail immediately without >sending a request at all, because it is not able to find a KDC for the >lower-case realm. > >On the server-side the request is processed because of >http://k5wiki.kerberos.org/wiki/Projects/Aliases which made parts of >processing case in-sensitive. 
> >With the attached patch a second lookup is done if the lookup with the >original input returned no result, canonicalization is >enabled and the realm from the original input matches the IPA realm case >in-sensitive. For the second lookup the realm is replace with the IPA >realm. This approach adds a bit redundant code but does not add extra >processing requests which would be successful before. > >Without the patch >kinit ipauser at IPA.REALM -> success >kinit -C ipauser at IPA.REALM -> success >kinit ipauser at ipa.realm -> failure >kinit -C ipauser at ipa.realm -> failure > >With the patch >kinit ipauser at IPA.REALM -> success >kinit -C ipauser at IPA.REALM -> success >kinit ipauser at ipa.realm -> success Failure here (as you wrote in the other email). >kinit -C ipauser at ipa.realm -> success > >where 'ipa.realm' can be replace by mixed case version like 'iPa.ReAlM' >as well. > >bye, >Sumit > >[1] I was not able to add 'krbcanonicalname' as admin user because of an >ACI denial. I wonder if this is expected or if the ACI rules should be >extended here? ACIs need to be extended to allow setting the attribute, yes. >[2] We might to skip the requirement that 'krbcanonicalname' must exists >if 'ipaKrbPrincipal' only has a single value but canonicalization will >fail immediately if someone adds a second value so I guess it would be >more safe to keep it as it is. yep. >From 39744160f1779cf8e5ff00531b432c88fc53200b Mon Sep 17 00:00:00 2001 >From: Sumit Bose >Date: Tue, 21 Jul 2015 12:12:56 +0200 >Subject: [PATCH] IPA KDB: allow case in-sensitive realm in AS request > >If the canonicalization flag is set the realm of the client principal in >an AS request (kinit) may only match case in-sensitive. > >Resolves https://fedorahosted.org/freeipa/ticket/4844 >--- > daemons/ipa-kdb/ipa_kdb_principals.c | 31 ++++++++++++++++++++++++++++++- > 1 file changed, 30 insertions(+), 1 deletion(-) 
> >diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c >index b3f8b1ad7784f55f55b4d6edd05f778a9389de27..344d44fb9b20f74615993a561b8b39f34f57cf25 100644 >--- a/daemons/ipa-kdb/ipa_kdb_principals.c >+++ b/daemons/ipa-kdb/ipa_kdb_principals.c >@@ -1026,6 +1026,8 @@ krb5_error_code ipadb_get_principal(krb5_context kcontext, > LDAPMessage *res = NULL; > LDAPMessage *lentry; > uint32_t pol; >+ size_t realm_len; >+ char *p; > > ipactx = ipadb_get_context(kcontext); > if (!ipactx) { >@@ -1044,7 +1046,34 @@ krb5_error_code ipadb_get_principal(krb5_context kcontext, > > kerr = ipadb_find_principal(kcontext, flags, res, &principal, &lentry); > if (kerr != 0) { >- goto done; >+ realm_len = strlen(ipactx->realm); >+ >+ /* If canonicalization is enabled and the realm only differs in case >+ * from the IPA realm retry with the correct case. */ >+ if (kerr == KRB5_KDB_NOENTRY >+ && (flags & KRB5_KDB_FLAG_ALIAS_OK) != 0 >+ && krb5_princ_realm(kcontext, search_for)->length == realm_len >+ && strncasecmp(krb5_princ_realm(kcontext,search_for)->data, >+ ipactx->realm, realm_len) == 0) { It would probably be better to use ulc_casecmp() here like in ipadb_get_principal(). >+ p = strchr(principal, '@'); Should it be strrchr()? >+ if (p == NULL || *(++p + realm_len) != '\0') { >+ goto done; >+ } >+ memcpy(p, ipactx->realm, realm_len); >+ >+ kerr = ipadb_fetch_principals(ipactx, flags, principal, &res); >+ if (kerr != 0) { >+ goto done; >+ } >+ >+ kerr = ipadb_find_principal(kcontext, flags, res, &principal, >+ &lentry); >+ if (kerr != 0) { >+ goto done; >+ } >+ } else { >+ goto done; >+ } > } > > kerr = ipadb_parse_ldap_entry(kcontext, principal, lentry, entry, &pol); >-- >2.1.0 > >-- >Manage your subscription for the Freeipa-devel mailing list: >https://www.redhat.com/mailman/listinfo/freeipa-devel >Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code -- / Alexander Bokovoy From jcholast at redhat.com Tue Jul 21 15:18:55 2015 
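Review bot: in the retry branch of the second hunk, `kerr = ipadb_fetch_principals(ipactx, flags, principal, &res);` overwrites `res` while it still references the result set of the first fetch (the one that yielded no matching entry but is not necessarily NULL); unless ipadb_fetch_principals releases an existing `*res` itself, that message is leaked on every retried lookup, so free it before the second fetch, e.g. `ldap_msgfree(res); res = NULL;`. The `*(++p + realm_len) != '\0'` guard is what makes the in-place `memcpy(p, ipactx->realm, realm_len)` safe, since it refuses to rewrite unless the text after '@' has exactly realm_len bytes; as raised above, `strrchr` is the safer way to locate that '@', because a quoted `\@` inside a principal component would otherwise be picked up first by `strchr`.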
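The realm-retry rule discussed in this patch and review (exact-length check, case-insensitive comparison, in-place rewrite of the realm, and the strchr versus strrchr question) isolated as an added example. This is not the ipa-kdb code: the type and function names are invented here, the inputs are constructed from the kinit table above, and it uses the ASCII-only strncasecmp() where the review suggests ulc_casecmp() for non-ASCII realms.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp(): ASCII-only case folding, see lead-in */

/* Added example, not ipa-kdb code: outcome of applying the realm-retry
 * rule to a principal string. */
typedef enum {
    REALM_EXACT = 0,     /* realm already spelled like the IPA realm; untouched */
    REALM_REWRITTEN = 1, /* differed only in case; rewritten in place */
    REALM_MISMATCH = 2   /* different realm, wrong length or no realm; untouched */
} realm_result;

/* Rewrite the realm part of `principal` to the configured spelling when it
 * differs from `ipa_realm` only in letter case. Nothing else is modified. */
realm_result canonicalize_realm_case(char *principal, const char *ipa_realm)
{
    size_t realm_len = strlen(ipa_realm);

    /* The realm follows the last '@'. A principal component may contain a
     * quoted '@' (written "\@"), so the first '@' found by strchr() is not
     * necessarily the realm separator; search from the end instead. */
    char *at = strrchr(principal, '@');
    if (at == NULL || (at > principal && at[-1] == '\\')) {
        return REALM_MISMATCH;          /* no unescaped realm separator */
    }
    char *realm = at + 1;

    /* Require identical length before comparing, so that only a case
     * variant of the IPA realm qualifies, never a longer or shorter name.
     * This is also what makes the in-place memcpy() below safe. */
    if (strlen(realm) != realm_len) {
        return REALM_MISMATCH;
    }
    if (strncasecmp(realm, ipa_realm, realm_len) != 0) {
        return REALM_MISMATCH;          /* genuinely different realm */
    }
    if (memcmp(realm, ipa_realm, realm_len) == 0) {
        return REALM_EXACT;             /* the first lookup would have matched */
    }
    memcpy(realm, ipa_realm, realm_len);
    return REALM_REWRITTEN;
}

/* Run one case: copy the input into a scratch buffer, apply the rule and
 * check both the result code and the resulting string. */
bool check_case(const char *input, const char *ipa_realm,
                realm_result want, const char *want_string)
{
    char buf[128];
    if (strlen(input) >= sizeof(buf)) {
        return false;
    }
    strcpy(buf, input);
    realm_result got = canonicalize_realm_case(buf, ipa_realm);
    return got == want && strcmp(buf, want_string) == 0;
}

int main(void)
{
    /* Constructed inputs modelled on the kinit table in the patch mail. */
    const char *inputs[] = {
        "ipauser@IPA.REALM", "ipauser@ipa.realm", "ipauser@iPa.ReAlM",
        "ipauser@ipa.realm.example", "ipauser@OTHER.REALM",
        "user\\@host@ipa.realm", "user\\@onlyescaped",
    };
    for (size_t i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++) {
        char buf[128];
        strcpy(buf, inputs[i]);
        realm_result r = canonicalize_realm_case(buf, "IPA.REALM");
        printf("%-28s -> %-28s (result %d)\n", inputs[i], buf, (int)r);
    }
    return 0;
}
```

Only the realm spelling is touched, so a principal that merely has the IPA realm as a prefix or suffix of a longer name is left alone, and a string whose only '@' is a quoted one is treated as having no realm at all.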
From: jcholast at redhat.com (Jan Cholasta) Date: Tue, 21 Jul 2015 17:18:55 +0200 Subject: [Freeipa-devel] [PATCH 0285] DNS: consolidate RR types in API and LDAP schema In-Reply-To: <55ACF8A2.9070808@redhat.com> References: <55A6551E.9070306@redhat.com> <55A662A3.3090505@redhat.com> <55A66839.80508@redhat.com> <55A67D49.7020208@redhat.com> <55A67E6C.3000401@redhat.com> <55A67EAF.8040803@redhat.com> <55A686AA.4050801@redhat.com> <55A8E03E.9060504@redhat.com> <55ACF8A2.9070808@redhat.com> Message-ID: <55AE62DF.3020405@redhat.com> Dne 20.7.2015 v 15:33 Martin Babinsky napsal(a): > On 07/17/2015 01:00 PM, Martin Basti wrote: >> On 15/07/15 18:13, Petr Spacek wrote: >>> On 15.7.2015 17:39, Martin Basti wrote: >>>> On 15/07/15 17:38, Petr Spacek wrote: >>>>> On 15.7.2015 17:33, Martin Basti wrote: >>>>>> On 15/07/15 16:03, Martin Basti wrote: >>>>>>> On 15/07/15 15:39, Petr Vobornik wrote: >>>>>>>> On 07/15/2015 02:42 PM, Martin Basti wrote: >>>>>>>>> Patch attached. >>>>>>>>> >>>>>>>>> https://fedorahosted.org/freeipa/ticket/4934 >>>>>>>>> https://fedorahosted.org/freeipa/ticket/5055 >>>>>>>>> >>>>>>>> Why are you adding RP, APL, IPSEC, DHCID, HIP, SPF records? Is >>>>>>>> there a plan >>>>>>>> to use them? Can't we just not use unsupported records in >>>>>>>> LDAPSearch'? >>>>>>>> (which would fix #5055) >>>>>>> I had discussion with Petr2, and we decided to do it this way, >>>>>>> because these >>>>>>> records are valid. >>>>>>> >>>>>>> Removing unsupported records from search changes the behavior of >>>>>>> the DNS >>>>>>> commands. Now IPA shows even unsupported records which cannot be >>>>>>> modified by >>>>>>> API. AFAIK we want to keep this behavior. >>>>>>> >>>>>> Updated patch attached. >>>>>> >>>>>> I forgot to remove DNSKEY from object class definition. >>>>> Are you 100 % sure that it will not break on upgrade? Please >>>>> double-check that >>>>> with Thierry. 
>>>>> >>>> It was my change before we decided that DNSKEY should not be there, >>>> it is not >>>> in the git repo. >>> I see, okay. >>> >> Updated patch attached. >> >> >> > ACK Pushed to: master: 5ea41abe9836c94579115f9b220a8205b15d520d ipa-4-2: bb6498547e1d638a064e4af259e195b7b95288b3 -- Jan Cholasta From jcholast at redhat.com Tue Jul 21 15:30:46 2015 
From: jcholast at redhat.com (Jan Cholasta) Date: Tue, 21 Jul 2015 17:30:46 +0200 Subject: [Freeipa-devel] [PATCH 0274] DNS: Check if dns package is installed In-Reply-To: <55AD2915.70707@redhat.com> References: <5593EBD3.2000902@redhat.com> <5593FD26.8010903@redhat.com> <55943181.5060604@redhat.com> <5594DF23.8060103@redhat.com> <55951919.6020101@redhat.com> <559521B0.8010001@redhat.com> <55952664.5030704@redhat.com> <5595288F.5020906@redhat.com> <559633AD.7010005@redhat.com> <55A8F6F1.1060208@redhat.com> <55AD2915.70707@redhat.com> Message-ID: <55AE65A6.3090704@redhat.com> Dne 20.7.2015 v 19:00 Martin Babinsky napsal(a): > On 07/17/2015 02:37 PM, Martin Basti wrote: >> On 03/07/15 09:03, Tomas Babej wrote: >>> >>> On 07/02/2015 02:03 PM, Petr Spacek wrote: >>>> On 2.7.2015 13:54, Jan Cholasta wrote: >>>>> Dne 2.7.2015 v 13:34 Petr Spacek napsal(a): >>>>>> On 2.7.2015 12:57, Tomas Babej wrote: >>>>>>> >>>>>>> On 07/02/2015 08:50 AM, Petr Spacek wrote: >>>>>>>> On 1.7.2015 20:29, Tomas Babej wrote: >>>>>>>>> >>>>>>>>> On 07/01/2015 04:45 PM, Petr Spacek wrote: >>>>>>>>>> On 1.7.2015 15:32, Martin Basti wrote: >>>>>>>>>>> https://fedorahosted.org/freeipa/ticket/4058 >>>>>>>>>>> Requires patch freeipa-pspacek-0052 >>>>>>>>>> ACK >>>>>>>>>> >>>>>>>>> I must admit I don't really like wrapping a constant in the >>>>>>>>> method in >>>>>>>>> the TaskNamespace object. >>>>>>>>> >>>>>>>>> We're interested in the constant itself - there's no case I can >>>>>>>>> imagine >>>>>>>>> where the name of the freeipa's dns package will be dynamic. >>>>>>>>> >>>>>>>>> For paths we have BasePathNamespace that contains all the paths, >>>>>>>>> maybe >>>>>>>>> we should introduce something similar for the non-path platform >>>>>>>>> dependent constants? >>>>>>>> Generally I support this but it seems like a 4.3 material (and >>>>>>>> out of >>>>>>>> scope of >>>>>>>> #4058). We need to finish 4.2 now. >>>>>>>> >>>>>>>> Please ACK or NACK ASAP. 
>>>>>>>> >>>>>>> It's fairly straightforward to introduce a new platform namespace >>>>>>> for >>>>>>> constants. >>>>>>> >>>>>>> See attached patch, it implements the namespace and already >>>>>>> contains the >>>>>>> proper values for the dns package name. >>>>>>> >>>>>>> The original patch 274 would only need to use: >>>>>>> >>>>>>> >>> from ipaplatform.constants import constants >>>>>>> >>> constants.DNS_PACKAGE_NAME >>>>>>> 'freeipa-server-dns' >>>>>> I'm okay with that if Honza or somebody else knowledgeable about the >>>>>> whole >>>>>> platform-thingy can ACK this, amend Martin^2's patch 274 and test >>>>>> the whole >>>>>> thing. >>>>>> >>>>>> Unfortunately I do not have time for it myself. If nobody does that >>>>>> please >>>>>> push the original patch (when its dependency pspacek-0052 gets ACK). >>>>> I think you are overengineering this a little bit, adding whatever >>>>> ipaplatform >>>>> stuff just because of an error message seems rather unnecessary to >>>>> me. I think >>>>> changing the error message to "Integrated DNS requires >>>>> 'freeipa-server-dns' >>>>> package" or even "Integrated DNS requires IPA DNS server package" >>>>> would be >>>>> perfectly fine. >>>> The message should be as specific as possible but I do not care how >>>> it will be >>>> implemented. >>>> >>> Alright, let's not get stuck. Petr insists on a specific message on each >>> platform. Given that the package name is platform dependent, I think we >>> should keep it as a platform constant, a task makes little sense. >>> >>> Given that Martin's not available right now, I'll amend his patches and >>> send the updated version. >>> >>> Tomas >> Updated patches attached. >> >> ACK for 332 >> I just removed DNS constants from 332 patch >> >> >> > ACK for Martin's patch. Pushed to: master: 92828d3cf50e00fe75ebf3ec9e0edc8b9c8eae35 ipa-4-2: eefe6dc3a2a6fb316650638c3db90ed63f8551de -- Jan Cholasta From rharwood at redhat.com Tue Jul 21 15:41:54 2015 
From: rharwood at redhat.com (Robbie Harwood) Date: Tue, 21 Jul 2015 11:41:54 -0400 Subject: [Freeipa-devel] [PATCH] Port from python-kerberos library to python-gssapi In-Reply-To: <86112597.1414964.1437485184829.JavaMail.zimbra@redhat.com> References: <2026883365.1326941.1437480146008.JavaMail.zimbra@redhat.com> <55AE39AA.1040804@redhat.com> <86112597.1414964.1437485184829.JavaMail.zimbra@redhat.com> Message-ID: Michael Simacek writes: > ----- Original Message ----- >> From: "Christian Heimes" >> To: freeipa-devel at redhat.com, msimacek at redhat.com >> Sent: Tuesday, July 21, 2015 2:23:06 PM >> Subject: Re: [Freeipa-devel] [PATCH] Port from python-kerberos library to python-gssapi >> >> On 2015-07-21 14:02, Michael Simacek wrote: >> > Hi, >> > >> > This is a first part of my effort to port FreeIPA from Python3-incompatible >> > Kerberos libraries to python-gssapi. This patch should replace >> > python-kerberos >> > with python-gssapi (both use C GSSAPI behind the scenes). This looks good to me! I'm glad the port is progressing well, and please feel free to contact me if you hit trouble with python-gssapi. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 818 bytes Desc: not available URL: From mbasti at redhat.com Tue Jul 21 15:45:07 2015 
From: mbasti at redhat.com (Martin Basti) Date: Tue, 21 Jul 2015 17:45:07 +0200 Subject: [Freeipa-devel] [PATCH 0001] Test Topology plugin is listed among DS plugins In-Reply-To: <55ACE483.5030504@redhat.com> References: <55ACC623.20601@redhat.com> <55ACD1A2.5030202@redhat.com> <55ACE483.5030504@redhat.com> Message-ID: <55AE6903.4040202@redhat.com> On 20/07/15 14:07, Oleg Fayans wrote: > Hi Martin, > > Updated. > > > On 07/20/2015 12:46 PM, Martin Basti wrote: >> On 20/07/15 11:57, Oleg Fayans wrote: >>> + pwfile = api.env.dot_ipa + os.sep + ".dmpw" >>> + if ipautil.file_exists(pwfile): >>> + fp = open(pwfile, "r") >>> + dm_password = fp.read().rstrip() >>> + fp.close() >>> + else: >> Hello, >> >> 1) Can you use os.path.join() instead of "+ os.sep +" please >> >> 2) Can you use with statement with file? >> >> with open(pwfile, "r") as f: >> dm_password = f.read().rstrip() >> >> 3) Please keep PEP8 in new code >> >> ./ipatests/test_ipaserver/test_topology_plugin.py:30:80: E501 line >> too long (102 > 79 characters) >> ./ipatests/test_ipaserver/test_topology_plugin.py:33:80: E501 line >> too long (92 > 79 characters) >> ./ipatests/test_ipaserver/test_topology_plugin.py:39:80: E501 line >> too long (124 > 79 characters) >> ./ipatests/test_ipaserver/test_topology_plugin.py:44:80: E501 line >> too long (92 > 79 characters) >> ./ipatests/test_ipaserver/test_topology_plugin.py:45:48: E128 >> continuation line under-indented for visual indent >> ./ipatests/test_ipaserver/test_topology_plugin.py:45:80: E501 line >> too long (89 > 79 characters) >> ./ipatests/test_ipaserver/test_topology_plugin.py:46:48: E128 >> continuation line under-indented for visual indent >> ./ipatests/test_ipaserver/test_topology_plugin.py:46:80: E501 line >> too long (89 > 79 characters) >> ./ipatests/test_ipaserver/test_topology_plugin.py:58:80: E501 line >> too long (87 > 79 characters) >> >> 4) Missing nose import >> raise nose.SkipTest("No directory manager password in %s" >> % pwfile) >> >> 5) 
Can you use sets here instead of sorted lists? >> assert(sorted(entry.keys()) == sorted(pluginattrs.keys())) >> >> >> Martin^2 >> > 1) Sorry, I didn't notice before, but there is a missing header in that file. 2) You don't need to specify ldap_uri, you just need to call ldap2(api); by default api.env.ldap_uri is used, which is the same as you specified. 3) Can you indent values of the dict which are on a new line? It is more readable. u'nsslapd-topo-plugin-shared-config-base': [u'cn=ipa,cn=etc,dc=example,dc=com'], u'nsslapd-pluginDescription': [u'ipa-topology-plugin'], 4) Please use a lowercase f as the variable name; in Python we use capital letters for class definitions with open(pwfile, "r") as F: dm_password = F.read().rstrip() Otherwise it works as expected. Martin^2 -- Martin Basti From tbabej at redhat.com Tue Jul 21 16:01:04 2015 From: tbabej at redhat.com (Tomas Babej) Date: Tue, 21 Jul 2015 18:01:04 +0200 Subject: [Freeipa-devel] [PATCH 0343] tests: user_plugin: Add preserved flag when --all is used Message-ID: <55AE6CC0.7080305@redhat.com> Hi, this patch fixes failing tests for the user plugin where the preserved attribute is missing. Tomas -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-tbabej-0343-tests-user_plugin-Add-preserved-flag-when-all-is-use.patch Type: text/x-patch Size: 1746 bytes Desc: not available URL: From tbabej at redhat.com Tue Jul 21 16:01:45 2015 
From: tbabej at redhat.com (Tomas Babej) Date: Tue, 21 Jul 2015 18:01:45 +0200 Subject: [Freeipa-devel] [PATCH 0344] tests: service_plugin: Make sure the cert is decoded from Message-ID: <55AE6CE9.3020106@redhat.com> Hi, this patch fixes an issue in tests where the certificate was not decoded from base64 representation. Tomas -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-tbabej-0344-tests-service_plugin-Make-sure-the-cert-is-decoded-f.patch Type: text/x-patch Size: 1237 bytes Desc: not available URL: From tbabej at redhat.com Tue Jul 21 16:02:02 2015 From: tbabej at redhat.com (Tomas Babej) Date: Tue, 21 Jul 2015 18:02:02 +0200 Subject: [Freeipa-devel] [PATCH 0345] tests: realmdomains_plugin: Add explanatory comment Message-ID: <55AE6CFA.20000@redhat.com> Hi, The realmdomains_mod command will fail if the testing environment is configured improperly and the IPA domain's NS/SOA records are not resolvable. This can easily happen if the machine's DNS server is not configured to the IPA server. Leave an explanatory note in the class. Tomas -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-tbabej-0345-tests-realmdomains_plugin-Add-explanatory-comment.patch Type: text/x-patch Size: 1324 bytes Desc: not available URL: From tbabej at redhat.com Tue Jul 21 16:02:25 2015 
From: tbabej at redhat.com (Tomas Babej) Date: Tue, 21 Jul 2015 18:02:25 +0200 Subject: [Freeipa-devel] [PATCH 0346] tests: Version is currently generated during command call Message-ID: <55AE6D11.8010601@redhat.com> Hi, In the previous versions, version in the response was generated as part of the process_keyword_arguments method. This is no longer true, and so the explicit check for it should be removed. Tomas -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-tbabej-0346-tests-Version-is-currently-generated-during-command-.patch Type: text/x-patch Size: 7110 bytes Desc: not available URL: From tbabej at redhat.com Tue Jul 21 16:03:00 2015 From: tbabej at redhat.com (Tomas Babej) Date: Tue, 21 Jul 2015 18:03:00 +0200 Subject: [Freeipa-devel] [PATCH 0347] tests: vault_plugin: Skip tests if KRA not available Message-ID: <55AE6D34.2080700@redhat.com> Hi, the vault tests should be skipped in case the KRA is not available on the machine. Tomas -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-tbabej-0347-tests-vault_plugin-Skip-tests-if-KRA-not-available.patch Type: text/x-patch Size: 1363 bytes Desc: not available URL: From tbabej at redhat.com Tue Jul 21 16:03:16 2015 From: tbabej at redhat.com (Tomas Babej) Date: Tue, 21 Jul 2015 18:03:16 +0200 Subject: [Freeipa-devel] [PATCH 0348] tests: test_rpc: Create connection for the current thread Message-ID: <55AE6D44.60707@redhat.com> Hi, Both context.xmlclient and context.xmlclient_ need to be created in order to successfully call the Command.forward method. Tomas -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-tbabej-0348-tests-test_rpc-Create-connection-for-the-current-thr.patch Type: text/x-patch Size: 1009 bytes Desc: not available URL: From tbabej at redhat.com Tue Jul 21 16:03:33 2015 
From: tbabej at redhat.com (Tomas Babej) Date: Tue, 21 Jul 2015 18:03:33 +0200 Subject: [Freeipa-devel] [PATCH 0349] tests: test_cert: Services can have multiple certificates Message-ID: <55AE6D55.60206@redhat.com> Hi, Old certificates of the services are no longer removed and revoked after new ones have been issued. Check that both old and new certificates are present. Tomas -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-tbabej-0349-tests-test_cert-Services-can-have-multiple-certifica.patch Type: text/x-patch Size: 1448 bytes Desc: not available URL: From mbasti at redhat.com Tue Jul 21 16:51:51 2015 From: mbasti at redhat.com (Martin Basti) Date: Tue, 21 Jul 2015 18:51:51 +0200 Subject: [Freeipa-devel] [PATCH 0343] tests: user_plugin: Add preserved flag when --all is used In-Reply-To: <55AE6CC0.7080305@redhat.com> References: <55AE6CC0.7080305@redhat.com> Message-ID: <55AE78A7.1080900@redhat.com> On 21/07/15 18:01, Tomas Babej wrote: > Hi, > > this patch fixes failing tests for the user plugin where preserved > attribute is missing. > > Tomas > > > > ACK -- Martin Basti -------------- next part -------------- An HTML attachment was scrubbed... URL: From tbabej at redhat.com Tue Jul 21 17:00:10 2015 
From: tbabej at redhat.com (Tomas Babej) Date: Tue, 21 Jul 2015 19:00:10 +0200 Subject: [Freeipa-devel] [PATCH 0343] tests: user_plugin: Add preserved flag when --all is used In-Reply-To: <55AE78A7.1080900@redhat.com> References: <55AE6CC0.7080305@redhat.com> <55AE78A7.1080900@redhat.com> Message-ID: <55AE7A9A.1070405@redhat.com> On 07/21/2015 06:51 PM, Martin Basti wrote: > On 21/07/15 18:01, Tomas Babej wrote: >> Hi, >> >> this patch fixes failing tests for the user plugin where preserved >> attribute is missing. >> >> Tomas >> >> >> >> > ACK > > -- > Martin Basti > Pushed to: master: 705603a396bff251a453aec73fc973a5d85c6d44 ipa-4-2: e59127e5c12679bf85ee494f378197912932c82b From redhatrises at gmail.com Tue Jul 21 17:10:50 2015 From: redhatrises at gmail.com (Gabe Alford) Date: Tue, 21 Jul 2015 11:10:50 -0600 Subject: [Freeipa-devel] [PATCH] Port from python-kerberos library to python-gssapi In-Reply-To: <86112597.1414964.1437485184829.JavaMail.zimbra@redhat.com> References: <2026883365.1326941.1437480146008.JavaMail.zimbra@redhat.com> <55AE39AA.1040804@redhat.com> <86112597.1414964.1437485184829.JavaMail.zimbra@redhat.com> Message-ID: Hello, Would you mind formatting your patch following the format described at http://www.freeipa.org/page/Contribute/Patch_Format and attach the patch to this thread? Please attach your patch to the corresponding trac ticket as well. thanks, Gabe On Tue, Jul 21, 2015 at 7:26 AM, Michael Simacek wrote: > ----- Original Message ----- 
> > From: "Christian Heimes" > > To: freeipa-devel at redhat.com, msimacek at redhat.com > > Sent: Tuesday, July 21, 2015 2:23:06 PM > > Subject: Re: [Freeipa-devel] [PATCH] Port from python-kerberos library > to python-gssapi > > > > On 2015-07-21 14:02, Michael Simacek wrote: > > > Hi, > > > > > > This is a first part of my effort to port FreeIPA from > Python3-incompatible > > > Kerberos libraries to python-gssapi. This patch should replace > > > python-kerberos > > > with python-gssapi (both use C GSSAPI behind the scenes). > > > > > def _handle_exception(self, e, service=None): > > > - (major, minor) = ipautil.get_gsserror(e) > > > - if minor[1] == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN: > > > + # kerberos library coerced error codes to signed, gssapi uses > > > unsigned > > > + minor = e.min_code - (1 << 32) > > > + if minor == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN: > > > > The unsigned to signed conversion is not correct. Although it doesn't make > > a difference here, please use the technically correct way: > > > > minor = e.min_code > > if minor & (1 << 31): > > minor -= 1 << 32 > > > > or if you prefer hex: > > > > if minor & 0x80000000: > > minor -= 0x100000000 > > > > Fixed, thank you. Hopefully, when FreeIPA uses python-gssapi > everywhere, such coercions won't be needed. > > -- > Michael Simacek > > > > >From c59cadae8d461aa0c771cb56a34d53c9533a4248 Mon Sep 17 00:00:00 2001 > From: Michael Simacek > Date: Thu, 16 Jul 2015 18:22:00 +0200 > Subject: [PATCH] Port from python-kerberos library to python-gssapi > > kerberos library doesn't support Python 3 and probably never will. > python-gssapi library is Python 3 compatible. > --- > BUILD.txt | 2 +- > freeipa.spec.in | 2 +- > ipalib/rpc.py | 44 +++++++++++++++++++++++--------------------- > ipalib/util.py | 14 +++++++------- > ipapython/ipautil.py | 17 ----------------- > 5 files changed, 32 insertions(+), 47 deletions(-) > > diff --git a/BUILD.txt b/BUILD.txt > index 6a28beb..53012b1 100644 > --- a/BUILD.txt 
> +++ b/BUILD.txt > @@ -20,7 +20,7 @@ systemd-units samba-devel samba-python libwbclient-devel > libtalloc-devel \ > libtevent-devel nspr-devel nss-devel openssl-devel openldap-devel > krb5-devel \ > krb5-workstation libuuid-devel libcurl-devel xmlrpc-c-devel popt-devel \ > autoconf automake m4 libtool gettext python-devel python-ldap \ > -python-setuptools python-krbV python-nss python-netaddr python-kerberos \ > +python-setuptools python-krbV python-nss python-netaddr python-gssapi \ > python-rhsm pyOpenSSL pylint python-polib libipa_hbac-python > python-memcached \ > sssd python-lxml python-pyasn1 python-qrcode-core python-dns m2crypto \ > check libsss_idmap-devel libsss_nss_idmap-devel java-headless rhino \ > diff --git a/freeipa.spec.in b/freeipa.spec.in > index fef20e1..5e10022 100644 > --- a/freeipa.spec.in > +++ b/freeipa.spec.in > @@ -72,7 +72,7 @@ BuildRequires: python-krbV > BuildRequires: python-nss > BuildRequires: python-cryptography > BuildRequires: python-netaddr > -BuildRequires: python-kerberos >= 1.1-14 > +BuildRequires: python-gssapi >= 1.1.1 > BuildRequires: python-rhsm > BuildRequires: pyOpenSSL > BuildRequires: pylint >= 1.0 > diff --git a/ipalib/rpc.py b/ipalib/rpc.py > index 466b49a..9e8c97d 100644 > --- a/ipalib/rpc.py > +++ b/ipalib/rpc.py > @@ -44,7 +44,7 @@ from urllib2 import urlparse > > from xmlrpclib import (Binary, Fault, DateTime, dumps, loads, ServerProxy, > Transport, ProtocolError, MININT, MAXINT) > -import kerberos > +import gssapi > from dns import resolver, rdatatype > from dns.exception import DNSException > from nss.error import NSPRError 
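Review bot: the freeipa.spec.in hunk changes only the `BuildRequires: python-kerberos >= 1.1-14` line to `BuildRequires: python-gssapi >= 1.1.1` (the diffstat shows one insertion and one deletion for that file), while ipalib/rpc.py and ipalib/util.py now import gssapi at runtime; if the spec carries a runtime `Requires: python-kerberos` for the client or python subpackage, it needs the matching python-gssapi change in the same patch, otherwise packages built from this series install without their import dependency.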
> @@ -510,24 +510,29 @@ class KerbTransport(SSLTransport): > """ > Handles Kerberos Negotiation authentication to an XML-RPC server. > """ > - flags = kerberos.GSS_C_MUTUAL_FLAG | kerberos.GSS_C_SEQUENCE_FLAG > + flags = gssapi.IntEnumFlagSet(gssapi.RequirementFlag, > + > [gssapi.RequirementFlag.mutual_authentication, > + > gssapi.RequirementFlag.out_of_sequence_detection]) > > def _handle_exception(self, e, service=None): > - (major, minor) = ipautil.get_gsserror(e) > - if minor[1] == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN: > + # kerberos library coerced error codes to signed, gssapi uses > unsigned > + minor = e.min_code > + if minor & (1 << 31): > + minor -= 1 << 32 > + if minor == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN: > raise errors.ServiceError(service=service) > - elif minor[1] == KRB5_FCC_NOFILE: > + elif minor == KRB5_FCC_NOFILE: > raise errors.NoCCacheError() > - elif minor[1] == KRB5KRB_AP_ERR_TKT_EXPIRED: > + elif minor == KRB5KRB_AP_ERR_TKT_EXPIRED: > raise errors.TicketExpired() > - elif minor[1] == KRB5_FCC_PERM: > + elif minor == KRB5_FCC_PERM: > raise errors.BadCCachePerms() > - elif minor[1] == KRB5_CC_FORMAT: > + elif minor == KRB5_CC_FORMAT: > raise errors.BadCCacheFormat() > - elif minor[1] == KRB5_REALM_CANT_RESOLVE: > + elif minor == KRB5_REALM_CANT_RESOLVE: > raise errors.CannotResolveKDC() > else: > - raise errors.KerberosError(major=major, minor=minor) > + raise errors.KerberosError(major=e.maj_code, minor=minor) > > def get_host_info(self, host): > """ 
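Review bot: in `_handle_exception`, `raise errors.KerberosError(major=e.maj_code, minor=minor)` now passes bare integers where the old code passed the (message, code) pairs from get_gsserror, so whatever KerberosError renders for the user changes from a readable GSS message to two numbers; either pass the text from the GSSError as well or check that the KerberosError template still produces something actionable. The sign-bit conversion itself matches the review suggestion; a short comment saying the constants it is compared against are libkrb5's negative values would spare the next reader the same question.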
> @@ -548,14 +553,9 @@ class KerbTransport(SSLTransport): > service = "HTTP@" + host.split(':')[0] > > try: > - (rc, vc) = kerberos.authGSSClientInit(service=service, > - gssflags=self.flags) > - except kerberos.GSSError, e: > - self._handle_exception(e) > - > - try: > - kerberos.authGSSClientStep(vc, "") > - except kerberos.GSSError, e: > + name = gssapi.Name(service, gssapi.NameType.hostbased_service) > + response = gssapi.raw.init_sec_context(name, > flags=self.flags).token > + except gssapi.exceptions.GSSError as e: > self._handle_exception(e, service=service) > > for (h, v) in extra_headers: > @@ -564,7 +564,7 @@ class KerbTransport(SSLTransport): > break > > extra_headers.append( > - ('Authorization', 'negotiate %s' % > kerberos.authGSSClientResponse(vc)) > + ('Authorization', 'negotiate %s' % base64.b64encode(response)) > ) > > return (host, extra_headers, x509) > @@ -632,8 +632,10 @@ class DelegatedKerbTransport(KerbTransport): > Handles Kerberos Negotiation authentication and TGT delegation to an > XML-RPC server. > """ > - flags = kerberos.GSS_C_DELEG_FLAG | kerberos.GSS_C_MUTUAL_FLAG | \ > - kerberos.GSS_C_SEQUENCE_FLAG > + flags = gssapi.IntEnumFlagSet(gssapi.RequirementFlag, > + > [gssapi.RequirementFlag.delegate_to_peer, > + > gssapi.RequirementFlag.mutual_authentication, > + > gssapi.RequirementFlag.out_of_sequence_detection]) > > > class RPCClient(Connectible): > diff --git a/ipalib/util.py b/ipalib/util.py > index 649a487..aea3ba9 100644 > --- a/ipalib/util.py > +++ b/ipalib/util.py 
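Review bot: in the -548 hunk, `gssapi.raw.init_sec_context(name, flags=self.flags).token` keeps only the token and discards the returned context, so the `mutual_authentication` flag requested in `self.flags` can never be completed (the server's reply token is never fed back into a context). The removed code also ran a single `authGSSClientStep(vc, "")`, so this is not a regression, but the flag set now documents an expectation the transport does not meet; either drop the flag or note in the class docstring that only the first leg is performed. Separately, `base64.b64encode(response)` relies on `base64` already being imported in rpc.py, since the import hunk only swaps kerberos for gssapi; please confirm.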
> @@ -63,15 +63,15 @@ def json_serialize(obj): > > def get_current_principal(): > try: > - import kerberos > - rc, vc = kerberos.authGSSClientInit("notempty") > - rc = kerberos.authGSSClientInquireCred(vc) > - username = kerberos.authGSSClientUserName(vc) > - kerberos.authGSSClientClean(vc) > + import gssapi > + cred = gssapi.raw.acquire_cred(usage='initiate').creds > + name = gssapi.raw.inquire_cred(cred, lifetime=False, usage=False, > + mechs=False).name > + username = gssapi.raw.display_name(name, name_type=False).name > return unicode(username) > except ImportError: > - raise RuntimeError('python-kerberos is not available.') > - except kerberos.GSSError, e: > + raise RuntimeError('python-gssapi is not available.') > + except gssapi.exceptions.GSSError: > #TODO: do a kinit? > raise errors.CCacheError() > > diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py > index 88e8970..05a7eeb 100644 > --- a/ipapython/ipautil.py > +++ b/ipapython/ipautil.py > @@ -783,23 +783,6 @@ def user_input(prompt, default = None, allow_empty = > True): > return ret > > > -def get_gsserror(e): > - """ > - A GSSError exception looks differently in python 2.4 than it does > - in python 2.5. Deal with it. > - """ > - > - try: > - major = e[0] > - minor = e[1] > - except: > - major = e[0][0] > - minor = e[0][1] > - > - return (major, minor) > - > - > - > def host_port_open(host, port, socket_type=socket.SOCK_STREAM, > socket_timeout=None): > for res in socket.getaddrinfo(host, port, socket.AF_UNSPEC, > socket_type): > af, socktype, proto, canonname, sa = res > -- > 2.1.0 > > -- > Manage your subscription for the Freeipa-devel mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-devel > Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code > -------------- next part -------------- An HTML attachment was scrubbed... URL: From pvoborni at redhat.com Tue Jul 21 17:11:36 2015 
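Review bot: `get_gsserror()` is deleted from ipapython/ipautil.py while the diffstat touches only five files; confirm with a repository-wide grep that no module outside this diff (client-side code included) still imports it, because a stale caller fails at import time rather than in the ported transport. In `get_current_principal`, the three `gssapi.raw` calls are correct, but the high-level API exposes the same thing as `gssapi.Credentials(usage='initiate').name`, which would also keep the credential handle release out of this function.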
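The signed/unsigned minor-code conversion reviewed above (the first version subtracted 2**32 unconditionally; the fixed `_handle_exception` checks bit 31) as an added example that is not part of the submitted patch or FreeIPA's code: it contrasts the two conversions and dispatches constructed GSSError-like objects the way `KerbTransport._handle_exception` does. The krb5 constant values are assumed from libkrb5's error table rather than taken from the thread, and `FakeGSSError` mirrors only the `maj_code`/`min_code` attributes of python-gssapi's GSSError.

```python
# Added example (not FreeIPA code): handling of GSSAPI minor status codes,
# which python-gssapi reports as unsigned OM_uint32 values while libkrb5
# defines its error codes as negative 32-bit integers.

# Assumed libkrb5 values (krb5_err.et); not taken from the mailing-list thread.
KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN = -1765328377
KRB5KRB_AP_ERR_TKT_EXPIRED = -1765328352
KRB5_FCC_NOFILE = -1765328189

MASK32 = 0xFFFFFFFF
GSS_S_FAILURE = 0x000D0000  # routine error 13 in the major-status "routine" field


class FakeGSSError(Exception):
    """Constructed stand-in for gssapi.exceptions.GSSError: only the two
    attributes the transport reads, the raw unsigned major and minor codes."""

    def __init__(self, maj_code, min_code):
        Exception.__init__(self, maj_code, min_code)
        self.maj_code = maj_code
        self.min_code = min_code


def to_signed32_naive(min_code):
    """First version of the patch: always subtract 2**32.

    Right only when bit 31 is set; a minor code without the sign bit
    (zero, or a plain errno) ends up below the int32 range."""
    return min_code - (1 << 32)


def to_signed32(min_code):
    """Reviewer's version: reinterpret the unsigned value as two's-complement
    int32, subtracting 2**32 only when the sign bit is set.  The mask is an
    added defensive step so an already-signed input round-trips unchanged."""
    min_code &= MASK32
    if min_code & (1 << 31):
        min_code -= 1 << 32
    return min_code


def unsigned32(code):
    """The form in which python-gssapi hands back a negative libkrb5 code."""
    return code & MASK32


def classify_gss_error(err, service=None):
    """Mirror of the dispatch in KerbTransport._handle_exception, returning
    the name of the IPA error that would be raised instead of raising it."""
    minor = to_signed32(err.min_code)
    if minor == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:
        return ("ServiceError", service)
    if minor == KRB5_FCC_NOFILE:
        return ("NoCCacheError", None)
    if minor == KRB5KRB_AP_ERR_TKT_EXPIRED:
        return ("TicketExpired", None)
    # Anything else keeps both codes, the minor one already signed.
    return ("KerberosError", (err.maj_code, minor))


if __name__ == "__main__":
    # Constructed: "server principal unknown" as the transport would see it.
    unknown = FakeGSSError(GSS_S_FAILURE,
                           unsigned32(KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN))
    print(classify_gss_error(unknown, service="HTTP@ipa.example.test"))
    # A minor code without the sign bit: only the naive conversion misreads it.
    print(to_signed32_naive(2), to_signed32(2))
```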
From: pvoborni at redhat.com (Petr Vobornik) Date: Tue, 21 Jul 2015 19:11:36 +0200 Subject: [Freeipa-devel] [PATCH 0340] dcerpc: Expand explanation for WERR_ACCESS_DENIED In-Reply-To: <55A794B1.2060501@redhat.com> References: <55A794B1.2060501@redhat.com> Message-ID: <55AE7D48.1080302@redhat.com> On 07/16/2015 01:25 PM, Tomas Babej wrote: > Hi, > > It's possible for AD to contact a wrong IPA server in case the DNS > SRV records on the AD sides are not properly configured. > > Mention this case in the error message as well. > > https://fedorahosted.org/freeipa/ticket/5013 > > > ACK Pushed to: master: 1299c60a83ccaf669abd74d35845f8c321e4ed5e ipa-4-2: 0eec93ebb00b3db58f947cf1214c890c8773151b -- Petr Vobornik From rharwood at redhat.com Tue Jul 21 17:59:26 2015 From: rharwood at redhat.com (Robbie Harwood) Date: Tue, 21 Jul 2015 13:59:26 -0400 Subject: [Freeipa-devel] [PATCH] Port from python-kerberos library to python-gssapi In-Reply-To: <2026883365.1326941.1437480146008.JavaMail.zimbra@redhat.com> References: <2026883365.1326941.1437480146008.JavaMail.zimbra@redhat.com> Message-ID: Michael Simacek writes: > This is a first part of my effort to port FreeIPA from Python3-incompatible > Kerberos libraries to python-gssapi. This patch should replace python-kerberos > with python-gssapi (both use C GSSAPI behind the scenes). Okay, Solly and I went through this again, and there might be a problem. 
> @@ -548,14 +551,9 @@ class KerbTransport(SSLTransport): > service = "HTTP@" + host.split(':')[0] > > try: > - (rc, vc) = kerberos.authGSSClientInit(service=service, > - gssflags=self.flags) > - except kerberos.GSSError, e: > - self._handle_exception(e) > - > - try: > - kerberos.authGSSClientStep(vc, "") > - except kerberos.GSSError, e: > + name = gssapi.Name(service, gssapi.NameType.hostbased_service) > + response = gssapi.raw.init_sec_context(name, flags=self.flags).token > + except gssapi.exceptions.GSSError as e: > self._handle_exception(e, service=service) > > for (h, v) in extra_headers: > @@ -564,7 +562,7 @@ class KerbTransport(SSLTransport): > break > > extra_headers.append( > - ('Authorization', 'negotiate %s' % kerberos.authGSSClientResponse(vc)) > + ('Authorization', 'negotiate %s' % base64.b64encode(response)) > ) If you call init_sec_context, the token returned may be an error token, and the error will be deferred until the next use of the context. This behavior can be turned off by setting __DEFER_STEP_ERRORS__ to false on the class. More information: https://pythonhosted.org/gssapi/gssapi.html#gssapi.sec_contexts.SecurityContext.step -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 818 bytes Desc: not available URL: From mbabinsk at redhat.com Wed Jul 22 06:40:33 2015 From: mbabinsk at redhat.com (Martin Babinsky) Date: Wed, 22 Jul 2015 08:40:33 +0200 Subject: [Freeipa-devel] [PATCH 0344] tests: service_plugin: Make sure the cert is decoded from In-Reply-To: <55AE6CE9.3020106@redhat.com> References: <55AE6CE9.3020106@redhat.com> Message-ID: <55AF3AE1.5060007@redhat.com> On 07/21/2015 06:01 PM, Tomas Babej wrote: > Hi, > > this patch fixes an issue in tests where the certificate was not decoded > from base64 representation. > > Tomas > > > ACK -- Martin^3 Babinsky From mbabinsk at redhat.com Wed Jul 22 06:41:53 2015 
From: mbabinsk at redhat.com (Martin Babinsky) Date: Wed, 22 Jul 2015 08:41:53 +0200 Subject: [Freeipa-devel] [PATCH 0347] tests: vault_plugin: Skip tests if KRA not available In-Reply-To: <55AE6D34.2080700@redhat.com> References: <55AE6D34.2080700@redhat.com> Message-ID: <55AF3B31.8000906@redhat.com> On 07/21/2015 06:03 PM, Tomas Babej wrote: > Hi, > > the vault tests should be skipped in case the KRA is not available on > the machine. > > Tomas > > > ACK -- Martin^3 Babinsky From mbabinsk at redhat.com Wed Jul 22 06:44:16 2015 From: mbabinsk at redhat.com (Martin Babinsky) Date: Wed, 22 Jul 2015 08:44:16 +0200 Subject: [Freeipa-devel] [PATCH 0349] tests: test_cert: Services can have multiple certificates In-Reply-To: <55AE6D55.60206@redhat.com> References: <55AE6D55.60206@redhat.com> Message-ID: <55AF3BC0.2010802@redhat.com> On 07/21/2015 06:03 PM, Tomas Babej wrote: > Hi, > > Old certificates of the services are no longer removed and revoked > after new ones have been issued. > > Check that both old and new certificates are present. > > Tomas > > > ACK -- Martin^3 Babinsky From mbasti at redhat.com Wed Jul 22 06:56:40 2015 From: mbasti at redhat.com (Martin Basti) Date: Wed, 22 Jul 2015 08:56:40 +0200 Subject: [Freeipa-devel] [PATCH 0346] tests: Version is currently generated during command call In-Reply-To: <55AE6D11.8010601@redhat.com> References: <55AE6D11.8010601@redhat.com> Message-ID: <55AF3EA8.7020508@redhat.com> On 21/07/15 18:02, Tomas Babej wrote: > Hi, > > In the previous versions, version in the response was generated > as part of the process_keyword_arguments method. This is no longer true, > and so the explicit check for it should be removed. > > Tomas > > ACK -- Martin Basti -------------- next part -------------- An HTML attachment was scrubbed... URL: From mbasti at redhat.com Wed Jul 22 07:04:55 2015 
From: mbasti at redhat.com (Martin Basti) Date: Wed, 22 Jul 2015 09:04:55 +0200 Subject: [Freeipa-devel] [PATCH 0342] idviews: Check for the Default Trust View only if applying In-Reply-To: <55AE234D.9010902@redhat.com> References: <55AE234D.9010902@redhat.com> Message-ID: <55AF4097.8080508@redhat.com> On 21/07/15 12:47, Tomas Babej wrote: > Hi, > > Currently, the code wrongly validates the idview-unapply command. Move > the check for the forbidden application of the Default Trust View into > the correct logical branch. > > https://fedorahosted.org/freeipa/ticket/4969 > > Tomas > > ACK -- Martin Basti -------------- next part -------------- An HTML attachment was scrubbed... URL: From mbasti at redhat.com Wed Jul 22 07:07:40 2015 From: mbasti at redhat.com (Martin Basti) Date: Wed, 22 Jul 2015 09:07:40 +0200 Subject: [Freeipa-devel] [PATCH 0345] tests: realmdomains_plugin: Add explanatory comment In-Reply-To: <55AE6CFA.20000@redhat.com> References: <55AE6CFA.20000@redhat.com> Message-ID: <55AF413C.8030608@redhat.com> On 21/07/15 18:02, Tomas Babej wrote: > Hi, > > The realmdomains_mod command will fail if the testing environment > is configured improperly and the IPA domain's NS/SOA records are > not resolvable. This can easily happen if the machine's DNS server > is not configured to the IPA server. > > Leave an explanatory note in the class. > > Tomas > > ACK -- Martin Basti -------------- next part -------------- An HTML attachment was scrubbed... URL: From mbasti at redhat.com Wed Jul 22 07:09:21 2015 
From: mbasti at redhat.com (Martin Basti) Date: Wed, 22 Jul 2015 09:09:21 +0200 Subject: [Freeipa-devel] [PATCH 0348] tests: test_rpc: Create connection for the current thread In-Reply-To: <55AE6D44.60707@redhat.com> References: <55AE6D44.60707@redhat.com> Message-ID: <55AF41A1.7000301@redhat.com> On 21/07/15 18:03, Tomas Babej wrote: > Hi, > > Both context.xmlclient and context.xmlclient_ need to be created > in order to successfully call the Command.forward method. > > Tomas > > ACK -- Martin Basti -------------- next part -------------- An HTML attachment was scrubbed... URL: From ofayans at redhat.com Wed Jul 22 07:23:13 2015 
From: ofayans at redhat.com (Oleg Fayans) Date: Wed, 22 Jul 2015 09:23:13 +0200 Subject: [Freeipa-devel] [PATCH 0001] Test Topology plugin is listed among DS plugins In-Reply-To: <55AE6903.4040202@redhat.com> References: <55ACC623.20601@redhat.com> <55ACD1A2.5030202@redhat.com> <55ACE483.5030504@redhat.com> <55AE6903.4040202@redhat.com> Message-ID: <55AF44E1.3030500@redhat.com> Hi Martin, Patch updated. Thank you for the review! On 07/21/2015 05:45 PM, Martin Basti wrote: > On 20/07/15 14:07, Oleg Fayans wrote: >> Hi Martin, >> >> Updated. >> >> >> On 07/20/2015 12:46 PM, Martin Basti wrote: >>> On 20/07/15 11:57, Oleg Fayans wrote: >>>> + pwfile = api.env.dot_ipa + os.sep + ".dmpw" >>>> + if ipautil.file_exists(pwfile): >>>> + fp = open(pwfile, "r") >>>> + dm_password = fp.read().rstrip() >>>> + fp.close() >>>> + else: >>> Hello, >>> >>> 1) Can you use os.path.join() instead of "+ os.sep +" please >>> >>> 2) Can you use with statement with file? >>> >>> with open(pwfile, "r") as f: >>> dm_password = f.read().rstrip() >>> >>> 3) Please keep PEP8 in new code >>> >>> ./ipatests/test_ipaserver/test_topology_plugin.py:30:80: E501 line >>> too long (102 > 79 characters) >>> ./ipatests/test_ipaserver/test_topology_plugin.py:33:80: E501 line >>> too long (92 > 79 characters) >>> ./ipatests/test_ipaserver/test_topology_plugin.py:39:80: E501 line >>> too long (124 > 79 characters) >>> ./ipatests/test_ipaserver/test_topology_plugin.py:44:80: E501 line >>> too long (92 > 79 characters) >>> ./ipatests/test_ipaserver/test_topology_plugin.py:45:48: E128 >>> continuation line under-indented for visual indent >>> ./ipatests/test_ipaserver/test_topology_plugin.py:45:80: E501 line >>> too long (89 > 79 characters) >>> ./ipatests/test_ipaserver/test_topology_plugin.py:46:48: E128 >>> continuation line under-indented for visual indent >>> ./ipatests/test_ipaserver/test_topology_plugin.py:46:80: E501 line >>> too long (89 > 79 characters) >>> 
./ipatests/test_ipaserver/test_topology_plugin.py:58:80: E501 line >>> too long (87 > 79 characters) >>> >>> 4) Missing nose import >>> raise nose.SkipTest("No directory manager password in >>> %s" % pwfile) >>> >>> 5) Can you use sets here instead of sorted lists? >>> assert(sorted(entry.keys()) == sorted(pluginattrs.keys())) >>> >>> >>> Martin^2 >>> >> > 1) > Sorry, I didn't notice before, but there is missing header in that file. > > 2) > You don't need to specify ldap_uri, you just need to call ldap2(api), > by default api.env.ldap_uri is used, which is the same as you specified > > 3) > Can you indent values of dict which are on newline? It is readable > better. > u'nsslapd-topo-plugin-shared-config-base': > [u'cn=ipa,cn=etc,dc=example,dc=com'], > u'nsslapd-pluginDescription': [u'ipa-topology-plugin'], > > 4) > Please use lower F as variable, in python we use capital letters for > class definitions > with open(pwfile, "r") as F: > dm_password = F.read().rstrip() > > Otherwise it works as expected. > > Martin^2 > > > > -- Oleg Fayans Quality Engineer FreeIPA team RedHat. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-ofayans-0001.2-test-topology-plugin-is-listed-among-DS-plugins.patch Type: text/x-patch Size: 4274 bytes Desc: not available URL: From mbasti at redhat.com Wed Jul 22 07:26:12 2015 
From: mbasti at redhat.com (Martin Basti) Date: Wed, 22 Jul 2015 09:26:12 +0200 Subject: [Freeipa-devel] [PATCH 0001] Test Topology plugin is listed among DS plugins In-Reply-To: <55AF44E1.3030500@redhat.com> References: <55ACC623.20601@redhat.com> <55ACD1A2.5030202@redhat.com> <55ACE483.5030504@redhat.com> <55AE6903.4040202@redhat.com> <55AF44E1.3030500@redhat.com> Message-ID: <55AF4594.10704@redhat.com> On 22/07/15 09:23, Oleg Fayans wrote: > Hi Martin, > > Patch updated. Thank you for the review! > > On 07/21/2015 05:45 PM, Martin Basti wrote: >> On 20/07/15 14:07, Oleg Fayans wrote: >>> Hi Martin, >>> >>> Updated. >>> >>> >>> On 07/20/2015 12:46 PM, Martin Basti wrote: >>>> On 20/07/15 11:57, Oleg Fayans wrote: >>>>> + pwfile = api.env.dot_ipa + os.sep + ".dmpw" >>>>> + if ipautil.file_exists(pwfile): >>>>> + fp = open(pwfile, "r") >>>>> + dm_password = fp.read().rstrip() >>>>> + fp.close() >>>>> + else: >>>> Hello, >>>> >>>> 1) Can you use os.path.join() instead of "+ os.sep +" please >>>> >>>> 2) Can you use with statement with file? 
>>>> >>>> with open(pwfile, "r") as f: >>>> dm_password = f.read().rstrip() >>>> >>>> 3) Please keep PEP8 in new code >>>> >>>> ./ipatests/test_ipaserver/test_topology_plugin.py:30:80: E501 line >>>> too long (102 > 79 characters) >>>> ./ipatests/test_ipaserver/test_topology_plugin.py:33:80: E501 line >>>> too long (92 > 79 characters) >>>> ./ipatests/test_ipaserver/test_topology_plugin.py:39:80: E501 line >>>> too long (124 > 79 characters) >>>> ./ipatests/test_ipaserver/test_topology_plugin.py:44:80: E501 line >>>> too long (92 > 79 characters) >>>> ./ipatests/test_ipaserver/test_topology_plugin.py:45:48: E128 >>>> continuation line under-indented for visual indent >>>> ./ipatests/test_ipaserver/test_topology_plugin.py:45:80: E501 line >>>> too long (89 > 79 characters) >>>> ./ipatests/test_ipaserver/test_topology_plugin.py:46:48: E128 >>>> continuation line under-indented for visual indent >>>> ./ipatests/test_ipaserver/test_topology_plugin.py:46:80: E501 line >>>> too long (89 > 79 characters) >>>> ./ipatests/test_ipaserver/test_topology_plugin.py:58:80: E501 line >>>> too long (87 > 79 characters) >>>> >>>> 4) Missing nose import >>>> raise nose.SkipTest("No directory manager password in >>>> %s" % pwfile) >>>> >>>> 5) Can you use sets here instead of sorted lists? >>>> assert(sorted(entry.keys()) == sorted(pluginattrs.keys())) >>>> >>>> >>>> Martin^2 >>>> >>> >> 1) >> Sorry, I didn't notice before, but there is missing header in that file. >> >> 2) >> You don't need to specify ldap_uri, you just need to call ldap2(api), >> by default api.env.ldap_uri is used, which is the same as you specified >> >> 3) >> Can you indent values of dict which are on newline? It is readable >> better. 
>> u'nsslapd-topo-plugin-shared-config-base': >> [u'cn=ipa,cn=etc,dc=example,dc=com'], >> u'nsslapd-pluginDescription': [u'ipa-topology-plugin'], >> >> 4) >> Please use lower F as variable, in python we use capital letters for >> class definitions >> with open(pwfile, "r") as F: >> dm_password = F.read().rstrip() >> >> Otherwise it works as expected. >> >> Martin^2 >> >> >> >> > Sorry. You added there old license format, we now use in new files new format # # Copyright (C) 2015 FreeIPA Contributors see COPYING for license # -- Martin Basti From mbasti at redhat.com Wed Jul 22 08:38:05 2015 From: mbasti at redhat.com (Martin Basti) Date: Wed, 22 Jul 2015 10:38:05 +0200 Subject: [Freeipa-devel] [PATCH] otptoken: use ipapython.nsslib instead of Python's ssl module In-Reply-To: <559C00ED.4090408@redhat.com> References: <559C00ED.4090408@redhat.com> Message-ID: <55AF566D.8070208@redhat.com> On 07/07/15 18:40, Christian Heimes wrote: > Hello, > > the patch removes the dependency on Python's ssl module and > python-backports-ssl_match_hostname. > > https://fedorahosted.org/freeipa/ticket/5068 > > Open question > ------------- > Is paths.IPA_NSSDB_DIR the correct NSSDB? Should be. > > Christian > > Works for me, ACK. -- Martin Basti -------------- next part -------------- An HTML attachment was scrubbed... URL: From mbasti at redhat.com Wed Jul 22 08:41:26 2015 
From: mbasti at redhat.com (Martin Basti) Date: Wed, 22 Jul 2015 10:41:26 +0200 Subject: [Freeipa-devel] [PATCH 0050] Fix client ca.crt to match the server's cert In-Reply-To: <55A3DF6A.6080206@redhat.com> References: <5592ACFE.8020803@redhat.com> <5593913D.8000303@redhat.com> <5593AABB.607@redhat.com> <55A3DF6A.6080206@redhat.com> Message-ID: <55AF5736.6030406@redhat.com> On 13/07/15 17:55, Martin Basti wrote: > On 08/07/15 16:09, Gabe Alford wrote: >> Thanks, Martin. Update patch attached. >> >> I was getting an 'No newline at the end of file' in my environment >> hence an extra '\n' at the end. >> Please let me know if you see the same thing. >> >> Thanks, >> >> Gabe >> >> On Wed, Jul 1, 2015 at 2:54 AM, Martin Basti > > wrote: >> >> On 01/07/15 09:05, Martin Basti wrote: >>> On 30/06/15 17:31, Gabe Alford wrote: >>>> On Tue, Jun 30, 2015 at 8:51 AM, Martin Basti >>>> wrote: >>>> >>>> On 16/06/15 16:58, Gabe Alford wrote: >>>>> I know you guys are busy. Bump for review. >>>>> >>>>> Thanks, >>>>> >>>>> Gabe >>>>> >>>>> On Tue, May 26, 2015 at 8:16 AM, Gabe Alford >>>>> wrote: >>>>> >>>>> Hello, >>>>> >>>>> Fix for https://fedorahosted.org/freeipa/ticket/3809 >>>>> >>>>> Thanks, >>>>> >>>>> Gabe >>>>> >>>>> >>>>> >>>>> >>>> I'm getting certificate on server without extra '\n' at the >>>> end. >>>> >>>> So certificate files are not the same. >>>> >>>> >>>> I assume you did a diff of the server /etc/ipa/ca.crt and the >>>> client /etc/ipa/ca.crt, right? Did you setup a server and then >>>> connect a client (just wonder what your steps were so that I >>>> can also reproduce)? >>> >>> Yes. I did that. >>> >>> I will retest it today. >>> >> Retested and ca.cert on client has extra '\n' at the end. >>>> >>>> >>>> -- >>>> Martin Basti >>>> >>>> >>> >>> >>> -- >>> Martin Basti >>> >>> >> >> >> -- >> Martin Basti >> >> > Thank you! > ACK > > -- > Martin Basti > > This patch has not been pushed yet. 
-- Martin Basti -------------- next part -------------- An HTML attachment was scrubbed... URL: From tbabej at redhat.com Wed Jul 22 09:08:22 2015 From: tbabej at redhat.com (Tomas Babej) Date: Wed, 22 Jul 2015 11:08:22 +0200 Subject: [Freeipa-devel] [PATCH 0342] idviews: Check for the Default Trust View only if applying In-Reply-To: <55AF4097.8080508@redhat.com> References: <55AE234D.9010902@redhat.com> <55AF4097.8080508@redhat.com> Message-ID: <55AF5D86.3090703@redhat.com> On 07/22/2015 09:04 AM, Martin Basti wrote: > On 21/07/15 12:47, Tomas Babej wrote: >> Hi, >> >> Currently, the code wrongly validates the idview-unapply command. Move >> check for the forbidden application of the Default Trust View into >> the correct logical branch. >> >> https://fedorahosted.org/freeipa/ticket/4969 >> >> Tomas >> >> > > ACK > > -- > Martin Basti > Pushed to master: a76c92ccd44ff0a28b789fdbfed5cf45d164eb80 Pushed to ipa-4-2: bcb82784ebdde12f8aa94477d20dc352f7c74b81 From tbabej at redhat.com Wed Jul 22 09:10:27 2015 From: tbabej at redhat.com (Tomas Babej) Date: Wed, 22 Jul 2015 11:10:27 +0200 Subject: [Freeipa-devel] [PATCH 0344] tests: service_plugin: Make sure the cert is decoded from In-Reply-To: <55AF3AE1.5060007@redhat.com> References: <55AE6CE9.3020106@redhat.com> <55AF3AE1.5060007@redhat.com> Message-ID: <55AF5E03.9000501@redhat.com> On 07/22/2015 08:40 AM, Martin Babinsky wrote: > On 07/21/2015 06:01 PM, Tomas Babej wrote: >> Hi, >> >> this patch fixes an issue in tests where the certificate was not decoded >> from base64 representation. >> >> Tomas >> >> >> > ACK > Pushed to: master: 12395a94f38f4db23e356a6f7d96629155c02532 ipa-4-2: 0fe31fa58a45ad0f957d3b6e4eb87d776c41bd48 From tbabej at redhat.com Wed Jul 22 09:11:14 2015 
From: tbabej at redhat.com (Tomas Babej)
Date: Wed, 22 Jul 2015 11:11:14 +0200
Subject: [Freeipa-devel] [PATCH 0345] tests: realmdomains_plugin: Add explanatory comment
In-Reply-To: <55AF413C.8030608@redhat.com>
References: <55AE6CFA.20000@redhat.com> <55AF413C.8030608@redhat.com>
Message-ID: <55AF5E32.90408@redhat.com>

On 07/22/2015 09:07 AM, Martin Basti wrote:
> On 21/07/15 18:02, Tomas Babej wrote:
>> Hi,
>>
>> The realmdomains_mod command will fail if the testing environment
>> is configured improperly and the IPA domain's NS/SOA records are
>> not resolvable. This can easily happen if the machine's DNS server
>> is not configured to the IPA server.
>>
>> Leave an explanatory note in the class.
>>
>> Tomas
>
> ACK
>
> --
> Martin Basti

Pushed to:
master: 5f8fd8a8e3dfbd8542d4948f799e5f6ee986c957
ipa-4-2: 4292641eddced3f3482c2cc604fbd093f1163cff

From tbabej at redhat.com Wed Jul 22 09:12:45 2015
From: tbabej at redhat.com (Tomas Babej)
Date: Wed, 22 Jul 2015 11:12:45 +0200
Subject: [Freeipa-devel] [PATCH 0346] tests: Version is currently generated during command call
In-Reply-To: <55AF3EA8.7020508@redhat.com>
References: <55AE6D11.8010601@redhat.com> <55AF3EA8.7020508@redhat.com>
Message-ID: <55AF5E8D.7050807@redhat.com>

On 07/22/2015 08:56 AM, Martin Basti wrote:
> On 21/07/15 18:02, Tomas Babej wrote:
>> Hi,
>>
>> In the previous versions, version in the response was generated
>> as part of the process_keyword_arguments method. This is no longer true,
>> and so the explicit check for it should be removed.
>>
>> Tomas
>
> ACK
>
> --
> Martin Basti

Pushed to:
master: 083c64eb706a09d936935a94f6a9176c81553617
ipa-4-2: d66e5b761d52d89125c415cca6ecfab2131e74d1

From tbabej at redhat.com Wed Jul 22 09:13:28 2015
From: tbabej at redhat.com (Tomas Babej) Date: Wed, 22 Jul 2015 11:13:28 +0200 Subject: [Freeipa-devel] [PATCH 0347] tests: vault_plugin: Skip tests if KRA not available In-Reply-To: <55AF3B31.8000906@redhat.com> References: <55AE6D34.2080700@redhat.com> <55AF3B31.8000906@redhat.com> Message-ID: <55AF5EB8.9020602@redhat.com> On 07/22/2015 08:41 AM, Martin Babinsky wrote: > On 07/21/2015 06:03 PM, Tomas Babej wrote: >> Hi, >> >> the vault tests should be skipped in case the KRA is not available on >> the machine. >> >> Tomas >> >> >> > ACK > Pushed to: master: 8eb26e9230e43eb2683778b8d667c6c7e632ec36 ipa-4-2: dafab2ab3b4fa4a88d59557e29ee266b8b956ede From tbabej at redhat.com Wed Jul 22 09:14:08 2015 From: tbabej at redhat.com (Tomas Babej) Date: Wed, 22 Jul 2015 11:14:08 +0200 Subject: [Freeipa-devel] [PATCH 0348] tests: test_rpc: Create connection for the current thread In-Reply-To: <55AF41A1.7000301@redhat.com> References: <55AE6D44.60707@redhat.com> <55AF41A1.7000301@redhat.com> Message-ID: <55AF5EE0.4000708@redhat.com> On 07/22/2015 09:09 AM, Martin Basti wrote: > On 21/07/15 18:03, Tomas Babej wrote: >> Hi, >> >> Both context.xmlclient and context.xmlclient_ need to be created >> in order to successfully call the Command.forward method. >> >> Tomas >> >> > ACK > > -- > Martin Basti > Pushed to: master: d71899696ab30c76a220a9fe444fc577a246a978 ipa-4-2: 86cc9c2ba2d4ac8bd26652907c30615eb309a2b3 From tbabej at redhat.com Wed Jul 22 09:14:40 2015 
From: tbabej at redhat.com (Tomas Babej) Date: Wed, 22 Jul 2015 11:14:40 +0200 Subject: [Freeipa-devel] [PATCH 0349] tests: test_cert: Services can have multiple certificates In-Reply-To: <55AF3BC0.2010802@redhat.com> References: <55AE6D55.60206@redhat.com> <55AF3BC0.2010802@redhat.com> Message-ID: <55AF5F00.6020801@redhat.com> On 07/22/2015 08:44 AM, Martin Babinsky wrote: > On 07/21/2015 06:03 PM, Tomas Babej wrote: >> Hi, >> >> Old certificates of the services are no longer removed and revoked >> after new ones have been issued. >> >> Check that both old and new certificates are present. >> >> Tomas >> >> >> > ACK > Pushed to: master: 106e9043379231a8cebf76d5088927364d098112 ipa-4-2: 1a5ada51647f95540837105d03f777d631febe6c From pvoborni at redhat.com Wed Jul 22 12:00:56 2015 From: pvoborni at redhat.com (Petr Vobornik) Date: Wed, 22 Jul 2015 14:00:56 +0200 Subject: [Freeipa-devel] [PATCH] 905 webui: add Kerberos configuration instructions for Chrome Message-ID: <55AF85F8.3080104@redhat.com> * IE section moved at the end * Chrome section added * FF and IE icons removed https://fedorahosted.org/freeipa/ticket/823 -- Petr Vobornik -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvoborni-0905-webui-add-Kerberos-configuration-instructions-for-Ch.patch Type: text/x-patch Size: 22385 bytes Desc: not available URL: From tbabej at redhat.com Wed Jul 22 12:32:19 2015 
From: tbabej at redhat.com (Tomas Babej)
Date: Wed, 22 Jul 2015 14:32:19 +0200
Subject: [Freeipa-devel] [PATCH 0350] dcerpc: Fix UnboundLocalError for ccache_name
Message-ID: <55AF8D53.8050600@redhat.com>

Hi,

this fixes an UnboundLocalError in DomainValidator.__search_in_dc.

Alexander gave an ACK over IRC.

Pushed to:
master: cf59981cc2c6bb13c286188aa27cb10a49ff4a5e
ipa-4-2: fe3fa23e5f34219fda7cba182de50b5bd8074fb7

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-tbabej-0350-dcerpc-Fix-UnboundLocalError-for-ccache_name.patch
Type: text/x-patch
Size: 746 bytes
Desc: not available
URL:

From ofayans at redhat.com Wed Jul 22 13:19:34 2015
From: ofayans at redhat.com (Oleg Fayans) Date: Wed, 22 Jul 2015 15:19:34 +0200 Subject: [Freeipa-devel] [PATCH 0001] Test Topology plugin is listed among DS plugins In-Reply-To: <55AF4594.10704@redhat.com> References: <55ACC623.20601@redhat.com> <55ACD1A2.5030202@redhat.com> <55ACE483.5030504@redhat.com> <55AE6903.4040202@redhat.com> <55AF44E1.3030500@redhat.com> <55AF4594.10704@redhat.com> Message-ID: <55AF9866.3050002@redhat.com> Hi Martin, Fixed. On 07/22/2015 09:26 AM, Martin Basti wrote: > On 22/07/15 09:23, Oleg Fayans wrote: >> Hi Martin, >> >> Patch updated. Thank you for the review! >> >> On 07/21/2015 05:45 PM, Martin Basti wrote: >>> On 20/07/15 14:07, Oleg Fayans wrote: >>>> Hi Martin, >>>> >>>> Updated. >>>> >>>> >>>> On 07/20/2015 12:46 PM, Martin Basti wrote: >>>>> On 20/07/15 11:57, Oleg Fayans wrote: >>>>>> + pwfile = api.env.dot_ipa + os.sep + ".dmpw" >>>>>> + if ipautil.file_exists(pwfile): >>>>>> + fp = open(pwfile, "r") >>>>>> + dm_password = fp.read().rstrip() >>>>>> + fp.close() >>>>>> + else: >>>>> Hello, >>>>> >>>>> 1) Can you use os.path.join() instead of "+ os.sep +" please >>>>> >>>>> 2) Can you use with statement with file? 
>>>>> >>>>> with open(pwfile, "r") as f: >>>>> dm_password = f.read().rstrip() >>>>> >>>>> 3) Please keep PEP8 in new code >>>>> >>>>> ./ipatests/test_ipaserver/test_topology_plugin.py:30:80: E501 line >>>>> too long (102 > 79 characters) >>>>> ./ipatests/test_ipaserver/test_topology_plugin.py:33:80: E501 line >>>>> too long (92 > 79 characters) >>>>> ./ipatests/test_ipaserver/test_topology_plugin.py:39:80: E501 line >>>>> too long (124 > 79 characters) >>>>> ./ipatests/test_ipaserver/test_topology_plugin.py:44:80: E501 line >>>>> too long (92 > 79 characters) >>>>> ./ipatests/test_ipaserver/test_topology_plugin.py:45:48: E128 >>>>> continuation line under-indented for visual indent >>>>> ./ipatests/test_ipaserver/test_topology_plugin.py:45:80: E501 line >>>>> too long (89 > 79 characters) >>>>> ./ipatests/test_ipaserver/test_topology_plugin.py:46:48: E128 >>>>> continuation line under-indented for visual indent >>>>> ./ipatests/test_ipaserver/test_topology_plugin.py:46:80: E501 line >>>>> too long (89 > 79 characters) >>>>> ./ipatests/test_ipaserver/test_topology_plugin.py:58:80: E501 line >>>>> too long (87 > 79 characters) >>>>> >>>>> 4) Missing nose import >>>>> raise nose.SkipTest("No directory manager password in >>>>> %s" % pwfile) >>>>> >>>>> 5) Can you use sets here instead of sorted lists? >>>>> assert(sorted(entry.keys()) == sorted(pluginattrs.keys())) >>>>> >>>>> >>>>> Martin^2 >>>>> >>>> >>> 1) >>> Sorry, I didn't notice before, but there is missing header in that >>> file. >>> >>> 2) >>> You don't need to specify ldap_uri, you just need to call >>> ldap2(api), by default api.env.ldap_uri is used, which is the same >>> as you specified >>> >>> 3) >>> Can you indent values of dict which are on newline? It is readable >>> better. 
>>> u'nsslapd-topo-plugin-shared-config-base': >>> [u'cn=ipa,cn=etc,dc=example,dc=com'], >>> u'nsslapd-pluginDescription': [u'ipa-topology-plugin'], >>> >>> 4) >>> Please use lower F as variable, in python we use capital letters for >>> class definitions >>> with open(pwfile, "r") as F: >>> dm_password = F.read().rstrip() >>> >>> Otherwise it works as expected. >>> >>> Martin^2 >>> >>> >>> >>> >> > Sorry. > You added there old license format, we now use in new files new format > > # > # Copyright (C) 2015 FreeIPA Contributors see COPYING for license > # > -- Oleg Fayans Quality Engineer FreeIPA team RedHat. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-ofayans-0001.3-test-topologyplugin-is-listed-among-DS-plugins.patch Type: text/x-patch Size: 3560 bytes Desc: not available URL: From cheimes at redhat.com Wed Jul 22 13:32:59 2015 
From: cheimes at redhat.com (Christian Heimes)
Date: Wed, 22 Jul 2015 15:32:59 +0200
Subject: [Freeipa-devel] [PATCH 0015] mod_auth_gssapi: Remove ntlmssp support and restrict, mechanism to krb5
Message-ID: <55AF9B8B.4030509@redhat.com>

By default mod_auth_gssapi allows all locally available mechanisms. If the gssntlmssp package is installed, it also offers ntlmssp. This has the annoying side effect that some browsers will pop up a username/password request dialog if no Krb5 credentials are available.

The patch restricts the mechanism to krb5 and removes ntlmssp and iakerb support from Apache's ipa.conf.

The new feature was added to mod_auth_gssapi 1.3.0.

https://fedorahosted.org/freeipa/ticket/5114

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-cheimes-0015-mod_auth_gssapi-Remove-ntlmssp-support-and-restrict-.patch
Type: text/x-patch
Size: 1828 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: OpenPGP digital signature
URL:

From ssorce at redhat.com Wed Jul 22 13:41:51 2015
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 22 Jul 2015 09:41:51 -0400 (EDT)
Subject: [Freeipa-devel] [PATCH 149] IPA KDB: allow case in-sensitive realm in AS request
In-Reply-To: <20150721114114.GA7078@p.redhat.com>
References: <20150721114114.GA7078@p.redhat.com>
Message-ID: <721412384.2383594.1437572511320.JavaMail.zimbra@redhat.com>

----- Original Message -----
> From: "Sumit Bose"
> To: "freeipa-devel"
> Sent: Tuesday, July 21, 2015 7:41:14 AM
> Subject: [Freeipa-devel] [PATCH 149] IPA KDB: allow case in-sensitive realm in AS request
>
> Hi,
>
> this patch is my suggestion to solve
> https://fedorahosted.org/freeipa/ticket/4844 .
>
> The original issue in the ticket has two parts. One is a loop in libkrb5
> which is already fixed. The other is to handle canonicalization better.

Sorry Sumit, I see several issues with this patch.

First of all you should really not change ipadb_get_principal(), that's the wrong place to apply your logic.

To support searching for the realm name case-insensitively all we should do is to always forcibly upper case the realm name at the same time we build the filter (in ipadb_fetch_principals()), if canonicalization was requested. Because we will never store (code to prevent that should probably be added with this patch) a realm name that is not all caps.

Then the post search matches should be done straight within ipadb_find_principal().

> The general way to allow canonicalization on a principal is to add the
> attributes 'krbcanonicalname'[1] and 'ipakrbprincipalalias' together
> with the objectclass 'ipaKrbPrincipal' to the user object.

We have already had a ticket open for a long time to remove krbprincipalalias, it was a mistake to add it and any patch that depends on it will be nacked by me. We need to use krbPrincipalName and krbCanonicalName.

> Then the IPA
> KDB backend will use 'ipakrbprincipalalias' for case-insensitive
> matches and the principal from 'krbcanonicalname' will be the canonical
> principal used further on. The 'krbPrincipalName' is not suitable for
> either because it has caseExact* matching rules and is a multivalue
> attribute [2].
Case-exact match is a problem only if we do not canonicalize names when storing them, otherwise all you need to do is store a "search form" in krbPrincipalName and always change searches to that form (forcibly upper case realm, forcibly lowercase components) when canonicalization is requested.

Additionally in the patch you are using strcasecmp(), that function is not acceptable, look at ipadb_find_principal() and you'll see we use ulc_casecmp() there.

Also modifying the principal before searching is done wrong (you use strchr() to find the @ sign, but you could find an @ in the components this way, you should use strrchr() at the very least), and is dangerous if done outside of the inner functions because then we never have a way to know the original form should it be needed. In any case as said above realm should be forcibly uppercase, given a flag in the escape function instead.

> What I got from the comments in the ticket and the related bugzilla
> ticket is that it should be possible to get a TGT for a user even if the
> realm is given in lower-case if canonicalization is enabled. Please note
> that the client can only send such request because we have
> 'dns_lookup_kdc = true' in krb.conf and DNS is case-insensitive. If you
> set 'dns_lookup_kdc = false' the client will fail immediately without
> sending a request at all, because it is not able to find a KDC for the
> lower-case realm.
>
> On the server-side the request is processed because of
> http://k5wiki.kerberos.org/wiki/Projects/Aliases which made parts of
> processing case-insensitive.
>
> With the attached patch a second lookup is done if the lookup with the
> original input returned no result, canonicalization is
> enabled and the realm from the original input matches the IPA realm
> case-insensitively. For the second lookup the realm is replaced with the IPA
> realm. This approach adds a bit of redundant code but does not add extra
> processing requests which would be successful before.
>
> Without the patch
> kinit ipauser at IPA.REALM -> success
> kinit -C ipauser at IPA.REALM -> success
> kinit ipauser at ipa.realm -> failure
> kinit -C ipauser at ipa.realm -> failure
>
> With the patch
> kinit ipauser at IPA.REALM -> success
> kinit -C ipauser at IPA.REALM -> success
> kinit ipauser at ipa.realm -> success
> kinit -C ipauser at ipa.realm -> success
>
> where 'ipa.realm' can be replaced by a mixed case version like 'iPa.ReAlM'
> as well.
>
> bye,
> Sumit
>
> [1] I was not able to add 'krbcanonicalname' as admin user because of an
> ACI denial. I wonder if this is expected or if the ACI rules should be
> extended here?

Yes, we need to fix this, it's a bug that admins can't set the canonical name.

> [2] We might want to skip the requirement that 'krbcanonicalname' must exist
> if 'ipaKrbPrincipal' only has a single value but canonicalization will
> fail immediately if someone adds a second value so I guess it would be
> safer to keep it as it is.

If someone adds a second value we must have code to set krbCanonicalName anyway or we will not know anymore what is the canonical name. So this also needs fixing in this patchset probably, by adding checks to the add/modify principal functions.

HTH,
Simo.

--
Simo Sorce * Red Hat, Inc. * New York

From ssorce at redhat.com Wed Jul 22 13:47:34 2015
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 22 Jul 2015 09:47:34 -0400 (EDT)
Subject: [Freeipa-devel] [PATCH] Port from python-kerberos library to python-gssapi
In-Reply-To: <2026883365.1326941.1437480146008.JavaMail.zimbra@redhat.com>
References: <2026883365.1326941.1437480146008.JavaMail.zimbra@redhat.com>
Message-ID: <1747692317.2396484.1437572854418.JavaMail.zimbra@redhat.com>

Comments inline.

----- Original Message -----
> From: "Michael Simacek" > To: freeipa-devel at redhat.com > Sent: Tuesday, July 21, 2015 8:02:26 AM > Subject: [Freeipa-devel] [PATCH] Port from python-kerberos library to python-gssapi > > Hi, > > This is a first part of my effort to port FreeIPA from Python3-incompatible > Kerberos libraries to python-gssapi. This patch should replace > python-kerberos > with python-gssapi (both use C GSSAPI behind the scenes). > > -- > Michael Simacek > > > >From bca55a6bd9cdb9cdea9d81b55cfdbc2c1279f031 Mon Sep 17 00:00:00 2001 > From: Michael Simacek > Date: Thu, 16 Jul 2015 18:22:00 +0200 > Subject: [PATCH] Port from python-kerberos library to python-gssapi > > kerberos library doesn't support Python 3 and probably never will. > python-gssapi library is Python 3 compatible. > --- > BUILD.txt | 2 +- > freeipa.spec.in | 2 +- > ipalib/rpc.py | 42 +++++++++++++++++++++--------------------- > ipalib/util.py | 14 +++++++------- > ipapython/ipautil.py | 17 ----------------- > 5 files changed, 30 insertions(+), 47 deletions(-) > > diff --git a/BUILD.txt b/BUILD.txt > index 6a28beb..53012b1 100644 > --- a/BUILD.txt > +++ b/BUILD.txt > @@ -20,7 +20,7 @@ systemd-units samba-devel samba-python libwbclient-devel > libtalloc-devel \ > libtevent-devel nspr-devel nss-devel openssl-devel openldap-devel krb5-devel > \ > krb5-workstation libuuid-devel libcurl-devel xmlrpc-c-devel popt-devel \ > autoconf automake m4 libtool gettext python-devel python-ldap \ > -python-setuptools python-krbV python-nss python-netaddr python-kerberos \ > +python-setuptools python-krbV python-nss python-netaddr python-gssapi \ > python-rhsm pyOpenSSL pylint python-polib libipa_hbac-python > python-memcached \ > sssd python-lxml python-pyasn1 python-qrcode-core python-dns m2crypto \ > check libsss_idmap-devel libsss_nss_idmap-devel java-headless rhino \ > diff --git a/freeipa.spec.in b/freeipa.spec.in > index fef20e1..5e10022 100644 > --- a/freeipa.spec.in > +++ b/freeipa.spec.in 
> @@ -72,7 +72,7 @@ BuildRequires: python-krbV > BuildRequires: python-nss > BuildRequires: python-cryptography > BuildRequires: python-netaddr > -BuildRequires: python-kerberos >= 1.1-14 > +BuildRequires: python-gssapi >= 1.1.1 > BuildRequires: python-rhsm > BuildRequires: pyOpenSSL > BuildRequires: pylint >= 1.0 > diff --git a/ipalib/rpc.py b/ipalib/rpc.py > index 466b49a..bbedcc9 100644 > --- a/ipalib/rpc.py > +++ b/ipalib/rpc.py > @@ -44,7 +44,7 @@ from urllib2 import urlparse > > from xmlrpclib import (Binary, Fault, DateTime, dumps, loads, ServerProxy, > Transport, ProtocolError, MININT, MAXINT) > -import kerberos > +import gssapi > from dns import resolver, rdatatype > from dns.exception import DNSException > from nss.error import NSPRError 
> @@ -510,24 +510,27 @@ class KerbTransport(SSLTransport): > """ > Handles Kerberos Negotiation authentication to an XML-RPC server. > """ > - flags = kerberos.GSS_C_MUTUAL_FLAG | kerberos.GSS_C_SEQUENCE_FLAG > + flags = gssapi.IntEnumFlagSet(gssapi.RequirementFlag, > + > [gssapi.RequirementFlag.mutual_authentication, > + > gssapi.RequirementFlag.out_of_sequence_detection]) > > def _handle_exception(self, e, service=None): > - (major, minor) = ipautil.get_gsserror(e) > - if minor[1] == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN: > + # kerberos library coerced error codes to signed, gssapi uses > unsigned > + minor = e.min_code - (1 << 32) > + if minor == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN: > raise errors.ServiceError(service=service) > - elif minor[1] == KRB5_FCC_NOFILE: > + elif minor == KRB5_FCC_NOFILE: > raise errors.NoCCacheError() > - elif minor[1] == KRB5KRB_AP_ERR_TKT_EXPIRED: > + elif minor == KRB5KRB_AP_ERR_TKT_EXPIRED: > raise errors.TicketExpired() > - elif minor[1] == KRB5_FCC_PERM: > + elif minor == KRB5_FCC_PERM: > raise errors.BadCCachePerms() > - elif minor[1] == KRB5_CC_FORMAT: > + elif minor == KRB5_CC_FORMAT: > raise errors.BadCCacheFormat() > - elif minor[1] == KRB5_REALM_CANT_RESOLVE: > + elif minor == KRB5_REALM_CANT_RESOLVE: > raise errors.CannotResolveKDC() > else: > - raise errors.KerberosError(major=major, minor=minor) > + raise errors.KerberosError(major=e.maj_code, minor=minor) > > def get_host_info(self, host): > """ 
> @@ -548,14 +551,9 @@ class KerbTransport(SSLTransport): > service = "HTTP@" + host.split(':')[0] > > try: > - (rc, vc) = kerberos.authGSSClientInit(service=service, > - gssflags=self.flags) > - except kerberos.GSSError, e: > - self._handle_exception(e) > - > - try: > - kerberos.authGSSClientStep(vc, "") > - except kerberos.GSSError, e: > + name = gssapi.Name(service, gssapi.NameType.hostbased_service) > + response = gssapi.raw.init_sec_context(name, > flags=self.flags).token Please do not use the raw api unless you have no other option. Use the high level api, also do not refernce a member while instantiating a class. Instantiate, then reference please, we want readable code. > + except gssapi.exceptions.GSSError as e: > self._handle_exception(e, service=service) > > for (h, v) in extra_headers: > @@ -564,7 +562,7 @@ class KerbTransport(SSLTransport): > break > > extra_headers.append( > - ('Authorization', 'negotiate %s' % > kerberos.authGSSClientResponse(vc)) > + ('Authorization', 'negotiate %s' % base64.b64encode(response)) > ) > > return (host, extra_headers, x509) > @@ -632,8 +630,10 @@ class DelegatedKerbTransport(KerbTransport): > Handles Kerberos Negotiation authentication and TGT delegation to an > XML-RPC server. > """ > - flags = kerberos.GSS_C_DELEG_FLAG | kerberos.GSS_C_MUTUAL_FLAG | \ > - kerberos.GSS_C_SEQUENCE_FLAG > + flags = gssapi.IntEnumFlagSet(gssapi.RequirementFlag, > + [gssapi.RequirementFlag.delegate_to_peer, > + > gssapi.RequirementFlag.mutual_authentication, > + > gssapi.RequirementFlag.out_of_sequence_detection]) > > > class RPCClient(Connectible): > diff --git a/ipalib/util.py b/ipalib/util.py > index 649a487..aea3ba9 100644 > --- a/ipalib/util.py > +++ b/ipalib/util.py 
> @@ -63,15 +63,15 @@ def json_serialize(obj): > > def get_current_principal(): > try: > - import kerberos > - rc, vc = kerberos.authGSSClientInit("notempty") > - rc = kerberos.authGSSClientInquireCred(vc) > - username = kerberos.authGSSClientUserName(vc) > - kerberos.authGSSClientClean(vc) > + import gssapi > + cred = gssapi.raw.acquire_cred(usage='initiate').creds > + name = gssapi.raw.inquire_cred(cred, lifetime=False, usage=False, > + mechs=False).name > + username = gssapi.raw.display_name(name, name_type=False).name Same as above. Create a credential and inquire it with the high level api > return unicode(username) > except ImportError: > - raise RuntimeError('python-kerberos is not available.') > - except kerberos.GSSError, e: > + raise RuntimeError('python-gssapi is not available.') > + except gssapi.exceptions.GSSError: > #TODO: do a kinit? > raise errors.CCacheError() > > diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py > index 88e8970..05a7eeb 100644 > --- a/ipapython/ipautil.py > +++ b/ipapython/ipautil.py > @@ -783,23 +783,6 @@ def user_input(prompt, default = None, allow_empty = > True): > return ret > > > -def get_gsserror(e): > - """ > - A GSSError exception looks differently in python 2.4 than it does > - in python 2.5. Deal with it. > - """ > - > - try: > - major = e[0] > - minor = e[1] > - except: > - major = e[0][0] > - minor = e[0][1] > - > - return (major, minor) > - > - > - > def host_port_open(host, port, socket_type=socket.SOCK_STREAM, > socket_timeout=None): > for res in socket.getaddrinfo(host, port, socket.AF_UNSPEC, > socket_type): > af, socktype, proto, canonname, sa = res > -- > 2.1.0 > > -- > Manage your subscription for the Freeipa-devel mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-devel > Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code > -- Simo Sorce * Red Hat, Inc. * New York From ssorce at redhat.com Wed Jul 22 13:49:50 2015 
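Review bot: in the freeipa.spec.in hunk only the BuildRequires line moves from python-kerberos to python-gssapi, and the diffstat lists no other change in that file; if the spec also carries a runtime Requires: on python-kerberos it needs the same update, otherwise the installed ipalib imports gssapi without the package being pulled in.

Review bot: in the @@ -510 hunk of ipalib/rpc.py, `minor = e.min_code - (1 << 32)` is applied to every minor code unconditionally, so a small positive minor code (0, or a code from a mechanism that does not use negative krb5 values) becomes a large negative number before the comparisons and before it is placed into errors.KerberosError; only wrap when the sign bit is set, for example `minor = e.min_code` followed by `if minor >= 1 << 31: minor -= 1 << 32`, or compare against the unsigned form of the KRB5 constants.

Review bot: the @@ -564 hunk of ipalib/rpc.py introduces a call to base64.b64encode(), but no hunk in this patch adds `import base64` to rpc.py; confirm the module already imports it, otherwise building the Authorization header fails with a NameError on the first request.

Review bot: the ipapython/ipautil.py hunk removes the public helper get_gsserror() while the diffstat shows only ipalib/rpc.py and ipalib/util.py as changed callers; grep the tree (plugins, installers, tests) for other users before deleting it, or keep a short deprecation shim for one release.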
From: ssorce at redhat.com (Simo Sorce) Date: Wed, 22 Jul 2015 09:49:50 -0400 (EDT) Subject: [Freeipa-devel] [PATCH 0015] mod_auth_gssapi: Remove ntlmssp support and restrict mechanism to krb5 In-Reply-To: <55AF9B8B.4030509@redhat.com> References: <55AF9B8B.4030509@redhat.com> Message-ID: <1874088905.2398755.1437572990514.JavaMail.zimbra@redhat.com> ----- Original Message ----- > From: "Christian Heimes" > To: "freeipa-devel" > Sent: Wednesday, July 22, 2015 9:32:59 AM > Subject: [Freeipa-devel] [PATCH 0015] mod_auth_gssapi: Remove ntlmssp support and restrict mechanism to krb5 > > By default mod_auth_gssapi allows all locally available mechanisms. If > the gssntlmssp package is installed, it also offers ntlmssp. This has > the annoying side effect that some browsers will pop up a > username/password request dialog if no Krb5 credentials are available. > > The patch restricts the mechanism to krb5 and removes ntlmssp and > iakerb support from Apache's ipa.conf. > > The new feature was added to mod_auth_gssapi 1.3.0. > > https://fedorahosted.org/freeipa/ticket/5114 LGTM Simo. -- Simo Sorce * Red Hat, Inc. * New York From mbasti at redhat.com Wed Jul 22 13:56:37 2015 
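The stanza Christian describes, as an added example rather than the attached patch (which is not reproduced in the archive): the default form, under which mod_auth_gssapi offers every mechanism installed on the host, beside the form restricted to krb5. The keytab path and the surrounding directives are assumed for illustration; only GssapiAllowedMech is the point.

```apache
# Before: without GssapiAllowedMech every locally available mechanism
# (krb5, iakerb, and ntlmssp when gssntlmssp is installed) is offered,
# which is what lets an NTLM-capable browser fall back to a
# username/password dialog when no Kerberos ticket is present.
<Location "/ipa">
  AuthType GSSAPI
  AuthName "Kerberos Login"
  # keytab path assumed for the example
  GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab
  GssapiUseSessions On
  Require valid-user
</Location>

# After (mod_auth_gssapi >= 1.3.0): only krb5 is accepted inside the
# SPNEGO negotiation; an NTLMSSP or IAKERB token is rejected outright.
<Location "/ipa">
  AuthType GSSAPI
  AuthName "Kerberos Login"
  GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab
  GssapiAllowedMech krb5
  GssapiUseSessions On
  Require valid-user
</Location>
```

To check the effect, run `curl -v --negotiate -u : https://<server>/ipa/` once with and once without a ticket: with the restriction in place a client without Kerberos credentials simply gets the 401 and there is no mechanism left for the browser to prompt for.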
From: mbasti at redhat.com (Martin Basti) Date: Wed, 22 Jul 2015 15:56:37 +0200 Subject: [Freeipa-devel] [PATCH 0293] Allow to set number of DB locks during install Message-ID: <55AFA115.2050404@redhat.com> Hello all, I attached a WIP patch to solve https://fedorahosted.org/freeipa/ticket/4949 I received several suggestions: 1) (implemented in the patch) add the option --db-locks to the installer (maybe as a hidden option) 2) Configure nsslapd-db-locks to a higher value by default (what is the right value?) 3) Combination of 1 and 2: set a higher default value and also have a hidden option to allow configuring a higher number of locks during install Comments are more than welcome :-) -- Martin Basti -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0293-Allow-to-set-up-nsslapd-db-locks-during-install.patch Type: text/x-patch Size: 6961 bytes Desc: not available URL: From jcholast at redhat.com Wed Jul 22 14:01:45 2015 
From: jcholast at redhat.com (Jan Cholasta) Date: Wed, 22 Jul 2015 16:01:45 +0200 Subject: [Freeipa-devel] [PATCH 0293] Allow to set number of DB locks during install In-Reply-To: <55AFA115.2050404@redhat.com> References: <55AFA115.2050404@redhat.com> Message-ID: <55AFA249.7080604@redhat.com> On 22.7.2015 at 15:56, Martin Basti wrote: > Hello all, > > I attached a WIP patch to solve https://fedorahosted.org/freeipa/ticket/4949 > > I received several suggestions: > > 1) (implemented in the patch) add the option --db-locks to the installer > (maybe as a hidden option) > > 2) Configure nsslapd-db-locks to a higher value by default (what is > the right value?) > > 3) Combination of 1 and 2: set a higher default value and also have a hidden > option to allow configuring a higher number of locks during install > > Comments are more than welcome :-) Name the option "--ds-db-locks" please. + cli_name='db-locks', This is the default cli_name, no need to set it explicitly. + if value < 0: + raise ValueError("Number of database locks must be positive number") 0 is not positive. -- Jan Cholasta From lkrispen at redhat.com Wed Jul 22 14:52:54 2015 
From: lkrispen at redhat.com (Ludwig Krispenz) Date: Wed, 22 Jul 2015 16:52:54 +0200 Subject: [Freeipa-devel] [PATCH 0293] Allow to set number of DB locks during install In-Reply-To: <55AFA115.2050404@redhat.com> References: <55AFA115.2050404@redhat.com> Message-ID: <55AFAE46.4000008@redhat.com> On 07/22/2015 03:56 PM, Martin Basti wrote: > Hello all, > > I attached a WIP patch to solve > https://fedorahosted.org/freeipa/ticket/4949 > > I received several suggestions: > > 1) (implemented in the patch) add the option --db-locks to the installer > (maybe as a hidden option) > > 2) Configure nsslapd-db-locks to a higher value by default (what is > the right value?) This is a good question. I just looked into the ticket and the BZ, but don't understand WHY it is running out of locks. I think adding the option is ok to be prepared, but I would not change the default before understanding the reason for the lock consumption and its relation to the data. Maybe we can also reduce the number of locks needed - do you have a setup to show this failure? > > 3) Combination of 1 and 2: set a higher default value and also have a > hidden option to allow configuring a higher number of locks during install > > Comments are more than welcome :-) > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From mbasti at redhat.com Wed Jul 22 14:54:28 2015 
From: mbasti at redhat.com (Martin Basti) Date: Wed, 22 Jul 2015 16:54:28 +0200 Subject: [Freeipa-devel] [PATCH 0293] Allow to set number of DB locks during install In-Reply-To: <55AFAE46.4000008@redhat.com> References: <55AFA115.2050404@redhat.com> <55AFAE46.4000008@redhat.com> Message-ID: <55AFAEA4.6010404@redhat.com> On 22/07/15 16:52, Ludwig Krispenz wrote: > > On 07/22/2015 03:56 PM, Martin Basti wrote: >> Hello all, >> >> I attached a WIP patch to solve >> https://fedorahosted.org/freeipa/ticket/4949 >> >> I received several suggestions: >> >> 1) (implemented in the patch) add the option --db-locks to the >> installer (maybe as a hidden option) >> >> 2) Configure nsslapd-db-locks to a higher value by default (what is >> the right value?) > This is a good question. I just looked into the ticket and the BZ, but > don't understand WHY it is running out of locks. > I think adding the option is ok to be prepared, but I would not change > the default before understanding the reason for the lock consumption and > its relation to the data. > Maybe we can also reduce the number of locks needed - do you have a > setup to show this failure? I don't have any setup. Petr1 did some testing with a huge number of users; he may still have some VMs. >> >> 3) Combination of 1 and 2: set a higher default value and also have a >> hidden option to allow configuring a higher number of locks during install >> >> Comments are more than welcome :-) >> >> >> > > > -- Martin Basti -------------- next part -------------- An HTML attachment was scrubbed... URL: From pvoborni at redhat.com Wed Jul 22 15:02:59 2015 
From: pvoborni at redhat.com (Petr Vobornik) Date: Wed, 22 Jul 2015 17:02:59 +0200 Subject: [Freeipa-devel] [PATCH 0293] Allow to set number of DB locks during install In-Reply-To: <55AFAEA4.6010404@redhat.com> References: <55AFA115.2050404@redhat.com> <55AFAE46.4000008@redhat.com> <55AFAEA4.6010404@redhat.com> Message-ID: <55AFB0A3.5020705@redhat.com> On 07/22/2015 04:54 PM, Martin Basti wrote: > On 22/07/15 16:52, Ludwig Krispenz wrote: >> >> On 07/22/2015 03:56 PM, Martin Basti wrote: >>> Hello all, >>> >>> I attached a WIP patch to solve >>> https://fedorahosted.org/freeipa/ticket/4949 >>> >>> I received several suggestions: >>> >>> 1) (implemented in the patch) add the option --db-locks to the >>> installer (maybe as a hidden option) >>> >>> 2) Configure nsslapd-db-locks to a higher value by default (what is >>> the right value?) >> This is a good question. I just looked into the ticket and the BZ, but >> don't understand WHY it is running out of locks. >> I think adding the option is ok to be prepared, but I would not change >> the default before understanding the reason for the lock consumption and >> its relation to the data. >> Maybe we can also reduce the number of locks needed - do you have a >> setup to show this failure? > I don't have any setup. Petr1 did some testing with a huge number of users; > he may still have some VMs. This happened during ipa-replica-install in an installation with 160K users. During replica initialization, there were: libdb: BDB2055 Lock table is out of available lock entries idl_new.c BAD 2, err=12 Cannot allocate memory database index operation failed BAD 1050, err=12 errors in the log. I don't know any more details, but increasing the number of locks in the /usr/share/dirsrv/data/template-dse.ldif template worked as a workaround. Not sure if I remember it correctly, but another instance of the db locks error was when I was adding a group of 30K users as a member of another group. I think the memberof plugin caused it. 
> >>> >>> 3) Combination of 1 and 2: set a higher default value and also have a >>> hidden option to allow configuring a higher number of locks during install >>> >>> Comments are more than welcome :-) >>> -- Petr Vobornik From mbasti at redhat.com Wed Jul 22 15:03:42 2015 
From: mbasti at redhat.com (Martin Basti) Date: Wed, 22 Jul 2015 17:03:42 +0200 Subject: [Freeipa-devel] [PATCH 0291, 0292] Limit max age of replication changelog In-Reply-To: <55AD2A09.9070101@redhat.com> References: <55AD0976.4070402@redhat.com> <55AD129D.8020608@redhat.com> <55AD1857.8090209@redhat.com> <55AD26EB.5030303@redhat.com> <55AD2A09.9070101@redhat.com> Message-ID: <55AFB0CE.3020508@redhat.com> On 20/07/15 19:04, Mark Reynolds wrote: > > > On 07/20/2015 12:50 PM, Martin Basti wrote: >> On 20/07/15 17:48, Petr Vobornik wrote: >>> On 07/20/2015 05:24 PM, Rob Crittenden wrote: >>>> Martin Basti wrote: >>>>> https://fedorahosted.org/freeipa/ticket/5086 >>>>> >>>>> Patch attached. >>>> >>>> Is this going to be a shock on upgrades for people who until now >>>> may be >>>> relying on the fact that there is no limit? >>> >>> Not making any point, but have to note: Ludwig raised a question on >>> the users list but there was no feedback from users. >>> >>> https://www.redhat.com/archives/freeipa-users/2015-July/msg00022.html >>> >>>> >>>> Should there be a way for an admin to manage this, via the config >>>> module >>>> perhaps? >>>> >>>> IMHO this is a significant change and red flags need to be raised so >>>> users are aware of it. >>>> >>>> rob >>>> >>> >>> >> >> IIUC there is a purge delay of 7 days, so if the changelog max age is 7 or >> more days, it will not break replication. >> The issue is if somebody uses the changelog for a different purpose, right? > Well, the replication changelog cannot be used for anything else but > the multimaster replication plugin. If a customer increased the > replication purge delay you could potentially run into issues, but > again this only comes into play when a replica is down for a very long > time. I'm not sure if IPA even provides the option to adjust the > replication purge delay, but that doesn't mean a customer cannot > adjust these settings on their own. 
> > Mark > I'm attaching a new patch that modifies the behavior of the 'addifnew' keyword in update files. addifnew will not create a new entry if it doesn't exist. This is required for patch 292 to work properly. Rob, are you okay with these patches? As Mark wrote, the changelog is used only by the replication plugins, so it should not cause any issues to users. Martin^2 -- Martin Basti -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0291-Limit-max-age-of-replication-changelog.patch Type: text/x-patch Size: 1586 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0292-Server-Upgrade-addifnew-should-not-create-entry.patch Type: text/x-patch Size: 1375 bytes Desc: not available URL: From gparente at redhat.com Wed Jul 22 15:13:50 2015 
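The consistency condition Martin and Mark discuss above (changelog kept at least as long as the replica purge delay), as an added example that is not part of the patches: parse the 389-ds duration syntax of nsslapd-changelogmaxage, compare it with nsDS5ReplicaPurgeDelay, and report when a trimmed changelog could leave a long-offline replica unable to catch up. The attribute names and the 7-day default are the real 389-ds ones; the entries at the bottom are constructed sample values, not read from a server.

```python
import re

# Units accepted by nsslapd-changelogmaxage in 389-ds: s, m, h, d, w.
_UNITS = {'s': 1, 'm': 60, 'h': 3600, 'd': 86400, 'w': 7 * 86400}
_DURATION = re.compile(r'^\s*(\d+)\s*([smhdw]?)\s*$')

# nsDS5ReplicaPurgeDelay default: 7 days, expressed in seconds.
DEFAULT_PURGE_DELAY = 604800


def parse_duration(value):
    """Convert '7d', '24h' or a bare '604800' to seconds; reject anything else."""
    m = _DURATION.match(value)
    if not m:
        raise ValueError('bad duration: %r' % (value,))
    number, unit = m.groups()
    return int(number) * _UNITS[unit or 's']


def changelog_check(changelog_entry, replica_entry):
    """Return a list of findings; an empty list means the two settings agree.

    changelog_entry: attributes of cn=changelog5,cn=config
    replica_entry:   attributes of the cn=replica entry for the suffix
    """
    findings = []
    maxage_raw = changelog_entry.get('nsslapd-changelogmaxage')
    purge_raw = replica_entry.get('nsDS5ReplicaPurgeDelay')
    purge = int(purge_raw) if purge_raw is not None else DEFAULT_PURGE_DELAY

    if maxage_raw is None:
        # No trimming at all: the pre-patch state, where the changelog only grows.
        findings.append('changelog has no max age; it will grow without bound')
        return findings

    maxage = parse_duration(maxage_raw)
    if maxage < purge:
        findings.append(
            'nsslapd-changelogmaxage (%ds) is shorter than '
            'nsDS5ReplicaPurgeDelay (%ds): updates older than %ds are trimmed '
            'before the purge delay expires, so a replica offline that long '
            'will need re-initialisation' % (maxage, purge, maxage))
    return findings


# Constructed sample entries (not taken from any server).
CHANGELOG_OK = {'nsslapd-changelogmaxage': '7d'}
CHANGELOG_SHORT = {'nsslapd-changelogmaxage': '2d'}
REPLICA_DEFAULT = {}                                    # purge delay left at default
REPLICA_LONG = {'nsDS5ReplicaPurgeDelay': '2592000'}    # admin raised it to 30 days

if __name__ == '__main__':
    for changelog, replica in [(CHANGELOG_OK, REPLICA_DEFAULT),
                               (CHANGELOG_SHORT, REPLICA_DEFAULT),
                               (CHANGELOG_OK, REPLICA_LONG),
                               ({}, REPLICA_DEFAULT)]:
        print(changelog_check(changelog, replica) or ['ok'])
```

The third pairing is the case Mark raises: a 7-day max age is fine against the default, but an administrator who raised the purge delay on their own gets a finding, which is the situation an upgrade that silently adds the limit should warn about.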
From: gparente at redhat.com (German Parente) Date: Wed, 22 Jul 2015 11:13:50 -0400 (EDT) Subject: [Freeipa-devel] [PATCH 0293] Allow to set number of DB locks during install In-Reply-To: <55AFA115.2050404@redhat.com> References: <55AFA115.2050404@redhat.com> Message-ID: <1330409210.1837962.1437578030630.JavaMail.zimbra@redhat.com> Hi Martin, imho, nsslapd-db-locks is an "advanced" parameter and should be set by the customer at the RHDS level, not at replica creation. The problem we have had at a customer site is that the default was not enough to do the replication total update. So, replica creation was failing and we couldn't work around it except by changing the dse template. What I was thinking, since any node in IPA is rather identical and keeps the same database, is that some settings could be copied from the master replica. To explain my idea a little bit: if I configure a master node with, for instance, some "cache" settings or "maximum number of locks", it's clear that I would like all the other nodes to have similar settings, since the db they will contain is the same. So, if I configure the master to have some particular number of db-locks or a particular cache size, why not help the customer to have the same values on all their nodes? Ok, we could think that they could have different hardware/resources per node, but in general it would be reasonable to keep those settings across all the nodes. The problem of the initial value for db-locks is still not solved (Ludwig could probably give a hint here), but having this sort of "configuration copy", in a future situation we could ask the customer to change the db locks on the master node side, and this would be propagated to all nodes to make, in this case, the total update successful. Of course, I don't know the internals and scenarios well enough to see if this could be reasonable to implement or if there's any drawback. Thanks and regards, German. ----- Original Message ----- 
> From: "Martin Basti" > To: "freeipa-devel" , "German Parente" > Sent: Wednesday, July 22, 2015 3:56:37 PM > Subject: [PATCH 0293] Allow to set number of DB locks during install > > Hello all, > > I attached WIP patch to solve https://fedorahosted.org/freeipa/ticket/4949 > > I received several suggestions: > > 1) (implemented in patch) is to add the option --db-locks to installer > (maybe as hidden option) > > 2) Configure the nsslapd-db-locks to higher value as default (what is > the right value?) > > 3) Combination of 1and 2: set default higher value and also have hidden > option to allow configure higher number of locks during install > > Comments are more than welcome :-) > > -- > Martin Basti > > From mbasti at redhat.com Wed Jul 22 15:36:35 2015 
From: mbasti at redhat.com (Martin Basti) Date: Wed, 22 Jul 2015 17:36:35 +0200 Subject: [Freeipa-devel] [PATCH 0293] Allow to set number of DB locks during install In-Reply-To: <1330409210.1837962.1437578030630.JavaMail.zimbra@redhat.com> References: <55AFA115.2050404@redhat.com> <1330409210.1837962.1437578030630.JavaMail.zimbra@redhat.com> Message-ID: <55AFB883.4000405@redhat.com> On 22/07/15 17:13, German Parente wrote: > Hi Martin, > > imho, nsslapd-db-locks is an "advanced" parameter and should be set by customer at RHDS level, not at replica creation. > > The problem we have had at customer site is that the default was not enough to do the replication total update. So, replica creation was failing and we couldn't workaround it but by changing the dse template. > > What I was thinking, since any node in IPA is rather identical, and keeps the same database, is that some settings could be copied from master replica. > > To explain a little bit my idea, if I configure a master node with, for instance, some "cache" settings or "maximum number of locks", it's clear that I would like all the other nodes with similar settings since the db they will contain is the same. > > So, if I configure master to have some particular number of db-locks or particular cache size, why not helping the customer to have the same values in all their nodes ? Ok, we could think that he could have a different hardware/resources by node but in general, it would be reasonable to keep those settings through all the nodes. > > The problem of the initial value for db-locks is not still solved (Ludwig could probably give a hint here) but having this sort of "configuration copy", in a future situation, we could ask the customer to, eventually, change the db locks at master node side, and this will be propagated to all nodes to have, in this case, total update succeessful. We do not support this kind of central configuration (yet?). 
Changes in the cn=config tree are local only, and currently IPA has no way to change that on all replicas at once, so that value will not be in sync with other replicas. Also, DS must be shut down to be able to change the db locks value, which is yet another level above that. > Of course, I don't know the internals and scenarios well enough to see if this could be reasonable to implement or if there's any drawback. > > Thanks and regards, > > German. I would wait for Ludwig's investigation/recommendation on which solution to use. > > ----- Original Message ----- >> From: "Martin Basti" >> To: "freeipa-devel" , "German Parente" >> Sent: Wednesday, July 22, 2015 3:56:37 PM >> Subject: [PATCH 0293] Allow to set number of DB locks during install >> >> Hello all, >> >> I attached a WIP patch to solve https://fedorahosted.org/freeipa/ticket/4949 >> >> I received several suggestions: >> >> 1) (implemented in the patch) add the option --db-locks to the installer >> (maybe as a hidden option) >> >> 2) Configure nsslapd-db-locks to a higher value by default (what is >> the right value?) >> >> 3) Combination of 1 and 2: set a higher default value and also have a hidden >> option to allow configuring a higher number of locks during install >> >> Comments are more than welcome :-) >> >> -- >> Martin Basti >> >> -- Martin Basti From mbasti at redhat.com Wed Jul 22 15:48:37 2015 
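An added example for the failure Petr reports and the tuning Martin and German discuss (not the attached patch and not FreeIPA code): spot the lock-table exhaustion messages in a 389-ds errors log and produce the LDIF modify that raises nsslapd-db-locks, applying Jan's point that 0 is not a positive number of locks. The log lines are constructed for the example, with only the message texts taken from Petr's report; the DN is the real ldbm database configuration entry. As Martin notes, the value is only read at startup, so the modify must be followed by a restart of the instance.

```python
import re

# Constructed sample of a 389-ds errors log; the BDB2055 / err=12 texts are
# the ones quoted in the thread, the timestamps and the other lines are made up.
SAMPLE_ERRORS_LOG = """\
[22/Jul/2015:14:40:01 +0200] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
[22/Jul/2015:15:02:59 +0200] - libdb: BDB2055 Lock table is out of available lock entries
[22/Jul/2015:15:02:59 +0200] - idl_new.c BAD 2, err=12 Cannot allocate memory
[22/Jul/2015:15:02:59 +0200] - database index operation failed BAD 1050, err=12
[22/Jul/2015:15:03:00 +0200] - NSMMReplicationPlugin - Total update failed
"""

LOCK_EXHAUSTED = re.compile(r'BDB2055 Lock table is out of available lock entries')
# libdb surfaces a failed lock allocation as ENOMEM (err=12) in the index code.
DB_ENOMEM = re.compile(r'\berr=12\b')
TIMESTAMP = re.compile(r'^\[([^\]]+)\]')

# Where nsslapd-db-locks lives in 389-ds.
LDBM_CONFIG_DN = 'cn=config,cn=ldbm database,cn=plugins,cn=config'


def find_lock_exhaustion(log_text):
    """Return (timestamp, line) pairs for lines that show the lock table ran out."""
    hits = []
    for line in log_text.splitlines():
        if LOCK_EXHAUSTED.search(line) or DB_ENOMEM.search(line):
            m = TIMESTAMP.match(line)
            hits.append((m.group(1) if m else None, line))
    return hits


def is_valid_db_locks(value):
    """Jan's review point: the count must be strictly greater than zero."""
    try:
        return int(value) > 0
    except (TypeError, ValueError):
        return False


def db_locks_modify_ldif(new_value):
    """LDIF that raises nsslapd-db-locks; restart the instance afterwards."""
    if not is_valid_db_locks(new_value):
        raise ValueError('nsslapd-db-locks must be a positive integer')
    return ('dn: %s\n'
            'changetype: modify\n'
            'replace: nsslapd-db-locks\n'
            'nsslapd-db-locks: %d\n' % (LDBM_CONFIG_DN, int(new_value)))


if __name__ == '__main__':
    for when, line in find_lock_exhaustion(SAMPLE_ERRORS_LOG):
        print(when, line)
    print(db_locks_modify_ldif(100000))
```

Feed the LDIF to `ldapmodify -D "cn=Directory Manager" -W -f` against the affected instance and restart it; because cn=config is local to each server, the same change has to be repeated on every replica, which is exactly the gap German's "configuration copy" idea would close.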
From: mbasti at redhat.com (Martin Basti) Date: Wed, 22 Jul 2015 17:48:37 +0200 Subject: [Freeipa-devel] [PATCH 0001] Test Topology plugin is listed among DS plugins In-Reply-To: <55AF9866.3050002@redhat.com> References: <55ACC623.20601@redhat.com> <55ACD1A2.5030202@redhat.com> <55ACE483.5030504@redhat.com> <55AE6903.4040202@redhat.com> <55AF44E1.3030500@redhat.com> <55AF4594.10704@redhat.com> <55AF9866.3050002@redhat.com> Message-ID: <55AFBB55.8000002@redhat.com> On 22/07/15 15:19, Oleg Fayans wrote: > Hi Martin, > > Fixed. > > On 07/22/2015 09:26 AM, Martin Basti wrote: >> On 22/07/15 09:23, Oleg Fayans wrote: >>> Hi Martin, >>> >>> Patch updated. Thank you for the review! >>> >>> On 07/21/2015 05:45 PM, Martin Basti wrote: >>>> On 20/07/15 14:07, Oleg Fayans wrote: >>>>> Hi Martin, >>>>> >>>>> Updated. >>>>> >>>>> >>>>> On 07/20/2015 12:46 PM, Martin Basti wrote: >>>>>> On 20/07/15 11:57, Oleg Fayans wrote: >>>>>>> + pwfile = api.env.dot_ipa + os.sep + ".dmpw" >>>>>>> + if ipautil.file_exists(pwfile): >>>>>>> + fp = open(pwfile, "r") >>>>>>> + dm_password = fp.read().rstrip() >>>>>>> + fp.close() >>>>>>> + else: >>>>>> Hello, >>>>>> >>>>>> 1) Can you use os.path.join() instead of "+ os.sep +" please >>>>>> >>>>>> 2) Can you use with statement with file? 
>>>>>> >>>>>> with open(pwfile, "r") as f: >>>>>> dm_password = f.read().rstrip() >>>>>> >>>>>> 3) Please keep PEP8 in new code >>>>>> >>>>>> ./ipatests/test_ipaserver/test_topology_plugin.py:30:80: E501 >>>>>> line too long (102 > 79 characters) >>>>>> ./ipatests/test_ipaserver/test_topology_plugin.py:33:80: E501 >>>>>> line too long (92 > 79 characters) >>>>>> ./ipatests/test_ipaserver/test_topology_plugin.py:39:80: E501 >>>>>> line too long (124 > 79 characters) >>>>>> ./ipatests/test_ipaserver/test_topology_plugin.py:44:80: E501 >>>>>> line too long (92 > 79 characters) >>>>>> ./ipatests/test_ipaserver/test_topology_plugin.py:45:48: E128 >>>>>> continuation line under-indented for visual indent >>>>>> ./ipatests/test_ipaserver/test_topology_plugin.py:45:80: E501 >>>>>> line too long (89 > 79 characters) >>>>>> ./ipatests/test_ipaserver/test_topology_plugin.py:46:48: E128 >>>>>> continuation line under-indented for visual indent >>>>>> ./ipatests/test_ipaserver/test_topology_plugin.py:46:80: E501 >>>>>> line too long (89 > 79 characters) >>>>>> ./ipatests/test_ipaserver/test_topology_plugin.py:58:80: E501 >>>>>> line too long (87 > 79 characters) >>>>>> >>>>>> 4) Missing nose import >>>>>> raise nose.SkipTest("No directory manager password in >>>>>> %s" % pwfile) >>>>>> >>>>>> 5) Can you use sets here instead of sorted lists? >>>>>> assert(sorted(entry.keys()) == sorted(pluginattrs.keys())) >>>>>> >>>>>> >>>>>> Martin^2 >>>>>> >>>>> >>>> 1) >>>> Sorry, I didn't notice before, but there is a missing header in that >>>> file. >>>> >>>> 2) >>>> You don't need to specify ldap_uri, you just need to call >>>> ldap2(api); by default api.env.ldap_uri is used, which is the same >>>> as you specified. >>>> >>>> 3) >>>> Can you indent the values of the dict which are on a new line? It is more >>>> readable. 
>>>> u'nsslapd-topo-plugin-shared-config-base': >>>> [u'cn=ipa,cn=etc,dc=example,dc=com'], >>>> u'nsslapd-pluginDescription': [u'ipa-topology-plugin'], >>>> >>>> 4) >>>> Please use lowercase f as the variable; in Python we use capital letters >>>> for class definitions. >>>> with open(pwfile, "r") as F: >>>> dm_password = F.read().rstrip() >>>> >>>> Otherwise it works as expected. >>>> >>>> Martin^2 >>>> >>>> >>>> >>>> >>> >> Sorry. >> You added the old license format there; we now use the new format in new files: >> >> # >> # Copyright (C) 2015 FreeIPA Contributors see COPYING for license >> # >> > I cannot apply the last patch $ git am freeipa-ofayans-0001.3-test-topologyplugin-is-listed-among-DS-plugins.patch -3 Applying: Added test - topology plugin is listed among DS plugins fatal: corrupt patch at line 83 Repository lacks necessary blobs to fall back on 3-way merge. Cannot fall back to three-way merge. -- Martin Basti From npmccallum at redhat.com Wed Jul 22 18:23:23 2015 From: npmccallum at redhat.com (Nathaniel McCallum) Date: Wed, 22 Jul 2015 14:23:23 -0400 Subject: [Freeipa-devel] [PATCH 0085] Limit request sizes to /KdcProxy Message-ID: <1437589403.2927.1.camel@redhat.com> Related: CVE-2015-5159 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-npmccallum-0085-Limit-request-sizes-to-KdcProxy.patch Type: text/x-patch Size: 777 bytes Desc: not available URL: From cheimes at redhat.com Wed Jul 22 18:34:43 2015 
From: cheimes at redhat.com (Christian Heimes) Date: Wed, 22 Jul 2015 20:34:43 +0200 Subject: [Freeipa-devel] [PATCH 0085] Limit request sizes to /KdcProxy In-Reply-To: <1437589403.2927.1.camel@redhat.com> References: <1437589403.2927.1.camel@redhat.com> Message-ID: <55AFE243.8030801@redhat.com> On 2015-07-22 20:23, Nathaniel McCallum wrote: > Related: CVE-2015-5159 https://bugzilla.redhat.com/show_bug.cgi?id=1245200 The patch prevents a flood attack, but I consider it more a workaround than a solution. I'll update kdcproxy tomorrow. Christian -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 455 bytes Desc: not available URL: From npmccallum at redhat.com Wed Jul 22 18:38:29 2015 From: npmccallum at redhat.com (Nathaniel McCallum) Date: Wed, 22 Jul 2015 14:38:29 -0400 Subject: [Freeipa-devel] [PATCH 0085] Limit request sizes to /KdcProxy In-Reply-To: <55AFE243.8030801@redhat.com> References: <1437589403.2927.1.camel@redhat.com> <55AFE243.8030801@redhat.com> Message-ID: <1437590309.2927.9.camel@redhat.com> On Wed, 2015-07-22 at 20:34 +0200, Christian Heimes wrote: > On 2015-07-22 20:23, Nathaniel McCallum wrote: > > Related: CVE-2015-5159 > > https://bugzilla.redhat.com/show_bug.cgi?id=1245200 > > The patch prevents a flood attack, but I consider it more a workaround > than > a solution. I'll update kdcproxy tomorrow. The problem is that while we can provide a sane default, special applications might require different sizes (either smaller or larger). I think this fix is acceptable since it keeps the solution entirely within the configuration domain. Nathaniel From npmccallum at redhat.com Wed Jul 22 18:44:07 2015 
From: npmccallum at redhat.com (Nathaniel McCallum) Date: Wed, 22 Jul 2015 14:44:07 -0400 Subject: [Freeipa-devel] [PATCH 0085] Limit request sizes to /KdcProxy In-Reply-To: <1437590309.2927.9.camel@redhat.com> References: <1437589403.2927.1.camel@redhat.com> <55AFE243.8030801@redhat.com> <1437590309.2927.9.camel@redhat.com> Message-ID: <1437590647.2927.10.camel@redhat.com> On Wed, 2015-07-22 at 14:38 -0400, Nathaniel McCallum wrote: > On Wed, 2015-07-22 at 20:34 +0200, Christian Heimes wrote: > > On 2015-07-22 20:23, Nathaniel McCallum wrote: > > > Related: CVE-2015-5159 > > > > https://bugzilla.redhat.com/show_bug.cgi?id=1245200 > > > > The patch prevents a flood attack but I consider more a workaround > > than > > a solution. I'll update kdcproxy tomorrow. > > The problem is that while we can provide a sane default, special > applications might require different sizes (either smaller or > larger). > I think this fix is acceptable since it keeps the solution entirely > within the configuration domain. Also, this method comes with free documentation. :) Nathaniel From cheimes at redhat.com Wed Jul 22 18:47:17 2015 
From: cheimes at redhat.com (Christian Heimes) Date: Wed, 22 Jul 2015 20:47:17 +0200 Subject: [Freeipa-devel] [PATCH 0085] Limit request sizes to /KdcProxy In-Reply-To: <1437590309.2927.9.camel@redhat.com> References: <1437589403.2927.1.camel@redhat.com> <55AFE243.8030801@redhat.com> <1437590309.2927.9.camel@redhat.com> Message-ID: <55AFE535.9030502@redhat.com> On 2015-07-22 20:38, Nathaniel McCallum wrote: > On Wed, 2015-07-22 at 20:34 +0200, Christian Heimes wrote: >> On 2015-07-22 20:23, Nathaniel McCallum wrote: >>> Related: CVE-2015-5159 >> >> https://bugzilla.redhat.com/show_bug.cgi?id=1245200 >> >> The patch prevents a flood attack, but I consider it more a workaround >> than >> a solution. I'll update kdcproxy tomorrow. > > The problem is that while we can provide a sane default, special > applications might require different sizes (either smaller or larger). > I think this fix is acceptable since it keeps the solution entirely > within the configuration domain. The python-kdcproxy package may be used by other parties with different web servers. I would also like to see a countermeasure in kdcproxy. Other installations should not fall victim to the same issue. How about we set the default maximum size to a rather large value (like 5 or 10 MB) and make it configurable in kdcproxy.conf? 5 MB is very, very large for a Kerberos request but still prevents DoS and the OOM killer. Christian -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 455 bytes Desc: not available URL: From npmccallum at redhat.com Wed Jul 22 18:50:07 2015 
From: npmccallum at redhat.com (Nathaniel McCallum) Date: Wed, 22 Jul 2015 14:50:07 -0400 Subject: [Freeipa-devel] [PATCH 0085] Limit request sizes to /KdcProxy In-Reply-To: <55AFE535.9030502@redhat.com> References: <1437589403.2927.1.camel@redhat.com> <55AFE243.8030801@redhat.com> <1437590309.2927.9.camel@redhat.com> <55AFE535.9030502@redhat.com> Message-ID: <1437591007.2927.11.camel@redhat.com> On Wed, 2015-07-22 at 20:47 +0200, Christian Heimes wrote: > On 2015-07-22 20:38, Nathaniel McCallum wrote: > > On Wed, 2015-07-22 at 20:34 +0200, Christian Heimes wrote: > > > On 2015-07-22 20:23, Nathaniel McCallum wrote: > > > > Related: CVE-2015-5159 > > > > > > https://bugzilla.redhat.com/show_bug.cgi?id=1245200 > > > > > > The patch prevents a flood attack but I consider more a > > > workaround > > > than > > > a solution. I'll update kdcproxy tomorrow. > > > > The problem is that while we can provide a sane default, special > > applications might require different sizes (either smaller or > > larger). > > I think this fix is acceptable since it keeps the solution entirely > > within the configuration domain. > > The python-kdcproxy package may be used by other parties with > different > web servers. I also like to see a countermeasure in kdcproxy. Other > installations should not fall victim to the same issue. > > How about we set the default maximum size to a rather large value > (like > 5 or 10 MB) and make it configurable in kdcproxy.conf? 5 MB is very, > very large for a Kerberos request but still prevents DoS and OOM > killer Fine by me. Nathaniel From abokovoy at redhat.com Wed Jul 22 19:47:03 2015 
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Wed, 22 Jul 2015 22:47:03 +0300 Subject: [Freeipa-devel] [PATCH 0085] Limit request sizes to /KdcProxy In-Reply-To: <55AFE535.9030502@redhat.com> References: <1437589403.2927.1.camel@redhat.com> <55AFE243.8030801@redhat.com> <1437590309.2927.9.camel@redhat.com> <55AFE535.9030502@redhat.com> Message-ID: <20150722194703.GC21928@redhat.com> On Wed, 22 Jul 2015, Christian Heimes wrote: >On 2015-07-22 20:38, Nathaniel McCallum wrote: >> On Wed, 2015-07-22 at 20:34 +0200, Christian Heimes wrote: >>> On 2015-07-22 20:23, Nathaniel McCallum wrote: >>>> Related: CVE-2015-5159 >>> >>> https://bugzilla.redhat.com/show_bug.cgi?id=1245200 >>> >>> The patch prevents a flood attack, but I consider it more a workaround >>> than >>> a solution. I'll update kdcproxy tomorrow. >> >> The problem is that while we can provide a sane default, special >> applications might require different sizes (either smaller or larger). >> I think this fix is acceptable since it keeps the solution entirely >> within the configuration domain. > >The python-kdcproxy package may be used by other parties with different >web servers. I would also like to see a countermeasure in kdcproxy. Other >installations should not fall victim to the same issue. > >How about we set the default maximum size to a rather large value (like >5 or 10 MB) and make it configurable in kdcproxy.conf? 5 MB is very, >very large for a Kerberos request but still prevents DoS and the OOM killer. Even with Microsoft implementations, Max Token Size could be way less (it is set to 12000 bytes by default). There is a hard limit of 1015 groups a user can be a member of, thus even if all of those groups were specified as SIDs (coming from different domains), you'd get (8+15*4)*1015=69020 bytes plus the rest, which is lower than 30000 bytes for sure. Thus setting it to 100KiB would be enough. -- / Alexander Bokovoy From ofayans at redhat.com Thu Jul 23 08:32:47 2015 
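The bound the thread is sizing, as an added example that is neither kdcproxy's code nor the attached patch: a WSGI wrapper that rejects an over-sized request body before the proxy reads it into memory. It checks the declared Content-Length and also caps the actual read, because a client can omit or understate the header. The 100 KiB default follows Alexander's estimate above and is an assumption of this example, not a kdcproxy default; the echo application and the request driver are stand-ins constructed for the example. Under Apache the same bound can be set from configuration alone with LimitRequestBody on the /KdcProxy location, which is the kind of configuration-level fix Nathaniel describes.

```python
import io

# Upper bound on a proxied KDC request body; assumed for this example.
MAX_REQUEST_BYTES = 100 * 1024


def limit_request_body(app, max_bytes=MAX_REQUEST_BYTES):
    """Wrap a WSGI app so over-sized POST bodies are rejected with 413.

    The declared Content-Length is cheap and catches honest clients; the
    bounded read catches a client that lies about, or omits, the header.
    """
    def wrapped(environ, start_response):
        declared = environ.get('CONTENT_LENGTH') or ''
        try:
            declared_len = int(declared) if declared else None
        except ValueError:
            start_response('400 Bad Request', [('Content-Type', 'text/plain')])
            return [b'invalid Content-Length\n']
        if declared_len is not None and declared_len > max_bytes:
            start_response('413 Request Entity Too Large',
                           [('Content-Type', 'text/plain')])
            return [b'request too large\n']
        # Never read() without a bound: read at most max_bytes + 1 so a body
        # longer than the limit is detected without buffering all of it.
        body = environ['wsgi.input'].read(max_bytes + 1)
        if len(body) > max_bytes:
            start_response('413 Request Entity Too Large',
                           [('Content-Type', 'text/plain')])
            return [b'request too large\n']
        # Hand the inner application a fresh stream holding the checked bytes.
        environ['wsgi.input'] = io.BytesIO(body)
        environ['CONTENT_LENGTH'] = str(len(body))
        return app(environ, start_response)
    return wrapped


def echo_length_app(environ, start_response):
    """Stand-in for the proxy: reports how many bytes reached it."""
    data = environ['wsgi.input'].read()
    start_response('200 OK', [('Content-Type', 'text/plain')])
    return [str(len(data)).encode('ascii')]


def post(app, body, content_length=None):
    """Drive a WSGI app with a constructed POST; return (status, body)."""
    environ = {
        'REQUEST_METHOD': 'POST',
        'PATH_INFO': '/KdcProxy',
        'wsgi.input': io.BytesIO(body),
        'CONTENT_LENGTH': '' if content_length is None else str(content_length),
    }
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured['status'] = status

    out = b''.join(app(environ, start_response))
    return captured['status'], out


# A small limit so the behaviour is visible without multi-megabyte inputs.
guarded = limit_request_body(echo_length_app, max_bytes=4096)

if __name__ == '__main__':
    print(post(guarded, b'x' * 100, 100))       # accepted, 100 bytes reach the app
    print(post(guarded, b'x' * 5000, 5000))     # rejected on Content-Length
    print(post(guarded, b'x' * 5000, None))     # rejected by the bounded read
    print(post(guarded, b'x' * 5000, 100))      # understated header: still rejected
```

The last two cases are the reason the read is bounded as well: a web server that trusts Content-Length hands the application whatever the client sends, and the attack in the CVE is simply a body that the unbounded `read()` buffers in full.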
From: ofayans at redhat.com (Oleg Fayans) Date: Thu, 23 Jul 2015 10:32:47 +0200 Subject: [Freeipa-devel] [PATCH 0001] Test Topology plugin is listed among DS plugins In-Reply-To: <55AFBB55.8000002@redhat.com> References: <55ACC623.20601@redhat.com> <55ACD1A2.5030202@redhat.com> <55ACE483.5030504@redhat.com> <55AE6903.4040202@redhat.com> <55AF44E1.3030500@redhat.com> <55AF4594.10704@redhat.com> <55AF9866.3050002@redhat.com> <55AFBB55.8000002@redhat.com> Message-ID: <55B0A6AF.4090807@redhat.com> Hi Martin, On 07/22/2015 05:48 PM, Martin Basti wrote: > On 22/07/15 15:19, Oleg Fayans wrote: >> Hi Martin, >> >> Fixed. >> >> On 07/22/2015 09:26 AM, Martin Basti wrote: >>> On 22/07/15 09:23, Oleg Fayans wrote: >>>> Hi Martin, >>>> >>>> Patch updated. Thank you for the review! >>>> >>>> On 07/21/2015 05:45 PM, Martin Basti wrote: >>>>> On 20/07/15 14:07, Oleg Fayans wrote: >>>>>> Hi Martin, >>>>>> >>>>>> Updated. >>>>>> >>>>>> >>>>>> On 07/20/2015 12:46 PM, Martin Basti wrote: >>>>>>> On 20/07/15 11:57, Oleg Fayans wrote: >>>>>>>> + pwfile = api.env.dot_ipa + os.sep + ".dmpw" >>>>>>>> + if ipautil.file_exists(pwfile): >>>>>>>> + fp = open(pwfile, "r") >>>>>>>> + dm_password = fp.read().rstrip() >>>>>>>> + fp.close() >>>>>>>> + else: >>>>>>> Hello, >>>>>>> >>>>>>> 1) Can you use os.path.join() instead of "+ os.sep +" please >>>>>>> >>>>>>> 2) Can you use with statement with file? 
>>>>>>> >>>>>>> with open(pwfile, "r") as f: >>>>>>> dm_password = f.read().rstrip() >>>>>>> >>>>>>> 3) Please keep PEP8 in new code >>>>>>> >>>>>>> ./ipatests/test_ipaserver/test_topology_plugin.py:30:80: E501 >>>>>>> line too long (102 > 79 characters) >>>>>>> ./ipatests/test_ipaserver/test_topology_plugin.py:33:80: E501 >>>>>>> line too long (92 > 79 characters) >>>>>>> ./ipatests/test_ipaserver/test_topology_plugin.py:39:80: E501 >>>>>>> line too long (124 > 79 characters) >>>>>>> ./ipatests/test_ipaserver/test_topology_plugin.py:44:80: E501 >>>>>>> line too long (92 > 79 characters) >>>>>>> ./ipatests/test_ipaserver/test_topology_plugin.py:45:48: E128 >>>>>>> continuation line under-indented for visual indent >>>>>>> ./ipatests/test_ipaserver/test_topology_plugin.py:45:80: E501 >>>>>>> line too long (89 > 79 characters) >>>>>>> ./ipatests/test_ipaserver/test_topology_plugin.py:46:48: E128 >>>>>>> continuation line under-indented for visual indent >>>>>>> ./ipatests/test_ipaserver/test_topology_plugin.py:46:80: E501 >>>>>>> line too long (89 > 79 characters) >>>>>>> ./ipatests/test_ipaserver/test_topology_plugin.py:58:80: E501 >>>>>>> line too long (87 > 79 characters) >>>>>>> >>>>>>> 4) Missing nose import >>>>>>> raise nose.SkipTest("No directory manager password >>>>>>> in %s" % pwfile) >>>>>>> >>>>>>> 5) Can you use sets here instead of sorted lists? >>>>>>> assert(sorted(entry.keys()) == sorted(pluginattrs.keys())) >>>>>>> >>>>>>> >>>>>>> Martin^2 >>>>>>> >>>>>> >>>>> 1) >>>>> Sorry, I didn't notice before, but there is missing header in that >>>>> file. >>>>> >>>>> 2) >>>>> You don't need to specify ldap_uri, you just need to call >>>>> ldap2(api), by default api.env.ldap_uri is used, which is the same >>>>> as you specified >>>>> >>>>> 3) >>>>> Can you indent values of dict which are on newline? It is readable >>>>> better. 
>>>>> u'nsslapd-topo-plugin-shared-config-base': >>>>> [u'cn=ipa,cn=etc,dc=example,dc=com'], >>>>> u'nsslapd-pluginDescription': [u'ipa-topology-plugin'], >>>>> >>>>> 4) >>>>> Please use a lowercase f as the variable; in Python we use capital letters >>>>> for class definitions: >>>>> with open(pwfile, "r") as F: >>>>> dm_password = F.read().rstrip() >>>>> >>>>> Otherwise it works as expected. >>>>> >>>>> Martin^2 >>>>> >>>>> >>>>> >>>>> >>>> >>> Sorry, you added the old license format there; in new files we now use the new format: >>> >>> # >>> # Copyright (C) 2015 FreeIPA Contributors see COPYING for license >>> # >>> >> > I cannot apply the last patch: > > $ git am > freeipa-ofayans-0001.3-test-topologyplugin-is-listed-among-DS-plugins.patch > -3 > Applying: Added test - topology plugin is listed among DS plugins > fatal: corrupt patch at line 83 > Repository lacks necessary blobs to fall back on 3-way merge. > Cannot fall back to three-way merge. > Fixed. Tested it locally; it applies. -- Oleg Fayans Quality Engineer FreeIPA team RedHat. From cheimes at redhat.com Thu Jul 23 08:43:02 2015
From: cheimes at redhat.com (Christian Heimes) Date: Thu, 23 Jul 2015 10:43:02 +0200 Subject: [Freeipa-devel] [PATCH 0014] [py3] Replace M2Crypto RC4 with python-cryptography ARC4 Message-ID: <55B0A916.9000700@redhat.com> This patch removes the dependency on M2Crypto in favor of cryptography. Cryptography is more strict about the key size and doesn't support non-standard key sizes: >>> from M2Crypto import RC4 >>> from ipaserver.dcerpc import arcfour_encrypt >>> RC4.RC4(b'key').update(b'data') 'o\r@\x8c' >>> arcfour_encrypt(b'key', b'data') Traceback (most recent call last): ... ValueError: Invalid key size (24) for RC4. Standard key sizes 40, 56, 64, 80, 128, 192 and 256 are supported: >>> arcfour_encrypt(b'key12', b'data') '\xcd\xf80d' >>> RC4.RC4(b'key12').update(b'data') '\xcd\xf80d' http://cryptography.readthedocs.org/en/latest/hazmat/primitives/symmetric-encryption/#cryptography.hazmat.primitives.ciphers.algorithms.ARC4 https://fedorahosted.org/freeipa/ticket/5148 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-cheimes-0014-py3-Replace-M2Crypto-RC4-with-python-cryptography-AR.patch Type: text/x-patch Size: 3207 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 455 bytes Desc: OpenPGP digital signature URL: From lkrispen at redhat.com Thu Jul 23 08:46:40 2015
From: lkrispen at redhat.com (Ludwig Krispenz) Date: Thu, 23 Jul 2015 10:46:40 +0200 Subject: [Freeipa-devel] [PATCH 0019] handle cleanRUV in the topology plugin Message-ID: <55B0A9F0.4010602@redhat.com> The attached patch moves the cleaning of the RUV into the topology plugin. I encountered a problem when removing a replica, which disconnects the topology, but it was fixed with my WIP for #5072. I want to keep these issues separate, so please review and test the patch and let me know about any issues found. Ludwig -------------- next part -------------- A non-text attachment was scrubbed... Name: lkrispen-freeipa-0019-handle-cleaning-of-RUV-in-the-topology-plugin.patch Type: text/x-patch Size: 6706 bytes Desc: not available URL: From jcholast at redhat.com Thu Jul 23 08:54:52 2015
From: jcholast at redhat.com (Jan Cholasta) Date: Thu, 23 Jul 2015 10:54:52 +0200 Subject: [Freeipa-devel] [PATCH 0014] [py3] Replace M2Crypto RC4 with python-cryptography ARC4 In-Reply-To: <55B0A916.9000700@redhat.com> References: <55B0A916.9000700@redhat.com> Message-ID: <55B0ABDC.7050509@redhat.com> Hi, On 23.7.2015 at 10:43, Christian Heimes wrote: > This patch removes the dependency on M2Crypto in favor of cryptography. > Cryptography is more strict about the key size and doesn't support > non-standard key sizes: > >>>> from M2Crypto import RC4 >>>> from ipaserver.dcerpc import arcfour_encrypt >>>> RC4.RC4(b'key').update(b'data') > 'o\r@\x8c' >>>> arcfour_encrypt(b'key', b'data') > Traceback (most recent call last): > ... > ValueError: Invalid key size (24) for RC4. > > Standard key sizes 40, 56, 64, 80, 128, 192 and 256 are supported: > >>>> arcfour_encrypt(b'key12', b'data') > '\xcd\xf80d' >>>> RC4.RC4(b'key12').update(b'data') > '\xcd\xf80d' > > http://cryptography.readthedocs.org/en/latest/hazmat/primitives/symmetric-encryption/#cryptography.hazmat.primitives.ciphers.algorithms.ARC4 > https://fedorahosted.org/freeipa/ticket/5148 NACK on the spec file change. There are BuildRequires and Requires on m2crypto; replace them with BuildRequires and Requires on python-cryptography. Honza -- Jan Cholasta From abokovoy at redhat.com Thu Jul 23 08:54:46 2015
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Thu, 23 Jul 2015 11:54:46 +0300 Subject: [Freeipa-devel] [PATCH 0014] [py3] Replace M2Crypto RC4 with python-cryptography ARC4 In-Reply-To: <55B0A916.9000700@redhat.com> References: <55B0A916.9000700@redhat.com> Message-ID: <20150723085446.GF21928@redhat.com> On Thu, 23 Jul 2015, Christian Heimes wrote: >This patch removes the dependency on M2Crypto in favor of cryptography. >Cryptography is more strict about the key size and doesn't support >non-standard key sizes: > >>>> from M2Crypto import RC4 >>>> from ipaserver.dcerpc import arcfour_encrypt >>>> RC4.RC4(b'key').update(b'data') >'o\r@\x8c' >>>> arcfour_encrypt(b'key', b'data') >Traceback (most recent call last): >... >ValueError: Invalid key size (24) for RC4. > >Standard key sizes 40, 56, 64, 80, 128, 192 and 256 are supported: > >>>> arcfour_encrypt(b'key12', b'data') >'\xcd\xf80d' >>>> RC4.RC4(b'key12').update(b'data') >'\xcd\xf80d' > >http://cryptography.readthedocs.org/en/latest/hazmat/primitives/symmetric-encryption/#cryptography.hazmat.primitives.ciphers.algorithms.ARC4 >https://fedorahosted.org/freeipa/ticket/5148 >From da4aa9baa932e335ad0bd0f3cfe2551667c7ca76 Mon Sep 17 00:00:00 2001
>From: Christian Heimes >Date: Tue, 21 Jul 2015 15:18:40 +0200 >Subject: [PATCH] [py3] Replace M2Crypto RC4 with python-cryptography ARC4 > >This patch removes the dependency on M2Crypto in favor for cryptography. >Cryptography is more strict about the key size and doesn't support >non-standard key sizes: > >>>> from M2Crypto import RC4 >>>> from ipaserver.dcerpc import arcfour_encrypt >>>> RC4.RC4(b'key').update(b'data') >'o\r@\x8c' >>>> arcfour_encrypt(b'key', b'data') >Traceback (most recent call last): >... >ValueError: Invalid key size (24) for RC4. > >Standard key sizes 40, 56, 64, 80, 128, 192 and 256 are supported: > >>>> arcfour_encrypt(b'key12', b'data') >'\xcd\xf80d' >>>> RC4.RC4(b'key12').update(b'data') >'\xcd\xf80d' > >http://cryptography.readthedocs.org/en/latest/hazmat/primitives/symmetric-encryption/#cryptography.hazmat.primitives.ciphers.algorithms.ARC4 >https://fedorahosted.org/freeipa/ticket/5148 >--- > freeipa.spec.in | 1 + > ipaserver/dcerpc.py | 15 ++++++++++----- > 2 files changed, 11 insertions(+), 5 deletions(-) > >diff --git a/freeipa.spec.in b/freeipa.spec.in >index fef20e1f7e6fde9b90851a2686e515a6a779f954..afae22430515a9f15eced9e16e0a6e192400e6e2 100644 >--- a/freeipa.spec.in >+++ b/freeipa.spec.in >@@ -150,6 +150,7 @@ Requires(preun): python systemd-units > Requires(postun): python systemd-units > Requires: python-dns >= 1.11.1 > Requires: python-kdcproxy >= 0.3 >+Requires: python-cryptography > Requires: zip > Requires: policycoreutils >= 2.1.12-5 > Requires: tar >diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py >index 4de5afb540e880e8948749c2cfa9a019eb807c47..578b3ee209ee988bca4d75bd5b898f339625236c 100644 >--- a/ipaserver/dcerpc.py >+++ b/ipaserver/dcerpc.py 
>@@ -42,7 +42,8 @@ from samba.ndr import ndr_pack, ndr_print > from samba import net > import samba > import random >-from M2Crypto import RC4 >+from cryptography.hazmat.primitives.ciphers import Cipher, algorithms >+from cryptography.hazmat.backends import default_backend > try: > from ldap.controls import RequestControl as LDAPControl #pylint: disable=F0401 > except ImportError: >@@ -120,6 +121,14 @@ def assess_dcerpc_exception(num=None,message=None): > message "%(message)s" (both may be "None")''') % dict(num=num, message=message) > return errors.RemoteRetrieveError(reason=reason) > >+ >+def arcfour_encrypt(key, data): >+ algorithm = algorithms.ARC4(key) >+ cipher = Cipher(algorithm, mode=None, backend=default_backend()) >+ encryptor = cipher.encryptor() >+ return encryptor.update(data) >+ >+ > class ExtendedDNControl(LDAPControl): > # This class attempts to implement LDAP control that would work > # with both python-ldap 2.4.x and 2.3.x, thus there is mix of properties >@@ -910,10 +919,6 @@ class TrustDomainInstance(object): > self.info['is_pdc'] = (result.role == lsa.LSA_ROLE_PRIMARY) > > def generate_auth(self, trustdom_secret): >- def arcfour_encrypt(key, data): >- c = RC4.RC4(key) >- return c.update(data) >- > password_blob = string_to_array(trustdom_secret.encode('utf-16-le')) > > clear_value = drsblobs.AuthInfoClear() >-- >2.4.3 > ACK. Tested by re-establishing trust to AD. -- / Alexander Bokovoy From mbabinsk at redhat.com Thu Jul 23 08:55:49 2015 
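Review bot: In the freeipa.spec.in hunk, a `Requires: python-cryptography` line is added but nothing is removed (the diffstat lists `freeipa.spec.in | 1 +`), so the m2crypto BuildRequires/Requires this patch is meant to retire are still declared; drop those in the same change rather than only adding a parallel dependency, as Jan's NACK on the spec change also asks.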
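Review bot: The new module-level `arcfour_encrypt` in the ipaserver/dcerpc.py hunk has no docstring, yet it changes behaviour: the removed nested helper accepted any key length through M2Crypto, while `algorithms.ARC4(key)` raises `ValueError: Invalid key size (...)` for anything but the standard sizes, as the patch description shows. Document the accepted key sizes (and that `generate_auth` passes the 128-bit session keys Alexander mentions in the thread), and consider `return encryptor.update(data) + encryptor.finalize()` so the cipher context is closed the way the cryptography API expects.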
From: mbabinsk at redhat.com (Martin Babinsky) Date: Thu, 23 Jul 2015 10:55:49 +0200 Subject: [Freeipa-devel] [PATCH 0049] fix broken search for users by their manager Message-ID: <55B0AC15.5040505@redhat.com> Fixes https://fedorahosted.org/freeipa/ticket/5146 -- Martin^3 Babinsky -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0049-fix-broken-search-for-users-by-their-manager.patch Type: text/x-patch Size: 1992 bytes Desc: not available URL: From cheimes at redhat.com Thu Jul 23 09:06:00 2015 
From: cheimes at redhat.com (Christian Heimes) Date: Thu, 23 Jul 2015 11:06:00 +0200 Subject: [Freeipa-devel] [PATCH 0014] [py3] Replace M2Crypto RC4 with python-cryptography ARC4 In-Reply-To: <55B0ABDC.7050509@redhat.com> References: <55B0A916.9000700@redhat.com> <55B0ABDC.7050509@redhat.com> Message-ID: <55B0AE78.2060804@redhat.com> On 2015-07-23 10:54, Jan Cholasta wrote: > Hi, > > On 23.7.2015 at 10:43, Christian Heimes wrote: >> This patch removes the dependency on M2Crypto in favor of cryptography. >> Cryptography is more strict about the key size and doesn't support >> non-standard key sizes: >> >>>>> from M2Crypto import RC4 >>>>> from ipaserver.dcerpc import arcfour_encrypt >>>>> RC4.RC4(b'key').update(b'data') >> 'o\r@\x8c' >>>>> arcfour_encrypt(b'key', b'data') >> Traceback (most recent call last): >> ... >> ValueError: Invalid key size (24) for RC4. >> >> Standard key sizes 40, 56, 64, 80, 128, 192 and 256 are supported: >> >>>>> arcfour_encrypt(b'key12', b'data') >> '\xcd\xf80d' >>>>> RC4.RC4(b'key12').update(b'data') >> '\xcd\xf80d' >> >> http://cryptography.readthedocs.org/en/latest/hazmat/primitives/symmetric-encryption/#cryptography.hazmat.primitives.ciphers.algorithms.ARC4 >> >> https://fedorahosted.org/freeipa/ticket/5148 > > NACK on the spec file change. There are BuildRequires and Requires on > m2crypto; replace them with BuildRequires and Requires on > python-cryptography. Argh, m2crypto ... I was looking for M2Crypto (case sensitive). Here is an updated patch. An additional Requires: python-cryptography is not required. server-trust-ad depends on ipa-server, which depends on the ipa-python package. The ipa-python package already has Requires: python-cryptography. Christian -------------- next part -------------- A non-text attachment was scrubbed...
Name: freeipa-cheimes-0014-2-py3-Replace-M2Crypto-RC4-with-python-cryptography-AR.patch Type: text/x-patch Size: 3605 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 455 bytes Desc: OpenPGP digital signature URL: From abokovoy at redhat.com Thu Jul 23 09:06:18 2015 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Thu, 23 Jul 2015 12:06:18 +0300 Subject: [Freeipa-devel] [PATCH 0014] [py3] Replace M2Crypto RC4 with python-cryptography ARC4 In-Reply-To: <55B0A916.9000700@redhat.com> References: <55B0A916.9000700@redhat.com> Message-ID: <20150723090618.GG21928@redhat.com> On Thu, 23 Jul 2015, Christian Heimes wrote: >This patch removes the dependency on M2Crypto in favor of cryptography. >Cryptography is more strict about the key size and doesn't support >non-standard key sizes: > >>>> from M2Crypto import RC4 >>>> from ipaserver.dcerpc import arcfour_encrypt >>>> RC4.RC4(b'key').update(b'data') >'o\r@\x8c' >>>> arcfour_encrypt(b'key', b'data') >Traceback (most recent call last): >... >ValueError: Invalid key size (24) for RC4. > >Standard key sizes 40, 56, 64, 80, 128, 192 and 256 are supported: > >>>> arcfour_encrypt(b'key12', b'data') >'\xcd\xf80d' >>>> RC4.RC4(b'key12').update(b'data') >'\xcd\xf80d' Note that we are using NTLMv2 or Kerberos user session keys, which are 128 bits long in this context. And please rework the spec file change as Honza noted. -- / Alexander Bokovoy From cheimes at redhat.com Thu Jul 23 09:16:20 2015
From: cheimes at redhat.com (Christian Heimes) Date: Thu, 23 Jul 2015 11:16:20 +0200 Subject: [Freeipa-devel] [PATCH 0014] [py3] Replace M2Crypto RC4 with python-cryptography ARC4 In-Reply-To: <20150723090618.GG21928@redhat.com> References: <55B0A916.9000700@redhat.com> <20150723090618.GG21928@redhat.com> Message-ID: <55B0B0E4.4060309@redhat.com> On 2015-07-23 11:06, Alexander Bokovoy wrote: > On Thu, 23 Jul 2015, Christian Heimes wrote: >> This patch removes the dependency on M2Crypto in favor of cryptography. >> Cryptography is more strict about the key size and doesn't support >> non-standard key sizes: >> >>>>> from M2Crypto import RC4 >>>>> from ipaserver.dcerpc import arcfour_encrypt >>>>> RC4.RC4(b'key').update(b'data') >> 'o\r@\x8c' >>>>> arcfour_encrypt(b'key', b'data') >> Traceback (most recent call last): >> ... >> ValueError: Invalid key size (24) for RC4. >> >> Standard key sizes 40, 56, 64, 80, 128, 192 and 256 are supported: >> >>>>> arcfour_encrypt(b'key12', b'data') >> '\xcd\xf80d' >>>>> RC4.RC4(b'key12').update(b'data') >> '\xcd\xf80d' > Note that we are using NTLMv2 or Kerberos user session keys, which are > 128 bits long in this context. > > And please rework the spec file change as Honza noted. Thanks for the feedback regarding the key size; 128-bit works. Is RC4 really the only supported algorithm for session keys? RC4 is insecure; especially the first few bytes have a high bias. It may not be much of an issue for short-lived session keys, though. Christian -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 455 bytes Desc: OpenPGP digital signature URL: From tbabej at redhat.com Thu Jul 23 09:18:49 2015
From: tbabej at redhat.com (Tomas Babej) Date: Thu, 23 Jul 2015 11:18:49 +0200 Subject: [Freeipa-devel] [PATCH 0049] fix broken search for users by their manager In-Reply-To: <55B0AC15.5040505@redhat.com> References: <55B0AC15.5040505@redhat.com> Message-ID: <55B0B179.1060806@redhat.com> On 07/23/2015 10:55 AM, Martin Babinsky wrote: > Fixes https://fedorahosted.org/freeipa/ticket/5146 > > > The patch fixes the mentioned issue. However, there is some code made redundant in stageuser_find.execute, which does the same thing; can you please remove it? Tomas From mbabinsk at redhat.com Thu Jul 23 09:31:28 2015 From: mbabinsk at redhat.com (Martin Babinsky) Date: Thu, 23 Jul 2015 11:31:28 +0200 Subject: [Freeipa-devel] [PATCH 0049] fix broken search for users by their manager In-Reply-To: <55B0B179.1060806@redhat.com> References: <55B0AC15.5040505@redhat.com> <55B0B179.1060806@redhat.com> Message-ID: <55B0B470.8090904@redhat.com> On 07/23/2015 11:18 AM, Tomas Babej wrote: > > > On 07/23/2015 10:55 AM, Martin Babinsky wrote: >> Fixes https://fedorahosted.org/freeipa/ticket/5146 >> >> >> > > The patch fixes the mentioned issue. > > However, there is some code made redundant in stageuser_find.execute, > which does the same thing; can you please remove it? > > Tomas > Sorry, I didn't notice that. Actually, now the whole stageuser_find.execute is made obsolete, so I removed the whole method. Attaching updated patch. -- Martin^3 Babinsky -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0049.1-fix-broken-search-for-users-by-their-manager.patch Type: text/x-patch Size: 2826 bytes Desc: not available URL: From abokovoy at redhat.com Thu Jul 23 09:40:58 2015
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Thu, 23 Jul 2015 12:40:58 +0300 Subject: [Freeipa-devel] [PATCH 0014] [py3] Replace M2Crypto RC4 with python-cryptography ARC4 In-Reply-To: <55B0B0E4.4060309@redhat.com> References: <55B0A916.9000700@redhat.com> <20150723090618.GG21928@redhat.com> <55B0B0E4.4060309@redhat.com> Message-ID: <20150723094058.GH21928@redhat.com> On Thu, 23 Jul 2015, Christian Heimes wrote: >On 2015-07-23 11:06, Alexander Bokovoy wrote: >> On Thu, 23 Jul 2015, Christian Heimes wrote: >>> This patch removes the dependency on M2Crypto in favor of cryptography. >>> Cryptography is more strict about the key size and doesn't support >>> non-standard key sizes: >>> >>>>>> from M2Crypto import RC4 >>>>>> from ipaserver.dcerpc import arcfour_encrypt >>>>>> RC4.RC4(b'key').update(b'data') >>> 'o\r@\x8c' >>>>>> arcfour_encrypt(b'key', b'data') >>> Traceback (most recent call last): >>> ... >>> ValueError: Invalid key size (24) for RC4. >>> >>> Standard key sizes 40, 56, 64, 80, 128, 192 and 256 are supported: >>> >>>>>> arcfour_encrypt(b'key12', b'data') >>> '\xcd\xf80d' >>>>>> RC4.RC4(b'key12').update(b'data') >>> '\xcd\xf80d' >> Note that we are using NTLMv2 or Kerberos user session keys, which are >> 128 bits long in this context. >> >> And please rework the spec file change as Honza noted. > >Thanks for the feedback regarding the key size; 128-bit works. > >Is RC4 really the only supported algorithm for session keys? RC4 is >insecure; especially the first few bytes have a high bias. It may not be >much of an issue for short-lived session keys, though. It is not a session key algorithm. It is an algorithm used to encrypt trust authentication information when passing it over. We pass trust authentication information in the clear, then encrypt it with a session key for the transfer, and on the receiving side the DC does the unwrapping and uses the clear-text version of the trust secret to derive all needed cross-realm keys.
MS-LSAD puts it this way (5.1.1): ------------------------- Implementations of this protocol protect the LSAPR_TRUSTED_DOMAIN_AUTH_BLOB structure by encrypting the data referenced by that structure's AuthBlob field. The RC4 algorithm is used to encrypt the data on request (and reply) and decrypt the data on receipt. The key, required during runtime by the RC4 algorithm, is the 16-byte key specified by the method that uses this structure (for example, see section 3.1.4.7.10). The size of data (the AuthSize field of LSAPR_TRUSTED_DOMAIN_AUTH_BLOB) must remain unencrypted. ------------------------ -- / Alexander Bokovoy From ofayans at redhat.com Thu Jul 23 09:42:59 2015 
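To make the key-size behaviour discussed in this thread and the MS-LSAD usage quoted above concrete, here is an added example; it is not FreeIPA code and not the dcerpc.py arcfour_encrypt from the patch. It is a pure-Python RC4 with the same standard-size policy as python-cryptography's ARC4 (so it runs without M2Crypto or cryptography installed), plus a simplified sender/receiver pair for the AuthBlob protection described in MS-LSAD 5.1.1; the names rc4, arcfour_encrypt, protect_auth_blob and unprotect_auth_blob, and the blob-as-tuple layout, are assumptions made for the example.

```python
# Added example (not FreeIPA code): pure-Python RC4 with python-cryptography's
# key-size policy, and the MS-LSAD 5.1.1 AuthBlob protection it is used for.

# Key sizes in bits that python-cryptography's ARC4 accepts, as listed in the
# thread. M2Crypto's RC4 accepted any key length.
STANDARD_KEY_SIZES = (40, 56, 64, 80, 128, 192, 256)


def rc4(key, data):
    """Raw RC4: key scheduling (KSA) followed by keystream XOR (PRGA).

    No key-size policy at all, i.e. the permissive M2Crypto behaviour.
    """
    if not key:
        raise ValueError("RC4 key must not be empty")
    # KSA: permute the 256-byte state array S using the key bytes
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # PRGA: one keystream byte per input byte, XORed into the output
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def arcfour_encrypt(key, data):
    """RC4 with the strict key-size check of python-cryptography's ARC4.

    Mirrors the contract the patch gives ipaserver.dcerpc.arcfour_encrypt:
    a non-standard key length raises ValueError with the same message.
    (Assumed re-implementation; the real function wraps cryptography.)
    """
    key_bits = len(key) * 8
    if key_bits not in STANDARD_KEY_SIZES:
        raise ValueError("Invalid key size (%d) for RC4." % key_bits)
    return rc4(key, data)


# RC4 is symmetric: decrypting is the same keystream XOR.
arcfour_decrypt = arcfour_encrypt


def protect_auth_blob(session_key, auth_blob):
    """Sender side of MS-LSAD 5.1.1 (simplified, hypothetical helper).

    The AuthBlob bytes are RC4-encrypted under the 16-byte session key,
    while AuthSize travels unencrypted. Returns (auth_size, encrypted_blob).
    """
    if len(session_key) != 16:
        raise ValueError("MS-LSAD needs a 16-byte RC4 key, got %d bytes"
                         % len(session_key))
    return len(auth_blob), arcfour_encrypt(session_key, auth_blob)


def unprotect_auth_blob(session_key, auth_size, encrypted_blob):
    """Receiver side: check the clear AuthSize, then decrypt the AuthBlob."""
    if len(session_key) != 16:
        raise ValueError("MS-LSAD needs a 16-byte RC4 key, got %d bytes"
                         % len(session_key))
    if auth_size != len(encrypted_blob):
        raise ValueError("AuthSize %d does not match %d received bytes"
                         % (auth_size, len(encrypted_blob)))
    return arcfour_decrypt(session_key, encrypted_blob)


if __name__ == "__main__":
    # Constructed sample values; not real keys or trust secrets.
    session_key = bytes(range(16))          # a 128-bit session key
    secret = b"trust-secret-in-clear"
    size, enc = protect_auth_blob(session_key, secret)
    print(size, enc.hex())
    print(unprotect_auth_blob(session_key, size, enc))
    try:
        arcfour_encrypt(b"key", b"data")    # 24-bit key, as in the thread
    except ValueError as exc:
        print(exc)
```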
From: ofayans at redhat.com (Oleg Fayans) Date: Thu, 23 Jul 2015 11:42:59 +0200 Subject: [Freeipa-devel] [PATCH 0001] Test Topology plugin is listed among DS plugins In-Reply-To: <55B0A6AF.4090807@redhat.com> References: <55ACC623.20601@redhat.com> <55ACD1A2.5030202@redhat.com> <55ACE483.5030504@redhat.com> <55AE6903.4040202@redhat.com> <55AF44E1.3030500@redhat.com> <55AF4594.10704@redhat.com> <55AF9866.3050002@redhat.com> <55AFBB55.8000002@redhat.com> <55B0A6AF.4090807@redhat.com> Message-ID: <55B0B723.7070801@redhat.com> Forgot to attach the new version, sorry! On 07/23/2015 10:32 AM, Oleg Fayans wrote: > Hi Martin, > > On 07/22/2015 05:48 PM, Martin Basti wrote: >> On 22/07/15 15:19, Oleg Fayans wrote: >>> Hi Martin, >>> >>> Fixed. >>> >>> On 07/22/2015 09:26 AM, Martin Basti wrote: >>>> On 22/07/15 09:23, Oleg Fayans wrote: >>>>> Hi Martin, >>>>> >>>>> Patch updated. Thank you for the review! >>>>> >>>>> On 07/21/2015 05:45 PM, Martin Basti wrote: >>>>>> On 20/07/15 14:07, Oleg Fayans wrote: >>>>>>> Hi Martin, >>>>>>> >>>>>>> Updated. >>>>>>> >>>>>>> >>>>>>> On 07/20/2015 12:46 PM, Martin Basti wrote: >>>>>>>> On 20/07/15 11:57, Oleg Fayans wrote: >>>>>>>>> + pwfile = api.env.dot_ipa + os.sep + ".dmpw" >>>>>>>>> + if ipautil.file_exists(pwfile): >>>>>>>>> + fp = open(pwfile, "r") >>>>>>>>> + dm_password = fp.read().rstrip() >>>>>>>>> + fp.close() >>>>>>>>> + else: >>>>>>>> Hello, >>>>>>>> >>>>>>>> 1) Can you use os.path.join() instead of "+ os.sep +", please? >>>>>>>> >>>>>>>> 2) Can you use a with statement for the file?
>>>>>>>> >>>>>>>> with open(pwfile, "r") as f: >>>>>>>> dm_password = f.read().rstrip() >>>>>>>> >>>>>>>> 3) Please keep to PEP8 in new code >>>>>>>> >>>>>>>> ./ipatests/test_ipaserver/test_topology_plugin.py:30:80: E501 >>>>>>>> line too long (102 > 79 characters) >>>>>>>> ./ipatests/test_ipaserver/test_topology_plugin.py:33:80: E501 >>>>>>>> line too long (92 > 79 characters) >>>>>>>> ./ipatests/test_ipaserver/test_topology_plugin.py:39:80: E501 >>>>>>>> line too long (124 > 79 characters) >>>>>>>> ./ipatests/test_ipaserver/test_topology_plugin.py:44:80: E501 >>>>>>>> line too long (92 > 79 characters) >>>>>>>> ./ipatests/test_ipaserver/test_topology_plugin.py:45:48: E128 >>>>>>>> continuation line under-indented for visual indent >>>>>>>> ./ipatests/test_ipaserver/test_topology_plugin.py:45:80: E501 >>>>>>>> line too long (89 > 79 characters) >>>>>>>> ./ipatests/test_ipaserver/test_topology_plugin.py:46:48: E128 >>>>>>>> continuation line under-indented for visual indent >>>>>>>> ./ipatests/test_ipaserver/test_topology_plugin.py:46:80: E501 >>>>>>>> line too long (89 > 79 characters) >>>>>>>> ./ipatests/test_ipaserver/test_topology_plugin.py:58:80: E501 >>>>>>>> line too long (87 > 79 characters) >>>>>>>> >>>>>>>> 4) Missing nose import >>>>>>>> raise nose.SkipTest("No directory manager password >>>>>>>> in %s" % pwfile) >>>>>>>> >>>>>>>> 5) Can you use sets here instead of sorted lists? >>>>>>>> assert(sorted(entry.keys()) == sorted(pluginattrs.keys())) >>>>>>>> >>>>>>>> >>>>>>>> Martin^2 >>>>>>>> >>>>>>> >>>>>> 1) >>>>>> Sorry, I didn't notice before, but there is a missing header in >>>>>> that file. >>>>>> >>>>>> 2) >>>>>> You don't need to specify ldap_uri; you just need to call >>>>>> ldap2(api). By default api.env.ldap_uri is used, which is the >>>>>> same as what you specified. >>>>>> >>>>>> 3) >>>>>> Can you indent the values of the dict which are on a new line? It is >>>>>> more readable.
>>>>>> u'nsslapd-topo-plugin-shared-config-base': >>>>>> [u'cn=ipa,cn=etc,dc=example,dc=com'], >>>>>> u'nsslapd-pluginDescription': [u'ipa-topology-plugin'], >>>>>> >>>>>> 4) >>>>>> Please use a lowercase f as the variable; in Python we use capital letters >>>>>> for class definitions: >>>>>> with open(pwfile, "r") as F: >>>>>> dm_password = F.read().rstrip() >>>>>> >>>>>> Otherwise it works as expected. >>>>>> >>>>>> Martin^2 >>>>>> >>>>>> >>>>>> >>>>>> >>>>> >>>> Sorry, you added the old license format there; in new files we now use the new format: >>>> >>>> # >>>> # Copyright (C) 2015 FreeIPA Contributors see COPYING for license >>>> # >>>> >>> >> I cannot apply the last patch: >> >> $ git am >> freeipa-ofayans-0001.3-test-topologyplugin-is-listed-among-DS-plugins.patch >> -3 >> Applying: Added test - topology plugin is listed among DS plugins >> fatal: corrupt patch at line 83 >> Repository lacks necessary blobs to fall back on 3-way merge. >> Cannot fall back to three-way merge. >> > Fixed. Tested it locally; it applies. > -- Oleg Fayans Quality Engineer FreeIPA team RedHat. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-ofayans-0001.4-test-topologyplugin-is-listed-among-DS-plugins.patch Type: text/x-patch Size: 3560 bytes Desc: not available URL: From tbabej at redhat.com Thu Jul 23 09:48:01 2015
From: tbabej at redhat.com (Tomas Babej) Date: Thu, 23 Jul 2015 11:48:01 +0200 Subject: [Freeipa-devel] [PATCH 0049] fix broken search for users by their manager In-Reply-To: <55B0B470.8090904@redhat.com> References: <55B0AC15.5040505@redhat.com> <55B0B179.1060806@redhat.com> <55B0B470.8090904@redhat.com> Message-ID: <55B0B851.70507@redhat.com> On 07/23/2015 11:31 AM, Martin Babinsky wrote: > On 07/23/2015 11:18 AM, Tomas Babej wrote: >> >> >> On 07/23/2015 10:55 AM, Martin Babinsky wrote: >>> Fixes https://fedorahosted.org/freeipa/ticket/5146 >>> >>> >>> >> >> The patch fixes the mentioned issue. >> >> However, there is some code made redundant in stageuser_find.execute, >> which does the same thing; can you please remove it? >> >> Tomas >> > > Sorry, I didn't notice that. Actually, now the whole > stageuser_find.execute is made obsolete, so I removed the whole method. > > Attaching updated patch. > ACK. Pushed to master: 7ceaa8e26c3073f3ff3f253025177d49259072f0 Pushed to ipa-4-2: dae3d0ecab7c1b9f4e8cde618d1593edff579a9f From msimacek at redhat.com Thu Jul 23 10:07:27 2015 From: msimacek at redhat.com (Michael Šimáček) Date: Thu, 23 Jul 2015 12:07:27 +0200 Subject: [Freeipa-devel] [PATCH] Port from python-kerberos library to python-gssapi In-Reply-To: <1747692317.2396484.1437572854418.JavaMail.zimbra@redhat.com> References: <2026883365.1326941.1437480146008.JavaMail.zimbra@redhat.com> <1747692317.2396484.1437572854418.JavaMail.zimbra@redhat.com> Message-ID: <55B0BCDF.4070006@redhat.com> On 2015-07-22 15:47, Simo Sorce wrote: > Comments inline. > > ----- Original Message -----
>> From: "Michael Simacek" >> To: freeipa-devel at redhat.com >> Sent: Tuesday, July 21, 2015 8:02:26 AM >> Subject: [Freeipa-devel] [PATCH] Port from python-kerberos library to python-gssapi >> >> Hi, >> >> This is a first part of my effort to port FreeIPA from Python3-incompatible >> Kerberos libraries to python-gssapi. This patch should replace >> python-kerberos >> with python-gssapi (both use C GSSAPI behind the scenes). >> >> -- >> Michael Simacek >> >> >> >From bca55a6bd9cdb9cdea9d81b55cfdbc2c1279f031 Mon Sep 17 00:00:00 2001 >> From: Michael Simacek >> Date: Thu, 16 Jul 2015 18:22:00 +0200 >> Subject: [PATCH] Port from python-kerberos library to python-gssapi >> >> kerberos library doesn't support Python 3 and probably never will. >> python-gssapi library is Python 3 compatible. >> --- >> BUILD.txt | 2 +- >> freeipa.spec.in | 2 +- >> ipalib/rpc.py | 42 +++++++++++++++++++++--------------------- >> ipalib/util.py | 14 +++++++------- >> ipapython/ipautil.py | 17 ----------------- >> 5 files changed, 30 insertions(+), 47 deletions(-) >> >> diff --git a/BUILD.txt b/BUILD.txt >> index 6a28beb..53012b1 100644 >> --- a/BUILD.txt >> +++ b/BUILD.txt >> @@ -20,7 +20,7 @@ systemd-units samba-devel samba-python libwbclient-devel >> libtalloc-devel \ >> libtevent-devel nspr-devel nss-devel openssl-devel openldap-devel krb5-devel >> \ >> krb5-workstation libuuid-devel libcurl-devel xmlrpc-c-devel popt-devel \ >> autoconf automake m4 libtool gettext python-devel python-ldap \ >> -python-setuptools python-krbV python-nss python-netaddr python-kerberos \ >> +python-setuptools python-krbV python-nss python-netaddr python-gssapi \ >> python-rhsm pyOpenSSL pylint python-polib libipa_hbac-python >> python-memcached \ >> sssd python-lxml python-pyasn1 python-qrcode-core python-dns m2crypto \ >> check libsss_idmap-devel libsss_nss_idmap-devel java-headless rhino \ >> diff --git a/freeipa.spec.in b/freeipa.spec.in >> index fef20e1..5e10022 100644 >> --- a/freeipa.spec.in 
>> +++ b/freeipa.spec.in >> @@ -72,7 +72,7 @@ BuildRequires: python-krbV >> BuildRequires: python-nss >> BuildRequires: python-cryptography >> BuildRequires: python-netaddr >> -BuildRequires: python-kerberos >= 1.1-14 >> +BuildRequires: python-gssapi >= 1.1.1 >> BuildRequires: python-rhsm >> BuildRequires: pyOpenSSL >> BuildRequires: pylint >= 1.0 >> diff --git a/ipalib/rpc.py b/ipalib/rpc.py >> index 466b49a..bbedcc9 100644 >> --- a/ipalib/rpc.py >> +++ b/ipalib/rpc.py >> @@ -44,7 +44,7 @@ from urllib2 import urlparse >> >> from xmlrpclib import (Binary, Fault, DateTime, dumps, loads, ServerProxy, >> Transport, ProtocolError, MININT, MAXINT) >> -import kerberos >> +import gssapi >> from dns import resolver, rdatatype >> from dns.exception import DNSException >> from nss.error import NSPRError 
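Review bot: In the freeipa.spec.in hunk above, only the BuildRequires line changes (python-kerberos to python-gssapi >= 1.1.1), and the diffstat shows `freeipa.spec.in | 2 +-`, i.e. one line replaced. Since ipalib/rpc.py now does `import gssapi` at runtime, check that the package's runtime Requires also moves from python-kerberos to python-gssapi; otherwise an installed client without python-gssapi would fail at import time.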
>> @@ -510,24 +510,27 @@ class KerbTransport(SSLTransport): >> """ >> Handles Kerberos Negotiation authentication to an XML-RPC server. >> """ >> - flags = kerberos.GSS_C_MUTUAL_FLAG | kerberos.GSS_C_SEQUENCE_FLAG >> + flags = gssapi.IntEnumFlagSet(gssapi.RequirementFlag, >> + >> [gssapi.RequirementFlag.mutual_authentication, >> + >> gssapi.RequirementFlag.out_of_sequence_detection]) >> >> def _handle_exception(self, e, service=None): >> - (major, minor) = ipautil.get_gsserror(e) >> - if minor[1] == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN: >> + # kerberos library coerced error codes to signed, gssapi uses >> unsigned >> + minor = e.min_code - (1 << 32) >> + if minor == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN: >> raise errors.ServiceError(service=service) >> - elif minor[1] == KRB5_FCC_NOFILE: >> + elif minor == KRB5_FCC_NOFILE: >> raise errors.NoCCacheError() >> - elif minor[1] == KRB5KRB_AP_ERR_TKT_EXPIRED: >> + elif minor == KRB5KRB_AP_ERR_TKT_EXPIRED: >> raise errors.TicketExpired() >> - elif minor[1] == KRB5_FCC_PERM: >> + elif minor == KRB5_FCC_PERM: >> raise errors.BadCCachePerms() >> - elif minor[1] == KRB5_CC_FORMAT: >> + elif minor == KRB5_CC_FORMAT: >> raise errors.BadCCacheFormat() >> - elif minor[1] == KRB5_REALM_CANT_RESOLVE: >> + elif minor == KRB5_REALM_CANT_RESOLVE: >> raise errors.CannotResolveKDC() >> else: >> - raise errors.KerberosError(major=major, minor=minor) >> + raise errors.KerberosError(major=e.maj_code, minor=minor) >> >> def get_host_info(self, host): >> """ 
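Review bot: In `_handle_exception`, `minor = e.min_code - (1 << 32)` is applied unconditionally, so any minor code that already fits a signed 32-bit value (below 2**31) would be turned into a wrong large negative number and never match the KRB5_* constants; guard the coercion, e.g. `minor = e.min_code` followed by `if minor >= 1 << 31: minor -= 1 << 32`. Also, the fallback `errors.KerberosError(major=e.maj_code, minor=minor)` now receives plain integers where the removed code passed the tuples from `get_gsserror` (the old branches compared `minor[1]`), so check that KerberosError's message formatting does not index into them.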
>> @@ -548,14 +551,9 @@ class KerbTransport(SSLTransport): >> service = "HTTP@" + host.split(':')[0] >> >> try: >> - (rc, vc) = kerberos.authGSSClientInit(service=service, >> - gssflags=self.flags) >> - except kerberos.GSSError, e: >> - self._handle_exception(e) >> - >> - try: >> - kerberos.authGSSClientStep(vc, "") >> - except kerberos.GSSError, e: >> + name = gssapi.Name(service, gssapi.NameType.hostbased_service) >> + response = gssapi.raw.init_sec_context(name, >> flags=self.flags).token > > Please do not use the raw api unless you have no other option. > Use the high level api; also do not reference a member while instantiating a class. > Instantiate, then reference, please; we want readable code. Done, but the code now needs to deal with __DEFER_STEP_ERRORS__. > >> + except gssapi.exceptions.GSSError as e: >> self._handle_exception(e, service=service) >> >> for (h, v) in extra_headers: >> @@ -564,7 +562,7 @@ class KerbTransport(SSLTransport): >> break >> >> extra_headers.append( >> - ('Authorization', 'negotiate %s' % >> kerberos.authGSSClientResponse(vc)) >> + ('Authorization', 'negotiate %s' % base64.b64encode(response)) >> ) >> >> return (host, extra_headers, x509) >> @@ -632,8 +630,10 @@ class DelegatedKerbTransport(KerbTransport): >> Handles Kerberos Negotiation authentication and TGT delegation to an >> XML-RPC server. >> """ >> - flags = kerberos.GSS_C_DELEG_FLAG | kerberos.GSS_C_MUTUAL_FLAG | \ >> - kerberos.GSS_C_SEQUENCE_FLAG >> + flags = gssapi.IntEnumFlagSet(gssapi.RequirementFlag, >> + [gssapi.RequirementFlag.delegate_to_peer, >> + >> gssapi.RequirementFlag.mutual_authentication, >> + >> gssapi.RequirementFlag.out_of_sequence_detection]) >> >> >> class RPCClient(Connectible): >> diff --git a/ipalib/util.py b/ipalib/util.py >> index 649a487..aea3ba9 100644 >> --- a/ipalib/util.py >> +++ b/ipalib/util.py
>> @@ -63,15 +63,15 @@ def json_serialize(obj): >> >> def get_current_principal(): >> try: >> - import kerberos >> - rc, vc = kerberos.authGSSClientInit("notempty") >> - rc = kerberos.authGSSClientInquireCred(vc) >> - username = kerberos.authGSSClientUserName(vc) >> - kerberos.authGSSClientClean(vc) >> + import gssapi >> + cred = gssapi.raw.acquire_cred(usage='initiate').creds >> + name = gssapi.raw.inquire_cred(cred, lifetime=False, usage=False, >> + mechs=False).name >> + username = gssapi.raw.display_name(name, name_type=False).name > > Same as above. > Create a credential and inquire it with the high level api Done, but I still use raw.display_name as I don't see how to get it from high-level API (besides parsing repr). > >> return unicode(username) >> except ImportError: >> - raise RuntimeError('python-kerberos is not available.') >> - except kerberos.GSSError, e: >> + raise RuntimeError('python-gssapi is not available.') >> + except gssapi.exceptions.GSSError: >> #TODO: do a kinit? >> raise errors.CCacheError() >> >> diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py >> index 88e8970..05a7eeb 100644 >> --- a/ipapython/ipautil.py >> +++ b/ipapython/ipautil.py 
>> @@ -783,23 +783,6 @@ def user_input(prompt, default = None, allow_empty = >> True): >> return ret >> >> >> -def get_gsserror(e): >> - """ >> - A GSSError exception looks differently in python 2.4 than it does >> - in python 2.5. Deal with it. >> - """ >> - >> - try: >> - major = e[0] >> - minor = e[1] >> - except: >> - major = e[0][0] >> - minor = e[0][1] >> - >> - return (major, minor) >> - >> - >> - >> def host_port_open(host, port, socket_type=socket.SOCK_STREAM, >> socket_timeout=None): >> for res in socket.getaddrinfo(host, port, socket.AF_UNSPEC, >> socket_type): >> af, socktype, proto, canonname, sa = res >> -- >> 2.1.0 >> >> -- >> Manage your subscription for the Freeipa-devel mailing list: >> https://www.redhat.com/mailman/listinfo/freeipa-devel >> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code >> > -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-msimacek-0001-3-Port-from-python-kerberos-to-python-gssapi.patch Type: text/x-patch Size: 7717 bytes Desc: not available URL: From cheimes at redhat.com Thu Jul 23 10:26:28 2015 From: cheimes at redhat.com (Christian Heimes) Date: Thu, 23 Jul 2015 12:26:28 +0200 Subject: [Freeipa-devel] [PATCH 016] Require Dogtag PKI >= 10.2.6 Message-ID: <55B0C154.7010904@redhat.com> Dogtag 10.2.6 comes with two fixes for cloning from 9.x to 10.x instances: https://fedorahosted.org/pki/ticket/1495 https://fedorahosted.org/pki/ticket/1488 https://fedorahosted.org/freeipa/ticket/5140 https://fedorahosted.org/freeipa/ticket/5129 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-cheimes-0016-Require-Dogtag-PKI-10.2.6.patch Type: text/x-patch Size: 1513 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 455 bytes Desc: OpenPGP digital signature URL: From mbasti at redhat.com Thu Jul 23 11:46:56 2015 
From: mbasti at redhat.com (Martin Basti) Date: Thu, 23 Jul 2015 13:46:56 +0200 Subject: [Freeipa-devel] [PATCH 0294] ULC: fix stageuser-add --from-delete command Message-ID: <55B0D430.6090405@redhat.com> https://fedorahosted.org/freeipa/ticket/5145 Patch attached. This patch fixes only the first part of the problem -- the traceback. Removing the prompt for name and surname requires too big hacks in the internal API, and I'm not sure if we will be able to do that. IMO this should be a separate command, I will open a discussion. -- Martin Basti -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0294-ULC-Fix-stageused-add-from-delete-command.patch Type: text/x-patch Size: 1823 bytes Desc: not available URL: From mbasti at redhat.com Thu Jul 23 12:43:00 2015 From: mbasti at redhat.com (Martin Basti) Date: Thu, 23 Jul 2015 14:43:00 +0200 Subject: [Freeipa-devel] stageuser-add --from-delete issue #5145 Message-ID: <55B0E154.7000907@redhat.com> Hello, I tried to fix #5145 and I partially succeeded. However, I cannot fix this part of the ticket, where the user is prompted to write name and surname. $ ipa stageuser-add tuser --from-delete First name: this will be ignored Last name: this will be also ignored ------------------------ Added stage user "tuser" ------------------------ The first name and last name are mandatory attributes of the stageuser-add command, but they are not needed when the --from-delete option is used. I would like to ask how to fix this issue, IMO this will be a huge hack in the internal API. Or should we just document this bug as a known issue (thierry wrote that this is not a use case that should be used often)? The best solution would be a separate command, but this idea was rejected in thread "[Freeipa-devel] User life cycle: question regarding the design" Regards Martin^2 -- Martin Basti From tbabej at redhat.com Thu Jul 23 12:50:24 2015
From: tbabej at redhat.com (Tomas Babej) Date: Thu, 23 Jul 2015 14:50:24 +0200 Subject: [Freeipa-devel] [PATCHES 0351-0353] Improvements to ID override type validation Message-ID: <55B0E310.6020407@redhat.com> Hi, this patchset deals mainly with the ticket: https://fedorahosted.org/freeipa/ticket/5029 Details in the commit messages. Tomas -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-tbabej-0351-dcerpc-Add-get_trusted_domain_object_type-method.patch Type: text/x-patch Size: 2197 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-tbabej-0352-idviews-Restrict-anchor-to-name-and-name-to-anchor-c.patch Type: text/x-patch Size: 3870 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-tbabej-0353-idviews-Enforce-objectclass-check-in-idoverride-del.patch Type: text/x-patch Size: 1710 bytes Desc: not available URL: From abokovoy at redhat.com Thu Jul 23 13:08:01 2015 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Thu, 23 Jul 2015 16:08:01 +0300 Subject: [Freeipa-devel] [PATCHES 0351-0353] Improvements to ID override type validation In-Reply-To: <55B0E310.6020407@redhat.com> References: <55B0E310.6020407@redhat.com> Message-ID: <20150723130801.GJ21928@redhat.com> On Thu, 23 Jul 2015, Tomas Babej wrote: >Hi, > >this patchset deals mainly with the ticket: > >https://fedorahosted.org/freeipa/ticket/5029 > >Details in the commit messages. > >Tomas >From 83defa7e286b9e65a147598b4056abc47b4647bf Mon Sep 17 00:00:00 2001 >From: Tomas Babej >Date: Wed, 22 Jul 2015 14:00:37 +0200 >Subject: [PATCH] dcerpc: Add get_trusted_domain_object_type method > >https://fedorahosted.org/freeipa/ticket/5029 >--- > ipaserver/dcerpc.py | 29 +++++++++++++++++++++++++++++ > 1 file changed, 29 insertions(+) 
> >diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py >index 7220c440d16816abf5c022c840e9744f321878c4..be6313e1586cb9e3296361a8d07041d496d3223f 100644 >--- a/ipaserver/dcerpc.py >+++ b/ipaserver/dcerpc.py >@@ -107,6 +107,14 @@ dcerpc_error_messages = { > errors.RequirementError(name=_('At least the domain or IP address should be specified')), > } > >+pysss_type_key_translation_dict = { >+ pysss_nss_idmap.ID_USER: 'user', >+ pysss_nss_idmap.ID_GROUP: 'group', >+ # Used for users with magic private groups >+ pysss_nss_idmap.ID_BOTH: 'both', >+} >+ >+ > def assess_dcerpc_exception(num=None,message=None): > """ > Takes error returned by Samba bindings and converts it into >@@ -368,6 +376,27 @@ class DomainValidator(object): > raise errors.ValidationError(name=_('trusted domain object'), > error= _('Trusted domain did not return a valid SID for the object')) > >+ def get_trusted_domain_object_type(self, name_or_sid): >+ """ >+ Return the type of the object corresponding to the given name in >+ the trusted domain, which is either 'user', 'group' or 'both'. >+ The 'both' types is used for users with magic private groups. >+ """ >+ >+ object_type = None >+ >+ if is_sid_valid(name_or_sid): >+ result = pysss_nss_idmap.getnamebysid(name_or_sid) >+ else: >+ result = pysss_nss_idmap.getsidbyname(name_or_sid) >+ >+ if name_or_sid in result: >+ object_type = result[name_or_sid].get(pysss_nss_idmap.TYPE_KEY) If user or group not found, pysss_nss_idmap.getsidbyname() will return empty dict and the line above will fail: >>> import pysss_nss_idmap >>> pysss_nss_idmap.getsidbyname('some-name') {} >+ >+ # Do the translation to hide pysss_nss_idmap constants >+ # from higher-level code >+ return pysss_type_key_translation_dict.get(object_type) >+ > def get_trusted_domain_object_from_sid(self, sid): > root_logger.debug("Converting SID to object name: %s" % sid) > >-- >2.1.0 > >From b331e08905db1deb90e1188e62a51620c3f187b3 Mon Sep 17 00:00:00 2001 
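Review bot: the docstring of get_trusted_domain_object_type says the result is "either 'user', 'group' or 'both'", but the function also returns None: when pysss_nss_idmap knows nothing about the name or SID the lookup yields an empty dict, object_type stays None and `pysss_type_key_translation_dict.get(None)` is None. State that fourth outcome in the docstring, since the callers added in the next patch (verify_trusted_domain_object_type) rely on it to mean "no such object" rather than "no type information".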
>From: Tomas Babej >Date: Thu, 23 Jul 2015 12:36:53 +0200 >Subject: [PATCH] idviews: Restrict anchor to name and name to anchor > conversions > >When converting the ID override anchor from AD SID representation to >the object name, we need to properly restrict the type of the object >that is being resolved. > >The same restriction applies for the opposite direction, when >converting the object name to it's SID. > >https://fedorahosted.org/freeipa/ticket/5029 >--- > ipalib/plugins/idviews.py | 50 +++++++++++++++++++++++++++++++++++++++++++---- > 1 file changed, 46 insertions(+), 4 deletions(-) > >diff --git a/ipalib/plugins/idviews.py b/ipalib/plugins/idviews.py >index 48f646b812c424435233327e8fcfa363e17104f2..4d1aefef2cc8e8259d6b62315eb266c61f5cc5fb 100644 >--- a/ipalib/plugins/idviews.py >+++ b/ipalib/plugins/idviews.py 
>@@ -434,6 +434,36 @@ class idview_unapply(baseidview_apply): > > > # ID overrides helper methods >+def verify_trusted_domain_object_type(validator, desired_type, name_or_sid): >+ >+ object_type = validator.get_trusted_domain_object_type(name_or_sid) >+ >+ if object_type == desired_type: >+ # In case SSSD returns the same type as the type being >+ # searched, no problems here. >+ return True >+ >+ elif desired_type == 'user' and object_type == 'both': >+ # Type both denotes users with magic private groups. >+ # Overriding attributes for such users is OK. >+ return True >+ >+ elif desired_type == 'group' and object_type == 'both': >+ # However, overriding attributes for magic private groups >+ # does not make sense. One should override the GID of >+ # the user itself. >+ >+ raise errors.ConversionError( >+ name='identifier', >+ error=_('You are trying to reference a magic private group ' >+ 'which is not allowed to be overriden. ' >+ 'Try overriding the GID attribute of the ' >+ 'corresponding user instead.') >+ ) >+ >+ return False >+ >+ > def resolve_object_to_anchor(ldap, obj_type, obj, fallback_to_ldap): > """ > Resolves the user/group name to the anchor uuid: >@@ -484,9 +514,15 @@ def resolve_object_to_anchor(ldap, obj_type, obj, fallback_to_ldap): > sid = domain_validator.get_trusted_domain_object_sid(obj, > fallback_to_ldap=fallback_to_ldap) > >- # There is no domain prefix since SID contains information >- # about the domain >- return SID_ANCHOR_PREFIX + sid >+ # We need to verify that the object type is correct >+ type_correct = verify_trusted_domain_object_type( >+ domain_validator, obj_type, sid) >+ >+ if type_correct: >+ # There is no domain prefix since SID contains information >+ # about the domain >+ return SID_ANCHOR_PREFIX + sid >+ > except errors.ValidationError: > # Domain validator raises Validation Error if object name does not > # contain domain part (either NETBIOS\ prefix or @domain.name suffix) 
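Review bot: in the resolve_object_to_anchor hunk, when verify_trusted_domain_object_type returns False the new `if type_correct:` simply falls through past the return, so a name that resolved to an object of the wrong type ends up reported exactly like a name that did not resolve at all (whatever not-found path follows the try block). Consider raising a dedicated error at that point, for example errors.NotFound with a message saying the name resolved to a group where a user was expected; a plain "not found" will send the admin looking at trust resolution instead of at the object type. The helper's False also covers the case where get_trusted_domain_object_type returned None, so logging the resolved type at debug level here would make both cases diagnosable.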
>@@ -541,7 +577,13 @@ def resolve_anchor_to_object_name(ldap, obj_type, anchor): > domain_validator = ipaserver.dcerpc.DomainValidator(api) > if domain_validator.is_configured(): > name = domain_validator.get_trusted_domain_object_from_sid(sid) >- return name >+ >+ # We need to verify that the object type is correct >+ type_correct = verify_trusted_domain_object_type( >+ domain_validator, obj_type, name) >+ >+ if type_correct: >+ return name > > # No acceptable object was found > raise errors.NotFound( >-- >2.1.0 > >From 1086f33dda3b5b92793ad6fb710be59703a186ac Mon Sep 17 00:00:00 2001 >From: Tomas Babej >Date: Thu, 23 Jul 2015 14:00:06 +0200 >Subject: [PATCH] idviews: Enforce objectclass check in idoverride*-del > >Even with anchor to sid type checking, it would be still >possible to delete a user ID override by specifying a group >raw anchor and vice versa. > >This patch introduces a objectclass check in idoverride*-del >commands to prevent that. > >https://fedorahosted.org/freeipa/ticket/5029 >--- > ipalib/plugins/idviews.py | 19 +++++++++++++++++++ > 1 file changed, 19 insertions(+) > >diff --git a/ipalib/plugins/idviews.py b/ipalib/plugins/idviews.py >index 4d1aefef2cc8e8259d6b62315eb266c61f5cc5fb..cf5c9b5e8371c89e89a4cf1d334ac0e6b514653a 100644 >--- a/ipalib/plugins/idviews.py >+++ b/ipalib/plugins/idviews.py 
>@@ -718,6 +718,25 @@ class baseidoverride_del(LDAPDelete): > > takes_options = LDAPDelete.takes_options + (fallback_to_ldap_option,) > >+ def pre_callback(self, ldap, dn, *keys, **options): >+ assert isinstance(dn, DN) >+ >+ # Make sure the entry we're deleting has all the objectclasses >+ # this object requires >+ try: >+ entry = ldap.get_entry(dn, ['objectclass']) >+ except errors.NotFound: >+ self.obj.handle_not_found(*keys) >+ >+ required_object_classes = set(self.obj.object_class) >+ actual_object_classes = set(entry['objectclass']) >+ >+ # If not, treat it as a failed search >+ if not required_object_classes.issubset(actual_object_classes): >+ self.obj.handle_not_found(*keys) >+ >+ return dn >+ > > class baseidoverride_mod(LDAPUpdate): > __doc__ = _('Modify an ID override.') >-- >2.1.0 > -- / Alexander Bokovoy From tbabej at redhat.com Thu Jul 23 13:20:20 2015 From: tbabej at redhat.com (Tomas Babej) Date: Thu, 23 Jul 2015 15:20:20 +0200 Subject: [Freeipa-devel] [PATCHES 0351-0353] Improvements to ID override type validation In-Reply-To: <20150723130801.GJ21928@redhat.com> References: <55B0E310.6020407@redhat.com> <20150723130801.GJ21928@redhat.com> Message-ID: <55B0EA14.6030200@redhat.com> On 07/23/2015 03:08 PM, Alexander Bokovoy wrote: > On Thu, 23 Jul 2015, Tomas Babej wrote: >> Hi, >> >> this patchset deals mainly with the ticket: >> >> https://fedorahosted.org/freeipa/ticket/5029 >> >> Details in the commit messages. >> >> Tomas > >> From 83defa7e286b9e65a147598b4056abc47b4647bf Mon Sep 17 00:00:00 2001 >> From: Tomas Babej >> Date: Wed, 22 Jul 2015 14:00:37 +0200 >> Subject: [PATCH] dcerpc: Add get_trusted_domain_object_type method >> >> https://fedorahosted.org/freeipa/ticket/5029 >> --- >> ipaserver/dcerpc.py | 29 +++++++++++++++++++++++++++++ >> 1 file changed, 29 insertions(+) >> >> diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py >> index >> 7220c440d16816abf5c022c840e9744f321878c4..be6313e1586cb9e3296361a8d07041d496d3223f >> 100644 
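Review bot: the subset check in baseidoverride_del.pre_callback compares objectclass values case-sensitively (`set(self.obj.object_class)` against `set(entry['objectclass'])`), while LDAP objectClass values are case-insensitive; an entry whose objectclasses are stored in a different case than the plugin's object_class list would then be reported as not found on a legitimate delete. Lower-case both sides before the issubset test. Second, this guard closes the raw-anchor hole for delete only: baseidoverride_mod (the class right after this hunk) and -show resolve the same DN from the same anchor, so a user override can still be addressed by passing its raw anchor to the group command and vice versa. Put the required-objectclass check in a shared helper and call it from mod and show as well, so every command agrees on what a user override is.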
>> --- a/ipaserver/dcerpc.py >> +++ b/ipaserver/dcerpc.py >> @@ -107,6 +107,14 @@ dcerpc_error_messages = { >> errors.RequirementError(name=_('At least the domain or IP >> address should be specified')), >> } >> >> +pysss_type_key_translation_dict = { >> + pysss_nss_idmap.ID_USER: 'user', >> + pysss_nss_idmap.ID_GROUP: 'group', >> + # Used for users with magic private groups >> + pysss_nss_idmap.ID_BOTH: 'both', >> +} >> + >> + >> def assess_dcerpc_exception(num=None,message=None): >> """ >> Takes error returned by Samba bindings and converts it into >> @@ -368,6 +376,27 @@ class DomainValidator(object): >> raise errors.ValidationError(name=_('trusted domain object'), >> error= _('Trusted domain did not return a valid SID for >> the object')) >> >> + def get_trusted_domain_object_type(self, name_or_sid): >> + """ >> + Return the type of the object corresponding to the given name in >> + the trusted domain, which is either 'user', 'group' or 'both'. >> + The 'both' types is used for users with magic private groups. >> + """ >> + >> + object_type = None >> + >> + if is_sid_valid(name_or_sid): >> + result = pysss_nss_idmap.getnamebysid(name_or_sid) >> + else: >> + result = pysss_nss_idmap.getsidbyname(name_or_sid) >> + >> + if name_or_sid in result: >> + object_type = >> result[name_or_sid].get(pysss_nss_idmap.TYPE_KEY) > If user or group not found, pysss_nss_idmap.getsidbyname() will return > empty dict and the line above will fail: >>>> import pysss_nss_idmap >>>> pysss_nss_idmap.getsidbyname('some-name') > {} It will return {}, however, that line is prefixed by the + if name_or_sid in result: condition, hence it won't get executed in this case. I just ran a quick check and it seems to run as expected: >>> import ipaserver.dcerpc >>> validator = DomainValidator(api) >>> validator.get_trusted_domain_object_type('some-name') >>> Tomas From abokovoy at redhat.com Thu Jul 23 13:32:39 2015 
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Thu, 23 Jul 2015 16:32:39 +0300 Subject: [Freeipa-devel] [PATCHES 0351-0353] Improvements to ID override type validation In-Reply-To: <55B0EA14.6030200@redhat.com> References: <55B0E310.6020407@redhat.com> <20150723130801.GJ21928@redhat.com> <55B0EA14.6030200@redhat.com> Message-ID: <20150723133239.GL21928@redhat.com> On Thu, 23 Jul 2015, Tomas Babej wrote: >>> + def get_trusted_domain_object_type(self, name_or_sid): >>> + """ >>> + Return the type of the object corresponding to the given name in >>> + the trusted domain, which is either 'user', 'group' or 'both'. >>> + The 'both' types is used for users with magic private groups. >>> + """ >>> + >>> + object_type = None >>> + >>> + if is_sid_valid(name_or_sid): >>> + result = pysss_nss_idmap.getnamebysid(name_or_sid) >>> + else: >>> + result = pysss_nss_idmap.getsidbyname(name_or_sid) >>> + >>> + if name_or_sid in result: >>> + object_type = >>> result[name_or_sid].get(pysss_nss_idmap.TYPE_KEY) >> If user or group not found, pysss_nss_idmap.getsidbyname() will return >> empty dict and the line above will fail: >>>>> import pysss_nss_idmap >>>>> pysss_nss_idmap.getsidbyname('some-name') >> {} > >It will return {}, however, that line is prefixed by the > >+ if name_or_sid in result: > >condition, hence it won't get executed in this case. Ok, and then you get conversion dict.get(None) -> None which then wouldn't match anything in the caller. Sounds good. The rest was fine. ACK. -- / Alexander Bokovoy From tbabej at redhat.com Thu Jul 23 13:37:43 2015 
From: tbabej at redhat.com (Tomas Babej) Date: Thu, 23 Jul 2015 15:37:43 +0200 Subject: [Freeipa-devel] [PATCHES 0351-0353] Improvements to ID override type validation In-Reply-To: <20150723133239.GL21928@redhat.com> References: <55B0E310.6020407@redhat.com> <20150723130801.GJ21928@redhat.com> <55B0EA14.6030200@redhat.com> <20150723133239.GL21928@redhat.com> Message-ID: <55B0EE27.6080704@redhat.com> On 07/23/2015 03:32 PM, Alexander Bokovoy wrote: > On Thu, 23 Jul 2015, Tomas Babej wrote: >>>> + def get_trusted_domain_object_type(self, name_or_sid): >>>> + """ >>>> + Return the type of the object corresponding to the given >>>> name in >>>> + the trusted domain, which is either 'user', 'group' or 'both'. >>>> + The 'both' types is used for users with magic private groups. >>>> + """ >>>> + >>>> + object_type = None >>>> + >>>> + if is_sid_valid(name_or_sid): >>>> + result = pysss_nss_idmap.getnamebysid(name_or_sid) >>>> + else: >>>> + result = pysss_nss_idmap.getsidbyname(name_or_sid) >>>> + >>>> + if name_or_sid in result: >>>> + object_type = >>>> result[name_or_sid].get(pysss_nss_idmap.TYPE_KEY) >>> If user or group not found, pysss_nss_idmap.getsidbyname() will return >>> empty dict and the line above will fail: >>>>>> import pysss_nss_idmap >>>>>> pysss_nss_idmap.getsidbyname('some-name') >>> {} >> >> It will return {}, however, that line is prefixed by the >> >> + if name_or_sid in result: >> >> condition, hence it won't get executed in this case. > Ok, and then you get conversion dict.get(None) -> None which then > wouldn't match anything in the caller. > > Sounds good. The rest was fine. > > ACK. > Pushed to: master: aa066f31a5341079197f7b5a79fe2fa1045688bb ipa-4-2: a60f4ad7d0bbdaca2fbec2c9c491e976bf935f7e From mbabinsk at redhat.com Thu Jul 23 14:06:12 2015 
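What the three idviews patches above guard against, as an added example that is not FreeIPA code: a runnable model in which SSSD's pysss_nss_idmap lookup and the override entries in LDAP are replaced by constructed in-memory tables, so the type check in both resolve directions (including the 'both' case for users with magic private groups) and the objectclass check in the delete path can be exercised end to end. The override objectclass names are assumed to be ipaUserOverride and ipaGroupOverride.

```python
"""Added example, not FreeIPA code: a runnable model of the two guards the
idviews patches add against user/group type confusion in ID overrides.
SSSD's pysss_nss_idmap lookup and the LDAP entries are replaced by
constructed in-memory tables; the override objectclass names are assumed
to be the ones the plugin uses (ipaUserOverride, ipaGroupOverride)."""

SID_ANCHOR_PREFIX = ":SID:"

# Constructed stand-in for pysss_nss_idmap: name -> (SID, type as SSSD reports it)
TRUSTED = {
    "AD\\alice": ("S-1-5-21-11-22-33-1105", "both"),   # user with magic private group
    "AD\\bob":   ("S-1-5-21-11-22-33-1106", "user"),
    "AD\\devs":  ("S-1-5-21-11-22-33-2001", "group"),
}
BY_SID = {sid: (name, kind) for name, (sid, kind) in TRUSTED.items()}

# Constructed stand-in for the override entries: anchor -> objectclasses
OVERRIDES = {
    ":SID:S-1-5-21-11-22-33-1106": {"top", "ipaUserOverride"},
    ":SID:S-1-5-21-11-22-33-2001": {"top", "ipaGroupOverride"},
}
REQUIRED_CLASSES = {"user": {"ipaUserOverride"}, "group": {"ipaGroupOverride"}}


class MagicPrivateGroup(ValueError):
    """Caller tried to override the private group of a user."""


def object_type(name_or_sid):
    """'user', 'group', 'both', or None when SSSD does not know the object."""
    table = BY_SID if name_or_sid.startswith("S-1-") else TRUSTED
    hit = table.get(name_or_sid)
    return hit[1] if hit else None


def type_matches(desired, name_or_sid):
    """The check resolve_* must make before trusting a SID or a name."""
    actual = object_type(name_or_sid)
    if actual == desired:
        return True
    if desired == "user" and actual == "both":
        return True                 # overriding the user half is fine
    if desired == "group" and actual == "both":
        raise MagicPrivateGroup("override the user's GID attribute instead")
    return False                    # wrong type, or unknown object (None)


def resolve_object_to_anchor(obj_type, name):
    """Name -> anchor; refuses a group where a user was asked for, and vice versa."""
    sid = TRUSTED.get(name, (None, None))[0]
    if sid is None or not type_matches(obj_type, sid):
        raise LookupError("no %s named %r in the trusted domain" % (obj_type, name))
    return SID_ANCHOR_PREFIX + sid


def resolve_anchor_to_name(obj_type, anchor):
    """Anchor -> name; the same type check applied in the other direction."""
    sid = anchor[len(SID_ANCHOR_PREFIX):] if anchor.startswith(SID_ANCHOR_PREFIX) else ""
    name = BY_SID.get(sid, (None, None))[0]
    if name is None or not type_matches(obj_type, name):
        raise LookupError("no %s behind anchor %r" % (obj_type, anchor))
    return name


def delete_override(obj_type, anchor, store=OVERRIDES):
    """idoverride<type>-del: a raw anchor of the other type must look like 'not found'."""
    classes = store.get(anchor)
    if classes is None or not REQUIRED_CLASSES[obj_type] <= classes:
        raise LookupError("%s override %r not found" % (obj_type, anchor))
    return store.pop(anchor)


def attempt(fn, *args):
    """Run one of the guards and report its result or the error class name."""
    try:
        return fn(*args)
    except (LookupError, MagicPrivateGroup) as err:
        return type(err).__name__
```

The two guards are deliberately independent: the type check stops a name or SID of the wrong kind from ever becoming an anchor, and the objectclass check stops a correctly formed raw anchor from reaching an entry of the other kind, which is the hole the third patch closes.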
From: mbabinsk at redhat.com (Martin Babinsky) Date: Thu, 23 Jul 2015 16:06:12 +0200 Subject: [Freeipa-devel] [PATCH 0050] ACI plugin: correctly parse bind rules enclosed in parentheses Message-ID: <55B0F4D4.9050901@redhat.com> This is a quick fix for https://fedorahosted.org/freeipa/ticket/5037 -- Martin^3 Babinsky -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0050-ACI-plugin-correctly-parse-bind-rules-enclosed-in-pa.patch Type: text/x-patch Size: 1645 bytes Desc: not available URL: From mbasti at redhat.com Thu Jul 23 14:27:19 2015 
From: mbasti at redhat.com (Martin Basti) Date: Thu, 23 Jul 2015 16:27:19 +0200 Subject: [Freeipa-devel] [PATCH 0001] Test Topology plugin is listed among DS plugins In-Reply-To: <55B0B723.7070801@redhat.com> References: <55ACC623.20601@redhat.com> <55ACD1A2.5030202@redhat.com> <55ACE483.5030504@redhat.com> <55AE6903.4040202@redhat.com> <55AF44E1.3030500@redhat.com> <55AF4594.10704@redhat.com> <55AF9866.3050002@redhat.com> <55AFBB55.8000002@redhat.com> <55B0A6AF.4090807@redhat.com> <55B0B723.7070801@redhat.com> Message-ID: <55B0F9C7.1050006@redhat.com> On 23/07/15 11:42, Oleg Fayans wrote: > Forgot to attach the new version, sorry! > > On 07/23/2015 10:32 AM, Oleg Fayans wrote: >> Hi Martin, >> >> On 07/22/2015 05:48 PM, Martin Basti wrote: >>> On 22/07/15 15:19, Oleg Fayans wrote: >>>> Hi Martin, >>>> >>>> Fixed. >>>> >>>> On 07/22/2015 09:26 AM, Martin Basti wrote: >>>>> On 22/07/15 09:23, Oleg Fayans wrote: >>>>>> Hi Martin, >>>>>> >>>>>> Patch updated. Thank you for the review! >>>>>> >>>>>> On 07/21/2015 05:45 PM, Martin Basti wrote: >>>>>>> On 20/07/15 14:07, Oleg Fayans wrote: >>>>>>>> Hi Martin, >>>>>>>> >>>>>>>> Updated. >>>>>>>> >>>>>>>> >>>>>>>> On 07/20/2015 12:46 PM, Martin Basti wrote: >>>>>>>>> On 20/07/15 11:57, Oleg Fayans wrote: >>>>>>>>>> + pwfile = api.env.dot_ipa + os.sep + ".dmpw" >>>>>>>>>> + if ipautil.file_exists(pwfile): >>>>>>>>>> + fp = open(pwfile, "r") >>>>>>>>>> + dm_password = fp.read().rstrip() >>>>>>>>>> + fp.close() >>>>>>>>>> + else: >>>>>>>>> Hello, >>>>>>>>> >>>>>>>>> 1) Can you use os.path.join() instead of "+ os.sep +" please >>>>>>>>> >>>>>>>>> 2) Can you use with statement with file? 
>>>>>>>>> >>>>>>>>> with open(pwfile, "r") as f: >>>>>>>>> dm_password = f.read().rstrip() >>>>>>>>> >>>>>>>>> 3) Please keep PEP8 in new code >>>>>>>>> >>>>>>>>> ./ipatests/test_ipaserver/test_topology_plugin.py:30:80: E501 >>>>>>>>> line too long (102 > 79 characters) >>>>>>>>> ./ipatests/test_ipaserver/test_topology_plugin.py:33:80: E501 >>>>>>>>> line too long (92 > 79 characters) >>>>>>>>> ./ipatests/test_ipaserver/test_topology_plugin.py:39:80: E501 >>>>>>>>> line too long (124 > 79 characters) >>>>>>>>> ./ipatests/test_ipaserver/test_topology_plugin.py:44:80: E501 >>>>>>>>> line too long (92 > 79 characters) >>>>>>>>> ./ipatests/test_ipaserver/test_topology_plugin.py:45:48: E128 >>>>>>>>> continuation line under-indented for visual indent >>>>>>>>> ./ipatests/test_ipaserver/test_topology_plugin.py:45:80: E501 >>>>>>>>> line too long (89 > 79 characters) >>>>>>>>> ./ipatests/test_ipaserver/test_topology_plugin.py:46:48: E128 >>>>>>>>> continuation line under-indented for visual indent >>>>>>>>> ./ipatests/test_ipaserver/test_topology_plugin.py:46:80: E501 >>>>>>>>> line too long (89 > 79 characters) >>>>>>>>> ./ipatests/test_ipaserver/test_topology_plugin.py:58:80: E501 >>>>>>>>> line too long (87 > 79 characters) >>>>>>>>> >>>>>>>>> 4) Missing nose import >>>>>>>>> raise nose.SkipTest("No directory manager password >>>>>>>>> in %s" % pwfile) >>>>>>>>> >>>>>>>>> 5) Can you use sets here instead of sorted lists? >>>>>>>>> assert(sorted(entry.keys()) == sorted(pluginattrs.keys())) >>>>>>>>> >>>>>>>>> >>>>>>>>> Martin^2 >>>>>>>>> >>>>>>>> >>>>>>> 1) >>>>>>> Sorry, I didn't notice before, but there is a missing header in >>>>>>> that file. >>>>>>> >>>>>>> 2) >>>>>>> You don't need to specify ldap_uri, you just need to call >>>>>>> ldap2(api), by default api.env.ldap_uri is used, which is the >>>>>>> same as you specified >>>>>>> >>>>>>> 3) >>>>>>> Can you indent values of dict which are on a new line? It is >>>>>>> more readable.
>>>>>>> u'nsslapd-topo-plugin-shared-config-base': >>>>>>> [u'cn=ipa,cn=etc,dc=example,dc=com'], >>>>>>> u'nsslapd-pluginDescription': [u'ipa-topology-plugin'], >>>>>>> >>>>>>> 4) >>>>>>> Please use lowercase f as the variable name; in python we use capital letters >>>>>>> for class definitions >>>>>>> with open(pwfile, "r") as F: >>>>>>> dm_password = F.read().rstrip() >>>>>>> >>>>>>> Otherwise it works as expected. >>>>>>> >>>>>>> Martin^2 >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>> >>>>> Sorry. >>>>> You added the old license format there; in new files we now use the new >>>>> format >>>>> >>>>> # >>>>> # Copyright (C) 2015 FreeIPA Contributors see COPYING for license >>>>> # >>>>> >>>> >>> I cannot apply the last patch >>> >>> $ git am >>> freeipa-ofayans-0001.3-test-topologyplugin-is-listed-among-DS-plugins.patch >>> -3 >>> Applying: Added test - topology plugin is listed among DS plugins >>> fatal: corrupt patch at line 83 >>> Repository lacks necessary blobs to fall back on 3-way merge. >>> Cannot fall back to three-way merge. >>> >> Fixed. Tested it locally, it applies >> > > > Thank you ACK -- Martin Basti -------------- next part -------------- An HTML attachment was scrubbed... URL: From cheimes at redhat.com Thu Jul 23 15:54:03 2015
From: cheimes at redhat.com (Christian Heimes) Date: Thu, 23 Jul 2015 17:54:03 +0200 Subject: [Freeipa-devel] [PATCH 017] certprofile-import: do not require profileId in profile data Message-ID: <55B10E1B.8090203@redhat.com> certprofile-import no longer requires profileId in profile data. Instead the profile ID from the command line is taken and added to the profile data internally. If profileId is set in the profile, then it still has to match the CLI option. https://fedorahosted.org/freeipa/ticket/5090 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-cheimes-0017-certprofile-import-do-not-require-profileId-in-profi.patch Type: text/x-patch Size: 1484 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 455 bytes Desc: OpenPGP digital signature URL: From mzidek at redhat.com Thu Jul 23 16:21:25 2015 
From: mzidek at redhat.com (Michal Židek) Date: Thu, 23 Jul 2015 18:21:25 +0200 Subject: [Freeipa-devel] C coding style guide update Message-ID: <55B11485.8020400@redhat.com> Hi, in SSSD we use the freeipa coding guidelines which are located here: http://www.freeipa.org/page/Coding_Style However this coding style guide is already dated and there are some rules we follow in SSSD which are not mentioned in the guide, and also there are some C language features that we would like to start using in a certain way but their usage should be covered in the coding style guide. So, an update is needed (at least for SSSD). I would like to start a discussion about what to add to the coding guide (and maybe what to remove), but before that, I would like to propose to move the coding style guide to the SSSD wiki and just add a link to it to the FreeIPA wiki. The reason is that unlike FreeIPA, most of the SSSD code is written in C and the SSSD team will more likely update and modify the guide according to new practices used in upstream development, whereas FreeIPA is mostly a Python project and the C coding style probably does not need revision as often. So the SSSD wiki seems like a more appropriate place. Another possibility would be to fork the FreeIPA style and maintain the SSSD coding style guide separately. But I think linking the two is the better option, because the two projects are closely related and it makes sense to share the coding style guidelines. So, my first question is: is someone against moving the C coding style guide to the SSSD wiki and adding a link to it on the FreeIPA wiki? Michal -- Senior Principal Intern From cheimes at redhat.com Thu Jul 23 16:25:25 2015
From: cheimes at redhat.com (Christian Heimes) Date: Thu, 23 Jul 2015 18:25:25 +0200 Subject: [Freeipa-devel] [PATCH 018] certprofile-import: improve profile format documentation Message-ID: <55B11575.10004@redhat.com> The certprofile-import plugin expects a raw Dogtag config file. The XML format is not supported. --help gives a hint about the correct file format. https://fedorahosted.org/freeipa/ticket/5089 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-cheimes-0018-certprofile-import-improve-profile-format-documentat.patch Type: text/x-patch Size: 1126 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 455 bytes Desc: OpenPGP digital signature URL: From cheimes at redhat.com Thu Jul 23 18:38:46 2015 
From: cheimes at redhat.com (Christian Heimes) Date: Thu, 23 Jul 2015 20:38:46 +0200 Subject: [Freeipa-devel] [PATCH 019] Asymmetric vault: validate public key in client Message-ID: <55B134B6.1020209@redhat.com> The ipa vault commands now load the public keys in order to verify them. The validation also prevents a user from accidentally sending her private keys to the server. The patch fixes #5142 and #5143. $ ./ipa vault-add AsymmetricVault --desc "Asymmetric vault" --type asymmetric --public-key-file mykey.pem ipa: ERROR: invalid 'ipavaultpublickey': Invalid or unsupported vault public key: Could not unserialize key data. https://fedorahosted.org/freeipa/ticket/5142 https://fedorahosted.org/freeipa/ticket/5143 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-cheimes-0019-Asymmetric-vault-validate-public-key-in-client.patch Type: text/x-patch Size: 1608 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 455 bytes Desc: OpenPGP digital signature URL: From rharwood at redhat.com Thu Jul 23 19:29:23 2015 From: rharwood at redhat.com (Robbie Harwood) Date: Thu, 23 Jul 2015 15:29:23 -0400 Subject: [Freeipa-devel] [PATCH] Port from python-kerberos library to python-gssapi In-Reply-To: <55B0BCDF.4070006@redhat.com> References: <2026883365.1326941.1437480146008.JavaMail.zimbra@redhat.com> <1747692317.2396484.1437572854418.JavaMail.zimbra@redhat.com> <55B0BCDF.4070006@redhat.com> Message-ID: Some comments from Solly and me inline: Michael Šimáček writes: > On 2015-07-22 15:47, Simo Sorce wrote: >> Comments inline. >> >> ----- Original Message ----- >>> From: "Michael Simacek" >>> To: freeipa-devel at redhat.com >>> Sent: Tuesday, July 21, 2015 8:02:26 AM >>> Subject: [Freeipa-devel] [PATCH] Port from python-kerberos library to python-gssapi
>>> >>> diff --git a/ipalib/util.py b/ipalib/util.py >>> index 649a487..aea3ba9 100644 >>> --- a/ipalib/util.py >>> +++ b/ipalib/util.py >>> @@ -63,15 +63,15 @@ def json_serialize(obj): >>> >>> def get_current_principal(): >>> try: >>> - import kerberos >>> - rc, vc = kerberos.authGSSClientInit("notempty") >>> - rc = kerberos.authGSSClientInquireCred(vc) >>> - username = kerberos.authGSSClientUserName(vc) >>> - kerberos.authGSSClientClean(vc) >>> + import gssapi >>> + cred = gssapi.raw.acquire_cred(usage='initiate').creds >>> + name = gssapi.raw.inquire_cred(cred, lifetime=False, usage=False, >>> + mechs=False).name >>> + username = gssapi.raw.display_name(name, name_type=False).name >> >> Same as above. >> Create a credential and inquire it with the high level api > > Done, but I still use raw.display_name as I don't see how to get it from > high-level API (besides parsing repr). I believe one can call `str()`. See http://pythonhosted.org/gssapi/gssapi.html#gssapi.names.Name > @@ -548,14 +552,12 @@ class KerbTransport(SSLTransport): > service = "HTTP@" + host.split(':')[0] > > try: > - (rc, vc) = kerberos.authGSSClientInit(service=service, > - gssflags=self.flags) > - except kerberos.GSSError, e: > - self._handle_exception(e) > - > - try: > - kerberos.authGSSClientStep(vc, "") > - except kerberos.GSSError, e: > + name = gssapi.Name(service, gssapi.NameType.hostbased_service) > + sec_context = gssapi.SecurityContext(name=name, flags=self.flags) > + # gssapi defers errors to next step, we want them now > + sec_context.__DEFER_STEP_ERRORS__ = False As a class-level flag, this should probably be used as such. Preferable to using it would be to check complete, though - is there a reason not to do that here? Otherwise, looks good! -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 818 bytes Desc: not available URL: From mkosek at redhat.com Thu Jul 23 20:07:20 2015 
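Review bot: `__DEFER_STEP_ERRORS__` is a class attribute of gssapi.SecurityContext, and `sec_context.__DEFER_STEP_ERRORS__ = False` on the instance only works by shadowing it; if immediate errors are what KerbTransport needs, define the override once on a small subclass used for all of its contexts instead of poking a dunder attribute after every instantiation, and add a comment saying why deferral is off (python-gssapi holds a GSSError raised inside step() until the next call so the error token can be sent to the peer, and a single-step Authorization header never gives it that chance). Robbie's alternative, leaving the library default alone and checking sec_context.complete after the step, keeps the code free of that attribute altogether.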
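The port discussed in this thread, written out as an added example against the high-level python-gssapi API; this is not code from the patch or from FreeIPA. It assumes python-gssapi is installed and a TGT is in the credential cache for the functions that build and step the security context (those are defined only when the module imports); the header helpers are plain Python and run without either. It goes one step beyond the patch and feeds the server's WWW-Authenticate token back into the context, which is the point at which the mutual_authentication flag is actually honoured.

```python
"""Added example, not FreeIPA code: the client side of HTTP Negotiate
with the high-level python-gssapi API (SecurityContext, Credentials)
instead of gssapi.raw.  Assumes python-gssapi and a valid TGT for the
functions that touch GSSAPI; the header helpers are plain Python."""
import base64

try:
    import gssapi
except ImportError:          # the pure helpers below still work without it
    gssapi = None


def service_name(host):
    """'host[:port]' -> 'HTTP@host'; a bracketed IPv6 literal keeps its colons."""
    if host.startswith("["):
        return "HTTP@" + host[1:host.index("]")]
    return "HTTP@" + host.split(":")[0]


def negotiate_header(token):
    """Authorization header carrying one raw GSSAPI token (RFC 4559)."""
    return ("Authorization",
            "Negotiate " + base64.b64encode(token).decode("ascii"))


def parse_negotiate_challenge(www_authenticate):
    """Token from 'WWW-Authenticate: Negotiate <base64>'; None otherwise."""
    if not www_authenticate:
        return None
    parts = www_authenticate.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "negotiate":
        return None
    try:
        return base64.b64decode(parts[1].strip(), validate=True)
    except (ValueError, TypeError):
        return None


if gssapi is not None:

    class EagerContext(gssapi.SecurityContext):
        # python-gssapi holds a GSSError raised inside step() until the next
        # call so the error token can be sent to the peer.  A one-shot
        # Authorization header never gets that chance, so fail immediately.
        __DEFER_STEP_ERRORS__ = False

    def build_context(host, delegate=False):
        """Initiator context for HTTP@host; delegate=True forwards the TGT."""
        flags = [gssapi.RequirementFlag.mutual_authentication,
                 gssapi.RequirementFlag.out_of_sequence_detection]
        if delegate:
            flags.append(gssapi.RequirementFlag.delegate_to_peer)
        name = gssapi.Name(service_name(host),
                           gssapi.NameType.hostbased_service)
        return EagerContext(name=name, flags=flags, usage="initiate")

    def initial_header(ctx):
        """First request: a GSSError (no TGT, unknown service) raises here."""
        return negotiate_header(ctx.step())

    def finish_mutual_auth(ctx, www_authenticate):
        """Feed the server's reply token back; only now is the server
        authenticated to us, which the mutual_authentication flag asked for."""
        token = parse_negotiate_challenge(www_authenticate)
        if token is None:
            raise ValueError("server sent no Negotiate token back")
        ctx.step(token)
        if not ctx.complete:
            raise ValueError("context not established after server reply")
        return True

    def current_principal():
        """Display form of the default initiator credential's name."""
        return str(gssapi.Credentials(usage="initiate").name)
```

Usage on a real client: `ctx = build_context("ipa.example.test:443")`, send `initial_header(ctx)` with the request, then call `finish_mutual_auth(ctx, response.headers["WWW-Authenticate"])` before trusting the body. `current_principal()` replaces the acquire_cred/inquire_cred/display_name sequence in the util.py hunk.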
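The client-side check that Christian's vault patch (PATCH 019, above) describes, as an added example that is not the patch's code: a minimal DER walk over a PEM SubjectPublicKeyInfo that accepts an rsaEncryption public key and refuses everything else, above all a private key handed in by mistake. The DER helpers and the tiny sample modulus are constructed for this example; the "Could not unserialize key data" text quoted in the mail comes from the key loader IPA itself uses, which this example replaces with its own parser so it runs stand-alone.

```python
"""Added example, not FreeIPA code: the kind of client-side check the
vault patch describes, done with a minimal DER walk so it runs without
the cryptography library.  It accepts a PEM SubjectPublicKeyInfo holding
an rsaEncryption key and refuses anything else, in particular a private
key pasted by mistake.  Sample keys are constructed and deliberately tiny."""
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
RSA_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1


class BadPublicKey(ValueError):
    """Raised for anything that is not a usable public key."""


def _der(tag, value):
    """Encode one DER TLV (definite length)."""
    if len(value) < 128:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _der_int(n):
    return _der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))  # positive


def _tlv(data, pos):
    """Decode one DER TLV at pos -> (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7f
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    if pos + length > len(data):
        raise ValueError("truncated DER")
    return tag, data[pos:pos + length], pos + length


def rsa_spki_pem(n, e):
    """PEM 'PUBLIC KEY' for an RSA (n, e) pair; only used to build test input."""
    alg = _der(0x30, _der(0x06, RSA_OID) + b"\x05\x00")
    key = _der(0x30, _der_int(n) + _der_int(e))
    b64 = base64.b64encode(_der(0x30, alg + _der(0x03, b"\x00" + key))).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN PUBLIC KEY-----\n%s\n-----END PUBLIC KEY-----\n" % body


def check_vault_public_key(pem):
    """Return {'algorithm', 'modulus_bits'} or raise BadPublicKey."""
    m = PEM_RE.search(pem)
    if not m:
        raise BadPublicKey("not a PEM block")
    label, body = m.group(1), m.group(2)
    if "PRIVATE KEY" in label:
        raise BadPublicKey("this is a %s; never send it to the server" % label.lower())
    if label != "PUBLIC KEY":
        raise BadPublicKey("unsupported PEM label %r" % label)
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
        tag, spki, end = _tlv(der, 0)
        if tag != 0x30 or end != len(der):
            raise BadPublicKey("not a single DER SEQUENCE")
        tag, alg, pos = _tlv(spki, 0)
        oid_tag, oid, _ = _tlv(alg, 0)
        bits_tag, bits, _ = _tlv(spki, pos)
        if tag != 0x30 or oid_tag != 0x06 or bits_tag != 0x03:
            raise BadPublicKey("not a SubjectPublicKeyInfo structure")
        if oid != RSA_OID:
            raise BadPublicKey("only rsaEncryption keys are handled here")
        _, rsa, _ = _tlv(bits, 1)          # skip the unused-bits octet
        n_tag, n, pos = _tlv(rsa, 0)
        e_tag, _, _ = _tlv(rsa, pos)
    except BadPublicKey:
        raise
    except (ValueError, IndexError) as err:   # bad base64 or mangled DER
        raise BadPublicKey("could not parse key data: %s" % err)
    if n_tag != 0x02 or e_tag != 0x02:
        raise BadPublicKey("RSAPublicKey must hold two INTEGERs")
    return {"algorithm": "rsaEncryption",
            "modulus_bits": int.from_bytes(n, "big").bit_length()}


def is_acceptable_vault_key(pem):
    """True if check_vault_public_key would let the file through."""
    try:
        check_vault_public_key(pem)
        return True
    except BadPublicKey:
        return False
```

The PEM label test comes first on purpose: a private key is the one input that must be rejected before anything is decoded or logged, since the whole point of the patch is that it never leaves the client.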
From: mkosek at redhat.com (Martin Kosek) Date: Thu, 23 Jul 2015 22:07:20 +0200 Subject: [Freeipa-devel] 4.3 Branch? In-Reply-To: <55A7954F.1090904@redhat.com> References: <1192868348.41149398.1436880184299.JavaMail.zimbra@redhat.com> <55A791E5.7070104@redhat.com> <55A7954F.1090904@redhat.com> Message-ID: <55B14978.5010701@redhat.com> On 07/16/2015 01:28 PM, Tomas Babej wrote: > > > On 07/16/2015 01:13 PM, Petr Vobornik wrote: >> On 07/14/2015 03:23 PM, Nathaniel McCallum wrote: >>> 4.3 is going to be a very narrow feature release. Should we branch >>> 4.3 early so that we can still land new features on master during >>> 4.3? >>> >> >> I did not like it at first but we should do it. > > We will have some little maintenance burden, as we will need to push to > two branches concurrently. > > However, I find rebasing patches that do not apply cleanly painful.. > when we release 4.3 and decide to land ~50-100 patches of fixes that > didn't belong there, it might turn out to be a huge pain. > > I'd much rather go with the separate branch approach, as Nathaniel suggests. > > Tomas > I would really prefer to wait until we have a good reason/RFE that "does not fit" in FreeIPA 4.3 before branching out. The narrow nature of FreeIPA 4.3 release is in what we chose to focus on rather than in what patches are let in. If a feature is completed, I personally do not see a reason why we could not add it to FreeIPA 4.3 release. Of course, if we have a refactoring/feature that would destabilize the tree past the time when we wish to release FreeIPA 4.3 (during August), then it may be the right time to branch out. Martin From ftweedal at redhat.com Fri Jul 24 02:06:33 2015
From: ftweedal at redhat.com (Fraser Tweedale) Date: Fri, 24 Jul 2015 12:06:33 +1000 Subject: [Freeipa-devel] [PATCH 018] certprofile-import: improve profile format documentation In-Reply-To: <55B11575.10004@redhat.com> References: <55B11575.10004@redhat.com> Message-ID: <20150724020633.GF20599@dhcp-40-8.bne.redhat.com> On Thu, Jul 23, 2015 at 06:25:25PM +0200, Christian Heimes wrote: > The certprofile-import plugin expects a raw Dogtag config file. The XML > format is not supported. --help gives a hint about the correct file format. > > https://fedorahosted.org/freeipa/ticket/5089 ACK, but IMO this does not complete 5089. I will add more commentary to the plugin documentation in a separate patch. Thanks, Fraser > From 1344425af2886797ec9cef40a325e56a8d1752eb Mon Sep 17 00:00:00 2001 > From: Christian Heimes > Date: Thu, 23 Jul 2015 18:22:19 +0200 > Subject: [PATCH] certprofile-import: improve profile format documentation > > The certprofile-import plugin expects a raw Dogtag config file. The XML > format is not supported. --help gives a hint about the correct file format. > > https://fedorahosted.org/freeipa/ticket/5089 > --- > ipalib/plugins/certprofile.py | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/ipalib/plugins/certprofile.py b/ipalib/plugins/certprofile.py > index 5550ed942521dbab2e783fba1570520268f9b378..ae75d43d7412d0df7c09a33c16c833995d9a3fe4 100644 > --- a/ipalib/plugins/certprofile.py > +++ b/ipalib/plugins/certprofile.py > @@ -220,7 +220,7 @@ class certprofile_import(LDAPCreate): > msg_summary = _('Imported profile "%(value)s"') > takes_options = ( > File('file', > - label=_('Filename'), > + label=_('Filename of a raw profile. The XML format is not supported.'), > cli_name='file', > flags=('virtual_attribute',), > ), > -- > 2.4.3 > From ftweedal at redhat.com Fri Jul 24 03:15:28 2015 
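Review bot: the one-line change in the certprofile_import hunk puts a full sentence ('Filename of a raw profile. The XML format is not supported.') into `label`, which is the short name of the field; keep `label=_('Filename')` and state the format requirement in the option's help text and in the plugin docstring, which is also where Fraser's follow-up commentary for 5089 would go.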
From: ftweedal at redhat.com (Fraser Tweedale) Date: Fri, 24 Jul 2015 13:15:28 +1000 Subject: [Freeipa-devel] [PATCH 017] certprofile-import: do not require profileId in profile data In-Reply-To: <55B10E1B.8090203@redhat.com> References: <55B10E1B.8090203@redhat.com> Message-ID: <20150724031528.GG20599@dhcp-40-8.bne.redhat.com> > diff --git a/ipalib/plugins/certprofile.py b/ipalib/plugins/certprofile.py > index 5550ed942521dbab2e783fba1570520268f9b378..fe8934690fe09499f0bacb6610d9815a2b4367a4 100644 > --- a/ipalib/plugins/certprofile.py > +++ b/ipalib/plugins/certprofile.py > @@ -233,8 +233,8 @@ class certprofile_import(LDAPCreate): > > match = self.PROFILE_ID_PATTERN.search(options['file']) > if match is None: > - raise errors.ValidationError(name='file', > - error=_("Profile ID is not present in profile data")) > + # no profileId found, use CLI value as profileId. > + options['file'] = u'profileId=%s\n%s' % (keys[0], options['file']) NACK This assignment has no external effect; `post_callback' is called with original `options['file']' and dogtag profile import can fail due to missing profileId. The solution is to do the same thing in post_callback; updated patch attached. Thanks, Fraser -------------- next part -------------- From 98b422098ace7d8a405facf17b7399b07ed9362c Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Thu, 23 Jul 2015 17:48:56 +0200 Subject: [PATCH] certprofile-import: do not require profileId in profile data certprofile-import no longer requires profileId in profile data. Instead the profile ID from the command line is taken and added to the profile data internally. If profileId is set in the profile, then it still has to match the CLI option. https://fedorahosted.org/freeipa/ticket/5090 --- ipalib/plugins/certprofile.py | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) 
diff --git a/ipalib/plugins/certprofile.py b/ipalib/plugins/certprofile.py index 5550ed942521dbab2e783fba1570520268f9b378..8c24192fc9204a412c5357571eb5a274074bad39 100644 --- a/ipalib/plugins/certprofile.py +++ b/ipalib/plugins/certprofile.py @@ -233,8 +233,8 @@ class certprofile_import(LDAPCreate): match = self.PROFILE_ID_PATTERN.search(options['file']) if match is None: - raise errors.ValidationError(name='file', - error=_("Profile ID is not present in profile data")) + # no profileId found, use CLI value as profileId. + options['file'] = u'profileId=%s\n%s' % (keys[0], options['file']) elif keys[0] != match.group(1): raise errors.ValidationError(name='file', error=_("Profile ID '%(cli_value)s' does not match profile data '%(file_value)s'") @@ -248,6 +248,11 @@ class certprofile_import(LDAPCreate): If the operation fails, remove the LDAP entry. """ + match = self.PROFILE_ID_PATTERN.search(options['file']) + if match is None: + # no profileId found, use CLI value as profileId. + options['file'] = u'profileId=%s\n%s' % (keys[0], options['file']) + try: with self.api.Backend.ra_certprofile as profile_api: profile_api.create_profile(options['file']) -- 2.4.3 From cheimes at redhat.com Fri Jul 24 09:31:15 2015 From: cheimes at redhat.com (Christian Heimes) Date: Fri, 24 Jul 2015 11:31:15 +0200 Subject: [Freeipa-devel] [PATCH 017] certprofile-import: do not require profileId in profile data In-Reply-To: <20150724031528.GG20599@dhcp-40-8.bne.redhat.com> References: <55B10E1B.8090203@redhat.com> <20150724031528.GG20599@dhcp-40-8.bne.redhat.com> Message-ID: <55B205E3.3090004@redhat.com> On 2015-07-24 05:15, Fraser Tweedale wrote: >> diff --git a/ipalib/plugins/certprofile.py b/ipalib/plugins/certprofile.py >> index 5550ed942521dbab2e783fba1570520268f9b378..fe8934690fe09499f0bacb6610d9815a2b4367a4 100644 >> --- a/ipalib/plugins/certprofile.py >> +++ b/ipalib/plugins/certprofile.py 
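Review bot: the post_callback hunk (@@ -248) duplicates the three-line profileId-prepending block from the pre_callback hunk (@@ -233); since, per Fraser's comment, pre_callback's assignment to options['file'] never reaches post_callback, that copy is now dead and only the `elif keys[0] != match.group(1)` mismatch check in pre_callback still does work. Factor the normalisation into one helper (say, a method that returns the profile text with `profileId=<cli value>` prepended when PROFILE_ID_PATTERN finds none) and call it from post_callback only, so the two searches cannot drift apart; pre_callback would keep just the validation.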
>> @@ -233,8 +233,8 @@ class certprofile_import(LDAPCreate): >> >> match = self.PROFILE_ID_PATTERN.search(options['file']) >> if match is None: >> - raise errors.ValidationError(name='file', >> - error=_("Profile ID is not present in profile data")) >> + # no profileId found, use CLI value as profileId. >> + options['file'] = u'profileId=%s\n%s' % (keys[0], options['file']) > > NACK > > This assignment has no external effect; `post_callback' is called > with original `options['file']' and dogtag profile import can fail > due to missing profileId. > > The solution is to do the same thing in post_callback; updated patch > attached. Oh, I should have noticed that myself. The options parameter is passed in as **kwargs. The keyword arguments dict is always a flat copy. Thanks! Christian -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 455 bytes Desc: OpenPGP digital signature URL: From cheimes at redhat.com Fri Jul 24 10:20:06 2015 From: cheimes at redhat.com (Christian Heimes) Date: Fri, 24 Jul 2015 12:20:06 +0200 Subject: [Freeipa-devel] variable name 'rsa_public_key' in vault Message-ID: <55B21156.6010607@redhat.com> Hello, while I was working on https://fedorahosted.org/freeipa/ticket/5142 and patch 019, I noticed the variable names rsa_public_key and rsa_private_key in vault.py. load_pem_public_key() can load and return other key formats (DSA, ECDSA), too. Does vault mean to support the other algorithms? In case vault should support any kind of asymmetric cipher, I'd like to change the variable names. It's confusing. Otherwise we should add a check for RSA and prevent DSA and ECDSA keys. Christian -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 455 bytes Desc: OpenPGP digital signature URL: From mbasti at redhat.com Fri Jul 24 10:41:44 2015 
From: mbasti at redhat.com (Martin Basti) Date: Fri, 24 Jul 2015 12:41:44 +0200 Subject: [Freeipa-devel] [PATCH 017] certprofile-import: do not require profileId in profile data In-Reply-To: <20150724031528.GG20599@dhcp-40-8.bne.redhat.com> References: <55B10E1B.8090203@redhat.com> <20150724031528.GG20599@dhcp-40-8.bne.redhat.com> Message-ID: <55B21668.20604@redhat.com> On 24/07/15 05:15, Fraser Tweedale wrote: >> diff --git a/ipalib/plugins/certprofile.py b/ipalib/plugins/certprofile.py >> index 5550ed942521dbab2e783fba1570520268f9b378..fe8934690fe09499f0bacb6610d9815a2b4367a4 100644 >> --- a/ipalib/plugins/certprofile.py >> +++ b/ipalib/plugins/certprofile.py >> @@ -233,8 +233,8 @@ class certprofile_import(LDAPCreate): >> >> match = self.PROFILE_ID_PATTERN.search(options['file']) >> if match is None: >> - raise errors.ValidationError(name='file', >> - error=_("Profile ID is not present in profile data")) >> + # no profileId found, use CLI value as profileId. >> + options['file'] = u'profileId=%s\n%s' % (keys[0], options['file']) > NACK > > This assignment has no external effect; `post_callback' is called > with original `options['file']' and dogtag profile import can fail > due to missing profileId. > > The solution is to do the same thing in post_callback; updated patch > attached. > > Thanks, > Fraser > > I don't like to have the same code twice in pre and post callback. Can you use contextmanager to store the right value in pre callback and then use it in post callback? (can find it in dns plugin, search for context) Martin^2 -- Martin Basti From ftweedal at redhat.com Fri Jul 24 13:40:49 2015
From: ftweedal at redhat.com (Fraser Tweedale) Date: Fri, 24 Jul 2015 23:40:49 +1000 Subject: [Freeipa-devel] [PATCH] 0028 add --out option to user-show Message-ID: <20150724134049.GI20599@dhcp-40-8.bne.redhat.com> The attached patch adds --out option to user-show for saving user's certificate(s) to file. Thanks, Fraser -------------- next part -------------- From 0e3f681d21724ba2ab09737977c18b13392d9f53 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Fri, 24 Jul 2015 09:31:26 -0400 Subject: [PATCH] user-show: add --out option to save certificates to file Add the --out option to user-show, bringing it into line with host-show and service-show with the ability to save the user's certificate(s) to a file. --- API.txt | 3 ++- VERSION | 4 ++-- ipalib/plugins/user.py | 27 ++++++++++++++++++++++++++- 3 files changed, 30 insertions(+), 4 deletions(-) diff --git a/API.txt b/API.txt index 6ab30ddab41715fdbccb4f37aa1852621bca62b4..2e19d6b2f1e16cc1c89d71ed7d443145426a28e3 100644 --- a/API.txt +++ b/API.txt @@ -5360,10 +5360,11 @@ output: Entry('result', , Gettext('A dictionary representing an LDA output: Output('summary', (, ), None) output: PrimaryKey('value', None, None) command: user_show -args: 1,5,3 +args: 1,6,3 arg: Str('uid', attribute=True, cli_name='login', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, query=True, required=True) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Str('out?') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Flag('rights', autofill=True, default=False) option: Str('version?', exclude='webui') diff --git a/VERSION b/VERSION index 2b78af50bf1e811cbcd04f6c69b8d506c98fdedb..a3d586df47ab6a6136bd38c0151fe43876bf5ab3 100644 --- a/VERSION +++ b/VERSION 
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000 # # ######################################################## IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=147 -# Last change: mbasti - Consolidate DNS RR in API and schema +IPA_API_VERSION_MINOR=148 +# Last change: ftweedal - add --out option to user-show diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py index 206b380efb6472fb040dde33ac80e3f66c00c138..0209b29b130f2377c04f497f95c8ad39e98f2587 100644 --- a/ipalib/plugins/user.py +++ b/ipalib/plugins/user.py @@ -23,7 +23,7 @@ import string import posixpath import os -from ipalib import api, errors +from ipalib import api, errors, util from ipalib import Flag, Int, Password, Str, Bool, StrEnum, DateTime from ipalib.plugins.baseuser import baseuser, baseuser_add, baseuser_del, \ baseuser_mod, baseuser_find, baseuser_show, \ @@ -38,6 +38,7 @@ from ipalib.plugins import baseldap from ipalib.request import context from ipalib import _, ngettext from ipalib import output +from ipalib import x509 from ipaplatform.paths import paths from ipapython.ipautil import ipa_generate_password from ipapython.ipavalidate import Email @@ -765,6 +766,11 @@ class user_show(baseuser_show): __doc__ = _('Display information about a user.') has_output_params = baseuser_show.has_output_params + user_output_params + takes_options = baseuser_show.takes_options + ( + Str('out?', + doc=_('file to store certificate in'), + ), + ) def post_callback(self, ldap, dn, entry_attrs, *keys, **options): convert_nsaccountlock(entry_attrs) 
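Review bot: the `Str('out?', doc=_('file to store certificate in'))` option in the @@ -765 hunk is consumed entirely on the client in forward(), yet it carries no `exclude='webui'` the way the `all` and `raw` flags in the API.txt hunk do; without it the Web UI will render a free-text field for a file that only the CLI can write. Add `exclude='webui'` and mirror it in the API.txt option line.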
@@ -772,6 +778,25 @@ class user_show(baseuser_show): self.obj.get_preserved_attribute(entry_attrs, options) return dn + def forward(self, *keys, **options): + if 'out' in options: + util.check_writable_file(options['out']) + result = super(user_show, self).forward(*keys, **options) + if 'usercertificate' in result['result']: + x509.write_certificate_list( + result['result']['usercertificate'], + options['out'] + ) + result['summary'] = ( + _('Certificate(s) stored in file \'%(file)s\'') + % dict(file=options['out']) + ) + return result + else: + raise errors.NoCertificateError(entry=keys[-1]) + else: + return super(user_show, self).forward(*keys, **options) + @register() class user_undel(LDAPQuery): __doc__ = _('Undelete a delete user account.') -- 2.4.3 From tbabej at redhat.com Fri Jul 24 14:52:08 2015 From: tbabej at redhat.com (Tomas Babej) Date: Fri, 24 Jul 2015 16:52:08 +0200 Subject: [Freeipa-devel] [PATCH] 0028 add --out option to user-show In-Reply-To: <20150724134049.GI20599@dhcp-40-8.bne.redhat.com> References: <20150724134049.GI20599@dhcp-40-8.bne.redhat.com> Message-ID: <55B25118.2080700@redhat.com> On 07/24/2015 03:40 PM, Fraser Tweedale wrote: > The attached patch adds --out option to user-show for saving user's > certificate(s) to file. > > Thanks, > Fraser > > > I hate to nitpick here, but is "out" really a descriptive option name here? I'd prefer something more explicit, like '--save-cert-to', or maybe even have this operation implemented as a separate command altogether. Tomas From mbasti at redhat.com Fri Jul 24 15:34:50 2015 
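Review bot: in the forward hunk both branches call `super(user_show, self).forward(*keys, **options)`; call it once, then branch on `'out' in options` with the result, which also removes one level of nesting. Separately, util.check_writable_file(options['out']) runs before the RPC while x509.write_certificate_list writes after it, and the write itself is not guarded, so a failure there surfaces as a raw exception rather than the error check_writable_file would have raised; wrapping the write in the same error handling keeps the CLI message consistent.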
From: mbasti at redhat.com (Martin Basti) Date: Fri, 24 Jul 2015 17:34:50 +0200 Subject: [Freeipa-devel] [PATCH] 0028 add --out option to user-show In-Reply-To: <55B25118.2080700@redhat.com> References: <20150724134049.GI20599@dhcp-40-8.bne.redhat.com> <55B25118.2080700@redhat.com> Message-ID: <55B25B1A.8040106@redhat.com> On 24/07/15 16:52, Tomas Babej wrote: > > On 07/24/2015 03:40 PM, Fraser Tweedale wrote: >> The attached patch adds --out option to user-show for saving user's >> certificate(s) to file. >> >> Thanks, >> Fraser >> >> >> > I hate to nitpick here, but is "out" really a descriptive option name > here? I'd prefer something more explicit, like '--save-cert-to', or > maybe even have this operation implemented as a separate command altogether. > > Tomas > This keyword was already used with several commands. For consistency it might be better to have it the same. -- Martin Basti From tbabej at redhat.com Fri Jul 24 15:53:56 2015
From: tbabej at redhat.com (Tomas Babej) Date: Fri, 24 Jul 2015 17:53:56 +0200 Subject: [Freeipa-devel] [PATCH] 0028 add --out option to user-show In-Reply-To: <55B25B1A.8040106@redhat.com> References: <20150724134049.GI20599@dhcp-40-8.bne.redhat.com> <55B25118.2080700@redhat.com> <55B25B1A.8040106@redhat.com> Message-ID: <55B25F94.3040507@redhat.com> On 07/24/2015 05:34 PM, Martin Basti wrote: > On 24/07/15 16:52, Tomas Babej wrote: >> >> On 07/24/2015 03:40 PM, Fraser Tweedale wrote: >>> The attached patch adds --out option to user-show for saving user's >>> certificate(s) to file. >>> >>> Thanks, >>> Fraser >>> >>> >>> >> I hate to nitpick here, but is "out" really a descriptive option name >> here? I'd prefer something more explicit, like '--save-cert-to', or >> maybe even have this operation implemented as a separate command >> altogether. >> >> Tomas >> > This keyword was already used with several commands. For consistency > might be better to have it the same. > True. I see this option is being used in the following commands: - cert-show - vault-retrieve - host-show - service-show - user-show (proposed) While the first two seem to be an acceptable fit for an option called --out, as they mainly deal with cert/secret, using the '--out' for the latter three is a poor decision imho. I agree the consistency is important, I'm just not happy to see this spread further. Tomas From ftweedal at redhat.com Sat Jul 25 01:40:15 2015
From: ftweedal at redhat.com (Fraser Tweedale) Date: Sat, 25 Jul 2015 11:40:15 +1000 Subject: [Freeipa-devel] [PATCH] 0028 add --out option to user-show In-Reply-To: <55B25F94.3040507@redhat.com> References: <20150724134049.GI20599@dhcp-40-8.bne.redhat.com> <55B25118.2080700@redhat.com> <55B25B1A.8040106@redhat.com> <55B25F94.3040507@redhat.com> Message-ID: <20150725014015.GJ20599@dhcp-40-8.bne.redhat.com> On Fri, Jul 24, 2015 at 05:53:56PM +0200, Tomas Babej wrote: > > > On 07/24/2015 05:34 PM, Martin Basti wrote: > > On 24/07/15 16:52, Tomas Babej wrote: > >> > >> On 07/24/2015 03:40 PM, Fraser Tweedale wrote: > >>> The attached patch adds --out option to user-show for saving user's > >>> certificate(s) to file. > >>> > >>> Thanks, > >>> Fraser > >>> > >>> > >>> > >> I hate to nitpick here, but is "out" really a descriptive option name > >> here? I'd prefer something more explicit, like '--save-cert-to', or > >> maybe even have this operation implemented as a separate command > >> altogether. > >> > >> Tomas > >> > > This keyword was already used with several commands. For consistency > > might be better to have it the same. > > > > True. I see this options is being used in the following commands: > > - cert-show > - vault-retrieve > - host-show > - service-show > - user-show (proposed) > > While the first two seem to be an acceptable fit for an option called > --out, as they mainly deal with cert/secret, using the '--out' for the > latter three is a poor decision imho. > > I agree the consistency is important, I'm just not happy to see this > spread further. > > Tomas Perhaps we should go with something like `--certout' instead, and support `--certout' in addition to `--out' in host-show and service-show, essentially deprecating `--out' for those commands. Cheers, Fraser From msimacek at redhat.com Sun Jul 26 19:51:59 2015
From: msimacek at redhat.com (=?UTF-8?B?TWljaGFlbCDFoGltw6HEjWVr?=) Date: Sun, 26 Jul 2015 21:51:59 +0200 Subject: [Freeipa-devel] [PATCH] Port from python-kerberos library to python-gssapi In-Reply-To: References: <2026883365.1326941.1437480146008.JavaMail.zimbra@redhat.com> <1747692317.2396484.1437572854418.JavaMail.zimbra@redhat.com> <55B0BCDF.4070006@redhat.com> Message-ID: <55B53A5F.9@redhat.com> Comments inline. On 2015-07-23 21:29, Robbie Harwood wrote: > Some comments from Solly and I inline: > > Michael ?im??ek writes: > >> On 2015-07-22 15:47, Simo Sorce wrote: >>> Comments inline. >>> >>> ----- Original Message ----- >>>> From: "Michael Simacek" >>>> To: freeipa-devel at redhat.com >>>> Sent: Tuesday, July 21, 2015 8:02:26 AM >>>> Subject: [Freeipa-devel] [PATCH] Port from python-kerberos library to python-gssapi >>>> >>>> diff --git a/ipalib/util.py b/ipalib/util.py >>>> index 649a487..aea3ba9 100644 >>>> --- a/ipalib/util.py >>>> +++ b/ipalib/util.py >>>> @@ -63,15 +63,15 @@ def json_serialize(obj): >>>> >>>> def get_current_principal(): >>>> try: >>>> - import kerberos >>>> - rc, vc = kerberos.authGSSClientInit("notempty") >>>> - rc = kerberos.authGSSClientInquireCred(vc) >>>> - username = kerberos.authGSSClientUserName(vc) >>>> - kerberos.authGSSClientClean(vc) >>>> + import gssapi >>>> + cred = gssapi.raw.acquire_cred(usage='initiate').creds >>>> + name = gssapi.raw.inquire_cred(cred, lifetime=False, usage=False, >>>> + mechs=False).name >>>> + username = gssapi.raw.display_name(name, name_type=False).name >>> >>> Same as above. >>> Create a credential and inquire it with the high level api >> >> Done, but I still use raw.display_name as I don't see how to get it from >> high-level API (besides parsing repr). > > I believe one can call `str()`. See > http://pythonhosted.org/gssapi/gssapi.html#gssapi.names.Name > You're of course right. I'm sorry I missed such an obvious thing. 
>> @@ -548,14 +552,12 @@ class KerbTransport(SSLTransport): >> service = "HTTP@" + host.split(':')[0] >> >> try: >> - (rc, vc) = kerberos.authGSSClientInit(service=service, >> - gssflags=self.flags) >> - except kerberos.GSSError, e: >> - self._handle_exception(e) >> - >> - try: >> - kerberos.authGSSClientStep(vc, "") >> - except kerberos.GSSError, e: >> + name = gssapi.Name(service, gssapi.NameType.hostbased_service) >> + sec_context = gssapi.SecurityContext(name=name, flags=self.flags) >> + # gssapi defers errors to next step, we want them now >> + sec_context.__DEFER_STEP_ERRORS__ = False > > As a class-level flag, this should probably be used as such. Preferable > to using it would be to check complete, though - is there a reason not > to do that here? > > Otherwise, looks good! > It would probably be nicer to do the full cycle, but I'd like to avoid changes in behavior when porting from one library to another. And the code above doesn't actually hold any connection, so it would require more refactoring to make that happen. For now I would follow what the original code was doing. As for the exceptions, I think it would actually be justifiable to use the raw api's init_sec_context, because the high level api would just do the same call + the exception handling magic, which we want to avoid for now. Please let me know what do you think. Attaching updated patch that uses 'unicode' instead of raw.display_name and reverts back to using init_sec_context. Thank you. -- Michael Simacek -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-msimacek-0001-4-Port-from-python-kerberos-to-python-gssapi.patch Type: text/x-patch Size: 7525 bytes Desc: not available URL: From jhrozek at redhat.com Sun Jul 26 20:09:10 2015 
From: jhrozek at redhat.com (Jakub Hrozek) Date: Sun, 26 Jul 2015 22:09:10 +0200 Subject: [Freeipa-devel] C coding style guide update In-Reply-To: <55B11485.8020400@redhat.com> References: <55B11485.8020400@redhat.com> Message-ID: <20150726200910.GF22586@hendrix> On Thu, Jul 23, 2015 at 06:21:25PM +0200, Michal Židek wrote: > Hi, > > in SSSD we use the freeipa coding guidelines which are located here: > http://www.freeipa.org/page/Coding_Style > > However this coding style guide is already dated and there are > some rules we follow in SSSD which are not mentioned in the guide > and also there are some C language features that we would like to > start using in certain way but their usage should be covered in the > coding style guide. So, update is needed (at least for SSSD). > > I would like to start discussion about what to add to the coding > guide (and maybe what to remove), but before that, I would like to > propose to move the coding style guide to SSSD wiki and just add link > to it to FreeIPA wiki. The reason is that unlike FreeIPA, most of the > SSSD code is written in C and SSSD team will more likely update and > modify the guide according to new practices used in upstream > development, where FreeIPA is mostly Python project and C coding > style probably does not need revision as often. So SSSD wiki > seems like more appropriate place. > > Another possibility would be to fork the FreeIPA style and > maintain SSSD coding style guide separately. But I think linking > the two is better option, because the two projects are closely > related and it makes sense to share the coding style guidelines. > > So, my first question is, is someone against moving the C coding > style guide to SSSD wiki and adding link to it on FreeIPA wiki? I don't really mind where the coding style is located as long as it's in one place (no forks please) and the existing link points to a new version (if any).
As per updating the coding standards, I would like to propose to: - explicitly say that C99 is fine to use. It's 2015 and any compiler that doesn't support C99 at this point is probably dead and should be avoided (Hello, MSVC!). We use stdbool.h and variadic macros already anyway. - Line-comments (//, aka C++ comments) should be still avoided, though - Variable Length arrays are very helpful, but explicitly mention they should be used with caution, especially if array size might come from the user - Also, I would warn about interleaved variable declarations. I think it's fine to declare some helper variable inside a for loop for example, but generally it might be better to refactor the function if we find out there's so many variables that the code author ends up declaring them inside blocks. Personally, I would even go as far as to allow the __cleanup__ attribute. I really like how the systemd codebase uses it to define helper "destructors" like: #define _cleanup_(f) __attribute__((cleanup(f))) static inline void closep(int *fd) { if (*fd >= 0) { close(*fd); } } #define _cleanup_close_ _cleanup_(closep) Then safely declare a file descriptor as: _cleanup_close_ int fdf = -1; ..and stop worrying about closing the fd in all branches. It's not portable, but seriously...are there any compilers except gcc and clang that are used at all these days?? From ssorce at redhat.com Mon Jul 27 09:38:03 2015
From: ssorce at redhat.com (Simo Sorce) Date: Mon, 27 Jul 2015 05:38:03 -0400 Subject: [Freeipa-devel] [PATCH] Port from python-kerberos library to python-gssapi In-Reply-To: <55B53A5F.9@redhat.com> References: <2026883365.1326941.1437480146008.JavaMail.zimbra@redhat.com> <1747692317.2396484.1437572854418.JavaMail.zimbra@redhat.com> <55B0BCDF.4070006@redhat.com> <55B53A5F.9@redhat.com> Message-ID: <1437989883.8077.2.camel@willson.usersys.redhat.com> On Sun, 2015-07-26 at 21:51 +0200, Michael Šimáček wrote: > It would probably be nicer to do the full cycle, but I'd like to > avoid > changes in behavior when porting from one library to another. And the > code above doesn't actually hold any connection, so it would require > more refactoring to make that happen. For now I would follow what the > original code was doing. As for the exceptions, I think it would > actually be justifiable to use the raw api's init_sec_context, > because > the high level api would just do the same call + the exception > handling > magic, which we want to avoid for now. Please let me know what do you > think. > Attaching updated patch that uses 'unicode' instead of > raw.display_name > and reverts back to using init_sec_context. Sorry, but we should really not use the raw API here. If it means more changes to the code, so be it, please use the high level API as recommended by Robbie, we wrote a better API so that people would use it, and we want to apply best practices when changing code in IPA. Simo. From mkosek at redhat.com Mon Jul 27 10:01:48 2015
From: mkosek at redhat.com (Martin Kosek) Date: Mon, 27 Jul 2015 12:01:48 +0200 Subject: [Freeipa-devel] Added Martin Basti to committers group Message-ID: <55B6018C.1060001@redhat.com> Hi all, In order to spread better review/push load, I think we need to expand the FreeIPA committers group a bit. I added Martin Basti to the group, so please feel free to bug him with push requests :-) -- Martin Kosek Supervisor, Software Engineering - Identity Management Team Red Hat Inc. From mbasti at redhat.com Mon Jul 27 10:06:11 2015 From: mbasti at redhat.com (Martin Basti) Date: Mon, 27 Jul 2015 12:06:11 +0200 Subject: [Freeipa-devel] [PATCH] 905 webui: add Kerberos configuration instructions for Chrome In-Reply-To: <55AF85F8.3080104@redhat.com> References: <55AF85F8.3080104@redhat.com> Message-ID: <55B60293.5030401@redhat.com> On 22/07/15 14:00, Petr Vobornik wrote: > * IE section moved at the end > * Chrome section added > * FF and IE icons removed > > https://fedorahosted.org/freeipa/ticket/823 > > ACK -- Martin Basti From mkubik at redhat.com Mon Jul 27 10:32:44 2015 From: mkubik at redhat.com (Milan Kubík) Date: Mon, 27 Jul 2015 12:32:44 +0200 Subject: [Freeipa-devel] [patch 0007] tests: Allow Tracker.dn be an instance of Fuzzy Message-ID: <55B608CC.6030602@redhat.com> Hi, the patch changes the check on the Tracker.dn setter, allowing to use an instance of ipatests.util.Fuzzy to ease writing Trackers for plugins like CA ACL, which use ipaUniqueID as their primary key. Thanks, Milan -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mkubik-0007-tests-Allow-Tracker.dn-be-an-instance-of-Fuzzy.patch Type: text/x-patch Size: 1553 bytes Desc: not available URL: From mbasti at redhat.com Mon Jul 27 11:52:53 2015
From: mbasti at redhat.com (Martin Basti) Date: Mon, 27 Jul 2015 13:52:53 +0200 Subject: [Freeipa-devel] [PATCH] 905 webui: add Kerberos configuration instructions for Chrome In-Reply-To: <55B60293.5030401@redhat.com> References: <55AF85F8.3080104@redhat.com> <55B60293.5030401@redhat.com> Message-ID: <55B61B95.70508@redhat.com> On 27/07/15 12:06, Martin Basti wrote: > On 22/07/15 14:00, Petr Vobornik wrote: >> * IE section moved at the end >> * Chrome section added >> * FF and IE icons removed >> >> https://fedorahosted.org/freeipa/ticket/823 >> >> > ACK > > -- > Martin Basti > > Pushed to: master: a4be844809179ff0a05286606df1487d81a70022 ipa-4-2: 8e528db8a33938d6954e0d94714b3492a79b3b6d -- Martin Basti From mzidek at redhat.com Mon Jul 27 13:54:22 2015
From: mzidek at redhat.com (Michal Židek) Date: Mon, 27 Jul 2015 15:54:22 +0200 Subject: [Freeipa-devel] C coding style guide update In-Reply-To: <20150726200910.GF22586@hendrix> References: <55B11485.8020400@redhat.com> <20150726200910.GF22586@hendrix> Message-ID: <55B6380E.8040902@redhat.com> On 07/26/2015 10:09 PM, Jakub Hrozek wrote: > On Thu, Jul 23, 2015 at 06:21:25PM +0200, Michal Židek wrote: >> Hi, >> >> in SSSD we use the freeipa coding guidelines which are located here: >> http://www.freeipa.org/page/Coding_Style >> >> However this coding style guide is already dated and there are >> some rules we follow in SSSD which are not mentioned in the guide >> and also there are some C language features that we would like to >> start using in certain way but their usage should be covered in the >> coding style guide. So, update is needed (at least for SSSD). >> >> I would like to start discussion about what to add to the coding >> guide (and maybe what to remove), but before that, I would like to >> propose to move the coding style guide to SSSD wiki and just add link >> to it to FreeIPA wiki. The reason is that unlike FreeIPA, most of the >> SSSD code is written in C and SSSD team will more likely update and >> modify the guide according to new practices used in upstream >> development, where FreeIPA is mostly Python project and C coding >> style probably does not need revision as often. So SSSD wiki >> seems like more appropriate place. >> >> Another possibility would be to fork the FreeIPA style and >> maintain SSSD coding style guide separately. But I think linking >> the two is better option, because the two projects are closely >> related and it makes sense to share the coding style guidelines. >> >> So, my first question is, is someone against moving the C coding >> style guide to SSSD wiki and adding link to it on FreeIPA wiki?
>
> I don't really mind where the coding style is located as long as it's
> on one place (no forks please) and the existing link points to a new
> version (if any).

Ok. I will start crafting the new SSSD wiki after we come to some conclusion in this thread.

>
> As per updating the coding standards, I would like to propose to:
> - explicitly say that C99 is fine to use. It's 2015 and any compiler
> that doesn't support C99 at this point is probably dead and should
> be avoided (Hello, MSVC!). We use stdbool.h and variadic macros
> already anyway.

+1

> - Line-comments (//, aka C++ comments) should be still avoided,
> though

I really do not know what people have against line comments, but this is not the first time I see someone resisting them, so I guess there is some hidden evil in this way of commenting the code. But I am OK if they stay forbidden.

> - Variable Length arrays are very helpful, but explicitly mention
> they should be used with caution, especially if array size might
> come from the user

+1

We overuse talloc for very small allocations that can be done automatically on stack.

> - Also, I would warn about interleaved variable declarations. I
> think it's fine to declare some helper variable inside a for loop
> for example, but generally it might be better to refactor the
> function if we find out there's so many variables that the code
> author ends up declaring them inside blocks.

It is good practice to declare variables at the beginning of the block that covers all blocks where the variable is used. And it is one of the things I would like to put in the coding style. I am not sure about loops however. It could lead us to hard to debug bugs if someone forgets to put static keyword in variable declaration.

>
> Personally, I would even go as far as to allow the __cleanup__
> attribute.
> I really like how the systemd codebase uses it to define
> helper "destructors" like:
> void closep(int *fd)
> {
>     if (*fd >= 0) {
>         close(*fd);
>     }
> }
>
> #define _cleanup_close_ _cleanup_(closep)
>
> Then safely declare a file descriptor as:
> _cleanup_close_ int fdf = -1;
> ..and stop worrying about closing the fd in all branches.

Looks like a good thing to me as well for the cases when we *always* want to destroy the resource before leaving the function. For the rest of the cases we would still have to use goto labels.

>
> It's not portable, but seriously...are there any compilers except gcc
> and clang that are used at all these days??

GCC and Clang are the most widely used compilers on platforms we care about. We do not need to make SSSD compile on anything else.

We could also add few tips and 'rules of thumb' to the coding style as well. For example isolating the untrusted value on the left side when doing comparisons in ifs (see ticket https://fedorahosted.org/sssd/ticket/1697).

Michal

--
Senior Principal Intern

From mbasti at redhat.com Mon Jul 27 14:12:02 2015
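The `_cleanup_` pattern Jakub proposes and Michal endorses above, as an added example that is not code from this thread, from systemd or from SSSD: `closep` takes a pointer to the variable (that is what the attribute passes), `write_and_leave` shows the descriptor being released on every exit path including an early `return` and a `goto`, and `reverse_copy` covers Jakub's other point by bounding a VLA before its size can come from a caller. All function names and the VLA_MAX limit are my own assumptions; it uses `/dev/null` as the file so it runs anywhere.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* GCC/Clang extension: when the variable goes out of scope, call the named
 * function with the variable's address, on every exit path of the block. */
#define _cleanup_(x) __attribute__((cleanup(x)))

/* The handler gets a pointer to the variable, not its value; it resets the
 * descriptor to -1 so a later manual close or second release is a no-op. */
static void closep(int *fd)
{
    if (*fd >= 0) {
        close(*fd);
        *fd = -1;
    }
}
#define _cleanup_close_ _cleanup_(closep)

/* Hypothetical worker: open a sink, write a line, and leave through one of
 * several branches chosen by `fail_at`. Whichever branch is taken, `fd` is
 * closed by closep when the function returns. The descriptor number is
 * reported through `fd_out` so the caller can verify it was released. */
int write_and_leave(const char *text, int fail_at, int *fd_out)
{
    _cleanup_close_ int fd = -1;
    size_t len;

    fd = open("/dev/null", O_WRONLY);
    if (fd < 0)
        return -errno;
    *fd_out = fd;

    if (fail_at == 1)
        return -EINVAL;         /* early return: closep still runs */

    len = strlen(text);
    if (write(fd, text, len) != (ssize_t)len)
        return -EIO;            /* error branch: closep still runs */

    if (fail_at == 2)
        goto fail;              /* goto-based exit: closep still runs */

    return 0;                   /* success path: closep still runs */

fail:
    return -EAGAIN;
}

/* True when `fd` is no longer a valid descriptor in this process. */
int fd_is_closed(int fd)
{
    return fcntl(fd, F_GETFD) == -1 && errno == EBADF;
}

/* A VLA is fine for a small scratch buffer, but its size must be bounded
 * before it can come from outside: a caller-supplied n of a few megabytes
 * would otherwise overflow the stack. VLA_MAX is an arbitrary demo limit. */
#define VLA_MAX 256
int reverse_copy(const unsigned char *in, size_t n, unsigned char *out)
{
    size_t i;

    if (n == 0)
        return 0;               /* zero-length VLAs are undefined behaviour */
    if (n > VLA_MAX)
        return -E2BIG;          /* refuse rather than size the stack from input */

    unsigned char tmp[n];       /* declared only after n has been bounded */
    for (i = 0; i < n; i++)
        tmp[i] = in[n - 1 - i];
    memcpy(out, tmp, n);
    return (int)n;
}

int main(void)
{
    int fd = -1, rc;
    unsigned char out[4];

    rc = write_and_leave("hello\n", 1, &fd);
    printf("early return -> %d, fd %d closed: %d\n", rc, fd, fd_is_closed(fd));
    rc = write_and_leave("hello\n", 2, &fd);
    printf("goto exit    -> %d, fd %d closed: %d\n", rc, fd, fd_is_closed(fd));
    rc = write_and_leave("hello\n", 0, &fd);
    printf("success      -> %d, fd %d closed: %d\n", rc, fd, fd_is_closed(fd));

    rc = reverse_copy((const unsigned char *)"abcd", 4, out);
    printf("reverse_copy(4) -> %d (%.4s)\n", rc, out);
    rc = reverse_copy((const unsigned char *)"x", 1000, out);
    printf("reverse_copy(1000) -> %d (refused)\n", rc);
    return 0;
}
```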
From: mbasti at redhat.com (Martin Basti)
Date: Mon, 27 Jul 2015 16:12:02 +0200
Subject: [Freeipa-devel] [PATCH] 905, 295 webui: add Kerberos configuration instructions for Chrome
In-Reply-To: <55B61B95.70508@redhat.com>
References: <55AF85F8.3080104@redhat.com> <55B60293.5030401@redhat.com> <55B61B95.70508@redhat.com>
Message-ID: <55B63C32.1010809@redhat.com>

On 27/07/15 13:52, Martin Basti wrote:
> On 27/07/15 12:06, Martin Basti wrote:
>> On 22/07/15 14:00, Petr Vobornik wrote:
>>> * IE section moved at the end
>>> * Chrome section added
>>> * FF and IE icons removed
>>>
>>> https://fedorahosted.org/freeipa/ticket/823
>>>
>> ACK
>>
>> --
>> Martin Basti
>>
> Pushed to:
> master: a4be844809179ff0a05286606df1487d81a70022
> ipa-4-2: 8e528db8a33938d6954e0d94714b3492a79b3b6d
>
> --
> Martin Basti
>
Patch fixes Makefile.

--
Martin Basti

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0295-Remove-ico-files-from-Makefile.patch
Type: text/x-patch
Size: 974 bytes

From mbabinsk at redhat.com Mon Jul 27 14:16:46 2015
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Mon, 27 Jul 2015 16:16:46 +0200
Subject: [Freeipa-devel] [PATCH] 905, 295 webui: add Kerberos configuration instructions for Chrome
In-Reply-To: <55B63C32.1010809@redhat.com>
References: <55AF85F8.3080104@redhat.com> <55B60293.5030401@redhat.com> <55B61B95.70508@redhat.com> <55B63C32.1010809@redhat.com>
Message-ID: <55B63D4E.5010809@redhat.com>

On 07/27/2015 04:12 PM, Martin Basti wrote:
> On 27/07/15 13:52, Martin Basti wrote:
>> On 27/07/15 12:06, Martin Basti wrote:
>>> On 22/07/15 14:00, Petr Vobornik wrote:
>>>> * IE section moved at the end
>>>> * Chrome section added
>>>> * FF and IE icons removed
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/823
>>>>
>>> ACK
>>>
>>> --
>>> Martin Basti
>>>
>> Pushed to:
>> master: a4be844809179ff0a05286606df1487d81a70022
>> ipa-4-2: 8e528db8a33938d6954e0d94714b3492a79b3b6d
>>
>> --
>> Martin Basti
>>
> Patch fixes Makefile.
>
> --
> Martin Basti
>
fixes build, ACK

--
Martin^3 Babinsky

From dkupka at redhat.com Mon Jul 27 14:45:53 2015
From: dkupka at redhat.com (David Kupka)
Date: Mon, 27 Jul 2015 16:45:53 +0200
Subject: [Freeipa-devel] [PATCH] 0035 client: Update DNS with all available local IP addresses.
In-Reply-To: <54B7E742.4060602@redhat.com>
References: <54AD182D.2050803@redhat.com> <54AD4D91.3020101@redhat.com> <54AFDB04.7000902@redhat.com> <54B405BD.30100@redhat.com> <54B7A7EF.2020100@redhat.com> <54B7CD0B.7080008@redhat.com> <54B7E742.4060602@redhat.com>
Message-ID: <55B64421.6080006@redhat.com>

On 15/01/15 17:13, David Kupka wrote:
> On 01/15/2015 03:22 PM, David Kupka wrote:
>> On 01/15/2015 12:43 PM, David Kupka wrote:
>>> On 01/12/2015 06:34 PM, Martin Basti wrote:
>>>> On 09/01/15 14:43, David Kupka wrote:
>>>>> On 01/07/2015 04:15 PM, Martin Basti wrote:
>>>>>> On 07/01/15 12:27, David Kupka wrote:
>>>>>>> https://fedorahosted.org/freeipa/ticket/4249
>>>>>>
>>>>>> Thank you for patch:
>>>>>>
>>>>>> 1)
>>>>>> - root_logger.error("Cannot update DNS records! "
>>>>>> - "Failed to connect to server '%s'.", server)
>>>>>> + ips = get_local_ipaddresses()
>>>>>> + except CalledProcessError as e:
>>>>>> + root_logger.error("Cannot update DNS records. %s" % e)
>>>>>>
>>>>>> IMO the error message should be more specific, add there something
>>>>>> like
>>>>>> "Unable to get local IP addresses". at least in log.debug()
>>>>>>
>>>>>> 2)
>>>>>> + lines = ipresult[0].replace('\\', '').split('\n')
>>>>>>
>>>>>> .replace() is not needed
>>>>>>
>>>>>> 3)
>>>>>> + if len(ips) == 0:
>>>>>>
>>>>>> if not ips:
>>>>>>
>>>>>> is more pythonic by PEP8
>>>>>>
>>>>>>
>>>>> Thanks for catching these. Updated patch attached.
>>>>>
>>>> merciful NACK
>>>>
>>>> Thank you for the patch, unfortunately I hit one issue which needs
>>>> to be
>>>> resolved.
>>>>
>>>> If "sync PTR" is activated in zone settings, and reverse zone doesn't
>>>> exists, nsupdate/BIND returns SERVFAIL and ipa-client-install print
>>>> Error message, 'DNS update failed'.
>>>> In fact, all A/AAAA records were
>>>> successfully updated, only PTR records failed.
>>>>
>>>> Bind log:
>>>> named-pkcs11[28652]: updating zone 'example.com/IN': adding an RR at
>>>> 'vm-101.example.com' AAAA
>>>>
>>>> named-pkcs11[28652]: PTR record synchronization (addition) for A/AAAA
>>>> 'vm-101.example.com.' refused: unable to find active reverse zone
>>>> for IP
>>>> address '2620:52:0:104c:21a:4aff:fe10:4eaa': not found
>>>>
>>>> With IPv6 we have several addresses from different reverse zones and
>>>> this situation may happen often.
>>>> I suggest following:
>>>> 1) Print list of addresses which will be updated. (Now if update fails,
>>>> user needs to read log, which addresses installer tried to update)
>>>> 2) Split nsupdates per A/AAAA record.
>>>> 3a) If failed, check with DNS query if A/AAAA and PTR record are there
>>>> and print proper error message
>>>> 3b) Just print A/AAAA (or PTR) record may not be updated for particular
>>>> IP address.
>>>>
>>>> Any other suggestions are welcome.
>>>>
>>>
>>> After long discussion with DNS and UX guru I've implemented it this way:
>>> 1. Call nsupdate only once with all updates.
>>> 2. Verify that the expected records are resolvable.
>>> 3. If no print list of missing A/AAAA, list of missing PTR records and
>>> list to mismatched PTR record.
>>>
>>> As this is running inside client we can't much more and it's up to user
>>> to check what's rotten in his DNS setup.
>>>
>>> Updated patch attached.
>>>
>>>
>>> _______________________________________________
>>> Freeipa-devel mailing list
>>> Freeipa-devel at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>>
>>
>>
>> One more change to behave well in -crazy- exotic environments that
>> resolves more PTR records for single IP.
>>
>
> Yet another change to make language nerds and our UX guru happy :-)
>
Rebased patch attached.

--
David Kupka

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-dkupka-0035-7-client-Update-DNS-with-all-available-local-IP-addres.patch
Type: text/x-patch
Size: 8527 bytes

From ldoudova at redhat.com Mon Jul 27 14:47:49 2015
From: ldoudova at redhat.com (Lenka Doudova)
Date: Mon, 27 Jul 2015 16:47:49 +0200
Subject: [Freeipa-devel] [PATCH 0002] TEST: Stageuser plugin
In-Reply-To: <55B64351.5020001@redhat.com>
References: <55B64351.5020001@redhat.com>
Message-ID: <55B64495.30309@redhat.com>

Hi,

I'm attaching a patch with automated tests for stageuser plugin (https://fedorahosted.org/freeipa/ticket/3813). The user plugin test is affected as well (one class was added).

The tests seem a bit of a mess even to myself, but what with the way freeipa behaves I didn't know how else to implement them, but I'm eager to learn how to do it in a nicer way, if someone has a better idea.

Lenka

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-lryznaro-0002-Automated-test-for-stageuser-plugin.patch
Type: text/x-patch
Size: 43416 bytes

From mbasti at redhat.com Mon Jul 27 15:10:02 2015
From: mbasti at redhat.com (Martin Basti)
Date: Mon, 27 Jul 2015 17:10:02 +0200
Subject: [Freeipa-devel] [PATCH 0050] ACI plugin: correctly parse bind rules enclosed in parentheses
In-Reply-To: <55B0F4D4.9050901@redhat.com>
References: <55B0F4D4.9050901@redhat.com>
Message-ID: <55B649CA.4080406@redhat.com>

On 23/07/15 16:06, Martin Babinsky wrote:
> This is a quick fix for https://fedorahosted.org/freeipa/ticket/5037
>
>
NACK

I do not like your change in first regexp too much. Can you try this instead?

PermPat = re.compile(r'(\w+)\s*\(([^()]*)\)\s*(.*)', re.UNICODE)

This just removes '(' and ')' from pattern and accept all other characters.

--
Martin Basti

From mbasti at redhat.com Mon Jul 27 15:18:22 2015
From: mbasti at redhat.com (Martin Basti)
Date: Mon, 27 Jul 2015 17:18:22 +0200
Subject: [Freeipa-devel] [PATCH 0001] Test Topology plugin is listed among DS plugins
In-Reply-To: <55B0F9C7.1050006@redhat.com>
References: <55ACC623.20601@redhat.com> <55ACD1A2.5030202@redhat.com> <55ACE483.5030504@redhat.com> <55AE6903.4040202@redhat.com> <55AF44E1.3030500@redhat.com> <55AF4594.10704@redhat.com> <55AF9866.3050002@redhat.com> <55AFBB55.8000002@redhat.com> <55B0A6AF.4090807@redhat.com> <55B0B723.7070801@redhat.com> <55B0F9C7.1050006@redhat.com>
Message-ID: <55B64BBE.3070003@redhat.com>

On 23/07/15 16:27, Martin Basti wrote:
> On 23/07/15 11:42, Oleg Fayans wrote:
>> Forgot to attach the new version, sorry!
>>
>> On 07/23/2015 10:32 AM, Oleg Fayans wrote:
>>> Hi Martin,
>>>
>>> On 07/22/2015 05:48 PM, Martin Basti wrote:
>>>> On 22/07/15 15:19, Oleg Fayans wrote:
>>>>> Hi Martin,
>>>>>
>>>>> Fixed.
>>>>>
>>>>> On 07/22/2015 09:26 AM, Martin Basti wrote:
>>>>>> On 22/07/15 09:23, Oleg Fayans wrote:
>>>>>>> Hi Martin,
>>>>>>>
>>>>>>> Patch updated. Thank you for the review!
>>>>>>>
>>>>>>> On 07/21/2015 05:45 PM, Martin Basti wrote:
>>>>>>>> On 20/07/15 14:07, Oleg Fayans wrote:
>>>>>>>>> Hi Martin,
>>>>>>>>>
>>>>>>>>> Updated.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 07/20/2015 12:46 PM, Martin Basti wrote:
>>>>>>>>>> On 20/07/15 11:57, Oleg Fayans wrote:
>>>>>>>>>>> +        pwfile = api.env.dot_ipa + os.sep + ".dmpw"
>>>>>>>>>>> +        if ipautil.file_exists(pwfile):
>>>>>>>>>>> +            fp = open(pwfile, "r")
>>>>>>>>>>> +            dm_password = fp.read().rstrip()
>>>>>>>>>>> +            fp.close()
>>>>>>>>>>> +        else:
>>>>>>>>>> Hello,
>>>>>>>>>>
>>>>>>>>>> 1) Can you use os.path.join() instead of "+ os.sep +" please
>>>>>>>>>>
>>>>>>>>>> 2) Can you use with statement with file?
>>>>>>>>>>
>>>>>>>>>> with open(pwfile, "r") as f:
>>>>>>>>>>     dm_password = f.read().rstrip()
>>>>>>>>>>
>>>>>>>>>> 3) Please keep PEP8 in new code
>>>>>>>>>>
>>>>>>>>>> ./ipatests/test_ipaserver/test_topology_plugin.py:30:80: E501 line too long (102 > 79 characters)
>>>>>>>>>> ./ipatests/test_ipaserver/test_topology_plugin.py:33:80: E501 line too long (92 > 79 characters)
>>>>>>>>>> ./ipatests/test_ipaserver/test_topology_plugin.py:39:80: E501 line too long (124 > 79 characters)
>>>>>>>>>> ./ipatests/test_ipaserver/test_topology_plugin.py:44:80: E501 line too long (92 > 79 characters)
>>>>>>>>>> ./ipatests/test_ipaserver/test_topology_plugin.py:45:48: E128 continuation line under-indented for visual indent
>>>>>>>>>> ./ipatests/test_ipaserver/test_topology_plugin.py:45:80: E501 line too long (89 > 79 characters)
>>>>>>>>>> ./ipatests/test_ipaserver/test_topology_plugin.py:46:48: E128 continuation line under-indented for visual indent
>>>>>>>>>> ./ipatests/test_ipaserver/test_topology_plugin.py:46:80: E501 line too long (89 > 79 characters)
>>>>>>>>>> ./ipatests/test_ipaserver/test_topology_plugin.py:58:80: E501 line too long (87 > 79 characters)
>>>>>>>>>>
>>>>>>>>>> 4) Missing nose import
>>>>>>>>>> raise nose.SkipTest("No directory manager password in %s" % pwfile)
>>>>>>>>>>
>>>>>>>>>> 5) Can you use sets here instead of sorted lists?
>>>>>>>>>> assert(sorted(entry.keys()) == sorted(pluginattrs.keys()))
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Martin^2
>>>>>>>>>>
>>>>>>>>>
>>>>>>>> 1)
>>>>>>>> Sorry, I didn't notice before, but there is missing header in
>>>>>>>> that file.
>>>>>>>>
>>>>>>>> 2)
>>>>>>>> You don't need to specify ldap_uri, you just need to call
>>>>>>>> ldap2(api), by default api.env.ldap_uri is used, which is the
>>>>>>>> same as you specified
>>>>>>>>
>>>>>>>> 3)
>>>>>>>> Can you indent values of dict which are on newline?
>>>>>>>> It is more readable.
>>>>>>>>     u'nsslapd-topo-plugin-shared-config-base':
>>>>>>>>         [u'cn=ipa,cn=etc,dc=example,dc=com'],
>>>>>>>>     u'nsslapd-pluginDescription':
>>>>>>>>         [u'ipa-topology-plugin'],
>>>>>>>>
>>>>>>>> 4)
>>>>>>>> Please use lower F as variable, in python we use capital
>>>>>>>> letters for class definitions
>>>>>>>> with open(pwfile, "r") as F:
>>>>>>>>     dm_password = F.read().rstrip()
>>>>>>>>
>>>>>>>> Otherwise it works as expected.
>>>>>>>>
>>>>>>>> Martin^2
>>>>>>>>
>>>>>>>
>>>>>> Sorry.
>>>>>> You added there old license format, we now use in new files new
>>>>>> format
>>>>>>
>>>>>> #
>>>>>> # Copyright (C) 2015 FreeIPA Contributors see COPYING for license
>>>>>> #
>>>>>>
>>>>>
>>>> I cannot apply the last patch
>>>>
>>>> $ git am freeipa-ofayans-0001.3-test-topologyplugin-is-listed-among-DS-plugins.patch -3
>>>> Applying: Added test - topology plugin is listed among DS plugins
>>>> fatal: corrupt patch at line 83
>>>> Repository lacks necessary blobs to fall back on 3-way merge.
>>>> Cannot fall back to three-way merge.
>>>>
>>> Fixed. Tested it locally, it applies
>>>
>>
>>
> Thank you ACK
>
> --
> Martin Basti
>
Pushed to master: e5acd01ed2971be779e788937493844a9926bb96

--
Martin Basti

From mbasti at redhat.com Mon Jul 27 15:22:24 2015
From: mbasti at redhat.com (Martin Basti)
Date: Mon, 27 Jul 2015 17:22:24 +0200
Subject: [Freeipa-devel] [PATCH 018] certprofile-import: improve profile format documentation
In-Reply-To: <20150724020633.GF20599@dhcp-40-8.bne.redhat.com>
References: <55B11575.10004@redhat.com> <20150724020633.GF20599@dhcp-40-8.bne.redhat.com>
Message-ID: <55B64CB0.7090602@redhat.com>

On 24/07/15 04:06, Fraser Tweedale wrote:
> On Thu, Jul 23, 2015 at 06:25:25PM +0200, Christian Heimes wrote:
>> The certprofile-import plugin expects a raw Dogtag config file. The XML
>> format is not supported. --help gives a hint about the correct file format.
>>
>> https://fedorahosted.org/freeipa/ticket/5089
> ACK, but IMO this does not complete 5089. I will add more
> commentary to the plugin documentation in a separate patch.
>
> Thanks,
> Fraser

Pushed to:
master: 2596adb312700a6133a4405851af9aec62941cd9
ipa-4-2: b4722beb78cafcb196c10392a48b22022a425e8e

>> From 1344425af2886797ec9cef40a325e56a8d1752eb Mon Sep 17 00:00:00 2001
>> From: Christian Heimes
>> Date: Thu, 23 Jul 2015 18:22:19 +0200
>> Subject: [PATCH] certprofile-import: improve profile format documentation
>>
>> The certprofile-import plugin expects a raw Dogtag config file. The XML
>> format is not supported. --help gives a hint about the correct file format.
>>
>> https://fedorahosted.org/freeipa/ticket/5089
>> ---
>> ipalib/plugins/certprofile.py | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/ipalib/plugins/certprofile.py b/ipalib/plugins/certprofile.py
>> index 5550ed942521dbab2e783fba1570520268f9b378..ae75d43d7412d0df7c09a33c16c833995d9a3fe4 100644
>> --- a/ipalib/plugins/certprofile.py
>> +++ b/ipalib/plugins/certprofile.py
>> @@ -220,7 +220,7 @@ class certprofile_import(LDAPCreate):
>> msg_summary = _('Imported profile "%(value)s"')
>> takes_options = (
>> File('file',
>> - label=_('Filename'),
>> + label=_('Filename of a raw profile. The XML format is not supported.'),
>> cli_name='file',
>> flags=('virtual_attribute',),
>> ),
>> --
>> 2.4.3
>>
>

--
Martin Basti

From jhrozek at redhat.com Mon Jul 27 15:24:46 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Mon, 27 Jul 2015 17:24:46 +0200
Subject: [Freeipa-devel] C coding style guide update
In-Reply-To: <55B6380E.8040902@redhat.com>
References: <55B11485.8020400@redhat.com> <20150726200910.GF22586@hendrix> <55B6380E.8040902@redhat.com>
Message-ID: <20150727152446.GL3188@hendrix.arn.redhat.com>

On Mon, Jul 27, 2015 at 03:54:22PM +0200, Michal Židek wrote:
> > - Line-comments (//, aka C++ comments) should be still avoided,
> > though
>
> I really do not know what people have against line comments, but
> this is not the first time I see someone resisting them, so I
> guess there is some hidden evil in this way of commenting the code.
> But I am OK if they stay forbidden.

This is only personal preference, no technical reason :-)

I mostly don't like how they look -- for some reason they are much easier for me to skip visually, even with syntax highlighting.

From mbasti at redhat.com Mon Jul 27 15:26:41 2015
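Review bot: in the certprofile.py hunk above (`@@ -220,7 +220,7 @@`), the new `label` is a full sentence with a trailing period, and `label` is the string the CLI and web UI show as the option's display name (prompts, usage output), so it will read oddly there; consider keeping `label=_('Filename')` and putting the raw-vs-XML explanation in the parameter's `doc=` argument, which is what `--help` prints as the option description. That would also address Fraser's remark that the ticket is not complete with this change alone.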
From: mbasti at redhat.com (Martin Basti)
Date: Mon, 27 Jul 2015 17:26:41 +0200
Subject: [Freeipa-devel] [PATCH] otptoken: use ipapython.nsslib instead of Python's ssl module
In-Reply-To: <55AF566D.8070208@redhat.com>
References: <559C00ED.4090408@redhat.com> <55AF566D.8070208@redhat.com>
Message-ID: <55B64DB1.7060503@redhat.com>

On 22/07/15 10:38, Martin Basti wrote:
> On 07/07/15 18:40, Christian Heimes wrote:
>> Hello,
>>
>> the patch removes the dependency on Python's ssl module and
>> python-backports-ssl_match_hostname.
>>
>> https://fedorahosted.org/freeipa/ticket/5068
>>
>> Open question
>> -------------
>> Is paths.IPA_NSSDB_DIR the correct NSSDB?
> Should be.
>> Christian
>>
>>
>
> Works for me, ACK.
> --
> Martin Basti
>
>
Pushed to:
master: 3c974c157f332bd8f4db48eba52d2b760c0c1e77
ipa-4-2: 4fe3bd107a066aeb2d628f50584f979e2026398f

--
Martin Basti

From mbasti at redhat.com Mon Jul 27 15:59:33 2015
From: mbasti at redhat.com (Martin Basti)
Date: Mon, 27 Jul 2015 17:59:33 +0200
Subject: [Freeipa-devel] Replace stageuser-add --from-delete with user-undel --to-staged
In-Reply-To: <55B0E154.7000907@redhat.com>
References: <55B0E154.7000907@redhat.com>
Message-ID: <55B65565.7090409@redhat.com>

On 23/07/15 14:43, Martin Basti wrote:
> Hello,
>
> I tried to fix #5145 and I partially succeeded.
>
> However, I cannot fix this part of ticket, where user is prompted to
> write name and surname.
>
> $ ipa stageuser-add tuser --from-delete
> First name: this will be ignored
> Last name: this will be also ignored
> ------------------------
> Added stage user "tuser"
> ------------------------
>
> As the first name and last name are mandatory attributes of
> stageuser-add command, but they are not needed by when the
> --from-delete option is used.
> I would like to ask how to fix this issue, IMO this will be huge hack
> in internal API. Or should we just document this bug as known issue
> (thierry wrote that this is not use case that should be used often)?
>
> The best solution would be separate command, but this idea was
> rejected in thread "[Freeipa-devel] User life cycle: question
> regarding the design"
>
> Regards
> Martin^2
>
Hello,

as was mentioned before, we have an issue with the current internal API and the stageuser-add --from-delete command.

We discussed this today, and we did not find a nice way how to fix it, so we propose this (which is IMO the best solution):

* stageuser-add --from-delete should be deprecated
* create new option for user-undel: user-undel --to-staged (or create new command) that will handle moving deleted users to staged area as --from-delete did.

Instead of stageuser-add and option --from-delete, which work totally differently, the command user-undel does a similar operation to stageuser-add --from-delete, it just uses a different container.

We need to do this in 4.2.1 to affect as few users as possible.

If you have any objections, please speak/write :)

Martin^2

--
Martin Basti

From mbasti at redhat.com Mon Jul 27 16:04:02 2015
From: mbasti at redhat.com (Martin Basti)
Date: Mon, 27 Jul 2015 18:04:02 +0200
Subject: [Freeipa-devel] [PATCH] Use Exception class instead of StandardError
In-Reply-To: <20150629064156.GA6005@mniranja.pnq.redhat.com>
References: <20150601043325.GA5783@mniranja.pnq.redhat.com> <20150602224416.GA4049@mniranja.pnq.redhat.com> <20150609225910.GA6506@mniranja.pnq.redhat.com> <558D4B6B.6050702@redhat.com> <20150629064156.GA6005@mniranja.pnq.redhat.com>
Message-ID: <55B65672.3060206@redhat.com>

On 29/06/15 08:41, Niranjan wrote:
> Martin Basti wrote:
>> On 10/06/15 00:59, Niranjan wrote:
>>> Niranjan wrote:
>>> Greetings,
>>>
>>> Please find the modified patch for ipapython/adminutil.py.
>>>
>>> I have run few tests manually like running ipa-server-install
>>> as non-root user or provide --quiet and --verbose to see
>>> if it raises ScriptError properly.
>>>
>>> Also i checked by running ipa-server-install and using CTRL-C
>>> to break and see if the KeyboardInterrupt is properly caught.
>>>
>>> Please let me know your views on this.
>>>
>>> Regards
>>> Niranjan
>>>
>> ACK for IPA 4.3, I don't feel brave enough to push it into IPA 4.2.
>>
>> Also, would be nice to have migrated all occurrences of StandardError to
>> Exception, before push.
> I actually intend to do that, but i thought i will start small and do this
> from one file before i proceed further, I can send patch which migrates all
> occurrences of StandardError to Exception.

Pushed to master: 7d2823040593a4207cfce834a5c6840464fab64b

>> Martin^2
>>
>>>
>>>> Niranjan wrote:
>>>>> Greetings,
>>>>>
>>>>> I would like to present patch for replacing StandardError exception
>>>>> with Exception class in ipapython/adminutil.py. Also replacing
>>>>> BaseException class with Exception class.
>>>>>
>>>>> Though the use of StandardError is many places. I would like to start
>>>>> with ipapython/adminutil.py
>>>>>
>>>>> This is my first patch. Please let me know if my approach on this is
>>>>> correct.
>>>> Could anyone have a look at this please.
>>>>> Regards
>>>>> Niranjan
>>>>> From 018312f76952ea86c8c6e2396657e0531d2d61ba Mon Sep 17 00:00:00 2001
>>>>> From: Niranjan Mallapadi
>>>>> Date: Mon, 1 Jun 2015 09:41:05 +0530
>>>>> Subject: [PATCH] Use Exception class instead of BaseException
>>>>>
>>>>> 1. Replace BaseException with Exception class.
>>>>> 2. Remove StandardError and use Exception class. StandardError is deprecated (Python3)
>>>>> 3. From python3.0 use of , is not recommended, instead
>>>>> use "as" keyword (PEP 3110)
>>>>>
>>>>> Signed-off-by: Niranjan Mallapadi
>>>>> ---
>>>>> ipapython/admintool.py | 11 +++++++++--
>>>>> 1 file changed, 9 insertions(+), 2 deletions(-)
>>>>>
>>>>> diff --git a/ipapython/admintool.py b/ipapython/admintool.py
>>>>> index d55bd18499ac427db8adc0c04096bc2aabdc2bbd..891232b9f387182ac5dbfb279a6f666805261ba1 100644
>>>>> --- a/ipapython/admintool.py
>>>>> +++ b/ipapython/admintool.py
>>>>> @@ -32,7 +32,7 @@ from ipapython import config
>>>>> from ipapython import ipa_log_manager
>>>>> -class ScriptError(StandardError):
>>>>> +class ScriptError(Exception):
>>>>> """An exception that records an error message and a return value
>>>>> """
>>>>> def __init__(self, msg='', rval=1):
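Review bot: the base-class change in the `@@ -32,7 +32,7 @@` hunk is fine as is; only the commit message's "StandardError is deprecated (Python3)" undersells it, since StandardError does not exist at all in Python 3 and this line is what keeps the module importable there, so stating that removal rather than deprecation would document the motivation accurately.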
>>>>> @@ -169,13 +169,20 @@ class AdminTool(object):
>>>>> self.ask_for_options()
>>>>> self.setup_logging()
>>>>> return_value = self.run()
>>>>> - except BaseException, exception:
>>>>> + except Exception as exception:
>>>>> traceback = sys.exc_info()[2]
>>>>> error_message, return_value = self.handle_error(exception)
>>>>> if return_value:
>>>>> self.log_failure(error_message, return_value, exception,
>>>>> traceback)
>>>>> return return_value
>>>>> + except SystemExit as exception:
>>>>> + traceback = sys.exc_info()[2]
>>>>> + error_message, return_value = self.handle_error(exception)
>>>>> + if return_value:
>>>>> + self.log_failure(error_message, return_value, exception,
>>>>> + traceback)
>>>>> + return return_value
>>>>> self.log_success()
>>>>> return return_value
>>>>> --
>>>>> 1.9.3
>>>>>
>>>>> --
>>>>> Manage your subscription for the Freeipa-devel mailing list:
>>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>>>> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
>>>
>>
>> --
>> Martin Basti
>>

--
Martin Basti

From mbasti at redhat.com Mon Jul 27 16:05:22 2015
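Review bot: in the `@@ -169,13 +169,20 @@` hunk, narrowing the handler from `BaseException` to `Exception` means KeyboardInterrupt, which derives from BaseException rather than Exception, no longer reaches `handle_error()` through this path, so the Ctrl-C test described in the cover mail only passes if something else catches it; the added `except SystemExit` branch restores the old behaviour for just one of the two BaseException subclasses. The new branch also repeats the six-line body of the `except Exception` branch verbatim; a single `except (Exception, SystemExit) as exception:` (or `except BaseException as exception:` with the `as` syntax from item 3 of the commit message, if the intent is to keep catching everything) would leave one copy of the handling.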
From: mbasti at redhat.com (Martin Basti)
Date: Mon, 27 Jul 2015 18:05:22 +0200
Subject: [Freeipa-devel] [PATCH 0050] Fix client ca.crt to match the server's cert
In-Reply-To: <55AF5736.6030406@redhat.com>
References: <5592ACFE.8020803@redhat.com> <5593913D.8000303@redhat.com> <5593AABB.607@redhat.com> <55A3DF6A.6080206@redhat.com> <55AF5736.6030406@redhat.com>
Message-ID: <55B656C2.9040704@redhat.com>

On 22/07/15 10:41, Martin Basti wrote:
> On 13/07/15 17:55, Martin Basti wrote:
>> On 08/07/15 16:09, Gabe Alford wrote:
>>> Thanks, Martin. Update patch attached.
>>>
>>> I was getting an 'No newline at the end of file' in my environment
>>> hence an extra '\n' at the end.
>>> Please let me know if you see the same thing.
>>>
>>> Thanks,
>>>
>>> Gabe
>>>
>>> On Wed, Jul 1, 2015 at 2:54 AM, Martin Basti wrote:
>>>
>>> On 01/07/15 09:05, Martin Basti wrote:
>>>> On 30/06/15 17:31, Gabe Alford wrote:
>>>>> On Tue, Jun 30, 2015 at 8:51 AM, Martin Basti wrote:
>>>>>
>>>>> On 16/06/15 16:58, Gabe Alford wrote:
>>>>>> I know you guys are busy. Bump for review.
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Gabe
>>>>>>
>>>>>> On Tue, May 26, 2015 at 8:16 AM, Gabe Alford wrote:
>>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> Fix for https://fedorahosted.org/freeipa/ticket/3809
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Gabe
>>>>>>
>>>>> I'm getting certificate on server without extra '\n' at
>>>>> the end.
>>>>>
>>>>> So certificate files are not the same.
>>>>>
>>>>>
>>>>> I assume you did a diff of the server /etc/ipa/ca.crt and the
>>>>> client /etc/ipa/ca.crt, right? Did you setup a server and then
>>>>> connect a client (just wonder what your steps were so that I
>>>>> can also reproduce)?
>>>>
>>>> Yes. I did that.
>>>>
>>>> I will retest it today.
>>>>
>>> Retested and ca.cert on client has extra '\n' at the end.
>>>>>
>>>>> --
>>>>> Martin Basti
>>>>>
>>>>
>>>> --
>>>> Martin Basti
>>>>
>>>
>>> --
>>> Martin Basti
>>>
>> Thank you!
>> ACK
>>
>> --
>> Martin Basti
>>
> This patch has not been pushed yet.
>
> --
> Martin Basti
>
Pushed to master: f7dbaa6382caac118acd6f5379cc7ec691f39b28

--
Martin Basti

From pvoborni at redhat.com Mon Jul 27 16:30:07 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Mon, 27 Jul 2015 18:30:07 +0200
Subject: [Freeipa-devel] C coding style guide update
In-Reply-To: <20150726200910.GF22586@hendrix>
References: <55B11485.8020400@redhat.com> <20150726200910.GF22586@hendrix>
Message-ID: <55B65C8F.9050901@redhat.com>

On 07/26/2015 10:09 PM, Jakub Hrozek wrote:
> On Thu, Jul 23, 2015 at 06:21:25PM +0200, Michal Židek wrote:
>> Hi,
>>
>> in SSSD we use the freeipa coding guidelines which are located here:
>> http://www.freeipa.org/page/Coding_Style
>>
>> However this coding style guide is already dated and there are
>> some rules we follow in SSSD which are not mentioned in the guide
>> and also there are some C language features that we would like to
>> start using in certain way but their usage should be covered in the
>> coding style guide. So, update is needed (at least for SSSD).
>>
>> I would like to start discussion about what to add to the coding
>> guide (and maybe what to remove), but before that, I would like to
>> propose to move the coding style guide to SSSD wiki and just add link
>> to it to FreeIPA wiki. The reason is that unlike FreeIPA, most of the
>> SSSD code is written in C and SSSD team will more likely update and
>> modify the guide according to new practices used in upstream
>> development, where FreeIPA is mostly Python project and C coding
>> style probably does not need revision as often. So SSSD wiki
>> seems like more appropriate place.
>>
>> Another possibility would be to fork the FreeIPA style and
>> maintain SSSD coding style guide separately. But I think linking
>> the two is better option, because the two projects are closely
>> related and it makes sense to share the coding style guidelines.
>>
>> So, my first question is, Is someone against moving the C coding
>> style guide to SSSD wiki and adding link to it on FreeIPA wiki?
>
> I don't really mind where the coding style is located as long as it's
> on one place (no forks please) and the existing link points to a new
> version (if any).
>
> As per updating the coding standards, I would like to propose to:
> - explicitly say that C99 is fine to use. It's 2015 and any compiler
> that doesn't support C99 at this point is probably dead and should
> be avoided (Hello, MSVC!). We use stdbool.h and variadic macros
> already anyway.
> - Line-comments (//, aka C++ comments) should be still avoided,
> though
> - Variable Length arrays are very helpful, but explicitly mention
> they should be used with caution, especially if array size might
> come from the user
> - Also, I would warn about interleaved variable declarations. I
> think it's fine to declare some helper variable inside a for loop
> for example, but generally it might be better to refactor the
> function if we find out there's so many variables that the code
> author ends up declaring them inside blocks.
>
> Personally, I would even go as far as to allow the __cleanup__
> attribute. I really like how the systemd codebase uses it to define
> helper "destructors" like:
> void closep(int *fd)
> {
>     if (*fd >= 0) {
>         close(*fd);
>     }
> }
>
> #define _cleanup_close_ _cleanup_(closep)
>
> Then safely declare a file descriptor as:
> _cleanup_close_ int fdf = -1;
> ..and stop worrying about closing the fd in all branches.
>
> It's not portable, but seriously...are there any compilers except gcc
> and clang that are used at all these days??
>
Location of the C coding style guide was discussed on FreeIPA dev call. Conclusion was the same as Jakub's opinion: no fork, link from the other, it doesn't matter if it is in SSSD or FreeIPA wiki.

--
Petr Vobornik

From dkupka at redhat.com Tue Jul 28 07:52:52 2015
From: dkupka at redhat.com (David Kupka) Date: Tue, 28 Jul 2015 09:52:52 +0200 Subject: [Freeipa-devel] [PATCH] 0035 client: Update DNS with all available local IP addresses. In-Reply-To: <55B64421.6080006@redhat.com> References: <54AD182D.2050803@redhat.com> <54AD4D91.3020101@redhat.com> <54AFDB04.7000902@redhat.com> <54B405BD.30100@redhat.com> <54B7A7EF.2020100@redhat.com> <54B7CD0B.7080008@redhat.com> <54B7E742.4060602@redhat.com> <55B64421.6080006@redhat.com> Message-ID: <55B734D4.3060003@redhat.com> On 27/07/15 16:45, David Kupka wrote: > On 15/01/15 17:13, David Kupka wrote: >> On 01/15/2015 03:22 PM, David Kupka wrote: >>> On 01/15/2015 12:43 PM, David Kupka wrote: >>>> On 01/12/2015 06:34 PM, Martin Basti wrote: >>>>> On 09/01/15 14:43, David Kupka wrote: >>>>>> On 01/07/2015 04:15 PM, Martin Basti wrote: >>>>>>> On 07/01/15 12:27, David Kupka wrote: >>>>>>>> https://fedorahosted.org/freeipa/ticket/4249 >>>>>>> >>>>>>> Thank you for patch: >>>>>>> >>>>>>> 1) >>>>>>> - root_logger.error("Cannot update DNS records! " >>>>>>> - "Failed to connect to server '%s'.", >>>>>>> server) >>>>>>> + ips = get_local_ipaddresses() >>>>>>> + except CalledProcessError as e: >>>>>>> + root_logger.error("Cannot update DNS records. %s" % e) >>>>>>> >>>>>>> IMO the error message should be more specific, add there something >>>>>>> like >>>>>>> "Unable to get local IP addresses". at least in log.debug() >>>>>>> >>>>>>> 2) >>>>>>> + lines = ipresult[0].replace('\\', '').split('\n') >>>>>>> >>>>>>> .replace() is not needed >>>>>>> >>>>>>> 3) >>>>>>> + if len(ips) == 0: >>>>>>> >>>>>>> if not ips: >>>>>>> >>>>>>> is more pythonic by PEP8 >>>>>>> >>>>>>> >>>>>> Thanks for catching these. Updated patch attached. >>>>>> >>>>> merciful NACK >>>>> >>>>> Thank you for the patch, unfortunately I hit one issue which needs >>>>> to be >>>>> resolved. 
>>>>> >>>>> If "sync PTR" is activated in zone settings, and the reverse zone doesn't >>>>> exist, nsupdate/BIND returns SERVFAIL and ipa-client-install prints the >>>>> error message 'DNS update failed'. In fact, all A/AAAA records were >>>>> successfully updated, only PTR records failed. >>>>> >>>>> Bind log: >>>>> named-pkcs11[28652]: updating zone 'example.com/IN': adding an RR at >>>>> 'vm-101.example.com' AAAA >>>>> >>>>> named-pkcs11[28652]: PTR record synchronization (addition) for A/AAAA >>>>> 'vm-101.example.com.' refused: unable to find active reverse zone >>>>> for IP >>>>> address '2620:52:0:104c:21a:4aff:fe10:4eaa': not found >>>>> >>>>> With IPv6 we have several addresses from different reverse zones and >>>>> this situation may happen often. >>>>> I suggest the following: >>>>> 1) Print the list of addresses which will be updated. (Now if the update >>>>> fails, >>>>> the user needs to read the log to see which addresses the installer tried to update) >>>>> 2) Split nsupdates per A/AAAA record. >>>>> 3a) If one failed, check with a DNS query whether the A/AAAA and PTR records are there >>>>> and print a proper error message >>>>> 3b) Just print that the A/AAAA (or PTR) record may not have been updated for the >>>>> particular >>>>> IP address. >>>>> >>>>> Any other suggestions are welcome. >>>>> >>>> >>>> After a long discussion with the DNS and UX gurus I've implemented it this >>>> way: >>>> 1. Call nsupdate only once with all updates. >>>> 2. Verify that the expected records are resolvable. >>>> 3. If not, print the list of missing A/AAAA records, the list of missing PTR records and the >>>> list of mismatched PTR records. >>>> >>>> As this is running inside the client we can't do much more and it's up to the user >>>> to check what's rotten in his DNS setup. >>>> >>>> Updated patch attached.
>>>> >>>> >>>> _______________________________________________ >>>> Freeipa-devel mailing list >>>> Freeipa-devel at redhat.com >>>> https://www.redhat.com/mailman/listinfo/freeipa-devel >>>> >>> >>> >>> One more change to behave well in -crazy- exotic environments that >>> resolve more PTR records for a single IP. >>> >>> >> >> Yet another change to make language nerds and our UX guru happy :-) >> >> > > Rebased patch attached. > > Updated patch attached. -- David Kupka -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-dkupka-0035-8-client-Update-DNS-with-all-available-local-IP-addres.patch Type: text/x-patch Size: 8868 bytes Desc: not available URL: From msimacek at redhat.com Tue Jul 28 08:57:43 2015 From: msimacek at redhat.com (Michael Šimáček) Date: Tue, 28 Jul 2015 10:57:43 +0200 Subject: [Freeipa-devel] Is Backend.krb part of API? Message-ID: <55B74407.6070806@redhat.com> Hi, I'm working on porting FreeIPA away from python-krbV. The Backend.krb and KRB5_CCache classes are mere wrappers around the krbV bindings, so it would make sense to remove them. But I found the former used in the example in doc/examples/python-api.py. Is it part of FreeIPA's API? Shall I provide some partial compatibility layer for it? (only partial because some methods can take krbV objects as arguments) Thank you, Michael Simacek From jcholast at redhat.com Tue Jul 28 09:27:07 2015
From: jcholast at redhat.com (Jan Cholasta) Date: Tue, 28 Jul 2015 11:27:07 +0200 Subject: [Freeipa-devel] Replace stageuser-add --from-delete with user-undel --to-staged In-Reply-To: <55B65565.7090409@redhat.com> References: <55B0E154.7000907@redhat.com> <55B65565.7090409@redhat.com> Message-ID: <55B74AEB.3050000@redhat.com> On 27.7.2015 at 17:59, Martin Basti wrote: > On 23/07/15 14:43, Martin Basti wrote: >> Hello, >> >> I tried to fix #5145 and I partially succeeded. >> >> However, I cannot fix this part of the ticket, where the user is prompted to >> write name and surname. >> >> $ ipa stageuser-add tuser --from-delete >> First name: this will be ignored >> Last name: this will be also ignored >> ------------------------ >> Added stage user "tuser" >> ------------------------ >> >> The first name and last name are mandatory attributes of the >> stageuser-add command, but they are not needed when the >> --from-delete option is used. >> I would like to ask how to fix this issue, IMO this will be a huge hack >> in the internal API. Or should we just document this bug as a known issue >> (thierry wrote that this is not a use case that should be used often)? >> >> The best solution would be a separate command, but this idea was >> rejected in the thread "[Freeipa-devel] User life cycle: question >> regarding the design" >> >> Regards >> Martin^2 >> > Hello, > > as was mentioned before, we have an issue with the current internal API and the > stageuser-add --from-delete command. > > We discussed this today, and we did not find a nice way to fix it, > so we propose this (which is IMO the best solution): > > * stageuser-add --from-delete should be deprecated +1 > * create a new option for user-undel: user-undel --to-staged (or create a > new command) that will handle moving deleted users to the staged area as > --from-delete did. Make it a new command please.
> > Instead of stageuser-add and the option --from-delete, which work totally > differently, the command user-undel does a similar operation to stageuser-add > --from-delete, it just uses a different container. NACK on stuffing everything into a single command just because it does something similar. > > We need to do this in 4.2.1 to affect as few users as possible. > > If you have any objections, please speak/write :) > Martin^2 -- Jan Cholasta From ldoudova at redhat.com Tue Jul 28 09:36:08 2015
From: ldoudova at redhat.com (Lenka Doudova) Date: Tue, 28 Jul 2015 11:36:08 +0200 Subject: [Freeipa-devel] Replace stageuser-add --from-delete with user-undel --to-staged In-Reply-To: <55B74AEB.3050000@redhat.com> References: <55B0E154.7000907@redhat.com> <55B65565.7090409@redhat.com> <55B74AEB.3050000@redhat.com> Message-ID: <55B74D08.2010207@redhat.com> Dne 28.7.2015 v 11:27 Jan Cholasta napsal(a): > Dne 27.7.2015 v 17:59 Martin Basti napsal(a): >> On 23/07/15 14:43, Martin Basti wrote: >>> Hello, >>> >>> I tried to fix #5145 and I partially succeeded. >>> >>> However, I cannot fix this part of ticket, where user is prompted to >>> write name and surname. >>> >>> $ ipa stageuser-add tuser --from-delete >>> First name: this will be ignored >>> Last name: this will be also ignored >>> ------------------------ >>> Added stage user "tuser" >>> ------------------------ >>> >>> As the first name and last name are mandatory attributes of >>> stageuser-add command, but they are not needed by when the >>> --from-delete option is used. >>> I would like to ask how to fix this issue, IMO this will be huge hack >>> in internal API. Or should we just document this bug as known issue >>> (thierry wrote that this is not use case that should be used often)? >>> >>> The best solution would be separate command, but this idea was >>> rejected in thread "[Freeipa-devel] User life cycle: question >>> regarding the design" >>> >>> Regards >>> Martin^2 >>> >> Hello, >> >> as was mentioned before, we have issue with current internal API and the >> stageuser-add --from-delete command. >> >> We discussed this today, and we did not find a nice way how to fix it, >> so we propose this (which is IMO the best solution): >> >> * stageuser-add --from-delete should be deprecated > > +1 > >> * create new option for user-undel: used-undel --to-staged (or create >> new command) that will handle moving deleted users to staged area as >> --from-delete did. > > Make it new command please. 
> >> >> Instead of stageuser-add and option --from-delete, which work totally >> different, the command user-undel does similar operation than stage-user >> --from-delete, it just uses different container. > > NACK on stuffing everything into a single command just because it does > something similar. How about making it a 'stageuser-undel'? The 'user-undel' moves preserved user to active, so the 'stageuser-undel' would move preserved to staged. The action is similar, but has slightly different specifics (which attributes are preserved etc.), and for me the 'stageuser-undel' feels more natural than 'user-undel --to-staged' since it's basically the same as there is 'stageuser-add' for creating a staged user, not 'user-add --to-staged'. It would be in the same style as all the other commands concerning operations with users in staged container. Lenka > >> >> We need to do this in 4.2.1 to affect as least as possible users. >> >> If you have any objections, please speak/write :) >> Martin^2 > From simo at redhat.com Tue Jul 28 09:43:55 2015 
From: simo at redhat.com (Simo Sorce) Date: Tue, 28 Jul 2015 05:43:55 -0400 Subject: [Freeipa-devel] variable name 'rsa_public_key' in vault In-Reply-To: <55B21156.6010607@redhat.com> References: <55B21156.6010607@redhat.com> Message-ID: <1438076635.13513.4.camel@willson.usersys.redhat.com> On Fri, 2015-07-24 at 12:20 +0200, Christian Heimes wrote: > Hello, > > while I was working on https://fedorahosted.org/freeipa/ticket/5142 and > patch 019, I noticed the variable names rsa_public_key and > rsa_private_key in vault.py. load_pem_public_key() can load and return > other key formats (DSA, ECDSA), too. Does vault mean to support the > other algorithms? > > In case vault should support any kind of asymmetric cipher, I'd like to > change the variable names. It's confusing. Otherwise we should add a > check for RSA and prevent DSA and ECDSA keys. > > Christian > We certainly want to support ECDSA keys eventually, so I'd rename the vars. Simo. -- Simo Sorce * Red Hat, Inc * New York From sbose at redhat.com Tue Jul 28 10:15:15 2015 From: sbose at redhat.com (Sumit Bose) Date: Tue, 28 Jul 2015 12:15:15 +0200 Subject: [Freeipa-devel] [PATCH 149] IPA KDB: allow case in-sensitive realm in AS request In-Reply-To: <721412384.2383594.1437572511320.JavaMail.zimbra@redhat.com> References: <20150721114114.GA7078@p.redhat.com> <721412384.2383594.1437572511320.JavaMail.zimbra@redhat.com> Message-ID: <20150728101515.GA7078@p.redhat.com> On Wed, Jul 22, 2015 at 09:41:51AM -0400, Simo Sorce wrote: > ----- Original Message ----- 
> > From: "Sumit Bose" > > To: "freeipa-devel" > > Sent: Tuesday, July 21, 2015 7:41:14 AM > > Subject: [Freeipa-devel] [PATCH 149] IPA KDB: allow case in-sensitive realm in AS request > > > > Hi, > > > > this patch is my suggestion to solve > > https://fedorahosted.org/freeipa/ticket/4844 . > > > > The original issue in the ticket has two parts. One is a loop in libkrb5 > > which is already fixed. The other is to handle canonicalization better. > > Sorry Sumit, > I see several issues with this patch. > > First of all you should really not change ipadb_get_principal(), that's the > wrong place to apply your logic. > > To support searching for the realm name case-insensitively all we should do > is to always forcibly upper case the realm name at the same time we build the > filter (in ipadb_fetch_principals()), if canonicalization was requested. > Because we will never store (code to prevent that should probably be added with > this patch) a realm name that is not all caps. > Then the post search matches should be done straight within ipadb_find_principal(). > > > The general way to allow canonicalization on a principal is to add the > > attributes 'krbcanonicalname'[1] and 'ipakrbprincipalalias' together > > with the objectclass 'ipaKrbPrincipal' to the user object. > > We have had a ticket open for a long time to remove krbprincipalalias, it was > a mistake to add it and any patch that depends on it will be nacked by me. > We need to use krbPrincipalName and krbCanonicalName. > > > Then the IPA > > KDB backend will use 'ipakrbprincipalalias' for case in-sensitive > > matches and the principal from 'krbcanonicalname' will be the canonical > > principal used further on. The 'krbPrincipalName' is not suitable for > > either because it has caseExact* matching rules and is a multivalue > > attribute [2].
> > Case-exact match is a problem only if we do not canonicalize names when storing > them, otherwise all you need to do is store a "search form" in krbPrincipalName > and always change searches to that form (forcibly upper case realm, forcibly > lowercase components) when canonicalization is requested. > > Additionally in the patch you are using strcasecmp(), that function is not > acceptable, look at ipadb_find_principal() and you'll see we use ulc_casecmp() > there. > Also modifying the principal before searching is done wrong (you use strchr() > to find the @ sign, but you could find an @ in the components this way, you > should use strrchr() at the very least), and is dangerous if done outside of > the inner functions because then we never have a way to know the original > form should it be needed. In any case as said above the realm should be forcibly > uppercased, given a flag in the escape function instead. Thanks for the review and the comments. I changed the patch as you suggested to upper-case the realm in the escape function if the flag is set. I didn't add any checks to make sure that the realm of newly added principal attributes is always upper case. Since the attributes can be added in various ways I think the check should happen on the DS level but I see this more in the context of the full canonicalization fix covered by https://fedorahosted.org/freeipa/ticket/3864 . If you think this is a requirement for the patch attached I would suggest to drop https://fedorahosted.org/freeipa/ticket/4844 and solve it together with #3864. I added a second patch which makes the unit test a bit more robust if the krb5.conf on the system running the tests is broken. bye, Sumit > > > What I got from the comments in the ticket and the related bugzilla > > ticket is that it should be possible to get a TGT for a user even if the > > realm is given in lower-case if canonicalization is enabled.
Please note > > that the client can only send such a request because we have > > 'dns_lookup_kdc = true' in krb.conf and DNS is case in-sensitive. If you > > set 'dns_lookup_kdc = false' the client will fail immediately without > > sending a request at all, because it is not able to find a KDC for the > > lower-case realm. > > > > On the server-side the request is processed because of > > http://k5wiki.kerberos.org/wiki/Projects/Aliases which made parts of > > processing case in-sensitive. > > > > With the attached patch a second lookup is done if the lookup with the > > original input returned no result, canonicalization is > > enabled and the realm from the original input matches the IPA realm case > > in-sensitively. For the second lookup the realm is replaced with the IPA > > realm. This approach adds a bit of redundant code but does not add extra > > processing to requests which would be successful before. > > > > Without the patch > > kinit ipauser@IPA.REALM -> success > > kinit -C ipauser@IPA.REALM -> success > > kinit ipauser@ipa.realm -> failure > > kinit -C ipauser@ipa.realm -> failure > > > > With the patch > > kinit ipauser@IPA.REALM -> success > > kinit -C ipauser@IPA.REALM -> success > > kinit ipauser@ipa.realm -> success > > kinit -C ipauser@ipa.realm -> success > > > > where 'ipa.realm' can be replaced by a mixed case version like 'iPa.ReAlM' > > as well. > > > > bye, > > Sumit > > > > [1] I was not able to add 'krbcanonicalname' as admin user because of an > > ACI denial. I wonder if this is expected or if the ACI rules should be > > extended here? > > Yes, we need to fix this, it's a bug that admins can't set the canonical name. > > > [2] We might skip the requirement that 'krbcanonicalname' must exist > > if 'ipaKrbPrincipal' only has a single value but canonicalization will > > fail immediately if someone adds a second value so I guess it would be > > safer to keep it as it is.
> > If someone adds a second value we must have code to set krbCanonicalName > anyway or we will not know anymore what is the canonical name. So this also > needs fixing in this patchset probably, by adding checks to the add/modify > principal functions. > > HTH, > Simo. > > -- > Simo Sorce * Red Hat, Inc. * New York -------------- next part -------------- From f75e334262219ca8d97fd09ece4ea31495e94ec9 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Tue, 28 Jul 2015 11:00:41 +0200 Subject: [PATCH 149/150] IPA KDB: allow case in-sensitive realm in AS request If the canonicalization flag is set the realm of the client principal in an AS request (kinit) is transformed into upper-case to match the IPA convention for realm names. Resolves https://fedorahosted.org/freeipa/ticket/4844 --- daemons/ipa-kdb/ipa_kdb.h | 2 +- daemons/ipa-kdb/ipa_kdb_common.c | 41 +++++++++++++++++++++++++- daemons/ipa-kdb/ipa_kdb_principals.c | 3 +- daemons/ipa-kdb/ipa_kdb_pwdpolicy.c | 2 +- daemons/ipa-kdb/tests/ipa_kdb_tests.c | 55 +++++++++++++++++++++++++++++++++++ 5 files changed, 99 insertions(+), 4 deletions(-) diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h index 4abb7335d356f976eb5dc777c94b35c81655ad79..a9d36fe259b60fdc7d500c889b18c6a2e57a3f47 100644 --- a/daemons/ipa-kdb/ipa_kdb.h +++ b/daemons/ipa-kdb/ipa_kdb.h @@ -133,7 +133,7 @@ struct ipadb_context *ipadb_get_context(krb5_context kcontext); int ipadb_get_connection(struct ipadb_context *ipactx); /* COMMON LDAP FUNCTIONS */ -char *ipadb_filter_escape(const char *input, bool star); +char *ipadb_filter_escape(const char *input, bool star, bool unify); krb5_error_code ipadb_simple_search(struct ipadb_context *ipactx, char *basedn, int scope, char *filter, char **attrs, diff --git a/daemons/ipa-kdb/ipa_kdb_common.c b/daemons/ipa-kdb/ipa_kdb_common.c index 112086b57c9f83895589538b5494ae81fb14a948..07d8d47214fab673aecffeef0c59f0072a5c08bc 100644 --- a/daemons/ipa-kdb/ipa_kdb_common.c 
+++ b/daemons/ipa-kdb/ipa_kdb_common.c @@ -25,9 +25,39 @@ static struct timeval std_timeout = {300, 0}; -char *ipadb_filter_escape(const char *input, bool star) +static char *unify_princ(const char *princ) +{ + int ret; + char *p; + uint8_t *uc_realm; + char *unify_princ; + size_t size; + uint8_t *buf; + + p = strrchr(princ, '@'); + if (p == NULL) { + return NULL; + } + + size = strlen(p + 1); + /* Assume the worst-case. */ + buf = calloc(size * 2 + 1, sizeof(uint8_t)); + uc_realm = u8_toupper((const uint8_t *)( p + 1), size, NULL, NULL, buf, + &size); + + ret = asprintf(&unify_princ, "%.*s@%s", (p - princ), princ, uc_realm); + free(buf); + if (ret == -1) { + return NULL; + } + + return unify_princ; +} + +char *ipadb_filter_escape(const char *input, bool star, bool unify) { char *output; + char *unified; size_t i = 0; size_t j = 0; @@ -75,6 +105,15 @@ char *ipadb_filter_escape(const char *input, bool star) } output[j] = '\0'; + if (unify) { + unified = unify_princ(output); + /* return output in case of an error */ + if (unified != NULL) { + free(output); + output = unified; + } + } + return output; } diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c index b3f8b1ad7784f55f55b4d6edd05f778a9389de27..5fb280d6217c2957b9a554cc5fd3a027ddd729fa 100644 --- a/daemons/ipa-kdb/ipa_kdb_principals.c +++ b/daemons/ipa-kdb/ipa_kdb_principals.c @@ -788,7 +788,8 @@ static krb5_error_code ipadb_fetch_principals(struct ipadb_context *ipactx, /* escape filter but do not touch '*' as this function accepts * wildcards in names */ - esc_original_princ = ipadb_filter_escape(principal, false); + esc_original_princ = ipadb_filter_escape(principal, false, + (flags & KRB5_KDB_FLAG_ALIAS_OK)); if (!esc_original_princ) { kerr = KRB5_KDB_INTERNAL_ERROR; goto done; diff --git a/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c b/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c index 076314a12840881a340763ab5693131aaccafec6..875960c5d77984c111b197ba03ad7ba79705d6e7 100644 
--- a/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c +++ b/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c @@ -151,7 +151,7 @@ krb5_error_code ipadb_get_pwd_policy(krb5_context kcontext, char *name, return KRB5_KDB_DBNOTINITED; } - esc_name = ipadb_filter_escape(name, true); + esc_name = ipadb_filter_escape(name, true, false); if (!esc_name) { return ENOMEM; } diff --git a/daemons/ipa-kdb/tests/ipa_kdb_tests.c b/daemons/ipa-kdb/tests/ipa_kdb_tests.c index edd4ae0975628d6b3abe9bab2852c990c9a8c590..eea735b9d2d59650fc4e7bb9629e35393dc93f63 100644 --- a/daemons/ipa-kdb/tests/ipa_kdb_tests.c +++ b/daemons/ipa-kdb/tests/ipa_kdb_tests.c 
@@ -465,6 +465,60 @@ void test_dom_sid_string(void **state) str_sid = dom_sid_string(test_ctx, &test_sid); } +void test_ipadb_filter_escape(void **state) +{ + char *out; + size_t c; + + struct test_data { + const char *in; + bool star; + bool unify; + const char *exp_out; + } test_data[] = { + {"abc", false, false, "abc"}, + {"abc", false, true, "abc"}, + {"abc", true, true, "abc"}, + {"abc", true, false, "abc"}, + {"abc at def", false, false, "abc at def"}, + {"abc at def", false, true, "abc at DEF"}, + {"abc at def", true, true, "abc at DEF"}, + {"abc at def", true, false, "abc at def"}, + {"abc at DEF", false, false, "abc at DEF"}, + {"abc at DEF", false, true, "abc at DEF"}, + {"abc at DEF", true, true, "abc at DEF"}, + {"abc at DEF", true, false, "abc at DEF"}, + {"ab*c at def", false, false, "ab*c at def"}, + {"ab*c at def", false, true, "ab*c at DEF"}, + {"ab*c at def", true, true, "ab\\2ac at DEF"}, + {"ab*c at def", true, false, "ab\\2ac at def"}, + {"\\a(b)c at def", false, false, "\\5ca\\28b\\29c at def"}, + {"\\a(b)c at def", false, true, "\\5ca\\28b\\29c at DEF"}, + {"\\a(b)c at def", true, true, "\\5ca\\28b\\29c at DEF"}, + {"\\a(b)c at def", true, false, "\\5ca\\28b\\29c at def"}, + {"abc at de*f", false, false, "abc at de*f"}, + {"abc at de*f", false, true, "abc at DE*F"}, + {"abc at de*f", true, true, "abc at DE\\2AF"}, + {"abc at de*f", true, false, "abc at de\\2af"}, + /* Special characters must be UTF-8 encoded, don't change encoding */ + {"abc@???", false, false, "abc@???"}, + {"abc@???", false, true, "abc@???"}, + {"abc@???", true, true, "abc@???"}, + {"abc@???", true, false, "abc@???"}, + {NULL, false, false, NULL} + }; + + out = ipadb_filter_escape(NULL, false, false); + assert_null(out); + + for (c = 0; test_data[c]. in != NULL; c++) { + out = ipadb_filter_escape(test_data[c].in, test_data[c].star, + test_data[c].unify); + assert_string_equal(out, test_data[c].exp_out); + free(out); + } +} + int main(int argc, const char *argv[]) { 
@@ -473,6 +527,7 @@ int main(int argc, const char *argv[]) unit_test_setup_teardown(test_filter_logon_info, setup, teardown), unit_test(test_string_to_sid), unit_test_setup_teardown(test_dom_sid_string, setup, teardown), + unit_test(test_ipadb_filter_escape), }; return run_tests(tests); -- 2.4.3 -------------- next part -------------- From f52ead00a1d0600c71da4604755c3132c5423755 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Tue, 28 Jul 2015 10:56:26 +0200 Subject: [PATCH 150/150] IPA KDB: use empty profile to init krb5 context in tests If the systems /etc/krb5.conf contains some unexpected or broken configuration the test might fail. With this patch the tests are run with an empty configuration. --- daemons/ipa-kdb/tests/ipa_kdb_tests.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/daemons/ipa-kdb/tests/ipa_kdb_tests.c b/daemons/ipa-kdb/tests/ipa_kdb_tests.c index eea735b9d2d59650fc4e7bb9629e35393dc93f63..1a5b6a7edb4c691e52a026866e983c60a3fb7800 100644 --- a/daemons/ipa-kdb/tests/ipa_kdb_tests.c +++ b/daemons/ipa-kdb/tests/ipa_kdb_tests.c @@ -27,6 +27,7 @@ #include #include #include +#include #include @@ -79,8 +80,13 @@ void setup(void **state) krb5_error_code kerr; struct ipadb_context *ipa_ctx; struct test_ctx *test_ctx; + struct _profile_t *profile; + long perr; - kerr = krb5_init_context(&krb5_ctx); + perr = profile_init(NULL, &profile); + assert_int_equal(perr, 0); + + kerr = krb5_init_context_profile(profile, 0, &krb5_ctx); assert_int_equal(kerr, 0); kerr = krb5_db_setup_lib_handle(krb5_ctx); assert_int_equal(kerr, 0); -- 2.4.3 From jcholast at redhat.com Tue Jul 28 10:34:07 2015 
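Review bot: in the ipa_kdb_common.c hunk, unify_princ() checks neither the calloc() result nor the u8_toupper() result, so on allocation failure `uc_realm` is NULL and is passed to asprintf() as the "%s" argument. u8_toupper() also returns a buffer of its own when the caller's `buf` is too small for the result, in which case `free(buf)` leaks the real result, and it reports the result length in `size` without NUL-terminating, which the "%s" conversion relies on. Suggest checking both return values, formatting the realm with `"%.*s"` and the returned `size`, freeing `uc_realm` whenever it differs from `buf`, and casting `(p - princ)` to int for the `%.*s` precision argument. Naming the local variable `unify_princ` the same as the enclosing function is legal but confusing; `result` would do.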
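Review bot: in the ipa_kdb_principals.c hunk the upper-cased realm only reaches the LDAP filter built from `esc_original_princ`; the post-search comparison that Simo asked to be done inside ipadb_find_principal() is not touched by this patch, so please confirm that a lookup for `ipauser@ipa.realm` with KRB5_KDB_FLAG_ALIAS_OK still matches the returned entry, otherwise the four kinit cases in the cover mail are only half covered. Passing `(flags & KRB5_KDB_FLAG_ALIAS_OK)` into a bool parameter works, but a one-line comment at the call site saying that alias-OK is the canonicalization request would help the next reader, since the header only documents the parameter as `unify`.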
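Review bot: the test table added to ipa_kdb_tests.c never exercises the two cases the implementation is written around: a realm whose upper-case form is longer in bytes than the input (the reason for the `size * 2 + 1` "worst-case" buffer in unify_princ()) and a principal with an '@' inside a component (the reason for strrchr()), for instance a row like `{"a@b@def", false, true, "a@b@DEF"}`. Please add such rows, and since the non-ASCII rows appear as `"abc@???"` in the archive, a comment naming the code points they use would make the expectation reproducible for reviewers who only see the mail.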
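Review bot: in the setup() hunk of patch 150, `profile` from profile_init() is never released; as far as I can tell krb5_init_context_profile() keeps its own copy of the profile rather than taking ownership, so every setup() leaks one. Suggest `profile_release(profile);` right after the `assert_int_equal(kerr, 0)` that follows krb5_init_context_profile(), and a matching check in teardown() is not needed since the context owns its copy.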
From: jcholast at redhat.com (Jan Cholasta) Date: Tue, 28 Jul 2015 12:34:07 +0200 Subject: [Freeipa-devel] Replace stageuser-add --from-delete with user-undel --to-staged In-Reply-To: <55B74D08.2010207@redhat.com> References: <55B0E154.7000907@redhat.com> <55B65565.7090409@redhat.com> <55B74AEB.3050000@redhat.com> <55B74D08.2010207@redhat.com> Message-ID: <55B75A9F.7090308@redhat.com> Dne 28.7.2015 v 11:36 Lenka Doudova napsal(a): > > > Dne 28.7.2015 v 11:27 Jan Cholasta napsal(a): >> Dne 27.7.2015 v 17:59 Martin Basti napsal(a): >>> On 23/07/15 14:43, Martin Basti wrote: >>>> Hello, >>>> >>>> I tried to fix #5145 and I partially succeeded. >>>> >>>> However, I cannot fix this part of ticket, where user is prompted to >>>> write name and surname. >>>> >>>> $ ipa stageuser-add tuser --from-delete >>>> First name: this will be ignored >>>> Last name: this will be also ignored >>>> ------------------------ >>>> Added stage user "tuser" >>>> ------------------------ >>>> >>>> As the first name and last name are mandatory attributes of >>>> stageuser-add command, but they are not needed by when the >>>> --from-delete option is used. >>>> I would like to ask how to fix this issue, IMO this will be huge hack >>>> in internal API. Or should we just document this bug as known issue >>>> (thierry wrote that this is not use case that should be used often)? >>>> >>>> The best solution would be separate command, but this idea was >>>> rejected in thread "[Freeipa-devel] User life cycle: question >>>> regarding the design" >>>> >>>> Regards >>>> Martin^2 >>>> >>> Hello, >>> >>> as was mentioned before, we have issue with current internal API and the >>> stageuser-add --from-delete command. 
>>> >>> We discussed this today, and we did not find a nice way how to fix it, >>> so we propose this (which is IMO the best solution): >>> >>> * stageuser-add --from-delete should be deprecated >> >> +1 >> >>> * create new option for user-undel: used-undel --to-staged (or create >>> new command) that will handle moving deleted users to staged area as >>> --from-delete did. >> >> Make it new command please. >> >>> >>> Instead of stageuser-add and option --from-delete, which work totally >>> different, the command user-undel does similar operation than stage-user >>> --from-delete, it just uses different container. >> >> NACK on stuffing everything into a single command just because it does >> something similar. > > How about making it a 'stageuser-undel'? The 'user-undel' moves > preserved user to active, so the 'stageuser-undel' would move preserved > to staged. The action is similar, but has slightly different specifics > (which attributes are preserved etc.), and for me the 'stageuser-undel' > feels more natural than 'user-undel --to-staged' since it's basically > the same as there is 'stageuser-add' for creating a staged user, not > 'user-add --to-staged'. It would be in the same style as all the other > commands concerning operations with users in staged container. Well, user-undel is the opposite of user-del, and stageuser-undel should be the opposite of stageuser-del. The stageuser-undel you are suggesting is not. Also I'm not sure if we want to (always) remove the deleted user once a staged user is created from it, but -undel behaves like that. I don't think the command should be limited to deleted users only. Active and deleted users share the same namespace, so it is an arbitrary limitation. I think that what we are looking for is the opposite of stageuser-activate. So maybe user-stage? -- Jan Cholasta From pvoborni at redhat.com Tue Jul 28 10:37:47 2015 
From: pvoborni at redhat.com (Petr Vobornik) Date: Tue, 28 Jul 2015 12:37:47 +0200 Subject: [Freeipa-devel] Is Backend.krb part of API? In-Reply-To: <55B74407.6070806@redhat.com> References: <55B74407.6070806@redhat.com> Message-ID: <55B75B7B.6000402@redhat.com> On 07/28/2015 10:57 AM, Michael Šimáček wrote: > Hi, > > I'm working on porting FreeIPA away from python-krbV. Backend.krb and > KRB5_CCache classes are mere wrappers around krbV bindings, so it would > make sense to remove them. But I found the former used in the example in > doc/examples/python-api.py. Is it part of FreeIPA's API? Shall I provide > some partial compatibility layer for it? (only partial because some > methods can take krbV objects as arguments) > > Thank you, > Michael Simacek > Does the replacement offer an API which has all the methods of the wrappers? If so we can remove them. Imho we can remove Backend.krb aka ipalib/plugins/kerberos.py. It's used only in 2 files, neither of which is in production. But I'm not sure about KRB5_CCache, the wrapper has some exception logic which we might want to keep. -- Petr Vobornik From abokovoy at redhat.com Tue Jul 28 10:55:45 2015
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Tue, 28 Jul 2015 13:55:45 +0300 Subject: [Freeipa-devel] Is Backend.krb part of API? In-Reply-To: <55B75B7B.6000402@redhat.com> References: <55B74407.6070806@redhat.com> <55B75B7B.6000402@redhat.com> Message-ID: <20150728105545.GM21928@redhat.com> On Tue, 28 Jul 2015, Petr Vobornik wrote: >On 07/28/2015 10:57 AM, Michael Šimáček wrote: >>Hi, >> >>I'm working on porting FreeIPA away from python-krbV. Backend.krb and >>KRB5_CCache classes are mere wrappers around krbV bindings, so it would >>make sense to remove them. But I found the former used in the example in >>doc/examples/python-api.py. Is it part of FreeIPA's API? Shall I provide >>some partial compatibility layer for it? (only partial because some >>methods can take krbV objects as arguments) >> >>Thank you, >>Michael Simacek >> > >Does the replacement offer an API which has all the methods of the >wrappers? If so we can remove them. > >Imho we can remove Backend.krb aka ipalib/plugins/kerberos.py. It's >used only in 2 files, neither of which is in production. But I'm not sure >about KRB5_CCache, the wrapper has some exception logic which we might >want to keep. Backend.krb can go if you provide something similar to KRB5_CCache. We need to be able to initialize a ccache with that class -- either by using an existing ccache (we often marshall ccache content to memcached and then unmarshall it when the same session comes back) or by using a keytab. After the ccache is provided, we need to be able to query the default principal of the existing ccache. -- / Alexander Bokovoy From ssorce at redhat.com Tue Jul 28 11:05:37 2015
From: ssorce at redhat.com (Simo Sorce) Date: Tue, 28 Jul 2015 07:05:37 -0400 Subject: [Freeipa-devel] [PATCH 149] IPA KDB: allow case in-sensitive realm in AS request In-Reply-To: <20150728101515.GA7078@p.redhat.com> References: <20150721114114.GA7078@p.redhat.com> <721412384.2383594.1437572511320.JavaMail.zimbra@redhat.com> <20150728101515.GA7078@p.redhat.com> Message-ID: <1438081537.13513.17.camel@willson.usersys.redhat.com> On Tue, 2015-07-28 at 12:15 +0200, Sumit Bose wrote: > On Wed, Jul 22, 2015 at 09:41:51AM -0400, Simo Sorce wrote: > > ----- Original Message ----- 
> > > From: "Sumit Bose" > > > To: "freeipa-devel" > > > Sent: Tuesday, July 21, 2015 7:41:14 AM > > > Subject: [Freeipa-devel] [PATCH 149] IPA KDB: allow case in-sensitive realm in AS request > > > > > > Hi, > > > > > > this patch is my suggestion to solve > > > https://fedorahosted.org/freeipa/ticket/4844 . > > > > > > The original issue in the ticket has two parts. One is a loop in libkrb5 > > > which is already fixed. The other is to handle canonicalization better. > > > > Sorry Sumit, > > I see several issues with this patch. > > > > first of all you should really not change ipadb_get_principal(), that's the > > wrong place to apply your logic. > > > > To support searching for the realm name case-insensitively all we should do > > is to always forcibly upper case the realm name at the same time we build the > > filter (in ipadb_fetch_principals(), if canonicalization was requested. > > Because we will never store (code to prevent that should probably be added with > > this patch) a realm name that is not all caps. > > Then the post search matches should be done straight within ipadb_find_principal(). > > > > > The general way to allow canonicalization on a principal is to add the > > > attributes 'krbcanonicalname'[1] and 'ipakrbprincipalalias' together > > > with the objectclass 'ipaKrbPrincipal' to the user object. > > > > We have already a ticket open since long to remove krbprincipalalias, it was > > a mistake to add it and any patch that depends on it will be nacked by me. > > We need to use krbPrincipalName and krbCanonicalName. > > > > > Then the IPA > > > KDB backend will use 'ipakrbprincipalalias' for case in-sensitive > > > matches and the principal from 'krbcanonicalname' will be the canonical > > > principal used further on. The 'krbPrincipalName' is not suitable for > > > either because it has caseExact* matching rules and is a multivalue > > > attribute [2].
> > > > Case-exact match is a problem only if we do not canonicalize names when storing > > them, otherwise all you need to do is store a "search form" in krbPrincipalName > > and always change searches to that form (forcibly upper case realm, forcibly > > lowercase components) when canonicalization is requested. > > > > Additionally in the patch you are using strcasecmp(), that function is not > > acceptable, look at ipadb_find_principal() and you'll see we use ulc_casecmp() > > there. > > Also modifying the principal before searching is done wrong (you use strchr() > > to find the @ sign, but you could find an @ in the components this way, you > > should use strrchr() at the very least), and is dangerous if done outside of > > the inner functions because then we never have a way to know the original > > form should it be needed. In any case as said above realm should be forcibly > > uppercase, given a flag in the escape function instead. > > Thanks for the review and the comments. > > I changed the patch as you suggested to upper-case the realm in the > escape function if the flag is set. > > I didn't add any checks to make sure that the realm of newly added > principal attributes is always upper case. Since the attributes can be > added via various ways I think the check should happen on the DS level We should indeed intercept add/modify operations and see if they try to set krbPrincipalName/krbCanonicalName and then validate the name. Return unwilling to perform if the case of the realm is different (or fix it on the fly, up for discussion) from the default case as configured in the server. > but I see this more in the context of full canonicalization fix covered > by https://fedorahosted.org/freeipa/ticket/3864 . If you think this is a > requirement for the patch attached I would suggest to drop > https://fedorahosted.org/freeipa/ticket/4844 and solve it together with > #3864. We should close 4844 as fixed upstream (there *was* a bug in libkrb5).
I commented on #3864 about what we can do, and we can also avoid changing the schema. > I added a second patch which makes the unit test a bit more robust if > the krb5.conf on the system running the tests is broken. Ok. So on the new patches, what does "unify" mean? I do not get what it means (so probably it is a poor name), I guess you may want to call it "canonicalization" ? (or even 'canon' to shorten it a bit). I think the worst case for a utf8 string is more than length*2, probably more like length*6, unless there is some guarantee around case changes that I am not aware of, that said we could probably just allocate on the stack a fixed size string of a KiB or so, the longest DNS name is 256 chars IIRC and a service name can't be that much longer, also usernames can't be arbitrarily long. So 1/2 KiB should probably be fine for a full principal name. (avoids a malloc too which is good). On the tests, realms can't use unicode afaik. The change to use an empty profile is probably ok. HTH, Simo. From simo at redhat.com Tue Jul 28 11:13:54 2015
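The review points in the exchange above (force the realm to upper case while building the search filter, locate the realm with strrchr() because '@' may appear inside a component, keep the search form in a fixed stack buffer of about half a KiB instead of calling malloc(), and refuse longer names outright, as the thread later settles on) as an added example in C. This is illustrative code written for this page, not the ipa-kdb code from the patch or from FreeIPA. It assumes ASCII-only case mapping (the real backend compares with Unicode-aware folding, where a case change can change the byte length), and the function names, the PRINC_SEARCH_BUF macro, the RFC 4515 filter escaping as the meaning of the thread's "escape function", and the sample principals are all constructed for the example.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Fixed stack buffer for the search form of a principal (half a KiB, as
 * discussed in the thread). Longer names are rejected, not malloc()ed. */
#define PRINC_SEARCH_BUF 512

/* Write the "search form" of a principal into out: components forced to
 * lower case, realm forced to upper case. The realm starts after the LAST
 * '@' (strrchr), because '@' can occur inside a component. ASCII-only
 * case mapping here is a simplification of what the KDB needs.
 * Returns 0 on success, -1 if there is no realm or out is too small. */
int principal_search_form(const char *princ, char *out, size_t outlen)
{
    const char *at;
    size_t len, i;

    if (princ == NULL || out == NULL)
        return -1;
    len = strlen(princ);
    if (len + 1 > outlen)
        return -1;                       /* does not fit: fail, never truncate */
    at = strrchr(princ, '@');
    if (at == NULL || at == princ || at[1] == '\0')
        return -1;                       /* no realm, empty name or empty realm */

    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)princ[i];
        if (princ + i < at)
            out[i] = (char)tolower(c);   /* component part */
        else if (princ + i > at)
            out[i] = (char)toupper(c);   /* realm part */
        else
            out[i] = '@';
    }
    out[len] = '\0';
    return 0;
}

/* Compare two principals in search form using stack buffers only.
 * Returns 1 if equal, 0 if not, -1 if either name is malformed or too long. */
int principal_search_equal(const char *a, const char *b)
{
    char fa[PRINC_SEARCH_BUF], fb[PRINC_SEARCH_BUF];

    if (principal_search_form(a, fa, sizeof(fa)) != 0 ||
        principal_search_form(b, fb, sizeof(fb)) != 0)
        return -1;
    return strcmp(fa, fb) == 0 ? 1 : 0;
}

/* Escape a principal for use as an LDAP filter value (RFC 4515) and, when
 * upper_realm is set, force the realm to upper case in the same pass, so the
 * filter matches the stored form whatever case the client used.
 * Returns the number of bytes written, or -1 on a bad name or small buffer. */
int princ_escape_filter(const char *princ, int upper_realm,
                        char *out, size_t outlen)
{
    static const char hex[] = "0123456789abcdef";
    const char *at, *p;
    size_t o = 0;

    if (princ == NULL || out == NULL)
        return -1;
    at = strrchr(princ, '@');
    if (at == NULL || at == princ || at[1] == '\0')
        return -1;

    for (p = princ; *p != '\0'; p++) {
        unsigned char c = (unsigned char)*p;
        if (upper_realm && p > at)
            c = (unsigned char)toupper(c);
        if (c == '*' || c == '(' || c == ')' || c == '\\') {
            if (o + 4 > outlen)          /* "\xx" plus terminator */
                return -1;
            out[o++] = '\\';
            out[o++] = hex[c >> 4];
            out[o++] = hex[c & 0x0f];
        } else {
            if (o + 2 > outlen)
                return -1;
            out[o++] = (char)c;
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* Constructed demonstration inputs; returns the number of failed checks (0). */
int principal_selfcheck(void)
{
    char buf[PRINC_SEARCH_BUF];
    char longname[PRINC_SEARCH_BUF + 100];
    int failed = 0;

    /* realm case differs, components agree: same search form */
    failed += principal_search_equal("Admin@Example.COM", "admin@EXAMPLE.COM") != 1;
    /* '@' inside a component: only the last '@' starts the realm */
    failed += principal_search_form("user@mail.test@Example.COM", buf, sizeof(buf)) != 0;
    failed += strcmp(buf, "user@mail.test@EXAMPLE.COM") != 0;
    /* filter metacharacters escaped, realm upper-cased in the same pass */
    failed += princ_escape_filter("host/a(b)*@example.com", 1, buf, sizeof(buf)) < 0;
    failed += strcmp(buf, "host/a\\28b\\29\\2a@EXAMPLE.COM") != 0;
    /* a name longer than the stack buffer is refused, not truncated */
    memset(longname, 'a', sizeof(longname) - 1);
    memcpy(longname + sizeof(longname) - 9, "@EXAMPLE", 8);
    longname[sizeof(longname) - 1] = '\0';
    failed += principal_search_equal(longname, "x@Y") != -1;
    return failed;
}
```

principal_selfcheck() walks through the cases the review raises; a caller that wants the behaviour of the real backend would replace the ASCII tolower()/toupper() with a Unicode-aware fold and size the output buffer for the growth such folding can cause.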
From: simo at redhat.com (Simo Sorce) Date: Tue, 28 Jul 2015 07:13:54 -0400 Subject: [Freeipa-devel] Is Backend.krb part of API? In-Reply-To: <20150728105545.GM21928@redhat.com> References: <55B74407.6070806@redhat.com> <55B75B7B.6000402@redhat.com> <20150728105545.GM21928@redhat.com> Message-ID: <1438082034.13513.18.camel@willson.usersys.redhat.com> On Tue, 2015-07-28 at 13:55 +0300, Alexander Bokovoy wrote: > On Tue, 28 Jul 2015, Petr Vobornik wrote: > >On 07/28/2015 10:57 AM, Michael Šimáček wrote: > >>Hi, > >> > >>I'm working on porting FreeIPA away from python-krbV. Backend.krb and > >>KRB5_CCache classes are mere wrappers around krbV bindings, so it would > >>make sense to remove them. But I found the former used in the example in > >>doc/examples/python-api.py. Is it part of FreeIPA's API? Shall I provide > >>some partial compatibility layer for it? (only partial because some > >>methods can take krbV objects as arguments) > >> > >>Thank you, > >>Michael Simacek > >> > > > >Does the replacement offer API which has all the methods as the > >wrappers? If so we can remove them. > > > >Imho we can remove Backend.krb aka ipalib/plugins/kerberos.py. It's > >used only in 2 files, both are not in production. But I'm not sure > >about KRB5_CCache, the wrapper has some exception logic which might be > >wanted to be kept. > Backend.krb can go if you provide something similar to KRB5_CCache. We > need to be able to initialize ccache with that class -- either by using > existing ccache (we often marshall ccache content to memcached and then > unmarshall it when the same session comes back) or by using a keytab. > After ccache is provided, we need to be able to query default principal > of the existing ccache. We should be able to do all this with python-gssapi and the store extensions. Simo. -- Simo Sorce * Red Hat, Inc * New York From dkupka at redhat.com Tue Jul 28 11:22:48 2015
From: dkupka at redhat.com (David Kupka) Date: Tue, 28 Jul 2015 13:22:48 +0200 Subject: [Freeipa-devel] [PATCH 0294] ULC: fix stageuser-add --from-delete command In-Reply-To: <55B0D430.6090405@redhat.com> References: <55B0D430.6090405@redhat.com> Message-ID: <55B76608.1060704@redhat.com> On 23/07/15 13:46, Martin Basti wrote: > https://fedorahosted.org/freeipa/ticket/5145 > > Patch attached. > > This patch fixes only first part of problem -- the traceback. > > Removing prompt for name and surname requires too big hacks in internal > API, and I'm not sure if we will be able to do that. > IMO this should be separate command, I will open a discussion. > > > Works for me, ACK. It would be better to leave the ticket open until the issue is fully resolved. -- David Kupka From abokovoy at redhat.com Tue Jul 28 11:26:34 2015 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Tue, 28 Jul 2015 14:26:34 +0300 Subject: [Freeipa-devel] [PATCH 149] IPA KDB: allow case in-sensitive realm in AS request In-Reply-To: <1438081537.13513.17.camel@willson.usersys.redhat.com> References: <20150721114114.GA7078@p.redhat.com> <721412384.2383594.1437572511320.JavaMail.zimbra@redhat.com> <20150728101515.GA7078@p.redhat.com> <1438081537.13513.17.camel@willson.usersys.redhat.com> Message-ID: <20150728112634.GP21928@redhat.com> On Tue, 28 Jul 2015, Simo Sorce wrote: >On Tue, 2015-07-28 at 12:15 +0200, Sumit Bose wrote: >> On Wed, Jul 22, 2015 at 09:41:51AM -0400, Simo Sorce wrote: >> > ----- Original Message -----
>> > > From: "Sumit Bose" >> > > To: "freeipa-devel" >> > > Sent: Tuesday, July 21, 2015 7:41:14 AM >> > > Subject: [Freeipa-devel] [PATCH 149] IPA KDB: allow case in-sensitive realm in AS request >> > > >> > > Hi, >> > > >> > > this patch is my suggestion to solve >> > > https://fedorahosted.org/freeipa/ticket/4844 . >> > > >> > > The original issue in the ticket has two parts. One is a loop in libkrb5 >> > > which is already fixed. The other is to handle canonicalization better. >> > >> > Sorry Sumit, >> > I see several issues with this patch. >> > >> > first of all you should really not change ipadb_get_principal(), that's the >> > wrong place to apply your logic. >> > >> > To support searching for the realm name case-insensitively all we should do >> > is to always forcibly upper case the realm name at the same time we build the >> > filter (in ipadb_fetch_principals(), if canonicalization was requested. >> > Because we will never store (code to prevent that should probably be added with >> > this patch) a realm name that is not all caps. >> > Then the post search matches should be done straight within ipadb_find_principal(). >> > >> > > The general way to allow canonicalization on a principal is to add the >> > > attributes 'krbcanonicalname'[1] and 'ipakrbprincipalalias' together >> > > with the objectclass 'ipaKrbPrincipal' to the user object. >> > >> > We have already a ticket open since long to remove krbprincipalalias, it was >> > a mistake to add it and any patch that depends on it will be nacked by me. >> > We need to use krbPrincipalName and krbCanonicalName. >> > >> > > Then the IPA >> > > KDB backend will use 'ipakrbprincipalalias' for case in-sensitive >> > > matches and the principal from 'krbcanonicalname' will be the canonical >> > > principal used further on. The 'krbPrincipalName' is not suitable for >> > > either because it has caseExact* matching rules and is a multivalue >> > > attribute [2].
>> > >> > Case-exact match is a problem only if we do not canonicalize names when storing >> > them, otherwise all you need to do is store a "search form" in krbPrincipalName >> > and always change searches to that form (forcibly upper case realm, forcibly >> > lowercase components) when canonicalization is requested. >> > >> > Additionally in the patch you are using strcasecmp(), that function is not >> > acceptable, look at ipadb_find_principal() and you'll see we use ulc_casecmp() >> > there. >> > Also modifying the principal before searching is done wrong (you use strchr() >> > to find the @ sign, but you could find an @ in the components this way, you >> > should use strrchr() at the very least), and is dangerous if done outside of >> > the inner functions because then we never have a way to know the original >> > form should it be needed. In any case as said above realm should be forcibly >> > uppercase, given a flag in the escape function instead. >> >> Thanks for the review and the comments. >> >> I changed the patch as you suggested to upper-case the realm in the >> escape function if the flag is set. >> >> I didn't add any checks to make sure that the realm of newly added >> principal attributes is always upper case. Since the attributes can be >> added via various ways I think the check should happen on the DS level > >We should indeed intercept add/modify operations and see if they try to >set krbPrincipalName/krbCanonicalName and then validate the name. >Return unwilling to perform if the case of the realm is different (or >fix it on the fly, up for discussion) from the default case as >configured in the server. Will break trusts -- ipasam does add these principals for krbtgt/IPA at AD. >> but I see this more in the context of full canonicalization fix covered >> by https://fedorahosted.org/freeipa/ticket/3864 .
If you think this is a >> requirement for the patch attached I would suggest to drop >> https://fedorahosted.org/freeipa/ticket/4844 and solve it together with >> #3864. > >We should close 4844 as fixed upstream (there *was* a bug in libkrb5). >I commented on #3864 about what we can do, and we can also avoid >changing the schema. Yep. >So on the new patches, what does "unify" mean? I do not get what it >means (so probably it is a poor name), I guess you may want to call it >"canonicalization" ? (or even 'canon' to shorten it a bit). I have same question. I tried to understand why it is called unify and failed. >I think the worst case for a utf8 string is more than length*2, probably >more like length*6, unless there is some guarantee around case changes >that I am not aware of, that said we could probably just allocate on the >stack a fixed size string of a KiB or so, the longest DNS name is 256 >chars IIRC and a service name can't be that much longer, also usernames >can't be arbitrarily long. So 1/2 KiB should probably be fine for a full >principal name. (avoids a malloc too which is good). Yes, sounds good. A hostname label can be up to 63 characters and full domain name including dots would be 253 characters. At the same time, a component of the principal may be of arbitrary length. From practical perspective it would probably be enough to go with a static buffer of 1/2 KiB for the quickest case and fall back to malloc() if the size is bigger than that one. -- / Alexander Bokovoy From abokovoy at redhat.com Tue Jul 28 11:28:59 2015
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Tue, 28 Jul 2015 14:28:59 +0300 Subject: [Freeipa-devel] Is Backend.krb part of API? In-Reply-To: <1438082034.13513.18.camel@willson.usersys.redhat.com> References: <55B74407.6070806@redhat.com> <55B75B7B.6000402@redhat.com> <20150728105545.GM21928@redhat.com> <1438082034.13513.18.camel@willson.usersys.redhat.com> Message-ID: <20150728112859.GQ21928@redhat.com> On Tue, 28 Jul 2015, Simo Sorce wrote: >On Tue, 2015-07-28 at 13:55 +0300, Alexander Bokovoy wrote: >> On Tue, 28 Jul 2015, Petr Vobornik wrote: >> >On 07/28/2015 10:57 AM, Michael Šimáček wrote: >> >>Hi, >> >> >> >>I'm working on porting FreeIPA away from python-krbV. Backend.krb and >> >>KRB5_CCache classes are mere wrappers around krbV bindings, so it would >> >>make sense to remove them. But I found the former used in the example in >> >>doc/examples/python-api.py. Is it part of FreeIPA's API? Shall I provide >> >>some partial compatibility layer for it? (only partial because some >> >>methods can take krbV objects as arguments) >> >> >> >>Thank you, >> >>Michael Simacek >> >> >> > >> >Does the replacement offer API which has all the methods as the >> >wrappers? If so we can remove them. >> > >> >Imho we can remove Backend.krb aka ipalib/plugins/kerberos.py. It's >> >used only in 2 files, both are not in production. But I'm not sure >> >about KRB5_CCache, the wrapper has some exception logic which might be >> >wanted to be kept. >> Backend.krb can go if you provide something similar to KRB5_CCache. We >> need to be able to initialize ccache with that class -- either by using >> existing ccache (we often marshall ccache content to memcached and then >> unmarshall it when the same session comes back) or by using a keytab. >> After ccache is provided, we need to be able to query default principal >> of the existing ccache. > >We should be able to do all this with python-gssapi and the store >extensions. Yep. It would be good to have a helper, though.
-- / Alexander Bokovoy From mbabinsk at redhat.com Tue Jul 28 11:33:57 2015 From: mbabinsk at redhat.com (Martin Babinsky) Date: Tue, 28 Jul 2015 13:33:57 +0200 Subject: [Freeipa-devel] [PATCH 0050] ACI plugin: correctly parse bind rules enclosed in parentheses In-Reply-To: <55B649CA.4080406@redhat.com> References: <55B0F4D4.9050901@redhat.com> <55B649CA.4080406@redhat.com> Message-ID: <55B768A5.4030205@redhat.com> On 07/27/2015 05:10 PM, Martin Basti wrote: > On 23/07/15 16:06, Martin Babinsky wrote: >> This is a quick fix for https://fedorahosted.org/freeipa/ticket/5037 >> >> >> > NACK > > I do not like your change in first regexp too much. > > Can you try this instead? > > PermPat = re.compile(r'(\w+)\s*\(([^()]*)\)\s*(.*)', re.UNICODE) > > This just removes '(' and ') ' from pattern and accepts all other characters. > > -- > Martin Basti > Attaching updated patch. -- Martin^3 Babinsky -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0050.1-ACI-plugin-correctly-parse-bind-rules-enclosed-in-pa.patch Type: text/x-patch Size: 1636 bytes Desc: not available URL: From sbose at redhat.com Tue Jul 28 11:42:29 2015 From: sbose at redhat.com (Sumit Bose) Date: Tue, 28 Jul 2015 13:42:29 +0200 Subject: [Freeipa-devel] [PATCH 149] IPA KDB: allow case in-sensitive realm in AS request In-Reply-To: <20150728112634.GP21928@redhat.com> References: <20150721114114.GA7078@p.redhat.com> <721412384.2383594.1437572511320.JavaMail.zimbra@redhat.com> <20150728101515.GA7078@p.redhat.com> <1438081537.13513.17.camel@willson.usersys.redhat.com> <20150728112634.GP21928@redhat.com> Message-ID: <20150728114229.GC17746@p.redhat.com> On Tue, Jul 28, 2015 at 02:26:34PM +0300, Alexander Bokovoy wrote: > On Tue, 28 Jul 2015, Simo Sorce wrote: > >On Tue, 2015-07-28 at 12:15 +0200, Sumit Bose wrote: > >>On Wed, Jul 22, 2015 at 09:41:51AM -0400, Simo Sorce wrote: > >>> ----- Original Message -----
> >>> > From: "Sumit Bose" > >>> > To: "freeipa-devel" > >>> > Sent: Tuesday, July 21, 2015 7:41:14 AM > >>> > Subject: [Freeipa-devel] [PATCH 149] IPA KDB: allow case in-sensitive realm in AS request > >>> > > >>> > Hi, > >>> > > >>> > this patch is my suggestion to solve > >>> > https://fedorahosted.org/freeipa/ticket/4844 . > >>> > > >>> > The original issue in the ticket has two parts. One is a loop in libkrb5 > >>> > which is already fixed. The other is to handle canonicalization better. > >>> > >>> Sorry Sumit, > >>> I see several issues with this patch. > >>> > >>> first of all you should really not change ipadb_get_principal(), that's the > >>> wrong place to apply your logic. > >>> > >>> To support searching for the realm name case-insensitively all we should do > >>> is to always forcibly upper case the realm name at the same time we build the > >>> filter (in ipadb_fetch_principals(), if canonicalization was requested. > >>> Because we will never store (code to prevent that should probably be added with > >>> this patch) a realm name that is not all caps. > >>> Then the post search matches should be done straight within ipadb_find_principal(). > >>> > >>> > The general way to allow canonicalization on a principal is to add the > >>> > attributes 'krbcanonicalname'[1] and 'ipakrbprincipalalias' together > >>> > with the objectclass 'ipaKrbPrincipal' to the user object. > >>> > >>> We have already a ticket open since long to remove krbprincipalalias, it was > >>> a mistake to add it and any patch that depends on it will be nacked by me. > >>> We need to use krbPrincipalName and krbCanonicalName. > >>> > >>> > Then the IPA > >>> > KDB backend will use 'ipakrbprincipalalias' for case in-sensitive > >>> > matches and the principal from 'krbcanonicalname' will be the canonical > >>> > principal used further on. The 'krbPrincipalName' is not suitable for > >>> > either because it has caseExact* matching rules and is a multivalue > >>> > attribute [2].
> >>> > >>> Case-exact match is a problem only if we do not canonicalize names when storing > >>> them, otherwise all you need to do is store a "search form" in krbPrincipalName > >>> and always change searches to that form (forcibly upper case realm, forcibly > >>> lowercase components) when canonicalization is requested. > >>> > >>> Additionally in the patch you are using strcasecmp(), that function is not > >>> acceptable, look at ipadb_find_principal() and you'll see we use ulc_casecmp() > >>> there. > >>> Also modifying the principal before searching is done wrong (you use strchr() > >>> to find the @ sign, but you could find an @ in the components this way, you > >>> should use strrchr() at the very least), and is dangerous if done outside of > >>> the inner functions because then we never have a way to know the original > >>> form should it be needed. In any case as said above realm should be forcibly > >>> uppercase, given a flag in the escape function instead. > >> > >>Thanks for the review and the comments. > >> > >>I changed the patch as you suggested to upper-case the realm in the > >>escape function if the flag is set. > >> > >>I didn't add any checks to make sure that the realm of newly added > >>principal attributes is always upper case. Since the attributes can be > >>added via various ways I think the check should happen on the DS level > > > >We should indeed intercept add/modify operations and see if they try to > >set krbPrincipalName/krbCanonicalName and then validate the name. > >Return unwilling to perform if the case of the realm is different (or > >fix it on the fly, up for discussion) from the default case as > >configured in the server. > Will break trusts -- ipasam does add these principals for krbtgt/IPA at AD. > > >>but I see this more in the context of full canonicalization fix covered > >>by https://fedorahosted.org/freeipa/ticket/3864 .
If you think this is a > >>requirement for the patch attached I would suggest to drop > >>https://fedorahosted.org/freeipa/ticket/4844 and solve it together with > >>#3864. > > > >We should close 4844 as fixed upstream (there *was* a bug in libkrb5). > >I commented on #3864 about what we can do, and we can also avoid > >changing the schema. > Yep. > > >So on the new patches, what does "unify" mean? I do not get what it > >means (so probably it is a poor name), I guess you may want to call it > >"canonicalization" ? (or even 'canon' to shorten it a bit). > I have same question. I tried to understand why it is called unify and > failed. I didn't want to use 'canonical' because the result will not be the canonical name in the general case but only a name we use for searching. I was thinking about 'normalized' but this has a special meaning with unicode. So I came up with 'unify'. But if you prefer 'canon' I can change it. > > >I think the worst case for a utf8 string is more than length*2, probably > >more like length*6, unless there is some guarantee around case changes > >that I am not aware of, that said we could probably just allocate on the > >stack a fixed size string of a KiB or so, the longest DNS name is 256 > >chars IIRC and a service name can't be that much longer, also usernames > >can't be arbitrarily long. So 1/2 KiB should probably be fine for a full > >principal name. (avoids a malloc too which is good). > Yes, sounds good. A hostname label can be up to 63 characters and full > domain name including dots would be 253 characters. At the same time, a > component of the principal may be of arbitrary length. From practical > perspective it would probably be enough to go with a static buffer of > 1/2 KiB for the quickest case and fall back to malloc() if the size is > bigger than that one. ok, I will change this. bye, Sumit > > > -- > / Alexander Bokovoy From pvoborni at redhat.com Tue Jul 28 12:05:54 2015
From: pvoborni at redhat.com (Petr Vobornik) Date: Tue, 28 Jul 2015 14:05:54 +0200 Subject: [Freeipa-devel] [PATCH] 906 webui: fix regressions failed auth messages Message-ID: <55B77022.5040902@redhat.com> 1. after logout, krb auth no longer shows "session expired" but correct "Authentication with Kerberos failed". 2. "The password or username you entered is incorrect." is shown on failed forms-based auth. https://fedorahosted.org/freeipa/ticket/5163 -- Petr Vobornik -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvoborni-0906-webui-fix-regressions-failed-auth-messages.patch Type: text/x-patch Size: 2925 bytes Desc: not available URL: From ssorce at redhat.com Tue Jul 28 12:11:12 2015 From: ssorce at redhat.com (Simo Sorce) Date: Tue, 28 Jul 2015 08:11:12 -0400 Subject: [Freeipa-devel] [PATCH 149] IPA KDB: allow case in-sensitive realm in AS request In-Reply-To: <20150728112634.GP21928@redhat.com> References: <20150721114114.GA7078@p.redhat.com> <721412384.2383594.1437572511320.JavaMail.zimbra@redhat.com> <20150728101515.GA7078@p.redhat.com> <1438081537.13513.17.camel@willson.usersys.redhat.com> <20150728112634.GP21928@redhat.com> Message-ID: <1438085472.18261.6.camel@willson.usersys.redhat.com> On Tue, 2015-07-28 at 14:26 +0300, Alexander Bokovoy wrote: > On Tue, 28 Jul 2015, Simo Sorce wrote: > >On Tue, 2015-07-28 at 12:15 +0200, Sumit Bose wrote: > >> On Wed, Jul 22, 2015 at 09:41:51AM -0400, Simo Sorce wrote: > >> > ----- Original Message -----
> >> > > From: "Sumit Bose" > >> > > To: "freeipa-devel" > >> > > Sent: Tuesday, July 21, 2015 7:41:14 AM > >> > > Subject: [Freeipa-devel] [PATCH 149] IPA KDB: allow case in-sensitive realm in AS request > >> > > > >> > > Hi, > >> > > > >> > > this patch is my suggestion to solve > >> > > https://fedorahosted.org/freeipa/ticket/4844 . > >> > > > >> > > The original issue in the ticket has two parts. One is a loop in libkrb5 > >> > > which is already fixed. The other is to handle canonicalization better. > >> > > >> > Sorry Sumit, > >> > I see several issues with this patch. > >> > > >> > first of all you should really not change ipadb_get_principal(), that's the > >> > wrong place to apply your logic. > >> > > >> > To support searching for the realm name case-insensitively all we should do > >> > is to always forcibly upper case the realm name at the same time we build the > >> > filter (in ipadb_fetch_principals(), if canonicalization was requested. > >> > Because we will never store (code to prevent that should probably be added with > >> > this patch) a realm name that is not all caps. > >> > Then the post search matches should be done straight within ipadb_find_principal(). > >> > > >> > > The general way to allow canonicalization on a principal is to add the > >> > > attributes 'krbcanonicalname'[1] and 'ipakrbprincipalalias' together > >> > > with the objectclass 'ipaKrbPrincipal' to the user object. > >> > > >> > We have already a ticket open since long to remove krbprincipalalias, it was > >> > a mistake to add it and any patch that depends on it will be nacked by me. > >> > We need to use krbPrincipalName and krbCanonicalName. > >> > > >> > > Then the IPA > >> > > KDB backend will use 'ipakrbprincipalalias' for case in-sensitive > >> > > matches and the principal from 'krbcanonicalname' will be the canonical > >> > > principal used further on.
The 'krbPrincipalName' is not suitable for > >> > > either because it has caseExact* matching rules and is a multivalue > >> > > attribute [2]. > >> > > >> > Case-exact match is a problem only if we do not canonicalize names when storing > >> > them, otherwise all you need to do is store a "search form" in krbPrincipalName > >> > and always change searches to that form (forcibly upper case realm, forcibly > >> > lowercase components) when canonicalization is requested. > >> > > >> > Additionally in the patch you are using strcasecmp(), that function is not > >> > acceptable, look at ipadb_find_principal() and you'll see we use ulc_casecmp() > >> > there. > >> > Also modifying the principal before searching is done wrong (you use strchr() > >> > to find the @ sign, but you could find an @ in the components this way, you > >> > should use strrchr() at the very least), and is dangerous if done outside of > >> > the inner functions because then we never have a way to know the original > >> > form should it be needed. In any case as said above realm should be forcibly > >> > uppercase, given a flag in the escape function instead. > >> > >> Thanks for the review and the comments. > >> > >> I changed the patch as you suggested to upper-case the realm in the > >> escape function if the flag is set. > >> > >> I didn't add any checks to make sure that the realm of newly added > >> principal attributes is always upper case. Since the attributes can be > >> added via various ways I think the check should happen on the DS level > > > >We should indeed intercept add/modify operations and see if they try to > >set krbPrincipalName/krbCanonicalName and then validate the name. > >Return unwilling to perform if the case of the realm is different (or > >fix it on the fly, up for discussion) from the default case as > >configured in the server. > Will break trusts -- ipasam does add these principals for krbtgt/IPA at AD.
You misunderstood, we compare case-insensitively and adjust the case (or simply always uppercase). We do not refuse to add realm names that are completely different, I know about the cross realm principals :) > >> but I see this more in the context of full canonicalization fix covered > >> by https://fedorahosted.org/freeipa/ticket/3864 . If you think this is a > >> requirement for the patch attached I would suggest to drop > >> https://fedorahosted.org/freeipa/ticket/4844 and solve it together with > >> #3864. > > > >We should close 4844 as fixed upstream (there *was* a bug in libkrb5). > >I commented on #3864 about what we can do, and we can also avoid > >changing the schema. > Yep. > > >So on the new patches, what does "unify" mean? I do not get what it > >means (so probably it is a poor name), I guess you may want to call it > >"canonicalization" ? (or even 'canon' to shorten it a bit). > I have same question. I tried to understand why it is called unify and > failed. > > >I think the worst case for a utf8 string is more than length*2, probably > >more like length*6, unless there is some guarantee around case changes > >that I am not aware of, that said we could probably just allocate on the > >stack a fixed size string of a KiB or so, the longest DNS name is 256 > >chars IIRC and a service name can't be that much longer, also usernames > >can't be arbitrarily long. So 1/2 KiB should probably be fine for a full > >principal name. (avoids a malloc too which is good). > Yes, sounds good. A hostname label can be up to 63 characters and full > domain name including dots would be 253 characters. At the same time, a > component of the principal may be of arbitrary length. From practical > perspective it would probably be enough to go with a static buffer of > 1/2 KiB for the quickest case and fall back to malloc() if the size is > bigger than that one. Just fail if the size is bigger, I do not see any legitimate case for > 1000 characters principal names for now.
Simo. From mbasti at redhat.com Tue Jul 28 12:11:38 2015 From: mbasti at redhat.com (Martin Basti) Date: Tue, 28 Jul 2015 14:11:38 +0200 Subject: [Freeipa-devel] [PATCH 0050] ACI plugin: correctly parse bind rules enclosed in parentheses In-Reply-To: <55B768A5.4030205@redhat.com> References: <55B0F4D4.9050901@redhat.com> <55B649CA.4080406@redhat.com> <55B768A5.4030205@redhat.com> Message-ID: <55B7717A.60103@redhat.com> On 28/07/15 13:33, Martin Babinsky wrote: > On 07/27/2015 05:10 PM, Martin Basti wrote: >> On 23/07/15 16:06, Martin Babinsky wrote: >>> This is a quick fix for https://fedorahosted.org/freeipa/ticket/5037 >>> >>> >>> >> NACK >> >> I do not like your change in first regexp too much. >> >> Can you try this instead? >> >> PermPat = re.compile(r'(\w+)\s*\(([^()]*)\)\s*(.*)', re.UNICODE) >> >> This just removes '(' and ') ' from pattern and accepts all other >> characters. >> >> -- >> Martin Basti >> > > Attaching updated patch. > ACK -- Martin Basti From jpazdziora at redhat.com Tue Jul 28 12:16:28 2015
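The PermPat pattern suggested in the ACI-plugin thread above, applied to sample permission clauses as an added example in Python. This is illustrative code written for this page, not the ipalib/aci.py code from the patch; the only thing taken from the thread is the proposed regular expression. GreedyPat is a constructed variant that shows why a permission group allowing parentheses swallows a parenthesised bind rule; it is not claimed to be the pattern FreeIPA shipped before the fix. The helper names, the list of 389-ds permission keywords and the sample clauses are constructed for the example.

```python
import re

# Pattern proposed in the thread: the permission list may contain anything
# except parentheses, so a bind rule that is itself wrapped in parentheses
# survives into the third group instead of being swallowed.
PermPat = re.compile(r'(\w+)\s*\(([^()]*)\)\s*(.*)', re.UNICODE)

# Constructed greedy variant used only to show the failure mode (not the
# project's earlier pattern): '.*' runs to the LAST ')' in the clause.
GreedyPat = re.compile(r'(\w+)\s*\((.*)\)\s*(.*)', re.UNICODE)

# Permission keywords accepted by 389-ds ACIs; anything else means the
# clause was mis-split and must not be treated as a valid permission.
KNOWN_PERMISSIONS = frozenset([
    'read', 'write', 'add', 'delete', 'search', 'compare',
    'selfwrite', 'proxy', 'all',
])


def parse_permission(clause, pattern=PermPat):
    """Split 'allow (read, search) <bind rule>' into its three parts.

    Returns (action, [permissions], bind_rule). Raises ValueError when the
    clause does not match at all, so a malformed ACI is never silently
    accepted as "no permissions".
    """
    m = pattern.match(clause.strip())
    if m is None:
        raise ValueError("not a permission clause: %r" % clause)
    action, perms, bind_rule = m.groups()
    perms = [p.strip() for p in perms.split(',') if p.strip()]
    return action, perms, bind_rule.strip()


def unknown_permissions(perms):
    """Return the entries of perms that are not 389-ds permission keywords.

    With a greedy split the bind rule ends up glued to the last permission,
    which this check exposes; a non-empty result should be treated as a
    parse failure rather than ignored.
    """
    return [p for p in perms if p.lower() not in KNOWN_PERMISSIONS]


# Constructed sample clauses, not copied from a real ACI.
SAMPLES = [
    'allow (read, search, compare) (userdn = "ldap:///self")',
    'allow (write) userdn = "ldap:///self"',
    'deny (all) (groupdn = "ldap:///cn=blocked,cn=groups,dc=example,dc=test")',
]

if __name__ == '__main__':
    for clause in SAMPLES:
        action, perms, bind_rule = parse_permission(clause)
        print(action, perms, bind_rule, 'unknown:', unknown_permissions(perms))
    # The greedy variant loses the bind rule entirely on the first sample.
    print(parse_permission(SAMPLES[0], GreedyPat))
```

The third group is deliberately left as an opaque string: the bind rule has its own grammar, and the point of the fix is only that the permission parser stops at the first closing parenthesis so the rule reaches that grammar intact.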
From: jpazdziora at redhat.com (Jan Pazdziora)
Date: Tue, 28 Jul 2015 14:16:28 +0200
Subject: [Freeipa-devel] 4.2: ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to restart the Dogtag instance.
Message-ID: <20150728121628.GA30165@redhat.com>

Hello,

ever since I started to run FreeIPA 4.2 installations (from upstream copr repo on Fedora 22), I often (but not always) get

  [13/25]: setting audit signing renewal to 2 years
  [14/25]: restarting certificate server
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to restart the Dogtag instance.See the installation log for details.
  [15/25]: requesting RA certificate from CA
  [error] error: [Errno 111] Connection refused

In the ipaserver-install.log, there is

2015-07-28T11:15:42Z DEBUG Starting external process
2015-07-28T11:15:42Z DEBUG args='/bin/systemctl' 'is-active' 'pki-tomcatd@pki-tomcat.service'
2015-07-28T11:15:42Z DEBUG Process finished, return code=0
2015-07-28T11:15:42Z DEBUG stdout=active

2015-07-28T11:15:42Z DEBUG stderr=
2015-07-28T11:15:42Z DEBUG wait_for_open_ports: localhost [8080, 8443] timeout 300
2015-07-28T11:20:42Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 183, in restart_instance
    self.restart(self.dogtag_constants.PKI_INSTANCE_NAME)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 316, in restart
    self.service.restart(instance_name, capture_output=capture_output, wait=wait)
  File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line 250, in restart
    instance_name, capture_output=capture_output, wait=wait)
  File "/usr/lib/python2.7/site-packages/ipaplatform/base/services.py", line 317, in restart
    self.wait_for_open_ports(self.service_instance(instance_name))
  File "/usr/lib/python2.7/site-packages/ipaplatform/base/services.py", line 272, in wait_for_open_ports
    self.api.env.startup_timeout)
  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line
1180, in wait_for_open_ports
    raise socket.timeout("Timeout exceeded")
timeout: Timeout exceeded

I do run it in container so it could be related, so I'm mostly looking for blind hints about what might have changed in the installer or in dogtag itself in 4.2 that could cause this. For example, did we make the timeout shorter?

--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

From abokovoy at redhat.com Tue Jul 28 12:25:50 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 28 Jul 2015 15:25:50 +0300
Subject: [Freeipa-devel] 4.2: ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to restart the Dogtag instance.
In-Reply-To: <20150728121628.GA30165@redhat.com>
References: <20150728121628.GA30165@redhat.com>
Message-ID: <20150728122550.GT21928@redhat.com>

On Tue, 28 Jul 2015, Jan Pazdziora wrote:
>
>Hello,
>
>ever since I started to run FreeIPA 4.2 installations (from upstream
>copr repo on Fedora 22), I often (but not always) get
>
>  [13/25]: setting audit signing renewal to 2 years
>  [14/25]: restarting certificate server
>ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to restart the Dogtag instance.See the installation log for details.
>  [15/25]: requesting RA certificate from CA
>  [error] error: [Errno 111] Connection refused
>
>In the ipaserver-install.log, there is
>
>2015-07-28T11:15:42Z DEBUG Starting external process
>2015-07-28T11:15:42Z DEBUG args='/bin/systemctl' 'is-active' 'pki-tomcatd@pki-tomcat.service'
>2015-07-28T11:15:42Z DEBUG Process finished, return code=0
>2015-07-28T11:15:42Z DEBUG stdout=active
>
>2015-07-28T11:15:42Z DEBUG stderr=
>2015-07-28T11:15:42Z DEBUG wait_for_open_ports: localhost [8080, 8443] timeout 300
>2015-07-28T11:20:42Z DEBUG Traceback (most recent call last):
>  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 183, in restart_instance
>    self.restart(self.dogtag_constants.PKI_INSTANCE_NAME)
>  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 316, in restart
>    self.service.restart(instance_name, capture_output=capture_output, wait=wait)
>  File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line 250, in restart
>    instance_name, capture_output=capture_output, wait=wait)
>  File "/usr/lib/python2.7/site-packages/ipaplatform/base/services.py", line 317, in restart
>    self.wait_for_open_ports(self.service_instance(instance_name))
>  File "/usr/lib/python2.7/site-packages/ipaplatform/base/services.py", line 272, in wait_for_open_ports
>    self.api.env.startup_timeout)
>  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 1180, in wait_for_open_ports
>    raise socket.timeout("Timeout exceeded")
>timeout: Timeout exceeded
>
>I do run it in container so it could be related, so I'm mostly looking
>for blind hints about what might have changed in the installer or
>in dogtag itself in 4.2 that could cause this. For example, did we make
>the timeout shorter?

The timeout is 300:
>2015-07-28T11:15:42Z DEBUG wait_for_open_ports: localhost [8080, 8443] timeout 300

You can look at dogtag's catalina-.log, to see how long it took:

# grep 'Server startup' /var/log/pki/pki-tomcat/catalina.2015-07-24.log
INFO: Server startup in 27159 ms
INFO: Server startup in 11323 ms
INFO: Server startup in 10472 ms
INFO: Server startup in 11158 ms
INFO: Server startup in 11194 ms

--
/ Alexander Bokovoy

From sbose at redhat.com Tue Jul 28 13:02:56 2015
From: sbose at redhat.com (Sumit Bose)
Date: Tue, 28 Jul 2015 15:02:56 +0200
Subject: [Freeipa-devel] [PATCH 149] IPA KDB: allow case in-sensitive realm in AS request
In-Reply-To: <20150728114229.GC17746@p.redhat.com>
References: <20150721114114.GA7078@p.redhat.com> <721412384.2383594.1437572511320.JavaMail.zimbra@redhat.com> <20150728101515.GA7078@p.redhat.com> <1438081537.13513.17.camel@willson.usersys.redhat.com> <20150728112634.GP21928@redhat.com> <20150728114229.GC17746@p.redhat.com>
Message-ID: <20150728130256.GA20980@p.redhat.com>

On Tue, Jul 28, 2015 at 01:42:29PM +0200, Sumit Bose wrote:
> On Tue, Jul 28, 2015 at 02:26:34PM +0300, Alexander Bokovoy wrote:
> > On Tue, 28 Jul 2015, Simo Sorce wrote:
> > >On Tue, 2015-07-28 at 12:15 +0200, Sumit Bose wrote:
> > >>On Wed, Jul 22, 2015 at 09:41:51AM -0400, Simo Sorce wrote:
> > >>> ----- Original Message -----
> > >>> > From: "Sumit Bose"
> > >>> > To: "freeipa-devel"
> > >>> > Sent: Tuesday, July 21, 2015 7:41:14 AM
> > >>> > Subject: [Freeipa-devel] [PATCH 149] IPA KDB: allow case in-sensitive realm in AS request
> > >>> >
> > >>> > Hi,
> > >>> >
> > >>> > this patch is my suggestion to solve
> > >>> > https://fedorahosted.org/freeipa/ticket/4844 .
> > >>> >
> > >>> > The original issue in the ticket has two parts. One is a loop in libkrb5
> > >>> > which is already fixed. The other is to handle canonicalization better.
> > >>>
> > >>> Sorry Sumit,
> > >>> I see several issues with this patch.
> > >>>
> > >>> first of all you should really not change ipadb_get_principal(), that's the
> > >>> wrong place to apply your logic.
> > >>>
> > >>> To support searching for the realm name case-insensitively all we should do
> > >>> is to always forcibly upper case the realm name at the same time we build the
> > >>> filter (in ipadb_fetch_principals(), if canonicalization was requested.
> > >>> Because we will never store (code to prevent that should probably be added with
> > >>> this patch) a realm name that is not all caps.
> > >>> Then the post search matches should be done straight within ipadb_find_principal().
> > >>>
> > >>> > The general way to allow canonicalization on a principal is to add the
> > >>> > attributes 'krbcanonicalname'[1] and 'ipakrbprincipalalias' together
> > >>> > with the objectclass 'ipaKrbPrincipal' to the user object.
> > >>>
> > >>> We have already a ticket open since long to remove krbprincipalalias, it was
> > >>> a mistake to add it and any patch that depends on it will be nacked by me.
> > >>> We need to use krbPrincipalName and krbCanonicalName.
> > >>>
> > >>> > Then the IPA
> > >>> > KDB backend will use 'ipakrbprincipalalias' for case in-sensitive
> > >>> > matches and the principal from 'krbcanonicalname' will be the canonical
> > >>> > principal used further on.
> > >>> > The 'krbPrincipalName' is not suitable for
> > >>> > either because it has caseExact* matching rules and is a multivalue
> > >>> > attribute [2].
> > >>>
> > >>> Case-exact match is a problem only if we do not canonicalize names when storing
> > >>> them, otherwise all you need to do is store a "search form" in krbPrincipalName
> > >>> and always change searches to that form (forcibly upper case realm, forcibly
> > >>> lowercase components) when canonicalization is requested.
> > >>>
> > >>> Additionally in the patch you are using strcasecmp(), that function is not
> > >>> acceptable, look at ipadb_find_principal() and you'll see we use ulc_casecmp()
> > >>> there.
> > >>> Also modifying the principal before searching is done wrong (you use strchr()
> > >>> to find the @ sign, but you could find an @ in the components this way, you
> > >>> should use strrchr() at the very least), and is dangerous if done outside of
> > >>> the inner functions because then we never have a way to know the original
> > >>> form should it be needed. In any case as said above realm should be forcibly
> > >>> uppercase, given a flag in the escape function instead.
> > >>
> > >>Thank you for the review and the comments.
> > >>
> > >>I changed the patch as you suggested to upper-case the realm in the
> > >>escape function if the flag is set.
> > >>
> > >>I didn't add any checks to make sure that the realm of newly added
> > >>principal attributes is always upper case. Since the attributes can be
> > >>added via various ways I think the check should happen on the DS level
> > >
> > >We should indeed intercept add/modify operations and see if they try to
> > >set krbPrincipalName/krbCanonicalName and then validate the name.
> > >Return unwilling to perform if the case of the realm is different (or
> > >fix it on the fly, up for discussion) from the default case as
> > >configured in the server.
> > Will break trusts -- ipasam does add these principals for krbtgt/IPA@AD.
> > >
> > >>but I see this more in the context of full canonicalization fix covered
> > >>by https://fedorahosted.org/freeipa/ticket/3864 . If you think this is a
> > >>requirement for the patch attached I would suggest to drop
> > >>https://fedorahosted.org/freeipa/ticket/4844 and solve it together with
> > >>#3864.
> > >
> > >We should close 4844 as fixed upstream (there *was* a bug in libkrb5).
> > >I commented on #3864 about what we can do, and we can also avoid
> > >changing the schema.
> > Yep.
> >
> > >So on the new patches, what does "unify" mean ? I do not get what it
> > >means (so probably it is a poor name), I guess you may want to call it
> > >"canonicalization" ? (or even 'canon' to shorten it a bit).
> > I have the same question. I tried to understand why it is called unify and
> > failed.
>
> I didn't want to use 'canonical' because the result will not be the
> canonical name in the general case but only a name we use for searching.
> I was thinking about 'normalized' but this has a special meaning with
> unicode. So I came up with 'unify'. But if you prefer 'canon' I can
> change it.
>
> >
> > >I think the worst case for a utf8 string is more than length*2, probably
> > >more like length*6, unless there is some guarantee around case changes
> > >that I am not aware of, that said we could probably just allocate on the
> > >stack a fixed size string of a KiB or so, the longest DNS name is 256
> > >chars IIRC and a service name can't be that much longer, also usernames
> > >can't be arbitrarily long. So 1/2 KiB should probably be fine for a full
> > >principal name. (avoids a malloc too which is good).
> > Yes, sounds good. A hostname label can be up to 63 characters and full
> > domain name including dots would be 253 characters. At the same time, a
> > component of the principal may be of arbitrary length.
From practical > > perspective it would probably be enough to go with a static buffer of > > 1/2 KiB for the quickest case and fall back to malloc() if the size is > > bigger than that one. > > ok, I will change this. new version with changed name and 1/2 KiB buffer attached. No changes to the 2nd patch. bye, Sumit -------------- next part -------------- From da05e8e800aed9eb00536c359510272ad04e42ba Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Tue, 28 Jul 2015 11:00:41 +0200 Subject: [PATCH 149/150] IPA KDB: allow case in-sensitive realm in AS request If the canonicalization flag is set the realm of the client principal in an AS request (kinit) is transformed into upper-case to match the IPA convention for realm names. Resolves https://fedorahosted.org/freeipa/ticket/4844 --- daemons/ipa-kdb/ipa_kdb.h | 2 +- daemons/ipa-kdb/ipa_kdb_common.c | 43 ++++++++++++++++++++++++++- daemons/ipa-kdb/ipa_kdb_principals.c | 3 +- daemons/ipa-kdb/ipa_kdb_pwdpolicy.c | 2 +- daemons/ipa-kdb/tests/ipa_kdb_tests.c | 55 +++++++++++++++++++++++++++++++++++ 5 files changed, 101 insertions(+), 4 deletions(-) diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h index 4abb7335d356f976eb5dc777c94b35c81655ad79..a9d36fe259b60fdc7d500c889b18c6a2e57a3f47 100644 --- a/daemons/ipa-kdb/ipa_kdb.h +++ b/daemons/ipa-kdb/ipa_kdb.h @@ -133,7 +133,7 @@ struct ipadb_context *ipadb_get_context(krb5_context kcontext); int ipadb_get_connection(struct ipadb_context *ipactx); /* COMMON LDAP FUNCTIONS */ -char *ipadb_filter_escape(const char *input, bool star); +char *ipadb_filter_escape(const char *input, bool star, bool unify); krb5_error_code ipadb_simple_search(struct ipadb_context *ipactx, char *basedn, int scope, char *filter, char **attrs, diff --git a/daemons/ipa-kdb/ipa_kdb_common.c b/daemons/ipa-kdb/ipa_kdb_common.c index 112086b57c9f83895589538b5494ae81fb14a948..80afa23f06efcc12201189ff9d13cbfb9cb489ff 100644 --- a/daemons/ipa-kdb/ipa_kdb_common.c 
+++ b/daemons/ipa-kdb/ipa_kdb_common.c @@ -25,9 +25,41 @@ static struct timeval std_timeout = {300, 0}; -char *ipadb_filter_escape(const char *input, bool star) +#define PRINC_BUF_SIZE 512 + +static char *canon_princ(const char *princ) +{ + int ret; + char *p; + uint8_t *uc_realm; + char *canon_princ; + uint8_t buf[PRINC_BUF_SIZE] = { 0 }; + size_t size = PRINC_BUF_SIZE; + + p = strrchr(princ, '@'); + if (p == NULL) { + return NULL; + } + + /* Assume the worst-case. */ + uc_realm = u8_toupper((const uint8_t *)( p + 1), size, NULL, NULL, buf, + &size); + if (uc_realm == NULL) { + return NULL; + } + + ret = asprintf(&canon_princ, "%.*s@%s", (p - princ), princ, uc_realm); + if (ret == -1) { + return NULL; + } + + return canon_princ; +} + +char *ipadb_filter_escape(const char *input, bool star, bool canon) { char *output; + char *canonicalized; size_t i = 0; size_t j = 0; @@ -75,6 +107,15 @@ char *ipadb_filter_escape(const char *input, bool star) } output[j] = '\0'; + if (canon) { + canonicalized = canon_princ(output); + /* return output in case of an error */ + if (canonicalized != NULL) { + free(output); + output = canonicalized; + } + } + return output; } diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c index b3f8b1ad7784f55f55b4d6edd05f778a9389de27..5fb280d6217c2957b9a554cc5fd3a027ddd729fa 100644 --- a/daemons/ipa-kdb/ipa_kdb_principals.c +++ b/daemons/ipa-kdb/ipa_kdb_principals.c @@ -788,7 +788,8 @@ static krb5_error_code ipadb_fetch_principals(struct ipadb_context *ipactx, /* escape filter but do not touch '*' as this function accepts * wildcards in names */ - esc_original_princ = ipadb_filter_escape(principal, false); + esc_original_princ = ipadb_filter_escape(principal, false, + (flags & KRB5_KDB_FLAG_ALIAS_OK)); if (!esc_original_princ) { kerr = KRB5_KDB_INTERNAL_ERROR; goto done; 
diff --git a/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c b/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c index 076314a12840881a340763ab5693131aaccafec6..875960c5d77984c111b197ba03ad7ba79705d6e7 100644 --- a/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c +++ b/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c @@ -151,7 +151,7 @@ krb5_error_code ipadb_get_pwd_policy(krb5_context kcontext, char *name, return KRB5_KDB_DBNOTINITED; } - esc_name = ipadb_filter_escape(name, true); + esc_name = ipadb_filter_escape(name, true, false); if (!esc_name) { return ENOMEM; } diff --git a/daemons/ipa-kdb/tests/ipa_kdb_tests.c b/daemons/ipa-kdb/tests/ipa_kdb_tests.c index edd4ae0975628d6b3abe9bab2852c990c9a8c590..3f8a0bfd0bc2ac01ab84b44ee3942473bcc01d96 100644 --- a/daemons/ipa-kdb/tests/ipa_kdb_tests.c +++ b/daemons/ipa-kdb/tests/ipa_kdb_tests.c 
@@ -465,6 +465,60 @@ void test_dom_sid_string(void **state) str_sid = dom_sid_string(test_ctx, &test_sid); } +void test_ipadb_filter_escape(void **state) +{ + char *out; + size_t c; + + struct test_data { + const char *in; + bool star; + bool canon; + const char *exp_out; + } test_data[] = { + {"abc", false, false, "abc"}, + {"abc", false, true, "abc"}, + {"abc", true, true, "abc"}, + {"abc", true, false, "abc"}, + {"abc at def", false, false, "abc at def"}, + {"abc at def", false, true, "abc at DEF"}, + {"abc at def", true, true, "abc at DEF"}, + {"abc at def", true, false, "abc at def"}, + {"abc at DEF", false, false, "abc at DEF"}, + {"abc at DEF", false, true, "abc at DEF"}, + {"abc at DEF", true, true, "abc at DEF"}, + {"abc at DEF", true, false, "abc at DEF"}, + {"ab*c at def", false, false, "ab*c at def"}, + {"ab*c at def", false, true, "ab*c at DEF"}, + {"ab*c at def", true, true, "ab\\2ac at DEF"}, + {"ab*c at def", true, false, "ab\\2ac at def"}, + {"\\a(b)c at def", false, false, "\\5ca\\28b\\29c at def"}, + {"\\a(b)c at def", false, true, "\\5ca\\28b\\29c at DEF"}, + {"\\a(b)c at def", true, true, "\\5ca\\28b\\29c at DEF"}, + {"\\a(b)c at def", true, false, "\\5ca\\28b\\29c at def"}, + {"abc at de*f", false, false, "abc at de*f"}, + {"abc at de*f", false, true, "abc at DE*F"}, + {"abc at de*f", true, true, "abc at DE\\2AF"}, + {"abc at de*f", true, false, "abc at de\\2af"}, + /* Special characters must be UTF-8 encoded, don't change encoding */ + {"abc@???", false, false, "abc@???"}, + {"abc@???", false, true, "abc@???"}, + {"abc@???", true, true, "abc@???"}, + {"abc@???", true, false, "abc@???"}, + {NULL, false, false, NULL} + }; + + out = ipadb_filter_escape(NULL, false, false); + assert_null(out); + + for (c = 0; test_data[c]. in != NULL; c++) { + out = ipadb_filter_escape(test_data[c].in, test_data[c].star, + test_data[c].canon); + assert_string_equal(out, test_data[c].exp_out); + free(out); + } +} + int main(int argc, const char *argv[]) { 
@@ -473,6 +527,7 @@ int main(int argc, const char *argv[]) unit_test_setup_teardown(test_filter_logon_info, setup, teardown), unit_test(test_string_to_sid), unit_test_setup_teardown(test_dom_sid_string, setup, teardown), + unit_test(test_ipadb_filter_escape), }; return run_tests(tests); -- 2.4.3 -------------- next part -------------- From 067b284d041994442b825aac8326d4624789d652 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Tue, 28 Jul 2015 10:56:26 +0200 Subject: [PATCH 150/150] IPA KDB: use empty profile to init krb5 context in tests If the systems /etc/krb5.conf contains some unexpected or broken configuration the test might fail. With this patch the tests are run with an empty configuration. --- daemons/ipa-kdb/tests/ipa_kdb_tests.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/daemons/ipa-kdb/tests/ipa_kdb_tests.c b/daemons/ipa-kdb/tests/ipa_kdb_tests.c index 3f8a0bfd0bc2ac01ab84b44ee3942473bcc01d96..5f0dda6e8a59e5a76c296bfa209801bfd20c40ab 100644 --- a/daemons/ipa-kdb/tests/ipa_kdb_tests.c +++ b/daemons/ipa-kdb/tests/ipa_kdb_tests.c @@ -27,6 +27,7 @@ #include #include #include +#include #include @@ -79,8 +80,13 @@ void setup(void **state) krb5_error_code kerr; struct ipadb_context *ipa_ctx; struct test_ctx *test_ctx; + struct _profile_t *profile; + long perr; - kerr = krb5_init_context(&krb5_ctx); + perr = profile_init(NULL, &profile); + assert_int_equal(perr, 0); + + kerr = krb5_init_context_profile(profile, 0, &krb5_ctx); assert_int_equal(kerr, 0); kerr = krb5_db_setup_lib_handle(krb5_ctx); assert_int_equal(kerr, 0); -- 2.4.3 From jpazdziora at redhat.com Tue Jul 28 13:56:47 2015 
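Review bot: the prototype and the definition now disagree on the new parameter's name: the ipa_kdb.h hunk adds `char *ipadb_filter_escape(const char *input, bool star, bool unify);` while ipa_kdb_common.c defines it as `char *ipadb_filter_escape(const char *input, bool star, bool canon)`. The thread settled on 'canon', so rename it in the header as well, and add a one-line comment there saying what the flag does (upper-case the realm after the last '@' of the escaped name), since the header is all most callers read.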
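Review bot: in canon_princ() (first ipa_kdb_common.c hunk) the second argument of u8_toupper() is the length of the input, but the call passes `size`, which was just initialised to PRINC_BUF_SIZE: `uc_realm = u8_toupper((const uint8_t *)( p + 1), size, NULL, NULL, buf, &size);`. That makes the function read 512 bytes from the realm onwards, past the NUL of the escaped string it is given, and the result is only NUL-terminated because the over-read happens to copy that NUL along, which the following `%s` then relies on. Pass `strlen(p + 1) + 1` as the input length (including the terminator so the output is terminated) and leave `size` as the in/out size of `buf` only. In the same function: when the upper-cased realm does not fit in `buf`, u8_toupper() returns a freshly malloc()ed buffer that is never freed here, so either free it when `uc_realm != buf` after the asprintf() or make the too-long case the hard failure Simo suggested; `(p - princ)` is a ptrdiff_t passed where `%.*s` expects an int, so cast it; the local `canon_princ` shadows the function of the same name; and the "Assume the worst-case." comment no longer describes what the code does.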
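Review bot: the new block in ipadb_filter_escape() (second ipa_kdb_common.c hunk) turns every failure of canon_princ() into "return the un-canonicalised name", so an asprintf() allocation failure is indistinguishable from "no '@' in the name" and the KDC quietly searches with the original realm case. Consider letting canon_princ() report allocation failure separately (callers already treat a NULL return from ipadb_filter_escape() as an error), and extend the `/* return output in case of an error */` comment to say that canonicalisation runs on the already-escaped string, which is why the test table expects a `\2a` inside a component to stay lower case while a `\2a` inside the realm comes out as `\2A`.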
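Review bot: the comment above the changed call in ipadb_fetch_principals(), `/* escape filter but do not touch '*' as this function accepts wildcards in names */`, should also say that the realm is upper-cased whenever the caller passed KRB5_KDB_FLAG_ALIAS_OK, i.e. whenever the client asked for canonicalization, since that is the behavioural change of this patch and nothing at the call site documents it. Passing `(flags & KRB5_KDB_FLAG_ALIAS_OK)` to a `bool` parameter is correct under C99 (conversion to _Bool is a "not zero" test), but writing `!= 0` would make the intent explicit.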
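Review bot: the test table in test_ipadb_filter_escape() covers case and escaping but not the two behaviours the thread argued about: a principal whose component itself contains '@' (where strrchr() must pick the last separator and leave the component's case alone) and a realm longer than PRINC_BUF_SIZE (the malloc fallback or the hard failure). Add one row for each. Also, `assert_string_equal(out, test_data[c].exp_out);` dereferences `out` when it is NULL, so an allocation failure shows up as a crash rather than a failed assertion; an `assert_non_null(out);` before it gives a clearer report.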
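Review bot: in the second patch, the added `#include` line arrives on the list with its header name missing, as do the three context includes around it (the archive has stripped the angle-bracketed text), so the hunk cannot be checked as posted; please verify in the repository which header the new `profile_init()` / `krb5_init_context_profile()` calls rely on, or resend the patch as an attachment.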
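Review bot: in setup() `profile` is created with `profile_init(NULL, &profile)` but never released; krb5_init_context_profile() works on its own copy of the profile rather than taking ownership of the handle, so the test should call profile_release(profile) once the context exists (or keep the handle in test_ctx and release it in teardown), otherwise every test case leaks a profile. Also prefer the public typedef `profile_t` over `struct _profile_t *`, which spells out the library's private struct tag.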
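The realm-canonicalising escape discussed in this thread (Simo's points about using strrchr() rather than strchr(), putting the flag on the escape function, and a fixed buffer that fails instead of growing), as an added example in C that is not code from the FreeIPA patch or from any of the posters. The names filter_escape, put_escaped, escapes_to, accepts_length and PRINC_MAX are chosen here. Unlike the patch, which uses libunistring's u8_toupper() for UTF-8 realms, the realm upper-casing below is ASCII-only and bytes at or above 0x80 pass through unchanged; and because the case change is applied to the name before escaping, hex escapes are always emitted in lower case.

```c
/*
 * Added example, not code from the FreeIPA patch or from the thread: an LDAP
 * filter escape with an optional realm-canonicalisation flag. Metacharacters
 * become RFC 4515 hex escapes, the realm is found with strrchr() (an '@'
 * inside a component is not the separator), and the result is assembled in
 * a fixed stack buffer that fails outright rather than growing. Upper-casing
 * is ASCII-only here; the patch itself uses libunistring's u8_toupper().
 * All names below are chosen for this example.
 */
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PRINC_MAX 512   /* hypothetical hard limit on an escaped principal */

/* Append one byte to buf, as "\xx" for a filter metacharacter; false on overflow. */
static bool put_escaped(char *buf, size_t *pos, unsigned char c, bool star)
{
    static const char hex[] = "0123456789abcdef";
    bool escape = (c == '\\' || c == '(' || c == ')' || (star && c == '*'));
    size_t need = escape ? 3 : 1;

    if (*pos + need >= PRINC_MAX)       /* keep one byte for the NUL */
        return false;
    if (escape) {
        buf[(*pos)++] = '\\';
        buf[(*pos)++] = hex[c >> 4];
        buf[(*pos)++] = hex[c & 0x0f];
    } else {
        buf[(*pos)++] = (char)c;
    }
    return true;
}

/* Escape `input` for use inside an LDAP search filter, so that characters
 * in a name cannot alter the structure of the filter it is spliced into.
 * star: also escape '*' (false keeps it as a wildcard for pattern lookups).
 * canon: upper-case the realm, i.e. everything after the LAST '@'.
 * Returns a malloc()ed string, or NULL for NULL input or an oversized name. */
char *filter_escape(const char *input, bool star, bool canon)
{
    char buf[PRINC_MAX];
    size_t pos = 0;
    const char *realm = NULL;

    if (input == NULL)
        return NULL;
    if (canon) {
        realm = strrchr(input, '@');    /* last '@', never the first one */
        if (realm != NULL)
            realm++;                    /* realm text starts after it */
    }
    for (const char *s = input; *s != '\0'; s++) {
        unsigned char c = (unsigned char)*s;
        if (realm != NULL && s >= realm && c < 0x80)
            c = (unsigned char)toupper(c);   /* ASCII-only case mapping */
        if (!put_escaped(buf, &pos, c, star))
            return NULL;                /* too long: fail, do not grow */
    }
    buf[pos] = '\0';
    return strdup(buf);
}

/* True when filter_escape(in, star, canon) yields exactly `expected`. */
bool escapes_to(const char *in, bool star, bool canon, const char *expected)
{
    char *out = filter_escape(in, star, canon);
    bool ok = (out != NULL && strcmp(out, expected) == 0);
    free(out);
    return ok;
}

/* True when a plain name of `len` bytes is accepted rather than rejected as too long. */
bool accepts_length(size_t len)
{
    char *name = malloc(len + 1), *out;
    bool ok;
    if (name == NULL)
        return false;
    memset(name, 'a', len);
    name[len] = '\0';
    out = filter_escape(name, false, false);
    ok = (out != NULL && strlen(out) == len);
    free(out);
    free(name);
    return ok;
}

int main(void)
{
    /* Constructed sample names, one with an '@' inside a component. */
    const char *samples[] = { "ab*c@example.test", "a@b@realm", "\\a(b)c@def" };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char *out = filter_escape(samples[i], true, true);
        printf("%-20s -> %s\n", samples[i], out ? out : "(rejected)");
        free(out);
    }
    return 0;
}
```

Build with `cc -std=c99 -Wall`. Two properties are worth keeping when adapting this: the length check happens before every write, so a name that does not fit is rejected rather than truncated into a different but still well-formed filter, and strrchr() picks the separator, so a component containing '@' is never upper-cased as if it were the realm.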
From: jpazdziora at redhat.com (Jan Pazdziora)
Date: Tue, 28 Jul 2015 15:56:47 +0200
Subject: [Freeipa-devel] 4.2: ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to restart the Dogtag instance.
In-Reply-To: <20150728122550.GT21928@redhat.com>
References: <20150728121628.GA30165@redhat.com> <20150728122550.GT21928@redhat.com>
Message-ID: <20150728135647.GS11345@redhat.com>

On Tue, Jul 28, 2015 at 03:25:50PM +0300, Alexander Bokovoy wrote:
> On Tue, 28 Jul 2015, Jan Pazdziora wrote:
> >
> >I do run it in container so it could be related, so I'm mostly looking
> >for blind hints about what might have changed in the installer or
> >in dogtag itself in 4.2 that could cause this. For example, did we make
> >the timeout shorter?
>
> The timeout is 300:
> >2015-07-28T11:15:42Z DEBUG wait_for_open_ports: localhost [8080, 8443] timeout 300
>
> You can look at dogtag's catalina-.log, to see how long it
> took:
> # grep 'Server startup' /var/log/pki/pki-tomcat/catalina.2015-07-24.log
> INFO: Server startup in 27159 ms
> INFO: Server startup in 11323 ms
> INFO: Server startup in 10472 ms
> INFO: Server startup in 11158 ms
> INFO: Server startup in 11194 ms

INFO: Server startup in 5444 ms
INFO: Server startup in 5936 ms
INFO: Server startup in 5804 ms

--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

From cheimes at redhat.com Tue Jul 28 14:18:56 2015
From: cheimes at redhat.com (Christian Heimes)
Date: Tue, 28 Jul 2015 16:18:56 +0200
Subject: [Freeipa-devel] [PATCH 020] Change internal rsa_(public|private)_key variable names
Message-ID: <55B78F50.6070303@redhat.com>

In two places the vault plugin refers to rsa public or rsa private key although the code can handle just any kind of asymmetric algorithms, e.g. ECDSA. The patch just renames the occurrences to avoid more confusion in the future.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-cheimes-0020-Change-internal-rsa_-public-private-_key-variable-na.patch
Type: text/x-patch
Size: 1871 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: OpenPGP digital signature
URL:

From simo at redhat.com Tue Jul 28 14:28:01 2015
From: simo at redhat.com (Simo Sorce)
Date: Tue, 28 Jul 2015 10:28:01 -0400
Subject: [Freeipa-devel] [PATCH 020] Change internal rsa_(public|private)_key variable names
In-Reply-To: <55B78F50.6070303@redhat.com>
References: <55B78F50.6070303@redhat.com>
Message-ID: <1438093681.18261.12.camel@willson.usersys.redhat.com>

On Tue, 2015-07-28 at 16:18 +0200, Christian Heimes wrote:
> In two places the vault plugin refers to rsa public or rsa private key
> although the code can handle just any kind of asymmetric algorithms,
> e.g. ECDSA. The patch just renames the occurrences to avoid more
> confusion in the future.

LGTM.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From mbasti at redhat.com Tue Jul 28 14:54:18 2015
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 28 Jul 2015 16:54:18 +0200
Subject: [Freeipa-devel] Replace stageuser-add --from-delete with user-undel --to-staged
In-Reply-To: <55B75A9F.7090308@redhat.com>
References: <55B0E154.7000907@redhat.com> <55B65565.7090409@redhat.com> <55B74AEB.3050000@redhat.com> <55B74D08.2010207@redhat.com> <55B75A9F.7090308@redhat.com>
Message-ID: <55B7979A.5020303@redhat.com>

On 28/07/15 12:34, Jan Cholasta wrote:
> On 28.7.2015 11:36, Lenka Doudova wrote:
>>
>>
>> On 28.7.2015 11:27, Jan Cholasta wrote:
>>> On 27.7.2015 17:59, Martin Basti wrote:
>>>> On 23/07/15 14:43, Martin Basti wrote:
>>>>> Hello,
>>>>>
>>>>> I tried to fix #5145 and I partially succeeded.
>>>>>
>>>>> However, I cannot fix this part of ticket, where user is prompted to
>>>>> write name and surname.
>>>>>
>>>>> $ ipa stageuser-add tuser --from-delete
>>>>> First name: this will be ignored
>>>>> Last name: this will be also ignored
>>>>> ------------------------
>>>>> Added stage user "tuser"
>>>>> ------------------------
>>>>>
>>>>> As the first name and last name are mandatory attributes of
>>>>> stageuser-add command, but they are not needed when the
>>>>> --from-delete option is used.
>>>>> I would like to ask how to fix this issue, IMO this will be huge hack
>>>>> in internal API. Or should we just document this bug as known issue
>>>>> (thierry wrote that this is not use case that should be used often)?
>>>>>
>>>>> The best solution would be separate command, but this idea was
>>>>> rejected in thread "[Freeipa-devel] User life cycle: question
>>>>> regarding the design"
>>>>>
>>>>> Regards
>>>>> Martin^2
>>>>>
>>>> Hello,
>>>>
>>>> as was mentioned before, we have issue with current internal API
>>>> and the
>>>> stageuser-add --from-delete command.
>>>>
>>>> We discussed this today, and we did not find a nice way how to fix it,
>>>> so we propose this (which is IMO the best solution):
>>>>
>>>> * stageuser-add --from-delete should be deprecated
>>>
>>> +1
>>>
>>>> * create new option for user-undel: user-undel --to-staged (or create
>>>> new command) that will handle moving deleted users to staged area as
>>>> --from-delete did.
>>>
>>> Make it new command please.
>>>
>>>>
>>>> Instead of stageuser-add and option --from-delete, which work totally
>>>> different, the command user-undel does similar operation to
>>>> stage-user
>>>> --from-delete, it just uses different container.
>>>
>>> NACK on stuffing everything into a single command just because it does
>>> something similar.
>>
>> How about making it a 'stageuser-undel'? The 'user-undel' moves
>> preserved user to active, so the 'stageuser-undel' would move preserved
>> to staged. The action is similar, but has slightly different specifics
>> (which attributes are preserved etc.), and for me the 'stageuser-undel'
>> feels more natural than 'user-undel --to-staged' since it's basically
>> the same as there is 'stageuser-add' for creating a staged user, not
>> 'user-add --to-staged'. It would be in the same style as all the other
>> commands concerning operations with users in staged container.
>
> Well, user-undel is the opposite of user-del, and stageuser-undel
> should be the opposite of stageuser-del. The stageuser-undel you are
> suggesting is not.
>
> Also I'm not sure if we want to (always) remove the deleted user once
> a staged user is created from it, but -undel behaves like that.
>
> I don't think the command should be limited to deleted users only.
> Active and deleted users share the same namespace, so it is an
> arbitrary limitation.
>
> I think that what we are looking for is the opposite of
> stageuser-activate. So maybe user-stage?
>

Can we use stageuser-from-deleted ?

--
Martin Basti

From pvoborni at redhat.com Tue Jul 28 14:56:36 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Tue, 28 Jul 2015 16:56:36 +0200
Subject: [Freeipa-devel] Replace stageuser-add --from-delete with user-undel --to-staged
In-Reply-To: <55B7979A.5020303@redhat.com>
References: <55B0E154.7000907@redhat.com> <55B65565.7090409@redhat.com> <55B74AEB.3050000@redhat.com> <55B74D08.2010207@redhat.com> <55B75A9F.7090308@redhat.com> <55B7979A.5020303@redhat.com>
Message-ID: <55B79824.9050106@redhat.com>

On 07/28/2015 04:54 PM, Martin Basti wrote:
> On 28/07/15 12:34, Jan Cholasta wrote:
>> On 28.7.2015 11:36, Lenka Doudova wrote:
>>>
>>>
>>> On 28.7.2015 11:27, Jan Cholasta wrote:
>>>> On 27.7.2015 17:59, Martin Basti wrote:
>>>>> On 23/07/15 14:43, Martin Basti wrote:
>>>>>> Hello,
>>>>>>
>>>>>> I tried to fix #5145 and I partially succeeded.
>>>>>>
>>>>>> However, I cannot fix this part of ticket, where user is prompted to
>>>>>> write name and surname.
>>>>>>
>>>>>> $ ipa stageuser-add tuser --from-delete
>>>>>> First name: this will be ignored
>>>>>> Last name: this will be also ignored
>>>>>> ------------------------
>>>>>> Added stage user "tuser"
>>>>>> ------------------------
>>>>>>
>>>>>> As the first name and last name are mandatory attributes of
>>>>>> stageuser-add command, but they are not needed when the
>>>>>> --from-delete option is used.
>>>>>> I would like to ask how to fix this issue, IMO this will be huge hack
>>>>>> in internal API. Or should we just document this bug as known issue
>>>>>> (thierry wrote that this is not use case that should be used often)?
>>>>>>
>>>>>> The best solution would be separate command, but this idea was
>>>>>> rejected in thread "[Freeipa-devel] User life cycle: question
>>>>>> regarding the design"
>>>>>>
>>>>>> Regards
>>>>>> Martin^2
>>>>>>
>>>>> Hello,
>>>>>
>>>>> as was mentioned before, we have issue with current internal API
>>>>> and the
>>>>> stageuser-add --from-delete command.
>>>>>
>>>>> We discussed this today, and we did not find a nice way how to fix it,
>>>>> so we propose this (which is IMO the best solution):
>>>>>
>>>>> * stageuser-add --from-delete should be deprecated
>>>>
>>>> +1
>>>>
>>>>> * create new option for user-undel: user-undel --to-staged (or create
>>>>> new command) that will handle moving deleted users to staged area as
>>>>> --from-delete did.
>>>>
>>>> Make it new command please.
>>>>
>>>>>
>>>>> Instead of stageuser-add and option --from-delete, which work totally
>>>>> different, the command user-undel does similar operation to
>>>>> stage-user
>>>>> --from-delete, it just uses different container.
>>>>
>>>> NACK on stuffing everything into a single command just because it does
>>>> something similar.
>>>
>>> How about making it a 'stageuser-undel'? The 'user-undel' moves
>>> preserved user to active, so the 'stageuser-undel' would move preserved
>>> to staged. The action is similar, but has slightly different specifics
>>> (which attributes are preserved etc.), and for me the 'stageuser-undel'
>>> feels more natural than 'user-undel --to-staged' since it's basically
>>> the same as there is 'stageuser-add' for creating a staged user, not
>>> 'user-add --to-staged'. It would be in the same style as all the other
>>> commands concerning operations with users in staged container.
>>
>> Well, user-undel is the opposite of user-del, and stageuser-undel
>> should be the opposite of stageuser-del. The stageuser-undel you are
>> suggesting is not.
>>
>> Also I'm not sure if we want to (always) remove the deleted user once
>> a staged user is created from it, but -undel behaves like that.
>>
>> I don't think the command should be limited to deleted users only.
>> Active and deleted users share the same namespace, so it is an
>> arbitrary limitation.
>>
>> I think that what we are looking for is the opposite of
>> stageuser-activate. So maybe user-stage?
>>
>
> Can we use stageuser-from-deleted ?
>

user-stage sounds better to me than stageuser-from-deleted

--
Petr Vobornik

From jcholast at redhat.com Tue Jul 28 14:57:42 2015
From: jcholast at redhat.com (Jan Cholasta)
Date: Tue, 28 Jul 2015 16:57:42 +0200
Subject: [Freeipa-devel] Replace stageuser-add --from-delete with user-undel --to-staged
In-Reply-To: <55B7979A.5020303@redhat.com>
References: <55B0E154.7000907@redhat.com> <55B65565.7090409@redhat.com> <55B74AEB.3050000@redhat.com> <55B74D08.2010207@redhat.com> <55B75A9F.7090308@redhat.com> <55B7979A.5020303@redhat.com>
Message-ID: <55B79866.7070101@redhat.com>

On 28.7.2015 16:54, Martin Basti wrote:
> On 28/07/15 12:34, Jan Cholasta wrote:
>> On 28.7.2015 11:36, Lenka Doudova wrote:
>>>
>>>
>>> On 28.7.2015 11:27, Jan Cholasta wrote:
>>>> On 27.7.2015 17:59, Martin Basti wrote:
>>>>> On 23/07/15 14:43, Martin Basti wrote:
>>>>>> Hello,
>>>>>>
>>>>>> I tried to fix #5145 and I partially succeeded.
>>>>>>
>>>>>> However, I cannot fix this part of ticket, where user is prompted to
>>>>>> write name and surname.
>>>>>>
>>>>>> $ ipa stageuser-add tuser --from-delete
>>>>>> First name: this will be ignored
>>>>>> Last name: this will be also ignored
>>>>>> ------------------------
>>>>>> Added stage user "tuser"
>>>>>> ------------------------
>>>>>>
>>>>>> As the first name and last name are mandatory attributes of
>>>>>> stageuser-add command, but they are not needed when the
>>>>>> --from-delete option is used.
>>>>>> I would like to ask how to fix this issue, IMO this will be huge hack
>>>>>> in internal API. Or should we just document this bug as known issue
>>>>>> (thierry wrote that this is not use case that should be used often)?
>>>>>>
>>>>>> The best solution would be separate command, but this idea was
>>>>>> rejected in thread "[Freeipa-devel] User life cycle: question
>>>>>> regarding the design"
>>>>>>
>>>>>> Regards
>>>>>> Martin^2
>>>>>>
>>>>> Hello,
>>>>>
>>>>> as was mentioned before, we have issue with current internal API
>>>>> and the
>>>>> stageuser-add --from-delete command.
>>>>>
>>>>> We discussed this today, and we did not find a nice way how to fix it,
>>>>> so we propose this (which is IMO the best solution):
>>>>>
>>>>> * stageuser-add --from-delete should be deprecated
>>>>
>>>> +1
>>>>
>>>>> * create new option for user-undel: user-undel --to-staged (or create
>>>>> new command) that will handle moving deleted users to staged area as
>>>>> --from-delete did.
>>>>
>>>> Make it new command please.
>>>>
>>>>>
>>>>> Instead of stageuser-add and option --from-delete, which work totally
>>>>> different, the command user-undel does similar operation to
>>>>> stage-user
>>>>> --from-delete, it just uses different container.
>>>>
>>>> NACK on stuffing everything into a single command just because it does
>>>> something similar.
>>>
>>> How about making it a 'stageuser-undel'? The 'user-undel' moves
>>> preserved user to active, so the 'stageuser-undel' would move preserved
>>> to staged. The action is similar, but has slightly different specifics
>>> (which attributes are preserved etc.), and for me the 'stageuser-undel'
>>> feels more natural than 'user-undel --to-staged' since it's basically
>>> the same as there is 'stageuser-add' for creating a staged user, not
>>> 'user-add --to-staged'. It would be in the same style as all the other
>>> commands concerning operations with users in staged container.
>>
>> Well, user-undel is the opposite of user-del, and stageuser-undel
>> should be the opposite of stageuser-del. The stageuser-undel you are
>> suggesting is not.
>>
>> Also I'm not sure if we want to (always) remove the deleted user once
>> a staged user is created from it, but -undel behaves like that.
>>
>> I don't think the command should be limited to deleted users only.
>> Active and deleted users share the same namespace, so it is an
>> arbitrary limitation.
>>
>> I think that what we are looking for is the opposite of
>> stageuser-activate. So maybe user-stage?
>>
>
> Can we use stageuser-from-deleted ?
> "from-deleted" is not a verb and like I said, restricting the command to deleted users only is rather arbitrary.

-- Jan Cholasta

From jpazdziora at redhat.com Tue Jul 28 15:06:29 2015
From: jpazdziora at redhat.com (Jan Pazdziora)
Date: Tue, 28 Jul 2015 17:06:29 +0200
Subject: [Freeipa-devel] 4.2: ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to restart the Dogtag instance.
In-Reply-To: <20150728135647.GS11345@redhat.com>
References: <20150728121628.GA30165@redhat.com> <20150728122550.GT21928@redhat.com> <20150728135647.GS11345@redhat.com>
Message-ID: <20150728150629.GT11345@redhat.com>

On Tue, Jul 28, 2015 at 03:56:47PM +0200, Jan Pazdziora wrote:
>
> INFO: Server startup in 5444 ms
> INFO: Server startup in 5936 ms
> INFO: Server startup in 5804 ms

Running netstat at the time when the tomcat should have restarted and be ready shows

# /usr/bin/netstat -tln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp6       0      0 127.0.0.1:8005          :::*                    LISTEN
tcp6       0      0 :::389                  :::*                    LISTEN
tcp6       0      0 127.0.0.1:8009          :::*                    LISTEN
tcp6       0      0 :::8443                 :::*                    LISTEN

The :::8080 is missing. Will try to figure out what causes 8443 listen to happen but not 8080.

-- Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

From mkosek at redhat.com Tue Jul 28 15:21:29 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 28 Jul 2015 17:21:29 +0200
Subject: [Freeipa-devel] Move 4.1.5 tickets to 4.2.1
Message-ID: <55B79DF9.8020104@redhat.com>

With FreeIPA 4.2.0 released, I think we can move all the 4.1.5 tickets to FreeIPA 4.2.1 bucket and the fixes be based on that release. I would only do exception if some of the fixes are critical for platforms that did not adopt FreeIPA 4.2.0 yet (most of them ;-), but I am not aware of such tickets.

-- Martin Kosek
Supervisor, Software Engineering - Identity Management Team
Red Hat Inc.

From dkupka at redhat.com Wed Jul 29 07:02:43 2015
From: dkupka at redhat.com (David Kupka) Date: Wed, 29 Jul 2015 09:02:43 +0200 Subject: [Freeipa-devel] [PATCH 0286, 0290] Sysrestore: copy files instead of moving them to avoid SELinux issues In-Reply-To: <55A91244.3050504@redhat.com> References: <55A682FF.8000000@redhat.com> <20150715160118.GJ21928@redhat.com> <55A68728.7050606@redhat.com> <20150717110416.GZ21928@redhat.com> <55A8E4C8.2020706@redhat.com> <20150717112538.GA21928@redhat.com> <55A8E71B.4090103@redhat.com> <20150717114440.GB21928@redhat.com> <55A8EB23.7030802@redhat.com> <55A8EDAB.7050000@redhat.com> <55A91244.3050504@redhat.com> Message-ID: <55B87A93.1010108@redhat.com> On 17/07/15 16:33, Martin Basti wrote: > On 17/07/15 13:57, Petr Vobornik wrote: >> On 07/17/2015 01:46 PM, Petr Vobornik wrote: >>> On 07/17/2015 01:44 PM, Alexander Bokovoy wrote: >>>> On Fri, 17 Jul 2015, Martin Basti wrote: >>>>> From b05f4a2e17ae00e5c20e5eb7bd046472f100e0ad Mon Sep 17 00:00:00 2001 >>>>> From: Martin Basti >>>>> Date: Wed, 15 Jul 2015 16:20:59 +0200 >>>>> Subject: [PATCH] sysrestore: copy files instead of moving them to >>>>> avoind >>>>> SELinux issues >>>> >>>> ACK. >>>> >>> >>> Pushed to: >>> master: 9f701283534745bf93b41a1886183e9ef1d06566 >>> ipa-4-2: 92a73e8b2a5f26744b036a36de4b9956e8883f61 >> >> Does it really fix the whole ticket? >> >> There is also in freeipa.spec.in %post client (i.e. upgrade): >> >> cat /etc/krb5.conf >> /etc/krb5.conf.ipanew >> mv /etc/krb5.conf.ipanew /etc/krb5.conf >> /sbin/restorecon /etc/krb5.conf >> >> + some others. >> >> Between the mv and restorecon, SSSD tries to access the file and >> raises AVC. >> >> In this case we can freely use mv -z since target platforms are Fedora >> and newest RHEL. > > The new patch fixing specfile attached. > > > Works for me, ACK. -- David Kupka From msimacek at redhat.com Wed Jul 29 08:09:46 2015 
From: msimacek at redhat.com (Michael Šimáček)
Date: Wed, 29 Jul 2015 10:09:46 +0200
Subject: [Freeipa-devel] [PATCH 0002] Port from python-krbV to python-gssapi
Message-ID: <55B88A4A.9070601@redhat.com>

Hi,

this is the first attempt to port FreeIPA from deprecated python3-incompatible python-krbV library to python-gssapi. The patch depends on python-kerberos->python-gssapi patch [1] to apply cleanly, but the overlap is small, so I think it can be at least partially reviewed without it.

Comments:

I removed Backend.krb and KRB5_CCache classes as they were wrappers around krbV classes. I added few utility functions to krb_utils module that perform part of its functionality (no need for classes, because gssapi acquire calls don't pass any context objects, they wouldn't have any state). I merged the two different kinit_keytab functions.

GSSAPI doesn't provide any method (that I'm aware of) to get default ccache name. In most cases this is not needed as we can simply not pass any name and it will use the default. The ldap plugin had to be adjusted for this - the connect method now takes new use_gssapi argument, which can turn on gssapi support without the need to supply explicit ccache name. The only place where the ccache name is really needed is the test server, where I use system klist command to obtain it.

It's also not possible to directly get default realm name, what I do is importing nonexistent name, canonicalizing it and extracting the realm from it. Which should work but is ugly. It would be better if we could modify the places that use it to not need it at all, but it's mostly used in ldap code and I don't understand that part of FreeIPA. Alternative would be parsing /etc/krb.conf.

Sorry for long patch, but I'm afraid it cannot be reasonably split.
Ticket: https://fedorahosted.org/freeipa/ticket/5164 [1] https://fedorahosted.org/freeipa/ticket/5147 -- Michael Simacek -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-msimacek-0002-2-Port-from-python-krbV-to-python-gssapi.patch Type: text/x-patch Size: 68875 bytes Desc: not available URL: From cheimes at redhat.com Wed Jul 29 09:56:50 2015 
From: cheimes at redhat.com (Christian Heimes)
Date: Wed, 29 Jul 2015 11:56:50 +0200
Subject: [Freeipa-devel] [PATCH 0002] Port from python-krbV to python-gssapi
In-Reply-To: <55B88A4A.9070601@redhat.com>
References: <55B88A4A.9070601@redhat.com>
Message-ID: <55B8A362.1090705@redhat.com>

On 2015-07-29 10:09, Michael Šimáček wrote:
> GSSAPI doesn't provide any method (that I'm aware of) to get default
> ccache name. In most cases this is not needed as we can simply not pass
> any name and it will use the default. The ldap plugin had to be adjusted
> for this - the connect method now takes new use_gssapi argument, which
> can turn on gssapi support without the need to supply explicit ccache
> name. The only place where the ccache name is really needed is the test
> server, where I use system klist command to obtain it.

You can use ctypes or cffi for the task, too. It's much faster and more convenient. Here is a quick example how to use ctypes for the function calls. kdcproxy uses similar code to parse /etc/krb5.conf.

>>> import ctypes
>>> LIBKRB5 = ctypes.CDLL('libkrb5.so.3')
>>> ctx = ctypes.c_void_p()
>>> ccache = ctypes.c_void_p()
>>> LIBKRB5.krb5_init_context(ctypes.byref(ctx))
0
>>> LIBKRB5.krb5_cc_default(ctx, ctypes.byref(ccache))
0
>>> LIBKRB5.krb5_cc_get_type.restype = ctypes.c_char_p
>>> LIBKRB5.krb5_cc_get_name.restype = ctypes.c_char_p
>>> LIBKRB5.krb5_cc_get_type(ctx, ccache)
'KEYRING'
>>> LIBKRB5.krb5_cc_get_name(ctx, ccache)
'persistent:1000:1000'
>>> LIBKRB5.krb5_cc_close(ctx, ccache)
>>> LIBKRB5.krb5_free_context(ctx)

If you like the approach I can write a more safe implementation with proper error checking.

Christian

From mbabinsk at redhat.com Wed Jul 29 10:20:16 2015
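The ctypes session above, carried through with the error checking Christian offers to add, as an added example that is neither his nor FreeIPA's code: every krb5_error_code is checked and turned into an exception carrying libkrb5's own message, pointer-sized prototypes are declared so the calls are safe on 64-bit hosts, and the default realm is fetched with krb5_get_default_realm (the other value Michael's message needs). It assumes MIT Kerberos is installed as libkrb5.so.3; split_ccache_name is a pure-Python helper of mine that mirrors how krb5_cc_resolve treats a name without a type prefix.

```python
"""Default ccache and realm from libkrb5 via ctypes, with error checking.

Added example, not FreeIPA's or Christian's code; assumes MIT libkrb5.so.3.
"""
import ctypes

VOIDP, VOIDPP = ctypes.c_void_p, ctypes.POINTER(ctypes.c_void_p)
KRB5_ERROR_CODE = ctypes.c_int32


class Krb5Error(RuntimeError):
    """A libkrb5 call returned a non-zero krb5_error_code."""


class Krb5Unavailable(RuntimeError):
    """libkrb5.so.3 could not be loaded on this host."""


def _load_libkrb5():
    """Load libkrb5 and declare prototypes for the functions used below."""
    try:
        lib = ctypes.CDLL("libkrb5.so.3")
    except OSError as exc:
        raise Krb5Unavailable("cannot load libkrb5.so.3: %s" % exc)
    # Without prototypes ctypes assumes C int everywhere and would truncate
    # 64-bit krb5_context/krb5_ccache pointers; krb5_get_error_message keeps
    # a void* return (not c_char_p) so the pointer survives to be freed.
    prototypes = (
        ("krb5_init_context", [VOIDPP], KRB5_ERROR_CODE),
        ("krb5_free_context", [VOIDP], None),
        ("krb5_cc_default", [VOIDP, VOIDPP], KRB5_ERROR_CODE),
        ("krb5_cc_close", [VOIDP, VOIDP], KRB5_ERROR_CODE),
        ("krb5_cc_get_type", [VOIDP, VOIDP], ctypes.c_char_p),
        ("krb5_cc_get_name", [VOIDP, VOIDP], ctypes.c_char_p),
        ("krb5_get_default_realm", [VOIDP, VOIDPP], KRB5_ERROR_CODE),
        ("krb5_free_default_realm", [VOIDP, VOIDP], None),
        ("krb5_get_error_message", [VOIDP, KRB5_ERROR_CODE], VOIDP),
        ("krb5_free_error_message", [VOIDP, VOIDP], None),
    )
    for name, argtypes, restype in prototypes:
        func = getattr(lib, name)
        func.argtypes, func.restype = argtypes, restype
    return lib


class Krb5Context(object):
    """Context manager owning a krb5_context and freeing it on exit."""

    def __init__(self):
        self.lib = _load_libkrb5()
        self.ctx = ctypes.c_void_p()
        ret = self.lib.krb5_init_context(ctypes.byref(self.ctx))
        if ret != 0:  # no context yet to ask for a message, report the code
            raise Krb5Error("krb5_init_context failed with code %d" % ret)

    def __enter__(self):
        return self

    def __exit__(self, *exc_info):
        self.lib.krb5_free_context(self.ctx)

    def check(self, ret, what):
        """Raise Krb5Error carrying libkrb5's own text if ret is non-zero."""
        if ret == 0:
            return
        msg = self.lib.krb5_get_error_message(self.ctx, ret)
        text = ctypes.string_at(msg).decode("utf-8", "replace") if msg else "?"
        if msg:
            self.lib.krb5_free_error_message(self.ctx, msg)
        raise Krb5Error("%s: %s (code %d)" % (what, text, ret))

    def default_ccache(self):
        """Return (type, name), e.g. ('KEYRING', 'persistent:1000:1000')."""
        cc = ctypes.c_void_p()
        self.check(self.lib.krb5_cc_default(self.ctx, ctypes.byref(cc)),
                   "krb5_cc_default")
        try:
            cc_type = self.lib.krb5_cc_get_type(self.ctx, cc).decode()
            cc_name = self.lib.krb5_cc_get_name(self.ctx, cc).decode()
        finally:
            self.check(self.lib.krb5_cc_close(self.ctx, cc), "krb5_cc_close")
        return cc_type, cc_name

    def default_realm(self):
        """Return the default realm (krb5.conf default_realm, or DNS)."""
        realm = ctypes.c_void_p()
        ret = self.lib.krb5_get_default_realm(self.ctx, ctypes.byref(realm))
        self.check(ret, "krb5_get_default_realm")
        try:
            return ctypes.string_at(realm.value).decode()
        finally:
            self.lib.krb5_free_default_realm(self.ctx, realm)


def split_ccache_name(ccname):
    """Split 'TYPE:residual' as krb5_cc_resolve() does: no prefix means FILE."""
    if ":" in ccname:
        return tuple(ccname.split(":", 1))
    return "FILE", ccname
```

Usage: `with Krb5Context() as krb: print(krb.default_ccache(), krb.default_realm())`; on a host without a default realm configured the second call raises Krb5Error with libkrb5's message instead of returning garbage.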
From: mbabinsk at redhat.com (Martin Babinsky) Date: Wed, 29 Jul 2015 12:20:16 +0200 Subject: [Freeipa-devel] [PATCH 0051] IPA server and replica installers can accept options from config file Message-ID: <55B8A8E0.404@redhat.com> Initial attempt to implement https://fedorahosted.org/freeipa/ticket/4517 Some points to discuss: 1.) name of the config entries: currently the option names are derived from CLI options but have underscores in them instead of dashes. Maybe keeping the CLI option names also for config entries will make it easier for the user to transfer their CLI options from scripts to config files. 2.) Config sections: there is currently only one valid section named '[global]' in accordance with the format of 'default.conf'. Should we have separate sections equivalent to option groups in CLI (e.g. [basic], [certificate system], [dns])? 3.) Handling of unattended mode when specifying a config file: Currently there is no connection between --config-file and unattended mode. So when you run ipa-server-install using config file, you still get asked for missing stuff. Should '--config-file' automatically imply '--unattended'? There are probably other issues to discuss. Feel free to write email/ping me on IRC. -- Martin^3 Babinsky -------------- next part -------------- A non-text attachment was scrubbed... Name: mbabinsk-freeipa-0051-IPA-server-and-replica-installers-can-accept-options.patch Type: text/x-patch Size: 5535 bytes Desc: not available URL: From abokovoy at redhat.com Wed Jul 29 10:37:50 2015 
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 29 Jul 2015 13:37:50 +0300
Subject: [Freeipa-devel] [PATCH 0051] IPA server and replica installers can accept options from config file
In-Reply-To: <55B8A8E0.404@redhat.com>
References: <55B8A8E0.404@redhat.com>
Message-ID: <20150729103750.GB4677@redhat.com>

On Wed, 29 Jul 2015, Martin Babinsky wrote:
>Initial attempt to implement
>https://fedorahosted.org/freeipa/ticket/4517
>
>Some points to discuss:
>
>1.) name of the config entries: currently the option names are derived
>from CLI options but have underscores in them instead of dashes. Maybe
>keeping the CLI option names also for config entries will make it
>easier for the user to transfer their CLI options from scripts to
>config files.
I would prefer that too. Or you can simply allow both _ and -, this should be relatively simple.

>2.) Config sections: there is currently only one valid section named
>'[global]' in accordance with the format of 'default.conf'. Should we
>have separate sections equivalent to option groups in CLI (e.g.
>[basic], [certificate system], [dns])?
What about using a different approach -- allowing to specify which section to process, defaulting to [global]. This would allow to have a single config file for whole setup, if needed, and just vary which section to use.

Maybe global section could always be processed and the rest could be used to amend the configuration?

As an example,

[global]
setup_dns
realm = EXAMPLE.COM
domain = example.com
ds-password = SuperSecretPasswordHere
admin-password = EquallySecretPasswordHere
mkhomedir

[m1.example.com]
hostname=m1.example.com

[m2.example.com]
hostname=m2.example.com
setup_dns = False
mkhomedir = False

You can see I also kind of suggest to allow accepting True/False to boolean options to allow _unsetting_ the effect of the default set in the [global] section.

>3.) Handling of unattended mode when specifying a config file:
>Currently there is no connection between --config-file and unattended
>mode. So when you run ipa-server-install using config file, you still
>get asked for missing stuff. Should '--config-file' automatically
>imply '--unattended'?
Well, there is certain beauty of providing some arguments from the config file and be asked for the rest. Unattended is more explicit in the way of handling so I would still keep them separate.

-- / Alexander Bokovoy

From pvoborni at redhat.com Wed Jul 29 10:50:24 2015
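The section layout Alexander sketches, carried through as a parser, as an added example that is not FreeIPA's code and not what the patch under review does: [global] is always applied, a host section amends it, a bare name is a boolean flag that an explicit True/False can unset, and '-' and '_' are accepted interchangeably in option names. The CLI rendering, the file-permission check (the file carries the DS and admin passwords in clear text, so a group- or world-readable one is refused) and the sample file's names are my assumptions; Python 3.

```python
"""Installer options from an INI file: [global] plus a per-host section.

Added example, not FreeIPA's code (Python 3). Section layout, bare names as
flags and True/False unsetting come from the proposal above; the '-'/'_'
equivalence, the CLI rendering and the permission check are assumptions.
"""
import os
from configparser import RawConfigParser

# Constructed sample, taken from the proposal above.
SAMPLE_CONFIG = """\
[global]
setup_dns
realm = EXAMPLE.COM
domain = example.com
ds-password = SuperSecretPasswordHere
admin-password = EquallySecretPasswordHere
mkhomedir

[m1.example.com]
hostname=m1.example.com

[m2.example.com]
hostname=m2.example.com
setup_dns = False
mkhomedir = False
"""


def normalize_name(name):
    """Accept both CLI-style 'ds-password' and knob-style 'ds_password'."""
    return name.strip().lower().replace("-", "_")


def parse_value(raw):
    """A bare name is a boolean flag switched on; an explicit True/False
    lets a host section unset a flag inherited from [global]."""
    if raw is None:
        return True
    text = raw.strip()
    if text.lower() == "true":
        return True
    if text.lower() == "false":
        return False
    return text


def load_options(text, section="global"):
    """Merge [global] with `section` (the host section wins) into a dict."""
    parser = RawConfigParser(allow_no_value=True)
    parser.read_string(text)
    if not parser.has_section(section):
        raise KeyError("no section [%s] in config" % section)
    merged = {}
    sections = ["global"] + ([section] if section != "global" else [])
    for sect in sections:
        for name, raw in parser.items(sect):
            merged[normalize_name(name)] = parse_value(raw)
    return merged


def is_private(mode):
    """True if the file mode grants no group/other permission bits; a file
    holding ds-password and admin-password must be owner-only."""
    return (mode & 0o077) == 0


def load_options_file(path, section="global"):
    """Read and merge a config file, refusing one other users can read."""
    if not is_private(os.stat(path).st_mode):
        raise PermissionError("%s is readable by other users, chmod 600 it" % path)
    with open(path) as fh:
        return load_options(fh.read(), section)


def to_cli_args(options):
    """Render merged options as installer CLI arguments ('_' back to '-'):
    True flags become bare switches, False flags are dropped."""
    args = []
    for name in sorted(options):
        value = options[name]
        flag = "--" + name.replace("_", "-")
        if value is True:
            args.append(flag)
        elif value is not False:
            args.append("%s=%s" % (flag, value))
    return args
```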
From: pvoborni at redhat.com (Petr Vobornik) Date: Wed, 29 Jul 2015 12:50:24 +0200 Subject: [Freeipa-devel] [PATCH 0051] IPA server and replica installers can accept options from config file In-Reply-To: <20150729103750.GB4677@redhat.com> References: <55B8A8E0.404@redhat.com> <20150729103750.GB4677@redhat.com> Message-ID: <55B8AFF0.20004@redhat.com> On 07/29/2015 12:37 PM, Alexander Bokovoy wrote: > On Wed, 29 Jul 2015, Martin Babinsky wrote: >> Initial attempt to implement >> https://fedorahosted.org/freeipa/ticket/4517 >> >> Some points to discuss: >> >> 1.) name of the config entries: currently the option names are derived >> from CLI options but have underscores in them instead of dashes. Maybe >> keeping the CLI option names also for config entries will make it >> easier for the user to transfer their CLI options from scripts to >> config files. > I would prefer that too. Or you can simply allow both _ and -, this > should be relatively simple. +1 > >> 2.) Config sections: there is currently only one valid section named >> '[global]' in accordance with the format of 'default.conf'. Should we >> have separate sections equivalent to option groups in CLI (e.g. >> [basic], [certificate system], [dns])? > What about using a different approach -- allowing to specify which > section to process, defaulting to [global]. This would allow to have a > single config file for whole setup, if needed, and just vary which > section to use. Interesting idea. > > Maybe global section could always be processed and the rest could be > used to amend the configuration? 
>
> As an example,
>
> [global]
> setup_dns
> realm = EXAMPLE.COM
> domain = example.com
> ds-password = SuperSecretPasswordHere
> admin-password = EquallySecretPasswordHere
> mkhomedir
>
> [m1.example.com]
> hostname=m1.example.com
>
>
> [m2.example.com]
> hostname=m2.example.com
> setup_dns = False
> mkhomedir = False
>
>
> You can see I also kind of suggest to allow accepting True/False to
> boolean options to allow _unsetting_ the effect of the default set in
> the [global] section.

+1

>
>> 3.) Handling of unattended mode when specifying a config file:
>> Currently there is no connection between --config-file and unattended
>> mode. So when you run ipa-server-install using config file, you still
>> get asked for missing stuff. Should '--config-file' automatically
>> imply '--unattended'?
> Well, there is certain beauty of providing some arguments from the
> config file and be asked for the rest. Unattended is more explicit in
> the way of handling so I would still keep them separate.
>

+1

-- Petr Vobornik

From jcholast at redhat.com Wed Jul 29 11:25:33 2015
From: jcholast at redhat.com (Jan Cholasta)
Date: Wed, 29 Jul 2015 13:25:33 +0200
Subject: [Freeipa-devel] [PATCH 0051] IPA server and replica installers can accept options from config file
In-Reply-To: <55B8A8E0.404@redhat.com>
References: <55B8A8E0.404@redhat.com>
Message-ID: <55B8B82D.7010309@redhat.com>

On 29.7.2015 at 12:20 Martin Babinsky wrote:
> Initial attempt to implement
> https://fedorahosted.org/freeipa/ticket/4517
>
> Some points to discuss:
>
> 1.) name of the config entries: currently the option names are derived
> from CLI options but have underscores in them instead of dashes. Maybe
> keeping the CLI option names also for config entries will make it easier
> for the user to transfer their CLI options from scripts to config files.

NACK. There is no point in generating config names from CLI names, which are generated from knob names - use knob names directly.

>
> 2.) Config sections: there is currently only one valid section named
> '[global]' in accordance with the format of 'default.conf'. Should we
> have separate sections equivalent to option groups in CLI (e.g. [basic],
> [certificate system], [dns])?

No, because they would have to be maintained forever. For example, some options are in wrong sections and we wouldn't be able to move them.

>
> 3.) Handling of unattended mode when specifying a config file:
> Currently there is no connection between --config-file and unattended
> mode. So when you run ipa-server-install using config file, you still
> get asked for missing stuff. Should '--config-file' automatically imply
> '--unattended'?

The behavior should be the same as if you specified the options on the command line. So no, --config-file should not imply --unattended.

>
> There are probably other issues to discuss. Feel free to write
> email/ping me on IRC.
>

(I haven't looked at the patch yet.)

-- Jan Cholasta

From mbasti at redhat.com Wed Jul 29 11:28:49 2015
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 29 Jul 2015 13:28:49 +0200
Subject: [Freeipa-devel] [PATCH] 906 webui: fix regressions failed auth messages
In-Reply-To: <55B77022.5040902@redhat.com>
References: <55B77022.5040902@redhat.com>
Message-ID: <55B8B8F1.2090400@redhat.com>

On 28/07/15 14:05, Petr Vobornik wrote:
> 1. after logout, krb auth no longer shows "session expired" but correct
> "Authentication with Kerberos failed".
>
> 2. "The password or username you entered is incorrect." is showed on
> failed forms-based auth.
>
> https://fedorahosted.org/freeipa/ticket/5163
>
>

Works for me
ACK

-- Martin Basti

From jcholast at redhat.com Wed Jul 29 11:33:17 2015
From: jcholast at redhat.com (Jan Cholasta)
Date: Wed, 29 Jul 2015 13:33:17 +0200
Subject: [Freeipa-devel] [PATCH 0051] IPA server and replica installers can accept options from config file
In-Reply-To: <55B8AFF0.20004@redhat.com>
References: <55B8A8E0.404@redhat.com> <20150729103750.GB4677@redhat.com> <55B8AFF0.20004@redhat.com>
Message-ID: <55B8B9FD.5070502@redhat.com>

On 29.7.2015 at 12:50 Petr Vobornik wrote:
> On 07/29/2015 12:37 PM, Alexander Bokovoy wrote:
>> On Wed, 29 Jul 2015, Martin Babinsky wrote:
>>> 2.) Config sections: there is currently only one valid section named
>>> '[global]' in accordance with the format of 'default.conf'. Should we
>>> have separate sections equivalent to option groups in CLI (e.g.
>>> [basic], [certificate system], [dns])?
>> What about using a different approach -- allowing to specify which
>> section to process, defaulting to [global]. This would allow to have a
>> single config file for whole setup, if needed, and just vary which
>> section to use.
>
> Interesting idea.

Maybe, but I don't think it's something that should be in the initial implementation, let's keep it simple for now.

-- Jan Cholasta

From mbasti at redhat.com Wed Jul 29 13:27:16 2015
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 29 Jul 2015 15:27:16 +0200
Subject: [Freeipa-devel] [PATCH 0002] TEST: Stageuser plugin
In-Reply-To: <55B64495.30309@redhat.com>
References: <55B64351.5020001@redhat.com> <55B64495.30309@redhat.com>
Message-ID: <55B8D4B4.8090303@redhat.com>

On 27/07/15 16:47, Lenka Doudova wrote:
> Hi,
>
> I'm attaching a patch with automated tests for stageuser plugin
> (https://fedorahosted.org/freeipa/ticket/3813). The user plugin test
> is affected as well (one class was added).
> The tests seem a bit of a mess even to myself, but what with the way
> freeipa behaves I didn't know how else to implement them, but I'm
> eager to learn how to do it in a nicer way, if someone has a better idea.
>
> Lenka
>
>
>
>

I just applied patches:

1) Please remove whitespace errors
$ git am freeipa-lryznaro-0002-Automated-test-for-stageuser-plugin.patch
Applying: Automated test for stageuser plugin
/home/mbasti/work/freeipa-devel/.git/rebase-apply/patch:110: trailing whitespace.
""" Tracker class for staged user LDAP object
/home/mbasti/work/freeipa-devel/.git/rebase-apply/patch:113: trailing whitespace.
StageUserTracker object stores information about the user.
/home/mbasti/work/freeipa-devel/.git/rebase-apply/patch:121: trailing whitespace.
u'krbprincipalexpiration', u'usercertificate', u'dn', u'has_keytab', u'has_password',
/home/mbasti/work/freeipa-devel/.git/rebase-apply/patch:122: trailing whitespace.
u'street', u'postalcode', u'facsimiletelephonenumber', u'carlicense',
/home/mbasti/work/freeipa-devel/.git/rebase-apply/patch:125: trailing whitespace.
u'cn', u'ipauniqueid', u'objectclass', u'description',
warning: squelched 50 whitespace errors
warning: 55 lines add whitespace errors.

2) Please use new shorter format of license header

3) can you fix some of the most serious PEP8 errors
$ git show -U0 | pep8 --diff | wc -l
198

4)
if options != None:

Please use "options *is not* None"

5)
For consistency it should be u'random'
if key == 'random':
    self.attrs[u'randompassword'] = fuzzy_string

Otherwise it looks good
Martin^2

-- Martin Basti

From ldoudova at redhat.com Wed Jul 29 13:29:54 2015
From: ldoudova at redhat.com (Lenka Doudova) Date: Wed, 29 Jul 2015 15:29:54 +0200 Subject: [Freeipa-devel] [PATCH 0002] TEST: Stageuser plugin In-Reply-To: <55B8D4B4.8090303@redhat.com> References: <55B64351.5020001@redhat.com> <55B64495.30309@redhat.com> <55B8D4B4.8090303@redhat.com> Message-ID: <55B8D552.8040306@redhat.com> Hi, thanks a lot for the comments, will work on it tomorrow. Lenka Dne 29.7.2015 v 15:27 Martin Basti napsal(a): > On 27/07/15 16:47, Lenka Doudova wrote: >> Hi, >> >> I'm attaching a patch with automated tests for stageuser plugin >> (https://fedorahosted.org/freeipa/ticket/3813). The user plugin test >> is affected as well (one class was added). >> The tests seem a bit of a mess even to myself, but what with the way >> freeipa behaves I didn't know how else to implement them, but I'm >> eager to learn how to do it in a nicer way, if someone has a better >> idea. >> >> Lenka >> >> >> >> > I just applied patches: > > 1) Please remove whitespace errors > $ git am freeipa-lryznaro-0002-Automated-test-for-stageuser-plugin.patch > Applying: Automated test for stageuser plugin > /home/mbasti/work/freeipa-devel/.git/rebase-apply/patch:110: trailing > whitespace. > """ Tracker class for staged user LDAP object > /home/mbasti/work/freeipa-devel/.git/rebase-apply/patch:113: trailing > whitespace. > StageUserTracker object stores information about the user. > /home/mbasti/work/freeipa-devel/.git/rebase-apply/patch:121: trailing > whitespace. > u'krbprincipalexpiration', u'usercertificate', u'dn', > u'has_keytab', u'has_password', > /home/mbasti/work/freeipa-devel/.git/rebase-apply/patch:122: trailing > whitespace. > u'street', u'postalcode', u'facsimiletelephonenumber', > u'carlicense', > /home/mbasti/work/freeipa-devel/.git/rebase-apply/patch:125: trailing > whitespace. > u'cn', u'ipauniqueid', u'objectclass', u'description', > warning: squelched 50 whitespace errors > warning: 55 lines add whitespace errors. 
> > 2) > Please use new shorter format of license header > > 3) can you fix some of the most serious PEP8 errors > $ git show -U0 | pep8 --diff | wc -l > 198 > > 4) > if options != None: > > Please use "options *is not* None" > > 5) > For consistency it should be u'random' > if key == 'random': > self.attrs[u'randompassword'] = fuzzy_string > > Otherwise it looks good > Martin^2 > -- > Martin Basti -------------- next part -------------- An HTML attachment was scrubbed... URL: From mbasti at redhat.com Wed Jul 29 13:41:52 2015 
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 29 Jul 2015 15:41:52 +0200
Subject: [Freeipa-devel] [PATCH] 0028 add --out option to user-show
In-Reply-To: <20150725014015.GJ20599@dhcp-40-8.bne.redhat.com>
References: <20150724134049.GI20599@dhcp-40-8.bne.redhat.com> <55B25118.2080700@redhat.com> <55B25B1A.8040106@redhat.com> <55B25F94.3040507@redhat.com> <20150725014015.GJ20599@dhcp-40-8.bne.redhat.com>
Message-ID: <55B8D820.5090607@redhat.com>

On 25/07/15 03:40, Fraser Tweedale wrote:
> On Fri, Jul 24, 2015 at 05:53:56PM +0200, Tomas Babej wrote:
>>
>> On 07/24/2015 05:34 PM, Martin Basti wrote:
>>> On 24/07/15 16:52, Tomas Babej wrote:
>>>> On 07/24/2015 03:40 PM, Fraser Tweedale wrote:
>>>>> The attached patch adds --out option to user-show for saving user's
>>>>> certificate(s) to file.
>>>>>
>>>>> Thanks,
>>>>> Fraser
>>>>>
>>>>>
>>>>>
>>>> I hate to nitpick here, but is "out" really a descriptive option name
>>>> here? I'd prefer something more explicit, like '--save-cert-to', or
>>>> maybe even have this operation implemented as a separate command
>>>> altogether.
>>>>
>>>> Tomas
>>>>
>>> This keyword was already used with several commands. For consistency
>>> might be better to have it the same.
>>>
>> True. I see this option is being used in the following commands:
>>
>> - cert-show
>> - vault-retrieve
>> - host-show
>> - service-show
>> - user-show (proposed)
>>
>> While the first two seem to be an acceptable fit for an option called
>> --out, as they mainly deal with cert/secret, using the '--out' for the
>> latter three is a poor decision imho.
>>
>> I agree the consistency is important, I'm just not happy to see this
>> spread further.
>>
>> Tomas
> Perhaps we should go with something like `--certout' instead, and
> support `--certout' in addition to `--out' in host-show and
> service-show, essentially deprecating `--out' for those commands.
>
> Cheers,
> Fraser

Good idea, but we should do this for all commands, at the same time.
IMO this is not for 4.2, you may file a ticket to deprecate --out option and replace it by --certout or something.

I will do review if nobody is against this patch :)
Martin^2

-- Martin Basti

From mbasti at redhat.com Wed Jul 29 13:46:22 2015
From: mbasti at redhat.com (Martin Basti) Date: Wed, 29 Jul 2015 15:46:22 +0200 Subject: [Freeipa-devel] [PATCH] 0028 add --out option to user-show In-Reply-To: <55B8D820.5090607@redhat.com> References: <20150724134049.GI20599@dhcp-40-8.bne.redhat.com> <55B25118.2080700@redhat.com> <55B25B1A.8040106@redhat.com> <55B25F94.3040507@redhat.com> <20150725014015.GJ20599@dhcp-40-8.bne.redhat.com> <55B8D820.5090607@redhat.com> Message-ID: <55B8D92E.4030601@redhat.com> On 29/07/15 15:41, Martin Basti wrote: > On 25/07/15 03:40, Fraser Tweedale wrote: >> On Fri, Jul 24, 2015 at 05:53:56PM +0200, Tomas Babej wrote: >>> >>> On 07/24/2015 05:34 PM, Martin Basti wrote: >>>> On 24/07/15 16:52, Tomas Babej wrote: >>>>> On 07/24/2015 03:40 PM, Fraser Tweedale wrote: >>>>>> The attached patch adds --out option to user-show for saving user's >>>>>> certificate(s) to file. >>>>>> >>>>>> Thanks, >>>>>> Fraser >>>>>> >>>>>> >>>>>> >>>>> I hate to nitpick here, but is "out" really a descriptive option name >>>>> here? I'd prefer something more explicit, like '--save-cert-to', or >>>>> maybe even have this operation implemented as a separate command >>>>> altogether. >>>>> >>>>> Tomas >>>>> >>>> This keyword was already used with several commands. For consistency >>>> might be better to have it the same. >>>> >>> True. I see this options is being used in the following commands: >>> >>> - cert-show >>> - vault-retrieve >>> - host-show >>> - service-show >>> - user-show (proposed) >>> >>> While the first two seem to be an acceptable fit for an option called >>> --out, as they mainly deal with cert/secret, using the '--out' for the >>> latter three is a poor decision imho. >>> >>> I agree the consistency is important, I'm just not happy to see this >>> spread further. >>> >>> Tomas >> Perhaps we should go with something like `--certout' instead, and >> support `--certout' in addition to `--out' in host-show and >> service-show, esentially deprecating `--out' for those commands. 
>> >> Cheers, >> Fraser > Good idea, but we should do this for all commands, at the same time. > IMO this is not for 4.2, you may file a ticket to deprecate --out > option and replace it by --certout or something. > > I will do review is nobody is against this patch :) > Martin^2 > Is a ticket somewhere for this? -- Martin Basti From jcholast at redhat.com Wed Jul 29 13:48:47 2015 
From: jcholast at redhat.com (Jan Cholasta) Date: Wed, 29 Jul 2015 15:48:47 +0200 Subject: [Freeipa-devel] [PATCH] 0028 add --out option to user-show In-Reply-To: <55B8D92E.4030601@redhat.com> References: <20150724134049.GI20599@dhcp-40-8.bne.redhat.com> <55B25118.2080700@redhat.com> <55B25B1A.8040106@redhat.com> <55B25F94.3040507@redhat.com> <20150725014015.GJ20599@dhcp-40-8.bne.redhat.com> <55B8D820.5090607@redhat.com> <55B8D92E.4030601@redhat.com> Message-ID: <55B8D9BF.8010605@redhat.com> Dne 29.7.2015 v 15:46 Martin Basti napsal(a): > On 29/07/15 15:41, Martin Basti wrote: >> On 25/07/15 03:40, Fraser Tweedale wrote: >>> On Fri, Jul 24, 2015 at 05:53:56PM +0200, Tomas Babej wrote: >>>> >>>> On 07/24/2015 05:34 PM, Martin Basti wrote: >>>>> On 24/07/15 16:52, Tomas Babej wrote: >>>>>> On 07/24/2015 03:40 PM, Fraser Tweedale wrote: >>>>>>> The attached patch adds --out option to user-show for saving user's >>>>>>> certificate(s) to file. >>>>>>> >>>>>>> Thanks, >>>>>>> Fraser >>>>>>> >>>>>>> >>>>>>> >>>>>> I hate to nitpick here, but is "out" really a descriptive option name >>>>>> here? I'd prefer something more explicit, like '--save-cert-to', or >>>>>> maybe even have this operation implemented as a separate command >>>>>> altogether. >>>>>> >>>>>> Tomas >>>>>> >>>>> This keyword was already used with several commands. For consistency >>>>> might be better to have it the same. >>>>> >>>> True. I see this options is being used in the following commands: >>>> >>>> - cert-show >>>> - vault-retrieve >>>> - host-show >>>> - service-show >>>> - user-show (proposed) >>>> >>>> While the first two seem to be an acceptable fit for an option called >>>> --out, as they mainly deal with cert/secret, using the '--out' for the >>>> latter three is a poor decision imho. >>>> >>>> I agree the consistency is important, I'm just not happy to see this >>>> spread further. 
>>>>
>>>> Tomas
>>> Perhaps we should go with something like `--certout' instead, and
>>> support `--certout' in addition to `--out' in host-show and
>>> service-show, essentially deprecating `--out' for those commands.
>>>
>>> Cheers,
>>> Fraser
>> Good idea, but we should do this for all commands, at the same time.
>> IMO this is not for 4.2, you may file a ticket to deprecate --out
>> option and replace it by --certout or something.

The "in" option is named --certificate, so it should be --certificate-out.

>>
>> I will do review if nobody is against this patch :)
>> Martin^2

LGTM

>>
>
> Is a ticket somewhere for this?
>

-- Jan Cholasta

From redhatrises at gmail.com Wed Jul 29 13:49:29 2015
From: redhatrises at gmail.com (Gabe Alford)
Date: Wed, 29 Jul 2015 07:49:29 -0600
Subject: [Freeipa-devel] [PATCH 0052] Add Chromium configuration note under Chrome section in ssbrowser
Message-ID:

Hello,

As Chromium and Chrome are configured similarly but are configured in different /etc directories, this patch adds a note to the Chrome section in ssbrowser.html stating that.

Thanks,
Gabe

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rga-0052-Add-Chromium-configuration-note-to-ssbrowser.patch
Type: text/x-patch
Size: 1170 bytes
Desc: not available
URL:

From mbasti at redhat.com Wed Jul 29 13:56:10 2015
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 29 Jul 2015 15:56:10 +0200
Subject: [Freeipa-devel] [PATCH 016] Require Dogtag PKI >= 10.2.6
In-Reply-To: <55B0C154.7010904@redhat.com>
References: <55B0C154.7010904@redhat.com>
Message-ID: <55B8DB7A.7090700@redhat.com>

On 23/07/15 12:26, Christian Heimes wrote:
> Dogtag 10.2.6 comes with two fixes for cloning from 9.x to 10.x
> instances:
>
> https://fedorahosted.org/pki/ticket/1495
> https://fedorahosted.org/pki/ticket/1488
>
> https://fedorahosted.org/freeipa/ticket/5140
> https://fedorahosted.org/freeipa/ticket/5129
>

ACK

--
Martin Basti

From mbasti at redhat.com Wed Jul 29 14:10:32 2015
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 29 Jul 2015 16:10:32 +0200
Subject: [Freeipa-devel] [PATCH 0002] TEST: Stageuser plugin
In-Reply-To: <55B8D552.8040306@redhat.com>
References: <55B64351.5020001@redhat.com> <55B64495.30309@redhat.com> <55B8D4B4.8090303@redhat.com> <55B8D552.8040306@redhat.com>
Message-ID: <55B8DED8.90909@redhat.com>

On 29/07/15 15:29, Lenka Doudova wrote:
> Hi,
>
> thanks a lot for the comments, will work on it tomorrow.
>
> Lenka
>
> On 29.7.2015 at 15:27, Martin Basti wrote:
>> On 27/07/15 16:47, Lenka Doudova wrote:
>>> Hi,
>>>
>>> I'm attaching a patch with automated tests for stageuser plugin
>>> (https://fedorahosted.org/freeipa/ticket/3813). The user plugin test
>>> is affected as well (one class was added).
>>> The tests seem a bit of a mess even to myself, but what with the way
>>> freeipa behaves I didn't know how else to implement them, but I'm
>>> eager to learn how to do it in a nicer way, if someone has a better
>>> idea.
>>>
>>> Lenka
>>>
>> I just applied patches:
>>
>> 1) Please remove whitespace errors
>> $ git am freeipa-lryznaro-0002-Automated-test-for-stageuser-plugin.patch
>> Applying: Automated test for stageuser plugin
>> /home/mbasti/work/freeipa-devel/.git/rebase-apply/patch:110: trailing whitespace.
>> """ Tracker class for staged user LDAP object
>> /home/mbasti/work/freeipa-devel/.git/rebase-apply/patch:113: trailing whitespace.
>> StageUserTracker object stores information about the user.
>> /home/mbasti/work/freeipa-devel/.git/rebase-apply/patch:121: trailing whitespace.
>> u'krbprincipalexpiration', u'usercertificate', u'dn',
>> u'has_keytab', u'has_password',
>> /home/mbasti/work/freeipa-devel/.git/rebase-apply/patch:122: trailing whitespace.
>> u'street', u'postalcode', u'facsimiletelephonenumber',
>> u'carlicense',
>> /home/mbasti/work/freeipa-devel/.git/rebase-apply/patch:125: trailing whitespace.
>> u'cn', u'ipauniqueid', u'objectclass', u'description',
>> warning: squelched 50 whitespace errors
>> warning: 55 lines add whitespace errors.
>>
>> 2)
>> Please use new shorter format of license header
>>
>> 3) can you fix some of the most serious PEP8 errors
>> $ git show -U0 | pep8 --diff | wc -l
>> 198
>>
>> 4)
>> if options != None:
>>
>> Please use "options *is not* None"
>>
>> 5)
>> For consistency it should be u'random'
>> if key == 'random':
>> self.attrs[u'randompassword'] = fuzzy_string
>>
>> Otherwise it looks good
>> Martin^2
>> --
>> Martin Basti

> And also fix this please

./make-lint
************* Module ipatests.test_xmlrpc.test_stageuser_plugin
ipatests/test_xmlrpc/test_stageuser_plugin.py:337: [E0102(function-redefined), user2] function already defined line 44)

--
Martin Basti

From dkupka at redhat.com Wed Jul 29 14:12:02 2015
From: dkupka at redhat.com (David Kupka)
Date: Wed, 29 Jul 2015 16:12:02 +0200
Subject: [Freeipa-devel] [PATCH 0058] dns: do not add (forward)zone if it is already resolvable.
Message-ID: <55B8DF32.70208@redhat.com>

https://fedorahosted.org/freeipa/ticket/5087

--
David Kupka

[attachment: freeipa-dkupka-0058-dns-do-not-add-forward-zone-if-it-is-already-resolva.patch, text/x-patch, 4653 bytes]

From mbasti at redhat.com Wed Jul 29 14:42:06 2015
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 29 Jul 2015 16:42:06 +0200
Subject: [Freeipa-devel] [PATCH 0050] ACI plugin: correctly parse bind rules enclosed in parentheses
In-Reply-To: <55B7717A.60103@redhat.com>
References: <55B0F4D4.9050901@redhat.com> <55B649CA.4080406@redhat.com> <55B768A5.4030205@redhat.com> <55B7717A.60103@redhat.com>
Message-ID: <55B8E63E.2070102@redhat.com>

On 28/07/15 14:11, Martin Basti wrote:
> On 28/07/15 13:33, Martin Babinsky wrote:
>> On 07/27/2015 05:10 PM, Martin Basti wrote:
>>> On 23/07/15 16:06, Martin Babinsky wrote:
>>>> This is a quick fix for https://fedorahosted.org/freeipa/ticket/5037
>>>>
>>> NACK
>>>
>>> I do not like your change in the first regexp too much.
>>>
>>> Can you try this instead?
>>>
>>> PermPat = re.compile(r'(\w+)\s*\(([^()]*)\)\s*(.*)', re.UNICODE)
>>>
>>> This just removes '(' and ')' from the pattern and accepts all other
>>> characters.
>>>
>>> --
>>> Martin Basti
>>>
>>
>> Attaching updated patch.
>>
> ACK
>

Pushed to:
master: a2ba9373070b19c158be8be78f7fbeee5ccab081
ipa-4-2: d85f92c0e75f3b389edac353de2cf08105b33cc4

--
Martin Basti

From mbasti at redhat.com Wed Jul 29 14:49:04 2015
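The regex change discussed above decides how an ACI's permission list is separated from its bind rule. As an added example, not code from the patch or from FreeIPA's aci plugin, the block below puts the thread's fixed pattern next to an assumed reconstruction of the greedy pre-fix pattern and wraps both in a small clause parser; `parse_permission_clause`, `bind_rule_is_sane`, `split_aci`, `ACL_CLAUSE` and the sample ACI strings are constructed for illustration. It shows why a greedy `(.*)` inside the parentheses swallows a bind rule that is itself enclosed in parentheses and reports an empty bind rule, so anything displaying or auditing ACIs from that parse would mis-report who the permission applies to.

```python
import re

# Fixed pattern from the thread: the permission list may contain anything
# except parentheses, so a bind rule that is itself wrapped in parentheses
# is left intact for the third group.
PERM_PAT_FIXED = re.compile(r'(\w+)\s*\(([^()]*)\)\s*(.*)', re.UNICODE)

# Assumed reconstruction of the pre-fix pattern (greedy '.*' inside the
# parentheses); illustrative, not the project's own code.
PERM_PAT_GREEDY = re.compile(r'(\w+)\s*\((.*)\)\s*(.*)', re.UNICODE)

# Hypothetical helper, not from FreeIPA: pull the 'allow (...) bindrule'
# clause and the acl name out of a full 389-ds style ACI string.
ACL_CLAUSE = re.compile(r'acl\s+"([^"]*)"\s*;\s*(.*?)\s*;\s*\)\s*$', re.UNICODE)


def parse_permission_clause(clause, pattern=PERM_PAT_FIXED):
    """Split 'allow (read, write) userdn = "..."' into (action, perms, bind rule).

    Returns None when the clause does not match. The bind rule is returned
    as written, including any parentheses that enclose it.
    """
    m = pattern.match(clause)
    if m is None:
        return None
    action, perms, bind_rule = m.groups()
    perm_list = [p.strip() for p in perms.split(',') if p.strip()]
    return action, perm_list, bind_rule.strip()


def bind_rule_is_sane(bind_rule):
    """Cheap consistency check on a parsed bind rule.

    A greedy permission group swallows the bind rule and leaves the third
    group empty, so an empty or unbalanced rule means the permission list
    reported alongside it cannot be trusted either.
    """
    return bool(bind_rule) and bind_rule.count('(') == bind_rule.count(')')


def split_aci(aci, pattern=PERM_PAT_FIXED):
    """Return (acl name, action, perms, bind rule) for a full ACI string."""
    m = ACL_CLAUSE.search(aci)
    if m is None:
        return None
    name, clause = m.groups()
    parsed = parse_permission_clause(clause, pattern)
    if parsed is None:
        return None
    action, perms, bind_rule = parsed
    return name, action, perms, bind_rule


# Constructed sample ACIs in the 389-ds syntax FreeIPA stores in LDAP.
SAMPLE_PLAIN = ('(targetattr = "userPassword")(version 3.0; acl "self-password"; '
                'allow (write) userdn = "ldap:///self";)')
SAMPLE_PARENS = ('(targetattr = "userPassword")(version 3.0; acl "self-password"; '
                 'allow (write) (userdn = "ldap:///self");)')
```

Both patterns agree on `SAMPLE_PLAIN`; only the parenthesised bind rule in `SAMPLE_PARENS` separates them, which is why the bug in ticket 5037 went unnoticed until such ACIs appeared. The `bind_rule_is_sane` check is the kind of output validation that turns a silent mis-parse into a visible error.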
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 29 Jul 2015 16:49:04 +0200
Subject: [Freeipa-devel] [PATCH 0286, 0290] Sysrestore: copy files instead of moving them to avoid SELinux issues
In-Reply-To: <55B87A93.1010108@redhat.com>
References: <55A682FF.8000000@redhat.com> <20150715160118.GJ21928@redhat.com> <55A68728.7050606@redhat.com> <20150717110416.GZ21928@redhat.com> <55A8E4C8.2020706@redhat.com> <20150717112538.GA21928@redhat.com> <55A8E71B.4090103@redhat.com> <20150717114440.GB21928@redhat.com> <55A8EB23.7030802@redhat.com> <55A8EDAB.7050000@redhat.com> <55A91244.3050504@redhat.com> <55B87A93.1010108@redhat.com>
Message-ID: <55B8E7E0.7020304@redhat.com>

On 29/07/15 09:02, David Kupka wrote:
> On 17/07/15 16:33, Martin Basti wrote:
>> On 17/07/15 13:57, Petr Vobornik wrote:
>>> On 07/17/2015 01:46 PM, Petr Vobornik wrote:
>>>> On 07/17/2015 01:44 PM, Alexander Bokovoy wrote:
>>>>> On Fri, 17 Jul 2015, Martin Basti wrote:
>>>>>> From b05f4a2e17ae00e5c20e5eb7bd046472f100e0ad Mon Sep 17 00:00:00 2001
>>>>>> From: Martin Basti
>>>>>> Date: Wed, 15 Jul 2015 16:20:59 +0200
>>>>>> Subject: [PATCH] sysrestore: copy files instead of moving them to avoid
>>>>>> SELinux issues
>>>>>
>>>>> ACK.
>>>>>
>>>>
>>>> Pushed to:
>>>> master: 9f701283534745bf93b41a1886183e9ef1d06566
>>>> ipa-4-2: 92a73e8b2a5f26744b036a36de4b9956e8883f61
>>>
>>> Does it really fix the whole ticket?
>>>
>>> There is also in freeipa.spec.in %post client (i.e. upgrade):
>>>
>>> cat /etc/krb5.conf >> /etc/krb5.conf.ipanew
>>> mv /etc/krb5.conf.ipanew /etc/krb5.conf
>>> /sbin/restorecon /etc/krb5.conf
>>>
>>> + some others.
>>>
>>> Between the mv and restorecon, SSSD tries to access the file and
>>> raises AVC.
>>>
>>> In this case we can freely use mv -z since target platforms are Fedora
>>> and newest RHEL.
>>
>> The new patch fixing specfile attached.
>>
> Works for me, ACK.
>

Pushed to:
master: 45c709112da1514d57db46f9706bc03920574adf
ipa-4-2: 21d31224780d4e1e5e4371f12c5ebae6b4aca54f

--
Martin Basti

From mbasti at redhat.com Wed Jul 29 15:07:31 2015
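Why copying a file into place keeps its SELinux label while renaming a new file over it does not, as an added example that is not part of the sysrestore patch or of FreeIPA's code: a rename makes the target path point at the source's inode, and the SELinux label travels with the inode (it is an extended attribute on it), so until `restorecon` runs the file carries whatever label its temporary location gave it, which is the AVC window the thread describes; overwriting the existing target in place keeps its inode and therefore its label. The file names, contents and helper functions below are constructed, and an inode comparison stands in for the label comparison so the example runs on a system without SELinux.

```python
import os
import shutil
import tempfile


def restore_by_move(src, dst):
    """Rename the backup over the target.

    The target path ends up pointing at the backup's inode, so on an
    SELinux system it carries the backup's label until something
    relabels it (coreutils' `mv -Z` relabels at move time; plain mv and
    os.replace do not).
    """
    os.replace(src, dst)


def restore_by_copy(src, dst):
    """Write the backup's contents and mode into the existing target.

    The target inode is truncated and rewritten rather than replaced, so
    its SELinux label, owner and any descriptors already open on it
    survive; this is the behaviour the sysrestore patch switches to.
    The trade-off is that the update is not atomic.
    """
    shutil.copyfile(src, dst)
    shutil.copymode(src, dst)
    os.unlink(src)


def restore_keeps_inode(restore):
    """Run `restore` on a constructed backup/target pair in a temp dir.

    Returns True when the target kept its inode, received the backup's
    contents and the backup was consumed. Because labels live on the
    inode, 'same inode' is the offline stand-in for 'same label'.
    """
    with tempfile.TemporaryDirectory() as workdir:
        target = os.path.join(workdir, "krb5.conf")
        backup = os.path.join(workdir, "krb5.conf.ipabkp")
        with open(target, "w") as f:      # constructed current config
            f.write("[libdefaults]\n default_realm = NEW.TEST\n")
        with open(backup, "w") as f:      # constructed backed-up config
            f.write("[libdefaults]\n default_realm = OLD.TEST\n")
        inode_before = os.stat(target).st_ino
        restore(backup, target)
        with open(target) as f:
            restored = f.read()
        return (os.stat(target).st_ino == inode_before
                and "OLD.TEST" in restored
                and not os.path.exists(backup))
```

`restore_keeps_inode(restore_by_copy)` returns True and `restore_keeps_inode(restore_by_move)` returns False: the move produced the right contents but a different inode, which on an SELinux host means a different label until `restorecon` catches up. Where atomic replacement matters more than label preservation, the alternative is to relabel the temporary file to the target path's default context before the rename rather than after it.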
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 29 Jul 2015 17:07:31 +0200
Subject: [Freeipa-devel] [PATCH 0294] ULC: fix stageuser-add --from-delete command
In-Reply-To: <55B76608.1060704@redhat.com>
References: <55B0D430.6090405@redhat.com> <55B76608.1060704@redhat.com>
Message-ID: <55B8EC33.3080101@redhat.com>

On 28/07/15 13:22, David Kupka wrote:
> On 23/07/15 13:46, Martin Basti wrote:
>> https://fedorahosted.org/freeipa/ticket/5145
>>
>> Patch attached.
>>
>> This patch fixes only the first part of the problem -- the traceback.
>>
>> Removing the prompt for name and surname requires too big hacks in internal
>> API, and I'm not sure if we will be able to do that.
>> IMO this should be a separate command, I will open a discussion.
>>
>
> Works for me, ACK.
> It would be better to leave the ticket open until the issue is fully
> resolved.
>

Pushed to:
master: cea52ce186d9341f126ef6a9ac5f0287c4f16ada
ipa-4-2: 10e43f883d361ee1c376e1a1e06884cd9f8415ca

--
Martin Basti

From mbabinsk at redhat.com Wed Jul 29 15:13:25 2015
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Wed, 29 Jul 2015 17:13:25 +0200
Subject: [Freeipa-devel] [PATCH 0051] IPA server and replica installers can accept options from config file
In-Reply-To: <55B8B82D.7010309@redhat.com>
References: <55B8A8E0.404@redhat.com> <55B8B82D.7010309@redhat.com>
Message-ID: <55B8ED95.5040208@redhat.com>

On 07/29/2015 01:25 PM, Jan Cholasta wrote:
> On 29.7.2015 at 12:20, Martin Babinsky wrote:
>> Initial attempt to implement
>> https://fedorahosted.org/freeipa/ticket/4517
>>
>> Some points to discuss:
>>
>> 1.) name of the config entries: currently the option names are derived
>> from CLI options but have underscores in them instead of dashes. Maybe
>> keeping the CLI option names also for config entries will make it easier
>> for the user to transfer their CLI options from scripts to config files.
>
> NACK. There is no point in generating config names from CLI names, which
> are generated from knob names - use knob names directly.
>

The problem is that in some cases the cli_name does not map directly to the
knob name, leading to different naming of CLI options and config entries,
confusion and mayhem.

These are some offenders from `ipaserver/install/server.py`:
http://fpaste.org/249424/18226114/

On the other hand, this can be an incentive to finally put an end to
inconsistent option/knob naming across server/replica/etc. installers.

>>
>> 2.) Config sections: there is currently only one valid section named
>> '[global]' in accordance with the format of 'default.conf'. Should we
>> have separate sections equivalent to option groups in CLI (e.g. [basic],
>> [certificate system], [dns])?
>
> No, because they would have to be maintained forever. For example, some
> options are in wrong sections and we wouldn't be able to move them.
>

I'm also more inclined to a single section, at least for now since we are
pressed for time with this RFE.

That's not to say that we should ditch Alexander's idea about separate
sections with overrides for different hosts. We should consider it as a
future enhancement to this feature once the basic plumbing is in place.

>>
>> 3.) Handling of unattended mode when specifying a config file:
>> Currently there is no connection between --config-file and unattended
>> mode. So when you run ipa-server-install using config file, you still
>> get asked for missing stuff. Should '--config-file' automatically imply
>> '--unattended'?
>
> The behavior should be the same as if you specified the options on the
> command line. So no, --config-file should not imply --unattended.
>

That sounds reasonable. The code behaves this way already so no changes here.

>>
>> There are probably other issues to discuss. Feel free to write
>> email/ping me on IRC.
>>
>
> (I haven't looked at the patch yet.)
>

Please take a look at it ASAP. I am on PTO tomorrow and on Friday, but I
will find time to work at it in the evening if you send me your comments.

--
Martin^3 Babinsky

From redhatrises at gmail.com Wed Jul 29 15:23:34 2015
From: redhatrises at gmail.com (Gabe Alford)
Date: Wed, 29 Jul 2015 09:23:34 -0600
Subject: [Freeipa-devel] [PATCH 0053] Inconsistency between ipasearchrecordslimit and --sizelimit
Message-ID:

Hello,

Fix for https://fedorahosted.org/freeipa/ticket/4023

Thanks,

Gabe

[attachment: freeipa-rga-0053-Standardize-minvalue-for-ipasearchrecordlimit-and-si.patch, text/x-patch, 39207 bytes]

From mbasti at redhat.com Wed Jul 29 15:38:15 2015
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 29 Jul 2015 17:38:15 +0200
Subject: [Freeipa-devel] [PATCH 016] Require Dogtag PKI >= 10.2.6
In-Reply-To: <55B8DB7A.7090700@redhat.com>
References: <55B0C154.7010904@redhat.com> <55B8DB7A.7090700@redhat.com>
Message-ID: <55B8F367.7030503@redhat.com>

On 29/07/15 15:56, Martin Basti wrote:
> On 23/07/15 12:26, Christian Heimes wrote:
>> Dogtag 10.2.6 comes with two fixes for cloning from 9.x to 10.x
>> instances:
>>
>> https://fedorahosted.org/pki/ticket/1495
>> https://fedorahosted.org/pki/ticket/1488
>>
>> https://fedorahosted.org/freeipa/ticket/5140
>> https://fedorahosted.org/freeipa/ticket/5129
>>
> ACK
>
> --
> Martin Basti
>

Pushed to:
master: 4e18a62dd5adeb4bcb63aafc4bbe50d7a5c71b9c
ipa-4-2: b01dc89967c73076c268e6bc3f1d604c3c04b221

--
Martin Basti

From pvoborni at redhat.com Wed Jul 29 15:43:47 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Wed, 29 Jul 2015 17:43:47 +0200
Subject: [Freeipa-devel] [PATCH 0051] IPA server and replica installers can accept options from config file
In-Reply-To: <55B8ED95.5040208@redhat.com>
References: <55B8A8E0.404@redhat.com> <55B8B82D.7010309@redhat.com> <55B8ED95.5040208@redhat.com>
Message-ID: <55B8F4B3.1000904@redhat.com>

On 07/29/2015 05:13 PM, Martin Babinsky wrote:
> On 07/29/2015 01:25 PM, Jan Cholasta wrote:
>> On 29.7.2015 at 12:20, Martin Babinsky wrote:
>>> Initial attempt to implement
>>> https://fedorahosted.org/freeipa/ticket/4517
>>>
>>> Some points to discuss:
>>>
>>> 1.) name of the config entries: currently the option names are derived
>>> from CLI options but have underscores in them instead of dashes. Maybe
>>> keeping the CLI option names also for config entries will make it easier
>>> for the user to transfer their CLI options from scripts to config files.
>>
>> NACK. There is no point in generating config names from CLI names, which
>> are generated from knob names - use knob names directly.
>>
> The problem is that in some cases the cli_name does not map directly to
> the knob name, leading to different naming of CLI options and config
> entries, confusion and mayhem.
>
> These are some offenders from `ipaserver/install/server.py`:
> http://fpaste.org/249424/18226114/
>
> On the other hand, this can be an incentive to finally put an end to
> inconsistent option/knob naming across server/replica/etc. installers.

If the names are different than cli names, then they should be made
discoverable somehow or be documented.

>>>
>>> 2.) Config sections: there is currently only one valid section named
>>> '[global]' in accordance with the format of 'default.conf'. Should we
>>> have separate sections equivalent to option groups in CLI (e.g. [basic],
>>> [certificate system], [dns])?
>>
>> No, because they would have to be maintained forever. For example, some
>> options are in wrong sections and we wouldn't be able to move them.
>>
> I'm also more inclined to a single section, at least for now since we
> are pressed for time with this RFE.
>
> That's not to say that we should ditch Alexander's idea about separate
> sections with overrides for different hosts. We should consider it as a
> future enhancement to this feature once the basic plumbing is in place.
>>>
>>> 3.) Handling of unattended mode when specifying a config file:
>>> Currently there is no connection between --config-file and unattended
>>> mode. So when you run ipa-server-install using config file, you still
>>> get asked for missing stuff. Should '--config-file' automatically imply
>>> '--unattended'?
>>
>> The behavior should be the same as if you specified the options on the
>> command line. So no, --config-file should not imply --unattended.
>>
> That sounds reasonable. The code behaves this way already so no changes
> here.
>
>>>
>>> There are probably other issues to discuss. Feel free to write
>>> email/ping me on IRC.
>>>
>>
>> (I haven't looked at the patch yet.)
>>
> Please take a look at it ASAP. I am on PTO tomorrow and on Friday, but I
> will find time to work at it in the evening if you send me your comments.
>

--
Petr Vobornik

From pviktori at redhat.com Wed Jul 29 17:13:38 2015
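How the three points settled in this thread fit together in code (knob names as the config keys, a single `[global]` section, and `--config-file` not implying `--unattended`), as an added example rather than the patch's own implementation: the knob names, their types and the list of prompted knobs are assumed here, modelled on ipa-server-install's options, and the config text is constructed. Unknown keys and extra sections are rejected rather than ignored, because an installer that silently drops a misspelled `admin-password` would fall back to prompting, or worse, to a default.

```python
import configparser

# Knob names modelled on ipa-server-install's installer knobs; the set and
# the types are assumed for illustration, not read from the project.
KNOBS = {
    "realm_name": str,
    "domain_name": str,
    "host_name": str,
    "dm_password": str,
    "admin_password": str,
    "setup_dns": bool,
    "unattended": bool,
}
# Knobs the interactive installer would prompt for when still unset.
PROMPTED = ("realm_name", "domain_name", "host_name", "dm_password", "admin_password")


class ConfigFileError(ValueError):
    """Raised for a config file the installer must not guess about."""


def _coerce(knob, raw):
    """Convert the raw INI string to the knob's type, rejecting junk."""
    if KNOBS[knob] is bool:
        low = raw.strip().lower()
        if low in ("true", "yes", "1"):
            return True
        if low in ("false", "no", "0"):
            return False
        raise ConfigFileError("%s: expected a boolean, got %r" % (knob, raw))
    return raw


def load_installer_config(text):
    """Parse installer options from the body of a config file.

    Exactly one [global] section is accepted, and keys must be knob names
    (underscored, as the installer defines them), not CLI spellings.
    Interpolation is off so a '%' in a password is taken literally.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    sections = parser.sections()
    if sections != ["global"]:
        raise ConfigFileError("expected exactly one [global] section, got %r" % sections)
    values = {}
    for key, raw in parser.items("global"):
        if key not in KNOBS:
            raise ConfigFileError("unknown option %r (use the knob name)" % key)
        values[key] = _coerce(key, raw)
    return values


def merge_options(cli_values, file_values):
    """Combine CLI and config-file values the way the thread agreed on.

    Explicit CLI values win, the config file fills the rest, and a config
    file never switches on unattended mode by itself. Returns the merged
    options and the knobs the installer would still prompt for.
    """
    merged = dict(file_values)
    merged.update({k: v for k, v in cli_values.items() if v is not None})
    merged.setdefault("unattended", False)
    missing = [k for k in PROMPTED if k not in merged]
    return merged, missing


def config_error(text):
    """Return the rejection message for a config body, or None if it loads."""
    try:
        load_installer_config(text)
    except ConfigFileError as e:
        return str(e)
    return None


# Constructed config body: note the literal '%' in the password.
SAMPLE_CONFIG = """[global]
realm_name = EXAMPLE.TEST
domain_name = example.test
setup_dns = yes
admin_password = Secret%123
"""
```

With `SAMPLE_CONFIG` and a command line that only overrides `domain_name`, the merge keeps the CLI value, leaves `unattended` off, and reports `host_name` and `dm_password` as the knobs that would still be prompted for, which is exactly the "same as typing the options" behaviour Jan asked for.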
From: pviktori at redhat.com (Petr Viktorin)
Date: Wed, 29 Jul 2015 19:13:38 +0200
Subject: [Freeipa-devel] [PATCH 0002] Port from python-krbV to python-gssapi
In-Reply-To: <55B8A362.1090705@redhat.com>
References: <55B88A4A.9070601@redhat.com> <55B8A362.1090705@redhat.com>
Message-ID: <55B909C2.4030501@redhat.com>

On 07/29/2015 11:56 AM, Christian Heimes wrote:
> On 2015-07-29 10:09, Michael Šimáček wrote:
>> GSSAPI doesn't provide any method (that I'm aware of) to get default
>> ccache name. In most cases this is not needed as we can simply not pass
>> any name and it will use the default. The ldap plugin had to be adjusted
>> for this - the connect method now takes new use_gssapi argument, which
>> can turn on gssapi support without the need to supply explicit ccache
>> name. The only place where the ccache name is really needed is the test
>> server, where I use system klist command to obtain it.
>
> You can use ctypes or cffi for the task, too. It's much faster and more
> convenient.

I think /usr/bin/klist should be just fine for the test server.

--
Petr Viktorin

From rharwood at redhat.com Wed Jul 29 17:20:11 2015
From: rharwood at redhat.com (Robbie Harwood)
Date: Wed, 29 Jul 2015 13:20:11 -0400
Subject: [Freeipa-devel] [PATCH 0002] Port from python-krbV to python-gssapi
In-Reply-To: <55B88A4A.9070601@redhat.com>
References: <55B88A4A.9070601@redhat.com>
Message-ID:

Michael Šimáček writes:

> GSSAPI doesn't provide any method (that I'm aware of) to get default
> ccache name. In most cases this is not needed as we can simply not
> pass any name and it will use the default. The ldap plugin had to be
> adjusted for this - the connect method now takes new use_gssapi
> argument, which can turn on gssapi support without the need to supply
> explicit ccache name. The only place where the ccache name is really
> needed is the test server, where I use system klist command to obtain
> it.

This is sub-optimal, but not a huge deal if it's only in the test suite.

> It's also not possible to directly get default realm name, what I do
> is importing nonexistent name, canonicalizing it and extracting the
> realm from it. Which should work but is ugly. It would be better if we
> could modify the places that use it to not need it at all, but it's
> mostly used in ldap code and I don't understand that part of FreeIPA.
> Alternative would be parsing /etc/krb.conf.

Please try not to do this. DEFINITELY do not parse krb.conf.
Unfortunately, I do not know enough about the LDAP code to know why this
is needed or to suggest an alternate solution.

> Sorry for long patch, but I'm afraid it cannot be reasonably split.

This is indeed really long and difficult to work through. I have
probably missed some things; apologies if they come through in a later
round.

> +try: > + cred = kinit_keytab(principal, keytab_name, ccache_name) > + # would raise exception if expired > + cred.lifetime > +except gssapi.exceptions.ExpiredCredentialsError: > + # delete stale ccache and try again > + os.unlink(ccache_name) > + cred = kinit_keytab(principal, keytab_name, ccache_name)

See next comment.
> - # The keytab may have stale key material (from older trust-add run) > - if not os.path.isfile(oneway_ccache_name): > - oneway_ccache = kinit_keytab(oneway_principal, oneway_keytab_name, oneway_ccache_name) > -except krbV.Krb5Error as e: > + try: > + # The keytab may have stale key material (from older trust-add run) > + cred = kinit_keytab(oneway_principal, oneway_keytab_name, oneway_ccache_name) > + # would raise exception if expired > + cred.lifetime > + except gssapi.exceptions.ExpiredCredentialsError: > + cred = kinit_keytab(oneway_principal, oneway_keytab_name, oneway_ccache_name) > +except gssapi.exceptions.GSSError: > # If there was failure on using keytab, assume it is stale and retrieve again > retrieve_keytab(api, ccache_name, oneway_keytab_name, oneway_principal) In general, it's bad practice to catch *all* possible GSS errors unless you intend to display their status and/or abort/raise. If there's a specific state you want to cope with here, catch the exception related to it, not all of them. Up above is a place where I think this is done right. > - ctx = krbV.default_context() > - ccache = ctx.default_ccache() > - principal = ccache.principal() > - except krbV.Krb5Error, e: > + principal = krb_utils.get_principal() > + except errors.CCacheError: > sys.exit("Must have Kerberos credentials to setup AD trusts on server") Based on how GSSAPI error messages are being packed into CCache errors (the name of which is itself unfortunate...), it would be nice to give some hint of the problem here if it were GSSAPI; otherwise, to my eye, it looks like the GSSAPI status is being dropped. > +def get_credentials(name=None, ccache_name=None): > ''' > - Kerberos stores a TGT (Ticket Granting Ticket) and the service > - tickets bound to it in a ccache (credentials cache). ccaches are > - bound to a Kerberos user principal. This class opens a Kerberos > - ccache and allows one to manipulate it. 
Most useful is the > - extraction of ticket entries (cred's) in the ccache and the > - ability to examine their attributes. > + Obtains GSSAPI credentials with given principal name from ccache. When no > + principal name specified, it retrieves the default one for given > + credentials cache. > + > + :parameters: > + name > + gssapi.Name object specifying principal or None for the default > + ccache_name > + string specifying Kerberos credentials cache name or None for the > + default > + :returns: > + gssapi.Credentials object > + '''' > + store = None > + if ccache_name: > + store = {'ccache': ccache_name} > + try: > + return gssapi.Credentials(usage='initiate', name=name, store=store) > + except gssapi.exceptions.GSSError as e: > + if e.min_code == KRB5_FCC_NOFILE: > + raise ValueError('"%s", ccache="%s"' % (e.message, ccache_name)) > + raise errors.CCacheError() This is another case where it stands out that the specific error from GSSAPI should probably be checked. > + # FIXME this is a temporary workaround. We should find some nicer solution > + name = gssapi.Name('notempty', gssapi.NameType.user) > + can_name = unicode(name.canonicalize(gssapi.MechType.kerberos)) > + return can_name.partition('@')[2] or None As mentioned in my email to you, I do not think we can guarantee that the realm will actually be present after the '@' in all cases, so hopefully everything copes with a None here. But if it copes with a None, why have this code? > +# Ugly hack for test purposes only. GSSAPI has no way to get default ccache > +# name, but we don't need it outside test server > +def get_default_ccache_name(): > + try: > + out = check_output(['klist']) > + except CalledProcessError: > + raise RuntimeError("Default ccache not found. 
Did you kinit?") > + match = re.match(r'^Ticket cache:\s*(\S+)', out) > + if not match: > + raise RuntimeError("Cannot obtain ccache name") > + return match.group(1) > > > class KRBCheater(object): > def __init__(self, app): > self.app = app > self.url = app.url > - self.ccname = api.Backend.krb.default_ccname() > + self.ccname = get_default_ccache_name() > def __call__(self, environ, start_response): > environ['KRB5CCNAME'] = self.ccname

If all you're doing is using this to set $KRB5CCNAME (as __call__
suggests), that variable when unset is the default value and the
song-and-dance to get the default ccache name isn't necessary.

From danofsatx at gmail.com Wed Jul 29 19:59:29 2015
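Review bot: the `except gssapi.exceptions.ExpiredCredentialsError` branch in the one-way trust hunk retries `kinit_keytab(oneway_principal, oneway_keytab_name, oneway_ccache_name)` without first removing the expired ccache, whereas the hunk before it does `os.unlink(ccache_name)` before its retry; if `kinit_keytab` does not overwrite expired credentials already in that ccache, the second call fails the same way and the failure falls through to the broad `except gssapi.exceptions.GSSError`, which then re-fetches the keytab for a problem that had nothing to do with stale key material. Suggest the same unlink-then-retry sequence in both places, ideally factored into one helper so the two call sites cannot drift apart.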
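Review bot: the docstring terminator in the `get_credentials` hunk reads `''''` (four quotes); if that is what the patch contains it closes the docstring and opens a new, unterminated string literal, so the module will not import. Separately, the `KRB5_FCC_NOFILE` branch raises `ValueError` while every other GSS failure becomes `errors.CCacheError`; a missing ccache file is the most common "no credentials" case, and a caller written like the trust-setup hunk above (`except errors.CCacheError: sys.exit("Must have Kerberos credentials ...")`) would get a traceback instead of that message if it reaches this code. Suggest raising `errors.CCacheError` in both branches and attaching the GSS message to it so the underlying status is not lost.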
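Review bot: in the `get_default_ccache_name` hunk, `check_output(['klist'])` returns bytes under Python 3, and `re.match(r'^Ticket cache:\s*(\S+)', out)` with a str pattern then raises `TypeError` rather than the intended `RuntimeError`; pass `universal_newlines=True` (or decode the output) if this helper is expected to survive the Python 3 port. Note also that `re.match` only ever looks at the start of the output, so any klist variant that prints a line before `Ticket cache:` lands in the "Cannot obtain ccache name" branch; `re.search` with the `re.MULTILINE` flag would be the safer choice if the helper is kept at all.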
From: danofsatx at gmail.com (Dan Mossor)
Date: Wed, 29 Jul 2015 14:59:29 -0500
Subject: [Freeipa-devel] Wiki Access
Message-ID: <55B930A1.7080207@fedoraproject.org>

Greetings FreeIPA devs. I just wanted to express my sincere thank you
for all y'all do - FreeIPA is an awesome product that just keeps getting
better and better.

One area where y'all desperately need help with, however, is in
documentation. I recently had to rescue a co-worker from following a
document that was no longer applicable[0], and in researching how to fix
it I found your Wiki TODO list [1].

I would like to ask for editor access to the FreeIPA wiki so I can
contribute back some of the knowledge I've gleaned from the user list,
IRC channel, and copious amounts of research I've been doing in
deploying FreeIPA at my workplace.

Regards,
Dan "danofsatx" Mossor

[0] http://www.freeipa.org/page/Active_Directory_trust_setup#On_IPA_server
[1] http://www.freeipa.org/page/Wiki_TODO

--
Dan Mossor, RHCSA
Systems Engineer
Fedora Server WG | Fedora KDE WG | Fedora QA Team
Fedora Infrastructure Apprentice
FAS: dmossor IRC: danofsatx
San Antonio, Texas, USA

From rcritten at redhat.com Wed Jul 29 20:10:58 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 29 Jul 2015 16:10:58 -0400
Subject: [Freeipa-devel] Wiki Access
In-Reply-To: <55B930A1.7080207@fedoraproject.org>
References: <55B930A1.7080207@fedoraproject.org>
Message-ID: <55B93352.1040908@redhat.com>

Dan Mossor wrote:
> Greetings FreeIPA devs. I just wanted to express my sincere thank you
> for all y'all do - FreeIPA is an awesome product that just keeps getting
> better and better.
>
> One area where y'all desperately need help with, however, is in
> documentation. I recently had to rescue a co-worker from following a
> document that was no longer applicable[0], and in researching how to fix
> it I found your Wiki TODO list [1].
>
> I would like to ask for editor access to the FreeIPA wiki so I can
> contribute back some of the knowledge I've gleaned from the user list,
> IRC channel, and copious amounts of research I've been doing in
> deploying FreeIPA at my workplace.
>
> Regards,
> Dan "danofsatx" Mossor
>
> [0] http://www.freeipa.org/page/Active_Directory_trust_setup#On_IPA_server
> [1] http://www.freeipa.org/page/Wiki_TODO

You should just need a FAS account,
https://admin.fedoraproject.org/accounts/user/new if you don't already
have one.

rob

From danofsatx at gmail.com Wed Jul 29 20:17:07 2015
From: danofsatx at gmail.com (Dan Mossor)
Date: Wed, 29 Jul 2015 15:17:07 -0500
Subject: [Freeipa-devel] Wiki Access
In-Reply-To: <55B93352.1040908@redhat.com>
References: <55B930A1.7080207@fedoraproject.org> <55B93352.1040908@redhat.com>
Message-ID: <55B934C3.6030101@fedoraproject.org>

On 07/29/2015 03:10 PM, Rob Crittenden wrote:
> Dan Mossor wrote:
>> Greetings FreeIPA devs. I just wanted to express my sincere thank you
>> for all y'all do - FreeIPA is an awesome product that just keeps getting
>> better and better.
>>
>> One area where y'all desperately need help with, however, is in
>> documentation. I recently had to rescue a co-worker from following a
>> document that was no longer applicable[0], and in researching how to fix
>> it I found your Wiki TODO list [1].
>>
>> I would like to ask for editor access to the FreeIPA wiki so I can
>> contribute back some of the knowledge I've gleaned from the user list,
>> IRC channel, and copious amounts of research I've been doing in
>> deploying FreeIPA at my workplace.
>>
>> Regards,
>> Dan "danofsatx" Mossor
>>
>> [0] http://www.freeipa.org/page/Active_Directory_trust_setup#On_IPA_server
>> [1] http://www.freeipa.org/page/Wiki_TODO
>
> You should just need a FAS account,
> https://admin.fedoraproject.org/accounts/user/new if you don't already
> have one.
>
> rob

I've got one - I just didn't see the login link on the bottom of the page.

Incidentally, this simply points out yet another area that needs
correction in the wiki, as it states to email the freeipa-devel list
to request access.

I'm logged in, and will get to work shortly.

Dan

--
Dan Mossor, RHCSA
Systems Engineer
Fedora Server WG | Fedora KDE WG | Fedora QA Team
Fedora Infrastructure Apprentice
FAS: dmossor IRC: danofsatx
San Antonio, Texas, USA

From abokovoy at redhat.com Wed Jul 29 21:07:27 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Thu, 30 Jul 2015 00:07:27 +0300
Subject: [Freeipa-devel] Wiki Access
In-Reply-To: <55B934C3.6030101@fedoraproject.org>
References: <55B930A1.7080207@fedoraproject.org> <55B93352.1040908@redhat.com> <55B934C3.6030101@fedoraproject.org>
Message-ID: <20150729210727.GH4677@redhat.com>

On Wed, 29 Jul 2015, Dan Mossor wrote:
>On 07/29/2015 03:10 PM, Rob Crittenden wrote:
>>Dan Mossor wrote:
>>>Greetings FreeIPA devs. I just wanted to express my sincere thank you
>>>for all y'all do - FreeIPA is an awesome product that just keeps getting
>>>better and better.
>>>
>>>One area where y'all desperately need help with, however, is in
>>>documentation. I recently had to rescue a co-worker from following a
>>>document that was no longer applicable[0], and in researching how to fix
>>>it I found your Wiki TODO list [1].
>>>
>>>I would like to ask for editor access to the FreeIPA wiki so I can
>>>contribute back some of the knowledge I've gleaned from the user list,
>>>IRC channel, and copious amounts of research I've been doing in
>>>deploying FreeIPA at my workplace.
>>>
>>>Regards,
>>>Dan "danofsatx" Mossor
>>>
>>>[0] http://www.freeipa.org/page/Active_Directory_trust_setup#On_IPA_server
>>>[1] http://www.freeipa.org/page/Wiki_TODO
>>
>>You should just need a FAS account,
>>https://admin.fedoraproject.org/accounts/user/new if you don't already
>>have one.
>>
>>rob
>I've got one - I just didn't see the login link on the bottom of the page.
>
>Incidentally, this simply points out yet another area that needs
>correction in the wiki, as it states to email the freeipa-devel list
>to request access.
>
>I'm logged in, and will get to work shortly.

Thanks in advance for doing the clean ups. Could you please make sure
you are adding at least version information to any changes or
suggestions?

One of the issues with wiki pages we have is that they are tending to
cover the 'latest' version at the time they were added, but things change
over time and multiple edits blend together, sometimes making more of a
mess than needed. Adding a simple reference to what version we are
talking about could help others to not be in trouble next time.

--
/ Alexander Bokovoy

From ftweedal at redhat.com Thu Jul 30 00:19:19 2015
From: ftweedal at redhat.com (Fraser Tweedale) Date: Thu, 30 Jul 2015 10:19:19 +1000 Subject: [Freeipa-devel] [PATCH] 0028 add --out option to user-show In-Reply-To: <55B8D9BF.8010605@redhat.com> References: <20150724134049.GI20599@dhcp-40-8.bne.redhat.com> <55B25118.2080700@redhat.com> <55B25B1A.8040106@redhat.com> <55B25F94.3040507@redhat.com> <20150725014015.GJ20599@dhcp-40-8.bne.redhat.com> <55B8D820.5090607@redhat.com> <55B8D92E.4030601@redhat.com> <55B8D9BF.8010605@redhat.com> Message-ID: <20150730001919.GD6847@dhcp-40-8.bne.redhat.com> On Wed, Jul 29, 2015 at 03:48:47PM +0200, Jan Cholasta wrote: > Dne 29.7.2015 v 15:46 Martin Basti napsal(a): > >On 29/07/15 15:41, Martin Basti wrote: > >>On 25/07/15 03:40, Fraser Tweedale wrote: > >>>On Fri, Jul 24, 2015 at 05:53:56PM +0200, Tomas Babej wrote: > >>>> > >>>>On 07/24/2015 05:34 PM, Martin Basti wrote: > >>>>>On 24/07/15 16:52, Tomas Babej wrote: > >>>>>>On 07/24/2015 03:40 PM, Fraser Tweedale wrote: > >>>>>>>The attached patch adds --out option to user-show for saving user's > >>>>>>>certificate(s) to file. > >>>>>>> > >>>>>>>Thanks, > >>>>>>>Fraser > >>>>>>> > >>>>>>> > >>>>>>> > >>>>>>I hate to nitpick here, but is "out" really a descriptive option name > >>>>>>here? I'd prefer something more explicit, like '--save-cert-to', or > >>>>>>maybe even have this operation implemented as a separate command > >>>>>>altogether. > >>>>>> > >>>>>>Tomas > >>>>>> > >>>>>This keyword was already used with several commands. For consistency > >>>>>might be better to have it the same. > >>>>> > >>>>True. I see this options is being used in the following commands: > >>>> > >>>> - cert-show > >>>> - vault-retrieve > >>>> - host-show > >>>> - service-show > >>>> - user-show (proposed) > >>>> > >>>>While the first two seem to be an acceptable fit for an option called > >>>>--out, as they mainly deal with cert/secret, using the '--out' for the > >>>>latter three is a poor decision imho. 
> >>>> > >>>>I agree the consistency is important, I'm just not happy to see this > >>>>spread further. > >>>> > >>>>Tomas > >>>Perhaps we should go with something like `--certout' instead, and > >>>support `--certout' in addition to `--out' in host-show and > >>>service-show, essentially deprecating `--out' for those commands. > >>> > >>>Cheers, > >>>Fraser > >>Good idea, but we should do this for all commands, at the same time. > >>IMO this is not for 4.2, you may file a ticket to deprecate --out > >>option and replace it by --certout or something. > > The "in" option is named --certificate, so it should be --certificate-out. > > >> > >>I will do review if nobody is against this patch :) > >>Martin^2 > > LGTM > > >> > > > >Is a ticket somewhere for this? > > No ticket; I just wanted it so I wrote the patch :) I'll file the ticket for the future change to `--certificate-out' though. Thanks, Fraser > > -- > Jan Cholasta From ftweedal at redhat.com Thu Jul 30 04:09:04 2015 From: ftweedal at redhat.com (Fraser Tweedale) Date: Thu, 30 Jul 2015 14:09:04 +1000 Subject: [Freeipa-devel] [PATCH] 0029 Work around python-nss bug on unrecognised OIDs Message-ID: <20150730040904.GA4243@dhcp-40-8.bne.redhat.com> The attached patch works around a bug in python-nss triggered by unrecognised PKCS#10 request extensions. It is needed for https://fedorahosted.org/freeipa/ticket/4752 but can be reverted once the python-nss bug is fixed. Thanks, Fraser -------------- next part -------------- From b1846bd1130bb403334cdef0aaf994b45c66d4d7 Mon Sep 17 00:00:00 2001 
From: Fraser Tweedale Date: Fri, 24 Jul 2015 09:23:07 -0400 Subject: [PATCH] Work around python-nss bug on unrecognised OIDs A bug in python-nss causes an error to be thrown when converting an unrecognised OID to a string. If cert-request receives a PKCS #10 CSR with an unknown extension, the error is thrown. Work around this error by first checking if the OID is recognised and, if it is not, using a different method to obtain its string representation. Once the python-nss bug is fixed, this workaround should be reverted. https://bugzilla.redhat.com/show_bug.cgi?id=1246729 --- ipalib/pkcs10.py | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/ipalib/pkcs10.py b/ipalib/pkcs10.py index 6299dfea43b7a3f4104f0b0ec78c4f105d9daf62..64670835127e96f1d724c5f32ed7a939d37b7f16 100644 --- a/ipalib/pkcs10.py +++ b/ipalib/pkcs10.py @@ -53,7 +53,20 @@ def get_extensions(csr, datatype=PEM): The return value is a tuple of strings """ request = load_certificate_request(csr, datatype) - return tuple(nss.oid_dotted_decimal(ext.oid_tag)[4:] + + # Work around a bug in python-nss where nss.oid_dotted_decimal + # errors on unrecognised OIDs + # + # https://bugzilla.redhat.com/show_bug.cgi?id=1246729 + # + def get_prefixed_oid_str(ext): + """Returns a string like 'OID.1.2...'.""" + if ext.oid_tag == 0: + return repr(ext) + else: + return nss.oid_dotted_decimal(ext.oid) + + return tuple(get_prefixed_oid_str(ext)[4:] for ext in request.extensions) class _PrincipalName(univ.Sequence): -- 2.4.3 From ftweedal at redhat.com Thu Jul 30 04:22:25 2015 
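Review bot: the `[4:]` in `return tuple(get_prefixed_oid_str(ext)[4:] for ext in request.extensions)` assumes both branches of `get_prefixed_oid_str` return text that starts with the four characters `OID.`; the removed line already relied on that for `nss.oid_dotted_decimal`, but the new `ext.oid_tag == 0` branch returns `repr(ext)`, whose format is not a stable interface, so a later python-nss change would silently yield a truncated or wrong dotted string rather than an error. Suggest binding the result and checking the prefix before slicing, e.g. `s = get_prefixed_oid_str(ext)` followed by `if not s.startswith('OID.'): raise ValueError(...)`, and stating in the comment that tag 0 is the "unknown OID" marker the workaround keys on. Separately, the recognised-OID branch now calls `nss.oid_dotted_decimal(ext.oid)` where the removed line passed `ext.oid_tag`; if that change is deliberate the commit message should say so, since it alters the non-workaround path as well.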
From: ftweedal at redhat.com (Fraser Tweedale) Date: Thu, 30 Jul 2015 14:22:25 +1000 Subject: [Freeipa-devel] [PATCH] 0028 add --out option to user-show In-Reply-To: <20150730001919.GD6847@dhcp-40-8.bne.redhat.com> References: <20150724134049.GI20599@dhcp-40-8.bne.redhat.com> <55B25118.2080700@redhat.com> <55B25B1A.8040106@redhat.com> <55B25F94.3040507@redhat.com> <20150725014015.GJ20599@dhcp-40-8.bne.redhat.com> <55B8D820.5090607@redhat.com> <55B8D92E.4030601@redhat.com> <55B8D9BF.8010605@redhat.com> <20150730001919.GD6847@dhcp-40-8.bne.redhat.com> Message-ID: <20150730042225.GB4243@dhcp-40-8.bne.redhat.com> On Thu, Jul 30, 2015 at 10:19:19AM +1000, Fraser Tweedale wrote: > On Wed, Jul 29, 2015 at 03:48:47PM +0200, Jan Cholasta wrote: > > Dne 29.7.2015 v 15:46 Martin Basti napsal(a): > > >On 29/07/15 15:41, Martin Basti wrote: > > >>On 25/07/15 03:40, Fraser Tweedale wrote: > > >>>On Fri, Jul 24, 2015 at 05:53:56PM +0200, Tomas Babej wrote: > > >>>> > > >>>>On 07/24/2015 05:34 PM, Martin Basti wrote: > > >>>>>On 24/07/15 16:52, Tomas Babej wrote: > > >>>>>>On 07/24/2015 03:40 PM, Fraser Tweedale wrote: > > >>>>>>>The attached patch adds --out option to user-show for saving user's > > >>>>>>>certificate(s) to file. > > >>>>>>> > > >>>>>>>Thanks, > > >>>>>>>Fraser > > >>>>>>> > > >>>>>>> > > >>>>>>> > > >>>>>>I hate to nitpick here, but is "out" really a descriptive option name > > >>>>>>here? I'd prefer something more explicit, like '--save-cert-to', or > > >>>>>>maybe even have this operation implemented as a separate command > > >>>>>>altogether. > > >>>>>> > > >>>>>>Tomas > > >>>>>> > > >>>>>This keyword was already used with several commands. For consistency > > >>>>>might be better to have it the same. > > >>>>> > > >>>>True. 
I see this options is being used in the following commands: > > >>>> > > >>>> - cert-show > > >>>> - vault-retrieve > > >>>> - host-show > > >>>> - service-show > > >>>> - user-show (proposed) > > >>>> > > >>>>While the first two seem to be an acceptable fit for an option called > > >>>>--out, as they mainly deal with cert/secret, using the '--out' for the > > >>>>latter three is a poor decision imho. > > >>>> > > >>>>I agree the consistency is important, I'm just not happy to see this > > >>>>spread further. > > >>>> > > >>>>Tomas > > >>>Perhaps we should go with something like `--certout' instead, and > > >>>support `--certout' in addition to `--out' in host-show and > > >>>service-show, esentially deprecating `--out' for those commands. > > >>> > > >>>Cheers, > > >>>Fraser > > >>Good idea, but we should do this for all commands, at the same time. > > >>IMO this is not for 4.2, you may file a ticket to deprecate --out > > >>option and replace it by --certout or something. > > > > The "in" option is named --certificate, so it should be --certificate-out. > > > > >> > > >>I will do review is nobody is against this patch :) > > >>Martin^2 > > > > LGTM > > > > >> > > > > > >Is a ticket somewhere for this? > > > > No ticket; I just wanted it so I wrote the patch :) > > I'll file the ticket for future change to `--certificate-out' > though. > Ticket: https://fedorahosted.org/freeipa/ticket/5166 From jcholast at redhat.com Thu Jul 30 06:55:45 2015 
From: jcholast at redhat.com (Jan Cholasta) Date: Thu, 30 Jul 2015 08:55:45 +0200 Subject: [Freeipa-devel] [PATCH 0051] IPA server and replica installers can accept options from config file In-Reply-To: <55B8F4B3.1000904@redhat.com> References: <55B8A8E0.404@redhat.com> <55B8B82D.7010309@redhat.com> <55B8ED95.5040208@redhat.com> <55B8F4B3.1000904@redhat.com> Message-ID: <55B9CA71.6010304@redhat.com> Dne 29.7.2015 v 17:43 Petr Vobornik napsal(a): > On 07/29/2015 05:13 PM, Martin Babinsky wrote: >> On 07/29/2015 01:25 PM, Jan Cholasta wrote: >>> Dne 29.7.2015 v 12:20 Martin Babinsky napsal(a): >>>> Initial attempt to implement >>>> https://fedorahosted.org/freeipa/ticket/4517 >>>> >>>> Some points to discuss: >>>> >>>> 1.) name of the config entries: currently the option names are derived >>>> from CLI options but have underscores in them instead of dashes. Maybe >>>> keeping the CLI option names also for config entries will make it >>>> easier >>>> for the user to transfer their CLI options from scripts to config >>>> files. >>> >>> NACK. There is no point in generating config names from CLI names, which >>> are generated from knob names - use knob names directly. >>> >> The problem is that in some cases the cli_name does not map directly to >> knob name, leading to different naming of CLI options and config >> entries, confusion and mayhem. What works for CLI may not work for config files and vice versa. For example, this works for CLI:
--no-ntp
--no-forwarders
--forwarder 1.2.3.4 --forwarder 5.6.7.8
but this works better in a config file:
ntp = False
forwarders =
forwarders = 1.2.3.4, 5.6.7.8
>> >> These are some offenders from `ipaserver/install/server.py`: >> http://fpaste.org/249424/18226114/ >> >> On the other hand, this can be an incentive to finally put an end to >> inconsistent option/knob naming across server/replica/etc. installers. Yes please. > > If the names are different than cli names, then they should be made > discoverable somehow or be documented. 
IMHO documenting them is easy. > >>>> >>>> 2.) Config sections: there is currently only one valid section named >>>> '[global]' in accordance with the format of 'default.conf'. Should we >>>> have separate sections equivalent to option groups in CLI (e.g. >>>> [basic], >>>> [certificate system], [dns])? >>> >>> No, because they would have to be maintained forever. For example, some >>> options are in wrong sections and we wouldn't be able to move them. >>> >> I'm also more inclined to a single section, at least for now since we >> are pressed for time with this RFE. >> >> That's not to say that we should ditch Alexander's idea about separate >> sections with overrides for different hosts. We should consider it as a >> future enhancement to this feature once the basic plumbing is in place. Right. >>>> >>>> 3.) Handling of unattended mode when specifying a config file: >>>> Currently there is no connection between --config-file and unattended >>>> mode. So when you run ipa-server-install using config file, you still >>>> get asked for missing stuff. Should '--config-file' automatically imply >>>> '--unattended'? >>> >>> The behavior should be the same as if you specified the options on the >>> command line. So no, --config-file should not imply --unattended. >>> >> That sounds reasonable. The code behaves this way already so no changes >> here. >> >>>> >>>> There are probably other issues to discuss. Feel free to write >>>> email/ping me on IRC. >>>> >>> >>> (I haven't looked at the patch yet.) >>> >> Please take a look at it ASAP. I am on PTO tomorrow and on Friday, but I >> will find time to work on it in the evening if you send me your comments. 1) IMO the option should be in the top-level option section, not in a separate group (use "parser.add_option()"). Also maybe rename it to --config, AFAIK that's what is usually used. A short name ("-c"?) would be nice too. 
Nitpick: if the option is named --config-file, dest should be "config_file", to make it easier to look it up in the code. 2) Please don't duplicate the knob retrieval code, store knobs in a list and pass that as an argument to parse_config_file. 3) I'm not sure about using newline as a list separator. I don't know about other IPA components, but SSSD in particular uses commas, maybe we should be consistent with that? 4) Booleans should be assignable either True or False, i.e. do not use _parse_knob to parse them. Honza -- Jan Cholasta From jcholast at redhat.com Thu Jul 30 07:23:42 2015 From: jcholast at redhat.com (Jan Cholasta) Date: Thu, 30 Jul 2015 09:23:42 +0200 Subject: [Freeipa-devel] [PATH 0053] Inconsistency between ipasearchrecordslimit and --sizelimit In-Reply-To: References: Message-ID: <55B9D0FE.2090705@redhat.com> Hi, Dne 29.7.2015 v 17:23 Gabe Alford napsal(a): > Hello, > > Fix for https://fedorahosted.org/freeipa/ticket/4023 Actually, 0 means unlimited for size limit, see . Honza -- Jan Cholasta From jcholast at redhat.com Thu Jul 30 07:32:55 2015 From: jcholast at redhat.com (Jan Cholasta) Date: Thu, 30 Jul 2015 09:32:55 +0200 Subject: [Freeipa-devel] [PATH 0053] Inconsistency between ipasearchrecordslimit and --sizelimit In-Reply-To: <55B9D0FE.2090705@redhat.com> References: <55B9D0FE.2090705@redhat.com> Message-ID: <55B9D327.7070806@redhat.com> Dne 30.7.2015 v 09:23 Jan Cholasta napsal(a): > Hi, > > Dne 29.7.2015 v 17:23 Gabe Alford napsal(a): >> Hello, >> >> Fix for https://fedorahosted.org/freeipa/ticket/4023 > > Actually, 0 means unlimited for size limit, see > . After reading the ticket I think this should be fixed the other way around: make 0 mean unlimited for both time and size limit and fix the config plugin and LDAPClient to respect that. -- Jan Cholasta From mkosek at redhat.com Thu Jul 30 07:38:44 2015 
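Jan's review points 3 and 4 above (comma-separated lists and True/False booleans in the installer config file), together with his CLI-versus-config example earlier in the same thread, as an added example that is not FreeIPA's code: a small Python 3 parser for a [global] section that accepts only True/False for boolean knobs, splits list knobs on commas (an empty value clears the list, the config-file counterpart of --no-forwarders), rejects unknown keys, and renders the parsed values back as the equivalent command-line arguments. The Knob record, the KNOBS list, the sample config and the option names --no-ntp, --forwarder and --realm are constructed for the example, not taken from the installer.

```python
import configparser
from collections import namedtuple

# Constructed stand-in for an installer knob: config-file key, value type,
# and the CLI option name it corresponds to (not FreeIPA's real knob class).
Knob = namedtuple("Knob", "name type cli_name")

KNOBS = [
    Knob("ntp", bool, "ntp"),
    Knob("forwarders", list, "forwarder"),
    Knob("realm_name", str, "realm"),
]

# Constructed sample config, the file-side equivalent of the CLI invocation
# discussed in the thread: --no-ntp --forwarder 1.2.3.4 --forwarder 5.6.7.8
SAMPLE_CONFIG = """
[global]
ntp = False
forwarders = 1.2.3.4, 5.6.7.8
realm_name = EXAMPLE.TEST
"""

# Booleans are assignable only as True or False (point 4 of the review).
_BOOL_VALUES = {"true": True, "false": False}


def _parse_value(knob, raw):
    """Convert one raw config-file string according to the knob's type."""
    raw = raw.strip()
    if knob.type is bool:
        try:
            return _BOOL_VALUES[raw.lower()]
        except KeyError:
            raise ValueError(
                "%s: expected True or False, got %r" % (knob.name, raw))
    if knob.type is list:
        # Comma is the list separator (point 3); an empty value means
        # "no entries", which is what --no-forwarders expresses on the CLI.
        return [item.strip() for item in raw.split(",") if item.strip()]
    return raw


def parse_config_file(text, knobs, section="global"):
    """Return {knob name: parsed value} for the knobs set in [section].

    Unknown keys are rejected rather than ignored, so a typo in the config
    file cannot silently leave an option at its default.
    """
    by_name = {knob.name: knob for knob in knobs}
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    if not parser.has_section(section):
        raise ValueError("missing [%s] section" % section)
    values = {}
    for key, raw in parser.items(section):
        if key not in by_name:
            raise ValueError("unknown option %r in [%s]" % (key, section))
        values[key] = _parse_value(by_name[key], raw)
    return values


def to_cli_args(values, knobs):
    """Render parsed values as the equivalent command-line argument list.

    Mirrors the thread's mapping: a False boolean becomes --no-<name> (the
    CLI has only the negative flag), an empty list becomes --no-<name>, and
    a non-empty list becomes one repeated --<cli_name> option per item.
    """
    args = []
    for knob in knobs:
        if knob.name not in values:
            continue
        value = values[knob.name]
        dashed = knob.name.replace("_", "-")
        if knob.type is bool:
            if not value:
                args.append("--no-%s" % dashed)
        elif knob.type is list:
            if not value:
                args.append("--no-%s" % dashed)
            for item in value:
                args.extend(["--%s" % knob.cli_name, item])
        else:
            args.extend(["--%s" % knob.cli_name, value])
    return args


if __name__ == "__main__":
    parsed = parse_config_file(SAMPLE_CONFIG, KNOBS)
    print(parsed)
    print(" ".join(to_cli_args(parsed, KNOBS)))
```

Keeping one parser over a list of knob records (rather than repeating the retrieval code per installer, point 2 of the review) means each installer only contributes its knob list, and the boolean and list rules live in one place.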
From: mkosek at redhat.com (Martin Kosek) Date: Thu, 30 Jul 2015 09:38:44 +0200 Subject: [Freeipa-devel] Move 4.1.5 tickets to 4.2.1 In-Reply-To: <55B79DF9.8020104@redhat.com> References: <55B79DF9.8020104@redhat.com> Message-ID: <55B9D484.2060203@redhat.com> On 07/28/2015 05:21 PM, Martin Kosek wrote: > With FreeIPA 4.2.0 released, I think we can move all the 4.1.5 tickets to > FreeIPA 4.2.1 bucket and the fixes be based on that release. > > I would only make an exception if some of the fixes are critical for platforms that > did not adopt FreeIPA 4.2.0 yet (most of them ;-), but I am not aware of such > tickets. I saw no objections - moved. From cheimes at redhat.com Thu Jul 30 10:44:20 2015 From: cheimes at redhat.com (Christian Heimes) Date: Thu, 30 Jul 2015 12:44:20 +0200 Subject: [Freeipa-devel] [PATCH 017] certprofile-import: do not require profileId in profile data In-Reply-To: <55B21668.20604@redhat.com> References: <55B10E1B.8090203@redhat.com> <20150724031528.GG20599@dhcp-40-8.bne.redhat.com> <55B21668.20604@redhat.com> Message-ID: <55BA0004.60508@redhat.com> On 2015-07-24 12:41, Martin Basti wrote: > On 24/07/15 05:15, Fraser Tweedale wrote: >>> diff --git a/ipalib/plugins/certprofile.py b/ipalib/plugins/certprofile.py >>> index 5550ed942521dbab2e783fba1570520268f9b378..fe8934690fe09499f0bacb6610d9815a2b4367a4 100644 >>> --- a/ipalib/plugins/certprofile.py >>> +++ b/ipalib/plugins/certprofile.py 
>>> @@ -233,8 +233,8 @@ class certprofile_import(LDAPCreate): >>> >>> match = self.PROFILE_ID_PATTERN.search(options['file']) >>> if match is None: >>> - raise errors.ValidationError(name='file', >>> - error=_("Profile ID is not present in profile data")) >>> + # no profileId found, use CLI value as profileId. >>> + options['file'] = u'profileId=%s\n%s' % (keys[0], options['file']) >> NACK >> >> This assignment has no external effect; `post_callback' is called >> with original `options['file']' and dogtag profile import can fail >> due to missing profileId. >> >> The solution is to do the same thing in post_callback; updated patch >> attached. >> >> Thanks, >> Fraser >> >> > > I don't like to have the same code twice in pre and post callback. > > Can you use contextmanager to store the right value in pre callback and > then use it in post callback? > (can find it in dns plugin, search for context) Sounds good to me! Christian PS: Context is a fancy name for a TLS dict. ;) -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-cheimes-0017-3-certprofile-import-do-not-require-profileId-in-profi.patch Type: text/x-patch Size: 2360 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 455 bytes Desc: OpenPGP digital signature URL: From mkosek at redhat.com Thu Jul 30 11:37:42 2015 
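Review bot: the `+` line `options['file'] = u'profileId=%s\n%s' % (keys[0], options['file'])` assumes the profile data is line-oriented key=value text in which a leading `profileId=` line is valid; if `certprofile-import` accepts profile data in any other encoding, the prepended line corrupts it instead of being ignored, so the fallback should be limited to the format that `PROFILE_ID_PATTERN` targets and the comment above it (`# no profileId found, use CLI value as profileId.`) should state that assumption. Replacing the `ValidationError` also turns a previously rejected input into an accepted one with the CLI key silently filled in, which deserves a sentence in the commit message. As the thread points out, the assignment in the pre-callback does not reach `post_callback`; computing the value once and carrying it over (the thread suggests the request context) avoids doing the prepend in both callbacks.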
From: mkosek at redhat.com (Martin Kosek) Date: Thu, 30 Jul 2015 13:37:42 +0200 Subject: [Freeipa-devel] New freeipa-tools repo Message-ID: <55BA0C86.5010707@redhat.com> Hello all, Right now, the people pushing patches to FreeIPA use Petr's great "ipatool" that is part of Petr's (CCed) ipa-tools repo forked from my old "ipa-tools" repository. Recently, we have found that "ipatool" needs update due to 4.2 being released, so I think this is a great moment to make this tool more official and use a shared team repository so that people on the team can contribute and freely improve it. As we have our shiny organization on github, I simply created new "freeipa-tools" repo and with Petr's permission, moved "ipa-tools" content there: https://github.com/freeipa/freeipa-tools If there are no objections, I would use that as the authoritative version of the tools repo for the team. FreeIPA developers, please feel free to request access to https://github.com/orgs/freeipa/teams/freeipa if you want to commit to this repo. If there are concerns or comments to this idea, please let me know and we can discuss. -- Martin Kosek Supervisor, Software Engineering - Identity Management Team Red Hat Inc. From abokovoy at redhat.com Thu Jul 30 11:51:16 2015 
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Thu, 30 Jul 2015 14:51:16 +0300 Subject: [Freeipa-devel] New freeipa-tools repo In-Reply-To: <55BA0C86.5010707@redhat.com> References: <55BA0C86.5010707@redhat.com> Message-ID: <20150730115116.GJ4677@redhat.com> On Thu, 30 Jul 2015, Martin Kosek wrote: >Hello all, > >Right now, the people pushing patches to FreeIPA use Petr's great "ipatool" >that is part of Petr's (CCed) ipa-tools repo forked from my old "ipa-tools" >repository. > >Recently, we have found that "ipatool" needs update due to 4.2 being released, >so I think this is a great moment to make this tool more official and use a >shared team repository so that people on the team can contribute and freely >improve it. > >As we have our shiny organization on github, I simply created new >"freeipa-tools" repo and with Petr's permission, moved "ipa-tools" content there: > >https://github.com/freeipa/freeipa-tools > >If there are no objections, I would use that as the authoritative version of >the tools repo for the team. > >FreeIPA developers, please feel free to request access to >https://github.com/orgs/freeipa/teams/freeipa >if you want to commit to this repo. The link does not exist, you'd get 404 trying to access it. I don't see any way to add myself or request addition at https://github.com/freeipa -- / Alexander Bokovoy From mkosek at redhat.com Thu Jul 30 11:58:31 2015 
From: mkosek at redhat.com (Martin Kosek) Date: Thu, 30 Jul 2015 13:58:31 +0200 Subject: [Freeipa-devel] New freeipa-tools repo In-Reply-To: <20150730115116.GJ4677@redhat.com> References: <55BA0C86.5010707@redhat.com> <20150730115116.GJ4677@redhat.com> Message-ID: <55BA1167.6040809@redhat.com> On 07/30/2015 01:51 PM, Alexander Bokovoy wrote: > On Thu, 30 Jul 2015, Martin Kosek wrote: >> Hello all, >> >> Right now, the people pushing patches to FreeIPA use Petr's great "ipatool" >> that is part of Petr's (CCed) ipa-tools repo forked from my old "ipa-tools" >> repository. >> >> Recently, we have found that "ipatool" needs update due to 4.2 being released, >> so I think this is a great moment to make this tool more official and use a >> shared team repository so that people on the team can contribute and freely >> improve it. >> >> As we have our shiny organization on github, I simply created new >> "freeipa-tools" repo and with Petr's permission, moved "ipa-tools" content >> there: >> >> https://github.com/freeipa/freeipa-tools >> >> If there are no objections, I would use that as the authoritative version of >> the tools repo for the team. >> >> FreeIPA developers, please feel free to request access to >> https://github.com/orgs/freeipa/teams/freeipa >> if you want to commit to this repo. > The link does not exist, you'd get 404 trying to access it. > I don't see any way to add myself or request addition at > https://github.com/freeipa Ah, looks like the github teams work differently than I thought. You may need to send me your github logins so that I can add people. If there is a better way, please let me know. From cheimes at redhat.com Thu Jul 30 12:07:11 2015 
From: cheimes at redhat.com (Christian Heimes) Date: Thu, 30 Jul 2015 14:07:11 +0200 Subject: [Freeipa-devel] CLI parameter: TextFile, BinaryFile and mutually exclusive group Message-ID: <55BA136F.9070909@redhat.com> Hello, While I was working on the ticket https://fedorahosted.org/freeipa/ticket/5155, I noticed a couple of additional places that may raise an IOError. Instead of a File() parameter, the vault plugin uses a Str() parameter in combination with open() to read files. For passwords I can mostly replace the Str() parameter with File(). There is only one minor issue. The File() class has no encoding flag. ipalib.cli.cli.load_files() uses the encoding of sys.stdin to determine the encoding. In some cases the encoding of sys.stdin can be ASCII. For that reason I would like to add an encoding parameter to File(). For public and private key files I can't use File(). File() is a subclass of Str(), which requires unicode text. The vault code treats public and private key data as bytes. I assume it wants to support DER encoded key data, too. I would like to introduce a new BinaryFile() parameter, which subclasses Bytes(). It might make sense to alias File as TextFile and deprecate the File name. Finally the vault plugin has several mutually exclusive parameters, e.g. password and password-file. The plugin has seven distinct checks for mutual exclusion. IMHO this should be better handled by the parameter parsing code. Python's argparse module has a similar feature: https://docs.python.org/2/library/argparse.html#mutual-exclusion I would like to handle the case with a mutually_exclusive flag such as:

    Str(
        'password?',
        cli_name='password',
        doc=_('Vault password'),
        mutually_exclusive='password',
    ),
    File(
        'password_file?',
        cli_name='password_file',
        doc=_('File containing the vault password'),
        mutually_exclusive='password',
    ),

If more than one parameter with the same mutually_exclusive group name is given, then a MutuallyExclusiveError is raised. 
Christian -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 455 bytes Desc: OpenPGP digital signature URL: From ofayans at redhat.com Thu Jul 30 12:18:29 2015 From: ofayans at redhat.com (Oleg Fayans) Date: Thu, 30 Jul 2015 14:18:29 +0200 Subject: [Freeipa-devel] ipa-server-install completely broken in upstream Message-ID: <55BA1615.6040505@redhat.com> Hi all, Any attempts to install ipa server from today's upstream code result in ipa-server-install silently exiting without doing anything. Here is how it looks:
root at f22master:/home/ofayans]$ rpm -q freeipa-server
freeipa-server-4.2.90.201507300929GIT4e18a62-0.fc22.x86_64
root at f22master:/home/ofayans]$ ipa-server-install
root at f22master:/home/ofayans]$
Any ideas how this happened? -- Oleg Fayans Quality Engineer FreeIPA team RedHat. From abokovoy at redhat.com Thu Jul 30 12:23:31 2015 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Thu, 30 Jul 2015 15:23:31 +0300 Subject: [Freeipa-devel] ipa-server-install completely broken in upstream In-Reply-To: <55BA1615.6040505@redhat.com> References: <55BA1615.6040505@redhat.com> Message-ID: <20150730122331.GK4677@redhat.com> On Thu, 30 Jul 2015, Oleg Fayans wrote: >Hi all, > >Any attempts to install ipa server from today's upstream code result >in ipa-server-install silently exiting without doing anything. Here is >how it looks like: > >root at f22master:/home/ofayans]$ rpm -q freeipa-server >freeipa-server-4.2.90.201507300929GIT4e18a62-0.fc22.x86_64 >root at f22master:/home/ofayans]$ ipa-server-install >root at f22master:/home/ofayans]$ > >Any Ideas how did it happen? No idea but you can run ipa-server-install with Python tracing: python -vx /usr/sbin/ipa-server-install 2>&1 | tee logfile.txt -- / Alexander Bokovoy From mbasti at redhat.com Thu Jul 30 12:31:02 2015 
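Christian's mutually_exclusive proposal above (the TextFile/BinaryFile message, before the ipa-server-install thread), as an added example that is not FreeIPA's code: a Python 3 stand-in Param record that carries the hypothetical mutually_exclusive group name, and one generic check that groups the parameters actually supplied on the command line and raises a MutuallyExclusiveError (defined here, also hypothetical) when any group has more than one. The VAULT_PARAMS list and its cli names are constructed for the example; the real vault plugin's parameters are not reproduced.

```python
from collections import namedtuple

# Constructed stand-in for the framework's parameter objects (not ipalib's
# real Str/File classes): `mutually_exclusive` is the hypothetical group
# name from the proposal, None for a parameter that belongs to no group.
Param = namedtuple("Param", "name cli_name mutually_exclusive")

# Constructed parameter list modelled on the password / password-file pair
# from the message, plus a second group and one ungrouped parameter.
VAULT_PARAMS = [
    Param("password", "password", "password"),
    Param("password_file", "password-file", "password"),
    Param("public_key", "public-key", "public_key"),
    Param("public_key_file", "public-key-file", "public_key"),
    Param("description", "desc", None),
]


class MutuallyExclusiveError(ValueError):
    """Raised when more than one option of one exclusive group is given."""

    def __init__(self, group, cli_names):
        self.group = group
        self.cli_names = tuple(cli_names)
        opts = ", ".join("--" + name for name in self.cli_names)
        super().__init__(
            "%s are mutually exclusive (group %r)" % (opts, group))


def given_by_group(params, options):
    """Map each exclusive group to the CLI names of its supplied parameters.

    `options` is the parsed command line as {parameter name: value}; a
    value of None means the optional parameter was omitted, so it is not
    counted. Ungrouped parameters are ignored.
    """
    groups = {}
    for param in params:
        if param.mutually_exclusive is None:
            continue
        if options.get(param.name) is None:
            continue
        groups.setdefault(param.mutually_exclusive, []).append(param.cli_name)
    return groups


def check_mutually_exclusive(params, options):
    """Raise MutuallyExclusiveError for the first violated group.

    Returns the group map when no group is violated. One generic check like
    this replaces a hand-written pairwise check in every command that
    shares the parameters.
    """
    groups = given_by_group(params, options)
    for group, cli_names in groups.items():
        if len(cli_names) > 1:
            raise MutuallyExclusiveError(group, cli_names)
    return groups


if __name__ == "__main__":
    print(check_mutually_exclusive(
        VAULT_PARAMS, {"password": "s3cret", "public_key_file": "key.der"}))
    try:
        check_mutually_exclusive(
            VAULT_PARAMS, {"password": "s3cret", "password_file": "pw.txt"})
    except MutuallyExclusiveError as exc:
        print(exc)
```

The check tests `is None` rather than truthiness so that a legitimately empty value (an empty password string) still counts as supplied; treating it as absent would let both options of a pair through.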
From: mbasti at redhat.com (Martin Basti) Date: Thu, 30 Jul 2015 14:31:02 +0200 Subject: [Freeipa-devel] ipa-server-install completely broken in upstream In-Reply-To: <55BA1615.6040505@redhat.com> References: <55BA1615.6040505@redhat.com> Message-ID: <55BA1906.8080609@redhat.com> On 30/07/15 14:18, Oleg Fayans wrote: > Hi all, > > Any attempts to install ipa server from today's upstream code result > in ipa-server-install silently exiting without doing anything. Here is > how it looks like: > > root at f22master:/home/ofayans]$ rpm -q freeipa-server > freeipa-server-4.2.90.201507300929GIT4e18a62-0.fc22.x86_64 > root at f22master:/home/ofayans]$ ipa-server-install > root at f22master:/home/ofayans]$ > > Any Ideas how did it happen? > Is something in /var/log/ipaserver-install.log? -- Martin Basti From ofayans at redhat.com Thu Jul 30 12:32:26 2015 
From: ofayans at redhat.com (Oleg Fayans) Date: Thu, 30 Jul 2015 14:32:26 +0200 Subject: [Freeipa-devel] ipa-server-install completely broken in upstream In-Reply-To: <20150730122331.GK4677@redhat.com> References: <55BA1615.6040505@redhat.com> <20150730122331.GK4677@redhat.com> Message-ID: <55BA1959.50207@redhat.com> Hi Alexander, On 07/30/2015 02:23 PM, Alexander Bokovoy wrote: > On Thu, 30 Jul 2015, Oleg Fayans wrote: >> Hi all, >> >> Any attempts to install ipa server from today's upstream code result >> in ipa-server-install silently exiting without doing anything. Here >> is how it looks like: >> >> root at f22master:/home/ofayans]$ rpm -q freeipa-server >> freeipa-server-4.2.90.201507300929GIT4e18a62-0.fc22.x86_64 >> root at f22master:/home/ofayans]$ ipa-server-install >> root at f22master:/home/ofayans]$ >> >> Any Ideas how did it happen? > No idea but you can run ipa-server-install with Python tracing: > python -vx /usr/sbin/ipa-server-install 2>&1 | tee logfile.txt Thanks for the hint. Here is the log -- Oleg Fayans Quality Engineer FreeIPA team RedHat. 
-------------- next part -------------- # installing zipimport hook import zipimport # builtin # installed zipimport hook # /usr/lib64/python2.7/site.pyc matches /usr/lib64/python2.7/site.py import site # precompiled from /usr/lib64/python2.7/site.pyc # /usr/lib64/python2.7/os.pyc matches /usr/lib64/python2.7/os.py import os # precompiled from /usr/lib64/python2.7/os.pyc import errno # builtin import posix # builtin # /usr/lib64/python2.7/posixpath.pyc matches /usr/lib64/python2.7/posixpath.py import posixpath # precompiled from /usr/lib64/python2.7/posixpath.pyc # /usr/lib64/python2.7/stat.pyc matches /usr/lib64/python2.7/stat.py import stat # precompiled from /usr/lib64/python2.7/stat.pyc # /usr/lib64/python2.7/genericpath.pyc matches /usr/lib64/python2.7/genericpath.py import genericpath # precompiled from /usr/lib64/python2.7/genericpath.pyc # /usr/lib64/python2.7/warnings.pyc matches /usr/lib64/python2.7/warnings.py import warnings # precompiled from /usr/lib64/python2.7/warnings.pyc # /usr/lib64/python2.7/linecache.pyc matches /usr/lib64/python2.7/linecache.py import linecache # precompiled from /usr/lib64/python2.7/linecache.pyc # /usr/lib64/python2.7/types.pyc matches /usr/lib64/python2.7/types.py import types # precompiled from /usr/lib64/python2.7/types.pyc # /usr/lib64/python2.7/UserDict.pyc matches /usr/lib64/python2.7/UserDict.py import UserDict # precompiled from /usr/lib64/python2.7/UserDict.pyc # /usr/lib64/python2.7/_abcoll.pyc matches /usr/lib64/python2.7/_abcoll.py import _abcoll # precompiled from /usr/lib64/python2.7/_abcoll.pyc # /usr/lib64/python2.7/abc.pyc matches /usr/lib64/python2.7/abc.py import abc # precompiled from /usr/lib64/python2.7/abc.pyc # /usr/lib64/python2.7/_weakrefset.pyc matches /usr/lib64/python2.7/_weakrefset.py import _weakrefset # precompiled from /usr/lib64/python2.7/_weakrefset.pyc import _weakref # builtin # /usr/lib64/python2.7/copy_reg.pyc matches /usr/lib64/python2.7/copy_reg.py import copy_reg # precompiled from 
/usr/lib64/python2.7/copy_reg.pyc # /usr/lib64/python2.7/traceback.pyc matches /usr/lib64/python2.7/traceback.py import traceback # precompiled from /usr/lib64/python2.7/traceback.pyc # /usr/lib64/python2.7/sysconfig.pyc matches /usr/lib64/python2.7/sysconfig.py import sysconfig # precompiled from /usr/lib64/python2.7/sysconfig.pyc # /usr/lib64/python2.7/re.pyc matches /usr/lib64/python2.7/re.py import re # precompiled from /usr/lib64/python2.7/re.pyc # /usr/lib64/python2.7/sre_compile.pyc matches /usr/lib64/python2.7/sre_compile.py import sre_compile # precompiled from /usr/lib64/python2.7/sre_compile.pyc import _sre # builtin # /usr/lib64/python2.7/sre_parse.pyc matches /usr/lib64/python2.7/sre_parse.py import sre_parse # precompiled from /usr/lib64/python2.7/sre_parse.pyc # /usr/lib64/python2.7/sre_constants.pyc matches /usr/lib64/python2.7/sre_constants.py import sre_constants # precompiled from /usr/lib64/python2.7/sre_constants.pyc dlopen("/usr/lib64/python2.7/lib-dynload/_localemodule.so", 2); import _locale # dynamically loaded from /usr/lib64/python2.7/lib-dynload/_localemodule.so # /usr/lib64/python2.7/_sysconfigdata.pyc matches /usr/lib64/python2.7/_sysconfigdata.py import _sysconfigdata # precompiled from /usr/lib64/python2.7/_sysconfigdata.pyc import encodings # directory /usr/lib64/python2.7/encodings # /usr/lib64/python2.7/encodings/__init__.pyc matches /usr/lib64/python2.7/encodings/__init__.py import encodings # precompiled from /usr/lib64/python2.7/encodings/__init__.pyc # /usr/lib64/python2.7/codecs.pyc matches /usr/lib64/python2.7/codecs.py import codecs # precompiled from /usr/lib64/python2.7/codecs.pyc import _codecs # builtin # /usr/lib64/python2.7/encodings/aliases.pyc matches /usr/lib64/python2.7/encodings/aliases.py import encodings.aliases # precompiled from /usr/lib64/python2.7/encodings/aliases.pyc # /usr/lib64/python2.7/encodings/utf_8.pyc matches /usr/lib64/python2.7/encodings/utf_8.py import encodings.utf_8 # precompiled from 
/usr/lib64/python2.7/encodings/utf_8.pyc Python 2.7.10 (default, Jul 5 2015, 14:15:43) [GCC 5.1.1 20150618 (Red Hat 5.1.1-4)] on linux2 Type "help", "copyright", "credits" or "license" for more information. python: can't open file 'ipa-server-install': [Errno 2] No such file or directory From ofayans at redhat.com Thu Jul 30 12:32:57 2015 From: ofayans at redhat.com (Oleg Fayans) Date: Thu, 30 Jul 2015 14:32:57 +0200 Subject: [Freeipa-devel] ipa-server-install completely broken in upstream In-Reply-To: <55BA1906.8080609@redhat.com> References: <55BA1615.6040505@redhat.com> <55BA1906.8080609@redhat.com> Message-ID: <55BA1979.9000108@redhat.com> Hi Martin, On 07/30/2015 02:31 PM, Martin Basti wrote: > On 30/07/15 14:18, Oleg Fayans wrote: >> Hi all, >> >> Any attempts to install ipa server from today's upstream code result >> in ipa-server-install silently exiting without doing anything. Here >> is how it looks like: >> >> root at f22master:/home/ofayans]$ rpm -q freeipa-server >> freeipa-server-4.2.90.201507300929GIT4e18a62-0.fc22.x86_64 >> root at f22master:/home/ofayans]$ ipa-server-install >> root at f22master:/home/ofayans]$ >> >> Any Ideas how did it happen? >> > Is something in /var/log/ipaserver-install.log? > This file was not even created. -- Oleg Fayans Quality Engineer FreeIPA team RedHat. From jcholast at redhat.com Thu Jul 30 12:37:32 2015 
From: jcholast at redhat.com (Jan Cholasta) Date: Thu, 30 Jul 2015 14:37:32 +0200 Subject: [Freeipa-devel] CLI parameter: TextFile, BinaryFile and mutually exclusive group In-Reply-To: <55BA136F.9070909@redhat.com> References: <55BA136F.9070909@redhat.com> Message-ID: <55BA1A8C.5030607@redhat.com> Hi, Dne 30.7.2015 v 14:07 Christian Heimes napsal(a): > Hello, > > While I was working on the ticket > https://fedorahosted.org/freeipa/ticket/5155, I noticed a couple of > additional places that may raise an IOError. Instead of a File() > paramaeter, the vault plugin uses Str() paramater in combination with > open() to read files. > > For passwords I can mostly replace the Str() parameter with File(). > There is only one minor issue. The File() class has no encoding flag. > ipalib.cli.cli.load_files() uses the encoding of sys.stdin to > determinate the encoding. In some cases the encoding of sys.stdin can be > ASCII. For that reason I like to add an encoding parameter to File(). > > For public and private key file I can't use File(). File() is a subclass > of Str(), which requires unicode text. The vault code treats public and > private key data as bytes. I assume it wants to support DER encoded key > data, too. I like to introduce a new BinaryFile() parameter, which > subclasses Bytes(). It might make sense to alias File as TextFile and > deprecate the File name. > > Finally the vault plugin has several mutually exclusive paramater, e.g. > passsword and password-file. The plugin has seven distinct checks for > mutual exclusion. IMHO this should be better handled by the parameter > parsing code. 
Python's argparse module has a similar feature: > https://docs.python.org/2/library/argparse.html#mutual-exclusion > > I'd like to handle the case with a mutually_exclusive flag such as: > > Str( > 'password?', > cli_name='password', > doc=_('Vault password'), > mutually_exclusive='password', > ), > File( > 'password_file?', > cli_name='password_file', > doc=_('File containing the vault password'), > mutually_exclusive='password', > ), > > If more than one parameter with the same mutually_exclusive group name > is given, then a MutuallyExclusiveError is raised. NACK, instead of having duplicate definitions for a single logical parameter and dealing with their inherent mutual exclusiveness on the framework level, this should be handled exclusively by the CLI by generating multiple command line options for different dispositions of the logical parameter. If anything, File should be completely removed, not further extended, as it is inherently broken and never worked properly. I have an almost working patch which implements this, but I don't think it's 4.2.1 material, so I would suggest doing a simple fix for #5155 for now. Honza -- Jan Cholasta From mbasti at redhat.com Thu Jul 30 12:38:20 2015 From: mbasti at redhat.com (Martin Basti) Date: Thu, 30 Jul 2015 14:38:20 +0200 Subject: [Freeipa-devel] [PATCH 0058] dns: do not add (forward)zone if it is already resolvable. In-Reply-To: <55B8DF32.70208@redhat.com> References: <55B8DF32.70208@redhat.com> Message-ID: <55BA1ABC.8020108@redhat.com> On 29/07/15 16:12, David Kupka wrote: > https://fedorahosted.org/freeipa/ticket/5087 NACK You forgot to update the API.txt file -- Martin Basti From abokovoy at redhat.com Thu Jul 30 12:39:56 2015 
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Thu, 30 Jul 2015 15:39:56 +0300 Subject: [Freeipa-devel] ipa-server-install completely broken in upstream In-Reply-To: <55BA1959.50207@redhat.com> References: <55BA1615.6040505@redhat.com> <20150730122331.GK4677@redhat.com> <55BA1959.50207@redhat.com> Message-ID: <20150730123956.GM4677@redhat.com> On Thu, 30 Jul 2015, Oleg Fayans wrote: >Hi Alexander, > >On 07/30/2015 02:23 PM, Alexander Bokovoy wrote: >>On Thu, 30 Jul 2015, Oleg Fayans wrote: >>>Hi all, >>> >>>Any attempts to install ipa server from today's upstream code >>>result in ipa-server-install silently exiting without doing >>>anything. Here is how it looks: >>> >>>root at f22master:/home/ofayans]$ rpm -q freeipa-server >>>freeipa-server-4.2.90.201507300929GIT4e18a62-0.fc22.x86_64 >>>root at f22master:/home/ofayans]$ ipa-server-install >>>root at f22master:/home/ofayans]$ >>> >>>Any ideas how this happened? >>No idea, but you can run ipa-server-install with Python tracing: >>python -vx /usr/sbin/ipa-server-install 2>&1 | tee logfile.txt >Thanks for the hint. Here is the log: > >-- >Oleg Fayans >Quality Engineer >FreeIPA team >RedHat. 
> ># installing zipimport hook >import zipimport # builtin ># installed zipimport hook ># /usr/lib64/python2.7/site.pyc matches /usr/lib64/python2.7/site.py >import site # precompiled from /usr/lib64/python2.7/site.pyc ># /usr/lib64/python2.7/os.pyc matches /usr/lib64/python2.7/os.py >import os # precompiled from /usr/lib64/python2.7/os.pyc >import errno # builtin >import posix # builtin ># /usr/lib64/python2.7/posixpath.pyc matches /usr/lib64/python2.7/posixpath.py >import posixpath # precompiled from /usr/lib64/python2.7/posixpath.pyc ># /usr/lib64/python2.7/stat.pyc matches /usr/lib64/python2.7/stat.py >import stat # precompiled from /usr/lib64/python2.7/stat.pyc ># /usr/lib64/python2.7/genericpath.pyc matches /usr/lib64/python2.7/genericpath.py >import genericpath # precompiled from /usr/lib64/python2.7/genericpath.pyc ># /usr/lib64/python2.7/warnings.pyc matches /usr/lib64/python2.7/warnings.py >import warnings # precompiled from /usr/lib64/python2.7/warnings.pyc ># /usr/lib64/python2.7/linecache.pyc matches /usr/lib64/python2.7/linecache.py >import linecache # precompiled from /usr/lib64/python2.7/linecache.pyc ># /usr/lib64/python2.7/types.pyc matches /usr/lib64/python2.7/types.py >import types # precompiled from /usr/lib64/python2.7/types.pyc ># /usr/lib64/python2.7/UserDict.pyc matches /usr/lib64/python2.7/UserDict.py >import UserDict # precompiled from /usr/lib64/python2.7/UserDict.pyc ># /usr/lib64/python2.7/_abcoll.pyc matches /usr/lib64/python2.7/_abcoll.py >import _abcoll # precompiled from /usr/lib64/python2.7/_abcoll.pyc ># /usr/lib64/python2.7/abc.pyc matches /usr/lib64/python2.7/abc.py >import abc # precompiled from /usr/lib64/python2.7/abc.pyc ># /usr/lib64/python2.7/_weakrefset.pyc matches /usr/lib64/python2.7/_weakrefset.py >import _weakrefset # precompiled from /usr/lib64/python2.7/_weakrefset.pyc >import _weakref # builtin ># /usr/lib64/python2.7/copy_reg.pyc matches /usr/lib64/python2.7/copy_reg.py >import copy_reg # precompiled from 
/usr/lib64/python2.7/copy_reg.pyc ># /usr/lib64/python2.7/traceback.pyc matches /usr/lib64/python2.7/traceback.py >import traceback # precompiled from /usr/lib64/python2.7/traceback.pyc ># /usr/lib64/python2.7/sysconfig.pyc matches /usr/lib64/python2.7/sysconfig.py >import sysconfig # precompiled from /usr/lib64/python2.7/sysconfig.pyc ># /usr/lib64/python2.7/re.pyc matches /usr/lib64/python2.7/re.py >import re # precompiled from /usr/lib64/python2.7/re.pyc ># /usr/lib64/python2.7/sre_compile.pyc matches /usr/lib64/python2.7/sre_compile.py >import sre_compile # precompiled from /usr/lib64/python2.7/sre_compile.pyc >import _sre # builtin ># /usr/lib64/python2.7/sre_parse.pyc matches /usr/lib64/python2.7/sre_parse.py >import sre_parse # precompiled from /usr/lib64/python2.7/sre_parse.pyc ># /usr/lib64/python2.7/sre_constants.pyc matches /usr/lib64/python2.7/sre_constants.py >import sre_constants # precompiled from /usr/lib64/python2.7/sre_constants.pyc >dlopen("/usr/lib64/python2.7/lib-dynload/_localemodule.so", 2); >import _locale # dynamically loaded from /usr/lib64/python2.7/lib-dynload/_localemodule.so ># /usr/lib64/python2.7/_sysconfigdata.pyc matches /usr/lib64/python2.7/_sysconfigdata.py >import _sysconfigdata # precompiled from /usr/lib64/python2.7/_sysconfigdata.pyc >import encodings # directory /usr/lib64/python2.7/encodings ># /usr/lib64/python2.7/encodings/__init__.pyc matches /usr/lib64/python2.7/encodings/__init__.py >import encodings # precompiled from /usr/lib64/python2.7/encodings/__init__.pyc ># /usr/lib64/python2.7/codecs.pyc matches /usr/lib64/python2.7/codecs.py >import codecs # precompiled from /usr/lib64/python2.7/codecs.pyc >import _codecs # builtin ># /usr/lib64/python2.7/encodings/aliases.pyc matches /usr/lib64/python2.7/encodings/aliases.py >import encodings.aliases # precompiled from /usr/lib64/python2.7/encodings/aliases.pyc ># /usr/lib64/python2.7/encodings/utf_8.pyc matches /usr/lib64/python2.7/encodings/utf_8.py >import encodings.utf_8 
# precompiled from /usr/lib64/python2.7/encodings/utf_8.pyc >Python 2.7.10 (default, Jul 5 2015, 14:15:43) >[GCC 5.1.1 20150618 (Red Hat 5.1.1-4)] on linux2 >Type "help", "copyright", "credits" or "license" for more information. >python: can't open file 'ipa-server-install': [Errno 2] No such file or directory So it says it couldn't find file ipa-server-install -- are you sure you launched it with the right path? It is in /usr/sbin/ipa-server-install. -- / Alexander Bokovoy From ofayans at redhat.com Thu Jul 30 12:42:35 2015 
From: ofayans at redhat.com (Oleg Fayans) Date: Thu, 30 Jul 2015 14:42:35 +0200 Subject: [Freeipa-devel] ipa-server-install completely broken in upstream In-Reply-To: <20150730123956.GM4677@redhat.com> References: <55BA1615.6040505@redhat.com> <20150730122331.GK4677@redhat.com> <55BA1959.50207@redhat.com> <20150730123956.GM4677@redhat.com> Message-ID: <55BA1BBB.9070404@redhat.com> On 07/30/2015 02:39 PM, Alexander Bokovoy wrote: > On Thu, 30 Jul 2015, Oleg Fayans wrote: >> Hi Alexander, >> >> On 07/30/2015 02:23 PM, Alexander Bokovoy wrote: >>> On Thu, 30 Jul 2015, Oleg Fayans wrote: >>>> Hi all, >>>> >>>> Any attempts to install ipa server from today's upstream code >>>> result in ipa-server-install silently exiting without doing >>>> anything. Here is how it looks: >>>> >>>> root at f22master:/home/ofayans]$ rpm -q freeipa-server >>>> freeipa-server-4.2.90.201507300929GIT4e18a62-0.fc22.x86_64 >>>> root at f22master:/home/ofayans]$ ipa-server-install >>>> root at f22master:/home/ofayans]$ >>>> >>>> Any ideas how this happened? >>> No idea, but you can run ipa-server-install with Python tracing: >>> python -vx /usr/sbin/ipa-server-install 2>&1 | tee logfile.txt >> Thanks for the hint. Here is the log: >> >> -- >> Oleg Fayans >> Quality Engineer >> FreeIPA team >> RedHat. 
>> > >> # installing zipimport hook >> import zipimport # builtin >> # installed zipimport hook >> # /usr/lib64/python2.7/site.pyc matches /usr/lib64/python2.7/site.py >> import site # precompiled from /usr/lib64/python2.7/site.pyc >> # /usr/lib64/python2.7/os.pyc matches /usr/lib64/python2.7/os.py >> import os # precompiled from /usr/lib64/python2.7/os.pyc >> import errno # builtin >> import posix # builtin >> # /usr/lib64/python2.7/posixpath.pyc matches >> /usr/lib64/python2.7/posixpath.py >> import posixpath # precompiled from /usr/lib64/python2.7/posixpath.pyc >> # /usr/lib64/python2.7/stat.pyc matches /usr/lib64/python2.7/stat.py >> import stat # precompiled from /usr/lib64/python2.7/stat.pyc >> # /usr/lib64/python2.7/genericpath.pyc matches >> /usr/lib64/python2.7/genericpath.py >> import genericpath # precompiled from >> /usr/lib64/python2.7/genericpath.pyc >> # /usr/lib64/python2.7/warnings.pyc matches >> /usr/lib64/python2.7/warnings.py >> import warnings # precompiled from /usr/lib64/python2.7/warnings.pyc >> # /usr/lib64/python2.7/linecache.pyc matches >> /usr/lib64/python2.7/linecache.py >> import linecache # precompiled from /usr/lib64/python2.7/linecache.pyc >> # /usr/lib64/python2.7/types.pyc matches /usr/lib64/python2.7/types.py >> import types # precompiled from /usr/lib64/python2.7/types.pyc >> # /usr/lib64/python2.7/UserDict.pyc matches >> /usr/lib64/python2.7/UserDict.py >> import UserDict # precompiled from /usr/lib64/python2.7/UserDict.pyc >> # /usr/lib64/python2.7/_abcoll.pyc matches >> /usr/lib64/python2.7/_abcoll.py >> import _abcoll # precompiled from /usr/lib64/python2.7/_abcoll.pyc >> # /usr/lib64/python2.7/abc.pyc matches /usr/lib64/python2.7/abc.py >> import abc # precompiled from /usr/lib64/python2.7/abc.pyc >> # /usr/lib64/python2.7/_weakrefset.pyc matches >> /usr/lib64/python2.7/_weakrefset.py >> import _weakrefset # precompiled from >> /usr/lib64/python2.7/_weakrefset.pyc >> import _weakref # builtin >> # 
/usr/lib64/python2.7/copy_reg.pyc matches >> /usr/lib64/python2.7/copy_reg.py >> import copy_reg # precompiled from /usr/lib64/python2.7/copy_reg.pyc >> # /usr/lib64/python2.7/traceback.pyc matches >> /usr/lib64/python2.7/traceback.py >> import traceback # precompiled from /usr/lib64/python2.7/traceback.pyc >> # /usr/lib64/python2.7/sysconfig.pyc matches >> /usr/lib64/python2.7/sysconfig.py >> import sysconfig # precompiled from /usr/lib64/python2.7/sysconfig.pyc >> # /usr/lib64/python2.7/re.pyc matches /usr/lib64/python2.7/re.py >> import re # precompiled from /usr/lib64/python2.7/re.pyc >> # /usr/lib64/python2.7/sre_compile.pyc matches >> /usr/lib64/python2.7/sre_compile.py >> import sre_compile # precompiled from >> /usr/lib64/python2.7/sre_compile.pyc >> import _sre # builtin >> # /usr/lib64/python2.7/sre_parse.pyc matches >> /usr/lib64/python2.7/sre_parse.py >> import sre_parse # precompiled from /usr/lib64/python2.7/sre_parse.pyc >> # /usr/lib64/python2.7/sre_constants.pyc matches >> /usr/lib64/python2.7/sre_constants.py >> import sre_constants # precompiled from >> /usr/lib64/python2.7/sre_constants.pyc >> dlopen("/usr/lib64/python2.7/lib-dynload/_localemodule.so", 2); >> import _locale # dynamically loaded from >> /usr/lib64/python2.7/lib-dynload/_localemodule.so >> # /usr/lib64/python2.7/_sysconfigdata.pyc matches >> /usr/lib64/python2.7/_sysconfigdata.py >> import _sysconfigdata # precompiled from >> /usr/lib64/python2.7/_sysconfigdata.pyc >> import encodings # directory /usr/lib64/python2.7/encodings >> # /usr/lib64/python2.7/encodings/__init__.pyc matches >> /usr/lib64/python2.7/encodings/__init__.py >> import encodings # precompiled from >> /usr/lib64/python2.7/encodings/__init__.pyc >> # /usr/lib64/python2.7/codecs.pyc matches /usr/lib64/python2.7/codecs.py >> import codecs # precompiled from /usr/lib64/python2.7/codecs.pyc >> import _codecs # builtin >> # /usr/lib64/python2.7/encodings/aliases.pyc matches >> /usr/lib64/python2.7/encodings/aliases.py 
>> import encodings.aliases # precompiled from >> /usr/lib64/python2.7/encodings/aliases.pyc >> # /usr/lib64/python2.7/encodings/utf_8.pyc matches >> /usr/lib64/python2.7/encodings/utf_8.py >> import encodings.utf_8 # precompiled from >> /usr/lib64/python2.7/encodings/utf_8.pyc >> Python 2.7.10 (default, Jul 5 2015, 14:15:43) >> [GCC 5.1.1 20150618 (Red Hat 5.1.1-4)] on linux2 >> Type "help", "copyright", "credits" or "license" for more information. >> python: can't open file 'ipa-server-install': [Errno 2] No such file >> or directory > So it says it couldn't find file ipa-server-install -- are you sure you > launched it with the right path? It is in /usr/sbin/ipa-server-install. I did not provide the absolute path when I launched the command; `which ipa-server-install` shows /usr/sbin/ipa-server-install -- Oleg Fayans Quality Engineer FreeIPA team RedHat. From ldoudova at redhat.com Thu Jul 30 12:43:31 2015 From: ldoudova at redhat.com (Lenka Doudova) Date: Thu, 30 Jul 2015 14:43:31 +0200 Subject: [Freeipa-devel] [patch 0007] tests: Allow Tracker.dn be an instance of Fuzzy In-Reply-To: <55B608CC.6030602@redhat.com> References: <55B608CC.6030602@redhat.com> Message-ID: <55BA1BF3.80107@redhat.com> ACK, just configure your email client not to prepend '>' to the patch. Lenka On 27.7.2015 at 12:32, Milan Kubík wrote: > Hi, > > the patch changes the check on the Tracker.dn setter, allowing use of > an instance of ipatests.util.Fuzzy to ease writing Trackers for plugins > like CA ACL, which use ipaUniqueID as their primary key. > > Thanks, > Milan > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From ofayans at redhat.com Thu Jul 30 13:00:03 2015 
From: ofayans at redhat.com (Oleg Fayans) Date: Thu, 30 Jul 2015 15:00:03 +0200 Subject: [Freeipa-devel] ipa-server-install completely broken in upstream In-Reply-To: <55BA1615.6040505@redhat.com> References: <55BA1615.6040505@redhat.com> Message-ID: <55BA1FD3.4070406@redhat.com> Somehow the problem disappeared after a VM restart. I don't know what it was. On 07/30/2015 02:18 PM, Oleg Fayans wrote: > Hi all, > > Any attempts to install ipa server from today's upstream code result > in ipa-server-install silently exiting without doing anything. Here is > how it looks: > > root at f22master:/home/ofayans]$ rpm -q freeipa-server > freeipa-server-4.2.90.201507300929GIT4e18a62-0.fc22.x86_64 > root at f22master:/home/ofayans]$ ipa-server-install > root at f22master:/home/ofayans]$ > > Any ideas how this happened? > -- Oleg Fayans Quality Engineer FreeIPA team RedHat. From msimacek at redhat.com Thu Jul 30 13:06:46 2015 
From: msimacek at redhat.com (Michael Šimáček) Date: Thu, 30 Jul 2015 15:06:46 +0200 Subject: [Freeipa-devel] [PATCH 0002] Port from python-krbV to python-gssapi In-Reply-To: <55B8A362.1090705@redhat.com> References: <55B88A4A.9070601@redhat.com> <55B8A362.1090705@redhat.com> Message-ID: <55BA2166.2050602@redhat.com> On 2015-07-29 11:56, Christian Heimes wrote: > On 2015-07-29 10:09, Michael Šimáček wrote: >> GSSAPI doesn't provide any method (that I'm aware of) to get the default >> ccache name. In most cases this is not needed as we can simply not pass >> any name and it will use the default. The ldap plugin had to be adjusted >> for this - the connect method now takes a new use_gssapi argument, which >> can turn on gssapi support without the need to supply an explicit ccache >> name. The only place where the ccache name is really needed is the test >> server, where I use the system klist command to obtain it. > > You can use ctypes or cffi for the task, too. It's much faster and more > convenient. Here is a quick example of how to use ctypes for the function > calls. kdcproxy uses similar code to parse /etc/krb5.conf. > >>>> import ctypes >>>> LIBKRB5 = ctypes.CDLL('libkrb5.so.3') >>>> ctx = ctypes.c_void_p() >>>> ccache = ctypes.c_void_p() >>>> LIBKRB5.krb5_init_context(ctypes.byref(ctx)) > 0 >>>> LIBKRB5.krb5_cc_default(ctx, ctypes.byref(ccache)) > 0 >>>> LIBKRB5.krb5_cc_get_type.restype = ctypes.c_char_p >>>> LIBKRB5.krb5_cc_get_name.restype = ctypes.c_char_p >>>> LIBKRB5.krb5_cc_get_type(ctx, ccache) > 'KEYRING' >>>> LIBKRB5.krb5_cc_get_name(ctx, ccache) > 'persistent:1000:1000' >>>> LIBKRB5.krb5_cc_close(ctx, ccache) >>>> LIBKRB5.krb5_free_context(ctx) > > If you like the approach I can write a safer implementation with > proper error checking. > I didn't use ctypes, because it was advised against on this list: https://www.redhat.com/archives/freeipa-devel/2012-February/msg00268.html For the tests it's probably fine, but so is using klist. 
It would actually help a lot with getting the default realm name, but I'm afraid that the second point about problems with ctypes and SELinux in httpd still holds. Michael From cheimes at redhat.com Thu Jul 30 13:11:07 2015 
From: cheimes at redhat.com (Christian Heimes) Date: Thu, 30 Jul 2015 15:11:07 +0200 Subject: [Freeipa-devel] CLI parameter: TextFile, BinaryFile and mutually exclusive group In-Reply-To: <55BA1A8C.5030607@redhat.com> References: <55BA136F.9070909@redhat.com> <55BA1A8C.5030607@redhat.com> Message-ID: <55BA226B.2090508@redhat.com> On 2015-07-30 14:37, Jan Cholasta wrote: > Hi, > > On 30.7.2015 at 14:07, Christian Heimes wrote: >> Hello, >> >> While I was working on the ticket >> https://fedorahosted.org/freeipa/ticket/5155, I noticed a couple of >> additional places that may raise an IOError. Instead of a File() >> parameter, the vault plugin uses a Str() parameter in combination with >> open() to read files. >> >> For passwords I can mostly replace the Str() parameter with File(). >> There is only one minor issue. The File() class has no encoding flag. >> ipalib.cli.cli.load_files() uses the encoding of sys.stdin to >> determine the encoding. In some cases the encoding of sys.stdin can be >> ASCII. For that reason I'd like to add an encoding parameter to File(). >> >> For public and private key files I can't use File(). File() is a subclass >> of Str(), which requires unicode text. The vault code treats public and >> private key data as bytes. I assume it wants to support DER encoded key >> data, too. I'd like to introduce a new BinaryFile() parameter, which >> subclasses Bytes(). It might make sense to alias File as TextFile and >> deprecate the File name. >> >> Finally the vault plugin has several mutually exclusive parameters, e.g. >> password and password-file. The plugin has seven distinct checks for >> mutual exclusion. IMHO this should be better handled by the parameter >> parsing code. 
Python's argparse module has a similar feature: >> https://docs.python.org/2/library/argparse.html#mutual-exclusion >> >> I like to handle the case with a mutually_exclusive flag such as: >> >> Str( >> 'password?', >> cli_name='password', >> doc=_('Vault password'), >> mutually_exclusive='password', >> ), >> File( >> 'password_file?', >> cli_name='password_file', >> doc=_('File containing the vault password'), >> mutually_exclusive='password', >> ), >> >> If more than one parameter with the same mutually_exclusive group name >> is given, then a MutuallyExclusiveError is raised. > > NACK, instead of having duplicate definitions for a single logical > parameter and dealing with their inherent mutual exclusiveness on the > framework level, this should be handled exclusively by the CLI by > generating multiple command line options for different dispositions of > the logical parameter. If anything, File should be completely removed, > not further extended, as it is inherently broken and never worked properly. > > I have an almost working patch which implements this, but I don't think > it's 4.2.1 material, so I would suggest doing a simple fix for #5155 for > now. I wasn't aware that you have a mostly working patch. In that case I'll come up with a simple fix. I can take care of a redesign when your patch has landed in the future. Thanks for the feedback! Christian -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 455 bytes Desc: OpenPGP digital signature URL: From mbasti at redhat.com Thu Jul 30 13:14:09 2015 
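The alternative Jan describes above, one logical parameter that the CLI layer expands into several command-line dispositions, as an added example for this thread. This is a hypothetical mini-framework written for illustration, not ipalib code: the Param, VaultAdd, build_parser and run_cli names are assumptions, as is the "__file" suffix used to mark the file disposition. The command declares a single 'password' parameter; only build_parser turns it into --password and --password-file, argparse enforces that at most one is given, and run_cli collapses them back to one value before the command runs. The file disposition carries its own encoding instead of inheriting sys.stdin's, and a bytes parameter such as a DER key only gets the file form.

```python
"""One logical parameter, several command-line dispositions (example only)."""
import argparse
import os
import tempfile


class Param(object):
    """A logical parameter (hypothetical stand-in for ipalib.Str/Bytes)."""

    def __init__(self, name, doc, binary=False, encoding="utf-8"):
        self.name = name
        self.doc = doc
        self.binary = binary      # bytes (e.g. DER keys) rather than text
        self.encoding = encoding  # declared per parameter, never sys.stdin's

    def read_file(self, path):
        """The 'file' disposition: text is decoded with the declared
        encoding and stripped of the trailing newline editors add;
        binary data is returned untouched."""
        with open(path, "rb") as f:
            data = f.read()
        if self.binary:
            return data
        return data.decode(self.encoding).rstrip("\r\n")


class VaultAdd(object):
    """A command; execute() only ever sees the logical parameters."""
    name = "vault-add"
    params = (
        Param("password", "Vault password"),
        Param("public_key", "Vault public key", binary=True),
    )

    def execute(self, **kw):
        return kw


def build_parser(command):
    """Expand each logical parameter into one mutually exclusive group:
    --<name> for text parameters, plus --<name>-file for both kinds."""
    parser = argparse.ArgumentParser(prog=command.name)
    for p in command.params:
        flag = "--" + p.name.replace("_", "-")
        group = parser.add_mutually_exclusive_group()
        if not p.binary:   # raw bytes do not belong on a command line
            group.add_argument(flag, dest=p.name, help=p.doc)
        group.add_argument(flag + "-file", dest=p.name + "__file", metavar="FILE",
                           help="File containing the %s" % p.doc.lower())
    return parser


def run_cli(command, argv):
    """Parse argv, resolve each parameter's dispositions to a single value,
    and call the command. argparse exits with status 2 (SystemExit) when
    both --x and --x-file are given, so the plugin needs no such check."""
    ns = vars(build_parser(command).parse_args(argv))
    kw = {}
    for p in command.params:
        path = ns.get(p.name + "__file")
        value = p.read_file(path) if path is not None else ns.get(p.name)
        if value is not None:
            kw[p.name] = value
    return command.execute(**kw)


def usage_error(command, argv):
    """True when argparse rejects argv (demonstrates the exclusion)."""
    try:
        run_cli(command, argv)
    except SystemExit:
        return True
    return False


def write_temp(data):
    """Write bytes to a temporary file and return its path (test helper)."""
    fd, path = tempfile.mkstemp()
    os.write(fd, data)
    os.close(fd)
    return path


if __name__ == "__main__":
    print(run_cli(VaultAdd(), ["--password", "s3cret"]))
```

Because the exclusion lives in the parser, adding a third disposition (say, reading the value from an environment variable) touches build_parser and run_cli only; the seven per-plugin checks the original message counts would not need to exist.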
From: mbasti at redhat.com (Martin Basti) Date: Thu, 30 Jul 2015 15:14:09 +0200 Subject: [Freeipa-devel] [PATCH 0291, 0292] Limit max age of replication changelog In-Reply-To: <55AFB0CE.3020508@redhat.com> References: <55AD0976.4070402@redhat.com> <55AD129D.8020608@redhat.com> <55AD1857.8090209@redhat.com> <55AD26EB.5030303@redhat.com> <55AD2A09.9070101@redhat.com> <55AFB0CE.3020508@redhat.com> Message-ID: <55BA2321.4070201@redhat.com> On 22/07/15 17:03, Martin Basti wrote: > On 20/07/15 19:04, Mark Reynolds wrote: >> >> >> On 07/20/2015 12:50 PM, Martin Basti wrote: >>> On 20/07/15 17:48, Petr Vobornik wrote: >>>> On 07/20/2015 05:24 PM, Rob Crittenden wrote: >>>>> Martin Basti wrote: >>>>>> https://fedorahosted.org/freeipa/ticket/5086 >>>>>> >>>>>> Patch attached. >>>>> >>>>> Is this going to be a shock on upgrades for people who until now >>>>> may be >>>>> relying on the fact that there is no limit? >>>> >>>> Not making any point, but have to note: Ludwig raised a question on >>>> the users list but there was no feedback from users. >>>> >>>> https://www.redhat.com/archives/freeipa-users/2015-July/msg00022.html >>>> >>>>> >>>>> Should there be a way for an admin to manage this, via the config >>>>> module >>>>> perhaps? >>>>> >>>>> IMHO this is a significant change and red flags need to be raised so >>>>> users are aware of it. >>>>> >>>>> rob >>>>> >>>> >>>> >>> >>> IIUC there is a purge delay of 7 days, so if changelog max age is 7 or >>> more days, it will not break replication. >>> The issue is if somebody uses the changelog for a different purpose, right? >> Well the replication changelog can not be used for anything else but >> the multimaster replication plugin. If a customer increased the >> replication purge delay you could potentially run into issues, but >> again this only comes into play when a replica is down for a very >> long time. 
I'm not sure if IPA even provides the option to adjust >> the replication purge delay, but that doesn't mean a customer can not >> adjust these settings on their own. >> >> Mark >> > > I'm attaching a new patch that modifies the behavior of the 'addifnew' keyword > in update files. > addifnew will not create a new entry if it doesn't exist. > This is required for patch 292 to work properly. > > Rob, are you okay with these patches? As Mark wrote, the changelog is used > only for replication plugins, so it should not cause any issues for users. > > Martin^2 > > > These patches are ready to be reviewed. I'm just not sure if it would be better to have the replication changelog max age at 8 days, just to be sure. Should I explicitly set the purge delay to 7 days, or are we fine with 7 days as the default? -- Martin Basti -------------- next part -------------- An HTML attachment was scrubbed... URL: From redhatrises at gmail.com Thu Jul 30 13:15:25 2015 
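The invariant this thread keeps coming back to (the changelog max age must not be shorter than the replica purge delay, or a replica that was down longer than the max age can no longer catch up) is easy to check mechanically. The following is an added example for this thread, not FreeIPA or 389-ds code. It assumes the 389-ds attribute names and syntax as I know them: nsslapd-changelogmaxage under cn=changelog5,cn=config takes an integer with an s/m/h/d/w unit and treats 0 as "no maximum age", and nsds5ReplicaPurgeDelay on the replica entry is plain seconds with a default of 604800 (7 days); verify both against your directory server version before relying on the check.

```python
"""Check that a replication changelog max age cannot outrun the replica
purge delay (added example, not 389-ds or FreeIPA code)."""
import re

# Assumed 389-ds duration units for nsslapd-changelogmaxage.
_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 7 * 86400}
_DURATION = re.compile(r"^\s*(\d+)\s*([smhdw]?)\s*$", re.I)

# Assumed 389-ds default for nsds5ReplicaPurgeDelay: 7 days, in seconds.
DEFAULT_PURGE_DELAY = 7 * 86400


def parse_changelog_age(value):
    """Turn an nsslapd-changelogmaxage value ('7d', '604800', '2w') into
    seconds. Returns None for 0, which is assumed to mean 'no maximum age'.
    Accepts bytes, since that is what an LDAP search hands back."""
    if isinstance(value, bytes):
        value = value.decode("ascii")
    m = _DURATION.match(str(value))
    if not m:
        raise ValueError("bad changelog max age: %r" % (value,))
    number, unit = int(m.group(1)), (m.group(2) or "s").lower()
    if number == 0:
        return None
    return number * _UNIT_SECONDS[unit]


def changelog_trims_too_early(maxage, purge_delay=DEFAULT_PURGE_DELAY):
    """True when the changelog may drop entries a lagging replica still
    needs: max age (seconds) strictly shorter than the purge delay.
    An unlimited max age can never trim too early."""
    age_seconds = parse_changelog_age(maxage)
    if age_seconds is None:
        return False
    return age_seconds < int(purge_delay)


def check_replica_settings(changelog_entry, replica_entry):
    """Evaluate the changelog and replica entries, given as attribute
    dicts the way an LDAP search would return them, and list findings.
    Missing attributes fall back to the assumed 389-ds defaults."""
    maxage = changelog_entry.get("nsslapd-changelogmaxage", "0")
    purge = int(replica_entry.get("nsds5ReplicaPurgeDelay", DEFAULT_PURGE_DELAY))
    findings = []
    if changelog_trims_too_early(maxage, purge):
        findings.append(
            "nsslapd-changelogmaxage %s is shorter than nsds5ReplicaPurgeDelay %ds; "
            "a replica offline longer than the max age cannot catch up"
            % (maxage, purge))
    return findings


if __name__ == "__main__":
    # Constructed sample entries: the 7d/7d pairing discussed in the thread
    # passes, a customer-raised purge delay with an unchanged max age fails.
    print(check_replica_settings({"nsslapd-changelogmaxage": "7d"},
                                 {"nsds5ReplicaPurgeDelay": "604800"}))
    print(check_replica_settings({"nsslapd-changelogmaxage": "7d"},
                                 {"nsds5ReplicaPurgeDelay": "1209600"}))
```

Run against the live entries (one search for cn=changelog5,cn=config, one for the replica entry under cn=mapping tree,cn=config), this is the upgrade-time warning Rob asks for: it fires exactly in the case Mark describes, a customer who raised the purge delay on their own.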
From: redhatrises at gmail.com (Gabe Alford) Date: Thu, 30 Jul 2015 07:15:25 -0600 Subject: [Freeipa-devel] [PATH 0053] Inconsistency between ipasearchrecordslimit and --sizelimit In-Reply-To: <55B9D327.7070806@redhat.com> References: <55B9D0FE.2090705@redhat.com> <55B9D327.7070806@redhat.com> Message-ID: On Thu, Jul 30, 2015 at 1:32 AM, Jan Cholasta wrote: > On 30.7.2015 at 09:23, Jan Cholasta wrote: > >> Hi, >> >> On 29.7.2015 at 17:23, Gabe Alford wrote: >> >>> Hello, >>> >>> Fix for https://fedorahosted.org/freeipa/ticket/4023 >>> >> >> Actually, 0 means unlimited for size limit, see >> < >> http://www.python-ldap.org/doc/html/ldap.html#ldap.LDAPObject.search_ext_s >> >. >> > > After reading the ticket I think this should be fixed the other way > around: make 0 mean unlimited for both time and size limit and fix the > config plugin and LDAPClient to respect that. > > Thanks for the review. Updated patch attached. > -- > Jan Cholasta > -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rga-0052-2-Standardize-minvalue-for-ipasearchrecordlimit-and-ip.patch Type: text/x-patch Size: 11116 bytes Desc: not available URL: From cheimes at redhat.com Thu Jul 30 13:21:18 2015 
From: cheimes at redhat.com (Christian Heimes) Date: Thu, 30 Jul 2015 15:21:18 +0200 Subject: [Freeipa-devel] [PATCH 0002] Port from python-krbV to python-gssapi In-Reply-To: <55BA2166.2050602@redhat.com> References: <55B88A4A.9070601@redhat.com> <55B8A362.1090705@redhat.com> <55BA2166.2050602@redhat.com> Message-ID: <55BA24CE.30409@redhat.com> On 2015-07-30 15:06, Michael Šimáček wrote: > I didn't use ctypes, because it was advised against on this list: > https://www.redhat.com/archives/freeipa-devel/2012-February/msg00268.html > For the tests it's probably fine, but so is using klist. > It would actually help a lot with getting the default realm name, but > I'm afraid that the second point about problems with ctypes and SELinux > in httpd still holds. Thanks for the pointer to Alexander's posting. I wasn't aware of any issues with ctypes and SELinux. I usually prefer Cython, C or cffi over ctypes myself. For simple tasks ctypes works well enough, though. python-kdcproxy uses ctypes bindings for libkrb5 to parse /etc/krb5.conf. It runs in mod_wsgi, too. I haven't seen or heard about issues with SELinux. Maybe the bug has been resolved? I'll keep an eye open. Christian -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 455 bytes Desc: OpenPGP digital signature URL: From msimacek at redhat.com Thu Jul 30 13:33:20 2015 
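The two ways of finding the default ccache name that this thread weighs, the ctypes sketch against libkrb5 and parsing klist output, as one added example. This is illustration code written for the thread, not FreeIPA, python-kdcproxy or python-gssapi code. default_ccache_name() is the ctypes sketch with the return-code checking and clean-up the sketch skipped; the libkrb5 entry points it declares (krb5_init_context, krb5_cc_default, krb5_cc_get_type, krb5_cc_get_name, krb5_get_error_message, krb5_free_error_message, krb5_cc_close, krb5_free_context) are MIT krb5's public API, and 'libkrb5.so.3' is assumed as the fallback library name when the lookup fails. parse_klist_output() is the klist-parsing route, written to search line by line so a warning printed before the cache line, or Heimdal's "Credentials cache:" label, does not break it. The sample klist output at the bottom is constructed.

```python
"""Find the default Kerberos credentials cache name (added example)."""
import ctypes
import ctypes.util
import re


class Krb5Error(Exception):
    """A libkrb5 call returned a non-zero krb5_error_code."""


def _load_libkrb5():
    """Load libkrb5 and declare prototypes; return None if it is absent."""
    name = ctypes.util.find_library("krb5") or "libkrb5.so.3"  # assumed fallback
    try:
        lib = ctypes.CDLL(name)
    except OSError:
        return None
    void_p, err_t = ctypes.c_void_p, ctypes.c_int32   # krb5_context, krb5_error_code
    lib.krb5_init_context.argtypes = [ctypes.POINTER(void_p)]
    lib.krb5_init_context.restype = err_t
    lib.krb5_cc_default.argtypes = [void_p, ctypes.POINTER(void_p)]
    lib.krb5_cc_default.restype = err_t
    for fn in (lib.krb5_cc_get_type, lib.krb5_cc_get_name):
        fn.argtypes = [void_p, void_p]
        fn.restype = ctypes.c_char_p      # const char* owned by the ccache
    lib.krb5_cc_close.argtypes = [void_p, void_p]
    lib.krb5_cc_close.restype = err_t
    # Keep the raw pointer: the message must go back to
    # krb5_free_error_message, which c_char_p's auto-conversion would lose.
    lib.krb5_get_error_message.argtypes = [void_p, err_t]
    lib.krb5_get_error_message.restype = void_p
    lib.krb5_free_error_message.argtypes = [void_p, void_p]
    lib.krb5_free_error_message.restype = None
    lib.krb5_free_context.argtypes = [void_p]
    lib.krb5_free_context.restype = None
    return lib


def _check(lib, ctx, code, call):
    """Raise Krb5Error carrying libkrb5's own message if code is non-zero."""
    if code == 0:
        return
    msg = "unknown error"
    if ctx is not None and ctx.value:
        ptr = lib.krb5_get_error_message(ctx, code)
        if ptr:
            try:
                msg = ctypes.string_at(ptr).decode("utf-8", "replace")
            finally:
                lib.krb5_free_error_message(ctx, ptr)
    raise Krb5Error("%s: %s (code %d)" % (call, msg, code))


def default_ccache_name():
    """Return the default ccache as 'TYPE:residual', e.g.
    'KEYRING:persistent:1000:1000', or None when libkrb5 cannot be loaded
    so the caller can fall back to klist."""
    lib = _load_libkrb5()
    if lib is None:
        return None
    ctx = ctypes.c_void_p()
    _check(lib, None, lib.krb5_init_context(ctypes.byref(ctx)), "krb5_init_context")
    try:
        cache = ctypes.c_void_p()
        _check(lib, ctx, lib.krb5_cc_default(ctx, ctypes.byref(cache)), "krb5_cc_default")
        try:
            cc_type = lib.krb5_cc_get_type(ctx, cache)
            cc_name = lib.krb5_cc_get_name(ctx, cache)
        finally:
            lib.krb5_cc_close(ctx, cache)
    finally:
        lib.krb5_free_context(ctx)
    return "%s:%s" % (cc_type.decode("utf-8"), cc_name.decode("utf-8"))


# MIT klist labels the cache "Ticket cache:", Heimdal "Credentials cache:".
_CACHE_LINE = re.compile(r"^\s*(?:Ticket|Credentials) cache:\s*(\S+)\s*$", re.M)
_PRINC_LINE = re.compile(r"^\s*(?:Default principal|Principal):\s*(\S+)\s*$", re.M)


def parse_klist_output(text):
    """Return (ccache_name, principal_or_None) from klist's stdout.
    Searches line by line rather than anchoring on the first character,
    and raises ValueError when there is no cache line at all (klist
    printed only an error because no cache exists)."""
    m = _CACHE_LINE.search(text)
    if not m:
        raise ValueError("no credentials cache in klist output")
    p = _PRINC_LINE.search(text)
    return m.group(1), (p.group(1) if p else None)


# Constructed sample output in MIT klist's layout, used by the test below.
SAMPLE_KLIST = (
    "Ticket cache: KEYRING:persistent:1000:1000\n"
    "Default principal: admin@EXAMPLE.TEST\n"
    "\n"
    "Valid starting       Expires              Service principal\n"
    "07/30/2015 14:00:00  07/31/2015 14:00:00  krbtgt/EXAMPLE.TEST@EXAMPLE.TEST\n"
)
```

Whichever route is used, the name comes back as the full "TYPE:residual" form that KRB5CCNAME accepts, so a KEYRING: or DIR: cache is handled the same as a FILE: one; the ctypes route additionally reports libkrb5's own message (for example a missing or unreadable krb5.conf) instead of a bare return code.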
From: msimacek at redhat.com (Michael Šimáček) Date: Thu, 30 Jul 2015 15:33:20 +0200 Subject: [Freeipa-devel] [PATCH 0002] Port from python-krbV to python-gssapi In-Reply-To: References: <55B88A4A.9070601@redhat.com> Message-ID: <55BA27A0.3090503@redhat.com> On 2015-07-29 19:20, Robbie Harwood wrote: > Michael Šimáček writes: > >> GSSAPI doesn't provide any method (that I'm aware of) to get the default >> ccache name. In most cases this is not needed as we can simply not >> pass any name and it will use the default. The ldap plugin had to be >> adjusted for this - the connect method now takes a new use_gssapi >> argument, which can turn on gssapi support without the need to supply >> an explicit ccache name. The only place where the ccache name is really >> needed is the test server, where I use the system klist command to obtain >> it. > > This is sub-optimal, but not a huge deal if it's only in the test > suite. > >> It's also not possible to directly get the default realm name; what I do >> is import a nonexistent name, canonicalize it and extract the >> realm from it. Which should work but is ugly. It would be better if we >> could modify the places that use it to not need it at all, but it's >> mostly used in ldap code and I don't understand that part of FreeIPA. >> An alternative would be parsing /etc/krb.conf. > > Please try not to do this. DEFINITELY do not parse krb.conf. > Unfortunately, I do not know enough about the LDAP code to know why this > is needed or to suggest an alternate solution. > >> Sorry for the long patch, but I'm afraid it cannot be reasonably split. > > This is indeed really long and difficult to work through. I have > probably missed some things; apologies if they come through in a later > round. 
> >> +try: >> + cred = kinit_keytab(principal, keytab_name, ccache_name) >> + # would raise exception if expired >> + cred.lifetime >> +except gssapi.exceptions.ExpiredCredentialsError: >> + # delete stale ccache and try again >> + os.unlink(ccache_name) >> + cred = kinit_keytab(principal, keytab_name, ccache_name) > > See next comment. > >> - # The keytab may have stale key material (from older trust-add run) >> - if not os.path.isfile(oneway_ccache_name): >> - oneway_ccache = kinit_keytab(oneway_principal, oneway_keytab_name, oneway_ccache_name) >> -except krbV.Krb5Error as e: >> + try: >> + # The keytab may have stale key material (from older trust-add run) >> + cred = kinit_keytab(oneway_principal, oneway_keytab_name, oneway_ccache_name) >> + # would raise exception if expired >> + cred.lifetime >> + except gssapi.exceptions.ExpiredCredentialsError: >> + cred = kinit_keytab(oneway_principal, oneway_keytab_name, oneway_ccache_name) >> +except gssapi.exceptions.GSSError: >> # If there was failure on using keytab, assume it is stale and retrieve again >> retrieve_keytab(api, ccache_name, oneway_keytab_name, oneway_principal) > > In general, it's bad practice to catch *all* possible GSS errors unless > you intend to display their status and/or abort/raise. If there's a > specific state you want to cope with here, catch the exception related > to it, not all of them. Up above is a place where I think this is done > right. I haven't found any specific exception for keytab problems, what should I catch? But there's a different error, there should be one more attempt to get the credentials there. I'll fix it in the next revision of the patch. 
> >> - ctx = krbV.default_context() >> - ccache = ctx.default_ccache() >> - principal = ccache.principal() >> - except krbV.Krb5Error, e: >> + principal = krb_utils.get_principal() >> + except errors.CCacheError: >> sys.exit("Must have Kerberos credentials to setup AD trusts on server") > > Based on how GSSAPI error messages are being packed into CCache errors > (the name of which is itself unfortunate...), it would be nice to give > some hint of the problem here if it were GSSAPI; otherwise, to my eye, > it looks like the GSSAPI status is being dropped. Will do (or just not rewrapping might actually be better) > >> +def get_credentials(name=None, ccache_name=None): >> ''' >> - Kerberos stores a TGT (Ticket Granting Ticket) and the service >> - tickets bound to it in a ccache (credentials cache). ccaches are >> - bound to a Kerberos user principal. This class opens a Kerberos >> - ccache and allows one to manipulate it. Most useful is the >> - extraction of ticket entries (cred's) in the ccache and the >> - ability to examine their attributes. >> + Obtains GSSAPI credentials with given principal name from ccache. When no >> + principal name specified, it retrieves the default one for given >> + credentials cache. >> + >> + :parameters: >> + name >> + gssapi.Name object specifying principal or None for the default >> + ccache_name >> + string specifying Kerberos credentials cache name or None for the >> + default >> + :returns: >> + gssapi.Credentials object >> + '''' >> + store = None >> + if ccache_name: >> + store = {'ccache': ccache_name} >> + try: >> + return gssapi.Credentials(usage='initiate', name=name, store=store) >> + except gssapi.exceptions.GSSError as e: >> + if e.min_code == KRB5_FCC_NOFILE: >> + raise ValueError('"%s", ccache="%s"' % (e.message, ccache_name)) >> + raise errors.CCacheError() > > This is another case where it stands out that the specific error from > GSSAPI should probably be checked. 
I will try to get rid of the rewrapping entirely, the wrapper doesn't add any value. > >> + # FIXME this is a temporary workaround. We should find some nicer solution >> + name = gssapi.Name('notempty', gssapi.NameType.user) >> + can_name = unicode(name.canonicalize(gssapi.MechType.kerberos)) >> + return can_name.partition('@')[2] or None > > As mentioned in my email to you, I do not think we can guarantee that > the realm will actually be present after the '@' in all cases, so > hopefully everything copes with a None here. But if it copes with a > None, why have this code? krbV's get_default_realm can also return None under some circumstances, but I doubt the code using it actually copes with it. It would be ideal to get rid of the need to know the default realm from kerberos. I will ask in a new thread, so someone who understands the ldap part can comment on it. Or maybe ctypes would be the way to go as suggested in other part of this thread. > >> +# Ugly hack for test purposes only. GSSAPI has no way to get default ccache >> +# name, but we don't need it outside test server >> +def get_default_ccache_name(): >> + try: >> + out = check_output(['klist']) >> + except CalledProcessError: >> + raise RuntimeError("Default ccache not found. Did you kinit?") >> + match = re.match(r'^Ticket cache:\s*(\S+)', out) >> + if not match: >> + raise RuntimeError("Cannot obtain ccache name") >> + return match.group(1) >> >> >> class KRBCheater(object): >> def __init__(self, app): >> self.app = app >> self.url = app.url >> - self.ccname = api.Backend.krb.default_ccname() >> + self.ccname = get_default_ccache_name() >> def __call__(self, environ, start_response): >> environ['KRB5CCNAME'] = self.ccname > > If all you're doing is using this to set $KRB5CCNAME (as __call__ > suggests), that variable when unset is the default value and the > song-and-dance to get the default ccache name isn't necessary. > In production, the variable is always set by mod_auth_gssapi. 
So in tests I try to mimic production environment. But I think you're
right, the code could be adjusted to cope without it.

Thank you for your feedback, I'll post a next revision of the patch after
we clarify how to proceed with the default realm.

-- 
Michael Simacek
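Two helpers that show what the default-realm and default-ccache hunks discussed above have to cope with, written as an added example rather than code from the patch. They assume the standard krb5 unparse syntax for principal strings (components separated by `/`, the realm after the first unescaped `@`, backslash escaping the next character) and a `Ticket cache:` line in `klist` output; `KLIST_SAMPLE` is constructed, not captured from a real host.

```python
"""Helpers mirroring the krb_utils changes under review.

Added example, not code from the FreeIPA patch. Assumptions: principal
strings use the krb5 unparse syntax (components separated by '/', realm
after the first unescaped '@', '\\' escapes the next character) and
klist prints a 'Ticket cache:' line.
"""
import re


def split_principal(name):
    """Return (components, realm) for an unparsed principal string.

    realm is None when the string has no unescaped '@', which is the case
    the review above says every caller has to handle.
    """
    components, current, realm = [], [], None
    i, n = 0, len(name)
    while i < n:
        ch = name[i]
        if ch == '\\' and i + 1 < n:
            # Escaped character: taken literally, never as a separator.
            (current if realm is None else realm).append(name[i + 1])
            i += 2
            continue
        if realm is not None:
            realm.append(ch)
        elif ch == '/':
            components.append(''.join(current))
            current = []
        elif ch == '@':
            components.append(''.join(current))
            current = []
            realm = []          # everything from here on is the realm
        else:
            current.append(ch)
        i += 1
    if realm is None:
        components.append(''.join(current))
        return components, None
    return components, ''.join(realm)


def naive_realm(name):
    """The patch's approach: whatever follows the first '@', or None."""
    return name.partition('@')[2] or None


# Constructed klist output for the example; not captured from a real system.
KLIST_SAMPLE = (
    b"Ticket cache: KEYRING:persistent:1000:1000\n"
    b"Default principal: admin@EXAMPLE.TEST\n"
    b"\n"
    b"Valid starting       Expires              Service principal\n"
    b"07/30/2015 10:00:00  07/31/2015 10:00:00  krbtgt/EXAMPLE.TEST@EXAMPLE.TEST\n"
)


def default_ccache_name(environ, run_klist):
    """Name of the default credentials cache.

    $KRB5CCNAME is honoured first, as libkrb5 itself does, so the klist
    fallback only runs when the variable is unset. run_klist returns
    klist's stdout as bytes, which keeps the function testable offline.
    """
    name = environ.get('KRB5CCNAME')
    if name:
        return name
    out = run_klist()
    if isinstance(out, bytes):      # check_output() returns bytes on Python 3
        out = out.decode('utf-8', 'replace')
    match = re.search(r'^Ticket cache:\s*(\S+)', out, re.MULTILINE)
    if not match:
        raise RuntimeError("Cannot obtain ccache name from klist output")
    return match.group(1)
```

`naive_realm("user\\@corp@EXAMPLE.TEST")` returns `corp@EXAMPLE.TEST`, while `split_principal` returns `EXAMPLE.TEST`; for a name with no `@` both report `None`, so the caller still has to decide what a missing realm means.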
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Thu, 30 Jul 2015 15:43:33 +0200
Subject: [Freeipa-devel] [PATCH 0291, 0292] Limit max age of replication changelog
In-Reply-To: <55BA2321.4070201@redhat.com>
References: <55AD0976.4070402@redhat.com> <55AD129D.8020608@redhat.com> <55AD1857.8090209@redhat.com> <55AD26EB.5030303@redhat.com> <55AD2A09.9070101@redhat.com> <55AFB0CE.3020508@redhat.com> <55BA2321.4070201@redhat.com>
Message-ID: <55BA2A05.2050900@redhat.com>

On 07/30/2015 03:14 PM, Martin Basti wrote:
> On 22/07/15 17:03, Martin Basti wrote:
>> On 20/07/15 19:04, Mark Reynolds wrote:
>>>
>>> On 07/20/2015 12:50 PM, Martin Basti wrote:
>>>> On 20/07/15 17:48, Petr Vobornik wrote:
>>>>> On 07/20/2015 05:24 PM, Rob Crittenden wrote:
>>>>>> Martin Basti wrote:
>>>>>>> https://fedorahosted.org/freeipa/ticket/5086
>>>>>>>
>>>>>>> Patch attached.
>>>>>>
>>>>>> Is this going to be a shock on upgrades for people who until now
>>>>>> may be relying on the fact that there is no limit?
>>>>>
>>>>> Not making any point, but have to note: Ludwig raised a question
>>>>> on users list but there was no feedback from users.
>>>>>
>>>>> https://www.redhat.com/archives/freeipa-users/2015-July/msg00022.html
>>>>>
>>>>>> Should there be a way for an admin to manage this, via the config
>>>>>> module perhaps?
>>>>>>
>>>>>> IMHO this is a significant change and red flags need to be raised so
>>>>>> users are aware of it.
>>>>>>
>>>>>> rob
>>>>>
>>>> IIUC there is purge delay 7 days, so if changelog max age is 7 or
>>>> more days, it will not break replication.
>>>> The issue is if somebody uses changelog for different purpose, right?
>>> Well the replication changelog can not be used for anything else but
>>> the multimaster replication plugin. If a customer increased the
>>> replication purge delay you could potentially run into issues, but
>>> again this only comes into play when a replica is down for a very
>>> long time. I'm not sure if IPA even provides the option to adjust
>>> the replication purge delay, but that doesn't mean a customer can
>>> not adjust these settings on their own.
>>>
>>> Mark
>>
>> I'm attaching new patch, that modifies behavior of 'addifnew' keyword
>> in update files.
>> addifnew will no create new entry if doesn't exist.
>> This is required for proper working of patch 292
>>
>> Rob are you okay with these patches, as Mark wrote, changelog is used
>> only for replication plugins, so it should not cause any issues to
>> users.
>>
>> Martin^2
>
> These patches are ready to be reviewed.
> I'm just not sure if would be better to have replication changelog max
> age 8days, just to be sure.
> Should I explicitly set purge delay to 7days, or are we fine with
> 7days as default?
I think 7d is a quite common setting, so it should be ok
> --
> Martin Basti
From: cheimes at redhat.com (Christian Heimes)
Date: Thu, 30 Jul 2015 15:54:46 +0200
Subject: [Freeipa-devel] [PATCH 021] Validate vault's file parameters
Message-ID: <55BA2CA6.1090508@redhat.com>

The patch fixes the issue described in #5155 as well as a couple of more
potential issues. The vault plugin didn't catch IOError on multiple
occasions. A user can pass file names for password, public and private
key files to the vault plugin. The plugin attempts to read from these
files. If any file can't be read, an internal error was raised. The patch
wraps all reads and turns any IOError and UnicodeError into a
ValidationError.

https://fedorahosted.org/freeipa/ticket/5155

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-cheimes-0021-Validate-vault-s-file-parameters.patch
Type: text/x-patch
Size: 4884 bytes
Desc: not available
URL: 
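The wrapping the message describes, as an added example that is not the patch itself: a read helper that maps `IOError` and `UnicodeError` to a named parameter error, exercised on a constructed temporary directory. `ValidationError` here is a stand-in for `ipalib.errors.ValidationError`, assumed to take a parameter name and an error string; the parameter names are illustrative.

```python
"""Validate file-name parameters before reading them.

Added example, not the vault patch. ValidationError stands in for
ipalib.errors.ValidationError (assumed to take name and error); the
files are created with tempfile so the block runs offline.
"""
import os
import tempfile


class ValidationError(Exception):
    """Stand-in for ipalib.errors.ValidationError."""

    def __init__(self, name, error):
        super().__init__("invalid '%s': %s" % (name, error))
        self.name = name
        self.error = error


def read_file_param(name, path, binary=False):
    """Read a user-supplied file.

    Read and decoding failures become ValidationError, so the CLI reports
    which parameter was bad instead of an internal error with a traceback.
    """
    try:
        if binary:
            with open(path, 'rb') as f:
                return f.read()
        with open(path, 'r', encoding='utf-8') as f:
            return f.read()
    except IOError as e:    # OSError alias: missing file, EACCES, EISDIR, ...
        raise ValidationError(name, "cannot read '%s': %s" % (path, e.strerror or e))
    except UnicodeError:
        raise ValidationError(name, "'%s' is not valid UTF-8 text" % path)


def check_param(name, path, binary=False):
    """Return ('ok', data) or ('invalid', message) for one parameter."""
    try:
        return 'ok', read_file_param(name, path, binary)
    except ValidationError as e:
        return 'invalid', str(e)


def demo():
    """Exercise the cases a vault user can produce (constructed files)."""
    with tempfile.TemporaryDirectory() as d:
        pw = os.path.join(d, 'password.txt')
        with open(pw, 'w', encoding='utf-8') as f:
            f.write('correct horse battery staple\n')
        key = os.path.join(d, 'key.der')
        with open(key, 'wb') as f:
            f.write(b'\x30\x82\xff\xfe')    # constructed bytes, not valid UTF-8
        return {
            'password': check_param('password_file', pw),
            'missing': check_param('password_file', os.path.join(d, 'absent.txt')),
            'directory': check_param('public_key_file', d),
            'key_as_text': check_param('private_key_file', key),
            'key_binary': check_param('private_key_file', key, binary=True),
        }
```

Binary key material is read with `binary=True`; reading it as text is the `UnicodeError` case the message mentions, and a directory or missing path is the `IOError` case.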
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 30 Jul 2015 16:09:02 +0200
Subject: [Freeipa-devel] [PATCH 0002] TEST: Stageuser plugin
In-Reply-To: <55B8DED8.90909@redhat.com>
References: <55B64351.5020001@redhat.com> <55B64495.30309@redhat.com> <55B8D4B4.8090303@redhat.com> <55B8D552.8040306@redhat.com> <55B8DED8.90909@redhat.com>
Message-ID: <55BA2FFE.6010400@redhat.com>

On 29/07/15 16:10, Martin Basti wrote:
> On 29/07/15 15:29, Lenka Doudova wrote:
>> Hi,
>>
>> thanks a lot for the comments, will work on it tomorrow.
>>
>> Lenka
>>
>> On 29.7.2015 at 15:27 Martin Basti wrote:
>>> On 27/07/15 16:47, Lenka Doudova wrote:
>>>> Hi,
>>>>
>>>> I'm attaching a patch with automated tests for stageuser plugin
>>>> (https://fedorahosted.org/freeipa/ticket/3813). The user plugin
>>>> test is affected as well (one class was added).
>>>> The tests seem a bit of a mess even to myself, but what with the
>>>> way freeipa behaves I didn't know how else to implement them, but
>>>> I'm eager to learn how to do it in a nicer way, if someone has a
>>>> better idea.
>>>>
>>>> Lenka
>>>>
>>> I just applied patches:
>>>
>>> 1) Please remove whitespace errors
>>> $ git am freeipa-lryznaro-0002-Automated-test-for-stageuser-plugin.patch
>>> Applying: Automated test for stageuser plugin
>>> /home/mbasti/work/freeipa-devel/.git/rebase-apply/patch:110: trailing whitespace.
>>> """ Tracker class for staged user LDAP object
>>> /home/mbasti/work/freeipa-devel/.git/rebase-apply/patch:113: trailing whitespace.
>>> StageUserTracker object stores information about the user.
>>> /home/mbasti/work/freeipa-devel/.git/rebase-apply/patch:121: trailing whitespace.
>>> u'krbprincipalexpiration', u'usercertificate', u'dn', u'has_keytab', u'has_password',
>>> /home/mbasti/work/freeipa-devel/.git/rebase-apply/patch:122: trailing whitespace.
>>> u'street', u'postalcode', u'facsimiletelephonenumber', u'carlicense',
>>> /home/mbasti/work/freeipa-devel/.git/rebase-apply/patch:125: trailing whitespace.
>>> u'cn', u'ipauniqueid', u'objectclass', u'description',
>>> warning: squelched 50 whitespace errors
>>> warning: 55 lines add whitespace errors.
>>>
>>> 2)
>>> Please use new shorter format of license header
>>>
>>> 3) can you fix some of the most serious PEP8 errors
>>> $ git show -U0 | pep8 --diff | wc -l
>>> 198
>>>
>>> 4)
>>> if options != None:
>>>
>>> Please use "options *is not* None"
>>>
>>> 5)
>>> For consistency it should be u'random'
>>> if key == 'random':
>>> self.attrs[u'randompassword'] = fuzzy_string
>>>
>>> Otherwise it looks good
>>> Martin^2
>>> --
>>> Martin Basti
>>
> And also fix this please
>
> ./make-lint
> ************* Module ipatests.test_xmlrpc.test_stageuser_plugin
> ipatests/test_xmlrpc/test_stageuser_plugin.py:337:
> [E0102(function-redefined), user2] function already defined line 44)
>
> --
> Martin Basti
>
Hi, the patch still lists your old name, you should set your redhat email in git

-- 
Martin Basti
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 30 Jul 2015 16:10:25 +0200
Subject: [Freeipa-devel] [PATCH 0002] TEST: Stageuser plugin
In-Reply-To: <55BA2FFE.6010400@redhat.com>
References: <55B64351.5020001@redhat.com> <55B64495.30309@redhat.com> <55B8D4B4.8090303@redhat.com> <55B8D552.8040306@redhat.com> <55B8DED8.90909@redhat.com> <55BA2FFE.6010400@redhat.com>
Message-ID: <55BA3051.2070703@redhat.com>

On 30/07/15 16:09, Martin Basti wrote:
> On 29/07/15 16:10, Martin Basti wrote:
>> On 29/07/15 15:29, Lenka Doudova wrote:
>>> Hi,
>>>
>>> thanks a lot for the comments, will work on it tomorrow.
>>>
>>> Lenka
>>>
>>> On 29.7.2015 at 15:27 Martin Basti wrote:
>>>> On 27/07/15 16:47, Lenka Doudova wrote:
>>>>> Hi,
>>>>>
>>>>> I'm attaching a patch with automated tests for stageuser plugin
>>>>> (https://fedorahosted.org/freeipa/ticket/3813). The user plugin
>>>>> test is affected as well (one class was added).
>>>>> The tests seem a bit of a mess even to myself, but what with the
>>>>> way freeipa behaves I didn't know how else to implement them, but
>>>>> I'm eager to learn how to do it in a nicer way, if someone has a
>>>>> better idea.
>>>>>
>>>>> Lenka
>>>>>
>>>> I just applied patches:
>>>>
>>>> 1) Please remove whitespace errors
>>>> $ git am freeipa-lryznaro-0002-Automated-test-for-stageuser-plugin.patch
>>>> Applying: Automated test for stageuser plugin
>>>> /home/mbasti/work/freeipa-devel/.git/rebase-apply/patch:110: trailing whitespace.
>>>> """ Tracker class for staged user LDAP object
>>>> /home/mbasti/work/freeipa-devel/.git/rebase-apply/patch:113: trailing whitespace.
>>>> StageUserTracker object stores information about the user.
>>>> /home/mbasti/work/freeipa-devel/.git/rebase-apply/patch:121: trailing whitespace.
>>>> u'krbprincipalexpiration', u'usercertificate', u'dn', u'has_keytab', u'has_password',
>>>> /home/mbasti/work/freeipa-devel/.git/rebase-apply/patch:122: trailing whitespace.
>>>> u'street', u'postalcode', u'facsimiletelephonenumber', u'carlicense',
>>>> /home/mbasti/work/freeipa-devel/.git/rebase-apply/patch:125: trailing whitespace.
>>>> u'cn', u'ipauniqueid', u'objectclass', u'description',
>>>> warning: squelched 50 whitespace errors
>>>> warning: 55 lines add whitespace errors.
>>>>
>>>> 2)
>>>> Please use new shorter format of license header
>>>>
>>>> 3) can you fix some of the most serious PEP8 errors
>>>> $ git show -U0 | pep8 --diff | wc -l
>>>> 198
>>>>
>>>> 4)
>>>> if options != None:
>>>>
>>>> Please use "options *is not* None"
>>>>
>>>> 5)
>>>> For consistency it should be u'random'
>>>> if key == 'random':
>>>> self.attrs[u'randompassword'] = fuzzy_string
>>>>
>>>> Otherwise it looks good
>>>> Martin^2
>>>> --
>>>> Martin Basti
>>>
>> And also fix this please
>>
>> ./make-lint
>> ************* Module ipatests.test_xmlrpc.test_stageuser_plugin
>> ipatests/test_xmlrpc/test_stageuser_plugin.py:337:
>> [E0102(function-redefined), user2] function already defined line 44)
>>
>> --
>> Martin Basti
>>
> Hi, the patch still lists your old name, you should set your redhat
> email in git
>
> --
> Martin Basti
>
Sorry for spam, you can safely ignore this. :)

-- 
Martin Basti

From: pviktori at redhat.com (Petr Viktorin)
Date: Thu, 30 Jul 2015 16:14:12 +0200
Subject: [Freeipa-devel] [PATCH] Modernize number literals
Message-ID: <55BA3134.5090300@redhat.com>

Hello,
This patch switches to Python3-compatible syntax for integer literals.

-- 
Petr Viktorin

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0670-Modernize-number-literals.patch
Type: text/x-patch
Size: 36236 bytes
Desc: not available
URL: 
From: rharwood at redhat.com (Robbie Harwood)
Date: Thu, 30 Jul 2015 11:12:18 -0400
Subject: [Freeipa-devel] [PATCH 0002] Port from python-krbV to python-gssapi
In-Reply-To: <55BA27A0.3090503@redhat.com>
References: <55B88A4A.9070601@redhat.com> <55BA27A0.3090503@redhat.com>
Message-ID:

Michael Šimáček writes:

> On 2015-07-29 19:20, Robbie Harwood wrote:
>
>> Michael Šimáček writes:
>>
>>> - # The keytab may have stale key material (from older trust-add run)
>>> - if not os.path.isfile(oneway_ccache_name):
>>> - oneway_ccache = kinit_keytab(oneway_principal, oneway_keytab_name, oneway_ccache_name)
>>> -except krbV.Krb5Error as e:
>>> + try:
>>> + # The keytab may have stale key material (from older trust-add run)
>>> + cred = kinit_keytab(oneway_principal, oneway_keytab_name, oneway_ccache_name)
>>> + # would raise exception if expired
>>> + cred.lifetime
>>> + except gssapi.exceptions.ExpiredCredentialsError:
>>> + cred = kinit_keytab(oneway_principal, oneway_keytab_name, oneway_ccache_name)
>>> +except gssapi.exceptions.GSSError:
>>> # If there was failure on using keytab, assume it is stale and retrieve again
>>> retrieve_keytab(api, ccache_name, oneway_keytab_name, oneway_principal)
>>
>> In general, it's bad practice to catch *all* possible GSS errors unless
>> you intend to display their status and/or abort/raise. If there's a
>> specific state you want to cope with here, catch the exception related
>> to it, not all of them. Up above is a place where I think this is done
>> right.
>
> I haven't found any specific exception for keytab problems, what should
> I catch?
> But there's a different error, there should be one more attempt to get
> the credentials there. I'll fix it in the next revision of the patch.

I seem to have misread the nested except blocks, which makes this code
different from the code I thought was similar above it.
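Review bot: in the quoted hunk the bare expression statement `cred.lifetime` reads as a no-op; if it stays as the expiry probe, say so in the comment or assign the result so a later cleanup does not delete it. The larger issue is the outer `except gssapi.exceptions.GSSError:`, which treats every GSS failure, a temporarily unreachable KDC included, as a stale keytab and calls `retrieve_keytab()` again, so a transient error triggers a keytab re-retrieval. As the review says, narrow it to the error that re-fetching actually fixes, and log the original `GSSError` before retrying so the real cause is visible when the retry also fails.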
I would think the only error that could pop out for keytab problems that
can actually be fixed would be ExpiredCredentialsError, but if you're
seeing more than just that in practice that fetching the keytab again
actually fixes, then I will defer to you.

> Thank you for your feedback, I'll post a next revision of the patch
> after we clarify how to proceed with the default realm.

Sounds good!

From: mkubik at redhat.com (Milan Kubík)
Date: Thu, 30 Jul 2015 17:23:38 +0200
Subject: [Freeipa-devel] programmer documentation
Message-ID: <55BA417A.7010506@redhat.com>

Hi all,

I'm curious, is there some documentation of the IPA internals?

During my playing with plugins, I was quite amazed and frustrated at the
code, not entirely (or remotely) understanding what happens after the call
to a command starts and before I get the result.

The main problem I have is that the command takes an argument. This
argument gets automagically into LDAP, where it quite often is an attribute
with a different name, and as the output of the command I get an object
that has yet another name for the value I just sent to the command.

Is there some (easy to understand) guide how this works, complete with the
callback mechanism, etc?

In general, where to search for $SUBJ and who to bug when it is missing or
out of date? I know there is quite extensive tutorial to writing plugins in
ipalib/__init__.py, but nowhere there are pre/post operation callbacks
explained nor the format of the command output described (that I know of).
Is there some guide that could even a newcomer use to get started?

Can you point me to some documentation or designs for the framework itself,
if it exists?

Thanks,
Milan
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Thu, 30 Jul 2015 18:42:43 +0300
Subject: [Freeipa-devel] programmer documentation
In-Reply-To: <55BA417A.7010506@redhat.com>
References: <55BA417A.7010506@redhat.com>
Message-ID: <20150730154243.GO4677@redhat.com>

On Thu, 30 Jul 2015, Milan Kubík wrote:
> Hi all,
>
> I'm curious, is there some documentation of the IPA internals?
>
> During my playing with plugins, I was quite amazed and frustrated
> at the code, not entirely (or remotely) understanding what happens
> after the call to a command starts and before I get the result.
>
> The main problem I have is that the command takes an argument.
> This argument gets automagically into LDAP, where it quite often is
> an attribute with a different name, and as the output of the command
> I get an object that has yet another name for the value I just sent
> to the command.
>
> Is there some (easy to understand) guide how this works, complete with
> the callback mechanism, etc?
>
> In general, where to search for $SUBJ and who to bug when it is missing
> or out of date? I know there is quite extensive tutorial to writing plugins
> in ipalib/__init__.py, but nowhere there are pre/post operation callbacks
> explained nor the format of the command output described (that I know of).
> Is there some guide that could even a newcomer use to get started?
>
> Can you point me to some documentation or designs for the framework itself,
> if it exists?
Did you read my (outdated) guide already?
https://abbra.fedorapeople.org/freeipa-extensibility.html

It is first link in the
http://www.freeipa.org/page/Documentation#Additional_Resources_2 section
-- 
/ Alexander Bokovoy
From: mkubik at redhat.com (Milan Kubík)
Date: Thu, 30 Jul 2015 17:48:47 +0200
Subject: [Freeipa-devel] programmer documentation
In-Reply-To: <20150730154243.GO4677@redhat.com>
References: <55BA417A.7010506@redhat.com> <20150730154243.GO4677@redhat.com>
Message-ID: <55BA475F.4090004@redhat.com>

On 07/30/2015 05:42 PM, Alexander Bokovoy wrote:
> On Thu, 30 Jul 2015, Milan Kubík wrote:
>> Hi all,
>>
>> I'm curious, is there some documentation of the IPA internals?
>>
>> During my playing with plugins, I was quite amazed and frustrated
>> at the code, not entirely (or remotely) understanding what happens
>> after the call to a command starts and before I get the result.
>>
>> The main problem I have is that the command takes an argument.
>> This argument gets automagically into LDAP, where it quite often is
>> an attribute with a different name, and as the output of the command
>> I get an object that has yet another name for the value I just sent
>> to the command.
>>
>> Is there some (easy to understand) guide how this works, complete with
>> the callback mechanism, etc?
>>
>> In general, where to search for $SUBJ and who to bug when it is missing
>> or out of date? I know there is quite extensive tutorial to writing
>> plugins in ipalib/__init__.py, but nowhere there are pre/post operation
>> callbacks explained nor the format of the command output described
>> (that I know of).
>> Is there some guide that could even a newcomer use to get started?
>>
>> Can you point me to some documentation or designs for the framework
>> itself, if it exists?
> Did you read my (outdated) guide already?
> https://abbra.fedorapeople.org/freeipa-extensibility.html
>
> It is first link in the
> http://www.freeipa.org/page/Documentation#Additional_Resources_2 section
Thanks, I will take a look at that. :)

Milan
From: jcholast at redhat.com (Jan Cholasta)
Date: Fri, 31 Jul 2015 07:52:04 +0200
Subject: [Freeipa-devel] [PATCH 0002] Port from python-krbV to python-gssapi
In-Reply-To: <55B88A4A.9070601@redhat.com>
References: <55B88A4A.9070601@redhat.com>
Message-ID: <55BB0D04.4030904@redhat.com>

Hi Michael,

On 29.7.2015 at 10:09 Michael Šimáček wrote:
> Hi,
>
> this is the first attempt to port FreeIPA from deprecated
> python3-incompatible python-krbV library to python-gssapi. The patch
> depends on python-kerberos->python-gssapi patch [1] to apply cleanly,
> but the overlap is small, so I think it can be at least partially
> reviewed without it.
>
> Comments:
> I removed Backend.krb and KRB5_CCache classes as they were wrappers
> around krbV classes. I added few utility functions to krb_utils module
> that perform part of its functionality (no need for classes, because
> gssapi acquire calls don't pass any context objects, they wouldn't have
> any state).
>
> I merged the two different kinit_keytab functions.
>
> GSSAPI doesn't provide any method (that I'm aware of) to get default
> ccache name. In most cases this is not needed as we can simply not pass
> any name and it will use the default. The ldap plugin had to be adjusted
> for this - the connect method now takes new use_gssapi argument, which
> can turn on gssapi support without the need to supply explicit ccache
> name. The only place where the ccache name is really needed is the test
> server, where I use system klist command to obtain it.

I would prefer if the semantics were the same as in IPAdmin, i.e. GSSAPI
is used by default if bind password is not specified, see
IPAdmin.do_bind() in ipapython.ipaldap.

> It's also not possible to directly get default realm name, what I do is
> importing nonexistent name, canonicalizing it and extracting the realm
> from it. Which should work but is ugly. It would be better if we could
> modify the places that use it to not need it at all, but it's mostly
> used in ldap code and I don't understand that part of FreeIPA.
> Alternative would be parsing /etc/krb.conf.

You should use api.env.realm where possible. I think this should be most
of the places where default realm is currently used, if not all of them.

> Sorry for long patch, but I'm afraid it cannot be reasonably split.
>
> Ticket:
> https://fedorahosted.org/freeipa/ticket/5164
>
> [1] https://fedorahosted.org/freeipa/ticket/5147

Honza

-- 
Jan Cholasta
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 31 Jul 2015 10:24:57 +0200
Subject: [Freeipa-devel] [PATCH 0291, 0292] Limit max age of replication changelog
In-Reply-To: <55BA2A05.2050900@redhat.com>
References: <55AD0976.4070402@redhat.com> <55AD129D.8020608@redhat.com> <55AD1857.8090209@redhat.com> <55AD26EB.5030303@redhat.com> <55AD2A09.9070101@redhat.com> <55AFB0CE.3020508@redhat.com> <55BA2321.4070201@redhat.com> <55BA2A05.2050900@redhat.com>
Message-ID: <55BB30D9.7010004@redhat.com>

On 30/07/15 15:43, Ludwig Krispenz wrote:
>
> On 07/30/2015 03:14 PM, Martin Basti wrote:
>> On 22/07/15 17:03, Martin Basti wrote:
>>> On 20/07/15 19:04, Mark Reynolds wrote:
>>>>
>>>> On 07/20/2015 12:50 PM, Martin Basti wrote:
>>>>> On 20/07/15 17:48, Petr Vobornik wrote:
>>>>>> On 07/20/2015 05:24 PM, Rob Crittenden wrote:
>>>>>>> Martin Basti wrote:
>>>>>>>> https://fedorahosted.org/freeipa/ticket/5086
>>>>>>>>
>>>>>>>> Patch attached.
>>>>>>>
>>>>>>> Is this going to be a shock on upgrades for people who until now
>>>>>>> may be relying on the fact that there is no limit?
>>>>>>
>>>>>> Not making any point, but have to note: Ludwig raised a question
>>>>>> on users list but there was no feedback from users.
>>>>>>
>>>>>> https://www.redhat.com/archives/freeipa-users/2015-July/msg00022.html
>>>>>>
>>>>>>> Should there be a way for an admin to manage this, via the
>>>>>>> config module perhaps?
>>>>>>>
>>>>>>> IMHO this is a significant change and red flags need to be
>>>>>>> raised so users are aware of it.
>>>>>>>
>>>>>>> rob
>>>>>>
>>>>> IIUC there is purge delay 7 days, so if changelog max age is 7 or
>>>>> more days, it will not break replication.
>>>>> The issue is if somebody uses changelog for different purpose, right?
>>>> Well the replication changelog can not be used for anything else
>>>> but the multimaster replication plugin. If a customer increased
>>>> the replication purge delay you could potentially run into issues,
>>>> but again this only comes into play when a replica is down for a
>>>> very long time. I'm not sure if IPA even provides the option to
>>>> adjust the replication purge delay, but that doesn't mean a
>>>> customer can not adjust these settings on their own.
>>>>
>>>> Mark
>>>
>>> I'm attaching new patch, that modifies behavior of 'addifnew'
>>> keyword in update files.
>>> addifnew will no create new entry if doesn't exist.
>>> This is required for proper working of patch 292
>>>
>>> Rob are you okay with these patches, as Mark wrote, changelog is
>>> used only for replication plugins, so it should not cause any issues
>>> to users.
>>>
>>> Martin^2
>>
>> These patches are ready to be reviewed.
>> I'm just not sure if would be better to have replication changelog
>> max age 8days, just to be sure.
>> Should I explicitly set purge delay to 7days, or are we fine with
>> 7days as default?
> I think 7d is a quite common setting, so it should be ok

7 days for changelog max age, or for purge delay, or for both?
Should I explicitly set purge delay then?

I'm thinking about the case when admin changed purge delay before
upgrade, IMO I should check this value and set same value for changelog
max age or don't upgrade changelog.

Martin^2

>> --
>> Martin Basti
>

-- 
Martin Basti
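The upgrade decision Martin describes (check the purge delay an admin may have raised, and never let the changelog max age fall below it), as an added example that is not the 0291/0292 patches. The attribute names it refers to are the 389-ds ones, `nsds5ReplicaPurgeDelay` (seconds, on the replica entry) and `nsslapd-changelogmaxage` (a number with an optional s/m/h/d/w unit, on `cn=changelog5,cn=config`); the 7-day default comes from the thread, and the choice to write whole days where possible is an assumption of this example.

```python
"""Choose a replication changelog max age that cannot outrun the purge delay.

Added example, not the 0291/0292 patches. Attribute names are the 389-ds
ones: nsds5ReplicaPurgeDelay (seconds) and nsslapd-changelogmaxage (number
plus optional s/m/h/d/w unit). The 7-day default is the thread's.
"""
import re

UNITS = {'s': 1, 'm': 60, 'h': 3600, 'd': 86400, 'w': 7 * 86400}
DEFAULT_MAX_AGE = '7d'


def parse_duration(value):
    """'7d' -> 604800, '12h' -> 43200, '604800' -> 604800 (bare = seconds)."""
    match = re.fullmatch(r'\s*(\d+)\s*([smhdw]?)\s*', str(value))
    if not match:
        raise ValueError("bad duration: %r" % (value,))
    return int(match.group(1)) * UNITS[match.group(2) or 's']


def format_duration(seconds):
    """Whole days when the value divides evenly, otherwise seconds (assumed style)."""
    if seconds % 86400 == 0:
        return '%dd' % (seconds // 86400)
    return '%ds' % seconds


def plan_changelog_max_age(purge_delay, current_max_age=None):
    """Decide what to write to nsslapd-changelogmaxage during upgrade.

    Changes younger than the purge delay must stay in the changelog, or a
    replica that was down for a while can no longer be brought up to date.
    Returns ('keep', value) when the existing setting is already at least
    the purge delay, otherwise ('set', value) with the larger of the
    default and the purge delay.
    """
    purge = parse_duration(purge_delay)
    if current_max_age is not None and parse_duration(current_max_age) >= purge:
        return 'keep', current_max_age
    wanted = max(parse_duration(DEFAULT_MAX_AGE), purge)
    return 'set', format_duration(wanted)
```

With the default purge delay the plan is `('set', '7d')`; an admin who raised the purge delay to 30 days gets `('set', '30d')`, and an existing max age that already covers the purge delay is left alone.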
From: mkubik at redhat.com (Milan Kubík)
Date: Fri, 31 Jul 2015 10:39:30 +0200
Subject: [Freeipa-devel] programmer documentation
In-Reply-To: <20150730154243.GO4677@redhat.com>
References: <55BA417A.7010506@redhat.com> <20150730154243.GO4677@redhat.com>
Message-ID: <55BB3442.4090700@redhat.com>

On 07/30/2015 05:42 PM, Alexander Bokovoy wrote:
> On Thu, 30 Jul 2015, Milan Kubík wrote:
>> Hi all,
>>
>> I'm curious, is there some documentation of the IPA internals?
>>
>> During my playing with plugins, I was quite amazed and frustrated
>> at the code, not entirely (or remotely) understanding what happens
>> after the call to a command starts and before I get the result.
>>
>> The main problem I have is that the command takes an argument.
>> This argument gets automagically into LDAP, where it quite often is
>> an attribute with a different name, and as the output of the command
>> I get an object that has yet another name for the value I just sent
>> to the command.
>>
>> Is there some (easy to understand) guide how this works, complete with
>> the callback mechanism, etc?
>>
>> In general, where to search for $SUBJ and who to bug when it is missing
>> or out of date? I know there is quite extensive tutorial to writing
>> plugins in ipalib/__init__.py, but nowhere there are pre/post operation
>> callbacks explained nor the format of the command output described
>> (that I know of).
>> Is there some guide that could even a newcomer use to get started?
>>
>> Can you point me to some documentation or designs for the framework
>> itself, if it exists?
> Did you read my (outdated) guide already?
> https://abbra.fedorapeople.org/freeipa-extensibility.html
>
> It is first link in the
> http://www.freeipa.org/page/Documentation#Additional_Resources_2 section
Hi,

thanks for the link. Though outdated, it covers most of what I needed.

Is there some document describing the rules used in JSON serialization?
Sometimes the api call result has interesting representation of the values.

Cheers,
Milan
From: pvoborni at redhat.com (Petr Vobornik)
Date: Fri, 31 Jul 2015 10:42:45 +0200
Subject: [Freeipa-devel] programmer documentation
In-Reply-To: <55BB3442.4090700@redhat.com>
References: <55BA417A.7010506@redhat.com> <20150730154243.GO4677@redhat.com> <55BB3442.4090700@redhat.com>
Message-ID: <55BB3505.60306@redhat.com>

On 07/31/2015 10:39 AM, Milan Kubík wrote:
> On 07/30/2015 05:42 PM, Alexander Bokovoy wrote:
>> On Thu, 30 Jul 2015, Milan Kubík wrote:
>>> Hi all,
>>>
>>> I'm curious, is there some documentation of the IPA internals?
>>>
>>> During my playing with plugins, I was quite amazed and frustrated
>>> at the code, not entirely (or remotely) understanding what happens
>>> after the call to a command starts and before I get the result.
>>>
>>> The main problem I have is that the command takes an argument.
>>> This argument gets automagically into LDAP, where it quite often is
>>> an attribute with a different name, and as the output of the command
>>> I get an object that has yet another name for the value I just sent
>>> to the command.
>>>
>>> Is there some (easy to understand) guide how this works, complete with
>>> the callback mechanism, etc?
>>>
>>> In general, where to search for $SUBJ and who to bug when it is missing
>>> or out of date? I know there is quite extensive tutorial to writing
>>> plugins in ipalib/__init__.py, but nowhere there are pre/post operation
>>> callbacks explained nor the format of the command output described
>>> (that I know of).
>>> Is there some guide that could even a newcomer use to get started?
>>>
>>> Can you point me to some documentation or designs for the framework
>>> itself, if it exists?
>> Did you read my (outdated) guide already?
>> https://abbra.fedorapeople.org/freeipa-extensibility.html
>>
>> It is first link in the
>> http://www.freeipa.org/page/Documentation#Additional_Resources_2 section
> Hi,
>
> thanks for the link. Though outdated, it covers most of what I needed.
>
> Is there some document describing the rules used in JSON serialization?
> Sometimes the api call result has interesting representation of the values.
>

Don't know of any. But you can always call `ipa` command with -vvv and
observe the communication.

-- 
Petr Vobornik
From: mkubik at redhat.com (Milan Kubík)
Date: Fri, 31 Jul 2015 10:44:38 +0200
Subject: [Freeipa-devel] programmer documentation
In-Reply-To: <55BB3505.60306@redhat.com>
References: <55BA417A.7010506@redhat.com> <20150730154243.GO4677@redhat.com> <55BB3442.4090700@redhat.com> <55BB3505.60306@redhat.com>
Message-ID: <55BB3576.9060002@redhat.com>

On 07/31/2015 10:42 AM, Petr Vobornik wrote:
> On 07/31/2015 10:39 AM, Milan Kubík wrote:
>> On 07/30/2015 05:42 PM, Alexander Bokovoy wrote:
>>> On Thu, 30 Jul 2015, Milan Kubík wrote:
>>>> Hi all,
>>>>
>>>> I'm curious, is there some documentation of the IPA internals?
>>>>
>>>> During my playing with plugins, I was quite amazed and frustrated
>>>> at the code, not entirely (or remotely) understanding what happens
>>>> after the call to a command starts and before I get the result.
>>>>
>>>> The main problem I have is that the command takes an argument.
>>>> This argument gets automagically into LDAP, where it quite often is
>>>> an attribute with a different name, and as the output of the command
>>>> I get an object that has yet another name for the value I just sent
>>>> to the command.
>>>>
>>>> Is there some (easy to understand) guide how this works, complete with
>>>> the callback mechanism, etc?
>>>>
>>>> In general, where to search for $SUBJ and who to bug when it is
>>>> missing or out of date? I know there is quite extensive tutorial to
>>>> writing plugins in ipalib/__init__.py, but nowhere there are pre/post
>>>> operation callbacks explained nor the format of the command output
>>>> described (that I know of).
>>>> Is there some guide that could even a newcomer use to get started?
>>>>
>>>> Can you point me to some documentation or designs for the framework
>>>> itself, if it exists?
>>> Did you read my (outdated) guide already?
>>> https://abbra.fedorapeople.org/freeipa-extensibility.html
>>>
>>> It is first link in the
>>> http://www.freeipa.org/page/Documentation#Additional_Resources_2
>>> section
>> Hi,
>>
>> thanks for the link. Though outdated, it covers most of what I needed.
>>
>> Is there some document describing the rules used in JSON serialization?
>> Sometimes the api call result has interesting representation of the
>> values.
>>
>
> Don't know of any. But you can always call `ipa` command with -vvv and
> observe the communication.
>
I do that. And take the format as a fact of life. :)

From: simo at redhat.com (Simo Sorce)
Date: Fri, 31 Jul 2015 06:46:45 -0400
Subject: [Freeipa-devel] [PATCHES] changes in preparation of replica promotion work
Message-ID: <1438339605.24296.4.camel@willson.usersys.redhat.com>

I've been carrying these patches in my tree for a while, I think it is
time to put them in master as they stand on their own.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-530-1-Remove-custom-utility-function-from-krbinstance.patch
Type: text/x-patch
Size: 2244 bytes
Desc: not available
URL: 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-531-1-Move-sasl-mappings-creation-to-dsinstance.patch
Type: text/x-patch
Size: 6973 bytes
Desc: not available
URL: 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-532-1-Simplify-adding-options-in-ipachangeconf.patch
Type: text/x-patch
Size: 1272 bytes
Desc: not available
URL: 
From: mbasti at redhat.com (Martin Basti) Date: Fri, 31 Jul 2015 13:32:35 +0200 Subject: [Freeipa-devel] [PATCH 0058] dns: do not add (forward)zone if it is already resolvable. In-Reply-To: <55BA1ABC.8020108@redhat.com> References: <55B8DF32.70208@redhat.com> <55BA1ABC.8020108@redhat.com> Message-ID: <55BB5CD3.5060603@redhat.com> On 30/07/15 14:38, Martin Basti wrote: > On 29/07/15 16:12, David Kupka wrote: >> https://fedorahosted.org/freeipa/ticket/5087 > NACK > > You forgot to update the API.txt file > I'm just curious, what is the reason to check if the forward zone exists? IMO a forwardzone must exist somewhere as the master zone. I don't think we should check forwardzones, this may give too many false positive errors. Martin^2 -- Martin Basti From jcholast at redhat.com Fri Jul 31 11:33:24 2015 
From: jcholast at redhat.com (Jan Cholasta) Date: Fri, 31 Jul 2015 13:33:24 +0200 Subject: [Freeipa-devel] [PATCH 0014] [py3] Replace M2Crypto RC4 with python-cryptography ARC4 In-Reply-To: <55B0AE78.2060804@redhat.com> References: <55B0A916.9000700@redhat.com> <55B0ABDC.7050509@redhat.com> <55B0AE78.2060804@redhat.com> Message-ID: <55BB5D04.6020909@redhat.com> Dne 23.7.2015 v 11:06 Christian Heimes napsal(a): > On 2015-07-23 10:54, Jan Cholasta wrote: >> Hi, >> >> Dne 23.7.2015 v 10:43 Christian Heimes napsal(a): >>> This patch removes the dependency on M2Crypto in favor for cryptography. >>> Cryptography is more strict about the key size and doesn't support >>> non-standard key sizes: >>> >>>>>> from M2Crypto import RC4 >>>>>> from ipaserver.dcerpc import arcfour_encrypt >>>>>> RC4.RC4(b'key').update(b'data') >>> 'o\r@\x8c' >>>>>> arcfour_encrypt(b'key', b'data') >>> Traceback (most recent call last): >>> ... >>> ValueError: Invalid key size (24) for RC4. >>> >>> Standard key sizes 40, 56, 64, 80, 128, 192 and 256 are supported: >>> >>>>>> arcfour_encrypt(b'key12', b'data') >>> '\xcd\xf80d' >>>>>> RC4.RC4(b'key12').update(b'data') >>> '\xcd\xf80d' >>> >>> http://cryptography.readthedocs.org/en/latest/hazmat/primitives/symmetric-encryption/#cryptography.hazmat.primitives.ciphers.algorithms.ARC4 >>> >>> https://fedorahosted.org/freeipa/ticket/5148 >> >> NACK on the spec file change. There is a BuildRequires and Requires on >> m2crypto, replace them with BuildRequires and Requires on >> python-cryptography. > > Argh, m2crypto ... I was looking for M2Crypto (case sensitive). Here is > an updated patch. > > An additional Requires: python-cryptography is not required. > server-trust-ad depends on ipa-server which depends on the ipa-python > package. The ipa-python package already has Requires: python-cryptography. Thanks, ACK. Pushed to master: a908be2785d4388e3c97c7cd543c817c527d73c9 -- Jan Cholasta From pvoborni at redhat.com Fri Jul 31 11:33:00 2015 
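To make the key-size behaviour discussed in this thread concrete, here is an added example (my code, not part of the patch or of FreeIPA): a pure-Python RC4 next to a wrapper that enforces the same key-size whitelist as cryptography's ARC4 (40, 56, 64, 80, 128, 192 and 256 bits, the list quoted above). The function name `arcfour_encrypt_strict` is my own stand-in for the `arcfour_encrypt` in ipaserver.dcerpc; the `b'key12'` result is the value both libraries printed in the thread, the other expected values are the public RC4 test vectors.

```python
"""Pure-Python RC4 with the key-size policy of cryptography's ARC4.

Added example, not FreeIPA code. RC4 is a broken legacy cipher that survives
in IPA only because the AD trust (DCE/RPC) protocol requires it. What this
shows is the library policy change behind the port: M2Crypto accepted any key
length, cryptography rejects lengths outside a fixed list, so callers that
pass odd-sized keys start failing with ValueError after the switch.
"""

# Key sizes (bits) that cryptography's ARC4 accepted at the time of the thread.
ARC4_KEY_SIZES = frozenset([40, 56, 64, 80, 128, 192, 256])


def rc4_keystream(key: bytes):
    """Generator yielding RC4 keystream bytes for `key` (KSA then PRGA)."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:                                # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Raw RC4 (encrypt == decrypt); accepts any key length, as M2Crypto did."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


def is_standard_key_size(key: bytes) -> bool:
    """True if the key length is one cryptography's ARC4 would accept."""
    return len(key) * 8 in ARC4_KEY_SIZES


def arcfour_encrypt_strict(key: bytes, data: bytes) -> bytes:
    """Stand-in for a cryptography-backed arcfour_encrypt: same output as
    rc4_crypt, but rejects non-standard key sizes with the kind of error the
    thread shows ("Invalid key size (24) for RC4.")."""
    if not is_standard_key_size(key):
        raise ValueError("Invalid key size (%d) for RC4." % (len(key) * 8))
    return rc4_crypt(key, data)


if __name__ == "__main__":
    # b'key' is 24 bits: fine for M2Crypto, rejected by the strict wrapper.
    for key in (b"key", b"key12"):
        try:
            print(key, arcfour_encrypt_strict(key, b"data").hex())
        except ValueError as exc:
            print(key, "->", exc)
```

The practical consequence for a port like this one is that every call site must be audited for the key length it actually passes (the DCE/RPC code derives fixed-size keys, so it is fine), because the failure is a runtime ValueError, not something a test with a standard-sized key will catch.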
From: pvoborni at redhat.com (Petr Vobornik) Date: Fri, 31 Jul 2015 13:33:00 +0200 Subject: [Freeipa-devel] Changing CA replication agreements after raising domain level Message-ID: <55BB5CEC.1030600@redhat.com> Discussed with Ludwig, but it might be interesting to the rest of the team (and mainly Simo) In FreeIPA 4.3 - management of CA agmts by a replication plugin, there is a scenario as follows: - existing couple of replicas of version 4.2 and earlier (no topology management) - upgrade all to future 4.3 - raise domain level to 1 - optionally add a replica All agmts are now managed by a topology plugin but there is an issue with the old CA agreements because they were created with bind method: simple. Atm. no code in IPA framework is executed after raising a domain level. Therefore the old CA agreements are not converted to use GSSAPI. If the segments related to the old agreements are removed and then re-added, topology plugin creates agreements which use GSSAPI. The old agreements are not converted automatically by a topology plugin because simple auth is still required for ipa-replica-install (for both realm and o=ipaca suffix). Nor can they be converted in IPA upgrade because domain level is raised after the upgrade. The question is who should convert the old agmts after raising a domain level. IPA or topology plugin? Some of the possible solutions are: 1. Convert the CA agmts in domainlevel-set method 2. Change replica installer to setup Kerberos earlier so that new agreements could use GSSAPI and therefore topology plugin can convert all managed agreements which don't use GSSAPI automatically. 3. Automatically convert all agmts by topo plugin. Introduce an attr in repl agmnt which would be set during replica installation to tell the topo plugin to not convert the agmnt while the attr is set. Then convert in installer or when the attr is removed. #1 is an easy workaround but it creates yet another "sort of upgrade path" in domain level set. 
#2 is more or less a replica promotion. #3 another workaround From a long-term perspective, I like #2 but I don't know what's the state of replica promotion. Simo? Attaching IPA patches which I use now (they don't contain the required topo plugin patches). -- Petr Vobornik -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-topology-manage-ca-replication-agreements.patch Type: text/x-patch Size: 24452 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: 0002-topology-plugin-configuration-workaround.patch Type: text/x-patch Size: 1076 bytes Desc: not available URL: From jcholast at redhat.com Fri Jul 31 11:45:54 2015 From: jcholast at redhat.com (Jan Cholasta) Date: Fri, 31 Jul 2015 13:45:54 +0200 Subject: [Freeipa-devel] [PATCH] Modernize number literals In-Reply-To: <55BA3134.5090300@redhat.com> References: <55BA3134.5090300@redhat.com> Message-ID: <55BB5FF2.4030703@redhat.com> Hi, Dne 30.7.2015 v 16:14 Petr Viktorin napsal(a): > Hello, > This patch switches to Python3-compatible syntax for integer literals. 1) API.txt needs to be updated. 2) You missed these: daemons/dnssec/ipa-dnskeysyncd:58:os.umask(007) ipa-client/ipa-install/ipa-client-install:850: os.chmod(target_fname, 0644) ipa-client/ipa-install/ipa-client-install:1019: os.chmod(target_fname, 0644) ipa-client/ipa-install/ipa-client-install:1113: os.chmod(filename, 0644) ipa-client/ipa-install/ipa-client-install:1984: os.chmod(CACERT, 0644) ipapython/log_manager.py:1099: permission=0600, Honza -- Jan Cholasta From simo at redhat.com Fri Jul 31 11:53:25 2015 
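What option 3 from the CA agreement discussion amounts to at the attribute level, as an added example (my code, not the attached patches nor the topology plugin): scan the agreements under a suffix, skip those flagged by an installer marker, and emit the modifications that turn a SIMPLE-bind agreement into a GSSAPI one. The LDIF is constructed; the marker attribute `ipaReplAgmtInstallInProgress` is hypothetical, and the exact GSSAPI modlist (bind method, transport, dropping the bind DN and stored credentials) is my understanding of what a converted agreement looks like and should be checked against one written by the installer.

```python
"""Select and convert SIMPLE-bind replication agreements (added example).

Not code from the attached patches or from the topology plugin. It models
option 3 from the discussion: leave agreements alone while the installer's
marker attribute is set, and rewrite every other agreement that still binds
with SIMPLE so that it uses SASL/GSSAPI. Attribute names are the 389-ds
replication agreement attributes; `ipaReplAgmtInstallInProgress` is a
hypothetical marker and the modlist below is an assumption to verify.
"""
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]
Mod = Tuple[str, str, List[str]]

MARKER_ATTR = "ipaReplAgmtInstallInProgress"   # hypothetical, see docstring

# Constructed sample: three o=ipaca agreements after an upgrade. Host names and
# the credentials blob are placeholders, not real values.
SAMPLE_LDIF = """\
dn: cn=meToreplica1.example.test,cn=replica,cn=o\\3Dipaca,cn=mapping tree,cn=config
cn: meToreplica1.example.test
nsDS5ReplicaHost: replica1.example.test
nsDS5ReplicaBindMethod: SIMPLE
nsDS5ReplicaBindDN: cn=Replication Manager,ou=csusers,cn=config
nsDS5ReplicaCredentials: {PLACEHOLDER}constructed-secret
nsDS5ReplicaTransportInfo: TLS

dn: cn=meToreplica2.example.test,cn=replica,cn=o\\3Dipaca,cn=mapping tree,cn=config
cn: meToreplica2.example.test
nsDS5ReplicaHost: replica2.example.test
nsDS5ReplicaBindMethod: SIMPLE
nsDS5ReplicaBindDN: cn=Replication Manager,ou=csusers,cn=config
nsDS5ReplicaCredentials: {PLACEHOLDER}constructed-secret
nsDS5ReplicaTransportInfo: TLS
ipaReplAgmtInstallInProgress: TRUE

dn: cn=meToreplica3.example.test,cn=replica,cn=o\\3Dipaca,cn=mapping tree,cn=config
cn: meToreplica3.example.test
nsDS5ReplicaHost: replica3.example.test
nsDS5ReplicaBindMethod: SASL/GSSAPI
nsDS5ReplicaTransportInfo: LDAP
"""


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: entries separated by blank lines, one `attr: value`
    per line, no folding or base64 (enough for the constructed sample).
    Attribute names are lower-cased so lookups are case-insensitive."""
    entries: List[Entry] = []
    current: Entry = {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def needs_gssapi_conversion(entry: Entry) -> bool:
    """Option 3's rule: convert SIMPLE agreements unless the marker is present."""
    method = entry.get("nsds5replicabindmethod", [""])[0].upper()
    return method == "SIMPLE" and MARKER_ATTR.lower() not in entry


def gssapi_modlist(entry: Entry) -> List[Mod]:
    """Modifications turning a SIMPLE agreement into a GSSAPI one: switch bind
    method and transport, and drop the bind DN and stored password so that no
    replication credential remains in the agreement entry."""
    mods: List[Mod] = [
        ("replace", "nsDS5ReplicaBindMethod", ["SASL/GSSAPI"]),
        ("replace", "nsDS5ReplicaTransportInfo", ["LDAP"]),
    ]
    for attr in ("nsDS5ReplicaBindDN", "nsDS5ReplicaCredentials"):
        if attr.lower() in entry:
            mods.append(("delete", attr, []))
    return mods


def plan_conversions(text: str) -> Dict[str, List[Mod]]:
    """Map each agreement DN that should be converted to its modlist."""
    return {e["dn"][0]: gssapi_modlist(e)
            for e in parse_ldif(text) if needs_gssapi_conversion(e)}


if __name__ == "__main__":
    for dn, mods in plan_conversions(SAMPLE_LDIF).items():
        print(dn)
        for op, attr, values in mods:
            print("  %s %s %s" % (op, attr, values))
```

Running this over the sample converts only the first agreement: the second is protected by the marker (the case the installer needs), and the third already uses GSSAPI. The guard is the whole point of option 3: without it a plugin that converts blindly would break an in-progress ipa-replica-install, which is exactly why the conversion cannot simply be done on every SIMPLE agreement it sees.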
From: simo at redhat.com (Simo Sorce) Date: Fri, 31 Jul 2015 07:53:25 -0400 Subject: [Freeipa-devel] Changing CA replication agreements after raising domain level In-Reply-To: <55BB5CEC.1030600@redhat.com> References: <55BB5CEC.1030600@redhat.com> Message-ID: <1438343605.24296.20.camel@willson.usersys.redhat.com> On Fri, 2015-07-31 at 13:33 +0200, Petr Vobornik wrote: > Discussed with Ludwig, but it might be interesting to the rest of the > team(and mainly Simo) > > In FreeIPA 4.3 - management of CA agmts by a replication plugin, there > is a scenario as follows: > > - existing couple of replicas of version 4.2 and earlier (no topology > management) > - upgrade all to future 4.3 > - raise domain level to 1 > - optionally add a replica > > All agmts are now managed by a topology plugin but there is an issue > with the old CA agreements because they were created with bind method: > simple. Atm. no code in IPA framework is executed after raising a domain > level. Therefore the old CA agreements are not converted to use GSSAPI. > > If the segments related to the old agreements are removed and then > re-added, topology plugin creates agreements which use GSSAPI. > > The old agreements are not converted automatically by a topology plugin > because simple auth is still required for ipa-replica-install (for both > realm and o=ipaca suffix). My replica-promotion code creates bind agreements directly using GSSAPI, so going forward we will be covered. What is missing is to prevent non-promotion installs. We should make it impossible to run ipa-replica-prepare on level 1 servers I guess. > Nor they can't be converted in IPA upgrade because domain level is > raised after the upgrade. > > Question is who should convert the old amgts after raising a domain > level. IPA or topology plugin? > > Some of possible solutions are: > > 1. 
Convert the CA agmts in domainlevel-set method Nope, the domainlevel-set method can be called on any server, there is no guarantee this server can reach all servers. There may be network issues preventing it as well as a server may be temporarily down/unreachable for whatever reason. > 2. Change replica installer to setup Kerberos earlier so that new > agreements could use GSSAPI and therefore topology plugin can convert > all managed agreements which don't use GSSAPI automatically. This is already done in my replica promotion work, but has no bearing on *existing* agreements. > 3. Automatically convert all agmts by topo plugin. Introduce an attr in > repl agmnt which would be set during replica installation to tell the > topo plugin to not convert the agmnt while the attr is set. Then convert > in installer or when the attr is removed. This is the only viable method. > #1 is an easy workaround but it creates yet another "sort of upgrade > path" in domain level set. > #2 is more or less a replica promotion. > #3 another workaround > > From a long-term perspective, I like #2 but I don't know what's the state > of replica promotion. Simo? See above, but I do not see how this has any influence on existing replicas that are using the simple method. > Attaching IPA patches which I use now (they don't contain the required topo > plugin patches). Please look at the code in my tree, I think your work conflicts with mine on the installer part. I do not handle yet the CA replica stuff in my promotion code, but we should base any work in that direction on the replica-promotion method and not the old replica install method. Simo. -- Simo Sorce * Red Hat, Inc * New York From lkrispen at redhat.com Fri Jul 31 12:04:37 2015 
From: lkrispen at redhat.com (Ludwig Krispenz) Date: Fri, 31 Jul 2015 14:04:37 +0200 Subject: [Freeipa-devel] Changing CA replication agreements after raising domain level In-Reply-To: <1438343605.24296.20.camel@willson.usersys.redhat.com> References: <55BB5CEC.1030600@redhat.com> <1438343605.24296.20.camel@willson.usersys.redhat.com> Message-ID: <55BB6455.3010508@redhat.com> On 07/31/2015 01:53 PM, Simo Sorce wrote: > On Fri, 2015-07-31 at 13:33 +0200, Petr Vobornik wrote: >> Discussed with Ludwig, but it might be interesting to the rest of the >> team(and mainly Simo) >> >> In FreeIPA 4.3 - management of CA agmts by a replication plugin, there >> is a scenario as follows: >> >> - existing couple of replicas of version 4.2 and earlier (no topology >> management) >> - upgrade all to future 4.3 >> - raise domain level to 1 >> - optionally add a replica >> >> All agmts are now managed by a topology plugin but there is an issue >> with the old CA agreements because they were created with bind method: >> simple. Atm. no code in IPA framework is executed after raising a domain >> level. Therefore the old CA agreements are not converted to use GSSAPI. >> >> If the segments related to the old agreements are removed and then >> re-added, topology plugin creates agreements which use GSSAPI. >> >> The old agreements are not converted automatically by a topology plugin >> because simple auth is still required for ipa-replica-install (for both >> realm and o=ipaca suffix). > My replica-promotion code creates bind agreements directly using GSSAPI, > so going forward we will be covered. What is missing is to prevent > non-promotion installs. We should make it impossible to run > ipa-replica-prepare on level 1 servers I guess. > >> Nor they can't be converted in IPA upgrade because domain level is >> raised after the upgrade. >> >> Question is who should convert the old amgts after raising a domain >> level. IPA or topology plugin? >> >> Some of possible solutions are: >> >> 1. 
Convert the CA agmts in domainlevel-set method > Nope, the domainlevel-set method can be called on any server, there is > no guarantee this server can reach all servers. There may be network > issues preventing it as well as a server may be temporarily > down/unreachable for whatever reason. > >> 2. Change replica installer to setup Kerberos earlier so that new >> agreements could use GSSAPI and therefore topology plugin can convert >> all managed agreements which don't use GSSAPI automatically. > This is already done in my replica promotion work, but has no bearing on > *existing* agreements. only as a side effect. At the moment the topology plugin cannot just convert a "simple" agreement if it finds one, because in the initial phase gssapi is not yet operational. But if it is ensured that all new agreements will be gssapi, it can blindly convert all other agreements if they are encountered after domain level raise > >> 3. Automatically convert all agmts by topo plugin. Introduce an attr in >> repl agmnt which would be set during replica installation to tell the >> topo plugin to not convert the agmnt while the attr is set. Then convert >> in installer or when the attr is removed. > This is the only viable method. > >> #1 is an easy workaround but it creates yet another "sort of upgrade >> path" in domain level set. >> #2 is more or less a replica promotion. >> #3 another workaround >> >> From a long-term perspective, I like #2 but I don't know what's the state >> of replica promotion. Simo? > See above, but I do not see how this has any influence on existing > replicas that are using the simple method. > >> Attaching IPA patches which I use now (they don't contain the required topo >> plugin patches). > Please look at the code in my tree, I think your work conflicts with mine > on the installer part. 
> I do not handle yet the CA replica stuff in my promotion code, but we > should base any work in that direction on the replica-promotion method > and not the old replica install method. > > Simo. > From pviktori at redhat.com Fri Jul 31 12:18:38 2015 From: pviktori at redhat.com (Petr Viktorin) Date: Fri, 31 Jul 2015 14:18:38 +0200 Subject: [Freeipa-devel] [PATCH] Modernize number literals In-Reply-To: <55BB5FF2.4030703@redhat.com> References: <55BA3134.5090300@redhat.com> <55BB5FF2.4030703@redhat.com> Message-ID: <55BB679E.1060709@redhat.com> On 07/31/2015 01:45 PM, Jan Cholasta wrote: > Hi, > > Dne 30.7.2015 v 16:14 Petr Viktorin napsal(a): >> Hello, >> This patch switches to Python3-compatible syntax for integer literals. > > 1) API.txt needs to be updated. > > 2) You missed these: > > daemons/dnssec/ipa-dnskeysyncd:58:os.umask(007) > ipa-client/ipa-install/ipa-client-install:850: os.chmod(target_fname, > 0644) > ipa-client/ipa-install/ipa-client-install:1019: os.chmod(target_fname, > 0644) > ipa-client/ipa-install/ipa-client-install:1113: os.chmod(filename, 0644) > ipa-client/ipa-install/ipa-client-install:1984: os.chmod(CACERT, > 0644) > ipapython/log_manager.py:1099: permission=0600, Ah, right, thanks. Updated patch attached. -- Petr Viktorin -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pviktori-0670.2-Modernize-number-literals.patch Type: text/x-patch Size: 42113 bytes Desc: not available URL: From mbasti at redhat.com Fri Jul 31 12:22:34 2015 
From: mbasti at redhat.com (Martin Basti) Date: Fri, 31 Jul 2015 14:22:34 +0200 Subject: [Freeipa-devel] [PATCH] 0028 add --out option to user-show In-Reply-To: <20150730042225.GB4243@dhcp-40-8.bne.redhat.com> References: <20150724134049.GI20599@dhcp-40-8.bne.redhat.com> <55B25118.2080700@redhat.com> <55B25B1A.8040106@redhat.com> <55B25F94.3040507@redhat.com> <20150725014015.GJ20599@dhcp-40-8.bne.redhat.com> <55B8D820.5090607@redhat.com> <55B8D92E.4030601@redhat.com> <55B8D9BF.8010605@redhat.com> <20150730001919.GD6847@dhcp-40-8.bne.redhat.com> <20150730042225.GB4243@dhcp-40-8.bne.redhat.com> Message-ID: <55BB688A.3020105@redhat.com> On 30/07/15 06:22, Fraser Tweedale wrote: > On Thu, Jul 30, 2015 at 10:19:19AM +1000, Fraser Tweedale wrote: >> On Wed, Jul 29, 2015 at 03:48:47PM +0200, Jan Cholasta wrote: >>> Dne 29.7.2015 v 15:46 Martin Basti napsal(a): >>>> On 29/07/15 15:41, Martin Basti wrote: >>>>> On 25/07/15 03:40, Fraser Tweedale wrote: >>>>>> On Fri, Jul 24, 2015 at 05:53:56PM +0200, Tomas Babej wrote: >>>>>>> On 07/24/2015 05:34 PM, Martin Basti wrote: >>>>>>>> On 24/07/15 16:52, Tomas Babej wrote: >>>>>>>>> On 07/24/2015 03:40 PM, Fraser Tweedale wrote: >>>>>>>>>> The attached patch adds --out option to user-show for saving user's >>>>>>>>>> certificate(s) to file. >>>>>>>>>> >>>>>>>>>> Thanks, >>>>>>>>>> Fraser >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>> I hate to nitpick here, but is "out" really a descriptive option name >>>>>>>>> here? I'd prefer something more explicit, like '--save-cert-to', or >>>>>>>>> maybe even have this operation implemented as a separate command >>>>>>>>> altogether. >>>>>>>>> >>>>>>>>> Tomas >>>>>>>>> >>>>>>>> This keyword was already used with several commands. For consistency >>>>>>>> might be better to have it the same. >>>>>>>> >>>>>>> True. 
I see this option is being used in the following commands: >>>>>>> >>>>>>> - cert-show >>>>>>> - vault-retrieve >>>>>>> - host-show >>>>>>> - service-show >>>>>>> - user-show (proposed) >>>>>>> >>>>>>> While the first two seem to be an acceptable fit for an option called >>>>>>> --out, as they mainly deal with cert/secret, using the '--out' for the >>>>>>> latter three is a poor decision imho. >>>>>>> >>>>>>> I agree the consistency is important, I'm just not happy to see this >>>>>>> spread further. >>>>>>> >>>>>>> Tomas >>>>>> Perhaps we should go with something like `--certout' instead, and >>>>>> support `--certout' in addition to `--out' in host-show and >>>>>> service-show, essentially deprecating `--out' for those commands. >>>>>> >>>>>> Cheers, >>>>>> Fraser >>>>> Good idea, but we should do this for all commands, at the same time. >>>>> IMO this is not for 4.2, you may file a ticket to deprecate --out >>>>> option and replace it by --certout or something. >>> The "in" option is named --certificate, so it should be --certificate-out. >>> >>>>> I will do review if nobody is against this patch :) >>>>> Martin^2 >>> LGTM >>> >>>> Is a ticket somewhere for this? >>>> >> No ticket; I just wanted it so I wrote the patch :) >> >> I'll file the ticket for future change to `--certificate-out' >> though. >> > Ticket: https://fedorahosted.org/freeipa/ticket/5166 > ACK -- Martin Basti From jcholast at redhat.com Fri Jul 31 13:22:45 2015 
From: jcholast at redhat.com (Jan Cholasta) Date: Fri, 31 Jul 2015 15:22:45 +0200 Subject: [Freeipa-devel] [PATCH] Modernize number literals In-Reply-To: <55BB679E.1060709@redhat.com> References: <55BA3134.5090300@redhat.com> <55BB5FF2.4030703@redhat.com> <55BB679E.1060709@redhat.com> Message-ID: <55BB76A5.5020908@redhat.com> Dne 31.7.2015 v 14:18 Petr Viktorin napsal(a): > On 07/31/2015 01:45 PM, Jan Cholasta wrote: >> Hi, >> >> Dne 30.7.2015 v 16:14 Petr Viktorin napsal(a): >>> Hello, >>> This patch switches to Python3-compatible syntax for integer literals. >> >> 1) API.txt needs to be updated. >> >> 2) You missed these: >> >> daemons/dnssec/ipa-dnskeysyncd:58:os.umask(007) >> ipa-client/ipa-install/ipa-client-install:850: os.chmod(target_fname, >> 0644) >> ipa-client/ipa-install/ipa-client-install:1019: os.chmod(target_fname, >> 0644) >> ipa-client/ipa-install/ipa-client-install:1113: os.chmod(filename, 0644) >> ipa-client/ipa-install/ipa-client-install:1984: os.chmod(CACERT, >> 0644) >> ipapython/log_manager.py:1099: permission=0600, > > Ah, right, thanks. > > Updated patch attached. Thanks, ACK. Pushed to master: b8c46f2a32d0d8c2dc6ef0867f85f63cf076a004 -- Jan Cholasta From mbasti at redhat.com Fri Jul 31 13:35:10 2015 
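As an added example for the "Modernize number literals" review (my code, not from the patch), here is a small scanner for leftover Python 2 octal literals of the kind Jan listed; it reports them in the same path:line form and proposes the 0o spelling, carrying the numeric value along so a reviewer can confirm the intended mode. The `SAMPLE` source is constructed to resemble the listed lines; nothing else is assumed.

```python
"""Find Python 2 octal literals left behind by a Python 3 port (added example).

Not part of the patch under review; a grep-style helper that reports leftover
literals in the path:line form used in the review and proposes the 0o
spelling. File-mode literals are the usual victims (umask/chmod) and they are
worth getting right: a mistyped decimal such as chmod(path, 644) is mode
0o1204, so each hit also carries the value the old literal denoted.
"""
import re
from typing import List, Tuple

# A leading 0 followed by octal digits, not adjacent to identifier characters
# or a '.', so 100, 0.5, 0o644 and x0644 do not match.
LEGACY_OCTAL = re.compile(r"(?<![\w.])0[0-7]+(?![\w.])")

Hit = Tuple[str, int, str, str, int]   # path, line, literal, replacement, value


def modern_octal(literal: str) -> str:
    """'0644' -> '0o644', '007' -> '0o07' (digits kept, value unchanged)."""
    return "0o" + literal[1:]


def find_legacy_octals(source: str, path: str = "<stdin>") -> List[Hit]:
    """Scan Python source text line by line for Python 2 octal literals.

    Comments are stripped with a plain '#' split, which is enough for a review
    aid; a literal inside a string is still reported and needs a human look.
    """
    hits: List[Hit] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        code = line.split("#", 1)[0]
        for m in LEGACY_OCTAL.finditer(code):
            literal = m.group(0)
            if set(literal[1:]) == {"0"}:      # '00' is still legal in Python 3
                continue
            hits.append((path, lineno, literal, modern_octal(literal), int(literal, 8)))
    return hits


def format_hits(hits: List[Hit]) -> List[str]:
    """Render hits like grep output: 'path:line: 0644 -> 0o644 (420)'."""
    return ["%s:%d: %s -> %s (%d)" % h for h in hits]


# Constructed sample modelled on the lines listed in the review.
SAMPLE = """\
import os
os.umask(007)
os.chmod(target_fname, 0644)
permission=0600,
timeout = 100          # decimal, not octal
ratio = 0.5            # float
mode = 0o755           # already modernized
os.chmod(CACERT, 0644)  # trailing comment is ignored
"""

if __name__ == "__main__":
    for line in format_hits(find_legacy_octals(SAMPLE, "sample.py")):
        print(line)
```

A scan like this is cheap to run over the whole tree before the port lands, and it catches the case a test suite usually does not: a literal in a rarely exercised install path that turns into a SyntaxError only when that script is first run under Python 3.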
From: mbasti at redhat.com (Martin Basti) Date: Fri, 31 Jul 2015 15:35:10 +0200 Subject: [Freeipa-devel] [PATCH 021] Validate vault's file parameters In-Reply-To: <55BA2CA6.1090508@redhat.com> References: <55BA2CA6.1090508@redhat.com> Message-ID: <55BB798E.60801@redhat.com> On 30/07/15 15:54, Christian Heimes wrote: > The patch fixes the issue described in #5155 as well as a couple more > potential issues. The vault plugin didn't catch IOError on multiple > occasions. > > A user can pass file names for password, public and private key files to > the vault plugin. The plugin attempts to read from these files. If any > file can't be read, an internal error was raised. The patch wraps all reads > and turns any IOError and UnicodeError into a ValidationError. > > https://fedorahosted.org/freeipa/ticket/5155 > > ACK Pushed to: ipa-4-2: 2d7565eec6dce67263d3d2b25bf098b680a51f82 master: 8e28ddd8fab40e985756729f23e8f352d2dab071 -- Martin Basti -------------- next part -------------- An HTML attachment was scrubbed... URL: From mkosek at redhat.com Fri Jul 31 13:39:35 2015 
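To show the pattern the vault patch applies, as an added example (my code, not the vault plugin's): a reader for user-supplied file options that converts read and decoding failures into a ValidationError naming the option, and a `demo()` that exercises it on constructed files. The `ValidationError` class here is a stand-in for `ipalib.errors.ValidationError`; the option names match the ones the message lists.

```python
"""Validate file-name options before reading them (added example).

Models the fix discussed above: the vault plugin reads password, public-key
and private-key files named by the user; a missing or unreadable file, or one
that is not valid UTF-8, must surface as a ValidationError attributed to the
option, not as an internal error. Illustrative code, not the plugin's;
`ValidationError` stands in for ipalib.errors.ValidationError.
"""
import os
import tempfile


class ValidationError(Exception):
    """Stand-in for ipalib.errors.ValidationError: carries the option name."""

    def __init__(self, name: str, error: str):
        super().__init__("invalid '%s': %s" % (name, error))
        self.name = name
        self.error = error


def read_file_param(name: str, path: str, text: bool = True):
    """Read the file a user named in option `name`.

    Returns str (UTF-8 decoded) when text=True, else bytes. Any OSError
    (IOError is an alias in Python 3) or UnicodeError becomes a
    ValidationError, so the client learns which option is wrong and why
    instead of receiving an internal server error.
    """
    try:
        if text:
            with open(path, "r", encoding="utf-8") as f:
                return f.read()
        with open(path, "rb") as f:
            return f.read()
    except OSError as e:
        reason = e.strerror or str(e)
        raise ValidationError(name=name, error="cannot read %s: %s" % (path, reason)) from None
    except UnicodeError:
        raise ValidationError(name=name, error="%s is not valid UTF-8 text" % path) from None


def demo() -> dict:
    """Exercise read_file_param on constructed files; returns what happened."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "password.txt")
        with open(good, "w", encoding="utf-8") as f:
            f.write("constructed-password\n")           # constructed sample
        results["password"] = read_file_param("password_file", good).rstrip("\n")

        binary = os.path.join(d, "key.bin")
        with open(binary, "wb") as f:
            f.write(b"\xff\xfe\x00not utf-8")           # 0xff is never valid UTF-8
        results["binary_as_bytes"] = len(read_file_param("private_key_file", binary, text=False))

        for label, path in (("missing", os.path.join(d, "nope")), ("binary_as_text", binary)):
            try:
                read_file_param("public_key_file", path)
                results[label] = "read"
            except ValidationError as e:
                results[label] = "ValidationError:%s" % e.name
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The boundary matters more than the handler: everything that turns a caller-controlled path into bytes belongs behind one function like `read_file_param`, so no code path is left that lets an OSError escape as an internal error and no error text reveals more about the server's file system than the path the caller supplied.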
From: mkosek at redhat.com (Martin Kosek) Date: Fri, 31 Jul 2015 15:39:35 +0200 Subject: [Freeipa-devel] [PATCH] 0028 add --out option to user-show In-Reply-To: <55BB688A.3020105@redhat.com> References: <20150724134049.GI20599@dhcp-40-8.bne.redhat.com> <55B25118.2080700@redhat.com> <55B25B1A.8040106@redhat.com> <55B25F94.3040507@redhat.com> <20150725014015.GJ20599@dhcp-40-8.bne.redhat.com> <55B8D820.5090607@redhat.com> <55B8D92E.4030601@redhat.com> <55B8D9BF.8010605@redhat.com> <20150730001919.GD6847@dhcp-40-8.bne.redhat.com> <20150730042225.GB4243@dhcp-40-8.bne.redhat.com> <55BB688A.3020105@redhat.com> Message-ID: <55BB7A97.80506@redhat.com> On 07/31/2015 02:22 PM, Martin Basti wrote: > On 30/07/15 06:22, Fraser Tweedale wrote: >> On Thu, Jul 30, 2015 at 10:19:19AM +1000, Fraser Tweedale wrote: >>> On Wed, Jul 29, 2015 at 03:48:47PM +0200, Jan Cholasta wrote: >>>> Dne 29.7.2015 v 15:46 Martin Basti napsal(a): >>>>> On 29/07/15 15:41, Martin Basti wrote: >>>>>> On 25/07/15 03:40, Fraser Tweedale wrote: >>>>>>> On Fri, Jul 24, 2015 at 05:53:56PM +0200, Tomas Babej wrote: >>>>>>>> On 07/24/2015 05:34 PM, Martin Basti wrote: >>>>>>>>> On 24/07/15 16:52, Tomas Babej wrote: >>>>>>>>>> On 07/24/2015 03:40 PM, Fraser Tweedale wrote: >>>>>>>>>>> The attached patch adds --out option to user-show for saving user's >>>>>>>>>>> certificate(s) to file. >>>>>>>>>>> >>>>>>>>>>> Thanks, >>>>>>>>>>> Fraser >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>> I hate to nitpick here, but is "out" really a descriptive option name >>>>>>>>>> here? I'd prefer something more explicit, like '--save-cert-to', or >>>>>>>>>> maybe even have this operation implemented as a separate command >>>>>>>>>> altogether. >>>>>>>>>> >>>>>>>>>> Tomas >>>>>>>>>> >>>>>>>>> This keyword was already used with several commands. For consistency >>>>>>>>> might be better to have it the same. >>>>>>>>> >>>>>>>> True. 
I see this option is being used in the following commands: >>>>>>>> >>>>>>>> - cert-show >>>>>>>> - vault-retrieve >>>>>>>> - host-show >>>>>>>> - service-show >>>>>>>> - user-show (proposed) >>>>>>>> >>>>>>>> While the first two seem to be an acceptable fit for an option called >>>>>>>> --out, as they mainly deal with cert/secret, using the '--out' for the >>>>>>>> latter three is a poor decision imho. >>>>>>>> >>>>>>>> I agree the consistency is important, I'm just not happy to see this >>>>>>>> spread further. >>>>>>>> >>>>>>>> Tomas >>>>>>> Perhaps we should go with something like `--certout' instead, and >>>>>>> support `--certout' in addition to `--out' in host-show and >>>>>>> service-show, essentially deprecating `--out' for those commands. >>>>>>> >>>>>>> Cheers, >>>>>>> Fraser >>>>>> Good idea, but we should do this for all commands, at the same time. >>>>>> IMO this is not for 4.2, you may file a ticket to deprecate --out >>>>>> option and replace it by --certout or something. >>>> The "in" option is named --certificate, so it should be --certificate-out. >>>> >>>>>> I will do review if nobody is against this patch :) >>>>>> Martin^2 >>>> LGTM >>>> >>>>> Is a ticket somewhere for this? >>>>> >>> No ticket; I just wanted it so I wrote the patch :) >>> >>> I'll file the ticket for future change to `--certificate-out' >>> though. >>> >> Ticket: https://fedorahosted.org/freeipa/ticket/5166 >> > > ACK Before pushing, please create a ticket for this CLI addition and link it to this patch - so that this change/improvement can be referenced from other sources and/or downstream distros. From mbasti at redhat.com Fri Jul 31 13:51:05 2015 
From: mbasti at redhat.com (Martin Basti) Date: Fri, 31 Jul 2015 15:51:05 +0200 Subject: [Freeipa-devel] [patch 0007] tests: Allow Tracker.dn be an instance of Fuzzy In-Reply-To: <55BA1BF3.80107@redhat.com> References: <55B608CC.6030602@redhat.com> <55BA1BF3.80107@redhat.com> Message-ID: <55BB7D49.2020508@redhat.com> On 30/07/15 14:43, Lenka Doudova wrote: > ACK, > > just configure your email client not to prepend '>' to the patch. > > Lenka > > Dne 27.7.2015 v 12:32 Milan Kubík napsal(a): >> Hi, >> >> the patch changes the check on the Tracker.dn setter, allowing an instance >> of ipatests.util.Fuzzy to be used, to ease writing Trackers for plugins >> like CA ACL, which use ipaUniqueID as their primary key. >> >> Thanks, >> Milan >> >> > > > Pushed to: master: 3f90aa0c18727f02e5e373ea0b625cfa6edb7a37 ipa-4-2: 3b90044f309548a7d0c508622b2858c010ba352f -- Martin Basti -------------- next part -------------- An HTML attachment was scrubbed... URL: From mbasti at redhat.com Fri Jul 31 14:01:59 2015 From: mbasti at redhat.com (Martin Basti) Date: Fri, 31 Jul 2015 16:01:59 +0200 Subject: [Freeipa-devel] [PATCH 017] certprofile-import: do not require profileId in profile data In-Reply-To: <55BA0004.60508@redhat.com> References: <55B10E1B.8090203@redhat.com> <20150724031528.GG20599@dhcp-40-8.bne.redhat.com> <55B21668.20604@redhat.com> <55BA0004.60508@redhat.com> Message-ID: <55BB7FD7.804@redhat.com> On 30/07/15 12:44, Christian Heimes wrote: > On 2015-07-24 12:41, Martin Basti wrote: >> On 24/07/15 05:15, Fraser Tweedale wrote: >>>> diff --git a/ipalib/plugins/certprofile.py b/ipalib/plugins/certprofile.py >>>> index 5550ed942521dbab2e783fba1570520268f9b378..fe8934690fe09499f0bacb6610d9815a2b4367a4 100644 >>>> --- a/ipalib/plugins/certprofile.py >>>> +++ b/ipalib/plugins/certprofile.py 
>>>> @@ -233,8 +233,8 @@ class certprofile_import(LDAPCreate): >>>> >>>> match = self.PROFILE_ID_PATTERN.search(options['file']) >>>> if match is None: >>>> - raise errors.ValidationError(name='file', >>>> - error=_("Profile ID is not present in profile data")) >>>> + # no profileId found, use CLI value as profileId. >>>> + options['file'] = u'profileId=%s\n%s' % (keys[0], options['file']) >>> NACK >>> >>> This assignment has no external effect; `post_callback' is called >>> with original `options['file']' and dogtag profile import can fail >>> due to missing profileId. >>> >>> The solution is to do the same thing in post_callback; updated patch >>> attached. >>> >>> Thanks, >>> Fraser >>> >>> >> I don't like to have the same code twice in pre and post callback. >> >> Can you use contexmanager to store the right value in pre callback and >> then use it in post callback? >> (you can find it in the dns plugin, search for context) > > Sounds good to me! > > Christian > > PS: Context is a fancy name for a TLS dict. ;) ACK Pushed to: master: a4ade199aa594307cdd6bc43d1729cc42e92fd1e ipa-4-2: d80e90fa5c5ad41f5f29a02c11bca7c7da269938 -- Martin Basti From mbasti at redhat.com Fri Jul 31 14:12:57 2015 
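Review bot: the `options['file'] = u'profileId=%s\n%s' % (keys[0], options['file'])` assignment in this pre_callback hunk only rewrites the mapping the pre-callback was handed, and as the thread states post_callback still receives the original profile data, so the Dogtag import can still fail on the missing profileId. Rather than repeating the construction in post_callback, build the amended data once and pass it to the post-callback through the request context (the approach agreed in the thread) so both callbacks act on the same value. Removing the ValidationError also changes user-visible behaviour: profile data without a profileId is now accepted and tagged with the CLI name, which the command's doc string and any test that expected the error should reflect.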
From: mbasti at redhat.com (Martin Basti) Date: Fri, 31 Jul 2015 16:12:57 +0200 Subject: [Freeipa-devel] [PATCH] 0028 add --out option to user-show In-Reply-To: <55BB688A.3020105@redhat.com> References: <20150724134049.GI20599@dhcp-40-8.bne.redhat.com> <55B25118.2080700@redhat.com> <55B25B1A.8040106@redhat.com> <55B25F94.3040507@redhat.com> <20150725014015.GJ20599@dhcp-40-8.bne.redhat.com> <55B8D820.5090607@redhat.com> <55B8D92E.4030601@redhat.com> <55B8D9BF.8010605@redhat.com> <20150730001919.GD6847@dhcp-40-8.bne.redhat.com> <20150730042225.GB4243@dhcp-40-8.bne.redhat.com> <55BB688A.3020105@redhat.com> Message-ID: <55BB8269.2060605@redhat.com> On 31/07/15 14:22, Martin Basti wrote: > On 30/07/15 06:22, Fraser Tweedale wrote: >> On Thu, Jul 30, 2015 at 10:19:19AM +1000, Fraser Tweedale wrote: >>> On Wed, Jul 29, 2015 at 03:48:47PM +0200, Jan Cholasta wrote: >>>> Dne 29.7.2015 v 15:46 Martin Basti napsal(a): >>>>> On 29/07/15 15:41, Martin Basti wrote: >>>>>> On 25/07/15 03:40, Fraser Tweedale wrote: >>>>>>> On Fri, Jul 24, 2015 at 05:53:56PM +0200, Tomas Babej wrote: >>>>>>>> On 07/24/2015 05:34 PM, Martin Basti wrote: >>>>>>>>> On 24/07/15 16:52, Tomas Babej wrote: >>>>>>>>>> On 07/24/2015 03:40 PM, Fraser Tweedale wrote: >>>>>>>>>>> The attached patch adds --out option to user-show for saving >>>>>>>>>>> user's >>>>>>>>>>> certificate(s) to file. >>>>>>>>>>> >>>>>>>>>>> Thanks, >>>>>>>>>>> Fraser >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>> I hate to nitpick here, but is "out" really a descriptive >>>>>>>>>> option name >>>>>>>>>> here? I'd prefer something more explicit, like >>>>>>>>>> '--save-cert-to', or >>>>>>>>>> maybe even have this operation implemented as a separate command >>>>>>>>>> altogether. >>>>>>>>>> >>>>>>>>>> Tomas >>>>>>>>>> >>>>>>>>> This keyword was already used with several commands. For >>>>>>>>> consistency >>>>>>>>> might be better to have it the same. >>>>>>>>> >>>>>>>> True. 
I see this option is being used in the following commands: >>>>>>>> >>>>>>>> - cert-show >>>>>>>> - vault-retrieve >>>>>>>> - host-show >>>>>>>> - service-show >>>>>>>> - user-show (proposed) >>>>>>>> >>>>>>>> While the first two seem to be an acceptable fit for an option >>>>>>>> called >>>>>>>> --out, as they mainly deal with cert/secret, using the '--out' >>>>>>>> for the >>>>>>>> latter three is a poor decision imho. >>>>>>>> >>>>>>>> I agree the consistency is important, I'm just not happy to see >>>>>>>> this >>>>>>>> spread further. >>>>>>>> >>>>>>>> Tomas >>>>>>> Perhaps we should go with something like `--certout' instead, and >>>>>>> support `--certout' in addition to `--out' in host-show and >>>>>>> service-show, essentially deprecating `--out' for those commands. >>>>>>> >>>>>>> Cheers, >>>>>>> Fraser >>>>>> Good idea, but we should do this for all commands, at the same time. >>>>>> IMO this is not for 4.2, you may file a ticket to deprecate --out >>>>>> option and replace it by --certout or something. >>>> The "in" option is named --certificate, so it should be >>>> --certificate-out. >>>> >>>>>> I will do review if nobody is against this patch :) >>>>>> Martin^2 >>>> LGTM >>>> >>>>> Is a ticket somewhere for this? >>>>> >>> No ticket; I just wanted it so I wrote the patch :) >>> >>> I'll file the ticket for future change to `--certificate-out' >>> though. >>> >> Ticket: https://fedorahosted.org/freeipa/ticket/5166 >> > > ACK > Ticket for this patch created: https://fedorahosted.org/freeipa/ticket/5171 I amended the commit message, the ticket was added. Pushed to: ipa-4-2: 3332a0a7c83a9e35532327252231b71e07a44f13 master: 896783bae817ef16ca1cb31a0c434fe863287cc3 -- Martin Basti From msimacek at redhat.com Fri Jul 31 14:41:43 2015 
From: msimacek at redhat.com (Michael Šimáček) Date: Fri, 31 Jul 2015 16:41:43 +0200 Subject: [Freeipa-devel] [PATCH 0002] Port from python-krbV to python-gssapi In-Reply-To: <55BB0D04.4030904@redhat.com> References: <55B88A4A.9070601@redhat.com> <55BB0D04.4030904@redhat.com> Message-ID: <55BB8927.1080608@redhat.com> On 2015-07-31 07:52, Jan Cholasta wrote: > Hi Michael, > > Dne 29.7.2015 v 10:09 Michael Šimáček napsal(a): >> Hi, >> >> this is the first attempt to port FreeIPA from the deprecated >> python3-incompatible python-krbV library to python-gssapi. The patch >> depends on the python-kerberos->python-gssapi patch [1] to apply cleanly, >> but the overlap is small, so I think it can be at least partially >> reviewed without it. >> >> Comments: >> I removed the Backend.krb and KRB5_CCache classes as they were wrappers >> around krbV classes. I added a few utility functions to the krb_utils module >> that perform part of its functionality (no need for classes, because >> gssapi acquire calls don't pass any context objects, they wouldn't have >> any state). >> >> I merged the two different kinit_keytab functions. >> >> GSSAPI doesn't provide any method (that I'm aware of) to get the default >> ccache name. In most cases this is not needed as we can simply not pass >> any name and it will use the default. The ldap plugin had to be adjusted >> for this - the connect method now takes a new use_gssapi argument, which >> can turn on gssapi support without the need to supply an explicit ccache >> name. The only place where the ccache name is really needed is the test >> server, where I use the system klist command to obtain it. > > I would prefer if the semantics were the same as in IPAdmin, i.e. GSSAPI > is used by default if bind password is not specified, see > IPAdmin.do_bind() in ipapython.ipaldap. 
Just to clarify, the current flow in the ldap module is:

    if ccache:  # I added "or use_gssapi" here in this patch
        gssapi_bind
    elif autobind:
        external_bind
    else:
        simple_bind

and you would like it to be changed into:

    if bind_pw:
        simple_bind
    elif autobind:
        external_bind
    else:
        gssapi_bind

Is that correct?

>
>>
>> It's also not possible to directly get the default realm name; what I do is
>> importing a nonexistent name, canonicalizing it and extracting the realm
>> from it. Which should work but is ugly. It would be better if we could
>> modify the places that use it to not need it at all, but it's mostly
>> used in ldap code and I don't understand that part of FreeIPA.
>> An alternative would be parsing /etc/krb.conf.
>
> You should use api.env.realm where possible. I think this should be most
> of the places where the default realm is currently used, if not all of them.

That would be great if all the usages could be replaced. How can I
determine where api.env.realm can be used? In particular, I'm unsure
about ipapython/config.py/__discover_config and ipaserver/plugins/join.py.

>
>>
>> Sorry for the long patch, but I'm afraid it cannot be reasonably split.
>>
>>
>> Ticket:
>> https://fedorahosted.org/freeipa/ticket/5164
>>
>> [1] https://fedorahosted.org/freeipa/ticket/5147
>
> Honza
>

Michael

From edewata at redhat.com Fri Jul 31 15:07:36 2015
From: edewata at redhat.com (Endi Sukma Dewata) Date: Fri, 31 Jul 2015 10:07:36 -0500 Subject: [Freeipa-devel] [PATCH] 369 Added CLI param and ACL for vault service operations. Message-ID: <55BB8F38.1010808@redhat.com>
The CLIs to manage vault owners and members have been modified to accept services with a new parameter. Due to a name conflict, the existing 'service' parameter has been renamed to 'servicename'. A new ACL has been added to allow a service to create its own service container.

https://fedorahosted.org/freeipa/ticket/5172

--
Endi S. Dewata
-------------- next part --------------
From 9259bb2da81d323a15398c678bfc58e32434364a Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" Date: Thu, 30 Jul 2015 23:20:34 +0200 Subject: [PATCH] Added CLI param and ACL for vault service operations. The CLIs to manage vault owners and members have been modified to accept services with a new parameter. Due to name conflict, the existing 'service' parameter has been renamed to 'servicename'. A new ACL has been added to allow a service to create its own service container. https://fedorahosted.org/freeipa/ticket/5172 --- API.txt | 40 ++++++++++++++++++--------------- VERSION | 4 ++-- install/share/vault.update | 1 + ipalib/plugins/vault.py | 56 ++++++++++++++++++++++++++++++++++------------ 4 files changed, 67 insertions(+), 34 deletions(-) diff --git a/API.txt b/API.txt index 6ab30ddab41715fdbccb4f37aa1852621bca62b4..0e1525da26b3b0f850f338b7bf2a83b043c9d399 100644 --- a/API.txt +++ b/API.txt @@ -5407,7 +5407,7 @@ option: Str('password?', cli_name='password') option: Str('password_file?', cli_name='password_file') option: Str('public_key_file?', cli_name='public_key_file') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') -option: Str('service?') +option: Str('servicename?', cli_name='service') option: Str('setattr*', cli_name='setattr', exclude='webui') option: Flag('shared?', autofill=True, default=False) option: Str('username?', cli_name='user') 
@@ -5425,7 +5425,7 @@ option: Bytes('ipavaultsalt', attribute=True, cli_name='salt', multivalue=False, option: Str('ipavaulttype', attribute=True, autofill=True, cli_name='type', default=u'standard', multivalue=False, required=False) option: Flag('no_members', autofill=True, default=False, exclude='webui') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') -option: Str('service?') +option: Str('servicename?', cli_name='service') option: Flag('shared?', autofill=True, default=False) option: Str('username?', cli_name='user') option: Str('version?', exclude='webui') @@ -5433,13 +5433,14 @@ output: Entry('result', , Gettext('A dictionary representing an LDA output: Output('summary', (, ), None) output: PrimaryKey('value', None, None) command: vault_add_member -args: 1,9,3 +args: 1,10,3 arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Str('group*', alwaysask=True, cli_name='groups', csv=True) option: Flag('no_members', autofill=True, default=False, exclude='webui') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') -option: Str('service?') +option: Str('service*', alwaysask=True, cli_name='services', csv=True) +option: Str('servicename?', cli_name='service') option: Flag('shared?', autofill=True, default=False) option: Str('user*', alwaysask=True, cli_name='users', csv=True) option: Str('username?', cli_name='user') 
@@ -5448,13 +5449,14 @@ output: Output('completed', , None) output: Output('failed', , None) output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) command: vault_add_owner -args: 1,9,3 +args: 1,10,3 arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Str('group*', alwaysask=True, cli_name='groups', csv=True) option: Flag('no_members', autofill=True, default=False, exclude='webui') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') -option: Str('service?') +option: Str('service*', alwaysask=True, cli_name='services', csv=True) +option: Str('servicename?', cli_name='service') option: Flag('shared?', autofill=True, default=False) option: Str('user*', alwaysask=True, cli_name='users', csv=True) option: Str('username?', cli_name='user') @@ -5471,7 +5473,7 @@ option: Str('in?') option: Str('password?', cli_name='password') option: Str('password_file?', cli_name='password_file') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') -option: Str('service?') +option: Str('servicename?', cli_name='service') option: Flag('shared?', autofill=True, default=False) option: Str('username?', cli_name='user') option: Str('version?', exclude='webui') @@ -5484,7 +5486,7 @@ arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Bytes('nonce') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') -option: Str('service?') +option: Str('servicename?', cli_name='service') option: Bytes('session_key') option: Flag('shared?', autofill=True, default=False) option: Str('username?', cli_name='user') 
@@ -5497,7 +5499,7 @@ command: vault_del args: 1,5,3 arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=True, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True) option: Flag('continue', autofill=True, cli_name='continue', default=False) -option: Str('service?') +option: Str('servicename?', cli_name='service') option: Flag('shared?', autofill=True, default=False) option: Str('username?', cli_name='user') option: Str('version?', exclude='webui') @@ -5514,7 +5516,7 @@ option: Str('ipavaulttype', attribute=True, autofill=False, cli_name='type', def option: Flag('no_members', autofill=True, default=False, exclude='webui') option: Flag('pkey_only?', autofill=True, default=False) option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') -option: Str('service?') +option: Str('servicename?', cli_name='service') option: Flag('shared?', autofill=True, default=False) option: Int('sizelimit?', autofill=False, minvalue=0) option: Int('timelimit?', autofill=False, minvalue=0) @@ -5537,7 +5539,7 @@ option: Str('ipavaulttype', attribute=True, autofill=False, cli_name='type', def option: Flag('no_members', autofill=True, default=False, exclude='webui') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Flag('rights', autofill=True, default=False) -option: Str('service?') +option: Str('servicename?', cli_name='service') option: Str('setattr*', cli_name='setattr', exclude='webui') option: Flag('shared?', autofill=True, default=False) option: Str('username?', cli_name='user') 
@@ -5546,13 +5548,14 @@ output: Entry('result', , Gettext('A dictionary representing an LDA output: Output('summary', (, ), None) output: PrimaryKey('value', None, None) command: vault_remove_member -args: 1,9,3 +args: 1,10,3 arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Str('group*', alwaysask=True, cli_name='groups', csv=True) option: Flag('no_members', autofill=True, default=False, exclude='webui') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') -option: Str('service?') +option: Str('service*', alwaysask=True, cli_name='services', csv=True) +option: Str('servicename?', cli_name='service') option: Flag('shared?', autofill=True, default=False) option: Str('user*', alwaysask=True, cli_name='users', csv=True) option: Str('username?', cli_name='user') 
@@ -5561,13 +5564,14 @@ output: Output('completed', , None) output: Output('failed', , None) output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) command: vault_remove_owner -args: 1,9,3 +args: 1,10,3 arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Str('group*', alwaysask=True, cli_name='groups', csv=True) option: Flag('no_members', autofill=True, default=False, exclude='webui') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') -option: Str('service?') +option: Str('service*', alwaysask=True, cli_name='services', csv=True) +option: Str('servicename?', cli_name='service') option: Flag('shared?', autofill=True, default=False) option: Str('user*', alwaysask=True, cli_name='users', csv=True) option: Str('username?', cli_name='user') @@ -5585,7 +5589,7 @@ option: Str('password_file?', cli_name='password_file') option: Bytes('private_key?', cli_name='private_key') option: Str('private_key_file?', cli_name='private_key_file') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') -option: Str('service?') +option: Str('servicename?', cli_name='service') option: Flag('shared?', autofill=True, default=False) option: Str('username?', cli_name='user') option: Str('version?', exclude='webui') 
@@ -5597,7 +5601,7 @@ args: 1,7,3 arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') -option: Str('service?') +option: Str('servicename?', cli_name='service') option: Bytes('session_key') option: Flag('shared?', autofill=True, default=False) option: Str('username?', cli_name='user') @@ -5612,7 +5616,7 @@ option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui option: Flag('no_members', autofill=True, default=False, exclude='webui') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Flag('rights', autofill=True, default=False) -option: Str('service?') +option: Str('servicename?', cli_name='service') option: Flag('shared?', autofill=True, default=False) option: Str('username?', cli_name='user') option: Str('version?', exclude='webui') diff --git a/VERSION b/VERSION index 2b78af50bf1e811cbcd04f6c69b8d506c98fdedb..ada3a9b9ead98ef9610cff09cb2f57504c6353ea 100644 --- a/VERSION +++ b/VERSION @@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000 # # ######################################################## IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=147 -# Last change: mbasti - Consolidate DNS RR in API and schema +IPA_API_VERSION_MINOR=148 +# Last change: edewata - Added CLI param and ACL for vault service operations diff --git a/install/share/vault.update b/install/share/vault.update index 61a8940b544fbc839b931f337389ac35dc2d1ffa..14421b5189efe9b3d9491e845e74debca6e18941 100644 --- a/install/share/vault.update +++ b/install/share/vault.update 
@@ -8,6 +8,7 @@ default: objectClass: top default: objectClass: ipaVaultContainer default: cn: vaults default: aci: (target="ldap:///cn=*,cn=users,cn=vaults,cn=kra,$SUFFIX")(version 3.0; acl "Allow users to create private container"; allow (add) userdn = "ldap:///uid=($$attr.cn),cn=users,cn=accounts,$SUFFIX";) +default: aci: (target="ldap:///cn=*,cn=services,cn=vaults,cn=kra,$SUFFIX")(version 3.0; acl "Allow services to create private container"; allow (add) userdn = "ldap:///krbprincipalname=($$attr.cn)@$REALM,cn=services,cn=accounts,$SUFFIX";) default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Container owners can manage vaults in the container"; allow(read, search, compare, add, delete) userattr="parent[1].owner#USERDN";) default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Indirect container owners can manage vaults in the container"; allow(read, search, compare, add, delete) userattr="parent[1].owner#GROUPDN";) default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Vault members can access the vault"; allow(read, search, compare) userattr="member#USERDN";) diff --git a/ipalib/plugins/vault.py b/ipalib/plugins/vault.py index 81197f9328c7ed890fa336f464bfcda475ac6189..9e54acac1ce3d7a8247f82511a955dc763a9513d 100644 --- a/ipalib/plugins/vault.py +++ b/ipalib/plugins/vault.py 
@@ -198,16 +198,20 @@ EXAMPLES: ipa vault-retrieve --out data.bin --private-key-file private.pem """) + _(""" Add a vault owner: - ipa vault-add-owner --users + ipa vault-add-owner [--users ] \ + [--groups ] [--services ] """) + _(""" Delete a vault owner: - ipa vault-remove-owner --users + ipa vault-remove-owner [--users ] \ + [--groups ] [--services ] """) + _(""" Add a vault member: - ipa vault-add-member --users + ipa vault-add-member [--users ] \ + [--groups ] [--services ] """) + _(""" Delete a vault member: - ipa vault-remove-member --users + ipa vault-remove-member [--users ] \ + [--groups ] [--services ] """) register = Registry() @@ -215,7 +219,8 @@ register = Registry() vault_options = ( Str( - 'service?', + 'servicename?', + cli_name='service', doc=_('Service name of the service vault'), ), Flag( @@ -257,8 +262,8 @@ class vault(LDAPObject): 'ipavaulttype', ] attribute_members = { - 'owner': ['user', 'group'], - 'member': ['user', 'group'], + 'owner': ['user', 'group', 'service'], + 'member': ['user', 'group', 'service'], } label = _('Vaults') @@ -312,6 +317,11 @@ class vault(LDAPObject): label=_('Owner groups'), flags=['no_create', 'no_update', 'no_search'], ), + Str( + 'owner_service?', + label=_('Owner services'), + flags=['no_create', 'no_update', 'no_search'], + ), ) def get_dn(self, *keys, **options): @@ -319,7 +329,7 @@ class vault(LDAPObject): Generates vault DN from parameters. """ - service = options.get('service') + service = options.get('servicename') shared = options.get('shared') user = options.get('username') 
@@ -662,6 +672,29 @@ class vault_add_internal(LDAPCreate): raise errors.InvocationError( format=_('KRA service is not enabled')) + parent_dn = DN(*dn[1:]) + + container_dn = DN(self.api.Object.vault.container_dn, + self.api.env.basedn) + + services_dn = DN(('cn', 'services'), container_dn) + users_dn = DN(('cn', 'users'), container_dn) + + if dn.endswith(services_dn): + # service container should be owned by the service + service = parent_dn[0]['cn'] + parent_owner_dn = self.api.Object.service.get_dn(service) + + elif dn.endswith(users_dn): + # user container should be owned by the user + user = parent_dn[0]['cn'] + parent_owner_dn = self.api.Object.user.get_dn(user) + + try: + self.obj.create_container(parent_dn, parent_owner_dn) + except errors.DuplicateEntry, e: + pass + principal = getattr(context, 'principal') (name, realm) = split_principal(principal) if '/' in name: @@ -669,12 +702,7 @@ class vault_add_internal(LDAPCreate): else: owner_dn = self.api.Object.user.get_dn(name) - try: - parent_dn = DN(*dn[1:]) - self.obj.create_container(parent_dn, owner_dn) - except errors.DuplicateEntry, e: - pass - + # vault should be owned by the creator entry_attrs['owner'] = owner_dn return dn -- 2.4.3 From redhatrises at gmail.com Fri Jul 31 15:08:24 2015 
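Review bot: in the vault_add_member, vault_add_owner, vault_remove_member and vault_remove_owner hunks of API.txt each command now carries both `Str('servicename?', cli_name='service')` (the service whose vault is addressed) and `Str('service*', alwaysask=True, cli_name='services', csv=True)` (the services being added or removed), so `--service` and `--services` differ by one letter and mean different things, and the EXAMPLES hunk in vault.py shows only `--services`. Consider a doc string on the `service*` option that says it names members, and one example line that uses both options together, so the generated help makes the distinction visible.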
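Review bot: the new `aci` in install/share/vault.update grants (add) under `cn=*,cn=services,cn=vaults,cn=kra,$SUFFIX` to `userdn = "ldap:///krbprincipalname=($$attr.cn)@$REALM,cn=services,cn=accounts,$SUFFIX"`, which only lines up with `self.api.Object.service.get_dn(service)` in the vault_add_internal hunk when the container cn is the principal name without the `@REALM` suffix; nothing in the patch normalises or rejects a `--service` value given with the realm, and the option doc string `'Service name of the service vault'` does not say which form is expected. Consider documenting the expected form and adding a test with a realm-qualified name, so a mismatch fails visibly in vault_add instead of producing a container the service cannot own.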
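Review bot: in the vault_add_internal hunk, `parent_owner_dn` is assigned only inside the `if dn.endswith(services_dn)` and `elif dn.endswith(users_dn)` branches, but `self.obj.create_container(parent_dn, parent_owner_dn)` is then called unconditionally; a vault DN under neither container (the shared container selected by the `shared` option seen in the get_dn hunk) reaches the call with the name unbound and fails with UnboundLocalError, which the surrounding `except errors.DuplicateEntry` does not catch. The removed code called create_container for every DN with the creator as owner, so shared vaults used to work through the DuplicateEntry path; either add an `else` that skips container creation for shared vaults, or initialise `parent_owner_dn = None` before the branches and call create_container only when it is set. Separately, `except errors.DuplicateEntry, e:` is Python 2 only syntax and `e` is unused; `except errors.DuplicateEntry:` is the form the Modernization patches elsewhere in this digest are moving to.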
From: redhatrises at gmail.com (Gabe Alford) Date: Fri, 31 Jul 2015 09:08:24 -0600 Subject: [Freeipa-devel] [PATCH 0053] Inconsistency between ipasearchrecordslimit and --sizelimit In-Reply-To: References: <55B9D0FE.2090705@redhat.com> <55B9D327.7070806@redhat.com> Message-ID:
Updated patch attached.

Thanks,

Gabe

On Thu, Jul 30, 2015 at 7:15 AM, Gabe Alford wrote:
> On Thu, Jul 30, 2015 at 1:32 AM, Jan Cholasta wrote:
>
>> On 30.7.2015 at 09:23, Jan Cholasta wrote:
>>
>>> Hi,
>>>
>>> On 29.7.2015 at 17:23, Gabe Alford wrote:
>>>
>>>> Hello,
>>>>
>>>> Fix for https://fedorahosted.org/freeipa/ticket/4023
>>>>
>>>
>>> Actually, 0 means unlimited for size limit, see
>>> <http://www.python-ldap.org/doc/html/ldap.html#ldap.LDAPObject.search_ext_s>.
>>>
>>
>> After reading the ticket I think this should be fixed the other way
>> around: make 0 mean unlimited for both time and size limit and fix the
>> config plugin and LDAPClient to respect that.
>>
>>
> Thanks for the review. Updated patch attached.
>
>
>> --
>> Jan Cholasta
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rga-0053-3-Standardize-minvalue-for-ipasearchrecordlimit-and-ip.patch
Type: text/x-patch
Size: 11111 bytes
Desc: not available
URL:
From mbasti at redhat.com Fri Jul 31 16:31:41 2015
From: mbasti at redhat.com (Martin Basti) Date: Fri, 31 Jul 2015 18:31:41 +0200 Subject: [Freeipa-devel] [PATCH] 0035 client: Update DNS with all available local IP addresses. In-Reply-To: <55B734D4.3060003@redhat.com> References: <54AD182D.2050803@redhat.com> <54AD4D91.3020101@redhat.com> <54AFDB04.7000902@redhat.com> <54B405BD.30100@redhat.com> <54B7A7EF.2020100@redhat.com> <54B7CD0B.7080008@redhat.com> <54B7E742.4060602@redhat.com> <55B64421.6080006@redhat.com> <55B734D4.3060003@redhat.com> Message-ID: <55BBA2ED.4050201@redhat.com>
On 28/07/15 09:52, David Kupka wrote:
> On 27/07/15 16:45, David Kupka wrote:
>> On 15/01/15 17:13, David Kupka wrote:
>>> On 01/15/2015 03:22 PM, David Kupka wrote:
>>>> On 01/15/2015 12:43 PM, David Kupka wrote:
>>>>> On 01/12/2015 06:34 PM, Martin Basti wrote:
>>>>>> On 09/01/15 14:43, David Kupka wrote:
>>>>>>> On 01/07/2015 04:15 PM, Martin Basti wrote:
>>>>>>>> On 07/01/15 12:27, David Kupka wrote:
>>>>>>>>> https://fedorahosted.org/freeipa/ticket/4249
>>>>>>>>
>>>>>>>> Thank you for the patch:
>>>>>>>>
>>>>>>>> 1)
>>>>>>>> - root_logger.error("Cannot update DNS records! "
>>>>>>>> - "Failed to connect to server '%s'.",
>>>>>>>> server)
>>>>>>>> + ips = get_local_ipaddresses()
>>>>>>>> + except CalledProcessError as e:
>>>>>>>> + root_logger.error("Cannot update DNS records. %s" % e)
>>>>>>>>
>>>>>>>> IMO the error message should be more specific, add there something
>>>>>>>> like "Unable to get local IP addresses", at least in log.debug()
>>>>>>>>
>>>>>>>> 2)
>>>>>>>> + lines = ipresult[0].replace('\\', '').split('\n')
>>>>>>>>
>>>>>>>> .replace() is not needed
>>>>>>>>
>>>>>>>> 3)
>>>>>>>> + if len(ips) == 0:
>>>>>>>>
>>>>>>>> if not ips:
>>>>>>>>
>>>>>>>> is more pythonic by PEP8
>>>>>>>>
>>>>>>>>
>>>>>>> Thanks for catching these. Updated patch attached.
>>>>>>>
>>>>>> merciful NACK
>>>>>>
>>>>>> Thank you for the patch, unfortunately I hit one issue which needs
>>>>>> to be resolved.
>>>>>>
>>>>>> If "sync PTR" is activated in zone settings, and the reverse zone
>>>>>> doesn't exist, nsupdate/BIND returns SERVFAIL and ipa-client-install
>>>>>> prints the error message 'DNS update failed'. In fact, all A/AAAA records
>>>>>> were successfully updated, only PTR records failed.
>>>>>>
>>>>>> Bind log:
>>>>>> named-pkcs11[28652]: updating zone 'example.com/IN': adding an RR at
>>>>>> 'vm-101.example.com' AAAA
>>>>>>
>>>>>> named-pkcs11[28652]: PTR record synchronization (addition) for
>>>>>> A/AAAA
>>>>>> 'vm-101.example.com.' refused: unable to find active reverse zone
>>>>>> for IP
>>>>>> address '2620:52:0:104c:21a:4aff:fe10:4eaa': not found
>>>>>>
>>>>>> With IPv6 we have several addresses from different reverse zones and
>>>>>> this situation may happen often.
>>>>>> I suggest the following:
>>>>>> 1) Print the list of addresses which will be updated. (Now if the update
>>>>>> fails, the user needs to read the log to see which addresses the
>>>>>> installer tried to update)
>>>>>> 2) Split nsupdates per A/AAAA record.
>>>>>> 3a) If failed, check with a DNS query if the A/AAAA and PTR records are
>>>>>> there and print a proper error message
>>>>>> 3b) Just print that the A/AAAA (or PTR) record may not be updated for a
>>>>>> particular IP address.
>>>>>>
>>>>>> Any other suggestions are welcome.
>>>>>>
>>>>>
>>>>> After a long discussion with the DNS and UX gurus I've implemented it this
>>>>> way:
>>>>> 1. Call nsupdate only once with all updates.
>>>>> 2. Verify that the expected records are resolvable.
>>>>> 3. If not, print the list of missing A/AAAA records, the list of missing
>>>>> PTR records and the list of mismatched PTR records.
>>>>>
>>>>> As this is running inside the client we can't do much more and it's up to
>>>>> the user to check what's rotten in his DNS setup.
>>>>>
>>>>> Updated patch attached.
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Freeipa-devel mailing list
>>>>> Freeipa-devel at redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>>>>
>>>>
>>>>
>>>> One more change to behave well in -crazy- exotic environments that
>>>> resolve more PTR records for a single IP.
>>>>
>>>>
>>>
>>> Yet another change to make language nerds and our UX guru happy :-)
>>>
>>
>> Rebased patch attached.
>>
>>
> Updated patch attached.
>

Just for the record, this patch is for dualstack/IPv6 support. IMO this ticket also requires fixing ipa-join to support IPv6.

I still have doubts about having multihomed support as the default; this may be an unexpected change of ipa-client-install behavior. I know it is hard to detect which addresses the user wants to register in IPA without a crystal ball, but it should not be impossible :-) .
I propose the following solution:

To add new options:
--multihomed or --all-ip-address - all IP addresses from the client will be used
--ip-address - address which will be registered on the (IPA) DNS server
--ip-address-interface - interface from which addresses will be registered

0) without any option specified, current behavior will be used + IPv6
   * detect which address is used to communicate with the IPA server
   * detect the interface where this address belongs
   * use the ipv4 and all ipv6 addresses of this interface
   * if --enable-dns-updates=true: configure SSSD as it is configured now: automatically detect which address is used + patched SSSD will also update the proper IPv6 address

1) --multihomed or --all-ip-addresses (this is the multihomed ticket)
   * all addresses will be used
   * if --enable-dns-updates=true: SSSD will be configured to send all ip_addresses

2) --ip-address option specified:
   * only the specified addresses will be used (+ check if these addresses exist locally)
   * if --enable-dns-updates=true: ERROR, dynamic updates may change this address (the user should choose static vs dynamic)

3) --ip-address-interface option specified:
   * only addresses from the specified interfaces will be used
   * if --enable-dns-updates=true: SSSD will be configured to use these interfaces to get addresses that will be dynamically updated in DNS

Modification of the current patch should not be hard, we already have almost everything implemented:
* method get_local_addresses should return dict {interface:[list of addresses]}, this can be used in all 4 cases.
* restore the original function to detect the IP address used to communicate with the IPA server

I insist on 0) and 1), the others may be a stretch goal (easy to implement)
(It would be a shame not to implement multihomed support together with this ticket, as it requires max 5 extra lines of code)

Does my proposal seem reasonable? What is your opinion, Martin? Should we just use all addresses to be registered, or try to keep the old behavior as much as possible?
Martin^2 -- Martin Basti From pviktori at redhat.com Fri Jul 31 17:14:59 2015 From: pviktori at redhat.com (Petr Viktorin) Date: Fri, 31 Jul 2015 19:14:59 +0200 Subject: [Freeipa-devel] [PATCHES] 0691-0695 Modernization Message-ID: <55BBAD13.8020308@redhat.com> Hello, Here is a batch of mostly mechanical changes: removing deprecated features to prepare for Python 3. -- Petr Viktorin -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pviktori-0691-Modernize-except-clauses.patch Type: text/x-patch Size: 274724 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pviktori-0692-Modernize-function-and-method-attribute-names.patch Type: text/x-patch Size: 5820 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pviktori-0693-Replace-dict.has_key-with-the-in-operator.patch Type: text/x-patch Size: 17911 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pviktori-0694-Import-reduce-from-functools.patch Type: text/x-patch Size: 796 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pviktori-0695-Use-absolute-imports.patch Type: text/x-patch Size: 46030 bytes Desc: not available URL: From simo at redhat.com Fri Jul 31 18:20:44 2015 
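Martin Basti's option scheme above (default interface, --all-ip-addresses, --ip-address, --ip-address-interface) and his suggestion that get_local_addresses return {interface: [addresses]}, as an added Python illustration. This is not the patch under review and not ipa-client-install code: the `ip -o addr show` sample is constructed, the function names and the precedence between the options are assumptions made here, and it goes one step beyond the proposal by leaving out loopback and link-local addresses, which have no place in a DNS zone.

```python
"""Local address discovery and selection for client DNS registration.

Added illustration of the option scheme proposed in the thread above.
Not ipa-client-install code; the sample output is constructed and the
option precedence is an assumption.
"""
import socket
from ipaddress import ip_address, ip_interface

# Constructed sample of `ip -o addr show` output, one address per line
# (the trailing backslash and lifetimes mirror the real one-line format).
SAMPLE_IP_ADDR_OUTPUT = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
1: lo    inet6 ::1/128 scope host \\       valid_lft forever preferred_lft forever
2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global dynamic eth0\\       valid_lft 3599sec preferred_lft 3599sec
2: eth0    inet6 2001:db8:1::10/64 scope global \\       valid_lft forever preferred_lft forever
2: eth0    inet6 fe80::21a:4aff:fe10:4eaa/64 scope link \\       valid_lft forever preferred_lft forever
3: eth1    inet 198.51.100.7/24 brd 198.51.100.255 scope global eth1\\       valid_lft forever preferred_lft forever
"""


def get_local_addresses(ip_output):
    """Parse `ip -o addr show` output into {interface: [addresses]}.

    Host-scope (loopback) and link-local addresses are dropped: they are
    never meaningful in a DNS zone and fe80:: entries would only produce
    AAAA/PTR records that nothing can use.
    """
    result = {}
    for line in ip_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[2] not in ("inet", "inet6"):
            continue
        ifname, addr = fields[1], fields[3]
        scope = fields[fields.index("scope") + 1] if "scope" in fields else "global"
        if scope in ("host", "link"):
            continue
        result.setdefault(ifname, []).append(ip_interface(addr).ip)
    return result


def detect_source_address(server, port=389):
    """Local address the kernel picks to reach `server` (a connected UDP
    socket only selects a route; no packet is sent). Not exercised offline."""
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.connect((server, port))
        return ip_address(sock.getsockname()[0])


def static_addresses_missing(local, ip_addresses):
    """Case 2) check: which of the requested static addresses are not
    configured on any local interface."""
    known = {a for addrs in local.values() for a in addrs}
    return [a for a in ip_addresses if ip_address(a) not in known]


def select_addresses(local, source_address=None, all_addresses=False,
                     ip_addresses=None, interfaces=None, dns_updates=False):
    """Apply cases 0) to 3) of the proposal and return addresses as strings.

    Precedence (assumption): --ip-address, then --ip-address-interface, then
    --all-ip-addresses, then the default of "the interface that holds the
    address used to talk to the IPA server".
    """
    if ip_addresses:
        # case 2): static addresses conflict with dynamic DNS updates, which
        # could later overwrite them, and they must exist locally
        if dns_updates:
            raise ValueError("--ip-address cannot be combined with --enable-dns-updates")
        missing = static_addresses_missing(local, ip_addresses)
        if missing:
            raise ValueError("not configured locally: %s" % ", ".join(missing))
        return [str(ip_address(a)) for a in ip_addresses]
    if interfaces:
        # case 3): everything configured on the named interfaces
        unknown = [i for i in interfaces if i not in local]
        if unknown:
            raise ValueError("no such interface: %s" % ", ".join(unknown))
        return [str(a) for i in interfaces for a in local[i]]
    if all_addresses:
        # case 1): multihomed, register every global-scope address
        return [str(a) for addrs in local.values() for a in addrs]
    # case 0): the IPv4 and all IPv6 addresses of the interface carrying the
    # address used to reach the server
    src = ip_address(source_address)
    for addrs in local.values():
        if src in addrs:
            return [str(a) for a in addrs]
    raise ValueError("source address %s is not on any local interface" % src)
```

On a live client the default case would be `select_addresses(get_local_addresses(output), source_address=detect_source_address(server))`; the parser keeps the address family per interface, so case 0) yields the IPv4 address together with the global IPv6 address of eth0 and nothing from eth1.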
From: simo at redhat.com (Simo Sorce) Date: Fri, 31 Jul 2015 14:20:44 -0400 Subject: [Freeipa-devel] [PATCH 0002] Port from python-krbV to python-gssapi In-Reply-To: <55BB8927.1080608@redhat.com> References: <55B88A4A.9070601@redhat.com> <55BB0D04.4030904@redhat.com> <55BB8927.1080608@redhat.com> Message-ID: <1438366844.24296.27.camel@willson.usersys.redhat.com>
On Fri, 2015-07-31 at 16:41 +0200, Michael Šimáček wrote:
> On 2015-07-31 07:52, Jan Cholasta wrote:
> > Hi Michael,
> >
> > On 29.7.2015 at 10:09, Michael Šimáček wrote:
> >> Hi,
> >>
> >> this is the first attempt to port FreeIPA from the deprecated
> >> python3-incompatible python-krbV library to python-gssapi. The patch
> >> depends on the python-kerberos->python-gssapi patch [1] to apply cleanly,
> >> but the overlap is small, so I think it can be at least partially
> >> reviewed without it.
> >>
> >> Comments:
> >> I removed the Backend.krb and KRB5_CCache classes as they were wrappers
> >> around krbV classes. I added a few utility functions to the krb_utils module
> >> that perform part of their functionality (no need for classes, because
> >> gssapi acquire calls don't pass any context objects, they wouldn't have
> >> any state).
> >>
> >> I merged the two different kinit_keytab functions.
> >>
> >> GSSAPI doesn't provide any method (that I'm aware of) to get the default
> >> ccache name. In most cases this is not needed as we can simply not pass
> >> any name and it will use the default. The ldap plugin had to be adjusted
> >> for this - the connect method now takes a new use_gssapi argument, which
> >> can turn on gssapi support without the need to supply an explicit ccache
> >> name. The only place where the ccache name is really needed is the test
> >> server, where I use the system klist command to obtain it.
> >
> > I would prefer if the semantics were the same as in IPAdmin, i.e. GSSAPI
> > is used by default if the bind password is not specified, see
> > IPAdmin.do_bind() in ipapython.ipaldap.
>
> Just to clarify, the current flow in the ldap module is:
>
>     if ccache:  # I added "or use_gssapi" here in this patch
>         gssapi_bind
>     elif autobind:
>         external_bind
>     else:
>         simple_bind

I had to make this change as well for my replica promotion code, and incidentally used the same indicator "use_gssapi".

> and you would like it to be changed into:
>
>     if bind_pw:
>         simple_bind
>     elif autobind:
>         external_bind
>     else:
>         gssapi_bind
>
> Is that correct?

I think this is what Jan wanted, but I am wondering if it is the right thing to do.

In ipa we have basically 2 possible default approaches. One is to use GSSAPI, and one is to use LDAPI with external bind. The latter makes sense mostly only when running as root, so I am wondering, should the default change depending on whether we are root and we are connecting to the local LDAP server?

If this is a sensible option it means we have to preserve use_gssapi as we may need to force use of gssapi in some case even when we are root and connecting to the local server (for example to test that the local ccache can successfully be used).

Jan, what do you think?

> >
> >>
> >> It's also not possible to directly get the default realm name; what I do is
> >> importing a nonexistent name, canonicalizing it and extracting the realm
> >> from it. Which should work but is ugly. It would be better if we could
> >> modify the places that use it to not need it at all, but it's mostly
> >> used in ldap code and I don't understand that part of FreeIPA.
> >> An alternative would be parsing /etc/krb.conf.
> >
> > You should use api.env.realm where possible. I think this should be most
> > of the places where the default realm is currently used, if not all of them.
>
> That would be great if all the usages could be replaced. How can I
> determine where api.env.realm can be used? In particular, I'm unsure
> about ipapython/config.py/__discover_config and ipaserver/plugins/join.py.

    try:
        realm = api.env.realm
    except:
        realm = dirty gssapi trick

?

Simo.
> > > >> > >> Sorry for long patch, but I'm afraid it cannot be reasonably split. > >> > >> > >> Ticket: > >> https://fedorahosted.org/freeipa/ticket/5164 > >> > >> [1] https://fedorahosted.org/freeipa/ticket/5147 > > > > Honza > > > > Michael > -- Simo Sorce * Red Hat, Inc * New York From simo at redhat.com Fri Jul 31 21:14:15 2015 From: simo at redhat.com (Simo Sorce) Date: Fri, 31 Jul 2015 17:14:15 -0400 Subject: [Freeipa-devel] [PATCHES] 0691-0695 Modernization In-Reply-To: <55BBAD13.8020308@redhat.com> References: <55BBAD13.8020308@redhat.com> Message-ID: <1438377255.24296.43.camel@willson.usersys.redhat.com> On Fri, 2015-07-31 at 19:14 +0200, Petr Viktorin wrote: > Hello, > Here is a batch of mostly mechanical changes: removing deprecated > features to prepare for Python 3. > Do we have accompanying lint (or similar) tests that will prevent new patches from reintroducing py3 incompatible syntax ? Simo. -- Simo Sorce * Red Hat, Inc * New York
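The two bind flows Michael sketched in the python-gssapi thread above, together with Simo's root/LDAPI question, as an added Python illustration. This is not ipalib or ipapython code: the function names, the credential placeholders and the is_root/is_local_ldapi inputs are assumptions made here. The point worth seeing in code is that with the flow as patched a call with no ccache, no use_gssapi and no autobind falls through to a simple bind, and a simple bind without a password is an anonymous LDAP bind, so a missing credential degrades silently into an unauthenticated connection; the password-first ordering Jan asked for never does that, and enumerating every input combination shows the difference.

```python
"""Bind-method selection for an LDAP connect(), the two orderings from the
thread above side by side. Added illustration; not FreeIPA code.
"""
from itertools import product

# Constructed stand-ins for a credential cache name and a bind password.
CCACHE = "KEYRING:persistent:0"
PASSWORD = "constructed-bind-password"


def bind_method_current(ccache=None, use_gssapi=False, autobind=False, bind_pw=None):
    """Flow as the patch has it: a ccache (or use_gssapi) decides first, then
    autobind, and everything else falls through to a simple bind, whether or
    not a password was supplied."""
    if ccache or use_gssapi:
        return "gssapi"
    if autobind:
        return "external"
    return "simple"


def bind_method_proposed(ccache=None, use_gssapi=False, autobind=False, bind_pw=None,
                         is_root=False, is_local_ldapi=False):
    """Flow Jan asked for (password first, GSSAPI as the default), extended with
    Simo's suggestion: root talking to the local LDAPI socket defaults to an
    external bind, while use_gssapi still forces GSSAPI so the local ccache can
    be exercised. Rejecting a password combined with use_gssapi is an
    assumption made here, not something the thread decided."""
    if bind_pw is not None:
        if use_gssapi:
            raise ValueError("bind password and use_gssapi are mutually exclusive")
        return "simple"
    if use_gssapi:
        return "gssapi"
    if autobind or (is_root and is_local_ldapi):
        return "external"
    return "gssapi"


def is_passwordless_simple_bind(method, bind_pw):
    """A simple bind with no password is an anonymous LDAP bind: the caller
    gets a connection that carries no identity at all."""
    return method == "simple" and not bind_pw


def passwordless_simple_binds(chooser):
    """Enumerate the ccache/use_gssapi/autobind/bind_pw combinations for which
    `chooser` would end up performing an anonymous simple bind."""
    found = []
    for ccache, use_gssapi, autobind, bind_pw in product(
            (None, CCACHE), (False, True), (False, True), (None, PASSWORD)):
        try:
            method = chooser(ccache=ccache, use_gssapi=use_gssapi,
                             autobind=autobind, bind_pw=bind_pw)
        except ValueError:
            continue  # the proposed flow rejects contradictory inputs outright
        if is_passwordless_simple_bind(method, bind_pw):
            found.append(dict(ccache=ccache, use_gssapi=use_gssapi,
                              autobind=autobind, bind_pw=bind_pw))
    return found
```

The enumeration finds exactly one anonymous-bind case for the current ordering (all four inputs absent) and none for the proposed one; the other quirk it makes visible is that the current flow ignores a supplied password whenever a ccache is present, which the password-first ordering also removes.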