From freeipa-github-notification at redhat.com Tue Nov 1 06:51:18 2016 From: freeipa-github-notification at redhat.com (jcholast) Date: Tue, 01 Nov 2016 07:51:18 +0100 Subject: [Freeipa-devel] [freeipa PR#198][+ack] Fix missing file that fails DL1 replica installation In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/198 Title: #198: Fix missing file that fails DL1 replica installation Label: +ack From freeipa-github-notification at redhat.com Tue Nov 1 06:52:32 2016 From: freeipa-github-notification at redhat.com (jcholast) Date: Tue, 01 Nov 2016 07:52:32 +0100 Subject: [Freeipa-devel] [freeipa PR#198][comment] Fix missing file that fails DL1 replica installation In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/198 Title: #198: Fix missing file that fails DL1 replica installation jcholast commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/842bf3d09f4b2de7d4b52005ac970594345455e0 """ See the full comment at https://github.com/freeipa/freeipa/pull/198#issuecomment-257500680 From freeipa-github-notification at redhat.com Tue Nov 1 06:52:34 2016 From: freeipa-github-notification at redhat.com (jcholast) Date: Tue, 01 Nov 2016 07:52:34 +0100 Subject: [Freeipa-devel] [freeipa PR#198][+pushed] Fix missing file that fails DL1 replica installation In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/198 Title: #198: Fix missing file that fails DL1 replica installation Label: +pushed From freeipa-github-notification at redhat.com Tue Nov 1 06:52:36 2016 
From: freeipa-github-notification at redhat.com (jcholast) Date: Tue, 01 Nov 2016 07:52:36 +0100 Subject: [Freeipa-devel] [freeipa PR#198][closed] Fix missing file that fails DL1 replica installation In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/198 Author: stlaz Title: #198: Fix missing file that fails DL1 replica installation Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/198/head:pr198 git checkout pr198 From freeipa-github-notification at redhat.com Tue Nov 1 06:52:50 2016 From: freeipa-github-notification at redhat.com (jcholast) Date: Tue, 01 Nov 2016 07:52:50 +0100 Subject: [Freeipa-devel] [freeipa PR#198][comment] Fix missing file that fails DL1 replica installation In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/198 Title: #198: Fix missing file that fails DL1 replica installation jcholast commented: """ Please rebase to ipa-4-4. """ See the full comment at https://github.com/freeipa/freeipa/pull/198#issuecomment-257500714 From freeipa-github-notification at redhat.com Tue Nov 1 07:11:57 2016 
From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 01 Nov 2016 08:11:57 +0100 Subject: [Freeipa-devel] [freeipa PR#199][opened] [ipa-4-4] Fix missing file that fails DL1 replica installation Message-ID: URL: https://github.com/freeipa/freeipa/pull/199 Author: stlaz Title: #199: [ipa-4-4] Fix missing file that fails DL1 replica installation Action: opened PR body: """ Replica installation on DL1 would fail to create a httpd instance due to missing '/etc/httpd/alias/cacert.asc'. Create this file in the setup_ssl step to avoid the error. https://fedorahosted.org/freeipa/ticket/6393 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/199/head:pr199 git checkout pr199 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-199.patch Type: text/x-diff Size: 2272 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Nov 1 07:34:02 2016 From: freeipa-github-notification at redhat.com (jcholast) Date: Tue, 01 Nov 2016 08:34:02 +0100 Subject: [Freeipa-devel] [freeipa PR#199][+ack] [ipa-4-4] Fix missing file that fails DL1 replica installation In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/199 Title: #199: [ipa-4-4] Fix missing file that fails DL1 replica installation Label: +ack From freeipa-github-notification at redhat.com Tue Nov 1 07:34:26 2016 From: freeipa-github-notification at redhat.com (jcholast) Date: Tue, 01 Nov 2016 08:34:26 +0100 Subject: [Freeipa-devel] [freeipa PR#199][+pushed] [ipa-4-4] Fix missing file that fails DL1 replica installation In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/199 Title: #199: [ipa-4-4] Fix missing file that fails DL1 replica installation Label: +pushed From freeipa-github-notification at redhat.com Tue Nov 1 07:34:27 2016 
From: freeipa-github-notification at redhat.com (jcholast) Date: Tue, 01 Nov 2016 08:34:27 +0100 Subject: [Freeipa-devel] [freeipa PR#199][comment] [ipa-4-4] Fix missing file that fails DL1 replica installation In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/199 Title: #199: [ipa-4-4] Fix missing file that fails DL1 replica installation jcholast commented: """ Fixed upstream ipa-4-4: https://fedorahosted.org/freeipa/changeset/19a32da65f792bc8f054c14edfcf704876e0257e """ See the full comment at https://github.com/freeipa/freeipa/pull/199#issuecomment-257505602 From freeipa-github-notification at redhat.com Tue Nov 1 07:34:28 2016 From: freeipa-github-notification at redhat.com (jcholast) Date: Tue, 01 Nov 2016 08:34:28 +0100 Subject: [Freeipa-devel] [freeipa PR#199][closed] [ipa-4-4] Fix missing file that fails DL1 replica installation In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/199 Author: stlaz Title: #199: [ipa-4-4] Fix missing file that fails DL1 replica installation Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/199/head:pr199 git checkout pr199 From mbabinsk at redhat.com Tue Nov 1 08:26:14 2016 
From: mbabinsk at redhat.com (Martin Babinsky) Date: Tue, 1 Nov 2016 09:26:14 +0100 Subject: [Freeipa-devel] [PATCH] 0221 fix trustdomain-del In-Reply-To: <20161031162342.47j3md6wwdn4au6s@redhat.com> References: <20161031162342.47j3md6wwdn4au6s@redhat.com> Message-ID: <23fa8b6d-c7f3-33a6-8246-7201c0ff6c56@redhat.com> On 10/31/2016 05:23 PM, Alexander Bokovoy wrote: > See description. This is a regression since FreeIPA 4.4.0. > > > Hi Alexander, Please link upstream ticket[1] to the commit message, not BZ. I have put on my Travis hat and found: 1.) pep8 error: ./ipaserver/plugins/trust.py:1623:25: E128 continuation line under-indented for visual indent I know that this is a piece of code that was only moved around but it should conform to pep8 anyway. 2.) unused variable: Pylint is running, please wait ... ************* Module ipaserver.plugins.trust ipaserver/plugins/trust.py:1619: [W0612(unused-variable), trustdomain_del.execute] Unused variable 'entry') Makefile:130: recipe for target 'pylint' failed make: *** [pylint] Error 1 Also, if you just want to check if the domain exists, I think that you can use `get_dn_if_exists` method of LDAPObject (you will get rid of unused variable as a bonus): diff --git a/ipaserver/plugins/trust.py b/ipaserver/plugins/trust.py index 3540742..2cd4722 100644 --- a/ipaserver/plugins/trust.py +++ b/ipaserver/plugins/trust.py @@ -1615,8 +1615,7 @@ class trustdomain_del(LDAPDelete): for domain in keys[1]: try: - dn = self.obj.get_dn(keys[0], domain, trust_type=u'ad') - entry = ldap.get_entry(dn) + self.obj.get_dn_if_exists(keys[0], domain, trust_type=u'ad') except errors.NotFound: if keys[0].lower() == domain: raise errors.ValidationError(name='domain' [1] https://fedorahosted.org/freeipa/ticket/6445 -- Martin^3 Babinsky From freeipa-github-notification at redhat.com Tue Nov 1 08:27:30 2016 
From: freeipa-github-notification at redhat.com (ofayans) Date: Tue, 01 Nov 2016 09:27:30 +0100 Subject: [Freeipa-devel] [freeipa PR#200][opened] Test: basic kerberos over http functionality Message-ID: URL: https://github.com/freeipa/freeipa/pull/200 Author: ofayans Title: #200: Test: basic kerberos over http functionality Action: opened PR body: """ https://fedorahosted.org/freeipa/ticket/6446 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/200/head:pr200 git checkout pr200 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-200.patch Type: text/x-diff Size: 2611 bytes Desc: not available URL: From abokovoy at redhat.com Tue Nov 1 08:42:57 2016 
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Tue, 1 Nov 2016 10:42:57 +0200 Subject: [Freeipa-devel] [PATCH] 0221 fix trustdomain-del In-Reply-To: <23fa8b6d-c7f3-33a6-8246-7201c0ff6c56@redhat.com> References: <20161031162342.47j3md6wwdn4au6s@redhat.com> <23fa8b6d-c7f3-33a6-8246-7201c0ff6c56@redhat.com> Message-ID: <20161101084257.g3wwljkg2vk7ffbz@redhat.com> On ti, 01 marras 2016, Martin Babinsky wrote: >On 10/31/2016 05:23 PM, Alexander Bokovoy wrote: >>See description. This is a regression since FreeIPA 4.4.0. >> >> >> > >Hi Alexander, > >Please link upstream ticket[1] to the commit message, not BZ. > >I have put on my Travis hat and found: > >1.) pep8 error: > >./ipaserver/plugins/trust.py:1623:25: E128 continuation line >under-indented for visual indent > >I know that this is a piece of code that was only moved around but it >should conform to pep8 anyway. > >2.) unused variable: > >Pylint is running, please wait ... >************* Module ipaserver.plugins.trust >ipaserver/plugins/trust.py:1619: [W0612(unused-variable), >trustdomain_del.execute] Unused variable 'entry') >Makefile:130: recipe for target 'pylint' failed >make: *** [pylint] Error 1 > >Also, if you just want to check if the domain exists, I think that you >can use `get_dn_if_exists` method of LDAPObject (you will get rid of >unused variable as a bonus): > >diff --git a/ipaserver/plugins/trust.py b/ipaserver/plugins/trust.py >index 3540742..2cd4722 100644 >--- a/ipaserver/plugins/trust.py >+++ b/ipaserver/plugins/trust.py 
>@@ -1615,8 +1615,7 @@ class trustdomain_del(LDAPDelete): > > for domain in keys[1]: > try: >- dn = self.obj.get_dn(keys[0], domain, trust_type=u'ad') >- entry = ldap.get_entry(dn) >+ self.obj.get_dn_if_exists(keys[0], domain, >trust_type=u'ad') > except errors.NotFound: > if keys[0].lower() == domain: > raise errors.ValidationError(name='domain' > >[1] https://fedorahosted.org/freeipa/ticket/6445 Thanks, I've fixed these issues. Updated patch is attached. -- / Alexander Bokovoy -------------- next part -------------- From 2b7cb26a5e95ee6f780b3484ca673fdb5e8bd67e Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Mon, 31 Oct 2016 18:17:35 +0200 Subject: [PATCH 2/2] trustdomain-del: fix the way how subdomain is searched With FreeIPA 4.4 we moved child domains behind the 'trustdomain' topic. Update 'ipa trustdomain-del' command to properly calculate DN to the actual child domain and handle the case when it is missing correctly. Fixes https://fedorahosted.org/freeipa/ticket/6445 --- ipaserver/plugins/trust.py | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/ipaserver/plugins/trust.py b/ipaserver/plugins/trust.py index c0c080d..c84b1aa 100644 --- a/ipaserver/plugins/trust.py +++ b/ipaserver/plugins/trust.py 
@@ -1614,13 +1614,16 @@ class trustdomain_del(LDAPDelete): # to always receive empty keys. We need to catch the case when root domain is being deleted for domain in keys[1]: - # Fetch the trust to verify that the entered domain is trusted - self.api.Command.trust_show(domain) + try: + self.obj.get_dn_if_exists(keys[0], domain, trust_type=u'ad') + except errors.NotFound: + if keys[0].lower() == domain: + raise errors.ValidationError( + name='domain', + error=_("cannot delete root domain of the trust, " + "use trust-del to delete the trust itself")) + self.obj.handle_not_found(keys[0], domain) - if keys[0].lower() == domain: - raise errors.ValidationError(name='domain', - error=_("cannot delete root domain of the trust, " - "use trust-del to delete the trust itself")) try: self.api.Command.trustdomain_enable(keys[0], domain) except errors.AlreadyActive: -- 2.9.3 From freeipa-github-notification at redhat.com Tue Nov 1 08:54:22 2016 From: freeipa-github-notification at redhat.com (ofayans) Date: Tue, 01 Nov 2016 09:54:22 +0100 Subject: [Freeipa-devel] [freeipa PR#200][synchronized] Test: basic kerberos over http functionality In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/200 Author: ofayans Title: #200: Test: basic kerberos over http functionality Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/200/head:pr200 git checkout pr200 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-200.patch Type: text/x-diff Size: 3708 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Nov 1 09:26:47 2016 
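Review bot: in the trustdomain_del hunk of ipaserver/plugins/trust.py (PATCH 2/2 above), the root-domain guard `if keys[0].lower() == domain:` now sits inside `except errors.NotFound:`, so it only runs when `get_dn_if_exists` raises; the removed code ran it for every domain in keys[1]. If that is intended, a comment in place of the removed "Fetch the trust to verify ..." line should say why the root domain is expected to be reported as not found at this DN; otherwise the guard belongs ahead of the lookup. The comparison also lowercases keys[0] but not domain, so a root domain typed in mixed case skips the ValidationError and reaches `self.obj.handle_not_found(keys[0], domain)` instead; comparing against `domain.lower()` would cover that.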
From: freeipa-github-notification at redhat.com (ofayans) Date: Tue, 01 Nov 2016 10:26:47 +0100 Subject: [Freeipa-devel] [freeipa PR#200][synchronized] Test: basic kerberos over http functionality In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/200 Author: ofayans Title: #200: Test: basic kerberos over http functionality Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/200/head:pr200 git checkout pr200 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-200.patch Type: text/x-diff Size: 3756 bytes Desc: not available URL: From mbabinsk at redhat.com Tue Nov 1 10:25:54 2016 
From: mbabinsk at redhat.com (Martin Babinsky) Date: Tue, 1 Nov 2016 11:25:54 +0100 Subject: [Freeipa-devel] [PATCH] 0221 fix trustdomain-del In-Reply-To: <20161101084257.g3wwljkg2vk7ffbz@redhat.com> References: <20161031162342.47j3md6wwdn4au6s@redhat.com> <23fa8b6d-c7f3-33a6-8246-7201c0ff6c56@redhat.com> <20161101084257.g3wwljkg2vk7ffbz@redhat.com> Message-ID: On 11/01/2016 09:42 AM, Alexander Bokovoy wrote: > On ti, 01 marras 2016, Martin Babinsky wrote: >> On 10/31/2016 05:23 PM, Alexander Bokovoy wrote: >>> See description. This is a regression since FreeIPA 4.4.0. >>> >>> >>> >> >> Hi Alexander, >> >> Please link upstream ticket[1] to the commit message, not BZ. >> >> I have put on my Travis hat and found: >> >> 1.) pep8 error: >> >> ./ipaserver/plugins/trust.py:1623:25: E128 continuation line >> under-indented for visual indent >> >> I know that this is a piece of code that was only moved around but it >> should conform to pep8 anyway. >> >> 2.) unused variable: >> >> Pylint is running, please wait ... >> ************* Module ipaserver.plugins.trust >> ipaserver/plugins/trust.py:1619: [W0612(unused-variable), >> trustdomain_del.execute] Unused variable 'entry') >> Makefile:130: recipe for target 'pylint' failed >> make: *** [pylint] Error 1 >> >> Also, if you just want to check if the domain exists, I think that you >> can use `get_dn_if_exists` method of LDAPObject (you will get rid of >> unused variable as a bonus): >> >> diff --git a/ipaserver/plugins/trust.py b/ipaserver/plugins/trust.py >> index 3540742..2cd4722 100644 >> --- a/ipaserver/plugins/trust.py >> +++ b/ipaserver/plugins/trust.py 
>> @@ -1615,8 +1615,7 @@ class trustdomain_del(LDAPDelete): >> >> for domain in keys[1]: >> try: >> - dn = self.obj.get_dn(keys[0], domain, trust_type=u'ad') >> - entry = ldap.get_entry(dn) >> + self.obj.get_dn_if_exists(keys[0], domain, >> trust_type=u'ad') >> except errors.NotFound: >> if keys[0].lower() == domain: >> raise errors.ValidationError(name='domain' >> >> [1] https://fedorahosted.org/freeipa/ticket/6445 > Thanks, I've fixed these issues. > > Updated patch is attached. > Thanks, ACK. Pushed to master: e8b94ef352400f9045837ed69266686b6b117301 rebased and pushed to ipa-4-4: bd74150aa28f92b0980f5a803d3591a118628e8f -- Martin^3 Babinsky From freeipa-github-notification at redhat.com Tue Nov 1 10:37:19 2016 From: freeipa-github-notification at redhat.com (jcholast) Date: Tue, 01 Nov 2016 11:37:19 +0100 Subject: [Freeipa-devel] [freeipa PR#201][opened] spec file: bump minimal required version of 389-ds-base Message-ID: URL: https://github.com/freeipa/freeipa/pull/201 Author: jcholast Title: #201: spec file: bump minimal required version of 389-ds-base Action: opened PR body: """ Require 389-ds-base >= 1.3.5.14 for: https://fedorahosted.org/389/ticket/48992 https://fedorahosted.org/freeipa/ticket/6369 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/201/head:pr201 git checkout pr201 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-201.patch Type: text/x-diff Size: 1229 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Nov 1 10:38:43 2016 
From: freeipa-github-notification at redhat.com (tiran) Date: Tue, 01 Nov 2016 11:38:43 +0100 Subject: [Freeipa-devel] [freeipa PR#197][synchronized] Make setup.py files PyPI compatible In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/197 Author: tiran Title: #197: Make setup.py files PyPI compatible Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/197/head:pr197 git checkout pr197 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-197.patch Type: text/x-diff Size: 2743 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Nov 1 10:39:20 2016 From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 01 Nov 2016 11:39:20 +0100 Subject: [Freeipa-devel] [freeipa PR#201][comment] spec file: bump minimal required version of 389-ds-base In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/201 Title: #201: spec file: bump minimal required version of 389-ds-base stlaz commented: """ ACK """ See the full comment at https://github.com/freeipa/freeipa/pull/201#issuecomment-257535867 From freeipa-github-notification at redhat.com Tue Nov 1 10:39:23 2016 From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 01 Nov 2016 11:39:23 +0100 Subject: [Freeipa-devel] [freeipa PR#201][+ack] spec file: bump minimal required version of 389-ds-base In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/201 Title: #201: spec file: bump minimal required version of 389-ds-base Label: +ack From freeipa-github-notification at redhat.com Tue Nov 1 10:39:43 2016 
From: freeipa-github-notification at redhat.com (tiran) Date: Tue, 01 Nov 2016 11:39:43 +0100 Subject: [Freeipa-devel] [freeipa PR#187][synchronized] Register entry points of Custodia plugins In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/187 Author: tiran Title: #187: Register entry points of Custodia plugins Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/187/head:pr187 git checkout pr187 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-187.patch Type: text/x-diff Size: 1025 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Nov 1 10:40:52 2016 From: freeipa-github-notification at redhat.com (jcholast) Date: Tue, 01 Nov 2016 11:40:52 +0100 Subject: [Freeipa-devel] [freeipa PR#201][comment] spec file: bump minimal required version of 389-ds-base In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/201 Title: #201: spec file: bump minimal required version of 389-ds-base jcholast commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/f12abfb852dfb1a7759928b05defde68d5d7a3df ipa-4-4: https://fedorahosted.org/freeipa/changeset/0e2818d9aa1f2b8750e83e5eb4d6f91cafae76e8 """ See the full comment at https://github.com/freeipa/freeipa/pull/201#issuecomment-257536165 From freeipa-github-notification at redhat.com Tue Nov 1 10:40:54 2016 From: freeipa-github-notification at redhat.com (jcholast) Date: Tue, 01 Nov 2016 11:40:54 +0100 Subject: [Freeipa-devel] [freeipa PR#201][+pushed] spec file: bump minimal required version of 389-ds-base In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/201 Title: #201: spec file: bump minimal required version of 389-ds-base Label: +pushed From freeipa-github-notification at redhat.com Tue Nov 1 10:40:55 2016 
From: freeipa-github-notification at redhat.com (jcholast) Date: Tue, 01 Nov 2016 11:40:55 +0100 Subject: [Freeipa-devel] [freeipa PR#201][closed] spec file: bump minimal required version of 389-ds-base In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/201 Author: jcholast Title: #201: spec file: bump minimal required version of 389-ds-base Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/201/head:pr201 git checkout pr201 From freeipa-github-notification at redhat.com Tue Nov 1 11:10:26 2016 
From: freeipa-github-notification at redhat.com (martbab)
Date: Tue, 01 Nov 2016 12:10:26 +0100
Subject: [Freeipa-devel] [freeipa PR#202][opened] ipa-getkeytab enhancements
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/202
Author: martbab
Title: #202: ipa-getkeytab enhancements
Action: opened

PR body:
"""
This PR implements '-H' and '-Y' options mentioned in https://fedorahosted.org/freeipa/ticket/6409 along with the ability to specify CA cert on the command line (which proved useful during the work on installer refactoring).

Since my C skills are not at the level I would like them to be it would be nice if you point out even the tiniest mistakes, risky code or non-idiomatic usage.

Also the test case `test_retrieval_using_plain_ldap` fails due to unsuccessful simple bind. I wanted to implement StartTLS for simple binds over ldap://, but I get the following errors in dirsrv error log:

[01/Nov/2016:10:44:52.395126000 +0000] connection - conn=883 fd=135 Incoming BER Element was 3 bytes, max allowable is 209715200 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase.

I guess there is something fishy with the way I initialize the StartTLS session. I would appreciate your help with it.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/202/head:pr202
git checkout pr202
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-202.patch
Type: text/x-diff
Size: 35563 bytes
Desc: not available
URL:
From freeipa-github-notification at redhat.com Tue Nov 1 12:02:55 2016
From: freeipa-github-notification at redhat.com (tiran) Date: Tue, 01 Nov 2016 13:02:55 +0100 Subject: [Freeipa-devel] [freeipa PR#203][opened] Add sdist_list plugin to all setup.py Message-ID: URL: https://github.com/freeipa/freeipa/pull/203 Author: tiran Title: #203: Add sdist_list plugin to all setup.py Action: opened PR body: """ The sdist_list plugin creates a source distribution file list. Signed-off-by: Christian Heimes @pspacek here is your helper command for automake dist. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/203/head:pr203 git checkout pr203 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-203.patch Type: text/x-diff Size: 3021 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Nov 1 13:13:04 2016 
From: freeipa-github-notification at redhat.com (pspacek)
Date: Tue, 01 Nov 2016 14:13:04 +0100
Subject: [Freeipa-devel] [freeipa PR#203][comment] Add sdist_list plugin to all setup.py
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/203
Title: #203: Add sdist_list plugin to all setup.py

pspacek commented:
"""
Thanks for the proposal. It has several problems:
- It prints extra text at the beginning of output. This makes the output unsuitable for automated processing.
~~~
$ python setup.py sdist_list --quiet
running sdist_list
running egg_info
writing freeipa.egg-info/PKG-INFO
writing top-level names to freeipa.egg-info/top_level.txt
writing dependency_links to freeipa.egg-info/dependency_links.txt
reading manifest file 'freeipa.egg-info/SOURCES.txt'
writing manifest file 'freeipa.egg-info/SOURCES.txt'
warning: sdist_list: standard file not found: should have one of README, README.rst, README.txt
running check
/home/pspacek/pkg/ipa/git/ipaserver/__init__.py
~~~
- pylint is failing

I wonder if the printed list is always the same as *.egg-info/SOURCES.txt or not. If it is the same we may very well re-use that file. It seems that egg-info is generated during `sdist_list` processing anyway ...
"""

See the full comment at https://github.com/freeipa/freeipa/pull/203#issuecomment-257562968
From freeipa-github-notification at redhat.com Tue Nov 1 13:27:46 2016
From: freeipa-github-notification at redhat.com (tiran)
Date: Tue, 01 Nov 2016 14:27:46 +0100
Subject: [Freeipa-devel] [freeipa PR#203][comment] Add sdist_list plugin to all setup.py
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/203
Title: #203: Add sdist_list plugin to all setup.py

tiran commented:
"""
You have two options to work around the extra output

1. redirect stderr and use ```python setup.py --quiet sdist_list```. The order is important, ```python setup.py sdist_list --quiet``` only silences sdist_list command, not subcommands.
2. use the ```--source-list``` option to write the source list into a file

The content of ```SOURCES.txt``` is not necessarily the same as ```sdist_list```. The ```sdist``` command may add additional files after ```egg_info``` has created the file.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/203#issuecomment-257565973
From freeipa-github-notification at redhat.com Tue Nov 1 13:35:19 2016
From: freeipa-github-notification at redhat.com (tiran)
Date: Tue, 01 Nov 2016 14:35:19 +0100
Subject: [Freeipa-devel] [freeipa PR#203][synchronized] Add sdist_list plugin to all setup.py
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/203
Author: tiran
Title: #203: Add sdist_list plugin to all setup.py
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/203/head:pr203
git checkout pr203
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-203.patch
Type: text/x-diff
Size: 3131 bytes
Desc: not available
URL:
From freeipa-github-notification at redhat.com Tue Nov 1 16:34:51 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Tue, 01 Nov 2016 17:34:51 +0100
Subject: [Freeipa-devel] [freeipa PR#204][opened] ipautil.run: Remove hardcoded environ PATH value
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/204
Author: mbasti-rh
Title: #204: ipautil.run: Remove hardcoded environ PATH value
Action: opened

PR body:
"""
This was introduced in commit d0ea0bb63891babd1c5778df2e291b527c8e927c as F14 compatibility. PATH should be always inherited from os.environ and then amended

also this is platform specific and should not be in core code
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/204/head:pr204
git checkout pr204
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-204.patch
Type: text/x-diff
Size: 977 bytes
Desc: not available
URL:
From freeipa-github-notification at redhat.com Tue Nov 1 17:03:04 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Tue, 01 Nov 2016 18:03:04 +0100
Subject: [Freeipa-devel] [freeipa PR#204][synchronized] ipautil.run: Remove hardcoded environ PATH value
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/204
Author: mbasti-rh
Title: #204: ipautil.run: Remove hardcoded environ PATH value
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/204/head:pr204
git checkout pr204
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-204.patch
Type: text/x-diff
Size: 1021 bytes
Desc: not available
URL:
From freeipa-github-notification at redhat.com Tue Nov 1 17:15:57 2016
From: freeipa-github-notification at redhat.com (rcritten) Date: Tue, 01 Nov 2016 18:15:57 +0100 Subject: [Freeipa-devel] [freeipa PR#204][comment] ipautil.run: Remove hardcoded environ PATH value In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/204 Title: #204: ipautil.run: Remove hardcoded environ PATH value rcritten commented: """ NACK. I'd be fine with changing the PATH to remove cruft but the primary purpose is to prevent an attacker from providing their own PATH with unknown executables. For those few places where one must control PATH then env can be (and is) passed in. No ticket? """ See the full comment at https://github.com/freeipa/freeipa/pull/204#issuecomment-257628641 From freeipa-github-notification at redhat.com Tue Nov 1 17:46:47 2016 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Tue, 01 Nov 2016 18:46:47 +0100 Subject: [Freeipa-devel] [freeipa PR#145][synchronized] Refactoring: LDAP Connection Management In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/145 Author: tomaskrizek Title: #145: Refactoring: LDAP Connection Management Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/145/head:pr145 git checkout pr145 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-145.patch Type: text/x-diff Size: 225303 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Nov 1 17:49:16 2016 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Tue, 01 Nov 2016 18:49:16 +0100 Subject: [Freeipa-devel] [freeipa PR#145][comment] Refactoring: LDAP Connection Management In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/145 Title: #145: Refactoring: LDAP Connection Management tomaskrizek commented: """ In an offline discussion we decided not to push temporary changes to master. Here's the final code for review. """ See the full comment at https://github.com/freeipa/freeipa/pull/145#issuecomment-257638689 From freeipa-github-notification at redhat.com Tue Nov 1 17:55:39 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 01 Nov 2016 18:55:39 +0100 Subject: [Freeipa-devel] [freeipa PR#204][comment] ipautil.run: Remove hardcoded environ PATH value In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/204 Title: #204: ipautil.run: Remove hardcoded environ PATH value mbasti-rh commented: """ Can you elaborate more about that attack? Do you have any links to share? If an attacker has permission to set a user environment variables, IMO the user has already lot of problems and it is too late to save that situation. I did git archaeology and this was the commit where it was added, so it was hard to find reason why it was added. """ See the full comment at https://github.com/freeipa/freeipa/pull/204#issuecomment-257640644 From freeipa-github-notification at redhat.com Tue Nov 1 18:39:45 2016 
From: freeipa-github-notification at redhat.com (rcritten) Date: Tue, 01 Nov 2016 19:39:45 +0100 Subject: [Freeipa-devel] [freeipa PR#204][comment] ipautil.run: Remove hardcoded environ PATH value In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/204 Title: #204: ipautil.run: Remove hardcoded environ PATH value rcritten commented: """ PATH is untrustworthy because there is no knowing what is in it, or the order. It could easily have /usr/local/bin first and some rogue version of a program installed there, or it could have something in ~/bin. Calling exec() is dangerous by its very nature so we opted to be paranoid. Your archaeology is right, this wasn't exactly documented. Perhaps it was discussed on IRC in relation to the bug but I remember talking to Simo about this. """ See the full comment at https://github.com/freeipa/freeipa/pull/204#issuecomment-257655506 From freeipa-github-notification at redhat.com Tue Nov 1 19:08:58 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 01 Nov 2016 20:08:58 +0100 Subject: [Freeipa-devel] [freeipa PR#204][comment] ipautil.run: Remove hardcoded environ PATH value In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/204 Title: #204: ipautil.run: Remove hardcoded environ PATH value mbasti-rh commented: """
> PATH is untrustworthy because there is no knowing what is in it, or the order. It could easily have /usr/local/bin first and some rogue version of a program installed there, or it could have something in ~/bin. Calling exec() is dangerous by its very nature so we opted to be paranoid.

/usr/bin is untrustworthy in the same way, you don't know if an attacker changed some binary files, should we have fingerprints and check before exec? AFAIK path is the standard way to tell programs where they should check for binaries if they are installed in a nonstandard directory.

In case that environment variables are really considered to be a security risk in a way you are saying, then I have bad news:
- our custom path can be overridden by attacker
- this kind of attack can be currently done directly from python, we don't need anything else in IPA, so our ipautil.run() cannot save users
- you can easily DOS a user of IPA

And this should be platform dependent, so we should move path to ipaplatform

> Your archaeology is right, this wasn't exactly documented. Perhaps it was discussed on IRC in relation to the bug but I remember talking to Simo about this.

It wasn't documented. That is not nice if this is a security feature
""" See the full comment at https://github.com/freeipa/freeipa/pull/204#issuecomment-257663432 From freeipa-github-notification at redhat.com Tue Nov 1 19:19:30 2016 
From: freeipa-github-notification at redhat.com (simo5) Date: Tue, 01 Nov 2016 20:19:30 +0100 Subject: [Freeipa-devel] [freeipa PR#205][opened] Support DAL version 5 and version 6 Message-ID: URL: https://github.com/freeipa/freeipa/pull/205 Author: simo5 Title: #205: Support DAL version 5 and version 6 Action: opened PR body: """ Should fix bz#1389866 (untested) """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/205/head:pr205 git checkout pr205 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-205.patch Type: text/x-diff Size: 3328 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Nov 1 19:24:11 2016 
From: freeipa-github-notification at redhat.com (rcritten) Date: Tue, 01 Nov 2016 20:24:11 +0100 Subject: [Freeipa-devel] [freeipa PR#204][comment] ipautil.run: Remove hardcoded environ PATH value In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/204 Title: #204: ipautil.run: Remove hardcoded environ PATH value rcritten commented: """ This isn't about replacing existing binaries, it's about putting binaries into unexpected places that are in the default PATH (e.g. ~/bin or /usr/local/bin). PATH cannot be overridden by an attacker without making code changes, in which case it's already game over (or it shouldn't, I didn't look for every execution of ipautil.run() where env is passed in). I don't disagree on being platform dependent. As for documentation, it just got missed. It's not an excuse, just the reality. It is generally accepted best-practice to not trust user input, including environment variables. See https://www.securecoding.cert.org/confluence/display/c/ENV03-C.+Sanitize+the+environment+when+invoking+external+programs This isn't followed completely, but at least the environment by default is wiped and PATH is controlled for the most part. Originally the commands were called explicitly, e.g. /usr/kerberos/sbin/kadmin.local, but because of the Fedora 14 issue we had to rely on PATH (see d0ea0bb63891babd1c5778df2e291b527c8e927c). """ See the full comment at https://github.com/freeipa/freeipa/pull/204#issuecomment-257667140 From freeipa-github-notification at redhat.com Tue Nov 1 20:52:56 2016 
From: freeipa-github-notification at redhat.com (frozencemetery) Date: Tue, 01 Nov 2016 21:52:56 +0100 Subject: [Freeipa-devel] [freeipa PR#205][comment] Support DAL version 5 and version 6 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/205 Title: #205: Support DAL version 5 and version 6 frozencemetery commented: """ Thank you for fixing this, and futureproofing the next version bump. Unless freeipa has a policy against it, I would prefer the use of designated initializers here for additional protection against breakage in the future, as you mention in the past this has occasionally been changed by accident without bumping the number. """ See the full comment at https://github.com/freeipa/freeipa/pull/205#issuecomment-257692943 From freeipa-github-notification at redhat.com Tue Nov 1 20:58:02 2016 From: freeipa-github-notification at redhat.com (simo5) Date: Tue, 01 Nov 2016 21:58:02 +0100 Subject: [Freeipa-devel] [freeipa PR#206][opened] Properly handle multiple cookies in rpcclient Message-ID: URL: https://github.com/freeipa/freeipa/pull/206 Author: simo5 Title: #206: Properly handle multiple cookies in rpcclient Action: opened PR body: """ The current code does not give a list of cookies, but a concatenated string separated by a comma. This is a format the Cookie class does not understand. msg.getheaders returns the wanted format. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/206/head:pr206 git checkout pr206 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-206.patch Type: text/x-diff Size: 773 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Nov 2 07:22:27 2016 
From: freeipa-github-notification at redhat.com (jcholast) Date: Wed, 02 Nov 2016 08:22:27 +0100 Subject: [Freeipa-devel] [freeipa PR#145][comment] Refactoring: LDAP Connection Management In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/145 Title: #145: Refactoring: LDAP Connection Management jcholast commented: """ In addition to my inline comments: * use component name ("ipaldap", "ldap2", "install", ...) rather than "ldap refactoring" as a prefix in commit subjects, * please move "ldap refactoring: change default time/size limit in ldap2" before "ldap refactoring: conn management in dsinstance" and squash it with "ldap refactoring: restore previous time/size limit in backend", * squash "ldap refactoring: add restart_dirsrv to installutils" and "ldap refactoring: use restart_dirsrv in installers", * maybe squash all of the "ldap refactoring: conn management in ipa-...", as it is a single change across multiple scripts. """ See the full comment at https://github.com/freeipa/freeipa/pull/145#issuecomment-257790636 From freeipa-github-notification at redhat.com Wed Nov 2 08:10:48 2016 From: freeipa-github-notification at redhat.com (Akasurde) Date: Wed, 02 Nov 2016 09:10:48 +0100 Subject: [Freeipa-devel] [freeipa PR#207][opened] Provide user hint about IP address in IPA install Message-ID: URL: https://github.com/freeipa/freeipa/pull/207 Author: Akasurde Title: #207: Provide user hint about IP address in IPA install Action: opened PR body: """ With this fix, user will be notified about pressing enter to proceed with IPA installation procedure, if user has provided valid IP address previously. Fixes https://fedorahosted.org/freeipa/ticket/5949 
Signed-off-by: Abhijeet Kasurde """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/207/head:pr207 git checkout pr207 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-207.patch Type: text/x-diff Size: 1368 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Nov 2 08:37:36 2016 From: freeipa-github-notification at redhat.com (mirielka) Date: Wed, 02 Nov 2016 09:37:36 +0100 Subject: [Freeipa-devel] [freeipa PR#208][opened] Tests: Fix integration sudo test Message-ID: URL: https://github.com/freeipa/freeipa/pull/208 Author: mirielka Title: #208: Tests: Fix integration sudo test Action: opened PR body: """ Tests with sudorules using only RunAsGroups attributes with empty RunAsUsers attribute fail due to different expected value than is really returned. This is caused by improper behaviour of sudo in versions before 1.8.18 (see [1]), to which the tests were originally fitted. Changing the expected value to proper one. [1] - https://www.sudo.ws/pipermail/sudo-workers/2016-November/001025.html https://fedorahosted.org/freeipa/ticket/6378 Please note that this PR needs to go to master, ipa-4-4 AND ipa-4-3 branches (ticket milestone is to be updated). """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/208/head:pr208 git checkout pr208 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-208.patch Type: text/x-diff Size: 1962 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Nov 2 08:40:27 2016 
From: freeipa-github-notification at redhat.com (mirielka) Date: Wed, 02 Nov 2016 09:40:27 +0100 Subject: [Freeipa-devel] [freeipa PR#208][edited] Tests: Fix integration sudo test In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/208 Author: mirielka Title: #208: Tests: Fix integration sudo test Action: edited Changed field: body Original value: """ Tests with sudorules using only RunAsGroups attributes with empty RunAsUsers attribute fail due to different expected value than is really returned. This is caused by improper behaviour of sudo in versions before 1.8.18 (see [1]), to which the tests were originally fitted. Changing the expected value to proper one. [1] - https://www.sudo.ws/pipermail/sudo-workers/2016-November/001025.html https://fedorahosted.org/freeipa/ticket/6378 Please note that this PR needs to go to master, ipa-4-4 AND ipa-4-3 branches (ticket milestone is to be updated). """ From freeipa-github-notification at redhat.com Wed Nov 2 09:33:21 2016 From: freeipa-github-notification at redhat.com (ofayans) Date: Wed, 02 Nov 2016 10:33:21 +0100 Subject: [Freeipa-devel] [freeipa PR#200][synchronized] Test: basic kerberos over http functionality In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/200 Author: ofayans Title: #200: Test: basic kerberos over http functionality Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/200/head:pr200 git checkout pr200 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-200.patch Type: text/x-diff Size: 3848 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Nov 2 09:56:54 2016 
From: freeipa-github-notification at redhat.com (simo5) Date: Wed, 02 Nov 2016 10:56:54 +0100 Subject: [Freeipa-devel] [freeipa PR#205][synchronized] Support DAL version 5 and version 6 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/205 Author: simo5 Title: #205: Support DAL version 5 and version 6 Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/205/head:pr205 git checkout pr205 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-205.patch Type: text/x-diff Size: 5535 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Nov 2 09:57:05 2016 From: freeipa-github-notification at redhat.com (simo5) Date: Wed, 02 Nov 2016 10:57:05 +0100 Subject: [Freeipa-devel] [freeipa PR#205][comment] Support DAL version 5 and version 6 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/205 Title: #205: Support DAL version 5 and version 6 simo5 commented: """ Updated """ See the full comment at https://github.com/freeipa/freeipa/pull/205#issuecomment-257820109 From freeipa-github-notification at redhat.com Wed Nov 2 10:44:04 2016 
From: freeipa-github-notification at redhat.com (gkaihorodova) Date: Wed, 02 Nov 2016 11:44:04 +0100 Subject: [Freeipa-devel] [freeipa PR#181][synchronized] Tests : User Tracker creation of user with minimal values In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/181 Author: gkaihorodova Title: #181: Tests : User Tracker creation of user with minimal values Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/181/head:pr181 git checkout pr181 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-181.patch Type: text/x-diff Size: 2126 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Nov 2 11:07:39 2016 From: freeipa-github-notification at redhat.com (pspacek) Date: Wed, 02 Nov 2016 12:07:39 +0100 Subject: [Freeipa-devel] [freeipa PR#203][comment] Add sdist_list plugin to all setup.py In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/203 Title: #203: Add sdist_list plugin to all setup.py pspacek commented: """ > 1. redirect stderr and use python setup.py --quiet sdist_list. The order is important, python setup.py sdist_list --quiet only silences sdist_list command, not subcommands. Could you fix sdist_list so it properly propagates --quiet option to the subcommands? """ See the full comment at https://github.com/freeipa/freeipa/pull/203#issuecomment-257835229 From freeipa-github-notification at redhat.com Wed Nov 2 11:09:16 2016 
From: freeipa-github-notification at redhat.com (Akasurde) Date: Wed, 02 Nov 2016 12:09:16 +0100 Subject: [Freeipa-devel] [freeipa PR#209][opened] Enumerate available options in IPA installer Message-ID: URL: https://github.com/freeipa/freeipa/pull/209 Author: Akasurde Title: #209: Enumerate available options in IPA installer Action: opened PR body: """ Fix adds enumerated list of available options in IPA server installer and IPA CA installer help options Fixes https://fedorahosted.org/freeipa/ticket/5435 Signed-off-by: Abhijeet Kasurde """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/209/head:pr209 git checkout pr209 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-209.patch Type: text/x-diff Size: 3343 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Nov 2 11:23:21 2016 From: freeipa-github-notification at redhat.com (pspacek) Date: Wed, 02 Nov 2016 12:23:21 +0100 Subject: [Freeipa-devel] [freeipa PR#204][comment] ipautil.run: Remove hardcoded environ PATH value In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/204 Title: #204: ipautil.run: Remove hardcoded environ PATH value pspacek commented: """ The approach with wiping env adds another layer of problems, e.g. inability to use `KRB5_TRACE` environment variable for debugging etc. IMHO we should use absolute paths whenever we call an external program and let the env be. If an attacker is controlling env the game is already over. He could mess with `LD_PRELOAD` or any other current or future sensitive variables. """ See the full comment at https://github.com/freeipa/freeipa/pull/204#issuecomment-257838182 From freeipa-github-notification at redhat.com Wed Nov 2 11:26:02 2016 
From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 02 Nov 2016 12:26:02 +0100 Subject: [Freeipa-devel] [freeipa PR#203][comment] Add sdist_list plugin to all setup.py In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/203 Title: #203: Add sdist_list plugin to all setup.py tiran commented: """ There is nothing to fix here. Just use the ```--source-list``` argument. """ See the full comment at https://github.com/freeipa/freeipa/pull/203#issuecomment-257838678 From freeipa-github-notification at redhat.com Wed Nov 2 11:35:20 2016 From: freeipa-github-notification at redhat.com (pspacek) Date: Wed, 02 Nov 2016 12:35:20 +0100 Subject: [Freeipa-devel] [freeipa PR#203][comment] Add sdist_list plugin to all setup.py In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/203 Title: #203: Add sdist_list plugin to all setup.py pspacek commented: """ > There is nothing to fix here. Just use the --source-list argument. I would rather avoid temporary file and related logic. For this reason I would like to see `--quiet` option propagated to subcommands. Can it be done? """ See the full comment at https://github.com/freeipa/freeipa/pull/203#issuecomment-257840453 From freeipa-github-notification at redhat.com Wed Nov 2 11:42:12 2016 
From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 02 Nov 2016 12:42:12 +0100 Subject: [Freeipa-devel] [freeipa PR#203][comment] Add sdist_list plugin to all setup.py In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/203 Title: #203: Add sdist_list plugin to all setup.py tiran commented: """ It can't be done in a clean way. distutils and setuptools start logging to stdout before the command has a chance to change the log level. I don't want to change the log level globally because it contains useful information. """ See the full comment at https://github.com/freeipa/freeipa/pull/203#issuecomment-257841684 From freeipa-github-notification at redhat.com Wed Nov 2 12:11:08 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 02 Nov 2016 13:11:08 +0100 Subject: [Freeipa-devel] [freeipa PR#204][comment] ipautil.run: Remove hardcoded environ PATH value In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/204 Title: #204: ipautil.run: Remove hardcoded environ PATH value mbasti-rh commented: """ https://fedorahosted.org/freeipa/ticket/6449 """ See the full comment at https://github.com/freeipa/freeipa/pull/204#issuecomment-257847185 From freeipa-github-notification at redhat.com Wed Nov 2 13:43:21 2016 
From: freeipa-github-notification at redhat.com (rcritten) Date: Wed, 02 Nov 2016 14:43:21 +0100 Subject: [Freeipa-devel] [freeipa PR#204][comment] ipautil.run: Remove hardcoded environ PATH value In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/204 Title: #204: ipautil.run: Remove hardcoded environ PATH value rcritten commented: """ +1 on using absolute paths. I don't recall any cases where KRB5_TRACE was needed so is this a theoretical use case or an actual one? Yes, LD_PRELOAD or PYTHONPATH can be tweaked but this just proves my point: the environment is untrustworthy. """ See the full comment at https://github.com/freeipa/freeipa/pull/204#issuecomment-257867492 From freeipa-github-notification at redhat.com Wed Nov 2 14:50:30 2016 From: freeipa-github-notification at redhat.com (gkaihorodova) Date: Wed, 02 Nov 2016 15:50:30 +0100 Subject: [Freeipa-devel] [freeipa PR#210][opened] Tests: Stage User Tracker implementation Message-ID: URL: https://github.com/freeipa/freeipa/pull/210 Author: gkaihorodova Title: #210: Tests: Stage User Tracker implementation Action: opened PR body: """ Fix provides the possibility of creating a stage user with minimal values, with uid not specified. Implementation is the same as for User Tracker. https://fedorahosted.org/freeipa/ticket/6448 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/210/head:pr210 git checkout pr210 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-210.patch Type: text/x-diff Size: 3146 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Nov 2 14:56:18 2016 
From: freeipa-github-notification at redhat.com (gkaihorodova) Date: Wed, 02 Nov 2016 15:56:18 +0100 Subject: [Freeipa-devel] [freeipa PR#210][synchronized] Tests: Stage User Tracker implementation In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/210 Author: gkaihorodova Title: #210: Tests: Stage User Tracker implementation Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/210/head:pr210 git checkout pr210 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-210.patch Type: text/x-diff Size: 2168 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Nov 2 15:48:48 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 02 Nov 2016 16:48:48 +0100 Subject: [Freeipa-devel] [freeipa PR#204][comment] ipautil.run: Remove hardcoded environ PATH value In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/204 Title: #204: ipautil.run: Remove hardcoded environ PATH value mbasti-rh commented: """ Closing this PR, how to handle environment variables must be discussed and designed first. """ See the full comment at https://github.com/freeipa/freeipa/pull/204#issuecomment-257905927 From freeipa-github-notification at redhat.com Wed Nov 2 15:48:56 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 02 Nov 2016 16:48:56 +0100 Subject: [Freeipa-devel] [freeipa PR#204][+rejected] ipautil.run: Remove hardcoded environ PATH value In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/204 Title: #204: ipautil.run: Remove hardcoded environ PATH value Label: +rejected From freeipa-github-notification at redhat.com Wed Nov 2 15:49:11 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 02 Nov 2016 16:49:11 +0100 Subject: [Freeipa-devel] [freeipa PR#204][closed] ipautil.run: Remove hardcoded environ PATH value In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/204 Author: mbasti-rh Title: #204: ipautil.run: Remove hardcoded environ PATH value Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/204/head:pr204 git checkout pr204 From freeipa-github-notification at redhat.com Wed Nov 2 15:58:41 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 02 Nov 2016 16:58:41 +0100 Subject: [Freeipa-devel] [freeipa PR#202][synchronized] ipa-getkeytab enhancements In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/202 Author: martbab Title: #202: ipa-getkeytab enhancements Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/202/head:pr202 git checkout pr202 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-202.patch Type: text/x-diff Size: 37335 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Nov 2 16:01:28 2016 
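The two positions argued in the PR#204 comments above (a fixed PATH with a wiped environment, and absolute paths with KRB5_TRACE still usable) can be combined in one runner. This is an added example, not FreeIPA's ipautil.run(); TRUSTED_DIRS, PASSTHROUGH and all function names are assumptions, and the shadowing script and caller environment are constructed sample input.

```python
import os
import shutil
import subprocess
import tempfile

# Assumption: directories treated as trusted on a typical Linux host.
TRUSTED_DIRS = ("/usr/sbin", "/usr/bin", "/sbin", "/bin")
# Assumption: variables deliberately let through, e.g. KRB5_TRACE for debugging.
PASSTHROUGH = ("LANG", "LC_ALL", "KRB5_TRACE")


def resolve_trusted(program, trusted_dirs=TRUSTED_DIRS):
    """Return an absolute path for `program`, looking only in trusted_dirs."""
    if os.sep in program:
        # A caller-supplied path must be absolute and sit in a trusted directory.
        path = os.path.normpath(program)
        if not os.path.isabs(path) or os.path.dirname(path) not in trusted_dirs:
            raise ValueError("refusing to run %r: not in a trusted directory" % program)
        if not os.access(path, os.X_OK):
            raise FileNotFoundError(path)
        return path
    # Bare name: search the fixed list, never the caller's PATH.
    found = shutil.which(program, path=os.pathsep.join(trusted_dirs))
    if found is None:
        raise FileNotFoundError("%s not found in %s" % (program, trusted_dirs))
    return found


def build_env(inherited, extra=None):
    """Build the child environment from scratch instead of copying the caller's."""
    env = {"PATH": os.pathsep.join(TRUSTED_DIRS)}
    for name in PASSTHROUGH:
        if name in inherited:
            env[name] = inherited[name]
    # `extra` comes from the calling code, not from the process environment.
    env.update(extra or {})
    return env


def run_sanitized(argv, inherited=None, extra=None):
    """Run argv with an absolute program path and a rebuilt environment."""
    inherited = os.environ if inherited is None else inherited
    program = resolve_trusted(argv[0])
    return subprocess.run(
        [program] + list(argv[1:]),
        env=build_env(inherited, extra),
        stdout=subprocess.PIPE,
        stderr=subprocess.PIPE,
        universal_newlines=True,
        check=False,
    )


def demo():
    """Compare a plain PATH lookup with the sanitized runner on constructed input."""
    with tempfile.TemporaryDirectory() as user_bin:
        # Constructed stand-in for an unexpected program in ~/bin or /usr/local/bin.
        shadow = os.path.join(user_bin, "env")
        with open(shadow, "w") as handle:
            handle.write("#!/bin/sh\necho shadowed\n")
        os.chmod(shadow, 0o755)
        # Constructed caller environment: a user-writable directory first in PATH.
        caller_env = {
            "PATH": os.pathsep.join([user_bin, "/usr/bin", "/bin"]),
            "LD_PRELOAD": "/nonexistent/constructed.so",
            "KRB5_TRACE": "/dev/stderr",
        }
        naive = shutil.which("env", path=caller_env["PATH"])
        trusted = resolve_trusted("env")
        result = run_sanitized(["env"], inherited=caller_env)
        child_env = dict(
            line.split("=", 1) for line in result.stdout.splitlines() if "=" in line
        )
        return {
            "naive_is_shadow": naive == shadow,
            "trusted": trusted,
            "child_env": child_env,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The allow-list keeps KRB5_TRACE available for debugging while LD_PRELOAD and PYTHONPATH never reach the child process.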
From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 02 Nov 2016 17:01:28 +0100 Subject: [Freeipa-devel] [freeipa PR#202][comment] ipa-getkeytab enhancements In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/202 Title: #202: ipa-getkeytab enhancements martbab commented: """ Thank you for review @simo5 . I have fixed the issues and reworked the LDAP initialization and binding logic a bit to clean it up. It produced green tests for me. I have also updated the command man page as I missed that during initial work. """ See the full comment at https://github.com/freeipa/freeipa/pull/202#issuecomment-257910325 From freeipa-github-notification at redhat.com Wed Nov 2 16:54:59 2016 From: freeipa-github-notification at redhat.com (tbordaz) Date: Wed, 02 Nov 2016 17:54:59 +0100 Subject: [Freeipa-devel] [freeipa PR#211][opened] IPA Allows Password Reuse with History value defined when admin reset… Message-ID: URL: https://github.com/freeipa/freeipa/pull/211 Author: tbordaz Title: #211: IPA Allows Password Reuse with History value defined when admin reset… Action: opened PR body: """ …s the password. When admin resets a user password, history of user passwords is preserved according to its policy. https://fedorahosted.org/freeipa/ticket/6402 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/211/head:pr211 git checkout pr211 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-211.patch Type: text/x-diff Size: 2728 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Nov 2 18:13:10 2016 
From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 02 Nov 2016 19:13:10 +0100 Subject: [Freeipa-devel] [freeipa PR#211][comment] IPA Allows Password Reuse with History value defined when admin reset… In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/211 Title: #211: IPA Allows Password Reuse with History value defined when admin reset… martbab commented: """ Please address the comment in code. """ See the full comment at https://github.com/freeipa/freeipa/pull/211#issuecomment-257952076 From pspacek at redhat.com Wed Nov 2 19:01:16 2016 From: pspacek at redhat.com (Petr Spacek) Date: Wed, 2 Nov 2016 20:01:16 +0100 Subject: [Freeipa-devel] Is checks/check-ra.py still useful? Message-ID: <9f5fd87f-02ca-88bf-253c-288abf531c90@redhat.com> Hi, when working on build system refactoring, I've noticed file checks/check-ra.py. README follows: > This directory is for integration tests that require a live backend (LDAP, > Certificate Server, etc.). It's named "checks" so nose wont discover tests > here. Is it still useful? As far as I can tell it was last updated in 2009 and it contains hardcoded host name of a dead machine. We should either revive it or remove it. I do not want to distribute non-functional code in the new shiny tarball. -- Petr^2 Spacek From rcritten at redhat.com Wed Nov 2 19:11:19 2016 
From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 2 Nov 2016 15:11:19 -0400 Subject: [Freeipa-devel] Is checks/check-ra.py still useful? In-Reply-To: <9f5fd87f-02ca-88bf-253c-288abf531c90@redhat.com> References: <9f5fd87f-02ca-88bf-253c-288abf531c90@redhat.com> Message-ID: <581A3A57.2050108@redhat.com> Petr Spacek wrote: > Hi, > > when working on build system refactoring, I've noticed file > checks/check-ra.py. > > README follows: >> This directory is for integration tests that require a live backend (LDAP, >> Certificate Server, etc.). It's named "checks" so nose wont discover tests >> here. > > Is it still useful? As far as I can tell it was last updated in 2009 and it > contains hardcoded host name of a dead machine. > > We should either revive it or remove it. I do not want to distribute > non-functional code in the new shiny tarball. > I think it can go. It would be worth taking the opportunity to double-check that the API this was written to cover is being handled in test_cert_plugin.py I suspect it probably is. rob From freeipa-github-notification at redhat.com Wed Nov 2 20:23:32 2016 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 02 Nov 2016 21:23:32 +0100 Subject: [Freeipa-devel] [freeipa PR#145][synchronized] Refactoring: LDAP Connection Management In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/145 Author: tomaskrizek Title: #145: Refactoring: LDAP Connection Management Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/145/head:pr145 git checkout pr145 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-145.patch Type: text/x-diff Size: 227620 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Nov 2 20:30:44 2016 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 02 Nov 2016 21:30:44 +0100 Subject: [Freeipa-devel] [freeipa PR#145][comment] Refactoring: LDAP Connection Management In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/145 Title: #145: Refactoring: LDAP Connection Management tomaskrizek commented: """ I've made some modifications based on the feedback. Since I've changed a lot of code, I've once again tested some use cases manually and fixed all the bugs I was able to find. Jenkins might stumble upon some problems, but hopefully we can merge this ASAP. I'm on PTO on Friday so if we want to merge this week, I can make some last modifications tomorrow. """ See the full comment at https://github.com/freeipa/freeipa/pull/145#issuecomment-257989321 From blipton at redhat.com Wed Nov 2 23:12:01 2016 
From: blipton at redhat.com (Ben Lipton) Date: Wed, 2 Nov 2016 19:12:01 -0400 Subject: [Freeipa-devel] CSR autogeneration next steps Message-ID: <4d31f26b-e332-7362-2b8e-3382a0109067@redhat.com> Hi everybody, Soon I'm going to have to reduce the amount of time I spend on new development work for the CSR autogeneration project, and I want to leave the project in as organized a state as possible. So, I'm taking inventory of the work I've done in order to make sure that what's ready for review can get reviewed and the ideas that have been discussed get prototyped or at least recorded so they won't be forgotten. Code that's ready for review (I will continue to put in as much time as needed to help get these ready for submission): - Current PR: https://github.com/freeipa/freeipa/pull/10 - Allow some fields to be specified by the user at creation time: https://github.com/LiptonB/freeipa/commits/local-user-data - Automation for the full process from getting CSR data to requesting cert: https://github.com/LiptonB/freeipa/commits/local-cert-build Other prototypes and design ideas that aren't ready for submission yet: - Utility written in C to build a CertificationRequestInfo from a SubjectPublicKeyInfo and an openssl-style config file. The purpose of this is to take a config that my code already knows how to generate, and put it in a form that certmonger can use. This is nearly done and available at: https://github.com/LiptonB/freeipa-prototypes/blob/master/build_requestinfo.c - Ideally it should be possible to use this tool to reimplement the full cert-request automation (local-cert-build branch) without a dependency on the certutil/openssl tools. However, I don't think any of the python crypto libraries have bindings for the functions that deal with CertificationRequestInfo objects, so I don't think I can do this in the short term. 
- Certmonger "helper" program that takes in the CertificationRequestInfo that certmonger generates, calls out to IPA for profile-specific data, and returns an updated CertificationRequestInfo built from the data. Certmonger doesn't currently support this type of helper, but (if I understood correctly) this is the architecture Nalin believed would be simplest to fit in. This is not done yet, but I intend to complete it soon - it shouldn't require much code beyond what's in build_requestinfo.c. - Tool to convert an XER-encoded cert extension to DER, given the ASN.1 description of the extension. This would unblock Jan Cholasta's idea of using XSLT for templates rather than text-based formatting. I should be able to implement the conversion tool, but it may be a while before I have time to demo the full XSLT idea. So: currently on my to do list are the certmonger helper and the XER->DER conversion tool. Do you have any comments about these plans, and is there anything else I can do to wrap up the project neatly? Thanks, Ben From blipton at redhat.com Wed Nov 2 23:18:38 2016 
From: blipton at redhat.com (Ben Lipton) Date: Wed, 2 Nov 2016 19:18:38 -0400 Subject: [Freeipa-devel] [Design Review Request] V4/Automatic_Certificate_Request_Generation In-Reply-To: <8d6899e2-4357-8bf2-4e3e-dfd2c2466b01@redhat.com> References: <8198a4a5-14fa-485f-fa89-325468b65c96@redhat.com> <23f5ad4f-c624-87db-0807-770979880bfb@redhat.com> <20160725111123.qthtarfgcsfbdnzk@redhat.com> <4eb3fe2f-ac80-4cf9-0f17-1c420fd52034@redhat.com> <57f0be1e-2915-fa33-d579-f173f1f5d019@redhat.com> <4f2f65ed-e525-1f04-f19b-c8a00b23001f@redhat.com> <57BF50E1.8030209@redhat.com> <82017bee-a989-cbe5-d5ed-f481441269e6@redhat.com> <8d6899e2-4357-8bf2-4e3e-dfd2c2466b01@redhat.com> Message-ID: On 10/20/2016 03:52 PM, Ben Lipton wrote: > On 10/17/2016 02:16 AM, Jan Cholasta wrote: >> On 13.10.2016 17:23, Ben Lipton wrote: >>> Thank you, this was a really helpful clarification of your point. >>> Comments below. Once again, I'm sorry I missed the email for so long. >>> >>> Ben >>> >>> On 09/05/2016 06:52 AM, Jan Cholasta wrote: >>>> On 27.8.2016 22:40, Ben Lipton wrote: >>>>> On 08/25/2016 04:11 PM, Rob Crittenden wrote: >>>>>> Ben Lipton wrote: >>>>>>> On 08/23/2016 03:54 AM, Jan Cholasta wrote: >>>>>>>> On 8.8.2016 22:23, Ben Lipton wrote: >>>>>>>>> On 07/25/2016 07:45 AM, Jan Cholasta wrote: >>>>>>>>>> On 25.7.2016 13:11, Alexander Bokovoy wrote: >>>>>>>>>>> On Mon, 25 Jul 2016, Jan Cholasta wrote: >>>>>>>>>>>> On 20.7.2016 16:05, Ben Lipton wrote: >>>>>>>>>>>>> Hi, >>>>>>>>>>>>> >>>>>>>>>>>>> Thanks very much for the feedback! Some responses below; I >>>>>>>>>>>>> hope >>>>>>>>>>>>> you'll >>>>>>>>>>>>> let me know what you think of my reasoning. 
>>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> On 07/20/2016 04:20 AM, Jan Cholasta wrote: >>>>>>>>>>>>>> Hi, >>>>>>>>>>>>>> >>>>>>>>>>>>>> On 17.6.2016 00:06, Ben Lipton wrote: >>>>>>>>>>>>>>> On 06/14/2016 08:27 AM, Ben Lipton wrote: >>>>>>>>>>>>>>>> Hello all, >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> I have written up a design proposal for making certificate >>>>>>>>>>>>>>>> requests >>>>>>>>>>>>>>>> easier to generate when using alternate certificate >>>>>>>>>>>>>>>> profiles: >>>>>>>>>>>>>>>> http://www.freeipa.org/page/V4/Automatic_Certificate_Request_Generation. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> The use case for this is described in >>>>>>>>>>>>>>>> https://fedorahosted.org/freeipa/ticket/4899. I will be >>>>>>>>>>>>>>>> working on >>>>>>>>>>>>>>>> implementing this design over the next couple of months. >>>>>>>>>>>>>>>> If you >>>>>>>>>>>>>>>> have >>>>>>>>>>>>>>>> the time and interest, please take a look and share any >>>>>>>>>>>>>>>> comments or >>>>>>>>>>>>>>>> concerns that you have. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Thanks! >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Ben >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Just a quick update to say that I've created a new document >>>>>>>>>>>>>>> that >>>>>>>>>>>>>>> covers >>>>>>>>>>>>>>> the proposed schema additions in a more descriptive way >>>>>>>>>>>>>>> (with >>>>>>>>>>>>>>> diagrams!) >>>>>>>>>>>>>>> I'm very new to developing with LDAP, so some more >>>>>>>>>>>>>>> experienced >>>>>>>>>>>>>>> eyes on >>>>>>>>>>>>>>> the proposal would be very helpful, even if you don't have >>>>>>>>>>>>>>> time to >>>>>>>>>>>>>>> absorb the full design. Please take a look at >>>>>>>>>>>>>>> http://www.freeipa.org/page/V4/Automatic_Certificate_Request_Generation/Schema >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> if you have a chance. 
>>>>>>>>>>>>>> >>>>>>>>>>>>>> I finally had a chance to take a look at this, here are some >>>>>>>>>>>>>> comments: >>>>>>>>>>>>>> >>>>>>>>>>>>>> 1) I don't like how transformation rules are tied to a >>>>>>>>>>>>>> particular >>>>>>>>>>>>>> helper and have to be duplicated for each of them. They >>>>>>>>>>>>>> should be >>>>>>>>>>>>>> generic and work with any helper, as helpers are just an >>>>>>>>>>>>>> implementation detail and their resulting data is the same. >>>>>>>>>>>>>> >>>>>>>>>>>>>> In fact, I think I would prefer if the CSR was generated >>>>>>>>>>>>>> using >>>>>>>>>>>>>> python-cryptography's CertificateSigningRequestBuilder [1] >>>>>>>>>>>>>> rather >>>>>>>>>>>>>> than >>>>>>>>>>>>>> openssl or certutil or any other command line tool. >>>>>>>>>>>>>> >>>>>>>>>>>>> There are lots of tools that users might want to use to >>>>>>>>>>>>> manage >>>>>>>>>>>>> their >>>>>>>>>>>>> private keys, so I don't know if we can assume that whatever >>>>>>>>>>>>> library we >>>>>>>>>>>>> prefer will actually be able to access the private key to >>>>>>>>>>>>> sign a >>>>>>>>>>>>> CSR, >>>>>>>>>>>>> which is why I thought it would be useful to support more >>>>>>>>>>>>> than >>>>>>>>>>>>> one. >>>>>>>>>>>> >>>>>>>>>>>> python-cryptography has the notion of backends, which allow >>>>>>>>>>>> it to >>>>>>>>>>>> support multiple crypto implementations. Upstream it currently >>>>>>>>>>>> supports only OpenSSL [2], but some work has been done on >>>>>>>>>>>> PKCS#11 >>>>>>>>>>>> backend [3], which provides support for HSMs and soft-tokens >>>>>>>>>>>> (like >>>>>>>>>>>> NSS >>>>>>>>>>>> databases). 
>>>>>>>>>>>> >>>>>>>>>>>> Alternatively, for NSS databases (and other "simple" >>>>>>>>>>>> cases), you >>>>>>>>>>>> can >>>>>>>>>>>> generate the private key with python-cryptography using the >>>>>>>>>>>> default >>>>>>>>>>>> backend, export it to a file and import the file to the target >>>>>>>>>>>> database, so you don't actually need the PKCS#11 backend for >>>>>>>>>>>> them. >>>>>>>>>>>> >>>>>>>>>>>> So, the only thing that's currently lacking is HSM support, >>>>>>>>>>>> but >>>>>>>>>>>> given >>>>>>>>>>>> that we don't support HSMs in IPA nor in certmonger, I don't >>>>>>>>>>>> think >>>>>>>>>>>> it's an issue for now. >>>>>>>>>>>> >>>>>>>>>>>>> The >>>>>>>>>>>>> purpose of the mapping rule is to tie together the >>>>>>>>>>>>> transformation >>>>>>>>>>>>> rules >>>>>>>>>>>>> that produce the same data into an object that's >>>>>>>>>>>>> implementation-agnostic, so that profiles referencing those >>>>>>>>>>>>> rules >>>>>>>>>>>>> are >>>>>>>>>>>>> automatically compatible with all the helper options. >>>>>>>>>>>> >>>>>>>>>>>> They are implementation-agnostic, as long as you consider >>>>>>>>>>>> `openssl` >>>>>>>>>>>> and `certutil` the only implementations :-) But I don't think >>>>>>>>>>>> this >>>>>>>>>>>> solution scales well to other possible implementations. >>>>>>>>>>>> >>>>>>>>>>>> Anyway, my main grudge is that the transformation rules >>>>>>>>>>>> shouldn't >>>>>>>>>>>> really be stored on and processed by the server. The server >>>>>>>>>>>> should >>>>>>>>>>>> know the *what* (mapping rules), but not the *how* >>>>>>>>>>>> (transformation >>>>>>>>>>>> rules). The *how* is an implementation detail and does not >>>>>>>>>>>> change in >>>>>>>>>>>> time, so there's no benefit in handling it on the server. 
It >>>>>>>>>>>> should be >>>>>>>>>>>> handled exclusively on the client, which I believe would also >>>>>>>>>>>> make >>>>>>>>>>>> the >>>>>>>>>>>> whole thing more robust (it would not be possible for a bug on >>>>>>>>>>>> the >>>>>>>>>>>> server to break all the clients). >>>>>>>>>>> This is a good point. However, for the scope of Ben's project >>>>>>>>>>> can we >>>>>>>>>>> limit it by openssl and certutil support? Otherwise Ben >>>>>>>>>>> wouldn't be >>>>>>>>>>> able >>>>>>>>>>> to complete the project in time. >>>>>>>>>> >>>>>>>>>> I'm fine with that, but I don't think it's up to me :-) >>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>>>> This is turning out to be a common (and, I think, reasonable) >>>>>>>>>>>>> reaction >>>>>>>>>>>>> to the proposal. It is rather complex, and I worry that it >>>>>>>>>>>>> will be >>>>>>>>>>>>> difficult to configure. On the other hand, there is some >>>>>>>>>>>>> hidden >>>>>>>>>>>>> complexity to enabling a simpler config format, as well. >>>>>>>>>>>>> One of >>>>>>>>>>>>> the >>>>>>>>>>>>> goals of the project as it was presented to me was to >>>>>>>>>>>>> allow the >>>>>>>>>>>>> creation >>>>>>>>>>>>> of profiles that add certificate extensions *that FreeIPA >>>>>>>>>>>>> doesn't >>>>>>>>>>>>> yet >>>>>>>>>>>>> know about*. With the current proposal, one only has to add a >>>>>>>>>>>>> rule >>>>>>>>>>>>> generating text that the helper will understand. >>>>>>>>>>>> >>>>>>>>>>>> ... which will be possible only as long as the helper >>>>>>>>>>>> understands the >>>>>>>>>>>> extension. Which it might not, thus the current proposal works >>>>>>>>>>>> only >>>>>>>>>>>> for *some* extensions that FreeIPA doesn't yet support. >>>>>>>>>>> We can go ad infinitum here but with any helper implementation, >>>>>>>>>>> be it >>>>>>>>>>> python-cryptography or anything else, you will need to have a >>>>>>>>>>> support >>>>>>>>>>> there as well. 
>>>>>>>>>> >>>>>>>>>> My point was that the current proposal is not any better than my >>>>>>>>>> proposal in this regard, as neither of them allows one to use an >>>>>>>>>> arbitrary extension. >>>>>>>>>> >>>>>>>>>>> The idea with unknown extensions was to allow mapping >>>>>>>>>>> their acceptance to a specific relationship between IPA objects >>>>>>>>>>> (optionally) and an input from the CSR. A simplest example >>>>>>>>>>> would >>>>>>>>>>> be an >>>>>>>>>>> identity rule that would copy an ASN.1 encoded content from the >>>>>>>>>>> CSR to >>>>>>>>>>> the certificate. >>>>>>>>>>> >>>>>>>>>>> That's on the mapping side, not on the CSR generation side, >>>>>>>>>>> but it >>>>>>>>>>> would >>>>>>>>>>> go similarly for the CSR if you would be able to enter >>>>>>>>>>> unknown but >>>>>>>>>>> otherwise correct ASN.1 stream. There is no difference at which >>>>>>>>>>> helper >>>>>>>>>>> type we are talking about because all of them support inserting >>>>>>>>>>> ASN.1 >>>>>>>>>>> content. >>>>>>>>>>> >>>>>>>>>>>>> With your suggestion, >>>>>>>>>>>>> if there's a mapping between "san_directoryname" and the >>>>>>>>>>>>> corresponding >>>>>>>>>>>>> API calls or configuration lines, we need some way for >>>>>>>>>>>>> users to >>>>>>>>>>>>> augment >>>>>>>>>>>>> that mapping without changing the code. 
If there's no >>>>>>>>>>>>> mapping, and >>>>>>>>>>>>> it's >>>>>>>>>>>>> just done with text processing, we need enough in the config >>>>>>>>>>>>> format to >>>>>>>>>>>>> be able to generate fairly complex structures: >>>>>>>>>>>>> >>>>>>>>>>>>> builder = >>>>>>>>>>>>> builder.subject_name(x509.Name(u'CN=user,O=EXAMPLE.COM')) >>>>>>>>>>>>> builder = >>>>>>>>>>>>> builder.add_extension(x509.SubjectAlternativeName([x509.RFC822Name(u'user at example.com'), >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> x509.DirectoryName(x509.Name(u'CN=user,O=EXAMPLE.COM'))]), >>>>>>>>>>>>> False) >>>>>>>>>>>>> >>>>>>>>>>>>> and we need to do it without it being equivalent to calling >>>>>>>>>>>>> eval() on >>>>>>>>>>>>> the config attributes. I'm not sure how to achieve this >>>>>>>>>>>>> (is it >>>>>>>>>>>>> safe to >>>>>>>>>>>>> call getattr(x509, extensiontype)(value) where >>>>>>>>>>>>> extensiontype and >>>>>>>>>>>>> value >>>>>>>>>>>>> are user-specified?) and it definitely would have to be tied >>>>>>>>>>>>> to a >>>>>>>>>>>>> particular library/tool. >>>>>>>>>>>> >>>>>>>>>>>> As I pointed out above, this needs to be figured out for the >>>>>>>>>>>> generic >>>>>>>>>>>> case for both the current proposal and my suggestion. >>>>>>>>> I have a proof of concept[1] for using openssl-based rules to >>>>>>>>> add a >>>>>>>>> subject alt name extension without using openssl's knowledge >>>>>>>>> of that >>>>>>>>> extension. It's not extremely pretty, and it took some trial and >>>>>>>>> error, >>>>>>>>> but no code changes. So, I think this actually is a difference >>>>>>>>> between >>>>>>>>> the two proposals. >>>>>>>> >>>>>>>> With the obvious catch being that it works only with OpenSSL, >>>>>>>> which >>>>>>>> might not work for everyone, e.g. when using HSMs or >>>>>>>> SmartCards, due >>>>>>>> to a limited PKCS#11 support in OpenSSL. >>>>>>> >>>>>>> Very true. 
Even certutil's equivalent feature (--extGeneric) >>>>>>> doesn't >>>>>>> seem like it would work very well in this context, as you are >>>>>>> supposed >>>>>>> to pass in an already-encoded extension, so text-based templating >>>>>>> wouldn't be able to do much. >>>>>> >>>>>> Yeah, I struggled with this myself. I ended up writing a pyasn1 >>>>>> script >>>>>> to generate the extension I needed, wrote that to a file, and passed >>>>>> it to certutil using: >>>>>> >>>>>> --extGeneric 2.5.29.17:not-critical:/path/to/msupn.der >>>>>> >>>>>>>> >>>>>>>>> >>>>>>>>> Next we have the easy case, extensions that we as FreeIPA >>>>>>>>> developers >>>>>>>>> know are important and build support for. For these, the two >>>>>>>>> proposals >>>>>>>>> work equivalently well, but yours is simpler to configure because >>>>>>>>> the >>>>>>>>> knowledge of how to make a san_rfc822name is built into the >>>>>>>>> library >>>>>>>>> instead of being stored on the server as a set of rules. >>>>>>>>> >>>>>>>>> Finally, we have the case of extensions that are known to the >>>>>>>>> helper, >>>>>>>>> but not to FreeIPA. In the existing proposal, new rules can be >>>>>>>>> written >>>>>>>>> to support these extensions under a particular helper. Further, >>>>>>>>> those >>>>>>>>> rules can be used by reference in many profiles, reducing >>>>>>>>> duplication of >>>>>>>>> effort/data/errors. >>>>>>>>> >>>>>>>>> As I understand it, the main objections in this thread are that >>>>>>>>> transformation rules are implementation (i.e. helper) specific >>>>>>>>> data >>>>>>>>> stored in the IPA server, and that the system has several >>>>>>>>> levels of >>>>>>>>> schema when it could just embed rules in the profile. But without >>>>>>>>> helper-specific rules, administrators could not take advantage of >>>>>>>>> the >>>>>>>>> additional extensions supported by the helper they are using. 
>>>>>>>> >>>>>>>> There is *no* advantage in forcing the user to choose between >>>>>>>> helpers >>>>>>>> which differ only in the set of limitations on the CSR they are >>>>>>>> able >>>>>>>> to produce. The user should specify a) where the private key is >>>>>>>> located and b) what profile to use, and that's it, it should just >>>>>>>> work. >>>>>>> Ok, this is a good point about usability. The user creating the CSR >>>>>>> shouldn't have to care about helpers, and I agree that the >>>>>>> current way >>>>>>> they are exposed is clunky. I do think that an administrator >>>>>>> creating >>>>>>> custom rules might want to take advantage of a helper, so they >>>>>>> wouldn't >>>>>>> need to understand the ASN.1 representation of their chosen >>>>>>> certificate >>>>>>> extension. Of course, the desired extension might not be >>>>>>> supported by >>>>>>> the helper either. Since I don't know what specific extensions >>>>>>> people >>>>>>> will want to use this for, I don't know how to balance the better >>>>>>> administrator experience of adding extensions via a helper with the >>>>>>> limited extension support. >>>>>>> >>>>>>> The original reason we arrived at the concept of "helpers" was to >>>>>>> support different ways of getting at private keys, but perhaps this >>>>>>> should not be the concern of the CSR data generator. In your >>>>>>> opinion, >>>>>>> would it be sufficient to support just one key format (PKCS#12? >>>>>>> PEM?) >>>>>>> and let the user deal with putting those keys into whatever >>>>>>> formats/databases they need? If that's ok, maybe we can stop having >>>>>>> *multiple* helpers, but if we want to replace helpers entirely I'm >>>>>>> still >>>>>>> not certain what to replace them with. >>>>>> >>>>>> I'd just add an option to specify the output format, e.g PEM, NSS, >>>>>> Java keystore, PKCS#12, whatever. You can probably get away with the >>>>>> first two for starters. 
Different output format is going to mean >>>>>> different options but that is probably not a big deal. >>>>> >>>>> My point was that if we want to get rid of all the helpers but >>>>> one, or >>>>> replace helpers with something else entirely like somehow templating >>>>> ASN1 structures directly, it will get harder to support all those >>>>> formats (or even both of the first two). For example, if we drop >>>>> certutil as a helper, how will we sign CSRs with keys stored in NSS >>>>> databases? >>>> >>>> 1. get the public part of the key from the NSS database >>>> 2. construct a CertificationRequestInfo [1] from the template and the >>>> public key >>>> 3. sign the CertificationRequestInfo with NSS using the private key to >>>> get a CSR >>>> >>>> This is purely client side, will work with any crypto library (just >>>> substitute NSS for something else) and, if done right, using very >>>> little code. >>> >>> Ok, I like this. If an encoded CertificationRequestInfo is something we >>> can expect to be compatible with any reasonable library (it sounds like >>> it should be) then the library can be used client-side to do the >>> key-storage-specific parts. I'm going to try writing this data -> >>> encoded CertificationRequestInfo -> CSR flow to make sure it works as >>> well as it sounds. If it does, it will also be useful for the code I'm >>> working on right now to connect certmonger with the current version of >>> the CSR autogeneration tool. >> >> Note that this will most probably require calling C functions. You >> might want to look into python-cffi. For now I just went ahead and implemented it in C, for simplicity. So far it only does the data + SubjectPublicKeyInfo -> CertificationRequestInfo conversion (data in the openssl config file format), but I'm convinced that both openssl and NSS should be able to sign this to turn it into a CSR. 
I'm also pretty sure you were right that calling C functions is required - none of the python libraries seem to have bindings for the functions that manipulate these objects. You can see the prototype here: https://github.com/LiptonB/freeipa-prototypes/blob/master/build_requestinfo.c >> >>>> >>>>>> >>>>>> Remember that the private key will be at rest for some period of >>>>>> time >>>>>> while the CSR is being approved. The key needs to be protected at >>>>>> that >>>>>> time. >>>>>> >>>>>> rob >>>>>> >>>>>>>> >>>>>>>>> And >>>>>>>>> without the separation of profiles from mapping rules in the >>>>>>>>> schema, >>>>>>>>> rules would need to be copy+pasted among profiles, and grouping >>>>>>>>> rules >>>>>>>>> with the same effect under different helpers would be much >>>>>>>>> uglier. We >>>>>>>>> can and should discuss whether these are the right tradeoffs, but >>>>>>>>> this >>>>>>>>> is where those decisions came from. >>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> OTOH, I think we could use GSER encoding of the extension >>>>>>>>>>>> value: >>>>>>>>>>>> >>>>>>>>>>>> { rfc822Name:"user at example.com", >>>>>>>>>>>> directoryName:rdnSequence:"CN=user,O=EXAMPLE.COM" } >>>>>>>>>>> GSER is not really used widely and does not have standardized >>>>>>>>>>> encoding >>>>>>>>>>> rules beyond its own definition. If you want to allow >>>>>>>>>>> transformation >>>>>>>>>>> rules in GSER that mention existing content in IPA objects, you >>>>>>>>>>> would >>>>>>>>>>> need to deal with templating anyway. At this point it becomes >>>>>>>>>>> irrelevant >>>>>>>>>>> what you are templating, though. >>>>>>>>>> >>>>>>>>>> True, but the goal here is not to avoid templating, but >>>>>>>>>> rather to >>>>>>>>>> avoid implementation-specific bits on the server, and GSER is >>>>>>>>>> the >>>>>>>>>> only >>>>>>>>>> thing that is textual, implementation-neutral and, as a bonus, >>>>>>>>>> standardized. 
>>>>>>>>>> >>>>>>>>> As I said elsewhere, we could use GSER as a textual output format >>>>>>>>> instead of openssl or certutil, but it still needs its own >>>>>>>>> "helper" to >>>>>>>>> build the CSR, and unlike the other options, it seems like we >>>>>>>>> might >>>>>>>>> need >>>>>>>>> to implement that helper. I'm not sure it's fair to call it >>>>>>>>> implementation-neutral if no implementation exists yet :) >>>>>>>> >>>>>>>> Right. Like I said, using GSER was just a quick idea off the top >>>>>>>> of my >>>>>>>> head. I would actually rather use some sort of data structure >>>>>>>> templating rather than textual templating on top of any kind of >>>>>>>> textual representation of said data structures. I don't know if >>>>>>>> there >>>>>>>> is such a thing, though. >>>>>>> >>>>>>> This sounds interesting, can you give an example of what this might >>>>>>> look >>>>>>> like? >>>> >>>> It would be something like XSLT, but for ASN.1 rather than XML. >>>> >>>>>>> >>>>>>> I learned that there's also an XML encoding for ASN.1, XER, but >>>>>>> that's >>>>>>> still a textual representation and we'd have to insert the data >>>>>>> textually. >>>> >>>> Well, yes and no. While it's true that it's still a textual >>>> representation, what really makes a difference is that for XML, there >>>> is a templating mechanism which understands the structure of the data >>>> (XSLT, as mentioned above). >>>> >>>> Unfortunately, XER has the same shortcoming as GSER: to be able to >>>> convert it to DER, you need to know the ASN.1 definition of the data >>>> structure. If we used XER+XSLT, we would also have to provide means of >>>> adding custom ASN.1 definitions and run them through ASN.1 compiler to >>>> convert between XER and DER. >>> >>> This is a little disappointing, but it makes sense. I don't think I >>> realized that we'll need to compile the ASN.1 data definitions for any >>> extensions we want to use in a cert. 
That limitation didn't come up >>> when >>> we were only talking about extensions that were supported by the helper >>> utility. But providing the ASN.1 spec for unusual extensions an admin >>> wants to use in their certs is probably a reasonable expectation. >> >> Yes, that's what I think as well. It could be a simple IPA object >> with name, description, extension OID and the ASN.1 definition. >> >>>> >>>>>>> It doesn't seem to be supported by any python libraries, >>>>>>> either, but it does look like it's supported by the asn1 compiler >>>>>>> in the >>>>>>> IPA source distribution. I could imagine an implementation that >>>>>>> builds >>>>>>> an XML representation of the CSR via python templating, then >>>>>>> makes a >>>>>>> signed CSR out of it in C. I'm a little concerned about it >>>>>>> because it >>>>>>> would have to implement the whole CSR structure from scratch, >>>>>>> but is >>>>>>> this a prototype that you'd be interested in seeing? >>>> >>>> I can imagine something like this might work: >>>> >>>> 1. (client) generate a key pair >>>> 2. (client) get SubjectPublicKeyInfo [2] for the public key >>>> 3. (client) encode the SubjectPublicKeyInfo as XER using asn1c and >>>> python-cffi in API mode [3] >>>> 4. (client) call server to construct CertificationRequestInfo for >>>> specified subject from a specified template and the >>>> SubjectPublicKeyInfo >>>> 5. (server) get the subject's LDAP entry >>>> 6. (server) create a XML document which contains the subject's LDAP >>>> attributes and the SubjectPublicKeyInfo >>>> 7. (server) use XSLT to transform the XML document to >>>> CertificationRequestInfo using the specified template >>>> 8. (server) return the CertificationRequestInfo to the client >>>> 9. (client) convert the CertificationRequestInfo from XER to DER using >>>> asn1c and python-cffi in API mode >>>> 10. 
(client) sign the CertificationRequestInfo using the private key >>>> to get a CSR >>>> >>>> It would be better if the XER-DER conversion was done on the server, >>>> but I don't think that compiling and running code on the fly on the >>>> server is a particularly good idea. Apparently there is a ASN.1 >>>> compiler available for PyASN1 [4], maybe that could be used instead, >>>> but we would have to write a XER codec for PyASN1 ourselves (which >>>> shouldn't be too hard IMO). >>> >>> Yeah, running programs compiled from arbitrary ASN.1 seems like a risk. >>> Maybe a little better because the ASN.1 is provided by an >>> administrator, >>> but we'd still be depending a lot on the security of the generated >>> code. >>> On the other hand, if we compile on the client, the CSR generation >>> feature is limited to platforms where asn1c can be installed. I wish I >>> could think of a way to do the compilation once when the profile is >>> created, but run it on the client. That seems like asking for >>> compatibility problems, though... >> >> It seems you missed the most important thing in the above paragraph >> :-) - that is asn1ate, the PyASN1-based compiler. The nice thing >> about it is that it compiles the ASN.1 definition into a PyASN1 type >> object, which means you can compile the definition and use it to >> (un)parse data in the same Python program. If we used it, we could >> JIT-compile the ASN.1 definitions on the server, without the security >> risk of executing native code and without the compatibility issues of >> compilation on the client. > > What do you see as the risks of compiling native code with asn1c and > executing it that are not present when generating python code with > asn1ate and loading it? I would think that, native or not, we're > depending on the ASN.1 compiler to generate secure code from any ASN.1 > definition the admin might give it. 
Even a parser like libtasn1 that > interprets the structure on the fly rather than generating executable > code could do something dangerous when given poorly-constructed input. > I don't mean to create a false equivalence, but are the interpreted > options really safer than the native code? >> >> I did a little research since my last email, andt doesn't seem to >> have there is also another library which allows you to compile and >> use ASN.1 definitions on the fly - libtasn1 [5]. Compared to asn1ate, >> it seems to be pretty stable (asn1ate is currently in alpha) and is >> written in C, so it makes it possible to use the >> administrator-defined extensions outside of IPA (specifically, it >> could be useful for certificate matching and mapping [6] in SSSD). > > Good find. That seems quite useful for being able to interact with > ASN.1 defined on the fly. I wonder how hard it would be to connect it > to pyasn1 to get more flexible ASN.1 decoding within python. Still > doesn't help with XER encoding/decoding, but I suppose that's a SMOP :) >> >>> >>>> >>>>>>> >>>>> On further investigation, it turns out the version of >>>>> python-cryptography in F24 includes a feature allowing arbitrary >>>>> extensions to be added by adding an UnrecognizedExtension to the >>>>> CertificateSigningRequestBuilder. This makes me feel somewhat better >>>>> both about python-cryptography as a tool for this task and about the >>>>> solution I just proposed. But I still don't have a clear idea that >>>>> answers 1) how to make templates that we can turn into encoded >>>>> extensions, and 2) how to deal with all the desired key formats. >>>> >>>> I hope the above clarifies these a little bit. >>>> >>>> [1] >>>> [2] >>>> [3] >>>> >>>> [4] >> >> [5] >> [6] >> >> > From ofayans at redhat.com Thu Nov 3 08:42:26 2016 
From: ofayans at redhat.com (Oleg Fayans) Date: Thu, 3 Nov 2016 09:42:26 +0100 Subject: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test In-Reply-To: References: <57A07FE4.8000904@redhat.com> <2b0ed7fe-f0bc-7137-bdc1-b0758ffe9cd6@redhat.com> <20160914154119.mkk2ma7tvks55xsu@redhat.com> <97eaa313-e889-cd4a-e900-9e88596577a0@redhat.com> <20160914155320.iowrijrq3z62evoo@redhat.com> <1af52e6c-c24b-d58b-ccf5-a85c5c290e0c@redhat.com> <20160914165348.GE2761@p.Speedport_W_724V_Typ_A_05011603_00_009> <59763ea7-2ab5-bdc2-72c1-489a462f78ef@redhat.com> <6089c103-ab56-62f7-971c-a41710eee22f@redhat.com> <1d744d16-75de-2bdc-5892-b3c36a305581@redhat.com> <39a8af61-056b-df40-9126-50997a5b54c8@redhat.com> Message-ID: <5ca38d5c-0f0b-46ef-71e2-3d493425e9c2@redhat.com> One more ping for review On 10/27/2016 02:21 PM, Oleg Fayans wrote: > ping for review > > On 10/25/2016 10:24 AM, Oleg Fayans wrote: >> Integration part of the tests is ready. 2 tests: >> >> 1. Adds a cert to idoverride of a windows user >> 2. sssd part - looks up user by his certificate using dbus-sssd >> >> Second and third dbus call are executed as a string instead of as array >> of strings because it just does not work otherwise. Some quote escaping >> gets screwed probably, but the system returns "Error >> org.freedesktop.DBus.Error.UnknownInterface: Unknown interface" if the >> command is executed using the standard array-based approach >> >> The run looks like this: >> >> bash-4.3$ ipa-run-tests test_integration/test_idviews.py --pdb >> WARNING: Couldn't write lextab module 'pycparser.lextab'. [Errno 13] >> Permission denied: 'lextab.py' >> WARNING: yacc table file version is out of date >> WARNING: Couldn't create 'pycparser.yacctab'. 
[Errno 13] Permission >> denied: 'yacctab.py' >> ==================================== test session starts >> ==================================== >> platform linux2 -- Python 2.7.11, pytest-2.9.2, py-1.4.31, pluggy-0.3.1 >> rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: pytest.ini >> plugins: sourceorder-0.5, multihost-1.0 >> collected 2 items >> >> test_integration/test_idviews.py .. >> >> ================================ 2 passed in 948.44 seconds >> ================================= >> >> >> On 10/21/2016 10:54 AM, Oleg Fayans wrote: >>> Added one more test, resolved the pep8 issues >>> >>> On 10/19/2016 12:32 PM, Oleg Fayans wrote: >>>> Hi Martin, >>>> >>>> As you suggested, I've extended the >>>> test_xmlrpc/test_add_remove_cert_cmd.py to contain basic tests for >>>> certs >>>> in idoverrides. >>>> The integration part still needs some polishing in the part related to >>>> user lookup by cert >>>> >>>> On 10/14/2016 03:57 PM, Martin Babinsky wrote: >>>>> On 10/14/2016 03:48 PM, Oleg Fayans wrote: >>>>>> So, did I understand correctly, that there would be 2 patches: one >>>>>> containing test for basic idoverrides functionality without >>>>>> AD-integration, and the second one - with AD-integration and an sssd >>>>>> check, correct? >>>>>> I guess, the >>>>>> freeipa-ofayans-0050.1-Automated-test-for-certs-in-idoverrides-feature.patch >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> might be a good candidate for the first one, I only have to change >>>>>> the >>>>>> filename to test_idviews.py, right? >>>>>> >>>>> >>>>> Oleg, we already have XMLRPC tests for idoverrides: >>>>> >>>>> ipatests/test_xmlrpc/test_idviews_plugin.py >>>>> >>>>> Is there any particular reason why not to extend them with add >>>>> cert/remove cert operations? >>>>> >>>>> Even better, you can extend >>>>> `ipatests/test_xmlrpc/test_add_remove_cert_cmd.py` suite by doing the >>>>> same set of tests on idoverrideuser objects. >>>>> >>>>> Or am I missing something? 
>>>>> >>>>>> On 09/15/2016 10:32 AM, Martin Basti wrote: >>>>>>> >>>>>>> >>>>>>> On 15.09.2016 10:10, Oleg Fayans wrote: >>>>>>>> Hi Martin, >>>>>>>> >>>>>>>> The file was renamed. Did I understand correctly that for now we >>>>>>>> are >>>>>>>> leaving the test as is and are planning to extend it later? >>>>>>> >>>>>>> I would like to have there SSSD check involved, please use what >>>>>>> Sumit >>>>>>> recommends. No new test cases. >>>>>>> >>>>>>> And this can be done by separate patch, I want to have API/CLI >>>>>>> certificate override tests for non-AD idview (extending current >>>>>>> tests I >>>>>>> posted in this thread) >>>>>>> >>>>>>> Martin^2 >>>>>>>> >>>>>>>> On 09/15/2016 09:49 AM, Martin Basti wrote: >>>>>>>>> >>>>>>>>> >>>>>>>>> On 14.09.2016 18:53, Sumit Bose wrote: >>>>>>>>>> On Wed, Sep 14, 2016 at 06:03:37PM +0200, Martin Basti wrote: >>>>>>>>>>> >>>>>>>>>>> On 14.09.2016 17:53, Alexander Bokovoy wrote: >>>>>>>>>>>> On Wed, 14 Sep 2016, Martin Basti wrote: >>>>>>>>>>>>> >>>>>>>>>>>>> On 14.09.2016 17:41, Alexander Bokovoy wrote: >>>>>>>>>>>>>> On Wed, 14 Sep 2016, Martin Basti wrote: >>>>>>>>>>>>>>> 1) >>>>>>>>>>>>>>> I still don't see the reason why AD trust is needed. Default >>>>>>>>>>>>>>> trust ID view is added just by ipa-adtrust-install, adding >>>>>>>>>>>>>>> trust is not needed for current implementation. You don't >>>>>>>>>>>>>>> need AD for this, IDviews is generic feature not just for >>>>>>>>>>>>>>> AD. Is that user configured on AD side? >>>>>>>>>>>>>> You cannot add non-AD user to 'default trust view', so you >>>>>>>>>>>>>> will >>>>>>>>>>>>>> not be >>>>>>>>>>>>>> able to set up certificates to ID override which does not >>>>>>>>>>>>>> exist. >>>>>>>>>>>>>> >>>>>>>>>>>>>> For non-'default trust view' you can add both IPA and AD >>>>>>>>>>>>>> users, >>>>>>>>>>>>>> so using >>>>>>>>>>>>>> some other view and then assign certificate for a ID >>>>>>>>>>>>>> override in >>>>>>>>>>>>>> that >>>>>>>>>>>>>> one. 
>>>>>>>>>>>>>> >>>>>>>>>>>>> Ok then, but anyway I would like to see API/CLI tests for this >>>>>>>>>>>>> feature with proper output validation. >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> How can be this tested with SSSD? >>>>>>>>>>>> You need to log into the system with a certificate... >>>>>>>>>>> Is this possible from test? We are logged remotely as root, is >>>>>>>>>>> there any >>>>>>>>>>> cmdline util which allows us to test certificate against AD >>>>>>>>>>> user? >>>>>>>>>> >>>>>>>>>> You can use 'sss_ssh_authorizedkeys aduser at ad.domain' which >>>>>>>>>> should >>>>>>>>>> return the ssh key derived from the public key in the >>>>>>>>>> certificate. >>>>>>>>>> This >>>>>>>>>> should work for certificate stored in AD as well as for >>>>>>>>>> overrides. >>>>>>>>>> >>>>>>>>>> You can also you the DBus lookup by certificate as described in >>>>>>>>>> https://fedorahosted.org/sssd/wiki/DesignDocs/LookupUsersByCertificate >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> . >>>>>>>>>> >>>>>>>>>> HTH >>>>>>>>>> >>>>>>>>>> bye, >>>>>>>>>> Sumit >>>>>>>>> >>>>>>>>> Thank you Alexander and Summit for hints. >>>>>>>>> >>>>>>>>> Oleg I realized we don't have any other idviews integration tests >>>>>>>>> >>>>>>>>> So I propose to rename test file you are adding to >>>>>>>>> test_idviews.py. We >>>>>>>>> can add more testcases for idviews there later >>>>>>>>> >>>>>>>>> Martin^2 >>>>>>>>>>> Martin^2 >>>>>>>>>>> >>>>>>>>>>> -- >>>>>>>>>>> Manage your subscription for the Freeipa-devel mailing list: >>>>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel >>>>>>>>>>> Contribute to FreeIPA: >>>>>>>>>>> http://www.freeipa.org/page/Contribute/Code >>>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>> >>>>> >>>>> >>>> >>>> >>>> >>> >>> >>> >> >> >> > -- Oleg Fayans Quality Engineer FreeIPA team RedHat. From ofayans at redhat.com Thu Nov 3 08:42:29 2016 
From: ofayans at redhat.com (Oleg Fayans)
Date: Thu, 3 Nov 2016 09:42:29 +0100
Subject: [Freeipa-devel] [test][patch-0057] test for ticket N 6146 (installing rules with service principals)
In-Reply-To: <9e419344-e733-76b0-b103-77496dd1097c@redhat.com>
References: <57AAE7EA.5090604@redhat.com> <745bf2dc-18d4-9f89-b97c-980b447f2823@redhat.com> <57AB1418.60903@redhat.com> <7d137bdf-883c-2ef9-468d-f8b7de358804@redhat.com> <9e419344-e733-76b0-b103-77496dd1097c@redhat.com>
Message-ID: <402f9a42-71dd-3b38-6974-4061c10660dc@redhat.com>

One more ping for review

On 10/27/2016 02:21 PM, Oleg Fayans wrote:
> ping for review
>
> On 10/25/2016 11:29 AM, Oleg Fayans wrote:
>> The patch was rebased to be able to apply on top of latest version of
>> certs in idoverrides patch. As before, it requires patches NN 0049 and
>> 0059 to apply
>>
>> On 08/10/2016 01:46 PM, Oleg Fayans wrote:
>>> Hi Martin,
>>>
>>> I am sorry, yes it depends on my patches 0049 and 0050.
>>>
>>> On 08/10/2016 12:27 PM, Martin Basti wrote:
>>>>
>>>> On 10.08.2016 10:38, Oleg Fayans wrote:
>>>>>
>>>> Hello,
>>>>
>>>> I cannot apply this patch
>>>> error: ipatests/test_integration/test_certs_in_idoverrides.py: does not
>>>> exist in index
>>>> It probably depends on another patch (which one?)
>>>>
>>>> Please, use human readable subjects in email, I do not remember from
>>>> top
>>>> of my head what #6146 is.
>>>>
>>>> Martin^2

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.

From freeipa-github-notification at redhat.com Thu Nov 3 09:20:19 2016
From: freeipa-github-notification at redhat.com (tbordaz)
Date: Thu, 03 Nov 2016 10:20:19 +0100
Subject: [Freeipa-devel] [freeipa PR#211][synchronized] IPA Allows Password Reuse with History value defined when admin reset…
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/211
Author: tbordaz
Title: #211: IPA Allows Password Reuse with History value defined when admin reset…
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/211/head:pr211
git checkout pr211
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-211.patch
Type: text/x-diff
Size: 2847 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Thu Nov 3 09:31:31 2016
From: freeipa-github-notification at redhat.com (lslebodn)
Date: Thu, 03 Nov 2016 10:31:31 +0100
Subject: [Freeipa-devel] [freeipa PR#208][comment] Tests: Fix integration sudo test
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/208
Title: #208: Tests: Fix integration sudo test

lslebodn commented:
"""
All versions of Fedora have sudo 1.8.18.
And thank you very much for nice/verbose explanation in commit message
ACK
"""

See the full comment at https://github.com/freeipa/freeipa/pull/208#issuecomment-258096257

From freeipa-github-notification at redhat.com Thu Nov 3 09:32:14 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Thu, 03 Nov 2016 10:32:14 +0100
Subject: [Freeipa-devel] [freeipa PR#208][+ack] Tests: Fix integration sudo test
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/208
Title: #208: Tests: Fix integration sudo test
Label: +ack

From freeipa-github-notification at redhat.com Thu Nov 3 09:52:13 2016
From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Thu, 03 Nov 2016 10:52:13 +0100
Subject: [Freeipa-devel] [freeipa PR#145][synchronized] Refactoring: LDAP Connection Management
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/145
Author: tomaskrizek
Title: #145: Refactoring: LDAP Connection Management
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/145/head:pr145
git checkout pr145
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-145.patch
Type: text/x-diff
Size: 227995 bytes
Desc: not available
URL:

From mbasti at redhat.com Thu Nov 3 11:43:09 2016
From: mbasti at redhat.com (Martin Basti) Date: Thu, 3 Nov 2016 12:43:09 +0100 Subject: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test In-Reply-To: <5ca38d5c-0f0b-46ef-71e2-3d493425e9c2@redhat.com> References: <57A07FE4.8000904@redhat.com> <2b0ed7fe-f0bc-7137-bdc1-b0758ffe9cd6@redhat.com> <20160914154119.mkk2ma7tvks55xsu@redhat.com> <97eaa313-e889-cd4a-e900-9e88596577a0@redhat.com> <20160914155320.iowrijrq3z62evoo@redhat.com> <1af52e6c-c24b-d58b-ccf5-a85c5c290e0c@redhat.com> <20160914165348.GE2761@p.Speedport_W_724V_Typ_A_05011603_00_009> <59763ea7-2ab5-bdc2-72c1-489a462f78ef@redhat.com> <6089c103-ab56-62f7-971c-a41710eee22f@redhat.com> <1d744d16-75de-2bdc-5892-b3c36a305581@redhat.com> <39a8af61-056b-df40-9126-50997a5b54c8@redhat.com> <5ca38d5c-0f0b-46ef-71e2-3d493425e9c2@redhat.com> Message-ID: <2b219705-2007-0983-6b61-e52e60d0307b@redhat.com> LGTM On 03.11.2016 09:42, Oleg Fayans wrote: > One more ping for review > > On 10/27/2016 02:21 PM, Oleg Fayans wrote: >> ping for review >> >> On 10/25/2016 10:24 AM, Oleg Fayans wrote: >>> Integration part of the tests is ready. 2 tests: >>> >>> 1. Adds a cert to idoverride of a windows user >>> 2. sssd part - looks up user by his certificate using dbus-sssd >>> >>> Second and third dbus call are executed as a string insted of as array >>> of strings because it just does not work otherwise. Some quote escaping >>> gets screwed probably, but the system returns "Error >>> org.freedesktop.DBus.Error.UnknownInterface: Unknown interface" if the >>> command is executed using the standard array-based approach >>> >>> The run looks like this: >>> >>> bash-4.3$ ipa-run-tests test_integration/test_idviews.py --pdb >>> WARNING: Couldn't write lextab module 'pycparser.lextab'. [Errno 13] >>> Permission denied: 'lextab.py' >>> WARNING: yacc table file version is out of date >>> WARNING: Couldn't create 'pycparser.yacctab'. 
[Errno 13] Permission >>> denied: 'yacctab.py' >>> ==================================== test session starts >>> ==================================== >>> platform linux2 -- Python 2.7.11, pytest-2.9.2, py-1.4.31, pluggy-0.3.1 >>> rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: pytest.ini >>> plugins: sourceorder-0.5, multihost-1.0 >>> collected 2 items >>> >>> test_integration/test_idviews.py .. >>> >>> ================================ 2 passed in 948.44 seconds >>> ================================= >>> >>> >>> On 10/21/2016 10:54 AM, Oleg Fayans wrote: >>>> Added one more test, resolved the pep8 issues >>>> >>>> On 10/19/2016 12:32 PM, Oleg Fayans wrote: >>>>> Hi Martin, >>>>> >>>>> As you suggested, I've extended the >>>>> test_xmlrpc/test_add_remove_cert_cmd.py to contain basic tests for >>>>> certs >>>>> in idoverrides. >>>>> The integration part still needs some polishing in the part >>>>> related to >>>>> user lookup by cert >>>>> >>>>> On 10/14/2016 03:57 PM, Martin Babinsky wrote: >>>>>> On 10/14/2016 03:48 PM, Oleg Fayans wrote: >>>>>>> So, did I understand correctly, that there would be 2 patches: one >>>>>>> containing test for basic idoverrides functionality without >>>>>>> AD-integration, and the second one - with AD-integration and an >>>>>>> sssd >>>>>>> check, correct? >>>>>>> I guess, the >>>>>>> freeipa-ofayans-0050.1-Automated-test-for-certs-in-idoverrides-feature.patch >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> might be a good candidate for the first one, I only have to change >>>>>>> the >>>>>>> filename to test_idviews.py, right? >>>>>>> >>>>>> >>>>>> Oleg, we already have XMLRPC tests for idoverrides: >>>>>> >>>>>> ipatests/test_xmlrpc/test_idviews_plugin.py >>>>>> >>>>>> Is there any particular reason why not to extend them with add >>>>>> cert/remove cert operations? 
>>>>>> >>>>>> Even better, you can extend >>>>>> `ipatests/test_xmlrpc/test_add_remove_cert_cmd.py` suite by doing >>>>>> the >>>>>> same set of tests on idoverrideuser objects. >>>>>> >>>>>> Or am I missing something? >>>>>> >>>>>>> On 09/15/2016 10:32 AM, Martin Basti wrote: >>>>>>>> >>>>>>>> >>>>>>>> On 15.09.2016 10:10, Oleg Fayans wrote: >>>>>>>>> Hi Martin, >>>>>>>>> >>>>>>>>> The file was renamed. Did I understand correctly that for now we >>>>>>>>> are >>>>>>>>> leaving the test as is and are planning to extend it later? >>>>>>>> >>>>>>>> I would like to have there SSSD check involved, please use what >>>>>>>> Summit >>>>>>>> recommends. No new test cases. >>>>>>>> >>>>>>>> And this can be done by separate patch, I want to have API/CLI >>>>>>>> certificate override tests for non-AD idview (extending current >>>>>>>> tests I >>>>>>>> posted in this thread) >>>>>>>> >>>>>>>> Martin^2 >>>>>>>>> >>>>>>>>> On 09/15/2016 09:49 AM, Martin Basti wrote: >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> On 14.09.2016 18:53, Sumit Bose wrote: >>>>>>>>>>> On Wed, Sep 14, 2016 at 06:03:37PM +0200, Martin Basti wrote: >>>>>>>>>>>> >>>>>>>>>>>> On 14.09.2016 17:53, Alexander Bokovoy wrote: >>>>>>>>>>>>> On Wed, 14 Sep 2016, Martin Basti wrote: >>>>>>>>>>>>>> >>>>>>>>>>>>>> On 14.09.2016 17:41, Alexander Bokovoy wrote: >>>>>>>>>>>>>>> On Wed, 14 Sep 2016, Martin Basti wrote: >>>>>>>>>>>>>>>> 1) >>>>>>>>>>>>>>>> I still don't see the reason why AD trust is needed. >>>>>>>>>>>>>>>> Default >>>>>>>>>>>>>>>> trust ID view is added just by ipa-adtrust-install, adding >>>>>>>>>>>>>>>> trust is not needed for current implementation. You don't >>>>>>>>>>>>>>>> need AD for this, IDviews is generic feature not just for >>>>>>>>>>>>>>>> AD. Is that user configured on AD side? >>>>>>>>>>>>>>> You cannot add non-AD user to 'default trust view', so you >>>>>>>>>>>>>>> will >>>>>>>>>>>>>>> not be >>>>>>>>>>>>>>> able to set up certificates to ID override which does not >>>>>>>>>>>>>>> exist. 
>>>>>>>>>>>>>>> >>>>>>>>>>>>>>> For non-'default trust view' you can add both IPA and AD >>>>>>>>>>>>>>> users, >>>>>>>>>>>>>>> so using >>>>>>>>>>>>>>> some other view and then assign certificate for a ID >>>>>>>>>>>>>>> override in >>>>>>>>>>>>>>> that >>>>>>>>>>>>>>> one. >>>>>>>>>>>>>>> >>>>>>>>>>>>>> Ok then, but anyway I would like to see API/CLI tests for >>>>>>>>>>>>>> this >>>>>>>>>>>>>> feature with proper output validation. >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> How can be this tested with SSSD? >>>>>>>>>>>>> You need to log into the system with a certificate... >>>>>>>>>>>> Is this possible from test? We are logged remotely as root, is >>>>>>>>>>>> there any >>>>>>>>>>>> cmdline util which allows us to test certificate against AD >>>>>>>>>>>> user? >>>>>>>>>>> >>>>>>>>>>> You can use 'sss_ssh_authorizedkeys aduser at ad.domain' which >>>>>>>>>>> should >>>>>>>>>>> return the ssh key derived from the public key in the >>>>>>>>>>> certificate. >>>>>>>>>>> This >>>>>>>>>>> should work for certificate stored in AD as well as for >>>>>>>>>>> overrides. >>>>>>>>>>> >>>>>>>>>>> You can also you the DBus lookup by certificate as described in >>>>>>>>>>> https://fedorahosted.org/sssd/wiki/DesignDocs/LookupUsersByCertificate >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> . >>>>>>>>>>> >>>>>>>>>>> HTH >>>>>>>>>>> >>>>>>>>>>> bye, >>>>>>>>>>> Sumit >>>>>>>>>> >>>>>>>>>> Thank you Alexander and Summit for hints. >>>>>>>>>> >>>>>>>>>> Oleg I realized we don't have any other idviews integration >>>>>>>>>> tests >>>>>>>>>> >>>>>>>>>> So I propose to rename test file you are adding to >>>>>>>>>> test_idviews.py. 
We >>>>>>>>>> can add more testcases for idviews there later >>>>>>>>>> >>>>>>>>>> Martin^2 >>>>>>>>>>>> Martin^2 >>>>>>>>>>>> >>>>>>>>>>>> -- >>>>>>>>>>>> Manage your subscription for the Freeipa-devel mailing list: >>>>>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel >>>>>>>>>>>> Contribute to FreeIPA: >>>>>>>>>>>> http://www.freeipa.org/page/Contribute/Code >>>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>> >>>>>> >>>>>> >>>>> >>>>> >>>>> >>>> >>>> >>>> >>> >>> >>> >> > From freeipa-github-notification at redhat.com Thu Nov 3 12:20:30 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Thu, 03 Nov 2016 13:20:30 +0100 Subject: [Freeipa-devel] [freeipa PR#202][synchronized] ipa-getkeytab enhancements In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/202 Author: martbab Title: #202: ipa-getkeytab enhancements Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/202/head:pr202 git checkout pr202 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-202.patch Type: text/x-diff Size: 37253 bytes Desc: not available URL: From ofayans at redhat.com Thu Nov 3 12:28:01 2016 
From: ofayans at redhat.com (Oleg Fayans) Date: Thu, 3 Nov 2016 13:28:01 +0100 Subject: [Freeipa-devel] [Test][Patch-0047] Added a test for Ticket N 5964 In-Reply-To: <5b666684-ada4-8721-0671-a6a0424e115b@redhat.com> References: <5762BBDD.4010502@redhat.com> <5763AA17.60207@redhat.com> <5763C073.5020503@redhat.com> <577113B2.1080904@redhat.com> <8ada929c-ebff-b8ce-6f1f-ae65fb8b1ba2@redhat.com> <577FAD77.7080504@redhat.com> <9149be7c-ee3d-42e5-16fb-fd0c0f351bb8@redhat.com> <57A1E76F.9@redhat.com> <478f33da-10d4-0994-e588-b28ca002b3b4@redhat.com> <36a2eba5-a03d-131e-0042-46f0d4f0299a@redhat.com> <80d2ccd8-8e1b-52a7-df76-087c72f21a12@redhat.com> <8caa3b3a-54a6-e168-6304-09ce8fb60a7f@redhat.com> <5b666684-ada4-8721-0671-a6a0424e115b@redhat.com> Message-ID: <847c5b3d-f43b-7381-a8a2-2fcacc343afc@redhat.com> ping for review On 10/19/2016 04:54 PM, Oleg Fayans wrote: > Hi Martin, > > Thanks for the review. Fixed both issues. > > $ ipa-run-tests test_integration/test_topology.py -k TestCASpecificRUVs > WARNING: Couldn't write lextab module 'pycparser.lextab'. [Errno 13] > Permission denied: 'lextab.py' > WARNING: yacc table file version is out of date > WARNING: Couldn't create 'pycparser.yacctab'. [Errno 13] Permission > denied: 'yacctab.py' > ==================================================================================== > test session starts > ===================================================================================== > > platform linux2 -- Python 2.7.11, pytest-2.9.2, py-1.4.31, pluggy-0.3.1 > rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: pytest.ini > plugins: sourceorder-0.5, multihost-1.0 > collected 5 items > > test_integration/test_topology.py .. 
> > ================================================================================ > 2 passed in 2444.84 seconds > ================================================================================= > > > > On 10/17/2016 07:05 PM, Martin Basti wrote: >> 1) >> >> you don't need to disable/enable dirsrv, just stop/start. Please remove >> disable/enable parts >> >> >> 2) >> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >> traceback >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >> >> >> self = > object at 0x7f6a502eec90> >> >> def test_delete_ruvs(self): >> """ >> http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/ >> Test_Plan#Test_case:_clean-ruv_subcommand >> """ >> replica = self.replicas[0] >> master = self.master >> res1 = master.run_command(['ipa-replica-manage', 'list-ruv', >> '-p', >> master.config.dirman_password]) >>> assert(res1.stdout_text.count(replica.hostname) == 2 and >> "Certificate Server Replica Update Vectors" in res1), ( >> "CA-specific RUVs are not displayed") >> E TypeError: argument of type 'SSHCommand' is not iterable >> >> test_integration/test_topology.py:215: TypeError >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >> entering PDB >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >> >>> >> /usr/lib/python2.7/site-packages/ipatests/test_integration/test_topology.py(215)test_delete_ruvs() >> >> >> >> -> assert(res1.stdout_text.count(replica.hostname) == 2 and >> >> >> >> On 14.10.2016 11:36, Oleg Fayans wrote: >>> Right you are! I am sorry. >>> >>> On 10/13/2016 06:10 PM, Martin Basti wrote: >>>> I think that you forgot to squash commits. Patch 47 doesn't apply >>>> >>>> >>>> On 13.10.2016 14:01, Oleg Fayans wrote: >>>>> Hi Martin, >>>>> >>>>> Thanks for the review. 
>>>>> With disabling directory server it works as well, thanks for the hint. >>>>> Also I moved the cleanup logic to the test itself for the sake of >>>>> simplicity. Patch-0048 was not changed >>>>> >>>>> On 10/12/2016 02:35 PM, Martin Basti wrote: >>>>>> 1) >>>>>> >>>>>> Can you just turn off dirsrv on replica instead of doing iptables >>>>>> magic? >>>>>> >>>>>> >>>>>> 2) NACK >>>>>> >>>>>> No more eval() ever in code, use 'getattr', 'get' or whatever in the >>>>>> object that can be used. >>>>>> >>>>>> + evalhost = eval("args[0].%s" % host) >>>>>> >>>>>> Martin^2 >>>>>> >>>>>> On 12.10.2016 14:03, Oleg Fayans wrote: >>>>>>> Hi Martin, >>>>>>> >>>>>>> After extensive discussion with Ludwig, I finally got the clue on >>>>>>> how >>>>>>> does this feature work. When we uninstall the replica, the master >>>>>>> cleans the replication agreements with this replica and >>>>>>> automatically >>>>>>> cleans all replica's RUVs. >>>>>>> If we clean replica's RUVs on master without uninstalling the >>>>>>> replica, >>>>>>> the replica's RUVs get recreated on master (replication works!). So, >>>>>>> the only way to test the clean-ruv subcommand is to turn off the >>>>>>> replica, or block the traffic on it so it gets inaccessible to >>>>>>> updates >>>>>>> from master. >>>>>>> The testcases were updated, see [1] and [2] >>>>>>> >>>>>>> The updated versions of the patches are attached >>>>>>> >>>>>>> [1] >>>>>>> http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan#Test_case:_.2A-ruv_subcommands_of_ipa-replica-manage_are_extended_to_handle_CA-specific_RUVs >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> [2] >>>>>>> http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan#Test_case:_clean-ruv_subcommand >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> On 08/05/2016 06:36 PM, Martin Basti wrote: >>>>>>>> >>>>>>>> >>>>>>>> On 03.08.2016 14:45, Oleg Fayans wrote: >>>>>>>>> Hi Martin, >>>>>>>>> >>>>>>>>> Thanks for the review! 
Both patches were updated. >>>>>>>>> >>>>>>>>> On 07/28/2016 04:11 PM, Martin Basti wrote: >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> On 08.07.2016 15:41, Oleg Fayans wrote: >>>>>>>>>>> Hi Martin, >>>>>>>>>>> >>>>>>>>>>> Thanks for the review! >>>>>>>>>>> >>>>>>>>>>> On 07/08/2016 02:18 PM, Martin Basti wrote: >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> On 27.06.2016 13:53, Oleg Fayans wrote: >>>>>>>>>>>>> Hi guys, >>>>>>>>>>>>> >>>>>>>>>>>>> Is there a chance the patches NN 0047.1 and 0048.1 get >>>>>>>>>>>>> reviewed >>>>>>>>>>>>> before >>>>>>>>>>>>> 4.4 release? They cover a good part of the Managed Topology >>>>>>>>>>>>> 4.4 >>>>>>>>>>>>> feature. >>>>>>>>>>>>> >>>>>>>>>>>>> On 06/17/2016 11:18 AM, Oleg Fayans wrote: >>>>>>>>>>>>>> One more test was added to the patch-0048 >>>>>>>>>>>>>> >>>>>>>>>>>>>> On 06/17/2016 09:43 AM, Oleg Fayans wrote: >>>>>>>>>>>>>>> Fixed a bug in the previous patch, automated 2 more >>>>>>>>>>>>>>> testcases >>>>>>>>>>>>>>> from >>>>>>>>>>>>>>> http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> On 06/16/2016 04:46 PM, Oleg Fayans wrote: >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>> IIUC, this will turn off the machine completely, how is cleanup >>>>>>>>>>>> done >>>>>>>>>>>> then. AFAIK our tests cannot turn on machine again and run >>>>>>>>>>>> cleanup, so >>>>>>>>>>>> you will not be able to run more tests on the same topology >>>>>>>>>>>> without >>>>>>>>>>>> manual cleanup and manual start. >>>>>>>>>>>> >>>>>>>>>>>> + replica = self.replicas[0] >>>>>>>>>>>> + replica.run_command(['poweroff']) >>>>>>>>>>>> >>>>>>>>>>>> IMO would be better to just call 'ipactl stop' instead of >>>>>>>>>>>> 'poweroff' >>>>>>>>>>> >>>>>>>>>>> Agreed! Fixed. 
>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> Martin^2 >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>> *Automated ipa-replica-manage del tests* >>>>>>>>>> >>>>>>>>>> 1) >>>>>>>>>> + replica.run_command(['ipactl', 'stop']) >>>>>>>>>> + time.sleep(3) >>>>>>>>>> >>>>>>>>>> Why do you need sleep here? >>>>>>>>> >>>>>>>>> Removed, it was left from the old "poweroff" approach >>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> 2) >>>>>>>>>> + ruvid_re = re.compile(".*%s:389: (\d+).*" % >>>>>>>>>> replica.hostname) >>>>>>>>>> + replica_ruvs = ruvid_re.findall(result.stdout_text) >>>>>>>>>> + master.run_command(['ipa-replica-manage', 'clean-ruv', >>>>>>>>>> 'f', >>>>>>>>>> + '-p', master.config.dirman_password, >>>>>>>>>> + replica_ruvs[0]]) >>>>>>>>>> >>>>>>>>>> Because you are using re.findall(), without any match you will >>>>>>>>>> receive >>>>>>>>>> IndexError here replica_ruvs[0]. IMO it deserves assert before >>>>>>>>> >>>>>>>>> Implemented the assert which checks that the output contains >>>>>>>>> enough >>>>>>>>> replica RUVs >>>>>>>>> >>>>>>>>>> >>>>>>>>>> 3) >>>>>>>>>> assert(replica.hostname in result1.stdout_text) >>>>>>>>>> >>>>>>>>>> I think that this is error prone. What if there is just error >>>>>>>>>> 'could not >>>>>>>>>> connect to replica ', or something similar. >>>>>>>>>> instead of >>>>>>>>>> listing/cleaning/whatever operation was executed. I think that it >>>>>>>>>> should >>>>>>>>>> be more specific regexp than just finding a replica name >>>>>>>>>> substring >>>>>>>>>> (Yes >>>>>>>>>> In IPA we dont always print error so stderr) >>>>>>>>>> >>>>>>>>>> I'm not sure, but probably there might be cases when non critical >>>>>>>>>> error >>>>>>>>>> happen and exist status is still 0 >>>>>>>>> >>>>>>>>> Agree. 
Implemented a regex-based search >>>>>>>>> >>>>>>>>>> >>>>>>>>>> 4) >>>>>>>>>> >>>>>>>>>> + replica.run_command(['poweroff']) >>>>>>>>>> + time.sleep(3) >>>>>>>>>> >>>>>>>>>> There should not be poweroff, probably sleep could be removed >>>>>>>>>> too. >>>>>>>>> >>>>>>>>> Gone >>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> * Automated clean-ruv subcommand test* >>>>>>>>>> >>>>>>>>>> 1) PEP8, 2 new lines expected >>>>>>>>>> ./ipatests/test_integration/test_topology.py:163:1: E302 >>>>>>>>>> expected 2 >>>>>>>>>> blank lines, found 0 >>>>>>>>>> ./ipatests/test_integration/test_topology.py:182:80: E501 line >>>>>>>>>> too >>>>>>>>>> long >>>>>>>>>> (85 > 79 characters) >>>>>>>>> >>>>>>>>> Fixed >>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> 2) >>>>>>>>>> I dont like doing assert just with count of occurences of >>>>>>>>>> substring in >>>>>>>>>> STDOUT, would be possible to improve this somehow? >>>>>>>>> >>>>>>>>> Maybe, but frankly, I don't see how. In this case we are making >>>>>>>>> sure >>>>>>>>> that both simple and CA-specific RUVs of a replica are >>>>>>>>> displayed. The >>>>>>>>> format of the output is strict: >>>>>>>>> Replica Update Vectors: >>>>>>>>> replica1_hostname:389: RUV_id >>>>>>>>> replica2_hostname:389: RUV_id >>>>>>>>> Certificate Server Replica Update Vectors: >>>>>>>>> replica1_hostname:389: RUV_id >>>>>>>>> replica2_hostname:389: RUV_id >>>>>>>>> If we do not see 2 occurrences of the replica hostname than >>>>>>>>> definitely >>>>>>>>> something went wrong >>>>>>>>> >>>>>>>>>> >>>>>>>>>> 3) >>>>>>>>>> I'm not sure if clean-ruv is instant operations or there is some >>>>>>>>>> magic >>>>>>>>>> happening in background (we have abort-clean-ruv). Maybe some >>>>>>>>>> sleep >>>>>>>>>> should be there, but this needs investigation. 
>>>>>>>>>> >>>>>>>>>> + assert(replica.hostname in result2.stdout_text), ( >>>>>>>>>> + "The wrong RUV was deleted") >>>>>>>>>> + result3 = master.run_command(['ipa-replica-manage', >>>>>>>>>> 'list-ruv', >>>>>>>>>> + '-p', >>>>>>>>>> master.config.dirman_password]) >>>>>>>>>> + assert(result3.stdout_text.count(replica.hostname) == 1), ( >>>>>>>>>> + "CA RUV of the replica is still displayed") >>>>>>>>>> >>>>>>>>> >>>>>>>>> Based on my discussion with Stanislav Laznicka, I understood >>>>>>>>> that by >>>>>>>>> default clean-ruv does not return the shell until the operation is >>>>>>>>> finished. You can force dropping into the shell by pressing >>>>>>>>> CTRL+C, in >>>>>>>>> which case the background job will still be running, but this is >>>>>>>>> not >>>>>>>>> the default behavior >>>>>>>>> >>>>>>>> Test failed: >>>>>>>> result4 = master.run_command(['ipa-replica-manage', >>>>>>>> 'list-ruv', >>>>>>>> '-p', >>>>>>>> master.config.dirman_password]) >>>>>>>>> assert(replica.hostname not in result4.stdout_text), ( >>>>>>>> "replica's RUV is still displayed") >>>>>>>> E AssertionError: replica's RUV is still displayed >>>>>>>> E assert 'replica3.ipa.test' not in 'Replica Update >>>>>>>> V...ipa.test:389: 8\n' >>>>>>>> E 'replica3.ipa.test' is contained here: >>>>>>>> E Replica Update Vectors: >>>>>>>> E \tmaster.ipa.test:389: 4 >>>>>>>> E \treplica3.ipa.test:389: 3 >>>>>>>> E \treplica2.ipa.test:389: 7 >>>>>>>> E Certificate Server Replica Update Vectors: >>>>>>>> E \tmaster.ipa.test:389: 6 >>>>>>>> E \treplica2.ipa.test:389: 8 >>>>>>>> >>>>>>>> >>>>>>>> [root at master ~]# ipa topologysegment-find >>>>>>>> Suffix name: domain >>>>>>>> ------------------ >>>>>>>> 2 segments matched >>>>>>>> ------------------ >>>>>>>> Segment name: master.ipa.test-to-replica2.ipa.test >>>>>>>> Left node: master.ipa.test >>>>>>>> Right node: replica2.ipa.test >>>>>>>> Connectivity: both >>>>>>>> >>>>>>>> Segment name: master.ipa.test-to-replica3.ipa.test >>>>>>>> Left node: 
master.ipa.test >>>>>>>> Right node: replica3.ipa.test >>>>>>>> Connectivity: both >>>>>>>> ---------------------------- >>>>>>>> Number of entries returned 2 >>>>>>>> ---------------------------- >>>>>>>> [root at master ~]# ipa-replica-manage list-ruv >>>>>>>> Directory Manager password: >>>>>>>> >>>>>>>> Replica Update Vectors: >>>>>>>> master.ipa.test:389: 4 >>>>>>>> replica2.ipa.test:389: 7 >>>>>>>> replica3.ipa.test:389: 3 >>>>>>>> Certificate Server Replica Update Vectors: >>>>>>>> master.ipa.test:389: 6 >>>>>>>> replica2.ipa.test:389: 8 >>>>>>>> [root at master ~]# >>>>>>>> >>>>>>>> Then I tried manually to clean RUV 3, and it behaves somehow odd >>>>>>>> >>>>>>>> [root at master ~]# 'ipa-replica-manage' 'clean-ruv' '3' '-p' >>>>>>>> 'Secret123' '-f' >>>>>>>> Clean the Replication Update Vector for replica3.ipa.test:389 >>>>>>>> Background task created to clean replication data. This may take a >>>>>>>> while. >>>>>>>> This may be safely interrupted with Ctrl+C >>>>>>>> Cleanup task created >>>>>>>> [root at master ~]# less /var/log/dirsrv/slapd-IPA-TEST/errors >>>>>>>> [root at master ~]# ipa-replica-manage list-ruv >>>>>>>> Directory Manager password: >>>>>>>> >>>>>>>> Replica Update Vectors: >>>>>>>> master.ipa.test:389: 4 >>>>>>>> replica2.ipa.test:389: 7 >>>>>>>> replica3.ipa.test:389: 3 >>>>>>>> Certificate Server Replica Update Vectors: >>>>>>>> master.ipa.test:389: 6 >>>>>>>> replica2.ipa.test:389: 8 >>>>>>>> [root at master ~]# 'ipa-replica-manage' 'clean-ruv' '3' '-p' >>>>>>>> 'Secret123' '-f' >>>>>>>> Clean the Replication Update Vector for replica3.ipa.test:389 >>>>>>>> CLEANALLRUV task for replica id 3 already exists. 
>>>>>>>> This may be safely interrupted with Ctrl+C >>>>>>>> Cleanup task created >>>>>>>> >>>>>>>> [root at master ~]# ipa-replica-manage list-clean-ruv -p Secret123 >>>>>>>> No CLEANALLRUV tasks running >>>>>>>> >>>>>>>> No abort CLEANALLRUV tasks running >>>>>>>> [root at master ~]# 'ipa-replica-manage' 'clean-ruv' '3' '-p' >>>>>>>> 'Secret123' '-f' >>>>>>>> Clean the Replication Update Vector for replica3.ipa.test:389 >>>>>>>> Background task created to clean replication data. This may take a >>>>>>>> while. >>>>>>>> This may be safely interrupted with Ctrl+C >>>>>>>> Cleanup task created >>>>>>>> [root at master ~]# ipa-replica-manage list-clean-ruv -p Secret123 >>>>>>>> CLEANALLRUV tasks >>>>>>>> RID 3: Successfully cleaned rid(3). >>>>>>>> >>>>>>>> No abort CLEANALLRUV tasks running >>>>>>>> [root at master ~]# ipa-replica-manage list-ruv -p Secret123 >>>>>>>> Replica Update Vectors: >>>>>>>> master.ipa.test:389: 4 >>>>>>>> replica2.ipa.test:389: 7 >>>>>>>> Certificate Server Replica Update Vectors: >>>>>>>> master.ipa.test:389: 6 >>>>>>>> replica2.ipa.test:389: 8 >>>>>>>> >>>>>>>> >>>>>>>> I'm not sure if this behavior is right, Ludwig may know. >>>>>>> >>>>>> >>>>> >>>> >>> >> > > > -- Oleg Fayans Quality Engineer FreeIPA team RedHat. From freeipa-github-notification at redhat.com Thu Nov 3 13:46:12 2016 
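Review bot: in the quoted `clean-ruv` hunk the argument list passes `'f'`, while the manual runs later in this thread use `-f`, so the test hands `ipa-replica-manage` a stray positional argument instead of the force flag; change it to `'-f'`. In the same hunk `replica.hostname` is interpolated into `ruvid_re` unescaped and in a non-raw string, so the dots in the hostname match any character; wrap it in `re.escape()` and write the pattern as a raw string.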
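The review above objects to asserting on `stdout_text.count(replica.hostname)`. As an added example (not code from the patch or from FreeIPA), the following parses `ipa-replica-manage list-ruv` output into its two sections so a test can assert on the domain and CA RUVs separately. The function names are hypothetical, the first sample is the output quoted in the thread, and the error line in the second sample is constructed.

```python
import re
from collections import defaultdict

# Section headers exactly as they appear in the list-ruv output quoted in the thread.
DOMAIN = "Replica Update Vectors:"
CA = "Certificate Server Replica Update Vectors:"

# One RUV entry: "<hostname>:<port>: <replica id>", optionally indented.
_ENTRY = re.compile(r"^\s*(?P<host>[^\s:]+):(?P<port>\d+):\s*(?P<rid>\d+)\s*$")


def parse_list_ruv(stdout_text):
    """Return {section header: {hostname: [replica id, ...]}}.

    Lines that are neither a known section header nor a well-formed
    entry (password prompts, error messages, blank lines) are ignored,
    so a hostname that only appears in an error message is not counted.
    """
    sections = {DOMAIN: defaultdict(list), CA: defaultdict(list)}
    current = None
    for line in stdout_text.splitlines():
        stripped = line.strip()
        if stripped in sections:
            current = stripped
            continue
        match = _ENTRY.match(line)
        if match and current is not None:
            sections[current][match.group("host")].append(int(match.group("rid")))
    return {name: dict(hosts) for name, hosts in sections.items()}


def replica_ruvs(stdout_text, hostname):
    """Return (domain RUV ids, CA RUV ids) for an exact hostname match."""
    parsed = parse_list_ruv(stdout_text)
    return parsed[DOMAIN].get(hostname, []), parsed[CA].get(hostname, [])


def has_domain_and_ca_ruv(stdout_text, hostname):
    """True only if the host has at least one RUV in each section."""
    domain_ids, ca_ids = replica_ruvs(stdout_text, hostname)
    return bool(domain_ids) and bool(ca_ids)


# Output quoted in the thread (failed run): replica3 has no CA RUV.
THREAD_OUTPUT = (
    "Directory Manager password:\n"
    "\n"
    "Replica Update Vectors:\n"
    "\tmaster.ipa.test:389: 4\n"
    "\treplica3.ipa.test:389: 3\n"
    "\treplica2.ipa.test:389: 7\n"
    "Certificate Server Replica Update Vectors:\n"
    "\tmaster.ipa.test:389: 6\n"
    "\treplica2.ipa.test:389: 8\n"
)

# Constructed sample: the last line is an invented error message. The
# hostname occurs twice, so a substring count of 2 would pass here.
MISLEADING = (
    "Replica Update Vectors:\n"
    "\tmaster.ipa.test:389: 4\n"
    "\treplica3.ipa.test:389: 3\n"
    "Could not contact replica3.ipa.test\n"
)

if __name__ == "__main__":
    for name, text in (("thread", THREAD_OUTPUT), ("misleading", MISLEADING)):
        print(name, text.count("replica3.ipa.test"),
              replica_ruvs(text, "replica3.ipa.test"))
```

In a test, `has_domain_and_ca_ruv(res1.stdout_text, replica.hostname)` would replace the count-based assert; note that it takes the command's `stdout_text`, not the result object that caused the `TypeError` in the traceback above.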
From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Thu, 03 Nov 2016 14:46:12 +0100
Subject: [Freeipa-devel] [freeipa PR#145][comment] Refactoring: LDAP Connection Management
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/145
Title: #145: Refactoring: LDAP Connection Management

tomaskrizek commented:
"""
I've also updated the design document and described the correct usage of LDAP connections after these changes: http://www.freeipa.org/page/V4/LDAP_Connection_Management_Refactoring
"""

See the full comment at https://github.com/freeipa/freeipa/pull/145#issuecomment-258146183

From freeipa-github-notification at redhat.com Thu Nov 3 14:25:11 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Thu, 03 Nov 2016 15:25:11 +0100
Subject: [Freeipa-devel] [freeipa PR#207][comment] Provide user hint about IP address in IPA install
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/207
Title: #207: Provide user hint about IP address in IPA install

mbasti-rh commented:
"""
NACK, please see inline comment

I'd use 2 different messages:
1st IP: "Please provide the IP address to be used for this host name:"
2nd and more IP: "Additional IP address (leave blank to continue with installation):"

to be clear that we are appending IP addresses
"""

See the full comment at https://github.com/freeipa/freeipa/pull/207#issuecomment-258156848

From freeipa-github-notification at redhat.com Thu Nov 3 15:15:58 2016
From: freeipa-github-notification at redhat.com (rsd)
Date: Thu, 03 Nov 2016 16:15:58 +0100
Subject: [Freeipa-devel] [freeipa PR#207][comment] Provide user hint about IP address in IPA install
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/207
Title: #207: Provide user hint about IP address in IPA install

rsd commented:
"""
This happens in the case where the user keeps entering an IP address and the UI asks again as if it were ignored.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/207#issuecomment-258172443

From mbasti at redhat.com Thu Nov 3 15:22:51 2016
From: mbasti at redhat.com (Martin Basti) Date: Thu, 3 Nov 2016 16:22:51 +0100 Subject: [Freeipa-devel] [Test][Patch-0047] Added a test for Ticket N 5964 In-Reply-To: <847c5b3d-f43b-7381-a8a2-2fcacc343afc@redhat.com> References: <5762BBDD.4010502@redhat.com> <5763AA17.60207@redhat.com> <5763C073.5020503@redhat.com> <577113B2.1080904@redhat.com> <8ada929c-ebff-b8ce-6f1f-ae65fb8b1ba2@redhat.com> <577FAD77.7080504@redhat.com> <9149be7c-ee3d-42e5-16fb-fd0c0f351bb8@redhat.com> <57A1E76F.9@redhat.com> <478f33da-10d4-0994-e588-b28ca002b3b4@redhat.com> <36a2eba5-a03d-131e-0042-46f0d4f0299a@redhat.com> <80d2ccd8-8e1b-52a7-df76-087c72f21a12@redhat.com> <8caa3b3a-54a6-e168-6304-09ce8fb60a7f@redhat.com> <5b666684-ada4-8721-0671-a6a0424e115b@redhat.com> <847c5b3d-f43b-7381-a8a2-2fcacc343afc@redhat.com> Message-ID: almost ACK, but the ticket in commit message is closed as invalid. So I'm quite puzzled now what to do. On 03.11.2016 13:28, Oleg Fayans wrote: > ping for review > > On 10/19/2016 04:54 PM, Oleg Fayans wrote: >> Hi Martin, >> >> Thanks for the review. Fixed both issues. >> >> $ ipa-run-tests test_integration/test_topology.py -k TestCASpecificRUVs >> WARNING: Couldn't write lextab module 'pycparser.lextab'. [Errno 13] >> Permission denied: 'lextab.py' >> WARNING: yacc table file version is out of date >> WARNING: Couldn't create 'pycparser.yacctab'. [Errno 13] Permission >> denied: 'yacctab.py' >> ==================================================================================== >> >> test session starts >> ===================================================================================== >> >> >> platform linux2 -- Python 2.7.11, pytest-2.9.2, py-1.4.31, pluggy-0.3.1 >> rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: pytest.ini >> plugins: sourceorder-0.5, multihost-1.0 >> collected 5 items >> >> test_integration/test_topology.py .. 
>> >> ================================================================================ >> >> 2 passed in 2444.84 seconds >> ================================================================================= >> >> >> >> >> On 10/17/2016 07:05 PM, Martin Basti wrote: >>> 1) >>> >>> you don't need to disable/enable dirsrv, just stop/start. Please remove >>> disable/enable parts >>> >>> >>> 2) >>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>> traceback >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>> >>> >>> self = >> object at 0x7f6a502eec90> >>> >>> def test_delete_ruvs(self): >>> """ >>> http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/ >>> Test_Plan#Test_case:_clean-ruv_subcommand >>> """ >>> replica = self.replicas[0] >>> master = self.master >>> res1 = master.run_command(['ipa-replica-manage', 'list-ruv', >>> '-p', >>> master.config.dirman_password]) >>>> assert(res1.stdout_text.count(replica.hostname) == 2 and >>> "Certificate Server Replica Update Vectors" in res1), ( >>> "CA-specific RUVs are not displayed") >>> E TypeError: argument of type 'SSHCommand' is not iterable >>> >>> test_integration/test_topology.py:215: TypeError >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>> entering PDB >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>> >>>> >>> /usr/lib/python2.7/site-packages/ipatests/test_integration/test_topology.py(215)test_delete_ruvs() >>> >>> >>> >>> >>> -> assert(res1.stdout_text.count(replica.hostname) == 2 and >>> >>> >>> >>> On 14.10.2016 11:36, Oleg Fayans wrote: >>>> Right you are! I am sorry. >>>> >>>> On 10/13/2016 06:10 PM, Martin Basti wrote: >>>>> I think that you forgot to squash commits. 
Patch 47 doesn't apply >>>>> >>>>> >>>>> On 13.10.2016 14:01, Oleg Fayans wrote: >>>>>> Hi Martin, >>>>>> >>>>>> Thanks for the review. >>>>>> With disabling directory server it works as well, thanks for the >>>>>> hint. >>>>>> Also I moved the cleanup logic to the test itself for the sake of >>>>>> simplicity. Patch-0048 was not changed >>>>>> >>>>>> On 10/12/2016 02:35 PM, Martin Basti wrote: >>>>>>> 1) >>>>>>> >>>>>>> Can you just turn off dirsrv on replica instead of doing iptables >>>>>>> magic? >>>>>>> >>>>>>> >>>>>>> 2) NACK >>>>>>> >>>>>>> No more eval() ever in code, use 'getattr', 'get' or whatever in >>>>>>> the >>>>>>> object that can be used. >>>>>>> >>>>>>> + evalhost = eval("args[0].%s" % host) >>>>>>> >>>>>>> Martin^2 >>>>>>> >>>>>>> On 12.10.2016 14:03, Oleg Fayans wrote: >>>>>>>> Hi Martin, >>>>>>>> >>>>>>>> After extensive discussion with Ludwig, I finally got the clue on >>>>>>>> how >>>>>>>> does this feature work. When we uninstall the replica, the master >>>>>>>> cleans the replication agreements with this replica and >>>>>>>> automatically >>>>>>>> cleans all replica's RUVs. >>>>>>>> If we clean replica's RUVs on master without uninstalling the >>>>>>>> replica, >>>>>>>> the replica's RUVs get recreated on master (replication >>>>>>>> works!). So, >>>>>>>> the only way to test the clean-ruv subcommand is to turn off the >>>>>>>> replica, or block the traffic on it so it gets inaccessible to >>>>>>>> updates >>>>>>>> from master. 
>>>>>>>> The testcases were updated, see [1] and [2] >>>>>>>> >>>>>>>> The updated versions of the patches are attached >>>>>>>> >>>>>>>> [1] >>>>>>>> http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan#Test_case:_.2A-ruv_subcommands_of_ipa-replica-manage_are_extended_to_handle_CA-specific_RUVs >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> [2] >>>>>>>> http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan#Test_case:_clean-ruv_subcommand >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> On 08/05/2016 06:36 PM, Martin Basti wrote: >>>>>>>>> >>>>>>>>> >>>>>>>>> On 03.08.2016 14:45, Oleg Fayans wrote: >>>>>>>>>> Hi Martin, >>>>>>>>>> >>>>>>>>>> Thanks for the review! Both patches were updated. >>>>>>>>>> >>>>>>>>>> On 07/28/2016 04:11 PM, Martin Basti wrote: >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> On 08.07.2016 15:41, Oleg Fayans wrote: >>>>>>>>>>>> Hi Martin, >>>>>>>>>>>> >>>>>>>>>>>> Thanks for the review! >>>>>>>>>>>> >>>>>>>>>>>> On 07/08/2016 02:18 PM, Martin Basti wrote: >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> On 27.06.2016 13:53, Oleg Fayans wrote: >>>>>>>>>>>>>> Hi guys, >>>>>>>>>>>>>> >>>>>>>>>>>>>> Is there a chance the patches NN 0047.1 and 0048.1 get >>>>>>>>>>>>>> reviewed >>>>>>>>>>>>>> before >>>>>>>>>>>>>> 4.4 release? They cover a good part of the Managed Topology >>>>>>>>>>>>>> 4.4 >>>>>>>>>>>>>> feature. 
>>>>>>>>>>>>>> >>>>>>>>>>>>>> On 06/17/2016 11:18 AM, Oleg Fayans wrote: >>>>>>>>>>>>>>> One more test was added to the patch-0048 >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> On 06/17/2016 09:43 AM, Oleg Fayans wrote: >>>>>>>>>>>>>>>> Fixed a bug in the previous patch, automated 2 more >>>>>>>>>>>>>>>> testcases >>>>>>>>>>>>>>>> from >>>>>>>>>>>>>>>> http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> On 06/16/2016 04:46 PM, Oleg Fayans wrote: >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>> IIUC, this will turn off the machine completely, how is >>>>>>>>>>>>> cleanup >>>>>>>>>>>>> done >>>>>>>>>>>>> then. AFAIK our tests cannot turn on machine again and run >>>>>>>>>>>>> cleanup, so >>>>>>>>>>>>> you will not be able to run more tests on the same topology >>>>>>>>>>>>> without >>>>>>>>>>>>> manual cleanup and manual start. >>>>>>>>>>>>> >>>>>>>>>>>>> + replica = self.replicas[0] >>>>>>>>>>>>> + replica.run_command(['poweroff']) >>>>>>>>>>>>> >>>>>>>>>>>>> IMO would be better to just call 'ipactl stop' instead of >>>>>>>>>>>>> 'poweroff' >>>>>>>>>>>> >>>>>>>>>>>> Agreed! Fixed. >>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> Martin^2 >>>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>> *Automated ipa-replica-manage del tests* >>>>>>>>>>> >>>>>>>>>>> 1) >>>>>>>>>>> + replica.run_command(['ipactl', 'stop']) >>>>>>>>>>> + time.sleep(3) >>>>>>>>>>> >>>>>>>>>>> Why do you need sleep here? 
>>>>>>>>>> >>>>>>>>>> Removed, it was left from the old "poweroff" approach >>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> 2) >>>>>>>>>>> + ruvid_re = re.compile(".*%s:389: (\d+).*" % >>>>>>>>>>> replica.hostname) >>>>>>>>>>> + replica_ruvs = ruvid_re.findall(result.stdout_text) >>>>>>>>>>> + master.run_command(['ipa-replica-manage', 'clean-ruv', >>>>>>>>>>> 'f', >>>>>>>>>>> + '-p', >>>>>>>>>>> master.config.dirman_password, >>>>>>>>>>> + replica_ruvs[0]]) >>>>>>>>>>> >>>>>>>>>>> Because you are using re.findall(), without any match you will >>>>>>>>>>> receive >>>>>>>>>>> IndexError here replica_ruvs[0]. IMO it deserves assert before >>>>>>>>>> >>>>>>>>>> Implemented the assert which checks that the output contains >>>>>>>>>> enough >>>>>>>>>> replica RUVs >>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> 3) >>>>>>>>>>> assert(replica.hostname in result1.stdout_text) >>>>>>>>>>> >>>>>>>>>>> I think that this is error prone. What if there is just error >>>>>>>>>>> 'could not >>>>>>>>>>> connect to replica ', or something similar. >>>>>>>>>>> instead of >>>>>>>>>>> listing/cleaning/whatever operation was executed. I think >>>>>>>>>>> that it >>>>>>>>>>> should >>>>>>>>>>> be more specific regexp than just finding a replica name >>>>>>>>>>> substring >>>>>>>>>>> (Yes >>>>>>>>>>> In IPA we dont always print error so stderr) >>>>>>>>>>> >>>>>>>>>>> I'm not sure, but probably there might be cases when non >>>>>>>>>>> critical >>>>>>>>>>> error >>>>>>>>>>> happen and exist status is still 0 >>>>>>>>>> >>>>>>>>>> Agree. Implemented a regex-based search >>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> 4) >>>>>>>>>>> >>>>>>>>>>> + replica.run_command(['poweroff']) >>>>>>>>>>> + time.sleep(3) >>>>>>>>>>> >>>>>>>>>>> There should not be poweroff, probably sleep could be removed >>>>>>>>>>> too. 
>>>>>>>>>> >>>>>>>>>> Gone >>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> * Automated clean-ruv subcommand test* >>>>>>>>>>> >>>>>>>>>>> 1) PEP8, 2 new lines expected >>>>>>>>>>> ./ipatests/test_integration/test_topology.py:163:1: E302 >>>>>>>>>>> expected 2 >>>>>>>>>>> blank lines, found 0 >>>>>>>>>>> ./ipatests/test_integration/test_topology.py:182:80: E501 line >>>>>>>>>>> too >>>>>>>>>>> long >>>>>>>>>>> (85 > 79 characters) >>>>>>>>>> >>>>>>>>>> Fixed >>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> 2) >>>>>>>>>>> I dont like doing assert just with count of occurences of >>>>>>>>>>> substring in >>>>>>>>>>> STDOUT, would be possible to improve this somehow? >>>>>>>>>> >>>>>>>>>> Maybe, but frankly, I don't see how. In this case we are making >>>>>>>>>> sure >>>>>>>>>> that both simple and CA-specific RUVs of a replica are >>>>>>>>>> displayed. The >>>>>>>>>> format of the output is strict: >>>>>>>>>> Replica Update Vectors: >>>>>>>>>> replica1_hostname:389: RUV_id >>>>>>>>>> replica2_hostname:389: RUV_id >>>>>>>>>> Certificate Server Replica Update Vectors: >>>>>>>>>> replica1_hostname:389: RUV_id >>>>>>>>>> replica2_hostname:389: RUV_id >>>>>>>>>> If we do not see 2 occurrences of the replica hostname than >>>>>>>>>> definitely >>>>>>>>>> something went wrong >>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> 3) >>>>>>>>>>> I'm not sure if clean-ruv is instant operations or there is >>>>>>>>>>> some >>>>>>>>>>> magic >>>>>>>>>>> happening in background (we have abort-clean-ruv). Maybe some >>>>>>>>>>> sleep >>>>>>>>>>> should be there, but this needs investigation. 
>>>>>>>>>>> >>>>>>>>>>> + assert(replica.hostname in result2.stdout_text), ( >>>>>>>>>>> + "The wrong RUV was deleted") >>>>>>>>>>> + result3 = master.run_command(['ipa-replica-manage', >>>>>>>>>>> 'list-ruv', >>>>>>>>>>> + '-p', >>>>>>>>>>> master.config.dirman_password]) >>>>>>>>>>> + assert(result3.stdout_text.count(replica.hostname) == 1), ( >>>>>>>>>>> + "CA RUV of the replica is still displayed") >>>>>>>>>>> >>>>>>>>>> >>>>>>>>>> Based on my discussion with Stanislav Laznicka, I understood >>>>>>>>>> that by >>>>>>>>>> default clean-ruv does not return the shell until the >>>>>>>>>> operation is >>>>>>>>>> finished. You can force dropping into the shell by pressing >>>>>>>>>> CTRL+C, in >>>>>>>>>> which case the background job will still be running, but this is >>>>>>>>>> not >>>>>>>>>> the default behavior >>>>>>>>>> >>>>>>>>> Test failed: >>>>>>>>> result4 = master.run_command(['ipa-replica-manage', >>>>>>>>> 'list-ruv', >>>>>>>>> '-p', >>>>>>>>> master.config.dirman_password]) >>>>>>>>>> assert(replica.hostname not in result4.stdout_text), ( >>>>>>>>> "replica's RUV is still displayed") >>>>>>>>> E AssertionError: replica's RUV is still displayed >>>>>>>>> E assert 'replica3.ipa.test' not in 'Replica Update >>>>>>>>> V...ipa.test:389: 8\n' >>>>>>>>> E 'replica3.ipa.test' is contained here: >>>>>>>>> E Replica Update Vectors: >>>>>>>>> E \tmaster.ipa.test:389: 4 >>>>>>>>> E \treplica3.ipa.test:389: 3 >>>>>>>>> E \treplica2.ipa.test:389: 7 >>>>>>>>> E Certificate Server Replica Update Vectors: >>>>>>>>> E \tmaster.ipa.test:389: 6 >>>>>>>>> E \treplica2.ipa.test:389: 8 >>>>>>>>> >>>>>>>>> >>>>>>>>> [root at master ~]# ipa topologysegment-find >>>>>>>>> Suffix name: domain >>>>>>>>> ------------------ >>>>>>>>> 2 segments matched >>>>>>>>> ------------------ >>>>>>>>> Segment name: master.ipa.test-to-replica2.ipa.test >>>>>>>>> Left node: master.ipa.test >>>>>>>>> Right node: replica2.ipa.test >>>>>>>>> Connectivity: both >>>>>>>>> >>>>>>>>> Segment name: 
master.ipa.test-to-replica3.ipa.test >>>>>>>>> Left node: master.ipa.test >>>>>>>>> Right node: replica3.ipa.test >>>>>>>>> Connectivity: both >>>>>>>>> ---------------------------- >>>>>>>>> Number of entries returned 2 >>>>>>>>> ---------------------------- >>>>>>>>> [root at master ~]# ipa-replica-manage list-ruv >>>>>>>>> Directory Manager password: >>>>>>>>> >>>>>>>>> Replica Update Vectors: >>>>>>>>> master.ipa.test:389: 4 >>>>>>>>> replica2.ipa.test:389: 7 >>>>>>>>> replica3.ipa.test:389: 3 >>>>>>>>> Certificate Server Replica Update Vectors: >>>>>>>>> master.ipa.test:389: 6 >>>>>>>>> replica2.ipa.test:389: 8 >>>>>>>>> [root at master ~]# >>>>>>>>> >>>>>>>>> Then I tried manually to clean RUV 3, and it behaves somehow odd >>>>>>>>> >>>>>>>>> [root at master ~]# 'ipa-replica-manage' 'clean-ruv' '3' '-p' >>>>>>>>> 'Secret123' '-f' >>>>>>>>> Clean the Replication Update Vector for replica3.ipa.test:389 >>>>>>>>> Background task created to clean replication data. This may >>>>>>>>> take a >>>>>>>>> while. >>>>>>>>> This may be safely interrupted with Ctrl+C >>>>>>>>> Cleanup task created >>>>>>>>> [root at master ~]# less /var/log/dirsrv/slapd-IPA-TEST/errors >>>>>>>>> [root at master ~]# ipa-replica-manage list-ruv >>>>>>>>> Directory Manager password: >>>>>>>>> >>>>>>>>> Replica Update Vectors: >>>>>>>>> master.ipa.test:389: 4 >>>>>>>>> replica2.ipa.test:389: 7 >>>>>>>>> replica3.ipa.test:389: 3 >>>>>>>>> Certificate Server Replica Update Vectors: >>>>>>>>> master.ipa.test:389: 6 >>>>>>>>> replica2.ipa.test:389: 8 >>>>>>>>> [root at master ~]# 'ipa-replica-manage' 'clean-ruv' '3' '-p' >>>>>>>>> 'Secret123' '-f' >>>>>>>>> Clean the Replication Update Vector for replica3.ipa.test:389 >>>>>>>>> CLEANALLRUV task for replica id 3 already exists. 
>>>>>>>>> This may be safely interrupted with Ctrl+C >>>>>>>>> Cleanup task created >>>>>>>>> >>>>>>>>> [root at master ~]# ipa-replica-manage list-clean-ruv -p Secret123 >>>>>>>>> No CLEANALLRUV tasks running >>>>>>>>> >>>>>>>>> No abort CLEANALLRUV tasks running >>>>>>>>> [root at master ~]# 'ipa-replica-manage' 'clean-ruv' '3' '-p' >>>>>>>>> 'Secret123' '-f' >>>>>>>>> Clean the Replication Update Vector for replica3.ipa.test:389 >>>>>>>>> Background task created to clean replication data. This may >>>>>>>>> take a >>>>>>>>> while. >>>>>>>>> This may be safely interrupted with Ctrl+C >>>>>>>>> Cleanup task created >>>>>>>>> [root at master ~]# ipa-replica-manage list-clean-ruv -p Secret123 >>>>>>>>> CLEANALLRUV tasks >>>>>>>>> RID 3: Successfully cleaned rid(3). >>>>>>>>> >>>>>>>>> No abort CLEANALLRUV tasks running >>>>>>>>> [root at master ~]# ipa-replica-manage list-ruv -p Secret123 >>>>>>>>> Replica Update Vectors: >>>>>>>>> master.ipa.test:389: 4 >>>>>>>>> replica2.ipa.test:389: 7 >>>>>>>>> Certificate Server Replica Update Vectors: >>>>>>>>> master.ipa.test:389: 6 >>>>>>>>> replica2.ipa.test:389: 8 >>>>>>>>> >>>>>>>>> >>>>>>>>> I'm not sure if this behavior is right, Ludwig may know. >>>>>>>> >>>>>>> >>>>>> >>>>> >>>> >>> >> >> >> > From ofayans at redhat.com Thu Nov 3 15:56:17 2016 
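Review bot: in the clean-ruv call of the quoted ruvid_re hunk, the argument list passes 'f' as a bare word, while the manual invocation later in the same thread uses '-f', so the force flag is probably not being set; please check this and change it to '-f'. In the same hunk the pattern ".*%s:389: (\d+).*" % replica.hostname interpolates the hostname unescaped, so every dot in it matches any character; wrapping the hostname in re.escape() and making the pattern a raw string would keep the match exact.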
From: ofayans at redhat.com (Oleg Fayans) Date: Thu, 3 Nov 2016 16:56:17 +0100 Subject: [Freeipa-devel] [Test][Patch-0047] Added a test for Ticket N 5964 In-Reply-To: References: <5762BBDD.4010502@redhat.com> <5763AA17.60207@redhat.com> <5763C073.5020503@redhat.com> <577113B2.1080904@redhat.com> <8ada929c-ebff-b8ce-6f1f-ae65fb8b1ba2@redhat.com> <577FAD77.7080504@redhat.com> <9149be7c-ee3d-42e5-16fb-fd0c0f351bb8@redhat.com> <57A1E76F.9@redhat.com> <478f33da-10d4-0994-e588-b28ca002b3b4@redhat.com> <36a2eba5-a03d-131e-0042-46f0d4f0299a@redhat.com> <80d2ccd8-8e1b-52a7-df76-087c72f21a12@redhat.com> <8caa3b3a-54a6-e168-6304-09ce8fb60a7f@redhat.com> <5b666684-ada4-8721-0671-a6a0424e115b@redhat.com> <847c5b3d-f43b-7381-a8a2-2fcacc343afc@redhat.com> Message-ID: Hi Martin, The commit message was updated with the correct ticket link Thanks for review! On 11/03/2016 04:22 PM, Martin Basti wrote: > almost ACK, but the ticket in commit message is closed as invalid. So > I'm quite puzzled now what to do. > > > On 03.11.2016 13:28, Oleg Fayans wrote: >> ping for review >> >> On 10/19/2016 04:54 PM, Oleg Fayans wrote: >>> Hi Martin, >>> >>> Thanks for the review. Fixed both issues. >>> >>> $ ipa-run-tests test_integration/test_topology.py -k TestCASpecificRUVs >>> WARNING: Couldn't write lextab module 'pycparser.lextab'. [Errno 13] >>> Permission denied: 'lextab.py' >>> WARNING: yacc table file version is out of date >>> WARNING: Couldn't create 'pycparser.yacctab'. [Errno 13] Permission >>> denied: 'yacctab.py' >>> ==================================================================================== >>> >>> test session starts >>> ===================================================================================== >>> >>> >>> platform linux2 -- Python 2.7.11, pytest-2.9.2, py-1.4.31, pluggy-0.3.1 >>> rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: pytest.ini >>> plugins: sourceorder-0.5, multihost-1.0 >>> collected 5 items >>> >>> test_integration/test_topology.py .. 
>>> >>> ================================================================================ >>> >>> 2 passed in 2444.84 seconds >>> ================================================================================= >>> >>> >>> >>> >>> On 10/17/2016 07:05 PM, Martin Basti wrote: >>>> 1) >>>> >>>> you don't need to disable/enable dirsrv, just stop/start. Please remove >>>> disable/enable parts >>>> >>>> >>>> 2) >>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>> traceback >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>> >>>> >>>> self = >>> object at 0x7f6a502eec90> >>>> >>>> def test_delete_ruvs(self): >>>> """ >>>> http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/ >>>> Test_Plan#Test_case:_clean-ruv_subcommand >>>> """ >>>> replica = self.replicas[0] >>>> master = self.master >>>> res1 = master.run_command(['ipa-replica-manage', 'list-ruv', >>>> '-p', >>>> master.config.dirman_password]) >>>>> assert(res1.stdout_text.count(replica.hostname) == 2 and >>>> "Certificate Server Replica Update Vectors" in res1), ( >>>> "CA-specific RUVs are not displayed") >>>> E TypeError: argument of type 'SSHCommand' is not iterable >>>> >>>> test_integration/test_topology.py:215: TypeError >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>> entering PDB >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>> >>>>> >>>> /usr/lib/python2.7/site-packages/ipatests/test_integration/test_topology.py(215)test_delete_ruvs() >>>> >>>> >>>> >>>> >>>> -> assert(res1.stdout_text.count(replica.hostname) == 2 and >>>> >>>> >>>> >>>> On 14.10.2016 11:36, Oleg Fayans wrote: >>>>> Right you are! I am sorry. >>>>> >>>>> On 10/13/2016 06:10 PM, Martin Basti wrote: >>>>>> I think that you forgot to squash commits. 
Patch 47 doesn't apply >>>>>> >>>>>> >>>>>> On 13.10.2016 14:01, Oleg Fayans wrote: >>>>>>> Hi Martin, >>>>>>> >>>>>>> Thanks for the review. >>>>>>> With disabling directory server it works as well, thanks for the >>>>>>> hint. >>>>>>> Also I moved the cleanup logic to the test itself for the sake of >>>>>>> simplicity. Patch-0048 was not changed >>>>>>> >>>>>>> On 10/12/2016 02:35 PM, Martin Basti wrote: >>>>>>>> 1) >>>>>>>> >>>>>>>> Can you just turn off dirsrv on replica instead of doing iptables >>>>>>>> magic? >>>>>>>> >>>>>>>> >>>>>>>> 2) NACK >>>>>>>> >>>>>>>> No more eval() ever in code, use 'getattr', 'get' or whatever in >>>>>>>> the >>>>>>>> object that can be used. >>>>>>>> >>>>>>>> + evalhost = eval("args[0].%s" % host) >>>>>>>> >>>>>>>> Martin^2 >>>>>>>> >>>>>>>> On 12.10.2016 14:03, Oleg Fayans wrote: >>>>>>>>> Hi Martin, >>>>>>>>> >>>>>>>>> After extensive discussion with Ludwig, I finally got the clue on >>>>>>>>> how >>>>>>>>> does this feature work. When we uninstall the replica, the master >>>>>>>>> cleans the replication agreements with this replica and >>>>>>>>> automatically >>>>>>>>> cleans all replica's RUVs. >>>>>>>>> If we clean replica's RUVs on master without uninstalling the >>>>>>>>> replica, >>>>>>>>> the replica's RUVs get recreated on master (replication >>>>>>>>> works!). So, >>>>>>>>> the only way to test the clean-ruv subcommand is to turn off the >>>>>>>>> replica, or block the traffic on it so it gets inaccessible to >>>>>>>>> updates >>>>>>>>> from master. 
>>>>>>>>> The testcases were updated, see [1] and [2] >>>>>>>>> >>>>>>>>> The updated versions of the patches are attached >>>>>>>>> >>>>>>>>> [1] >>>>>>>>> http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan#Test_case:_.2A-ruv_subcommands_of_ipa-replica-manage_are_extended_to_handle_CA-specific_RUVs >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> [2] >>>>>>>>> http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan#Test_case:_clean-ruv_subcommand >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> On 08/05/2016 06:36 PM, Martin Basti wrote: >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> On 03.08.2016 14:45, Oleg Fayans wrote: >>>>>>>>>>> Hi Martin, >>>>>>>>>>> >>>>>>>>>>> Thanks for the review! Both patches were updated. >>>>>>>>>>> >>>>>>>>>>> On 07/28/2016 04:11 PM, Martin Basti wrote: >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> On 08.07.2016 15:41, Oleg Fayans wrote: >>>>>>>>>>>>> Hi Martin, >>>>>>>>>>>>> >>>>>>>>>>>>> Thanks for the review! >>>>>>>>>>>>> >>>>>>>>>>>>> On 07/08/2016 02:18 PM, Martin Basti wrote: >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> On 27.06.2016 13:53, Oleg Fayans wrote: >>>>>>>>>>>>>>> Hi guys, >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Is there a chance the patches NN 0047.1 and 0048.1 get >>>>>>>>>>>>>>> reviewed >>>>>>>>>>>>>>> before >>>>>>>>>>>>>>> 4.4 release? They cover a good part of the Managed Topology >>>>>>>>>>>>>>> 4.4 >>>>>>>>>>>>>>> feature. 
>>>>>>>>>>>>>>> >>>>>>>>>>>>>>> On 06/17/2016 11:18 AM, Oleg Fayans wrote: >>>>>>>>>>>>>>>> One more test was added to the patch-0048 >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> On 06/17/2016 09:43 AM, Oleg Fayans wrote: >>>>>>>>>>>>>>>>> Fixed a bug in the previous patch, automated 2 more >>>>>>>>>>>>>>>>> testcases >>>>>>>>>>>>>>>>> from >>>>>>>>>>>>>>>>> http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> On 06/16/2016 04:46 PM, Oleg Fayans wrote: >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>> IIUC, this will turn off the machine completely, how is >>>>>>>>>>>>>> cleanup >>>>>>>>>>>>>> done >>>>>>>>>>>>>> then. AFAIK our tests cannot turn on machine again and run >>>>>>>>>>>>>> cleanup, so >>>>>>>>>>>>>> you will not be able to run more tests on the same topology >>>>>>>>>>>>>> without >>>>>>>>>>>>>> manual cleanup and manual start. >>>>>>>>>>>>>> >>>>>>>>>>>>>> + replica = self.replicas[0] >>>>>>>>>>>>>> + replica.run_command(['poweroff']) >>>>>>>>>>>>>> >>>>>>>>>>>>>> IMO would be better to just call 'ipactl stop' instead of >>>>>>>>>>>>>> 'poweroff' >>>>>>>>>>>>> >>>>>>>>>>>>> Agreed! Fixed. >>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> Martin^2 >>>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>> *Automated ipa-replica-manage del tests* >>>>>>>>>>>> >>>>>>>>>>>> 1) >>>>>>>>>>>> + replica.run_command(['ipactl', 'stop']) >>>>>>>>>>>> + time.sleep(3) >>>>>>>>>>>> >>>>>>>>>>>> Why do you need sleep here? 
>>>>>>>>>>> >>>>>>>>>>> Removed, it was left from the old "poweroff" approach >>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> 2) >>>>>>>>>>>> + ruvid_re = re.compile(".*%s:389: (\d+).*" % >>>>>>>>>>>> replica.hostname) >>>>>>>>>>>> + replica_ruvs = ruvid_re.findall(result.stdout_text) >>>>>>>>>>>> + master.run_command(['ipa-replica-manage', 'clean-ruv', >>>>>>>>>>>> 'f', >>>>>>>>>>>> + '-p', >>>>>>>>>>>> master.config.dirman_password, >>>>>>>>>>>> + replica_ruvs[0]]) >>>>>>>>>>>> >>>>>>>>>>>> Because you are using re.findall(), without any match you will >>>>>>>>>>>> receive >>>>>>>>>>>> IndexError here replica_ruvs[0]. IMO it deserves assert before >>>>>>>>>>> >>>>>>>>>>> Implemented the assert which checks that the output contains >>>>>>>>>>> enough >>>>>>>>>>> replica RUVs >>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> 3) >>>>>>>>>>>> assert(replica.hostname in result1.stdout_text) >>>>>>>>>>>> >>>>>>>>>>>> I think that this is error prone. What if there is just error >>>>>>>>>>>> 'could not >>>>>>>>>>>> connect to replica ', or something similar. >>>>>>>>>>>> instead of >>>>>>>>>>>> listing/cleaning/whatever operation was executed. I think >>>>>>>>>>>> that it >>>>>>>>>>>> should >>>>>>>>>>>> be more specific regexp than just finding a replica name >>>>>>>>>>>> substring >>>>>>>>>>>> (Yes >>>>>>>>>>>> In IPA we dont always print error so stderr) >>>>>>>>>>>> >>>>>>>>>>>> I'm not sure, but probably there might be cases when non >>>>>>>>>>>> critical >>>>>>>>>>>> error >>>>>>>>>>>> happen and exist status is still 0 >>>>>>>>>>> >>>>>>>>>>> Agree. Implemented a regex-based search >>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> 4) >>>>>>>>>>>> >>>>>>>>>>>> + replica.run_command(['poweroff']) >>>>>>>>>>>> + time.sleep(3) >>>>>>>>>>>> >>>>>>>>>>>> There should not be poweroff, probably sleep could be removed >>>>>>>>>>>> too. 
>>>>>>>>>>> >>>>>>>>>>> Gone >>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> * Automated clean-ruv subcommand test* >>>>>>>>>>>> >>>>>>>>>>>> 1) PEP8, 2 new lines expected >>>>>>>>>>>> ./ipatests/test_integration/test_topology.py:163:1: E302 >>>>>>>>>>>> expected 2 >>>>>>>>>>>> blank lines, found 0 >>>>>>>>>>>> ./ipatests/test_integration/test_topology.py:182:80: E501 line >>>>>>>>>>>> too >>>>>>>>>>>> long >>>>>>>>>>>> (85 > 79 characters) >>>>>>>>>>> >>>>>>>>>>> Fixed >>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> 2) >>>>>>>>>>>> I dont like doing assert just with count of occurences of >>>>>>>>>>>> substring in >>>>>>>>>>>> STDOUT, would be possible to improve this somehow? >>>>>>>>>>> >>>>>>>>>>> Maybe, but frankly, I don't see how. In this case we are making >>>>>>>>>>> sure >>>>>>>>>>> that both simple and CA-specific RUVs of a replica are >>>>>>>>>>> displayed. The >>>>>>>>>>> format of the output is strict: >>>>>>>>>>> Replica Update Vectors: >>>>>>>>>>> replica1_hostname:389: RUV_id >>>>>>>>>>> replica2_hostname:389: RUV_id >>>>>>>>>>> Certificate Server Replica Update Vectors: >>>>>>>>>>> replica1_hostname:389: RUV_id >>>>>>>>>>> replica2_hostname:389: RUV_id >>>>>>>>>>> If we do not see 2 occurrences of the replica hostname than >>>>>>>>>>> definitely >>>>>>>>>>> something went wrong >>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> 3) >>>>>>>>>>>> I'm not sure if clean-ruv is instant operations or there is >>>>>>>>>>>> some >>>>>>>>>>>> magic >>>>>>>>>>>> happening in background (we have abort-clean-ruv). Maybe some >>>>>>>>>>>> sleep >>>>>>>>>>>> should be there, but this needs investigation. 
>>>>>>>>>>>> >>>>>>>>>>>> + assert(replica.hostname in result2.stdout_text), ( >>>>>>>>>>>> + "The wrong RUV was deleted") >>>>>>>>>>>> + result3 = master.run_command(['ipa-replica-manage', >>>>>>>>>>>> 'list-ruv', >>>>>>>>>>>> + '-p', >>>>>>>>>>>> master.config.dirman_password]) >>>>>>>>>>>> + assert(result3.stdout_text.count(replica.hostname) == 1), ( >>>>>>>>>>>> + "CA RUV of the replica is still displayed") >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> Based on my discussion with Stanislav Laznicka, I understood >>>>>>>>>>> that by >>>>>>>>>>> default clean-ruv does not return the shell until the >>>>>>>>>>> operation is >>>>>>>>>>> finished. You can force dropping into the shell by pressing >>>>>>>>>>> CTRL+C, in >>>>>>>>>>> which case the background job will still be running, but this is >>>>>>>>>>> not >>>>>>>>>>> the default behavior >>>>>>>>>>> >>>>>>>>>> Test failed: >>>>>>>>>> result4 = master.run_command(['ipa-replica-manage', >>>>>>>>>> 'list-ruv', >>>>>>>>>> '-p', >>>>>>>>>> master.config.dirman_password]) >>>>>>>>>>> assert(replica.hostname not in result4.stdout_text), ( >>>>>>>>>> "replica's RUV is still displayed") >>>>>>>>>> E AssertionError: replica's RUV is still displayed >>>>>>>>>> E assert 'replica3.ipa.test' not in 'Replica Update >>>>>>>>>> V...ipa.test:389: 8\n' >>>>>>>>>> E 'replica3.ipa.test' is contained here: >>>>>>>>>> E Replica Update Vectors: >>>>>>>>>> E \tmaster.ipa.test:389: 4 >>>>>>>>>> E \treplica3.ipa.test:389: 3 >>>>>>>>>> E \treplica2.ipa.test:389: 7 >>>>>>>>>> E Certificate Server Replica Update Vectors: >>>>>>>>>> E \tmaster.ipa.test:389: 6 >>>>>>>>>> E \treplica2.ipa.test:389: 8 >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> [root at master ~]# ipa topologysegment-find >>>>>>>>>> Suffix name: domain >>>>>>>>>> ------------------ >>>>>>>>>> 2 segments matched >>>>>>>>>> ------------------ >>>>>>>>>> Segment name: master.ipa.test-to-replica2.ipa.test >>>>>>>>>> Left node: master.ipa.test >>>>>>>>>> Right node: replica2.ipa.test >>>>>>>>>> 
Connectivity: both >>>>>>>>>> >>>>>>>>>> Segment name: master.ipa.test-to-replica3.ipa.test >>>>>>>>>> Left node: master.ipa.test >>>>>>>>>> Right node: replica3.ipa.test >>>>>>>>>> Connectivity: both >>>>>>>>>> ---------------------------- >>>>>>>>>> Number of entries returned 2 >>>>>>>>>> ---------------------------- >>>>>>>>>> [root at master ~]# ipa-replica-manage list-ruv >>>>>>>>>> Directory Manager password: >>>>>>>>>> >>>>>>>>>> Replica Update Vectors: >>>>>>>>>> master.ipa.test:389: 4 >>>>>>>>>> replica2.ipa.test:389: 7 >>>>>>>>>> replica3.ipa.test:389: 3 >>>>>>>>>> Certificate Server Replica Update Vectors: >>>>>>>>>> master.ipa.test:389: 6 >>>>>>>>>> replica2.ipa.test:389: 8 >>>>>>>>>> [root at master ~]# >>>>>>>>>> >>>>>>>>>> Then I tried manually to clean RUV 3, and it behaves somehow odd >>>>>>>>>> >>>>>>>>>> [root at master ~]# 'ipa-replica-manage' 'clean-ruv' '3' '-p' >>>>>>>>>> 'Secret123' '-f' >>>>>>>>>> Clean the Replication Update Vector for replica3.ipa.test:389 >>>>>>>>>> Background task created to clean replication data. This may >>>>>>>>>> take a >>>>>>>>>> while. >>>>>>>>>> This may be safely interrupted with Ctrl+C >>>>>>>>>> Cleanup task created >>>>>>>>>> [root at master ~]# less /var/log/dirsrv/slapd-IPA-TEST/errors >>>>>>>>>> [root at master ~]# ipa-replica-manage list-ruv >>>>>>>>>> Directory Manager password: >>>>>>>>>> >>>>>>>>>> Replica Update Vectors: >>>>>>>>>> master.ipa.test:389: 4 >>>>>>>>>> replica2.ipa.test:389: 7 >>>>>>>>>> replica3.ipa.test:389: 3 >>>>>>>>>> Certificate Server Replica Update Vectors: >>>>>>>>>> master.ipa.test:389: 6 >>>>>>>>>> replica2.ipa.test:389: 8 >>>>>>>>>> [root at master ~]# 'ipa-replica-manage' 'clean-ruv' '3' '-p' >>>>>>>>>> 'Secret123' '-f' >>>>>>>>>> Clean the Replication Update Vector for replica3.ipa.test:389 >>>>>>>>>> CLEANALLRUV task for replica id 3 already exists. 
>>>>>>>>>> This may be safely interrupted with Ctrl+C >>>>>>>>>> Cleanup task created >>>>>>>>>> >>>>>>>>>> [root at master ~]# ipa-replica-manage list-clean-ruv -p Secret123 >>>>>>>>>> No CLEANALLRUV tasks running >>>>>>>>>> >>>>>>>>>> No abort CLEANALLRUV tasks running >>>>>>>>>> [root at master ~]# 'ipa-replica-manage' 'clean-ruv' '3' '-p' >>>>>>>>>> 'Secret123' '-f' >>>>>>>>>> Clean the Replication Update Vector for replica3.ipa.test:389 >>>>>>>>>> Background task created to clean replication data. This may >>>>>>>>>> take a >>>>>>>>>> while. >>>>>>>>>> This may be safely interrupted with Ctrl+C >>>>>>>>>> Cleanup task created >>>>>>>>>> [root at master ~]# ipa-replica-manage list-clean-ruv -p Secret123 >>>>>>>>>> CLEANALLRUV tasks >>>>>>>>>> RID 3: Successfully cleaned rid(3). >>>>>>>>>> >>>>>>>>>> No abort CLEANALLRUV tasks running >>>>>>>>>> [root at master ~]# ipa-replica-manage list-ruv -p Secret123 >>>>>>>>>> Replica Update Vectors: >>>>>>>>>> master.ipa.test:389: 4 >>>>>>>>>> replica2.ipa.test:389: 7 >>>>>>>>>> Certificate Server Replica Update Vectors: >>>>>>>>>> master.ipa.test:389: 6 >>>>>>>>>> replica2.ipa.test:389: 8 >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> I'm not sure if this behavior is right, Ludwig may know. >>>>>>>>> >>>>>>>> >>>>>>> >>>>>> >>>>> >>>> >>> >>> >>> >> > -- Oleg Fayans Quality Engineer FreeIPA team RedHat. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-ofayans-0047.7-Automated-clean-ruv-subcommand-tests.patch Type: text/x-patch Size: 4418 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Nov 3 16:21:37 2016 
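Review bot: the `assert(result3.stdout_text.count(replica.hostname) == 1)` check in the quoted test hunk counts the hostname across the whole `list-ruv` output, so it passes whenever exactly one entry for the replica remains in either section and cannot tell whether the survivor is the domain RUV or the CA RUV. Splitting the output at the `Certificate Server Replica Update Vectors:` heading and asserting on each section separately would make the "CA RUV of the replica is still displayed" message accurate. The transcript quoted in the same message shows `list-ruv` still listing the replica right after `clean-ruv` printed "Cleanup task created", so the test should also wait until `list-clean-ruv` reports the task as finished before asserting on `list-ruv`.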
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Thu, 03 Nov 2016 17:21:37 +0100
Subject: [Freeipa-devel] [freeipa PR#145][comment] Refactoring: LDAP Connection Management
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/145
Title: #145: Refactoring: LDAP Connection Management

mbasti-rh commented:
"""
I don't like the `_missing` value in the ldap2 class for time and size limit. IIUC then `_missing` means that by default the search is unlimited. Why don't we just create constants for unlimited search and use them? It is clearer than combinations of three types: `_missing`, int and None.

```
class LDAPClient(object):
    SIZE_NOLIMIT = 0
    TIME_NOLIMIT = -1.0

class ldap2(CrudBackend, LDAPClient):
    def create_connection(..., time_limit=TIME_NOLIMIT, size_limit=SIZE_NOLIMIT):
        ...
```
"""

See the full comment at https://github.com/freeipa/freeipa/pull/145#issuecomment-258193578

From freeipa-github-notification at redhat.com Thu Nov 3 16:48:31 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Thu, 03 Nov 2016 17:48:31 +0100
Subject: [Freeipa-devel] [freeipa PR#145][comment] Refactoring: LDAP Connection Management
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/145
Title: #145: Refactoring: LDAP Connection Management

mbasti-rh commented:
"""
LGTM except my previous comment, let's wait for test results
"""

See the full comment at https://github.com/freeipa/freeipa/pull/145#issuecomment-258201939

From freeipa-github-notification at redhat.com Thu Nov 3 16:50:50 2016
From: freeipa-github-notification at redhat.com (Akasurde) Date: Thu, 03 Nov 2016 17:50:50 +0100 Subject: [Freeipa-devel] [freeipa PR#207][synchronized] Provide user hint about IP address in IPA install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/207 Author: Akasurde Title: #207: Provide user hint about IP address in IPA install Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/207/head:pr207 git checkout pr207 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-207.patch Type: text/x-diff Size: 1412 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Nov 3 17:15:27 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Thu, 03 Nov 2016 18:15:27 +0100 Subject: [Freeipa-devel] [freeipa PR#207][comment] Provide user hint about IP address in IPA install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/207 Title: #207: Provide user hint about IP address in IPA install mbasti-rh commented: """ May I propose following? ``` + msg_first = "Please provide the IP address to be used for this host name" + msg_other = ( + "Additional IP address (leave blank to continue with the installation)") while True: - ip = ipautil.user_input("Please provide the IP address to be used for this host name", allow_empty = True) + msg = msg_other if ips else msg_first + ip = ipautil.user_input(msg, allow_empty=True) ``` Please use rather `()` than `\` in future to split string """ See the full comment at https://github.com/freeipa/freeipa/pull/207#issuecomment-258210379 From freeipa-github-notification at redhat.com Fri Nov 4 03:55:10 2016 
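Review bot: in the suggested loop the first prompt still passes `allow_empty=True`, but `msg_first` gives no hint of what a blank answer does, while only `msg_other` says "leave blank to continue with the installation". Either mention the blank case in `msg_first` as well or handle an empty first answer explicitly. The selection `msg_other if ips else msg_first` also depends on `ips` being initialised before the `while True:`, which is not visible in the snippet and is worth confirming.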
From: freeipa-github-notification at redhat.com (Akasurde) Date: Fri, 04 Nov 2016 04:55:10 +0100 Subject: [Freeipa-devel] [freeipa PR#207][synchronized] Provide user hint about IP address in IPA install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/207 Author: Akasurde Title: #207: Provide user hint about IP address in IPA install Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/207/head:pr207 git checkout pr207 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-207.patch Type: text/x-diff Size: 1434 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Nov 4 06:36:15 2016 From: freeipa-github-notification at redhat.com (Akasurde) Date: Fri, 04 Nov 2016 07:36:15 +0100 Subject: [Freeipa-devel] [freeipa PR#207][synchronized] Provide user hint about IP address in IPA install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/207 Author: Akasurde Title: #207: Provide user hint about IP address in IPA install Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/207/head:pr207 git checkout pr207 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-207.patch Type: text/x-diff Size: 1445 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Nov 4 06:54:27 2016 
From: freeipa-github-notification at redhat.com (jcholast)
Date: Fri, 04 Nov 2016 07:54:27 +0100
Subject: [Freeipa-devel] [freeipa PR#145][comment] Refactoring: LDAP Connection Management
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/145
Title: #145: Refactoring: LDAP Connection Management

jcholast commented:
"""
@mbasti: YDUC, that would break `ipa config`-defined limits.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/145#issuecomment-258357216

From freeipa-github-notification at redhat.com Fri Nov 4 07:51:54 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Fri, 04 Nov 2016 08:51:54 +0100
Subject: [Freeipa-devel] [freeipa PR#145][comment] Refactoring: LDAP Connection Management
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/145
Title: #145: Refactoring: LDAP Connection Management

mbasti-rh commented:
"""
@jcholast how?

With this patchset you have to set `None` to time_limit/size_limit to apply `ipa config` limits because `_missing` means "unlimited"

```
if time_limit is not _missing:
    self.time_limit = time_limit
```

So with _missing the default value is used, which is 0 (unlimited)

```
self.__time_limit = float(LDAPClient.time_limit)
```
"""

See the full comment at https://github.com/freeipa/freeipa/pull/145#issuecomment-258364648

From freeipa-github-notification at redhat.com Fri Nov 4 08:23:11 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Fri, 04 Nov 2016 09:23:11 +0100
Subject: [Freeipa-devel] [freeipa PR#202][comment] ipa-getkeytab enhancements
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/202
Title: #202: ipa-getkeytab enhancements

martbab commented:
"""
Bump for review, this is a prerequisite to further installer refactoring work.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/202#issuecomment-258369401

From freeipa-github-notification at redhat.com Fri Nov 4 08:52:28 2016
From: freeipa-github-notification at redhat.com (jcholast)
Date: Fri, 04 Nov 2016 09:52:28 +0100
Subject: [Freeipa-devel] [freeipa PR#145][comment] Refactoring: LDAP Connection Management
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/145
Title: #145: Refactoring: LDAP Connection Management

jcholast commented:
"""
@mbasti: Because if the argument default values were constants as you suggested, they would take precedence over `ipa config` limits.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/145#issuecomment-258374383

From freeipa-github-notification at redhat.com Fri Nov 4 11:28:29 2016
From: freeipa-github-notification at redhat.com (pvoborni)
Date: Fri, 04 Nov 2016 12:28:29 +0100
Subject: [Freeipa-devel] [freeipa PR#145][comment] Refactoring: LDAP Connection Management
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/145
Title: #145: Refactoring: LDAP Connection Management

pvoborni commented:
"""
We have a lot of refactoring patches which need to be serialized and pushed and we don't have much time for it. If the remaining issue doesn't break everything else and can be fixed by a small patch later then please push this and allow other efforts to rebase on it.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/145#issuecomment-258408318

From freeipa-github-notification at redhat.com Fri Nov 4 12:33:00 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Fri, 04 Nov 2016 13:33:00 +0100
Subject: [Freeipa-devel] [freeipa PR#145][comment] Refactoring: LDAP Connection Management
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/145
Title: #145: Refactoring: LDAP Connection Management

mbasti-rh commented:
"""
NACK

Multiple tests are failing with:

```
TypeError: 'int' object has no attribute '__getitem__'

self = 

    def test_full_backup_and_restore(self):
        """backup, uninstall, restore"""
>       with restore_checker(self.master):

test_integration/test_backup_and_restore.py:146:
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
/usr/lib64/python2.7/contextlib.py:17: in __enter__
    return self.gen.next()
test_integration/test_backup_and_restore.py:114: in restore_checker
    results.append(check(host))
test_integration/test_backup_and_restore.py:53: in check_admin_in_ldap
    ldap = host.ldap_connect()
test_integration/host.py:47: in ldap_connect
    ldap_uri = ipaldap.LDAPClient(self.external_hostname)
../ipapython/ipaldap.py:747: in __init__
    self._conn = self._connect()
../ipapython/ipaldap.py:1120: in _connect
    conn.start_tls_s()
/usr/lib64/python2.7/contextlib.py:35: in __exit__
    self.gen.throw(type, value, traceback)
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

self = , arg_desc = None

    @contextlib.contextmanager
    def error_handler(self, arg_desc=None):
        """Context manager that handles LDAPErrors
        """
        try:
            try:
                yield
            except ldap.TIMEOUT:
                raise errors.DatabaseTimeout()
            except ldap.LDAPError as e:
>               desc = e.args[0]['desc'].strip()
E               TypeError: 'int' object has no attribute '__getitem__'

../ipapython/ipaldap.py:995: TypeError
```

and replica installation fails in some cases with

```
: [5/7]: enable GSSAPI for replication
: [error] OBJECT_CLASS_VIOLATION: {'desc': 'Object class violation'}
: ipa.ipapython.install.cli.install_tool(Replica): ERROR {'desc': 'Object class violation'}
: ipa.ipapython.install.cli.install_tool(Replica): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
```

None of the above is happening in master branch tests.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/145#issuecomment-258419460

From freeipa-github-notification at redhat.com Fri Nov 4 12:54:10 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Fri, 04 Nov 2016 13:54:10 +0100
Subject: [Freeipa-devel] [freeipa PR#202][synchronized] ipa-getkeytab enhancements
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/202
Author: martbab
Title: #202: ipa-getkeytab enhancements
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/202/head:pr202
git checkout pr202
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-202.patch
Type: text/x-diff
Size: 36921 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Fri Nov 4 17:48:44 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Fri, 04 Nov 2016 18:48:44 +0100
Subject: [Freeipa-devel] [freeipa PR#212][opened] KRA: don't add KRA container when KRA replica
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/212
Author: mbasti-rh
Title: #212: KRA: don't add KRA container when KRA replica
Action: opened

PR body:
"""
Regression in master branch only

This fixes regression caused by c56256e2a29f076e6afa559225a66f58b0773eb5
"""
[9/11]: add vault container
ipa : CRITICAL Failed to load vault.ldif: Command '/usr/bin/ldapmodify -v -f /tmp/tmpxxO9IC -H ldapi://%2fvar%2frun%2fslapd-IPA-TEST.socket -x -D cn=Directory Manager -y /tmp/tmpVKinCZ' returned non-zero exit status 68
[10/11]: apply LDAP updates
"""
and removes unneeded steps during installation of KRA replica, because KRA container must be there since installation of first KRA instance.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/212/head:pr212
git checkout pr212
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-212.patch
Type: text/x-diff
Size: 2009 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Fri Nov 4 19:00:29 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Fri, 04 Nov 2016 20:00:29 +0100
Subject: [Freeipa-devel] [freeipa PR#145][comment] Refactoring: LDAP Connection Management
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/145
Title: #145: Refactoring: LDAP Connection Management

mbasti-rh commented:
"""
INFO related to LDAPError:

```
-> desc = e.args[0]['desc'].strip()
(Pdb) print e
LDAPError(2, 'No such file or directory')
(Pdb) print self.ldap_uri
'master.ipa.test'
```

Probably we should open a ticket and improve LDAP error handling to cover this issue.

The error is in test_integration/host.py:ldap_connect

```
ldap_uri = ipaldap.LDAPClient(self.external_hostname)
ldap = ipaldap.LDAPClient(ldap_uri) <-------- you created ldap_uri as LDAPClient object
```
"""

See the full comment at https://github.com/freeipa/freeipa/pull/145#issuecomment-258519796

From mharmsen at redhat.com Sat Nov 5 07:30:02 2016
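The failure analysed in the PR#145 comment above comes from an error handler that assumes `e.args[0]` is always a dict. The following is an added example, not FreeIPA code: it handles both argument shapes shown in this thread and rejects a bare hostname before any connection attempt. `LDAPError` is a local stand-in for `ldap.LDAPError`, and `DirectoryError`, `describe_ldap_error`, `check_ldap_uri` and this `error_handler` are hypothetical names.

```python
import contextlib
from urllib.parse import urlparse


class LDAPError(Exception):
    """Stand-in for ldap.LDAPError so the example runs without python-ldap."""


class DirectoryError(Exception):
    """Hypothetical application-level error raised by the helpers below."""


def describe_ldap_error(exc):
    """Return (desc, info) for an LDAPError-like exception without raising.

    Handles the two argument shapes seen in the thread:
      * a dict such as {'desc': 'Object class violation'}
      * an errno-style pair such as (2, 'No such file or directory')
    """
    args = getattr(exc, "args", ())
    first = args[0] if args else None

    if isinstance(first, dict):
        desc = str(first.get("desc", "")).strip()
        info = str(first.get("info", "")).strip()
        return desc or "unknown LDAP error", info

    if isinstance(first, int) and len(args) > 1:
        # errno-style arguments: (errno, strerror)
        return str(args[1]).strip(), "errno %d" % first

    # Any other shape: fall back to the textual form of the arguments.
    text = " ".join(str(a) for a in args).strip()
    return text or exc.__class__.__name__, ""


def check_ldap_uri(uri):
    """Accept only ldap://, ldaps:// or ldapi:// strings; return the URI."""
    if not isinstance(uri, str):
        raise DirectoryError(
            "LDAP URI must be a string, got %s" % type(uri).__name__)
    if urlparse(uri).scheme not in ("ldap", "ldaps", "ldapi"):
        raise DirectoryError("not an LDAP URI: %r" % uri)
    return uri


@contextlib.contextmanager
def error_handler(ldap_uri):
    """Translate LDAPError into DirectoryError, keeping the URI in the text."""
    try:
        yield
    except LDAPError as e:
        desc, info = describe_ldap_error(e)
        detail = "%s (%s)" % (desc, info) if info else desc
        raise DirectoryError("%s: %s" % (ldap_uri, detail)) from e


if __name__ == "__main__":
    # Constructed inputs mirroring the two errors quoted in the thread.
    for err in (LDAPError({"desc": "Object class violation"}),
                LDAPError(2, "No such file or directory")):
        print(describe_ldap_error(err))
```

With this shape the original errno-style error surfaces as a readable message naming the value that was passed as the URI, instead of a `TypeError` raised from inside the handler.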
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Sat, 5 Nov 2016 01:30:02 -0600
Subject: [Freeipa-devel] Karma Requests for pki-core-10.3.5-8
Message-ID:

The following updated candidate builds of pki-core 10.3.5 were generated:

  * Fedora 24
      o pki-core-10.3.5-8.fc24
  * Fedora 25
      o pki-core-10.3.5-8.fc25
  * Fedora 26
      o pki-core-10.3.5-8.fc26

Additionally, the CentOS 7 COPR EPEL Builds of Dogtag 10.3.3 were also updated:

  * https://copr.fedorainfracloud.org/coprs/g/pki/epel-7.3/repo/epel-7/group_pki-epel-7.3-epel-7.repo

        [group_pki-epel-7.3]
        name=Copr repo for epel-7.3 owned by @pki
        baseurl=https://copr-be.cloud.fedoraproject.org/results/@pki/epel-7.3/epel-7-$basearch/
        type=rpm-md
        skip_if_unavailable=True
        gpgcheck=1
        gpgkey=https://copr-be.cloud.fedoraproject.org/results/@pki/epel-7.3/pubkey.gpg
        repo_gpgcheck=0
        enabled=1
        enabled_metadata=1

These builds address the following PKI tickets:

  * PKI TRAC Ticket #850 - JSS certificate validation function does not pass up exact errors from NSS
  * PKI TRAC Ticket #1247 - Better error message when try to renew a certificate that expires outside renewal grace period
  * PKI TRAC Ticket #1536 - CA EE: Submit caUserCert request without uid does not show proper error message
  * PKI TRAC Ticket #2460 - Typo in comment line of UserPwdDirAuthentication.java
  * PKI TRAC ticket #2486 - Automatic recovery of encryption cert is not working when a token is physically damaged and a temporary token is issued
  * PKI TRAC Ticket #2498 - Token format with external reg fails when op.format.externalRegAddToToken.revokeCert=true
  * PKI TRAC Ticket #2500 - Problems with FIPS mode
  * PKI TRAC Ticket #2510 - PIN_RESET policy is not giving expected results when set on a token
  * PKI TRAC Ticket #2513 - TPS token enrollment fails to setupSecureChannel when TPS and TKS security db is on fips mode.

Please provide Karma for the following builds:

  * Fedora 24
      o https://bodhi.fedoraproject.org/updates/FEDORA-2016-393715962d pki-core-10.3.5-8.fc24
  * Fedora 25
      o https://bodhi.fedoraproject.org/updates/FEDORA-2016-d0eb45e120 pki-core-10.3.5-8.fc25

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From freeipa-github-notification at redhat.com Sun Nov 6 21:13:32 2016
From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Sun, 06 Nov 2016 22:13:32 +0100
Subject: [Freeipa-devel] [freeipa PR#145][synchronized] Refactoring: LDAP Connection Management
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/145
Author: tomaskrizek
Title: #145: Refactoring: LDAP Connection Management
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/145/head:pr145
git checkout pr145
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-145.patch
Type: text/x-diff
Size: 228132 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Sun Nov 6 21:23:33 2016
From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Sun, 06 Nov 2016 22:23:33 +0100
Subject: [Freeipa-devel] [freeipa PR#145][comment] Refactoring: LDAP Connection Management
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/145
Title: #145: Refactoring: LDAP Connection Management

tomaskrizek commented:
"""
- Fixed the `LDAPClient` typo; affected integration tests now pass
- Not able to reproduce the `[5/7]: enable GSSAPI for replication` replica installation error, neither locally (tried twice) nor in Jenkins
- Improved doc text for the `_missing` idiom in `ldap2.create_connection()`
- Ran integration tests again. The only difference from master is 4 failing tests in caless domlelv1: `test_caless.TestReplicaInstall`. I'm not able to reproduce these locally, but they seem to occur persistently in Jenkins. I wonder if they might be caused by some configuration or reusing VMs.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/145#issuecomment-258711754

From freeipa-github-notification at redhat.com Mon Nov 7 09:23:41 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Mon, 07 Nov 2016 10:23:41 +0100
Subject: [Freeipa-devel] [freeipa PR#145][comment] Refactoring: LDAP Connection Management
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/145
Title: #145: Refactoring: LDAP Connection Management

mbasti-rh commented:
"""
It was decided to push this and unblock other developers, minor issues will be addressed separately.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/145#issuecomment-258784923

From freeipa-github-notification at redhat.com Mon Nov 7 09:24:05 2016
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 07 Nov 2016 10:24:05 +0100 Subject: [Freeipa-devel] [freeipa PR#145][+ack] Refactoring: LDAP Connection Management In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/145 Title: #145: Refactoring: LDAP Connection Management Label: +ack From freeipa-github-notification at redhat.com Mon Nov 7 09:42:27 2016 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Mon, 07 Nov 2016 10:42:27 +0100 Subject: [Freeipa-devel] [freeipa PR#145][synchronized] Refactoring: LDAP Connection Management In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/145 Author: tomaskrizek Title: #145: Refactoring: LDAP Connection Management Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/145/head:pr145 git checkout pr145 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-145.patch Type: text/x-diff Size: 229236 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Nov 7 09:42:51 2016 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Mon, 07 Nov 2016 10:42:51 +0100 Subject: [Freeipa-devel] [freeipa PR#145][comment] Refactoring: LDAP Connection Management In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/145 Title: #145: Refactoring: LDAP Connection Management tomaskrizek commented: """ Updated commit messages with link to a ticket. """ See the full comment at https://github.com/freeipa/freeipa/pull/145#issuecomment-258789249 From freeipa-github-notification at redhat.com Mon Nov 7 10:34:55 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 07 Nov 2016 11:34:55 +0100 Subject: [Freeipa-devel] [freeipa PR#145][closed] Refactoring: LDAP Connection Management In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/145 Author: tomaskrizek Title: #145: Refactoring: LDAP Connection Management Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/145/head:pr145 git checkout pr145 From freeipa-github-notification at redhat.com Mon Nov 7 10:34:57 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 07 Nov 2016 11:34:57 +0100 Subject: [Freeipa-devel] [freeipa PR#145][comment] Refactoring: LDAP Connection Management In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/145 Title: #145: Refactoring: LDAP Connection Management mbasti-rh commented: """ Fixed upstream master:
""" See the full comment at https://github.com/freeipa/freeipa/pull/145#issuecomment-258801005 From freeipa-github-notification at redhat.com Mon Nov 7 10:34:58 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 07 Nov 2016 11:34:58 +0100 Subject: [Freeipa-devel] [freeipa PR#145][+pushed] Refactoring: LDAP Connection Management In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/145 Title: #145: Refactoring: LDAP Connection Management Label: +pushed From freeipa-github-notification at redhat.com Mon Nov 7 11:35:54 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 07 Nov 2016 12:35:54 +0100 Subject: [Freeipa-devel] [freeipa PR#207][comment] Provide user hint about IP address in IPA install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/207 Title: #207: Provide user hint about IP address in IPA install mbasti-rh commented: """ I realized that this is somehow inconsistent with getting IP addresses for forwarders DNS forwarders: `Enter an IP address for a DNS forwarder, or press Enter to skip` So IMO we should be more consistent and use: `Enter an additional IP address, or press Enter to skip` What do you think? """ See the full comment at https://github.com/freeipa/freeipa/pull/207#issuecomment-258813380 From freeipa-github-notification at redhat.com Mon Nov 7 11:39:27 2016
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 07 Nov 2016 12:39:27 +0100 Subject: [Freeipa-devel] [freeipa PR#208][+pushed] Tests: Fix integration sudo test In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/208 Title: #208: Tests: Fix integration sudo test Label: +pushed From freeipa-github-notification at redhat.com Mon Nov 7 11:39:28 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 07 Nov 2016 12:39:28 +0100 Subject: [Freeipa-devel] [freeipa PR#208][comment] Tests: Fix integration sudo test In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/208 Title: #208: Tests: Fix integration sudo test mbasti-rh commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/e3b7d235d5e59e496f3d99a05e3dd379f845e4ea ipa-4-4: https://fedorahosted.org/freeipa/changeset/803dd590ccba44f8dcdc19aee1ea1d60e11c9a4b ipa-4-3: https://fedorahosted.org/freeipa/changeset/3ebc0d4d7d38f3f59da668aa08fd762e08280d32 """ See the full comment at https://github.com/freeipa/freeipa/pull/208#issuecomment-258814046 From freeipa-github-notification at redhat.com Mon Nov 7 11:39:29 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 07 Nov 2016 12:39:29 +0100 Subject: [Freeipa-devel] [freeipa PR#208][closed] Tests: Fix integration sudo test In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/208 Author: mirielka Title: #208: Tests: Fix integration sudo test Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/208/head:pr208 git checkout pr208 From freeipa-github-notification at redhat.com Mon Nov 7 11:41:52 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 07 Nov 2016 12:41:52 +0100 Subject: [Freeipa-devel] [freeipa PR#192][+ack] server-del: fix incorrect check for one IPA master In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/192 Title: #192: server-del: fix incorrect check for one IPA master Label: +ack From freeipa-github-notification at redhat.com Mon Nov 7 11:42:30 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 07 Nov 2016 12:42:30 +0100 Subject: [Freeipa-devel] [freeipa PR#192][+pushed] server-del: fix incorrect check for one IPA master In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/192 Title: #192: server-del: fix incorrect check for one IPA master Label: +pushed From freeipa-github-notification at redhat.com Mon Nov 7 11:42:32 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 07 Nov 2016 12:42:32 +0100 Subject: [Freeipa-devel] [freeipa PR#192][closed] server-del: fix incorrect check for one IPA master In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/192 Author: martbab Title: #192: server-del: fix incorrect check for one IPA master Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/192/head:pr192 git checkout pr192 From freeipa-github-notification at redhat.com Mon Nov 7 11:42:33 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 07 Nov 2016 12:42:33 +0100 Subject: [Freeipa-devel] [freeipa PR#192][comment] server-del: fix incorrect check for one IPA master In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/192 Title: #192: server-del: fix incorrect check for one IPA master mbasti-rh commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/7a183bad66b91821a75e2a1cdbd3106fc31dcab4 ipa-4-4: https://fedorahosted.org/freeipa/changeset/ae5acd9120315d980cb6c725589c57f207ce56cc """ See the full comment at https://github.com/freeipa/freeipa/pull/192#issuecomment-258814618 From freeipa-github-notification at redhat.com Mon Nov 7 13:41:32 2016 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Mon, 07 Nov 2016 14:41:32 +0100 Subject: [Freeipa-devel] [freeipa PR#143][comment] Issue6386 nss dir In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/143 Title: #143: Issue6386 nss dir tomaskrizek commented: """ Functional ACK. In the ticket, you mention other places where `paths.IPA_NSSDB_DIR` is used. What's the reason this change affects only client plugins? """ See the full comment at https://github.com/freeipa/freeipa/pull/143#issuecomment-258837978 From freeipa-github-notification at redhat.com Mon Nov 7 13:44:53 2016 
From: freeipa-github-notification at redhat.com (Akasurde) Date: Mon, 07 Nov 2016 14:44:53 +0100 Subject: [Freeipa-devel] [freeipa PR#207][comment] Provide user hint about IP address in IPA install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/207 Title: #207: Provide user hint about IP address in IPA install Akasurde commented: """ @mbasti-rh I will change message for DNS forwarders from `Enter an IP address for a DNS forwarder,...` to `Enter an additional IP address, or press Enter to skip`. """ See the full comment at https://github.com/freeipa/freeipa/pull/207#issuecomment-258838780 From freeipa-github-notification at redhat.com Mon Nov 7 13:51:44 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 07 Nov 2016 14:51:44 +0100 Subject: [Freeipa-devel] [freeipa PR#207][comment] Provide user hint about IP address in IPA install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/207 Title: #207: Provide user hint about IP address in IPA install mbasti-rh commented: """ @Akasurde I would rather keep explicitly `DNS forwarder` there """ See the full comment at https://github.com/freeipa/freeipa/pull/207#issuecomment-258840357 From freeipa-github-notification at redhat.com Mon Nov 7 13:52:17 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 07 Nov 2016 14:52:17 +0100 Subject: [Freeipa-devel] [freeipa PR#207][comment] Provide user hint about IP address in IPA install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/207 Title: #207: Provide user hint about IP address in IPA install mbasti-rh commented: """ What I meant was to change message for host IP address """ See the full comment at https://github.com/freeipa/freeipa/pull/207#issuecomment-258840461 From freeipa-github-notification at redhat.com Mon Nov 7 14:48:49 2016 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Mon, 07 Nov 2016 15:48:49 +0100 Subject: [Freeipa-devel] [freeipa PR#182][comment] Use env var IPA_CONFDIR to get confdir for 'cli' context In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/182 Title: #182: Use env var IPA_CONFDIR to get confdir for 'cli' context tomaskrizek commented: """ I also think `IPA_CONFDIR` environment variable is the proper way to configure the config directory with use cases such as Ansible. However, with the current solution, if the `AttributeError` is raised, the command will fail and show a traceback. I'd really prefer to only see the error message itself. Perhaps this could be solved by using `ScriptError`? ``` # IPA_CONFDIR=/root/ipa ipa ping [2016-11-07T14:38:11Z ipa] : AttributeError: IPA_CONFDIR must be an absolute path to an existing directory. Traceback (most recent call last): File "/usr/lib/python2.7/site-packages/ipalib/cli.py", line 1345, in run (_options, argv) = api.bootstrap_with_global_options(context='cli') File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 580, in bootstrap_with_global_options self.bootstrap(parser, **overrides) File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 436, in bootstrap self.env._bootstrap(**overrides) File "/usr/lib/python2.7/site-packages/ipalib/config.py", line 469, in _bootstrap 'IPA_CONFDIR must be an absolute path to an ' AttributeError: IPA_CONFDIR must be an absolute path to an existing directory. [2016-11-07T14:38:11Z ipa] : an internal error has occurred ``` """ See the full comment at https://github.com/freeipa/freeipa/pull/182#issuecomment-258855038 From freeipa-github-notification at redhat.com Mon Nov 7 16:11:34 2016 
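The behaviour asked for in the PR#182 comment above (a bad `IPA_CONFDIR` reported as a one-line error rather than a traceback), as an added example that is not FreeIPA's code: `ConfDirError`, `resolve_confdir`, `run_cli`, the `ipa: ERROR:` prefix and the `/etc/ipa` default are assumptions made for the illustration.

```python
import os
import sys


class ConfDirError(Exception):
    """Hypothetical user-facing error: carries a message and an exit code.

    Keeping it separate from built-in exceptions lets the entry point tell
    "the operator gave bad input" apart from "the program has a bug".
    """

    def __init__(self, msg, rval=1):
        super().__init__(msg)
        self.msg = msg
        self.rval = rval


def resolve_confdir(environ, default="/etc/ipa"):
    """Return the configuration directory for the 'cli' context.

    IPA_CONFDIR, when set, must be an absolute path to an existing
    directory. A bad value is rejected outright: falling back to the
    default would hide a typo and run against the wrong configuration.
    The default path is an assumption of this example.
    """
    value = environ.get("IPA_CONFDIR")
    if value is None:
        return default
    # isabs() rejects relative paths, which would otherwise depend on the
    # caller's working directory; isdir() rejects missing paths and files.
    if not os.path.isabs(value) or not os.path.isdir(value):
        raise ConfDirError(
            "IPA_CONFDIR must be an absolute path to an existing directory."
        )
    return value


def run_cli(environ, stderr=sys.stderr):
    """Entry point: turn ConfDirError into one stderr line plus exit code.

    Only ConfDirError is caught here, so genuine bugs still surface with a
    traceback instead of being disguised as configuration problems.
    """
    try:
        confdir = resolve_confdir(environ)
    except ConfDirError as e:
        stderr.write("ipa: ERROR: %s\n" % e.msg)
        return e.rval
    # A real command would go on to read its settings from confdir.
    assert os.path.isabs(confdir)
    return 0


if __name__ == "__main__":
    sys.exit(run_cli(os.environ))
```
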
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Mon, 07 Nov 2016 17:11:34 +0100 Subject: [Freeipa-devel] [freeipa PR#205][comment] Support DAL version 5 and version 6 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/205 Title: #205: Support DAL version 5 and version 6 tomaskrizek commented: """ NACK `ipa-server-install` will fail at: ``` Configuring kadmin [1/2]: starting kadmin [2/2]: configuring kadmin to start on boot Done configuring kadmin. ipa.ipapython.install.cli.install_tool(Server): ERROR CA did not start in 300.0s ipa.ipapython.install.cli.install_tool(Server): ERROR The ipa-server-install command failed ``` From `/var/log/pki/pki-tomcat/ca/debug`, it seems PKI can't authenticate towards LDAP: ``` [07/Nov/2016:16:42:11][localhost-startStop-1]: SSL handshake happened Could not connect to LDAP server host vm-059.abc.idm.lab.eng.brq.redhat.com port 636 Error netscape.ldap.LDAPException: Authentication failed (48) ``` """ See the full comment at https://github.com/freeipa/freeipa/pull/205#issuecomment-258879524 From freeipa-github-notification at redhat.com Mon Nov 7 16:16:09 2016 
From: freeipa-github-notification at redhat.com (simo5) Date: Mon, 07 Nov 2016 17:16:09 +0100 Subject: [Freeipa-devel] [freeipa PR#205][comment] Support DAL version 5 and version 6 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/205 Title: #205: Support DAL version 5 and version 6 simo5 commented: """ On Mon, 2016-11-07 at 08:11 -0800, Tomas Krizek wrote: > NACK > > `ipa-server-install` will fail at: > ``` > Configuring kadmin > [1/2]: starting kadmin > [2/2]: configuring kadmin to start on boot > Done configuring kadmin. > ipa.ipapython.install.cli.install_tool(Server): ERROR CA did not start in 300.0s > ipa.ipapython.install.cli.install_tool(Server): ERROR The ipa-server-install command failed > ``` > From `/var/log/pki/pki-tomcat/ca/debug`, it seems PKI can't authenticate towards LDAP: > ``` > [07/Nov/2016:16:42:11][localhost-startStop-1]: SSL handshake happened > Could not connect to LDAP server host vm-059.abc.idm.lab.eng.brq.redhat.com port 636 Error netscape.ldap.LDAPException: Authentication failed (48) > ``` > I've seen this error recently too, but it is unrelated, re-installed on F25 and it went away. I think there is some issue with dogtag in some conditions when you re-install, although I could not figure what it is. Simo. -- Simo Sorce * Red Hat, Inc * New York """ See the full comment at https://github.com/freeipa/freeipa/pull/205#issuecomment-258880929 From freeipa-github-notification at redhat.com Mon Nov 7 16:26:40 2016 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Mon, 07 Nov 2016 17:26:40 +0100 Subject: [Freeipa-devel] [freeipa PR#205][comment] Support DAL version 5 and version 6 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/205 Title: #205: Support DAL version 5 and version 6 tomaskrizek commented: """ It is not caused by re-installing. I've created a new VM when I was testing it. """ See the full comment at https://github.com/freeipa/freeipa/pull/205#issuecomment-258883945 From jumitche at redhat.com Mon Nov 7 16:43:03 2016 From: jumitche at redhat.com (Justin Mitchell) Date: Mon, 07 Nov 2016 16:43:03 +0000 Subject: [Freeipa-devel] Script to setup Kerberized NFS exports using IPA Message-ID: <1478536983.4373.12.camel@redhat.com> I have been working on a python script to setup secure NFS exports using kerberos that relies heavily on FreeIPA, and is in many ways the server side compliment to ipa-client-automount. It attempts to automatically discover the setup, and falls back to asking simple questions, in the same way as ipa-server-install et al do. I'm not sure quite where it would fit best in the freeipa source tree, perhaps under 'client' ? Also, whats would be the best way to submit the script, as a patch or a github pull request ? thanks From mbabinsk at redhat.com Mon Nov 7 16:49:21 2016 
From: mbabinsk at redhat.com (Martin Babinsky) Date: Mon, 7 Nov 2016 17:49:21 +0100 Subject: [Freeipa-devel] Script to setup Kerberized NFS exports using IPA In-Reply-To: <1478536983.4373.12.camel@redhat.com> References: <1478536983.4373.12.camel@redhat.com> Message-ID: On 11/07/2016 05:43 PM, Justin Mitchell wrote: > I have been working on a python script to setup secure NFS exports using > kerberos that relies heavily on FreeIPA, and is in many ways the server > side compliment to ipa-client-automount. It attempts to automatically > discover the setup, and falls back to asking simple questions, in the > same way as ipa-server-install et al do. > > I'm not sure quite where it would fit best in the freeipa source tree, > perhaps under 'client' ? > Also, whats would be the best way to submit the script, as a patch or a > github pull request ? > > thanks > > > If it is a server-side code then it should go into ipaserver/ namespace. We now prefer contributions in form of Github pull-requests. -- Martin^3 Babinsky From freeipa-github-notification at redhat.com Mon Nov 7 17:02:09 2016 From: freeipa-github-notification at redhat.com (simo5) Date: Mon, 07 Nov 2016 18:02:09 +0100 Subject: [Freeipa-devel] [freeipa PR#205][comment] Support DAL version 5 and version 6 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/205 Title: #205: Support DAL version 5 and version 6 simo5 commented: """ Sure, but I do not see how a change in the KDC DAL, can affect PKI connecting to LDAP. Does this problem go away if you remove the patch and re-build/install on the same machine ? """ See the full comment at https://github.com/freeipa/freeipa/pull/205#issuecomment-258894858 From pvoborni at redhat.com Mon Nov 7 17:06:01 2016 
From: pvoborni at redhat.com (Petr Vobornik) Date: Mon, 7 Nov 2016 18:06:01 +0100 Subject: [Freeipa-devel] Script to setup Kerberized NFS exports using IPA In-Reply-To: References: <1478536983.4373.12.camel@redhat.com> Message-ID: On 11/07/2016 05:49 PM, Martin Babinsky wrote: > On 11/07/2016 05:43 PM, Justin Mitchell wrote: >> I have been working on a python script to setup secure NFS exports using >> kerberos that relies heavily on FreeIPA, and is in many ways the server >> side compliment to ipa-client-automount. It attempts to automatically >> discover the setup, and falls back to asking simple questions, in the >> same way as ipa-server-install et al do. >> >> I'm not sure quite where it would fit best in the freeipa source tree, >> perhaps under 'client' ? >> Also, whats would be the best way to submit the script, as a patch or a >> github pull request ? >> >> thanks >> >> >> > > If it is a server-side code then it should go into ipaserver/ namespace. Could you describe the use case in more details? IIUIC it's about configuring NFS server against IPA and not IPA server itself as NFS server. In that case it should be IMO in client package because NFS server is also a client from IPA's perspective. > > We now prefer contributions in form of Github pull-requests. Right -- Petr Vobornik From freeipa-github-notification at redhat.com Mon Nov 7 17:06:56 2016 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Mon, 07 Nov 2016 18:06:56 +0100 Subject: [Freeipa-devel] [freeipa PR#205][comment] Support DAL version 5 and version 6 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/205 Title: #205: Support DAL version 5 and version 6 tomaskrizek commented: """ The issue above is indeed unrelated to this patch. Since KDC installation passed, I think it's safe to assume the patch works. """ See the full comment at https://github.com/freeipa/freeipa/pull/205#issuecomment-258896370 From freeipa-github-notification at redhat.com Mon Nov 7 17:07:01 2016 From: freeipa-github-notification at redhat.com (simo5) Date: Mon, 07 Nov 2016 18:07:01 +0100 Subject: [Freeipa-devel] [freeipa PR#205][+ack] Support DAL version 5 and version 6 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/205 Title: #205: Support DAL version 5 and version 6 Label: +ack From jumitche at redhat.com Mon Nov 7 17:24:32 2016 
From: jumitche at redhat.com (Justin Mitchell) Date: Mon, 07 Nov 2016 17:24:32 +0000 Subject: [Freeipa-devel] Script to setup Kerberized NFS exports using IPA In-Reply-To: References: <1478536983.4373.12.camel@redhat.com> Message-ID: <1478539472.4373.15.camel@redhat.com> On Mon, 2016-11-07 at 18:06 +0100, Petr Vobornik wrote: > On 11/07/2016 05:49 PM, Martin Babinsky wrote: > > On 11/07/2016 05:43 PM, Justin Mitchell wrote: > >> I have been working on a python script to setup secure NFS exports using > >> kerberos that relies heavily on FreeIPA, and is in many ways the server > >> side compliment to ipa-client-automount. It attempts to automatically > >> discover the setup, and falls back to asking simple questions, in the > >> same way as ipa-server-install et al do. > >> > >> I'm not sure quite where it would fit best in the freeipa source tree, > >> perhaps under 'client' ? > >> Also, whats would be the best way to submit the script, as a patch or a > >> github pull request ? > >> > >> thanks > >> > >> > >> > > > > If it is a server-side code then it should go into ipaserver/ namespace. > > Could you describe the use case in more details? > > IIUIC it's about configuring NFS server against IPA and not IPA server > itself as NFS server. In that case it should be IMO in client package > because NFS server is also a client from IPA's perspective. Yes, it is to configure the NFS server, which is already an IPA client, to provide exports to other IPA clients which may like to use ipa-client-automount > > > > > We now prefer contributions in form of Github pull-requests. > Right Okay thanks, i will set that up. From freeipa-github-notification at redhat.com Mon Nov 7 17:35:30 2016 
From: freeipa-github-notification at redhat.com (pspacek) Date: Mon, 07 Nov 2016 18:35:30 +0100 Subject: [Freeipa-devel] [freeipa PR#213][opened] Build system refactoring phase 3 Message-ID: URL: https://github.com/freeipa/freeipa/pull/213 Author: pspacek Title: #213: Build system refactoring phase 3 Action: opened PR body: """ This monster patch-set refactors most of build system and moves most of the logic from SPEC file to build system. It is not yet complete, missing parts are: - [ ] Python 3 support - [ ] Linters are not executed at all - [ ] IPA_VERSION_IS_GIT_SNAPSHOT does not work These will be sorted out later on but the review of the patch set can begin. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/213/head:pr213 git checkout pr213 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-213.patch Type: text/x-diff Size: 188556 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Nov 7 19:29:34 2016 From: freeipa-github-notification at redhat.com (simo5) Date: Mon, 07 Nov 2016 20:29:34 +0100 Subject: [Freeipa-devel] [freeipa PR#205][comment] Support DAL version 5 and version 6 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/205 Title: #205: Support DAL version 5 and version 6 simo5 commented: """ I just verified I reproduce your error in my tree without the patch. """ See the full comment at https://github.com/freeipa/freeipa/pull/205#issuecomment-258937044 From zhenglei at kylinos.cn Tue Nov 8 02:29:29 2016 
From: zhenglei at kylinos.cn (=?utf-8?B?6YOR56OK?=) Date: Tue, 8 Nov 2016 10:29:29 +0800 Subject: [Freeipa-devel] Configuring ipa-otpd error when selinux is enable Message-ID: Hello everyone, I have successfully set up the FreeIPA environment on Ubuntu when selinux is disable. But when selinux is enable, there is a configuring ipa-otpd error occurred. The ipaserver-install.log shows following informations: 2016-11-08T01:55:18Z DEBUG [1/2]: starting ipa-otpd 2016-11-08T01:55:18Z DEBUG Starting external process 2016-11-08T01:55:18Z DEBUG args=/bin/systemctl is-active ipa-otpd.socket 2016-11-08T01:55:18Z DEBUG Process finished, return code=3 2016-11-08T01:55:18Z DEBUG stdout=inactive 2016-11-08T01:55:18Z DEBUG stderr= 2016-11-08T01:55:18Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2016-11-08T01:55:18Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' 2016-11-08T01:55:18Z DEBUG Starting external process 2016-11-08T01:55:18Z DEBUG args=/bin/systemctl restart ipa-otpd.socket 2016-11-08T01:55:18Z DEBUG Process finished, return code=1 2016-11-08T01:55:18Z DEBUG stdout= 2016-11-08T01:55:18Z DEBUG stderr=Job for ipa-otpd.socket failed. See "systemctl status ipa-otpd.socket" and "journalctl -xe" for details. 
2016-11-08T01:55:18Z DEBUG Traceback (most recent call last): File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 447, in start_creation run_step(full_msg, method) File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 437, in run_step method() File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 585, in __start self.restart() File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 347, in restart self.service.restart(instance_name, capture_output=capture_output, wait=wait) File "/usr/lib/python2.7/dist-packages/ipaplatform/base/services.py", line 301, in restart skip_output=not capture_output) File "/usr/lib/python2.7/dist-packages/ipapython/ipautil.py", line 479, in run raise CalledProcessError(p.returncode, arg_string, str(output)) CalledProcessError: Command '/bin/systemctl restart ipa-otpd.socket' returned non-zero exit status 1 2016-11-08T01:55:18Z DEBUG [error] CalledProcessError: Command '/bin/systemctl restart ipa-otpd.socket' returned non-zero exit status 1 2016-11-08T01:55:18Z DEBUG File "/usr/lib/python2.7/dist-packages/ipapython/admintool.py", line 171, in execute return_value = self.run() File "/usr/lib/python2.7/dist-packages/ipapython/install/cli.py", line 318, in run cfgr.run() File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 310, in run self.execute() File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 332, in execute for nothing in self._executor(): File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 372, in __runner self._handle_exception(exc_info) File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 394, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 362, in __runner step() File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 359, in step = lambda: next(self.__gen) File 
"/usr/lib/python2.7/dist-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from six.reraise(*exc_info) File "/usr/lib/python2.7/dist-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from value = gen.send(prev_value) File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 586, in _configure next(executor) File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 372, in __runner self._handle_exception(exc_info) File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 449, in _handle_exception self.__parent._handle_exception(exc_info) File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 394, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 446, in _handle_exception super(ComponentBase, self)._handle_exception(exc_info) File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 394, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 362, in __runner step() File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 359, in step = lambda: next(self.__gen) File "/usr/lib/python2.7/dist-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from six.reraise(*exc_info) File "/usr/lib/python2.7/dist-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from value = gen.send(prev_value) File "/usr/lib/python2.7/dist-packages/ipapython/install/common.py", line 63, in _install for nothing in self._installer(self.parent): File "/usr/lib/python2.7/dist-packages/ipaserver/install/server/install.py", line 1513, in main install(self) File "/usr/lib/python2.7/dist-packages/ipaserver/install/server/install.py", line 267, in decorated func(installer) File "/usr/lib/python2.7/dist-packages/ipaserver/install/server/install.py", line 944, in install 
ipautil.realm_to_suffix(realm_name)) File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 579, in create_instance self.start_creation("Configuring %s" % self.service_name) File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 447, in start_creation run_step(full_msg, method) File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 437, in run_step method() File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 585, in __start self.restart() File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 347, in restart self.service.restart(instance_name, capture_output=capture_output, wait=wait) File "/usr/lib/python2.7/dist-packages/ipaplatform/base/services.py", line 301, in restart skip_output=not capture_output) File "/usr/lib/python2.7/dist-packages/ipapython/ipautil.py", line 479, in run raise CalledProcessError(p.returncode, arg_string, str(output)) 2016-11-08T01:55:18Z DEBUG The ipa-server-install command failed, exception: CalledProcessError: Command '/bin/systemctl restart ipa-otpd.socket' returned non-zero exit status 1 2016-11-08T01:55:18Z ERROR Command '/bin/systemctl restart ipa-otpd.socket' returned non-zero exit status 1 2016-11-08T01:55:18Z ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information the ipa-otpd.socket status is as follows: root at ipaserver:~# systemctl status ipa-otpd.socket ? ipa-otpd.socket - ipa-otpd socket Loaded: loaded (/lib/systemd/system/ipa-otpd.socket; disabled; vendor preset: enabled) Active: failed (Result: exit-code) since ? 2016-11-08 09:55:18 CST; 26min ago Listen: /var/run/krb5kdc/DEFAULT.socket (Stream) Accepted: 0; Connected: 0 Process: 19864 ExecStopPre=/usr/bin/unlink /var/run/krb5kdc/DEFAULT.socket (code=exited, status=1/FAILURE) 11? 08 09:55:18 ipaserver.test.com systemd[1]: Starting ipa-otpd socket. 11? 
08 09:55:18 ipaserver.test.com unlink[19864]: /usr/bin/unlink: Unable to remove '/var/run/krb5kdc/DEFAULT.socket' links: no such files or directories 11? 08 09:55:18 ipaserver.test.com systemd[1]: ipa-otpd.socket: Control process exited, code=exited status=1 11? 08 09:55:18 ipaserver.test.com systemd[1]: Failed to listen on ipa-otpd socket. 11? 08 09:55:18 ipaserver.test.com systemd[1]: ipa-otpd.socket: Unit entered failed state. I found that the file or directory is automatically created when ipa-otpd.socket is started. Is there anyone help me? Thank you! From ftweedal at redhat.com Tue Nov 8 02:37:39 2016 
From: ftweedal at redhat.com (Fraser Tweedale) Date: Tue, 8 Nov 2016 12:37:39 +1000 Subject: [Freeipa-devel] Configuring ipa-otpd error when selinux is enable In-Reply-To: References: Message-ID: <20161108023739.GV8861@dhcp-40-8.bne.redhat.com> On Tue, Nov 08, 2016 at 10:29:29AM +0800, ?? wrote: > Hello everyone, > > I have successfully set up the FreeIPA environment on Ubuntu when selinux is disable. But when selinux is enable, there is a configuring ipa-otpd error occurred. > > The ipaserver-install.log shows following informations: > 2016-11-08T01:55:18Z DEBUG [1/2]: starting ipa-otpd > 2016-11-08T01:55:18Z DEBUG Starting external process > 2016-11-08T01:55:18Z DEBUG args=/bin/systemctl is-active ipa-otpd.socket > 2016-11-08T01:55:18Z DEBUG Process finished, return code=3 > 2016-11-08T01:55:18Z DEBUG stdout=inactive > > 2016-11-08T01:55:18Z DEBUG stderr= > 2016-11-08T01:55:18Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2016-11-08T01:55:18Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' > 2016-11-08T01:55:18Z DEBUG Starting external process > 2016-11-08T01:55:18Z DEBUG args=/bin/systemctl restart ipa-otpd.socket > 2016-11-08T01:55:18Z DEBUG Process finished, return code=1 > 2016-11-08T01:55:18Z DEBUG stdout= > 2016-11-08T01:55:18Z DEBUG stderr=Job for ipa-otpd.socket failed. See "systemctl status ipa-otpd.socket" and "journalctl -xe" for details. 
> > 2016-11-08T01:55:18Z DEBUG Traceback (most recent call last): > File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 447, in start_creation > run_step(full_msg, method) > File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 437, in run_step > method() > File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 585, in __start > self.restart() > File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 347, in restart > self.service.restart(instance_name, capture_output=capture_output, wait=wait) > File "/usr/lib/python2.7/dist-packages/ipaplatform/base/services.py", line 301, in restart > skip_output=not capture_output) > File "/usr/lib/python2.7/dist-packages/ipapython/ipautil.py", line 479, in run > raise CalledProcessError(p.returncode, arg_string, str(output)) > CalledProcessError: Command '/bin/systemctl restart ipa-otpd.socket' returned non-zero exit status 1 > > 2016-11-08T01:55:18Z DEBUG [error] CalledProcessError: Command '/bin/systemctl restart ipa-otpd.socket' returned non-zero exit status 1 > 2016-11-08T01:55:18Z DEBUG File "/usr/lib/python2.7/dist-packages/ipapython/admintool.py", line 171, in execute > return_value = self.run() > File "/usr/lib/python2.7/dist-packages/ipapython/install/cli.py", line 318, in run > cfgr.run() > File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 310, in run > self.execute() > File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 332, in execute > for nothing in self._executor(): > File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 372, in __runner > self._handle_exception(exc_info) > File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 394, in _handle_exception > six.reraise(*exc_info) > File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 362, in __runner > step() > File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 359, 
in > step = lambda: next(self.__gen) > File "/usr/lib/python2.7/dist-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from > six.reraise(*exc_info) > File "/usr/lib/python2.7/dist-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from > value = gen.send(prev_value) > File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 586, in _configure > next(executor) > File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 372, in __runner > self._handle_exception(exc_info) > File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 449, in _handle_exception > self.__parent._handle_exception(exc_info) > File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 394, in _handle_exception > six.reraise(*exc_info) > File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 446, in _handle_exception > super(ComponentBase, self)._handle_exception(exc_info) > File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 394, in _handle_exception > six.reraise(*exc_info) > File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 362, in __runner > step() > File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 359, in > step = lambda: next(self.__gen) > File "/usr/lib/python2.7/dist-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from > six.reraise(*exc_info) > File "/usr/lib/python2.7/dist-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from > value = gen.send(prev_value) > File "/usr/lib/python2.7/dist-packages/ipapython/install/common.py", line 63, in _install > for nothing in self._installer(self.parent): > File "/usr/lib/python2.7/dist-packages/ipaserver/install/server/install.py", line 1513, in main > install(self) > File "/usr/lib/python2.7/dist-packages/ipaserver/install/server/install.py", line 267, in decorated > func(installer) > File 
"/usr/lib/python2.7/dist-packages/ipaserver/install/server/install.py", line 944, in install > ipautil.realm_to_suffix(realm_name)) > File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 579, in create_instance > self.start_creation("Configuring %s" % self.service_name) > File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 447, in start_creation > run_step(full_msg, method) > File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 437, in run_step > method() > File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 585, in __start > self.restart() > File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 347, in restart > self.service.restart(instance_name, capture_output=capture_output, wait=wait) > File "/usr/lib/python2.7/dist-packages/ipaplatform/base/services.py", line 301, in restart > skip_output=not capture_output) > File "/usr/lib/python2.7/dist-packages/ipapython/ipautil.py", line 479, in run > raise CalledProcessError(p.returncode, arg_string, str(output)) > > 2016-11-08T01:55:18Z DEBUG The ipa-server-install command failed, exception: CalledProcessError: Command '/bin/systemctl restart ipa-otpd.socket' returned non-zero exit status 1 > 2016-11-08T01:55:18Z ERROR Command '/bin/systemctl restart ipa-otpd.socket' returned non-zero exit status 1 > 2016-11-08T01:55:18Z ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information > > the ipa-otpd.socket status is as follows: > root at ipaserver:~# systemctl status ipa-otpd.socket > ? ipa-otpd.socket - ipa-otpd socket > Loaded: loaded (/lib/systemd/system/ipa-otpd.socket; disabled; vendor preset: enabled) > Active: failed (Result: exit-code) since ? 
2016-11-08 09:55:18 CST; 26min ago > Listen: /var/run/krb5kdc/DEFAULT.socket (Stream) > Accepted: 0; Connected: 0 > Process: 19864 ExecStopPre=/usr/bin/unlink /var/run/krb5kdc/DEFAULT.socket (code=exited, status=1/FAILURE) > > 11? 08 09:55:18 ipaserver.test.com systemd[1]: Starting ipa-otpd socket. > 11? 08 09:55:18 ipaserver.test.com unlink[19864]: /usr/bin/unlink: Unable to remove '/var/run/krb5kdc/DEFAULT.socket' links: no such files or directories > 11? 08 09:55:18 ipaserver.test.com systemd[1]: ipa-otpd.socket: Control process exited, code=exited status=1 > 11? 08 09:55:18 ipaserver.test.com systemd[1]: Failed to listen on ipa-otpd socket. > 11? 08 09:55:18 ipaserver.test.com systemd[1]: ipa-otpd.socket: Unit entered failed state. > I found that the file or directory is automatically created when ipa-otpd.socket is started. > > Is there anyone help me? > > Thank you! > Thanks for reporting. It is a known issue. There is a ticket against selinux-policy-targeted: https://bugzilla.redhat.com/show_bug.cgi?id=1384872 Until it is resolved, you will have to `setenforce 0`. Cheers, Fraser From zhenglei at kylinos.cn Tue Nov 8 02:43:08 2016 From: zhenglei at kylinos.cn (=?utf-8?B?6YOR56OK?=) Date: Tue, 8 Nov 2016 10:43:08 +0800 Subject: [Freeipa-devel] Configuring ipa-otpd error when selinux is enable In-Reply-To: <20161108023739.GV8861@dhcp-40-8.bne.redhat.com> References: <20161108023739.GV8861@dhcp-40-8.bne.redhat.com> Message-ID: Thank you for your reply! I have already performed `setenforce 0` and the selinux mode is already permissive, but the problem still exists. ------------------ Original ------------------ 
From: "Fraser Tweedale"; Date: Tue, Nov 8, 2016 10:37 AM
To: "??"; Cc: "freeipa-devel";
Subject: Re: [Freeipa-devel] Configuring ipa-otpd error when selinux is enable

On Tue, Nov 08, 2016 at 10:29:29AM +0800, ?? wrote:
> Hello everyone,
>
> I have successfully set up the FreeIPA environment on Ubuntu when selinux is disable. But when selinux is enable, there is a configuring ipa-otpd error occurred.
>
> The ipaserver-install.log shows following informations:
> 2016-11-08T01:55:18Z DEBUG [1/2]: starting ipa-otpd
> 2016-11-08T01:55:18Z DEBUG Starting external process
> 2016-11-08T01:55:18Z DEBUG args=/bin/systemctl is-active ipa-otpd.socket
> 2016-11-08T01:55:18Z DEBUG Process finished, return code=3
> 2016-11-08T01:55:18Z DEBUG stdout=inactive
>
> 2016-11-08T01:55:18Z DEBUG stderr=
> 2016-11-08T01:55:18Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
> 2016-11-08T01:55:18Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
> 2016-11-08T01:55:18Z DEBUG Starting external process
> 2016-11-08T01:55:18Z DEBUG args=/bin/systemctl restart ipa-otpd.socket
> 2016-11-08T01:55:18Z DEBUG Process finished, return code=1
> 2016-11-08T01:55:18Z DEBUG stdout=
> 2016-11-08T01:55:18Z DEBUG stderr=Job for ipa-otpd.socket failed. See "systemctl status ipa-otpd.socket" and "journalctl -xe" for details.
>
> 2016-11-08T01:55:18Z DEBUG Traceback (most recent call last):
>   File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 447, in start_creation
>     run_step(full_msg, method)
>   File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 437, in run_step
>     method()
>   File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 585, in __start
>     self.restart()
>   File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 347, in restart
>     self.service.restart(instance_name, capture_output=capture_output, wait=wait)
>   File "/usr/lib/python2.7/dist-packages/ipaplatform/base/services.py", line 301, in restart
>     skip_output=not capture_output)
>   File "/usr/lib/python2.7/dist-packages/ipapython/ipautil.py", line 479, in run
>     raise CalledProcessError(p.returncode, arg_string, str(output))
> CalledProcessError: Command '/bin/systemctl restart ipa-otpd.socket' returned non-zero exit status 1
>
> 2016-11-08T01:55:18Z DEBUG [error] CalledProcessError: Command '/bin/systemctl restart ipa-otpd.socket' returned non-zero exit status 1
> 2016-11-08T01:55:18Z DEBUG   File "/usr/lib/python2.7/dist-packages/ipapython/admintool.py", line 171, in execute
>     return_value = self.run()
>   File "/usr/lib/python2.7/dist-packages/ipapython/install/cli.py", line 318, in run
>     cfgr.run()
>   File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 310, in run
>     self.execute()
>   File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 332, in execute
>     for nothing in self._executor():
>   File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 372, in __runner
>     self._handle_exception(exc_info)
>   File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 394, in _handle_exception
>     six.reraise(*exc_info)
>   File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 362, in __runner
>     step()
>   File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 359, in <lambda>
>     step = lambda: next(self.__gen)
>   File "/usr/lib/python2.7/dist-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
>     six.reraise(*exc_info)
>   File "/usr/lib/python2.7/dist-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
>     value = gen.send(prev_value)
>   File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 586, in _configure
>     next(executor)
>   File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 372, in __runner
>     self._handle_exception(exc_info)
>   File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 449, in _handle_exception
>     self.__parent._handle_exception(exc_info)
>   File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 394, in _handle_exception
>     six.reraise(*exc_info)
>   File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 446, in _handle_exception
>     super(ComponentBase, self)._handle_exception(exc_info)
>   File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 394, in _handle_exception
>     six.reraise(*exc_info)
>   File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 362, in __runner
>     step()
>   File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 359, in <lambda>
>     step = lambda: next(self.__gen)
>   File "/usr/lib/python2.7/dist-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
>     six.reraise(*exc_info)
>   File "/usr/lib/python2.7/dist-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
>     value = gen.send(prev_value)
>   File "/usr/lib/python2.7/dist-packages/ipapython/install/common.py", line 63, in _install
>     for nothing in self._installer(self.parent):
>   File "/usr/lib/python2.7/dist-packages/ipaserver/install/server/install.py", line 1513, in main
>     install(self)
>   File "/usr/lib/python2.7/dist-packages/ipaserver/install/server/install.py", line 267, in decorated
>     func(installer)
>   File "/usr/lib/python2.7/dist-packages/ipaserver/install/server/install.py", line 944, in install
>     ipautil.realm_to_suffix(realm_name))
>   File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 579, in create_instance
>     self.start_creation("Configuring %s" % self.service_name)
>   File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 447, in start_creation
>     run_step(full_msg, method)
>   File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 437, in run_step
>     method()
>   File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 585, in __start
>     self.restart()
>   File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 347, in restart
>     self.service.restart(instance_name, capture_output=capture_output, wait=wait)
>   File "/usr/lib/python2.7/dist-packages/ipaplatform/base/services.py", line 301, in restart
>     skip_output=not capture_output)
>   File "/usr/lib/python2.7/dist-packages/ipapython/ipautil.py", line 479, in run
>     raise CalledProcessError(p.returncode, arg_string, str(output))
>
> 2016-11-08T01:55:18Z DEBUG The ipa-server-install command failed, exception: CalledProcessError: Command '/bin/systemctl restart ipa-otpd.socket' returned non-zero exit status 1
> 2016-11-08T01:55:18Z ERROR Command '/bin/systemctl restart ipa-otpd.socket' returned non-zero exit status 1
> 2016-11-08T01:55:18Z ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
>
> the ipa-otpd.socket status is as follows:
> root@ipaserver:~# systemctl status ipa-otpd.socket
> ? ipa-otpd.socket - ipa-otpd socket
>    Loaded: loaded (/lib/systemd/system/ipa-otpd.socket; disabled; vendor preset: enabled)
>    Active: failed (Result: exit-code) since ? 2016-11-08 09:55:18 CST; 26min ago
>    Listen: /var/run/krb5kdc/DEFAULT.socket (Stream)
>    Accepted: 0; Connected: 0
>    Process: 19864 ExecStopPre=/usr/bin/unlink /var/run/krb5kdc/DEFAULT.socket (code=exited, status=1/FAILURE)
>
> 11? 08 09:55:18 ipaserver.test.com systemd[1]: Starting ipa-otpd socket.
> 11? 08 09:55:18 ipaserver.test.com unlink[19864]: /usr/bin/unlink: Unable to remove '/var/run/krb5kdc/DEFAULT.socket' links: no such files or directories
> 11? 08 09:55:18 ipaserver.test.com systemd[1]: ipa-otpd.socket: Control process exited, code=exited status=1
> 11? 08 09:55:18 ipaserver.test.com systemd[1]: Failed to listen on ipa-otpd socket.
> 11? 08 09:55:18 ipaserver.test.com systemd[1]: ipa-otpd.socket: Unit entered failed state.
> I found that the file or directory is automatically created when ipa-otpd.socket is started.
>
> Is there anyone help me?
>
> Thank you!
>

Thanks for reporting. It is a known issue. There is a ticket
against selinux-policy-targeted:
https://bugzilla.redhat.com/show_bug.cgi?id=1384872

Until it is resolved, you will have to `setenforce 0`.

Cheers,
Fraser

From zhenglei at kylinos.cn Tue Nov 8 03:51:57 2016
From: zhenglei at kylinos.cn (郑磊)
Date: Tue, 8 Nov 2016 11:51:57 +0800
Subject: [Freeipa-devel] Configuring ipa-otpd error when selinux isenable
In-Reply-To:
References: <20161108023739.GV8861@dhcp-40-8.bne.redhat.com>
Message-ID:

The problem is solved. The reason is that the path of ExecStart program is incorrect in the /lib/systemd/system/ipa-otpd@.service file.

Need to make the following changes:

[Unit]
Description=ipa-otpd service

[Service]
EnvironmentFile=/etc/ipa/default.conf
ExecStart=/usr/lib/ipa-otpd $ldap_uri
StandardInput=socket
StandardOutput=socket
StandardError=syslog

change to

[Unit]
Description=ipa-otpd service

[Service]
EnvironmentFile=/etc/ipa/default.conf
ExecStart=/usr/lib/ipa/ipa-otpd $ldap_uri
StandardInput=socket
StandardOutput=socket
StandardError=syslog

Note: my system is Ubuntu.

------------------ Original ------------------
From: "??"; Date: Tue, Nov 8, 2016 10:43 AM
To: "Fraser Tweedale"; Cc: "freeipa-devel";
Subject: Re: [Freeipa-devel] Configuring ipa-otpd error when selinux isenable

Thank you for your reply!
I have already performed `setenforce 0` and the selinux mode is already permissive, but the problem still exists.

From lslebodn at redhat.com Tue Nov 8 06:06:05 2016
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Tue, 8 Nov 2016 07:06:05 +0100
Subject: [Freeipa-devel] Configuring ipa-otpd error when selinux is enable
In-Reply-To:
References:
Message-ID: <20161108060604.GA25346@10.4.128.1>

On (08/11/16 10:29), ?? wrote:
>Hello everyone,
>
>I have successfully set up the FreeIPA environment on Ubuntu when selinux is disable. But when selinux is enable, there is a configuring ipa-otpd error occurred.
>
>The ipaserver-install.log shows following informations:
>
>the ipa-otpd.socket status is as follows:
>root at ipaserver:~# systemctl status ipa-otpd.socket
>? ipa-otpd.socket - ipa-otpd socket
> Loaded: loaded (/lib/systemd/system/ipa-otpd.socket; disabled; vendor preset: enabled)
> Active: failed (Result: exit-code) since ? 2016-11-08 09:55:18 CST; 26min ago
> Listen: /var/run/krb5kdc/DEFAULT.socket (Stream)
> Accepted: 0; Connected: 0
> Process: 19864 ExecStopPre=/usr/bin/unlink /var/run/krb5kdc/DEFAULT.socket (code=exited, status=1/FAILURE)
>
>11? 
08 09:55:18 ipaserver.test.com systemd[1]: Starting ipa-otpd socket.
>11? 08 09:55:18 ipaserver.test.com unlink[19864]: /usr/bin/unlink: Unable to remove '/var/run/krb5kdc/DEFAULT.socket' links: no such files or directories
>11? 08 09:55:18 ipaserver.test.com systemd[1]: ipa-otpd.socket: Control process exited, code=exited status=1
>11? 08 09:55:18 ipaserver.test.com systemd[1]: Failed to listen on ipa-otpd socket.
>11? 08 09:55:18 ipaserver.test.com systemd[1]: ipa-otpd.socket: Unit entered failed state.
>I found that the file or directory is automatically created when ipa-otpd.socket is started.
>
>Is there anyone help me?
>

Are you sure it's caused by SELinux?
IIRC Ubuntu has apparmor and not SELinux.

And BTW this mail thread should have been on freeipa-users and not on devel.

LS

From zhenglei at kylinos.cn Tue Nov 8 06:20:04 2016
From: zhenglei at kylinos.cn (郑磊)
Date: Tue, 8 Nov 2016 14:20:04 +0800
Subject: [Freeipa-devel] Configuring ipa-otpd error when selinux is enable
In-Reply-To: <20161108060604.GA25346@10.4.128.1>
References: <20161108060604.GA25346@10.4.128.1>
Message-ID:

Thank you for your reply!
The problem is solved. The reason is that the path of ExecStart program is incorrect in the /lib/systemd/system/ipa-otpd@.service file.
I will send mail to freeipa-users if there is any problem.

From jcholast at redhat.com Tue Nov 8 06:54:15 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Tue, 8 Nov 2016 07:54:15 +0100
Subject: [Freeipa-devel] [Design Review Request] V4/Automatic_Certificate_Request_Generation
In-Reply-To:
References: <8198a4a5-14fa-485f-fa89-325468b65c96@redhat.com>
 <23f5ad4f-c624-87db-0807-770979880bfb@redhat.com>
 <20160725111123.qthtarfgcsfbdnzk@redhat.com>
 <4eb3fe2f-ac80-4cf9-0f17-1c420fd52034@redhat.com>
 <57f0be1e-2915-fa33-d579-f173f1f5d019@redhat.com>
 <4f2f65ed-e525-1f04-f19b-c8a00b23001f@redhat.com>
 <57BF50E1.8030209@redhat.com>
 <82017bee-a989-cbe5-d5ed-f481441269e6@redhat.com>
 <8d6899e2-4357-8bf2-4e3e-dfd2c2466b01@redhat.com>
Message-ID: <6c0d2e30-c589-80ca-7395-355c053ad82a@redhat.com>

On 3.11.2016 00:18, Ben Lipton wrote:
> On 10/20/2016 03:52 PM, Ben Lipton wrote:
>> On 10/17/2016 02:16 AM, Jan Cholasta wrote:
>>> On 13.10.2016 17:23, Ben Lipton wrote:
>>>> Thank you, this was a really helpful clarification of your point.
>>>> Comments below. Once again, I'm sorry I missed the email for so long.
>>>>
>>>> Ben
>>>>
>>>> On 09/05/2016 06:52 AM, Jan Cholasta wrote:
>>>>> On 27.8.2016 22:40, Ben Lipton wrote:
>>>>>> On 08/25/2016 04:11 PM, Rob Crittenden wrote:
>>>>>>> Ben Lipton wrote:
>>>>>>>> On 08/23/2016 03:54 AM, Jan Cholasta wrote:
>>>>>>>>> On 8.8.2016 22:23, Ben Lipton wrote:
>>>>>>>>>> On 07/25/2016 07:45 AM, Jan Cholasta wrote:
>>>>>>>>>>> On 25.7.2016 13:11, Alexander Bokovoy wrote:
>>>>>>>>>>>> On Mon, 25 Jul 2016, Jan Cholasta wrote:
>>>>>>>>>>>>> On 20.7.2016 16:05, Ben Lipton wrote:
>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Thanks very much for the feedback! Some responses below; I hope
>>>>>>>>>>>>>> you'll let me know what you think of my reasoning.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On 07/20/2016 04:20 AM, Jan Cholasta wrote:
>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On 17.6.2016 00:06, Ben Lipton wrote:
>>>>>>>>>>>>>>>> On 06/14/2016 08:27 AM, Ben Lipton wrote:
>>>>>>>>>>>>>>>>> Hello all,
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> I have written up a design proposal for making certificate
>>>>>>>>>>>>>>>>> requests easier to generate when using alternate certificate
>>>>>>>>>>>>>>>>> profiles:
>>>>>>>>>>>>>>>>> http://www.freeipa.org/page/V4/Automatic_Certificate_Request_Generation.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> The use case for this is described in
>>>>>>>>>>>>>>>>> https://fedorahosted.org/freeipa/ticket/4899. I will be
>>>>>>>>>>>>>>>>> working on implementing this design over the next couple of
>>>>>>>>>>>>>>>>> months. If you have the time and interest, please take a look
>>>>>>>>>>>>>>>>> and share any comments or concerns that you have.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Thanks!
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Ben
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Just a quick update to say that I've created a new document
>>>>>>>>>>>>>>>> that covers the proposed schema additions in a more descriptive
>>>>>>>>>>>>>>>> way (with diagrams!) I'm very new to developing with LDAP, so
>>>>>>>>>>>>>>>> some more experienced eyes on the proposal would be very
>>>>>>>>>>>>>>>> helpful, even if you don't have time to absorb the full design.
>>>>>>>>>>>>>>>> Please take a look at
>>>>>>>>>>>>>>>> http://www.freeipa.org/page/V4/Automatic_Certificate_Request_Generation/Schema
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> if you have a chance.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I finally had a chance to take a look at this, here are some
>>>>>>>>>>>>>>> comments:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> 1) I don't like how transformation rules are tied to a particular
>>>>>>>>>>>>>>> helper and have to be duplicated for each of them. They should be
>>>>>>>>>>>>>>> generic and work with any helper, as helpers are just an
>>>>>>>>>>>>>>> implementation detail and their resulting data is the same.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> In fact, I think I would prefer if the CSR was generated using
>>>>>>>>>>>>>>> python-cryptography's CertificateSigningRequestBuilder [1] rather
>>>>>>>>>>>>>>> than openssl or certutil or any other command line tool.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>> There are lots of tools that users might want to use to manage
>>>>>>>>>>>>>> their private keys, so I don't know if we can assume that whatever
>>>>>>>>>>>>>> library we prefer will actually be able to access the private key
>>>>>>>>>>>>>> to sign a CSR, which is why I thought it would be useful to support
>>>>>>>>>>>>>> more than one.
>>>>>>>>>>>>>
>>>>>>>>>>>>> python-cryptography has the notion of backends, which allow it to
>>>>>>>>>>>>> support multiple crypto implementations. Upstream it currently
>>>>>>>>>>>>> supports only OpenSSL [2], but some work has been done on PKCS#11
>>>>>>>>>>>>> backend [3], which provides support for HSMs and soft-tokens (like
>>>>>>>>>>>>> NSS databases).
>>>>>>>>>>>>> >>>>>>>>>>>>> Alternatively, for NSS databases (and other "simple" >>>>>>>>>>>>> cases), you >>>>>>>>>>>>> can >>>>>>>>>>>>> generate the private key with python-cryptography using the >>>>>>>>>>>>> default >>>>>>>>>>>>> backend, export it to a file and import the file to the target >>>>>>>>>>>>> database, so you don't actually need the PKCS#11 backend for >>>>>>>>>>>>> them. >>>>>>>>>>>>> >>>>>>>>>>>>> So, the only thing that's currently lacking is HSM support, >>>>>>>>>>>>> but >>>>>>>>>>>>> given >>>>>>>>>>>>> that we don't support HSMs in IPA nor in certmonger, I don't >>>>>>>>>>>>> think >>>>>>>>>>>>> it's an issue for now. >>>>>>>>>>>>> >>>>>>>>>>>>>> The >>>>>>>>>>>>>> purpose of the mapping rule is to tie together the >>>>>>>>>>>>>> transformation >>>>>>>>>>>>>> rules >>>>>>>>>>>>>> that produce the same data into an object that's >>>>>>>>>>>>>> implementation-agnostic, so that profiles referencing those >>>>>>>>>>>>>> rules >>>>>>>>>>>>>> are >>>>>>>>>>>>>> automatically compatible with all the helper options. >>>>>>>>>>>>> >>>>>>>>>>>>> They are implementation-agnostic, as long as you consider >>>>>>>>>>>>> `openssl` >>>>>>>>>>>>> and `certutil` the only implementations :-) But I don't think >>>>>>>>>>>>> this >>>>>>>>>>>>> solution scales well to other possible implementations. >>>>>>>>>>>>> >>>>>>>>>>>>> Anyway, my main grudge is that the transformation rules >>>>>>>>>>>>> shouldn't >>>>>>>>>>>>> really be stored on and processed by the server. The server >>>>>>>>>>>>> should >>>>>>>>>>>>> know the *what* (mapping rules), but not the *how* >>>>>>>>>>>>> (transformation >>>>>>>>>>>>> rules). The *how* is an implementation detail and does not >>>>>>>>>>>>> change in >>>>>>>>>>>>> time, so there's no benefit in handling it on the server. 
It >>>>>>>>>>>>> should be >>>>>>>>>>>>> handled exclusively on the client, which I believe would also >>>>>>>>>>>>> make >>>>>>>>>>>>> the >>>>>>>>>>>>> whole thing more robust (it would not be possible for a bug on >>>>>>>>>>>>> the >>>>>>>>>>>>> server to break all the clients). >>>>>>>>>>>> This is a good point. However, for the scope of Ben's project >>>>>>>>>>>> can we >>>>>>>>>>>> limit it by openssl and certutil support? Otherwise Ben >>>>>>>>>>>> wouldn't be >>>>>>>>>>>> able >>>>>>>>>>>> to complete the project in time. >>>>>>>>>>> >>>>>>>>>>> I'm fine with that, but I don't think it's up to me :-) >>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>>>> This is turning out to be a common (and, I think, reasonable) >>>>>>>>>>>>>> reaction >>>>>>>>>>>>>> to the proposal. It is rather complex, and I worry that it >>>>>>>>>>>>>> will be >>>>>>>>>>>>>> difficult to configure. On the other hand, there is some >>>>>>>>>>>>>> hidden >>>>>>>>>>>>>> complexity to enabling a simpler config format, as well. >>>>>>>>>>>>>> One of >>>>>>>>>>>>>> the >>>>>>>>>>>>>> goals of the project as it was presented to me was to >>>>>>>>>>>>>> allow the >>>>>>>>>>>>>> creation >>>>>>>>>>>>>> of profiles that add certificate extensions *that FreeIPA >>>>>>>>>>>>>> doesn't >>>>>>>>>>>>>> yet >>>>>>>>>>>>>> know about*. With the current proposal, one only has to add a >>>>>>>>>>>>>> rule >>>>>>>>>>>>>> generating text that the helper will understand. >>>>>>>>>>>>> >>>>>>>>>>>>> ... which will be possible only as long as the helper >>>>>>>>>>>>> understands the >>>>>>>>>>>>> extension. Which it might not, thus the current proposal works >>>>>>>>>>>>> only >>>>>>>>>>>>> for *some* extensions that FreeIPA doesn't yet support. >>>>>>>>>>>> We can go ad infinitum here but with any helper implementation, >>>>>>>>>>>> be it >>>>>>>>>>>> python-cryptography or anything else, you will need to have a >>>>>>>>>>>> support >>>>>>>>>>>> there as well. 
>>>>>>>>>>> >>>>>>>>>>> My point was that the current proposal is not any better than my >>>>>>>>>>> proposal in this regard, as neither of them allows one to use an >>>>>>>>>>> arbitrary extension. >>>>>>>>>>> >>>>>>>>>>>> The idea with unknown extensions was to allow mapping >>>>>>>>>>>> their acceptance to a specific relationship between IPA objects >>>>>>>>>>>> (optionally) and an input from the CSR. A simplest example >>>>>>>>>>>> would >>>>>>>>>>>> be an >>>>>>>>>>>> identity rule that would copy an ASN.1 encoded content from the >>>>>>>>>>>> CSR to >>>>>>>>>>>> the certificate. >>>>>>>>>>>> >>>>>>>>>>>> That's on the mapping side, not on the CSR generation side, >>>>>>>>>>>> but it >>>>>>>>>>>> would >>>>>>>>>>>> go similarly for the CSR if you would be able to enter >>>>>>>>>>>> unknown but >>>>>>>>>>>> otherwise correct ASN.1 stream. There is no difference at which >>>>>>>>>>>> helper >>>>>>>>>>>> type we are talking about because all of them support inserting >>>>>>>>>>>> ASN.1 >>>>>>>>>>>> content. >>>>>>>>>>>> >>>>>>>>>>>>>> With your suggestion, >>>>>>>>>>>>>> if there's a mapping between "san_directoryname" and the >>>>>>>>>>>>>> corresponding >>>>>>>>>>>>>> API calls or configuration lines, we need some way for >>>>>>>>>>>>>> users to >>>>>>>>>>>>>> augment >>>>>>>>>>>>>> that mapping without changing the code. 
If there's no >>>>>>>>>>>>>> mapping, and >>>>>>>>>>>>>> it's >>>>>>>>>>>>>> just done with text processing, we need enough in the config >>>>>>>>>>>>>> format to >>>>>>>>>>>>>> be able to generate fairly complex structures: >>>>>>>>>>>>>> >>>>>>>>>>>>>> builder = >>>>>>>>>>>>>> builder.subject_name(x509.Name(u'CN=user,O=EXAMPLE.COM')) >>>>>>>>>>>>>> builder = >>>>>>>>>>>>>> builder.add_extension(x509.SubjectAlternativeName([x509.RFC822Name(u'user at example.com'), >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> x509.DirectoryName(x509.Name(u'CN=user,O=EXAMPLE.COM'))]), >>>>>>>>>>>>>> False) >>>>>>>>>>>>>> >>>>>>>>>>>>>> and we need to do it without it being equivalent to calling >>>>>>>>>>>>>> eval() on >>>>>>>>>>>>>> the config attributes. I'm not sure how to achieve this >>>>>>>>>>>>>> (is it >>>>>>>>>>>>>> safe to >>>>>>>>>>>>>> call getattr(x509, extensiontype)(value) where >>>>>>>>>>>>>> extensiontype and >>>>>>>>>>>>>> value >>>>>>>>>>>>>> are user-specified?) and it definitely would have to be tied >>>>>>>>>>>>>> to a >>>>>>>>>>>>>> particular library/tool. >>>>>>>>>>>>> >>>>>>>>>>>>> As I pointed out above, this needs to be figured out for the >>>>>>>>>>>>> generic >>>>>>>>>>>>> case for both the current proposal and my suggestion. >>>>>>>>>> I have a proof of concept[1] for using openssl-based rules to >>>>>>>>>> add a >>>>>>>>>> subject alt name extension without using openssl's knowledge >>>>>>>>>> of that >>>>>>>>>> extension. It's not extremely pretty, and it took some trial and >>>>>>>>>> error, >>>>>>>>>> but no code changes. So, I think this actually is a difference >>>>>>>>>> between >>>>>>>>>> the two proposals. >>>>>>>>> >>>>>>>>> With the obvious catch being that it works only with OpenSSL, >>>>>>>>> which >>>>>>>>> might not work for everyone, e.g. when using HSMs or >>>>>>>>> SmartCards, due >>>>>>>>> to a limited PKCS#11 support in OpenSSL. >>>>>>>> >>>>>>>> Very true. 
Even certutil's equivalent feature (--extGeneric) >>>>>>>> doesn't >>>>>>>> seem like it would work very well in this context, as you are >>>>>>>> supposed >>>>>>>> to pass in an already-encoded extension, so text-based templating >>>>>>>> wouldn't be able to do much. >>>>>>> >>>>>>> Yeah, I struggled with this myself. I ended up writing a pyasn1 >>>>>>> script >>>>>>> to generate the extension I needed, wrote that to a file, and passed >>>>>>> it to certutil using: >>>>>>> >>>>>>> --extGeneric 2.5.29.17:not-critical:/path/to/msupn.der >>>>>>> >>>>>>>>> >>>>>>>>>> >>>>>>>>>> Next we have the easy case, extensions that we as FreeIPA >>>>>>>>>> developers >>>>>>>>>> know are important and build support for. For these, the two >>>>>>>>>> proposals >>>>>>>>>> work equivalently well, but yours is simpler to configure because >>>>>>>>>> the >>>>>>>>>> knowledge of how to make a san_rfc822name is built into the >>>>>>>>>> library >>>>>>>>>> instead of being stored on the server as a set of rules. >>>>>>>>>> >>>>>>>>>> Finally, we have the case of extensions that are known to the >>>>>>>>>> helper, >>>>>>>>>> but not to FreeIPA. In the existing proposal, new rules can be >>>>>>>>>> written >>>>>>>>>> to support these extensions under a particular helper. Further, >>>>>>>>>> those >>>>>>>>>> rules can be used by reference in many profiles, reducing >>>>>>>>>> duplication of >>>>>>>>>> effort/data/errors. >>>>>>>>>> >>>>>>>>>> As I understand it, the main objections in this thread are that >>>>>>>>>> transformation rules are implementation (i.e. helper) specific >>>>>>>>>> data >>>>>>>>>> stored in the IPA server, and that the system has several >>>>>>>>>> levels of >>>>>>>>>> schema when it could just embed rules in the profile. But without >>>>>>>>>> helper-specific rules, administrators could not take advantage of >>>>>>>>>> the >>>>>>>>>> additional extensions supported by the helper they are using. 
>>>>>>>>> >>>>>>>>> There is *no* advantage in forcing the user to choose between >>>>>>>>> helpers >>>>>>>>> which differ only in the set of limitations on the CSR they are >>>>>>>>> able >>>>>>>>> to produce. The user should specify a) where the private key is >>>>>>>>> located and b) what profile to use, and that's it, it should just >>>>>>>>> work. >>>>>>>> Ok, this is a good point about usability. The user creating the CSR >>>>>>>> shouldn't have to care about helpers, and I agree that the >>>>>>>> current way >>>>>>>> they are exposed is clunky. I do think that an administrator >>>>>>>> creating >>>>>>>> custom rules might want to take advantage of a helper, so they >>>>>>>> wouldn't >>>>>>>> need to understand the ASN.1 representation of their chosen >>>>>>>> certificate >>>>>>>> extension. Of course, the desired extension might not be >>>>>>>> supported by >>>>>>>> the helper either. Since I don't know what specific extensions >>>>>>>> people >>>>>>>> will want to use this for, I don't know how to balance the better >>>>>>>> administrator experience of adding extensions via a helper with the >>>>>>>> limited extension support. >>>>>>>> >>>>>>>> The original reason we arrived at the concept of "helpers" was to >>>>>>>> support different ways of getting at private keys, but perhaps this >>>>>>>> should not be the concern of the CSR data generator. In your >>>>>>>> opinion, >>>>>>>> would it be sufficient to support just one key format (PKCS#12? >>>>>>>> PEM?) >>>>>>>> and let the user deal with putting those keys into whatever >>>>>>>> formats/databases they need? If that's ok, maybe we can stop having >>>>>>>> *multiple* helpers, but if we want to replace helpers entirely I'm >>>>>>>> still >>>>>>>> not certain what to replace them with. >>>>>>> >>>>>>> I'd just add an option to specify the output format, e.g PEM, NSS, >>>>>>> Java keystore, PKCS#12, whatever. You can probably get away with the >>>>>>> first two for starters. 
Different output format is going to mean >>>>>>> different options but that is probably not a big deal. >>>>>> >>>>>> My point was that if we want to get rid of all the helpers but >>>>>> one, or >>>>>> replace helpers with something else entirely like somehow templating >>>>>> ASN1 structures directly, it will get harder to support all those >>>>>> formats (or even both of the first two). For example, if we drop >>>>>> certutil as a helper, how will we sign CSRs with keys stored in NSS >>>>>> databases? >>>>> >>>>> 1. get the public part of the key from the NSS database >>>>> 2. construct a CertificationRequestInfo [1] from the template and the >>>>> public key >>>>> 3. sign the CertificationRequestInfo with NSS using the private key to >>>>> get a CSR >>>>> >>>>> This is purely client side, will work with any crypto library (just >>>>> substitute NSS for something else) and, if done right, using very >>>>> little code. >>>> >>>> Ok, I like this. If an encoded CertificationRequestInfo is something we >>>> can expect to be compatible with any reasonable library (it sounds like >>>> it should be) then the library can be used client-side to do the >>>> key-storage-specific parts. I'm going to try writing this data -> >>>> encoded CertificationRequestInfo -> CSR flow to make sure it works as >>>> well as it sounds. If it does, it will also be useful for the code I'm >>>> working on right now to connect certmonger with the current version of >>>> the CSR autogeneration tool. >>> >>> Note that this will most probably require calling C functions. You >>> might want to look into python-cffi. > > For now I just went ahead and implemented it in C, for simplicity. So > far it only does the data + SubjectPublicKeyInfo -> > CertificationRequestInfo conversion (data in the openssl config file > format), but I'm convinced that both openssl and NSS should be able to > sign this to turn it into a CSR. 
I'm also pretty sure you were right > that calling C functions is required - none of the python libraries seem > to have bindings for the functions that manipulate these objects. You > can see the prototype here: > https://github.com/LiptonB/freeipa-prototypes/blob/master/build_requestinfo.c Nice, glad to hear it works :-) > >>> >>>>> >>>>>>> >>>>>>> Remember that the private key will be at rest for some period of >>>>>>> time >>>>>>> while the CSR is being approved. The key needs to be protected at >>>>>>> that >>>>>>> time. >>>>>>> >>>>>>> rob >>>>>>> >>>>>>>>> >>>>>>>>>> And >>>>>>>>>> without the separation of profiles from mapping rules in the >>>>>>>>>> schema, >>>>>>>>>> rules would need to be copy+pasted among profiles, and grouping >>>>>>>>>> rules >>>>>>>>>> with the same effect under different helpers would be much >>>>>>>>>> uglier. We >>>>>>>>>> can and should discuss whether these are the right tradeoffs, but >>>>>>>>>> this >>>>>>>>>> is where those decisions came from. >>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> OTOH, I think we could use GSER encoding of the extension >>>>>>>>>>>>> value: >>>>>>>>>>>>> >>>>>>>>>>>>> { rfc822Name:"user at example.com", >>>>>>>>>>>>> directoryName:rdnSequence:"CN=user,O=EXAMPLE.COM" } >>>>>>>>>>>> GSER is not really used widely and does not have standardized >>>>>>>>>>>> encoding >>>>>>>>>>>> rules beyond its own definition. If you want to allow >>>>>>>>>>>> transformation >>>>>>>>>>>> rules in GSER that mention existing content in IPA objects, you >>>>>>>>>>>> would >>>>>>>>>>>> need to deal with templating anyway. At this point it becomes >>>>>>>>>>>> irrelevant >>>>>>>>>>>> what you are templating, though. >>>>>>>>>>> >>>>>>>>>>> True, but the goal here is not to avoid templating, but >>>>>>>>>>> rather to >>>>>>>>>>> avoid implementation-specific bits on the server, and GSER is >>>>>>>>>>> the >>>>>>>>>>> only >>>>>>>>>>> thing that is textual, implementation-neutral and, as a bonus, >>>>>>>>>>> standardized. 
>>>>>>>>>>>
>>>>>>>>>> As I said elsewhere, we could use GSER as a textual output format
>>>>>>>>>> instead of openssl or certutil, but it still needs its own
>>>>>>>>>> "helper" to
>>>>>>>>>> build the CSR, and unlike the other options, it seems like we
>>>>>>>>>> might
>>>>>>>>>> need
>>>>>>>>>> to implement that helper. I'm not sure it's fair to call it
>>>>>>>>>> implementation-neutral if no implementation exists yet :)
>>>>>>>>>
>>>>>>>>> Right. Like I said, using GSER was just a quick idea off the top
>>>>>>>>> of my
>>>>>>>>> head. I would actually rather use some sort of data structure
>>>>>>>>> templating rather than textual templating on top of any kind of
>>>>>>>>> textual representation of said data structures. I don't know if
>>>>>>>>> there
>>>>>>>>> is such a thing, though.
>>>>>>>>
>>>>>>>> This sounds interesting, can you give an example of what this might
>>>>>>>> look
>>>>>>>> like?
>>>>>
>>>>> It would be something like XSLT, but for ASN.1 rather than XML.
>>>>>
>>>>>>>>
>>>>>>>> I learned that there's also an XML encoding for ASN.1, XER, but
>>>>>>>> that's
>>>>>>>> still a textual representation and we'd have to insert the data
>>>>>>>> textually.
>>>>>
>>>>> Well, yes and no. While it's true that it's still a textual
>>>>> representation, what really makes a difference is that for XML, there
>>>>> is a templating mechanism which understands the structure of the data
>>>>> (XSLT, as mentioned above).
>>>>>
>>>>> Unfortunately, XER has the same shortcoming as GSER: to be able to
>>>>> convert it to DER, you need to know the ASN.1 definition of the data
>>>>> structure. If we used XER+XSLT, we would also have to provide means of
>>>>> adding custom ASN.1 definitions and run them through ASN.1 compiler to
>>>>> convert between XER and DER.
>>>>
>>>> This is a little disappointing, but it makes sense. I don't think I
>>>> realized that we'll need to compile the ASN.1 data definitions for any
>>>> extensions we want to use in a cert.
>>>> That limitation didn't come up
>>>> when
>>>> we were only talking about extensions that were supported by the helper
>>>> utility. But providing the ASN.1 spec for unusual extensions an admin
>>>> wants to use in their certs is probably a reasonable expectation.
>>>
>>> Yes, that's what I think as well. It could be a simple IPA object
>>> with name, description, extension OID and the ASN.1 definition.
>>>
>>>>>
>>>>>>>> It doesn't seem to be supported by any python libraries,
>>>>>>>> either, but it does look like it's supported by the asn1 compiler
>>>>>>>> in the
>>>>>>>> IPA source distribution. I could imagine an implementation that
>>>>>>>> builds
>>>>>>>> an XML representation of the CSR via python templating, then
>>>>>>>> makes a
>>>>>>>> signed CSR out of it in C. I'm a little concerned about it
>>>>>>>> because it
>>>>>>>> would have to implement the whole CSR structure from scratch,
>>>>>>>> but is
>>>>>>>> this a prototype that you'd be interested in seeing?
>>>>>
>>>>> I can imagine something like this might work:
>>>>>
>>>>> 1. (client) generate a key pair
>>>>> 2. (client) get SubjectPublicKeyInfo [2] for the public key
>>>>> 3. (client) encode the SubjectPublicKeyInfo as XER using asn1c and
>>>>> python-cffi in API mode [3]
>>>>> 4. (client) call server to construct CertificationRequestInfo for
>>>>> specified subject from a specified template and the
>>>>> SubjectPublicKeyInfo
>>>>> 5. (server) get the subject's LDAP entry
>>>>> 6. (server) create a XML document which contains the subject's LDAP
>>>>> attributes and the SubjectPublicKeyInfo
>>>>> 7. (server) use XSLT to transform the XML document to
>>>>> CertificationRequestInfo using the specified template
>>>>> 8. (server) return the CertificationRequestInfo to the client
>>>>> 9. (client) convert the CertificationRequestInfo from XER to DER using
>>>>> asn1c and python-cffi in API mode
>>>>> 10.
(client) sign the CertificationRequestInfo using the private key >>>>> to get a CSR >>>>> >>>>> It would be better if the XER-DER conversion was done on the server, >>>>> but I don't think that compiling and running code on the fly on the >>>>> server is a particularly good idea. Apparently there is a ASN.1 >>>>> compiler available for PyASN1 [4], maybe that could be used instead, >>>>> but we would have to write a XER codec for PyASN1 ourselves (which >>>>> shouldn't be too hard IMO). >>>> >>>> Yeah, running programs compiled from arbitrary ASN.1 seems like a risk. >>>> Maybe a little better because the ASN.1 is provided by an >>>> administrator, >>>> but we'd still be depending a lot on the security of the generated >>>> code. >>>> On the other hand, if we compile on the client, the CSR generation >>>> feature is limited to platforms where asn1c can be installed. I wish I >>>> could think of a way to do the compilation once when the profile is >>>> created, but run it on the client. That seems like asking for >>>> compatibility problems, though... >>> >>> It seems you missed the most important thing in the above paragraph >>> :-) - that is asn1ate, the PyASN1-based compiler. The nice thing >>> about it is that it compiles the ASN.1 definition into a PyASN1 type >>> object, which means you can compile the definition and use it to >>> (un)parse data in the same Python program. If we used it, we could >>> JIT-compile the ASN.1 definitions on the server, without the security >>> risk of executing native code and without the compatibility issues of >>> compilation on the client. >> >> What do you see as the risks of compiling native code with asn1c and >> executing it that are not present when generating python code with >> asn1ate and loading it? I would think that, native or not, we're >> depending on the ASN.1 compiler to generate secure code from any ASN.1 >> definition the admin might give it. 
Even a parser like libtasn1 that >> interprets the structure on the fly rather than generating executable >> code could do something dangerous when given poorly-constructed input. >> I don't mean to create a false equivalence, but are the interpreted >> options really safer than the native code? I suppose asn1ate is not really safer than asn1c, as either of them may allow you to inject and execute arbitrary code (doesn't matter if it's C or Python), but I think it would be much harder with libtasn1, as it would require overcoming buffer overflow and/or SELinux execmem protection. >>> >>> I did a little research since my last email, andt doesn't seem to >>> have there is also another library which allows you to compile and >>> use ASN.1 definitions on the fly - libtasn1 [5]. Compared to asn1ate, >>> it seems to be pretty stable (asn1ate is currently in alpha) and is >>> written in C, so it makes it possible to use the >>> administrator-defined extensions outside of IPA (specifically, it >>> could be useful for certificate matching and mapping [6] in SSSD). >> >> Good find. That seems quite useful for being able to interact with >> ASN.1 defined on the fly. I wonder how hard it would be to connect it >> to pyasn1 to get more flexible ASN.1 decoding within python. Still >> doesn't help with XER encoding/decoding, but I suppose that's a SMOP :) >>> >>>> >>>>> >>>>>>>> >>>>>> On further investigation, it turns out the version of >>>>>> python-cryptography in F24 includes a feature allowing arbitrary >>>>>> extensions to be added by adding an UnrecognizedExtension to the >>>>>> CertificateSigningRequestBuilder. This makes me feel somewhat better >>>>>> both about python-cryptography as a tool for this task and about the >>>>>> solution I just proposed. But I still don't have a clear idea that >>>>>> answers 1) how to make templates that we can turn into encoded >>>>>> extensions, and 2) how to deal with all the desired key formats. 
>>>>>
>>>>> I hope the above clarifies these a little bit.
>>>>>
>>>>> [1]
>>>>> [2]
>>>>> [3]
>>>>>
>>>>> [4]
>>>
>>> [5]
>>> [6]
>>>
>>>
>>>
>>
>

--
Jan Cholasta

From tjaalton at ubuntu.com Tue Nov 8 07:19:40 2016
From: tjaalton at ubuntu.com (Timo Aaltonen)
Date: Tue, 8 Nov 2016 09:19:40 +0200
Subject: [Freeipa-devel] Configuring ipa-otpd error when selinux isenable
In-Reply-To:
References: <20161108023739.GV8861@dhcp-40-8.bne.redhat.com>
Message-ID:

On 08.11.2016 05:51, ?? wrote:
> The problem is solved. The reason is that the path of ExecStart program
> is incorrect in the /lib/systemd/system/ipa-otpd@.service file. Need to
> make the following changes?
> [Unit]
> Description=ipa-otpd service
>
> [Service]
> EnvironmentFile=/etc/ipa/default.conf
> ExecStart=/usr/lib/ipa-otpd $ldap_uri
> StandardInput=socket
> StandardOutput=socket
> StandardError=syslog
>
> change to
>
> [Unit]
> Description=ipa-otpd service
>
> [Service]
> EnvironmentFile=/etc/ipa/default.conf
> ExecStart=/usr/lib/ipa/ipa-otpd $ldap_uri
> StandardInput=socket
> StandardOutput=socket
> StandardError=syslog
>
> Note: my system is Ubuntu.

this is LP:#1628884 and fixed in 4.3.2-2

--
t

From freeipa-github-notification at redhat.com Tue Nov 8 07:58:59 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Tue, 08 Nov 2016 08:58:59 +0100
Subject: [Freeipa-devel] [freeipa PR#202][comment] ipa-getkeytab enhancements
In-Reply-To:
References:
Message-ID:
URL: https://github.com/freeipa/freeipa/pull/202
Title: #202: ipa-getkeytab enhancements

martbab commented:
"""
Another bump for review.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/202#issuecomment-259070113

From ofayans at redhat.com Tue Nov 8 08:32:34 2016
From: ofayans at redhat.com (Oleg Fayans) Date: Tue, 8 Nov 2016 09:32:34 +0100 Subject: [Freeipa-devel] [Test][Patch-0047] Added a test for Ticket N 5964 In-Reply-To: References: <5762BBDD.4010502@redhat.com> <5763AA17.60207@redhat.com> <5763C073.5020503@redhat.com> <577113B2.1080904@redhat.com> <8ada929c-ebff-b8ce-6f1f-ae65fb8b1ba2@redhat.com> <577FAD77.7080504@redhat.com> <9149be7c-ee3d-42e5-16fb-fd0c0f351bb8@redhat.com> <57A1E76F.9@redhat.com> <478f33da-10d4-0994-e588-b28ca002b3b4@redhat.com> <36a2eba5-a03d-131e-0042-46f0d4f0299a@redhat.com> <80d2ccd8-8e1b-52a7-df76-087c72f21a12@redhat.com> <8caa3b3a-54a6-e168-6304-09ce8fb60a7f@redhat.com> <5b666684-ada4-8721-0671-a6a0424e115b@redhat.com> <847c5b3d-f43b-7381-a8a2-2fcacc343afc@redhat.com> Message-ID: <968c71cb-95c1-bda4-ab93-56f097fa72bf@redhat.com> Ping for review On 11/03/2016 04:56 PM, Oleg Fayans wrote: > Hi Martin, > > The commit message was updated with the correct ticket link > Thanks for review! > > On 11/03/2016 04:22 PM, Martin Basti wrote: >> almost ACK, but the ticket in commit message is closed as invalid. So >> I'm quite puzzled now what to do. >> >> >> On 03.11.2016 13:28, Oleg Fayans wrote: >>> ping for review >>> >>> On 10/19/2016 04:54 PM, Oleg Fayans wrote: >>>> Hi Martin, >>>> >>>> Thanks for the review. Fixed both issues. >>>> >>>> $ ipa-run-tests test_integration/test_topology.py -k TestCASpecificRUVs >>>> WARNING: Couldn't write lextab module 'pycparser.lextab'. [Errno 13] >>>> Permission denied: 'lextab.py' >>>> WARNING: yacc table file version is out of date >>>> WARNING: Couldn't create 'pycparser.yacctab'. 
[Errno 13] Permission >>>> denied: 'yacctab.py' >>>> ==================================================================================== >>>> >>>> >>>> test session starts >>>> ===================================================================================== >>>> >>>> >>>> >>>> platform linux2 -- Python 2.7.11, pytest-2.9.2, py-1.4.31, pluggy-0.3.1 >>>> rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: pytest.ini >>>> plugins: sourceorder-0.5, multihost-1.0 >>>> collected 5 items >>>> >>>> test_integration/test_topology.py .. >>>> >>>> ================================================================================ >>>> >>>> >>>> 2 passed in 2444.84 seconds >>>> ================================================================================= >>>> >>>> >>>> >>>> >>>> >>>> On 10/17/2016 07:05 PM, Martin Basti wrote: >>>>> 1) >>>>> >>>>> you don't need to disable/enable dirsrv, just stop/start. Please >>>>> remove >>>>> disable/enable parts >>>>> >>>>> >>>>> 2) >>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>> traceback >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>> >>>>> >>>>> self = >>>> object at 0x7f6a502eec90> >>>>> >>>>> def test_delete_ruvs(self): >>>>> """ >>>>> http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/ >>>>> Test_Plan#Test_case:_clean-ruv_subcommand >>>>> """ >>>>> replica = self.replicas[0] >>>>> master = self.master >>>>> res1 = master.run_command(['ipa-replica-manage', 'list-ruv', >>>>> '-p', >>>>> master.config.dirman_password]) >>>>>> assert(res1.stdout_text.count(replica.hostname) == 2 and >>>>> "Certificate Server Replica Update Vectors" in res1), ( >>>>> "CA-specific RUVs are not displayed") >>>>> E TypeError: argument of type 'SSHCommand' is not iterable >>>>> >>>>> test_integration/test_topology.py:215: TypeError 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>> entering PDB >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>> >>>>>> >>>>> /usr/lib/python2.7/site-packages/ipatests/test_integration/test_topology.py(215)test_delete_ruvs() >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> -> assert(res1.stdout_text.count(replica.hostname) == 2 and >>>>> >>>>> >>>>> >>>>> On 14.10.2016 11:36, Oleg Fayans wrote: >>>>>> Right you are! I am sorry. >>>>>> >>>>>> On 10/13/2016 06:10 PM, Martin Basti wrote: >>>>>>> I think that you forgot to squash commits. Patch 47 doesn't apply >>>>>>> >>>>>>> >>>>>>> On 13.10.2016 14:01, Oleg Fayans wrote: >>>>>>>> Hi Martin, >>>>>>>> >>>>>>>> Thanks for the review. >>>>>>>> With disabling directory server it works as well, thanks for the >>>>>>>> hint. >>>>>>>> Also I moved the cleanup logic to the test itself for the sake of >>>>>>>> simplicity. Patch-0048 was not changed >>>>>>>> >>>>>>>> On 10/12/2016 02:35 PM, Martin Basti wrote: >>>>>>>>> 1) >>>>>>>>> >>>>>>>>> Can you just turn off dirsrv on replica instead of doing iptables >>>>>>>>> magic? >>>>>>>>> >>>>>>>>> >>>>>>>>> 2) NACK >>>>>>>>> >>>>>>>>> No more eval() ever in code, use 'getattr', 'get' or whatever in >>>>>>>>> the >>>>>>>>> object that can be used. >>>>>>>>> >>>>>>>>> + evalhost = eval("args[0].%s" % host) >>>>>>>>> >>>>>>>>> Martin^2 >>>>>>>>> >>>>>>>>> On 12.10.2016 14:03, Oleg Fayans wrote: >>>>>>>>>> Hi Martin, >>>>>>>>>> >>>>>>>>>> After extensive discussion with Ludwig, I finally got the clue on >>>>>>>>>> how >>>>>>>>>> does this feature work. When we uninstall the replica, the master >>>>>>>>>> cleans the replication agreements with this replica and >>>>>>>>>> automatically >>>>>>>>>> cleans all replica's RUVs. 
>>>>>>>>>> If we clean replica's RUVs on master without uninstalling the >>>>>>>>>> replica, >>>>>>>>>> the replica's RUVs get recreated on master (replication >>>>>>>>>> works!). So, >>>>>>>>>> the only way to test the clean-ruv subcommand is to turn off the >>>>>>>>>> replica, or block the traffic on it so it gets inaccessible to >>>>>>>>>> updates >>>>>>>>>> from master. >>>>>>>>>> The testcases were updated, see [1] and [2] >>>>>>>>>> >>>>>>>>>> The updated versions of the patches are attached >>>>>>>>>> >>>>>>>>>> [1] >>>>>>>>>> http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan#Test_case:_.2A-ruv_subcommands_of_ipa-replica-manage_are_extended_to_handle_CA-specific_RUVs >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> [2] >>>>>>>>>> http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan#Test_case:_clean-ruv_subcommand >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> On 08/05/2016 06:36 PM, Martin Basti wrote: >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> On 03.08.2016 14:45, Oleg Fayans wrote: >>>>>>>>>>>> Hi Martin, >>>>>>>>>>>> >>>>>>>>>>>> Thanks for the review! Both patches were updated. >>>>>>>>>>>> >>>>>>>>>>>> On 07/28/2016 04:11 PM, Martin Basti wrote: >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> On 08.07.2016 15:41, Oleg Fayans wrote: >>>>>>>>>>>>>> Hi Martin, >>>>>>>>>>>>>> >>>>>>>>>>>>>> Thanks for the review! >>>>>>>>>>>>>> >>>>>>>>>>>>>> On 07/08/2016 02:18 PM, Martin Basti wrote: >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> On 27.06.2016 13:53, Oleg Fayans wrote: >>>>>>>>>>>>>>>> Hi guys, >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Is there a chance the patches NN 0047.1 and 0048.1 get >>>>>>>>>>>>>>>> reviewed >>>>>>>>>>>>>>>> before >>>>>>>>>>>>>>>> 4.4 release? They cover a good part of the Managed Topology >>>>>>>>>>>>>>>> 4.4 >>>>>>>>>>>>>>>> feature. 
>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> On 06/17/2016 11:18 AM, Oleg Fayans wrote: >>>>>>>>>>>>>>>>> One more test was added to the patch-0048 >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> On 06/17/2016 09:43 AM, Oleg Fayans wrote: >>>>>>>>>>>>>>>>>> Fixed a bug in the previous patch, automated 2 more >>>>>>>>>>>>>>>>>> testcases >>>>>>>>>>>>>>>>>> from >>>>>>>>>>>>>>>>>> http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> On 06/16/2016 04:46 PM, Oleg Fayans wrote: >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>> IIUC, this will turn off the machine completely, how is >>>>>>>>>>>>>>> cleanup >>>>>>>>>>>>>>> done >>>>>>>>>>>>>>> then. AFAIK our tests cannot turn on machine again and run >>>>>>>>>>>>>>> cleanup, so >>>>>>>>>>>>>>> you will not be able to run more tests on the same topology >>>>>>>>>>>>>>> without >>>>>>>>>>>>>>> manual cleanup and manual start. >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> + replica = self.replicas[0] >>>>>>>>>>>>>>> + replica.run_command(['poweroff']) >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> IMO would be better to just call 'ipactl stop' instead of >>>>>>>>>>>>>>> 'poweroff' >>>>>>>>>>>>>> >>>>>>>>>>>>>> Agreed! Fixed. >>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Martin^2 >>>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>> *Automated ipa-replica-manage del tests* >>>>>>>>>>>>> >>>>>>>>>>>>> 1) >>>>>>>>>>>>> + replica.run_command(['ipactl', 'stop']) >>>>>>>>>>>>> + time.sleep(3) >>>>>>>>>>>>> >>>>>>>>>>>>> Why do you need sleep here? 
>>>>>>>>>>>> >>>>>>>>>>>> Removed, it was left from the old "poweroff" approach >>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> 2) >>>>>>>>>>>>> + ruvid_re = re.compile(".*%s:389: (\d+).*" % >>>>>>>>>>>>> replica.hostname) >>>>>>>>>>>>> + replica_ruvs = ruvid_re.findall(result.stdout_text) >>>>>>>>>>>>> + master.run_command(['ipa-replica-manage', 'clean-ruv', >>>>>>>>>>>>> 'f', >>>>>>>>>>>>> + '-p', >>>>>>>>>>>>> master.config.dirman_password, >>>>>>>>>>>>> + replica_ruvs[0]]) >>>>>>>>>>>>> >>>>>>>>>>>>> Because you are using re.findall(), without any match you will >>>>>>>>>>>>> receive >>>>>>>>>>>>> IndexError here replica_ruvs[0]. IMO it deserves assert before >>>>>>>>>>>> >>>>>>>>>>>> Implemented the assert which checks that the output contains >>>>>>>>>>>> enough >>>>>>>>>>>> replica RUVs >>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> 3) >>>>>>>>>>>>> assert(replica.hostname in result1.stdout_text) >>>>>>>>>>>>> >>>>>>>>>>>>> I think that this is error prone. What if there is just error >>>>>>>>>>>>> 'could not >>>>>>>>>>>>> connect to replica ', or something similar. >>>>>>>>>>>>> instead of >>>>>>>>>>>>> listing/cleaning/whatever operation was executed. I think >>>>>>>>>>>>> that it >>>>>>>>>>>>> should >>>>>>>>>>>>> be more specific regexp than just finding a replica name >>>>>>>>>>>>> substring >>>>>>>>>>>>> (Yes >>>>>>>>>>>>> In IPA we dont always print error so stderr) >>>>>>>>>>>>> >>>>>>>>>>>>> I'm not sure, but probably there might be cases when non >>>>>>>>>>>>> critical >>>>>>>>>>>>> error >>>>>>>>>>>>> happen and exist status is still 0 >>>>>>>>>>>> >>>>>>>>>>>> Agree. Implemented a regex-based search >>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> 4) >>>>>>>>>>>>> >>>>>>>>>>>>> + replica.run_command(['poweroff']) >>>>>>>>>>>>> + time.sleep(3) >>>>>>>>>>>>> >>>>>>>>>>>>> There should not be poweroff, probably sleep could be removed >>>>>>>>>>>>> too. 
>>>>>>>>>>>> >>>>>>>>>>>> Gone >>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> * Automated clean-ruv subcommand test* >>>>>>>>>>>>> >>>>>>>>>>>>> 1) PEP8, 2 new lines expected >>>>>>>>>>>>> ./ipatests/test_integration/test_topology.py:163:1: E302 >>>>>>>>>>>>> expected 2 >>>>>>>>>>>>> blank lines, found 0 >>>>>>>>>>>>> ./ipatests/test_integration/test_topology.py:182:80: E501 line >>>>>>>>>>>>> too >>>>>>>>>>>>> long >>>>>>>>>>>>> (85 > 79 characters) >>>>>>>>>>>> >>>>>>>>>>>> Fixed >>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> 2) >>>>>>>>>>>>> I dont like doing assert just with count of occurences of >>>>>>>>>>>>> substring in >>>>>>>>>>>>> STDOUT, would be possible to improve this somehow? >>>>>>>>>>>> >>>>>>>>>>>> Maybe, but frankly, I don't see how. In this case we are making >>>>>>>>>>>> sure >>>>>>>>>>>> that both simple and CA-specific RUVs of a replica are >>>>>>>>>>>> displayed. The >>>>>>>>>>>> format of the output is strict: >>>>>>>>>>>> Replica Update Vectors: >>>>>>>>>>>> replica1_hostname:389: RUV_id >>>>>>>>>>>> replica2_hostname:389: RUV_id >>>>>>>>>>>> Certificate Server Replica Update Vectors: >>>>>>>>>>>> replica1_hostname:389: RUV_id >>>>>>>>>>>> replica2_hostname:389: RUV_id >>>>>>>>>>>> If we do not see 2 occurrences of the replica hostname than >>>>>>>>>>>> definitely >>>>>>>>>>>> something went wrong >>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> 3) >>>>>>>>>>>>> I'm not sure if clean-ruv is instant operations or there is >>>>>>>>>>>>> some >>>>>>>>>>>>> magic >>>>>>>>>>>>> happening in background (we have abort-clean-ruv). Maybe some >>>>>>>>>>>>> sleep >>>>>>>>>>>>> should be there, but this needs investigation. 
>>>>>>>>>>>>> >>>>>>>>>>>>> + assert(replica.hostname in result2.stdout_text), ( >>>>>>>>>>>>> + "The wrong RUV was deleted") >>>>>>>>>>>>> + result3 = master.run_command(['ipa-replica-manage', >>>>>>>>>>>>> 'list-ruv', >>>>>>>>>>>>> + '-p', >>>>>>>>>>>>> master.config.dirman_password]) >>>>>>>>>>>>> + assert(result3.stdout_text.count(replica.hostname) == 1), ( >>>>>>>>>>>>> + "CA RUV of the replica is still displayed") >>>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> Based on my discussion with Stanislav Laznicka, I understood >>>>>>>>>>>> that by >>>>>>>>>>>> default clean-ruv does not return the shell until the >>>>>>>>>>>> operation is >>>>>>>>>>>> finished. You can force dropping into the shell by pressing >>>>>>>>>>>> CTRL+C, in >>>>>>>>>>>> which case the background job will still be running, but >>>>>>>>>>>> this is >>>>>>>>>>>> not >>>>>>>>>>>> the default behavior >>>>>>>>>>>> >>>>>>>>>>> Test failed: >>>>>>>>>>> result4 = master.run_command(['ipa-replica-manage', >>>>>>>>>>> 'list-ruv', >>>>>>>>>>> '-p', >>>>>>>>>>> master.config.dirman_password]) >>>>>>>>>>>> assert(replica.hostname not in result4.stdout_text), ( >>>>>>>>>>> "replica's RUV is still displayed") >>>>>>>>>>> E AssertionError: replica's RUV is still displayed >>>>>>>>>>> E assert 'replica3.ipa.test' not in 'Replica Update >>>>>>>>>>> V...ipa.test:389: 8\n' >>>>>>>>>>> E 'replica3.ipa.test' is contained here: >>>>>>>>>>> E Replica Update Vectors: >>>>>>>>>>> E \tmaster.ipa.test:389: 4 >>>>>>>>>>> E \treplica3.ipa.test:389: 3 >>>>>>>>>>> E \treplica2.ipa.test:389: 7 >>>>>>>>>>> E Certificate Server Replica Update Vectors: >>>>>>>>>>> E \tmaster.ipa.test:389: 6 >>>>>>>>>>> E \treplica2.ipa.test:389: 8 >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> [root at master ~]# ipa topologysegment-find >>>>>>>>>>> Suffix name: domain >>>>>>>>>>> ------------------ >>>>>>>>>>> 2 segments matched >>>>>>>>>>> ------------------ >>>>>>>>>>> Segment name: master.ipa.test-to-replica2.ipa.test >>>>>>>>>>> Left node: 
master.ipa.test >>>>>>>>>>> Right node: replica2.ipa.test >>>>>>>>>>> Connectivity: both >>>>>>>>>>> >>>>>>>>>>> Segment name: master.ipa.test-to-replica3.ipa.test >>>>>>>>>>> Left node: master.ipa.test >>>>>>>>>>> Right node: replica3.ipa.test >>>>>>>>>>> Connectivity: both >>>>>>>>>>> ---------------------------- >>>>>>>>>>> Number of entries returned 2 >>>>>>>>>>> ---------------------------- >>>>>>>>>>> [root at master ~]# ipa-replica-manage list-ruv >>>>>>>>>>> Directory Manager password: >>>>>>>>>>> >>>>>>>>>>> Replica Update Vectors: >>>>>>>>>>> master.ipa.test:389: 4 >>>>>>>>>>> replica2.ipa.test:389: 7 >>>>>>>>>>> replica3.ipa.test:389: 3 >>>>>>>>>>> Certificate Server Replica Update Vectors: >>>>>>>>>>> master.ipa.test:389: 6 >>>>>>>>>>> replica2.ipa.test:389: 8 >>>>>>>>>>> [root at master ~]# >>>>>>>>>>> >>>>>>>>>>> Then I tried manually to clean RUV 3, and it behaves somehow odd >>>>>>>>>>> >>>>>>>>>>> [root at master ~]# 'ipa-replica-manage' 'clean-ruv' '3' '-p' >>>>>>>>>>> 'Secret123' '-f' >>>>>>>>>>> Clean the Replication Update Vector for replica3.ipa.test:389 >>>>>>>>>>> Background task created to clean replication data. This may >>>>>>>>>>> take a >>>>>>>>>>> while. >>>>>>>>>>> This may be safely interrupted with Ctrl+C >>>>>>>>>>> Cleanup task created >>>>>>>>>>> [root at master ~]# less /var/log/dirsrv/slapd-IPA-TEST/errors >>>>>>>>>>> [root at master ~]# ipa-replica-manage list-ruv >>>>>>>>>>> Directory Manager password: >>>>>>>>>>> >>>>>>>>>>> Replica Update Vectors: >>>>>>>>>>> master.ipa.test:389: 4 >>>>>>>>>>> replica2.ipa.test:389: 7 >>>>>>>>>>> replica3.ipa.test:389: 3 >>>>>>>>>>> Certificate Server Replica Update Vectors: >>>>>>>>>>> master.ipa.test:389: 6 >>>>>>>>>>> replica2.ipa.test:389: 8 >>>>>>>>>>> [root at master ~]# 'ipa-replica-manage' 'clean-ruv' '3' '-p' >>>>>>>>>>> 'Secret123' '-f' >>>>>>>>>>> Clean the Replication Update Vector for replica3.ipa.test:389 >>>>>>>>>>> CLEANALLRUV task for replica id 3 already exists. 
>>>>>>>>>>> This may be safely interrupted with Ctrl+C >>>>>>>>>>> Cleanup task created >>>>>>>>>>> >>>>>>>>>>> [root at master ~]# ipa-replica-manage list-clean-ruv -p Secret123 >>>>>>>>>>> No CLEANALLRUV tasks running >>>>>>>>>>> >>>>>>>>>>> No abort CLEANALLRUV tasks running >>>>>>>>>>> [root at master ~]# 'ipa-replica-manage' 'clean-ruv' '3' '-p' >>>>>>>>>>> 'Secret123' '-f' >>>>>>>>>>> Clean the Replication Update Vector for replica3.ipa.test:389 >>>>>>>>>>> Background task created to clean replication data. This may >>>>>>>>>>> take a >>>>>>>>>>> while. >>>>>>>>>>> This may be safely interrupted with Ctrl+C >>>>>>>>>>> Cleanup task created >>>>>>>>>>> [root at master ~]# ipa-replica-manage list-clean-ruv -p Secret123 >>>>>>>>>>> CLEANALLRUV tasks >>>>>>>>>>> RID 3: Successfully cleaned rid(3). >>>>>>>>>>> >>>>>>>>>>> No abort CLEANALLRUV tasks running >>>>>>>>>>> [root at master ~]# ipa-replica-manage list-ruv -p Secret123 >>>>>>>>>>> Replica Update Vectors: >>>>>>>>>>> master.ipa.test:389: 4 >>>>>>>>>>> replica2.ipa.test:389: 7 >>>>>>>>>>> Certificate Server Replica Update Vectors: >>>>>>>>>>> master.ipa.test:389: 6 >>>>>>>>>>> replica2.ipa.test:389: 8 >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> I'm not sure if this behavior is right, Ludwig may know. >>>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>>> >>>>>> >>>>> >>>> >>>> >>>> >>> >> > > > -- Oleg Fayans Quality Engineer FreeIPA team RedHat. From freeipa-github-notification at redhat.com Tue Nov 8 11:42:04 2016 
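An added example for the review points in the thread above (counting hostname substrings in the `list-ruv` output, and the `IndexError` risk of indexing an empty `re.findall()` result); it is not code from the patches under review. The function names are hypothetical, the sample listing is constructed after the `ipa-replica-manage list-ruv` output quoted in the thread, and the error text is invented for illustration.

```python
import re

# Section headers as they appear in the list-ruv output quoted in the thread.
SECTION_NAMES = {
    "Replica Update Vectors:": "domain",
    "Certificate Server Replica Update Vectors:": "ca",
}

# One RUV entry, anchored to the whole line: "<hostname>:<port>: <replica id>".
RUV_ENTRY = re.compile(
    r"^(?P<host>[A-Za-z0-9.-]+):(?P<port>\d+):\s+(?P<rid>\d+)$")

# Constructed sample, modelled on the transcript in the thread.
SAMPLE_LIST_RUV = (
    "Directory Manager password:\n"
    "\n"
    "Replica Update Vectors:\n"
    "\tmaster.ipa.test:389: 4\n"
    "\treplica2.ipa.test:389: 7\n"
    "\treplica3.ipa.test:389: 3\n"
    "Certificate Server Replica Update Vectors:\n"
    "\tmaster.ipa.test:389: 6\n"
    "\treplica2.ipa.test:389: 8\n"
    "\treplica3.ipa.test:389: 9\n"
)

# Invented error text (not real ipa-replica-manage messages): it mentions the
# replica twice, so a substring count of 2 would pass without any RUV listed.
SAMPLE_ERROR_TEXT = (
    "Unable to connect to replica3.ipa.test\n"
    "Failed to read RUVs from replica3.ipa.test\n"
)


def parse_list_ruv(stdout_text):
    """Parse list-ruv output into {"domain": {host: [rid, ...]}, "ca": {...}}.

    Takes the command's stdout as a string (the traceback in the thread came
    from testing membership on the command result object itself).
    """
    ruvs = {"domain": {}, "ca": {}}
    section = None
    for raw in stdout_text.splitlines():
        line = raw.strip()
        if line in SECTION_NAMES:
            section = SECTION_NAMES[line]
            continue
        entry = RUV_ENTRY.match(line)
        if entry is None or section is None:
            # Prompts, blank lines and error messages are not RUV entries.
            continue
        rids = ruvs[section].setdefault(entry.group("host"), [])
        rids.append(int(entry.group("rid")))
    return ruvs


def replica_rids(stdout_text, hostname, suffix):
    """Replica ids listed for hostname under one suffix; [] when none."""
    return parse_list_ruv(stdout_text)[suffix].get(hostname, [])


def rid_to_clean(stdout_text, hostname, suffix):
    """Pick the replica id to hand to clean-ruv, failing with a clear message
    instead of an IndexError when the listing has no entry for the host."""
    rids = replica_rids(stdout_text, hostname, suffix)
    if not rids:
        raise AssertionError("no %s RUV listed for %s" % (suffix, hostname))
    return rids[0]


if __name__ == "__main__":
    host = "replica3.ipa.test"
    print(parse_list_ruv(SAMPLE_LIST_RUV))
    print("CA rid to clean:", rid_to_clean(SAMPLE_LIST_RUV, host, "ca"))
    # The substring count is satisfied by the error text, the parser is not.
    print("substring count on error text:", SAMPLE_ERROR_TEXT.count(host))
    print("parsed from error text:",
          replica_rids(SAMPLE_ERROR_TEXT, host, "domain"))
```
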
From: freeipa-github-notification at redhat.com (Akasurde)
Date: Tue, 08 Nov 2016 12:42:04 +0100
Subject: [Freeipa-devel] [freeipa PR#207][synchronized] Provide user hint about IP address in IPA install
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/207
Author: Akasurde
Title: #207: Provide user hint about IP address in IPA install
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/207/head:pr207
git checkout pr207
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-207.patch
Type: text/x-diff
Size: 1410 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Tue Nov 8 11:42:09 2016
From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Tue, 08 Nov 2016 12:42:09 +0100
Subject: [Freeipa-devel] [freeipa PR#214][opened] ipaldap: remove do_bind from LDAPClient
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/214
Author: tomaskrizek
Title: #214: ipaldap: remove do_bind from LDAPClient
Action: opened

PR body:
"""
Remove do_bind() method that was a relict used in IPAdmin. Replace its uses with simple / external binds.

https://fedorahosted.org/freeipa/ticket/6461
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/214/head:pr214
git checkout pr214
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-214.patch
Type: text/x-diff
Size: 3755 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Tue Nov 8 11:44:39 2016
From: freeipa-github-notification at redhat.com (jumitche)
Date: Tue, 08 Nov 2016 12:44:39 +0100
Subject: [Freeipa-devel] [freeipa PR#215][opened] Add script to setup krb5 NFS exports
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/215
Author: jumitche
Title: #215: Add script to setup krb5 NFS exports
Action: opened

PR body:
"""
python script to setup secure NFS exports with kerberos that relies heavily on FreeIPA, and is in many ways the complement to ipa-client-automount that sets up the NFS server side.

It attempts to automatically discover the existing ipa/kerberos setup and falls back to asking simple questions, in much the same way as ipa-server-install does.

Difficult to figure out exactly what it should be called, have taken a guess and gone for: ipa-client-exportnfs
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/215/head:pr215
git checkout pr215
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-215.patch
Type: text/x-diff
Size: 26428 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Tue Nov 8 12:13:04 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Tue, 08 Nov 2016 13:13:04 +0100
Subject: [Freeipa-devel] [freeipa PR#213][comment] Build system refactoring phase 3
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/213
Title: #213: Build system refactoring phase 3

mbasti-rh commented:
"""
Why are there these whitespace errors?
```
git am ...
...
Applying: Build: stop build when a step in web UI build fails
Applying: Build: fix distribution of static files for web UI
.git/rebase-apply/patch:413: space before tab in indent.
"./fs",
.git/rebase-apply/patch:414: space before tab in indent.
"./fileUtils",
.git/rebase-apply/patch:415: space before tab in indent.
"./process",
.git/rebase-apply/patch:418: space before tab in indent.
"./stringify",
.git/rebase-apply/patch:419: space before tab in indent.
"./version",
warning: squelched 49 whitespace errors
warning: 54 lines add whitespace errors.
Applying: Web UI: Remove offline version of Web UI
```
"""

See the full comment at https://github.com/freeipa/freeipa/pull/213#issuecomment-259121223

From freeipa-github-notification at redhat.com Tue Nov 8 12:16:24 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Tue, 08 Nov 2016 13:16:24 +0100
Subject: [Freeipa-devel] [freeipa PR#213][comment] Build system refactoring phase 3
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/213
Title: #213: Build system refactoring phase 3

mbasti-rh commented:
"""
I cannot build rpms
```
./makerpms.sh
...
config.status: executing libtool commands
IPA Server 4.4.90.201611071629GITbcd4f03
========================
prefix: /usr/local
exec_prefix: ${prefix}
libdir: ${exec_prefix}/lib
bindir: ${exec_prefix}/bin
sbindir: ${exec_prefix}/sbin
sysconfdir: ${prefix}/etc
localstatedir: ${prefix}/var
datadir: ${datarootdir}
krb5rundir: ${prefix}/var/run/krb5kdc
systemdsystemunitdir: /usr/lib/systemd/system
source code location: .
compiler: gcc
cflags: -g -O2
LDAP libs: -lldap_r -llber
KRB5 libs: -lkrb5 -lk5crypto -lcom_err
KRAD libs: -lkrad
OpenSSL crypto libs: -lcrypto
Maintainer mode: no
make: *** No rule to make target 'rpms'. Stop.
```
"""

See the full comment at https://github.com/freeipa/freeipa/pull/213#issuecomment-259121797

From freeipa-github-notification at redhat.com Tue Nov 8 12:52:38 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Tue, 08 Nov 2016 13:52:38 +0100
Subject: [Freeipa-devel] [freeipa PR#213][comment] Build system refactoring phase 3
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/213
Title: #213: Build system refactoring phase 3

mbasti-rh commented:
"""
Build works for me, error was on my side
"""

See the full comment at https://github.com/freeipa/freeipa/pull/213#issuecomment-259128604

From freeipa-github-notification at redhat.com Tue Nov 8 13:52:00 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Tue, 08 Nov 2016 14:52:00 +0100
Subject: [Freeipa-devel] [freeipa PR#213][comment] Build system refactoring phase 3
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/213
Title: #213: Build system refactoring phase 3

mbasti-rh commented:
"""
Works for me

I read commits, it makes sense, works for me, but I'm not an autotools expert so I might miss something.

I'm curious about one commit: Build: cleanup unused LDIFs from install/share
- do we have somewhere a documentation for Solaris that requires this file?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/213#issuecomment-259141292

From freeipa-github-notification at redhat.com Tue Nov 8 14:39:05 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Tue, 08 Nov 2016 15:39:05 +0100
Subject: [Freeipa-devel] [freeipa PR#202][synchronized] ipa-getkeytab enhancements
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/202
Author: martbab
Title: #202: ipa-getkeytab enhancements
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/202/head:pr202
git checkout pr202
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-202.patch
Type: text/x-diff
Size: 36922 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Tue Nov 8 14:39:17 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Tue, 08 Nov 2016 15:39:17 +0100
Subject: [Freeipa-devel] [freeipa PR#202][comment] ipa-getkeytab enhancements
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/202
Title: #202: ipa-getkeytab enhancements

martbab commented:
"""
Done.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/202#issuecomment-259153194

From freeipa-github-notification at redhat.com Tue Nov 8 14:50:37 2016
From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Tue, 08 Nov 2016 15:50:37 +0100
Subject: [Freeipa-devel] [freeipa PR#172][comment] fix pki-tomcat error after uninstall
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/172
Title: #172: fix pki-tomcat error after uninstall

tomaskrizek commented:
"""
I have not encountered this issue in Fedora. I guess it's related to using FreeIPA on Ubuntu 16.04.

The proposed solution is a distribution-dependent workaround. I'm closing this PR, because the bug should be fixed properly (perhaps by some exception handling).

You can also open a bug in https://fedorahosted.org/freeipa
"""

See the full comment at https://github.com/freeipa/freeipa/pull/172#issuecomment-259156367

From freeipa-github-notification at redhat.com Tue Nov 8 15:02:19 2016
From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Tue, 08 Nov 2016 16:02:19 +0100
Subject: [Freeipa-devel] [freeipa PR#168][comment] Update cli.py
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/168
Title: #168: Update cli.py

tomaskrizek commented:
"""
Could you please file a ticket for the issue, describing what is the problem and how to reproduce it?

https://fedorahosted.org/freeipa
"""

See the full comment at https://github.com/freeipa/freeipa/pull/168#issuecomment-259159758

From freeipa-github-notification at redhat.com Tue Nov 8 15:20:51 2016
From: freeipa-github-notification at redhat.com (Garont)
Date: Tue, 08 Nov 2016 16:20:51 +0100
Subject: [Freeipa-devel] [freeipa PR#168][comment] Update cli.py
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/168
Title: #168: Update cli.py

Garont commented:
"""
Sorry, I've already quit the job where I've implemented freeipa, so now stack bug is unavailable for me :)
"""

See the full comment at https://github.com/freeipa/freeipa/pull/168#issuecomment-259165084

From freeipa-github-notification at redhat.com Tue Nov 8 15:22:00 2016
From: freeipa-github-notification at redhat.com (Garont)
Date: Tue, 08 Nov 2016 16:22:00 +0100
Subject: [Freeipa-devel] [freeipa PR#168][comment] Update cli.py
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/168
Title: #168: Update cli.py

Garont commented:
"""
Sorry, I've already quit the job where I've implemented freeipa, so now stack with bug is unavailable for me :)
"""

See the full comment at https://github.com/freeipa/freeipa/pull/168#issuecomment-259165084

From freeipa-github-notification at redhat.com Tue Nov 8 16:01:15 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Tue, 08 Nov 2016 17:01:15 +0100
Subject: [Freeipa-devel] [freeipa PR#202][+ack] ipa-getkeytab enhancements
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/202
Title: #202: ipa-getkeytab enhancements

Label: +ack

From freeipa-github-notification at redhat.com Tue Nov 8 16:02:41 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Tue, 08 Nov 2016 17:02:41 +0100
Subject: [Freeipa-devel] [freeipa PR#202][synchronized] ipa-getkeytab enhancements
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/202
Author: martbab
Title: #202: ipa-getkeytab enhancements
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/202/head:pr202
git checkout pr202
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-202.patch
Type: text/x-diff
Size: 36923 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Tue Nov 8 16:03:04 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Tue, 08 Nov 2016 17:03:04 +0100
Subject: [Freeipa-devel] [freeipa PR#202][+pushed] ipa-getkeytab enhancements
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/202
Title: #202: ipa-getkeytab enhancements

Label: +pushed

From freeipa-github-notification at redhat.com Tue Nov 8 16:03:05 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Tue, 08 Nov 2016 17:03:05 +0100
Subject: [Freeipa-devel] [freeipa PR#202][comment] ipa-getkeytab enhancements
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/202
Title: #202: ipa-getkeytab enhancements

martbab commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/294fc3dc5645eeb7942908c3e351c06aa0af329e
https://fedorahosted.org/freeipa/changeset/0c68c27e51c2a30265a760382d7d4fab7d21937b
https://fedorahosted.org/freeipa/changeset/8480d0e3333f6813439e7b3321a0e33ce80d30f1
https://fedorahosted.org/freeipa/changeset/2725e440bf1e4930f9b1d19223424bcb0d4b7066
"""

See the full comment at https://github.com/freeipa/freeipa/pull/202#issuecomment-259177616

From freeipa-github-notification at redhat.com Tue Nov 8 16:03:07 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Tue, 08 Nov 2016 17:03:07 +0100
Subject: [Freeipa-devel] [freeipa PR#202][closed] ipa-getkeytab enhancements
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/202
Author: martbab
Title: #202: ipa-getkeytab enhancements
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/202/head:pr202
git checkout pr202

From ofayans at redhat.com Tue Nov 8 16:22:52 2016
From: ofayans at redhat.com (Oleg Fayans) Date: Tue, 8 Nov 2016 17:22:52 +0100 Subject: [Freeipa-devel] [Test][Patch-0047] Added a test for Ticket N 5964 In-Reply-To: <968c71cb-95c1-bda4-ab93-56f097fa72bf@redhat.com> References: <5762BBDD.4010502@redhat.com> <5763AA17.60207@redhat.com> <5763C073.5020503@redhat.com> <577113B2.1080904@redhat.com> <8ada929c-ebff-b8ce-6f1f-ae65fb8b1ba2@redhat.com> <577FAD77.7080504@redhat.com> <9149be7c-ee3d-42e5-16fb-fd0c0f351bb8@redhat.com> <57A1E76F.9@redhat.com> <478f33da-10d4-0994-e588-b28ca002b3b4@redhat.com> <36a2eba5-a03d-131e-0042-46f0d4f0299a@redhat.com> <80d2ccd8-8e1b-52a7-df76-087c72f21a12@redhat.com> <8caa3b3a-54a6-e168-6304-09ce8fb60a7f@redhat.com> <5b666684-ada4-8721-0671-a6a0424e115b@redhat.com> <847c5b3d-f43b-7381-a8a2-2fcacc343afc@redhat.com> <968c71cb-95c1-bda4-ab93-56f097fa72bf@redhat.com> Message-ID: <4226d6fe-d2bd-17e9-1ae4-3ce3b8366ff5@redhat.com> another ping for review On 11/08/2016 09:32 AM, Oleg Fayans wrote: > Ping for review > > On 11/03/2016 04:56 PM, Oleg Fayans wrote: >> Hi Martin, >> >> The commit message was updated with the correct ticket link >> Thanks for review! >> >> On 11/03/2016 04:22 PM, Martin Basti wrote: >>> almost ACK, but the ticket in commit message is closed as invalid. So >>> I'm quite puzzled now what to do. >>> >>> >>> On 03.11.2016 13:28, Oleg Fayans wrote: >>>> ping for review >>>> >>>> On 10/19/2016 04:54 PM, Oleg Fayans wrote: >>>>> Hi Martin, >>>>> >>>>> Thanks for the review. Fixed both issues. >>>>> >>>>> $ ipa-run-tests test_integration/test_topology.py -k >>>>> TestCASpecificRUVs >>>>> WARNING: Couldn't write lextab module 'pycparser.lextab'. [Errno 13] >>>>> Permission denied: 'lextab.py' >>>>> WARNING: yacc table file version is out of date >>>>> WARNING: Couldn't create 'pycparser.yacctab'. 
[Errno 13] Permission >>>>> denied: 'yacctab.py' >>>>> ==================================================================================== >>>>> >>>>> >>>>> >>>>> test session starts >>>>> ===================================================================================== >>>>> >>>>> >>>>> >>>>> >>>>> platform linux2 -- Python 2.7.11, pytest-2.9.2, py-1.4.31, >>>>> pluggy-0.3.1 >>>>> rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: >>>>> pytest.ini >>>>> plugins: sourceorder-0.5, multihost-1.0 >>>>> collected 5 items >>>>> >>>>> test_integration/test_topology.py .. >>>>> >>>>> ================================================================================ >>>>> >>>>> >>>>> >>>>> 2 passed in 2444.84 seconds >>>>> ================================================================================= >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> On 10/17/2016 07:05 PM, Martin Basti wrote: >>>>>> 1) >>>>>> >>>>>> you don't need to disable/enable dirsrv, just stop/start. Please >>>>>> remove >>>>>> disable/enable parts >>>>>> >>>>>> >>>>>> 2) >>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>> traceback >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>> >>>>>> >>>>>> self = >>>>> object at 0x7f6a502eec90> >>>>>> >>>>>> def test_delete_ruvs(self): >>>>>> """ >>>>>> http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/ >>>>>> Test_Plan#Test_case:_clean-ruv_subcommand >>>>>> """ >>>>>> replica = self.replicas[0] >>>>>> master = self.master >>>>>> res1 = master.run_command(['ipa-replica-manage', 'list-ruv', >>>>>> '-p', >>>>>> master.config.dirman_password]) >>>>>>> assert(res1.stdout_text.count(replica.hostname) == 2 and >>>>>> "Certificate Server Replica Update Vectors" in >>>>>> res1), ( >>>>>> "CA-specific RUVs are not displayed") >>>>>> E TypeError: argument of type 'SSHCommand' is not iterable >>>>>> >>>>>> 
test_integration/test_topology.py:215: TypeError >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>> entering PDB >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>> >>>>>>> >>>>>> /usr/lib/python2.7/site-packages/ipatests/test_integration/test_topology.py(215)test_delete_ruvs() >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> -> assert(res1.stdout_text.count(replica.hostname) == 2 and >>>>>> >>>>>> >>>>>> >>>>>> On 14.10.2016 11:36, Oleg Fayans wrote: >>>>>>> Right you are! I am sorry. >>>>>>> >>>>>>> On 10/13/2016 06:10 PM, Martin Basti wrote: >>>>>>>> I think that you forgot to squash commits. Patch 47 doesn't apply >>>>>>>> >>>>>>>> >>>>>>>> On 13.10.2016 14:01, Oleg Fayans wrote: >>>>>>>>> Hi Martin, >>>>>>>>> >>>>>>>>> Thanks for the review. >>>>>>>>> With disabling directory server it works as well, thanks for the >>>>>>>>> hint. >>>>>>>>> Also I moved the cleanup logic to the test itself for the sake of >>>>>>>>> simplicity. Patch-0048 was not changed >>>>>>>>> >>>>>>>>> On 10/12/2016 02:35 PM, Martin Basti wrote: >>>>>>>>>> 1) >>>>>>>>>> >>>>>>>>>> Can you just turn off dirsrv on replica instead of doing iptables >>>>>>>>>> magic? >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> 2) NACK >>>>>>>>>> >>>>>>>>>> No more eval() ever in code, use 'getattr', 'get' or whatever in >>>>>>>>>> the >>>>>>>>>> object that can be used. >>>>>>>>>> >>>>>>>>>> + evalhost = eval("args[0].%s" % host) >>>>>>>>>> >>>>>>>>>> Martin^2 >>>>>>>>>> >>>>>>>>>> On 12.10.2016 14:03, Oleg Fayans wrote: >>>>>>>>>>> Hi Martin, >>>>>>>>>>> >>>>>>>>>>> After extensive discussion with Ludwig, I finally got the >>>>>>>>>>> clue on >>>>>>>>>>> how >>>>>>>>>>> does this feature work. When we uninstall the replica, the >>>>>>>>>>> master >>>>>>>>>>> cleans the replication agreements with this replica and >>>>>>>>>>> automatically >>>>>>>>>>> cleans all replica's RUVs. 
>>>>>>>>>>> If we clean replica's RUVs on master without uninstalling the >>>>>>>>>>> replica, >>>>>>>>>>> the replica's RUVs get recreated on master (replication >>>>>>>>>>> works!). So, >>>>>>>>>>> the only way to test the clean-ruv subcommand is to turn off the >>>>>>>>>>> replica, or block the traffic on it so it gets inaccessible to >>>>>>>>>>> updates >>>>>>>>>>> from master. >>>>>>>>>>> The testcases were updated, see [1] and [2] >>>>>>>>>>> >>>>>>>>>>> The updated versions of the patches are attached >>>>>>>>>>> >>>>>>>>>>> [1] >>>>>>>>>>> http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan#Test_case:_.2A-ruv_subcommands_of_ipa-replica-manage_are_extended_to_handle_CA-specific_RUVs >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> [2] >>>>>>>>>>> http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan#Test_case:_clean-ruv_subcommand >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> On 08/05/2016 06:36 PM, Martin Basti wrote: >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> On 03.08.2016 14:45, Oleg Fayans wrote: >>>>>>>>>>>>> Hi Martin, >>>>>>>>>>>>> >>>>>>>>>>>>> Thanks for the review! Both patches were updated. >>>>>>>>>>>>> >>>>>>>>>>>>> On 07/28/2016 04:11 PM, Martin Basti wrote: >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> On 08.07.2016 15:41, Oleg Fayans wrote: >>>>>>>>>>>>>>> Hi Martin, >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Thanks for the review! >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> On 07/08/2016 02:18 PM, Martin Basti wrote: >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> On 27.06.2016 13:53, Oleg Fayans wrote: >>>>>>>>>>>>>>>>> Hi guys, >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Is there a chance the patches NN 0047.1 and 0048.1 get >>>>>>>>>>>>>>>>> reviewed >>>>>>>>>>>>>>>>> before >>>>>>>>>>>>>>>>> 4.4 release? 
They cover a good part of the Managed >>>>>>>>>>>>>>>>> Topology >>>>>>>>>>>>>>>>> 4.4 >>>>>>>>>>>>>>>>> feature. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> On 06/17/2016 11:18 AM, Oleg Fayans wrote: >>>>>>>>>>>>>>>>>> One more test was added to the patch-0048 >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> On 06/17/2016 09:43 AM, Oleg Fayans wrote: >>>>>>>>>>>>>>>>>>> Fixed a bug in the previous patch, automated 2 more >>>>>>>>>>>>>>>>>>> testcases >>>>>>>>>>>>>>>>>>> from >>>>>>>>>>>>>>>>>>> http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> On 06/16/2016 04:46 PM, Oleg Fayans wrote: >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> IIUC, this will turn off the machine completely, how is >>>>>>>>>>>>>>>> cleanup >>>>>>>>>>>>>>>> done >>>>>>>>>>>>>>>> then. AFAIK our tests cannot turn on machine again and run >>>>>>>>>>>>>>>> cleanup, so >>>>>>>>>>>>>>>> you will not be able to run more tests on the same topology >>>>>>>>>>>>>>>> without >>>>>>>>>>>>>>>> manual cleanup and manual start. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> + replica = self.replicas[0] >>>>>>>>>>>>>>>> + replica.run_command(['poweroff']) >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> IMO would be better to just call 'ipactl stop' instead of >>>>>>>>>>>>>>>> 'poweroff' >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Agreed! Fixed. >>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Martin^2 >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>> *Automated ipa-replica-manage del tests* >>>>>>>>>>>>>> >>>>>>>>>>>>>> 1) >>>>>>>>>>>>>> + replica.run_command(['ipactl', 'stop']) >>>>>>>>>>>>>> + time.sleep(3) >>>>>>>>>>>>>> >>>>>>>>>>>>>> Why do you need sleep here? 
>>>>>>>>>>>>> >>>>>>>>>>>>> Removed, it was left from the old "poweroff" approach >>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> 2) >>>>>>>>>>>>>> + ruvid_re = re.compile(".*%s:389: (\d+).*" % >>>>>>>>>>>>>> replica.hostname) >>>>>>>>>>>>>> + replica_ruvs = ruvid_re.findall(result.stdout_text) >>>>>>>>>>>>>> + master.run_command(['ipa-replica-manage', 'clean-ruv', >>>>>>>>>>>>>> 'f', >>>>>>>>>>>>>> + '-p', >>>>>>>>>>>>>> master.config.dirman_password, >>>>>>>>>>>>>> + replica_ruvs[0]]) >>>>>>>>>>>>>> >>>>>>>>>>>>>> Because you are using re.findall(), without any match you >>>>>>>>>>>>>> will >>>>>>>>>>>>>> receive >>>>>>>>>>>>>> IndexError here replica_ruvs[0]. IMO it deserves assert >>>>>>>>>>>>>> before >>>>>>>>>>>>> >>>>>>>>>>>>> Implemented the assert which checks that the output contains >>>>>>>>>>>>> enough >>>>>>>>>>>>> replica RUVs >>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> 3) >>>>>>>>>>>>>> assert(replica.hostname in result1.stdout_text) >>>>>>>>>>>>>> >>>>>>>>>>>>>> I think that this is error prone. What if there is just error >>>>>>>>>>>>>> 'could not >>>>>>>>>>>>>> connect to replica ', or something similar. >>>>>>>>>>>>>> instead of >>>>>>>>>>>>>> listing/cleaning/whatever operation was executed. I think >>>>>>>>>>>>>> that it >>>>>>>>>>>>>> should >>>>>>>>>>>>>> be more specific regexp than just finding a replica name >>>>>>>>>>>>>> substring >>>>>>>>>>>>>> (Yes >>>>>>>>>>>>>> In IPA we dont always print error so stderr) >>>>>>>>>>>>>> >>>>>>>>>>>>>> I'm not sure, but probably there might be cases when non >>>>>>>>>>>>>> critical >>>>>>>>>>>>>> error >>>>>>>>>>>>>> happen and exist status is still 0 >>>>>>>>>>>>> >>>>>>>>>>>>> Agree. Implemented a regex-based search >>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> 4) >>>>>>>>>>>>>> >>>>>>>>>>>>>> + replica.run_command(['poweroff']) >>>>>>>>>>>>>> + time.sleep(3) >>>>>>>>>>>>>> >>>>>>>>>>>>>> There should not be poweroff, probably sleep could be removed >>>>>>>>>>>>>> too. 
>>>>>>>>>>>>> >>>>>>>>>>>>> Gone >>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> * Automated clean-ruv subcommand test* >>>>>>>>>>>>>> >>>>>>>>>>>>>> 1) PEP8, 2 new lines expected >>>>>>>>>>>>>> ./ipatests/test_integration/test_topology.py:163:1: E302 >>>>>>>>>>>>>> expected 2 >>>>>>>>>>>>>> blank lines, found 0 >>>>>>>>>>>>>> ./ipatests/test_integration/test_topology.py:182:80: E501 >>>>>>>>>>>>>> line >>>>>>>>>>>>>> too >>>>>>>>>>>>>> long >>>>>>>>>>>>>> (85 > 79 characters) >>>>>>>>>>>>> >>>>>>>>>>>>> Fixed >>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> 2) >>>>>>>>>>>>>> I dont like doing assert just with count of occurences of >>>>>>>>>>>>>> substring in >>>>>>>>>>>>>> STDOUT, would be possible to improve this somehow? >>>>>>>>>>>>> >>>>>>>>>>>>> Maybe, but frankly, I don't see how. In this case we are >>>>>>>>>>>>> making >>>>>>>>>>>>> sure >>>>>>>>>>>>> that both simple and CA-specific RUVs of a replica are >>>>>>>>>>>>> displayed. The >>>>>>>>>>>>> format of the output is strict: >>>>>>>>>>>>> Replica Update Vectors: >>>>>>>>>>>>> replica1_hostname:389: RUV_id >>>>>>>>>>>>> replica2_hostname:389: RUV_id >>>>>>>>>>>>> Certificate Server Replica Update Vectors: >>>>>>>>>>>>> replica1_hostname:389: RUV_id >>>>>>>>>>>>> replica2_hostname:389: RUV_id >>>>>>>>>>>>> If we do not see 2 occurrences of the replica hostname than >>>>>>>>>>>>> definitely >>>>>>>>>>>>> something went wrong >>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> 3) >>>>>>>>>>>>>> I'm not sure if clean-ruv is instant operations or there is >>>>>>>>>>>>>> some >>>>>>>>>>>>>> magic >>>>>>>>>>>>>> happening in background (we have abort-clean-ruv). Maybe some >>>>>>>>>>>>>> sleep >>>>>>>>>>>>>> should be there, but this needs investigation. 
>>>>>>>>>>>>>> >>>>>>>>>>>>>> + assert(replica.hostname in result2.stdout_text), ( >>>>>>>>>>>>>> + "The wrong RUV was deleted") >>>>>>>>>>>>>> + result3 = master.run_command(['ipa-replica-manage', >>>>>>>>>>>>>> 'list-ruv', >>>>>>>>>>>>>> + '-p', >>>>>>>>>>>>>> master.config.dirman_password]) >>>>>>>>>>>>>> + assert(result3.stdout_text.count(replica.hostname) == 1), ( >>>>>>>>>>>>>> + "CA RUV of the replica is still displayed") >>>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> Based on my discussion with Stanislav Laznicka, I understood >>>>>>>>>>>>> that by >>>>>>>>>>>>> default clean-ruv does not return the shell until the >>>>>>>>>>>>> operation is >>>>>>>>>>>>> finished. You can force dropping into the shell by pressing >>>>>>>>>>>>> CTRL+C, in >>>>>>>>>>>>> which case the background job will still be running, but >>>>>>>>>>>>> this is >>>>>>>>>>>>> not >>>>>>>>>>>>> the default behavior >>>>>>>>>>>>> >>>>>>>>>>>> Test failed: >>>>>>>>>>>> result4 = master.run_command(['ipa-replica-manage', >>>>>>>>>>>> 'list-ruv', >>>>>>>>>>>> '-p', >>>>>>>>>>>> master.config.dirman_password]) >>>>>>>>>>>>> assert(replica.hostname not in result4.stdout_text), ( >>>>>>>>>>>> "replica's RUV is still displayed") >>>>>>>>>>>> E AssertionError: replica's RUV is still displayed >>>>>>>>>>>> E assert 'replica3.ipa.test' not in 'Replica Update >>>>>>>>>>>> V...ipa.test:389: 8\n' >>>>>>>>>>>> E 'replica3.ipa.test' is contained here: >>>>>>>>>>>> E Replica Update Vectors: >>>>>>>>>>>> E \tmaster.ipa.test:389: 4 >>>>>>>>>>>> E \treplica3.ipa.test:389: 3 >>>>>>>>>>>> E \treplica2.ipa.test:389: 7 >>>>>>>>>>>> E Certificate Server Replica Update Vectors: >>>>>>>>>>>> E \tmaster.ipa.test:389: 6 >>>>>>>>>>>> E \treplica2.ipa.test:389: 8 >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> [root at master ~]# ipa topologysegment-find >>>>>>>>>>>> Suffix name: domain >>>>>>>>>>>> ------------------ >>>>>>>>>>>> 2 segments matched >>>>>>>>>>>> ------------------ >>>>>>>>>>>> Segment name: 
master.ipa.test-to-replica2.ipa.test >>>>>>>>>>>> Left node: master.ipa.test >>>>>>>>>>>> Right node: replica2.ipa.test >>>>>>>>>>>> Connectivity: both >>>>>>>>>>>> >>>>>>>>>>>> Segment name: master.ipa.test-to-replica3.ipa.test >>>>>>>>>>>> Left node: master.ipa.test >>>>>>>>>>>> Right node: replica3.ipa.test >>>>>>>>>>>> Connectivity: both >>>>>>>>>>>> ---------------------------- >>>>>>>>>>>> Number of entries returned 2 >>>>>>>>>>>> ---------------------------- >>>>>>>>>>>> [root at master ~]# ipa-replica-manage list-ruv >>>>>>>>>>>> Directory Manager password: >>>>>>>>>>>> >>>>>>>>>>>> Replica Update Vectors: >>>>>>>>>>>> master.ipa.test:389: 4 >>>>>>>>>>>> replica2.ipa.test:389: 7 >>>>>>>>>>>> replica3.ipa.test:389: 3 >>>>>>>>>>>> Certificate Server Replica Update Vectors: >>>>>>>>>>>> master.ipa.test:389: 6 >>>>>>>>>>>> replica2.ipa.test:389: 8 >>>>>>>>>>>> [root at master ~]# >>>>>>>>>>>> >>>>>>>>>>>> Then I tried manually to clean RUV 3, and it behaves somehow >>>>>>>>>>>> odd >>>>>>>>>>>> >>>>>>>>>>>> [root at master ~]# 'ipa-replica-manage' 'clean-ruv' '3' '-p' >>>>>>>>>>>> 'Secret123' '-f' >>>>>>>>>>>> Clean the Replication Update Vector for replica3.ipa.test:389 >>>>>>>>>>>> Background task created to clean replication data. This may >>>>>>>>>>>> take a >>>>>>>>>>>> while. 
>>>>>>>>>>>> This may be safely interrupted with Ctrl+C >>>>>>>>>>>> Cleanup task created >>>>>>>>>>>> [root at master ~]# less /var/log/dirsrv/slapd-IPA-TEST/errors >>>>>>>>>>>> [root at master ~]# ipa-replica-manage list-ruv >>>>>>>>>>>> Directory Manager password: >>>>>>>>>>>> >>>>>>>>>>>> Replica Update Vectors: >>>>>>>>>>>> master.ipa.test:389: 4 >>>>>>>>>>>> replica2.ipa.test:389: 7 >>>>>>>>>>>> replica3.ipa.test:389: 3 >>>>>>>>>>>> Certificate Server Replica Update Vectors: >>>>>>>>>>>> master.ipa.test:389: 6 >>>>>>>>>>>> replica2.ipa.test:389: 8 >>>>>>>>>>>> [root at master ~]# 'ipa-replica-manage' 'clean-ruv' '3' '-p' >>>>>>>>>>>> 'Secret123' '-f' >>>>>>>>>>>> Clean the Replication Update Vector for replica3.ipa.test:389 >>>>>>>>>>>> CLEANALLRUV task for replica id 3 already exists. >>>>>>>>>>>> This may be safely interrupted with Ctrl+C >>>>>>>>>>>> Cleanup task created >>>>>>>>>>>> >>>>>>>>>>>> [root at master ~]# ipa-replica-manage list-clean-ruv -p Secret123 >>>>>>>>>>>> No CLEANALLRUV tasks running >>>>>>>>>>>> >>>>>>>>>>>> No abort CLEANALLRUV tasks running >>>>>>>>>>>> [root at master ~]# 'ipa-replica-manage' 'clean-ruv' '3' '-p' >>>>>>>>>>>> 'Secret123' '-f' >>>>>>>>>>>> Clean the Replication Update Vector for replica3.ipa.test:389 >>>>>>>>>>>> Background task created to clean replication data. This may >>>>>>>>>>>> take a >>>>>>>>>>>> while. >>>>>>>>>>>> This may be safely interrupted with Ctrl+C >>>>>>>>>>>> Cleanup task created >>>>>>>>>>>> [root at master ~]# ipa-replica-manage list-clean-ruv -p Secret123 >>>>>>>>>>>> CLEANALLRUV tasks >>>>>>>>>>>> RID 3: Successfully cleaned rid(3). 
>>>>>>>>>>>> >>>>>>>>>>>> No abort CLEANALLRUV tasks running >>>>>>>>>>>> [root at master ~]# ipa-replica-manage list-ruv -p Secret123 >>>>>>>>>>>> Replica Update Vectors: >>>>>>>>>>>> master.ipa.test:389: 4 >>>>>>>>>>>> replica2.ipa.test:389: 7 >>>>>>>>>>>> Certificate Server Replica Update Vectors: >>>>>>>>>>>> master.ipa.test:389: 6 >>>>>>>>>>>> replica2.ipa.test:389: 8 >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> I'm not sure if this behavior is right, Ludwig may know. >>>>>>>>>>> >>>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>>> >>>>>> >>>>> >>>>> >>>>> >>>> >>> >> >> >> > -- Oleg Fayans Quality Engineer FreeIPA team RedHat. From freeipa-github-notification at redhat.com Tue Nov 8 16:23:40 2016 From: freeipa-github-notification at redhat.com (pspacek) Date: Tue, 08 Nov 2016 17:23:40 +0100 Subject: [Freeipa-devel] [freeipa PR#213][synchronized] Build system refactoring phase 3 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/213 Author: pspacek Title: #213: Build system refactoring phase 3 Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/213/head:pr213 git checkout pr213 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-213.patch Type: text/x-diff Size: 194923 bytes Desc: not available URL: From ofayans at redhat.com Tue Nov 8 16:23:47 2016 
From: ofayans at redhat.com (Oleg Fayans) Date: Tue, 8 Nov 2016 17:23:47 +0100 Subject: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test In-Reply-To: <2b219705-2007-0983-6b61-e52e60d0307b@redhat.com> References: <57A07FE4.8000904@redhat.com> <2b0ed7fe-f0bc-7137-bdc1-b0758ffe9cd6@redhat.com> <20160914154119.mkk2ma7tvks55xsu@redhat.com> <97eaa313-e889-cd4a-e900-9e88596577a0@redhat.com> <20160914155320.iowrijrq3z62evoo@redhat.com> <1af52e6c-c24b-d58b-ccf5-a85c5c290e0c@redhat.com> <20160914165348.GE2761@p.Speedport_W_724V_Typ_A_05011603_00_009> <59763ea7-2ab5-bdc2-72c1-489a462f78ef@redhat.com> <6089c103-ab56-62f7-971c-a41710eee22f@redhat.com> <1d744d16-75de-2bdc-5892-b3c36a305581@redhat.com> <39a8af61-056b-df40-9126-50997a5b54c8@redhat.com> <5ca38d5c-0f0b-46ef-71e2-3d493425e9c2@redhat.com> <2b219705-2007-0983-6b61-e52e60d0307b@redhat.com> Message-ID: <01fbb523-dcaf-fc4b-0bed-3d147f1039ee@redhat.com> Never give up pinging :) On 11/03/2016 12:43 PM, Martin Basti wrote: > LGTM > > > On 03.11.2016 09:42, Oleg Fayans wrote: >> One more ping for review >> >> On 10/27/2016 02:21 PM, Oleg Fayans wrote: >>> ping for review >>> >>> On 10/25/2016 10:24 AM, Oleg Fayans wrote: >>>> Integration part of the tests is ready. 2 tests: >>>> >>>> 1. Adds a cert to idoverride of a windows user >>>> 2. sssd part - looks up user by his certificate using dbus-sssd >>>> >>>> Second and third dbus calls are executed as a string instead of as array >>>> of strings because it just does not work otherwise. Some quote escaping >>>> gets screwed probably, but the system returns "Error >>>> org.freedesktop.DBus.Error.UnknownInterface: Unknown interface" if the >>>> command is executed using the standard array-based approach >>>> >>>> The run looks like this: >>>> >>>> bash-4.3$ ipa-run-tests test_integration/test_idviews.py --pdb >>>> WARNING: Couldn't write lextab module 'pycparser.lextab'.
[Errno 13] >>>> Permission denied: 'lextab.py' >>>> WARNING: yacc table file version is out of date >>>> WARNING: Couldn't create 'pycparser.yacctab'. [Errno 13] Permission >>>> denied: 'yacctab.py' >>>> ==================================== test session starts >>>> ==================================== >>>> platform linux2 -- Python 2.7.11, pytest-2.9.2, py-1.4.31, pluggy-0.3.1 >>>> rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: pytest.ini >>>> plugins: sourceorder-0.5, multihost-1.0 >>>> collected 2 items >>>> >>>> test_integration/test_idviews.py .. >>>> >>>> ================================ 2 passed in 948.44 seconds >>>> ================================= >>>> >>>> >>>> On 10/21/2016 10:54 AM, Oleg Fayans wrote: >>>>> Added one more test, resolved the pep8 issues >>>>> >>>>> On 10/19/2016 12:32 PM, Oleg Fayans wrote: >>>>>> Hi Martin, >>>>>> >>>>>> As you suggested, I've extended the >>>>>> test_xmlrpc/test_add_remove_cert_cmd.py to contain basic tests for >>>>>> certs >>>>>> in idoverrides. >>>>>> The integration part still needs some polishing in the part >>>>>> related to >>>>>> user lookup by cert >>>>>> >>>>>> On 10/14/2016 03:57 PM, Martin Babinsky wrote: >>>>>>> On 10/14/2016 03:48 PM, Oleg Fayans wrote: >>>>>>>> So, did I understand correctly, that there would be 2 patches: one >>>>>>>> containing test for basic idoverrides functionality without >>>>>>>> AD-integration, and the second one - with AD-integration and an >>>>>>>> sssd >>>>>>>> check, correct? >>>>>>>> I guess, the >>>>>>>> freeipa-ofayans-0050.1-Automated-test-for-certs-in-idoverrides-feature.patch >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> might be a good candidate for the first one, I only have to change >>>>>>>> the >>>>>>>> filename to test_idviews.py, right? 
>>>>>>>> >>>>>>> >>>>>>> Oleg, we already have XMLRPC tests for idoverrides: >>>>>>> >>>>>>> ipatests/test_xmlrpc/test_idviews_plugin.py >>>>>>> >>>>>>> Is there any particular reason why not to extend them with add >>>>>>> cert/remove cert operations? >>>>>>> >>>>>>> Even better, you can extend >>>>>>> `ipatests/test_xmlrpc/test_add_remove_cert_cmd.py` suite by doing >>>>>>> the >>>>>>> same set of tests on idoverrideuser objects. >>>>>>> >>>>>>> Or am I missing something? >>>>>>> >>>>>>>> On 09/15/2016 10:32 AM, Martin Basti wrote: >>>>>>>>> >>>>>>>>> >>>>>>>>> On 15.09.2016 10:10, Oleg Fayans wrote: >>>>>>>>>> Hi Martin, >>>>>>>>>> >>>>>>>>>> The file was renamed. Did I understand correctly that for now we >>>>>>>>>> are >>>>>>>>>> leaving the test as is and are planning to extend it later? >>>>>>>>> >>>>>>>>> I would like to have there SSSD check involved, please use what >>>>>>>>> Summit >>>>>>>>> recommends. No new test cases. >>>>>>>>> >>>>>>>>> And this can be done by separate patch, I want to have API/CLI >>>>>>>>> certificate override tests for non-AD idview (extending current >>>>>>>>> tests I >>>>>>>>> posted in this thread) >>>>>>>>> >>>>>>>>> Martin^2 >>>>>>>>>> >>>>>>>>>> On 09/15/2016 09:49 AM, Martin Basti wrote: >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> On 14.09.2016 18:53, Sumit Bose wrote: >>>>>>>>>>>> On Wed, Sep 14, 2016 at 06:03:37PM +0200, Martin Basti wrote: >>>>>>>>>>>>> >>>>>>>>>>>>> On 14.09.2016 17:53, Alexander Bokovoy wrote: >>>>>>>>>>>>>> On Wed, 14 Sep 2016, Martin Basti wrote: >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> On 14.09.2016 17:41, Alexander Bokovoy wrote: >>>>>>>>>>>>>>>> On Wed, 14 Sep 2016, Martin Basti wrote: >>>>>>>>>>>>>>>>> 1) >>>>>>>>>>>>>>>>> I still don't see the reason why AD trust is needed. >>>>>>>>>>>>>>>>> Default >>>>>>>>>>>>>>>>> trust ID view is added just by ipa-adtrust-install, adding >>>>>>>>>>>>>>>>> trust is not needed for current implementation. 
You don't >>>>>>>>>>>>>>>>> need AD for this, IDviews is generic feature not just for >>>>>>>>>>>>>>>>> AD. Is that user configured on AD side? >>>>>>>>>>>>>>>> You cannot add non-AD user to 'default trust view', so you >>>>>>>>>>>>>>>> will >>>>>>>>>>>>>>>> not be >>>>>>>>>>>>>>>> able to set up certificates to ID override which does not >>>>>>>>>>>>>>>> exist. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> For non-'default trust view' you can add both IPA and AD >>>>>>>>>>>>>>>> users, >>>>>>>>>>>>>>>> so using >>>>>>>>>>>>>>>> some other view and then assign certificate for a ID >>>>>>>>>>>>>>>> override in >>>>>>>>>>>>>>>> that >>>>>>>>>>>>>>>> one. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Ok then, but anyway I would like to see API/CLI tests for >>>>>>>>>>>>>>> this >>>>>>>>>>>>>>> feature with proper output validation. >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> How can be this tested with SSSD? >>>>>>>>>>>>>> You need to log into the system with a certificate... >>>>>>>>>>>>> Is this possible from test? We are logged remotely as root, is >>>>>>>>>>>>> there any >>>>>>>>>>>>> cmdline util which allows us to test certificate against AD >>>>>>>>>>>>> user? >>>>>>>>>>>> >>>>>>>>>>>> You can use 'sss_ssh_authorizedkeys aduser at ad.domain' which >>>>>>>>>>>> should >>>>>>>>>>>> return the ssh key derived from the public key in the >>>>>>>>>>>> certificate. >>>>>>>>>>>> This >>>>>>>>>>>> should work for certificate stored in AD as well as for >>>>>>>>>>>> overrides. >>>>>>>>>>>> >>>>>>>>>>>> You can also you the DBus lookup by certificate as described in >>>>>>>>>>>> https://fedorahosted.org/sssd/wiki/DesignDocs/LookupUsersByCertificate >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> . >>>>>>>>>>>> >>>>>>>>>>>> HTH >>>>>>>>>>>> >>>>>>>>>>>> bye, >>>>>>>>>>>> Sumit >>>>>>>>>>> >>>>>>>>>>> Thank you Alexander and Summit for hints. 
>>>>>>>>>>> >>>>>>>>>>> Oleg I realized we don't have any other idviews integration >>>>>>>>>>> tests >>>>>>>>>>> >>>>>>>>>>> So I propose to rename test file you are adding to >>>>>>>>>>> test_idviews.py. We >>>>>>>>>>> can add more testcases for idviews there later >>>>>>>>>>> >>>>>>>>>>> Martin^2 >>>>>>>>>>>>> Martin^2 >>>>>>>>>>>>> >>>>>>>>>>>>> -- >>>>>>>>>>>>> Manage your subscription for the Freeipa-devel mailing list: >>>>>>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel >>>>>>>>>>>>> Contribute to FreeIPA: >>>>>>>>>>>>> http://www.freeipa.org/page/Contribute/Code >>>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>>> >>>>>>> >>>>>> >>>>>> >>>>>> >>>>> >>>>> >>>>> >>>> >>>> >>>> >>> >> > -- Oleg Fayans Quality Engineer FreeIPA team RedHat. From ofayans at redhat.com Tue Nov 8 16:24:13 2016 
From: ofayans at redhat.com (Oleg Fayans)
Date: Tue, 8 Nov 2016 17:24:13 +0100
Subject: [Freeipa-devel] [test][patch-0057] test for ticket N 6146 (installing rules with service principals)
In-Reply-To: <402f9a42-71dd-3b38-6974-4061c10660dc@redhat.com>
References: <57AAE7EA.5090604@redhat.com> <745bf2dc-18d4-9f89-b97c-980b447f2823@redhat.com> <57AB1418.60903@redhat.com> <7d137bdf-883c-2ef9-468d-f8b7de358804@redhat.com> <9e419344-e733-76b0-b103-77496dd1097c@redhat.com> <402f9a42-71dd-3b38-6974-4061c10660dc@redhat.com>
Message-ID: <53f34ed7-7da4-a4e5-ec03-3e4bd199b357@redhat.com>

And this one.

On 11/03/2016 09:42 AM, Oleg Fayans wrote:
> One more ping for review
>
> On 10/27/2016 02:21 PM, Oleg Fayans wrote:
>> ping for review
>>
>> On 10/25/2016 11:29 AM, Oleg Fayans wrote:
>>> The patch was rebased to be able to apply on top of latest version of
>>> certs in idoverrides patch. As before, it requires patches NN 0049 and
>>> 0059 to apply
>>>
>>> On 08/10/2016 01:46 PM, Oleg Fayans wrote:
>>>> Hi Martin,
>>>>
>>>> I am sorry, yes it depends on my patches 0049 and 0050.
>>>>
>>>>
>>>> On 08/10/2016 12:27 PM, Martin Basti wrote:
>>>>>
>>>>>
>>>>> On 10.08.2016 10:38, Oleg Fayans wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>> Hello,
>>>>>
>>>>> I cannot apply this patch
>>>>> error: ipatests/test_integration/test_certs_in_idoverrides.py: does not exist in index
>>>>> It probably depends on another patch (which one?)
>>>>>
>>>>> Please, use human readable subjects in email, I do not remember from
>>>>> top of my head what #6146 is.
>>>>>
>>>>> Martin^2
>>>>>
>>>>>
>>>>
>>>
>>>
>>>
>>
>
--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.

From freeipa-github-notification at redhat.com Tue Nov 8 16:24:37 2016
From: freeipa-github-notification at redhat.com (rcritten)
Date: Tue, 08 Nov 2016 17:24:37 +0100
Subject: [Freeipa-devel] [freeipa PR#195][comment] [WIP] Make ipaclient pip install-able
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/195
Title: #195: [WIP] Make ipaclient pip install-able

rcritten commented:
"""
This is an important feature for integration. OpenStack uses pip to install dependencies into virtual environments for doing multi-version python testing. I'll need ipalib to be pip installable for the automatic enrollment feature, novajoin, that I'm working on.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/195#issuecomment-259184042

From freeipa-github-notification at redhat.com Tue Nov 8 16:31:41 2016
From: freeipa-github-notification at redhat.com (pspacek)
Date: Tue, 08 Nov 2016 17:31:41 +0100
Subject: [Freeipa-devel] [freeipa PR#213][edited] Build system refactoring phase 3
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/213
Author: pspacek
Title: #213: Build system refactoring phase 3
Action: edited

Changed field: body
Original value:
"""
This monster patch-set refactors most of build system and moves most of the logic from SPEC file to build system. It is not yet complete, missing parts are:

- [ ] Python 3 support
- [ ] Linters are not executed at all
- [ ] IPA_VERSION_IS_GIT_SNAPSHOT does not work

These will be sorted out later on but the review of the patch set can begin.
"""

From freeipa-github-notification at redhat.com Tue Nov 8 16:33:19 2016
From: freeipa-github-notification at redhat.com (pspacek)
Date: Tue, 08 Nov 2016 17:33:19 +0100
Subject: [Freeipa-devel] [freeipa PR#213][synchronized] Build system refactoring phase 3
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/213
Author: pspacek
Title: #213: Build system refactoring phase 3
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/213/head:pr213
git checkout pr213
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-213.patch
Type: text/x-diff
Size: 195387 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Tue Nov 8 16:34:58 2016
From: freeipa-github-notification at redhat.com (pspacek)
Date: Tue, 08 Nov 2016 17:34:58 +0100
Subject: [Freeipa-devel] [freeipa PR#213][comment] Build system refactoring phase 3
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/213
Title: #213: Build system refactoring phase 3

pspacek commented:
"""
- This version supports lint target and all configuration options for linters listed in the design document.
- Fixes in systemd-tmpfiles call from make install.
- Updates .travis.yml to account for new method of RPM build.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/213#issuecomment-259187271

From freeipa-github-notification at redhat.com Tue Nov 8 17:06:30 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Tue, 08 Nov 2016 18:06:30 +0100
Subject: [Freeipa-devel] [freeipa PR#195][comment] [WIP] Make ipaclient pip install-able
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/195
Title: #195: [WIP] Make ipaclient pip install-able

mbasti-rh commented:
"""
Where is a ticket? :)
"""

See the full comment at https://github.com/freeipa/freeipa/pull/195#issuecomment-259196360

From freeipa-github-notification at redhat.com Tue Nov 8 18:38:24 2016
From: freeipa-github-notification at redhat.com (simo5)
Date: Tue, 08 Nov 2016 19:38:24 +0100
Subject: [Freeipa-devel] [freeipa PR#205][comment] Support DAL version 5 and version 6
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/205
Title: #205: Support DAL version 5 and version 6

simo5 commented:
"""
There was no upstream ticket when I created the commit :-) I'll add.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/205#issuecomment-259221154

From freeipa-github-notification at redhat.com Tue Nov 8 18:39:58 2016
From: freeipa-github-notification at redhat.com (simo5)
Date: Tue, 08 Nov 2016 19:39:58 +0100
Subject: [Freeipa-devel] [freeipa PR#205][synchronized] Support DAL version 5 and version 6
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/205
Author: simo5
Title: #205: Support DAL version 5 and version 6
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/205/head:pr205
git checkout pr205
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-205.patch
Type: text/x-diff
Size: 5565 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Wed Nov 9 09:00:55 2016
From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Wed, 09 Nov 2016 10:00:55 +0100
Subject: [Freeipa-devel] [freeipa PR#216][opened] libexec scripts: ldap conn management
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/216
Author: tomaskrizek
Title: #216: libexec scripts: ldap conn management
Action: opened

PR body:
"""
Certificate renewal scripts require connection to LDAP. Properly handle connects and disconnects from LDAP.

https://fedorahosted.org/freeipa/ticket/6461
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/216/head:pr216
git checkout pr216
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-216.patch
Type: text/x-diff
Size: 2463 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Wed Nov 9 09:05:19 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 09 Nov 2016 10:05:19 +0100
Subject: [Freeipa-devel] [freeipa PR#213][comment] Build system refactoring phase 3
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/213
Title: #213: Build system refactoring phase 3

mbasti-rh commented:
"""
commit `Build: add rpms target and makerpms.sh script` misses makerpms.sh and ticket, and it looks like you forgot to squash this commit
"""

See the full comment at https://github.com/freeipa/freeipa/pull/213#issuecomment-259364783

From freeipa-github-notification at redhat.com Wed Nov 9 09:07:51 2016
From: freeipa-github-notification at redhat.com (tiran)
Date: Wed, 09 Nov 2016 10:07:51 +0100
Subject: [Freeipa-devel] [freeipa PR#213][+ack] Build system refactoring phase 3
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/213
Title: #213: Build system refactoring phase 3
Label: +ack

From freeipa-github-notification at redhat.com Wed Nov 9 09:23:32 2016
From: freeipa-github-notification at redhat.com (tiran)
Date: Wed, 09 Nov 2016 10:23:32 +0100
Subject: [Freeipa-devel] [freeipa PR#213][comment] Build system refactoring phase 3
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/213
Title: #213: Build system refactoring phase 3

tiran commented:
"""
The patch has some minor creases but works. Let's merge it to master and iron out the remaining small issues with PRs.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/213#issuecomment-259368347

From freeipa-github-notification at redhat.com Wed Nov 9 09:37:53 2016
From: freeipa-github-notification at redhat.com (tiran)
Date: Wed, 09 Nov 2016 10:37:53 +0100
Subject: [Freeipa-devel] [freeipa PR#213][comment] Build system refactoring phase 3
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/213
Title: #213: Build system refactoring phase 3

tiran commented:
"""
memo for me:

- [ ] /freeipa*.tar.gz is not removed
- [ ] ```MOSTLYCLEANFILES``` only cleans ipasetup.py[co] but keeps __pycache__ and other pyc/pyo. add ```clean-local: rm -rf *.pyc *.pyc __pycache__```
- [ ] ```Makefile.python.am``` clean-local has ```-delete``` and ```-exec```. AFAIK only one action is supported.
- [ ] neither clean nor distclean removes ```/dist``` and ```/rpmbuild```
- [ ] autoconf and automake files are not removed (Makefile.in, /config.sub ...)
"""

See the full comment at https://github.com/freeipa/freeipa/pull/213#issuecomment-259371190

From freeipa-github-notification at redhat.com Wed Nov 9 10:03:53 2016
From: freeipa-github-notification at redhat.com (tiran)
Date: Wed, 09 Nov 2016 11:03:53 +0100
Subject: [Freeipa-devel] [freeipa PR#213][comment] Build system refactoring phase 3
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/213
Title: #213: Build system refactoring phase 3

tiran commented:
"""
memo for me:

- [ ] /freeipa*.tar.gz is not removed
- [ ] ```MOSTLYCLEANFILES``` only cleans ipasetup.py[co] but keeps __pycache__ and other pyc/pyo. add ```clean-local: rm -rf *.pyc *.pyc __pycache__```
- [ ] ```Makefile.python.am``` clean-local has ```-delete``` and ```-exec```. AFAIK only one action is supported.
- [ ] neither clean nor distclean removes ```/dist``` and ```/rpmbuild```
- [ ] autoconf and automake files are not removed (Makefile.in, /config.sub ...)
- [] add ```ipasetup.py``` to ```dist_noinst_SCRIPTS``` ?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/213#issuecomment-259371190

From freeipa-github-notification at redhat.com Wed Nov 9 10:03:59 2016
From: freeipa-github-notification at redhat.com (tiran)
Date: Wed, 09 Nov 2016 11:03:59 +0100
Subject: [Freeipa-devel] [freeipa PR#213][comment] Build system refactoring phase 3
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/213
Title: #213: Build system refactoring phase 3

tiran commented:
"""
memo for me:

- [ ] /freeipa*.tar.gz is not removed
- [ ] ```MOSTLYCLEANFILES``` only cleans ipasetup.py[co] but keeps __pycache__ and other pyc/pyo. add ```clean-local: rm -rf *.pyc *.pyc __pycache__```
- [ ] ```Makefile.python.am``` clean-local has ```-delete``` and ```-exec```. AFAIK only one action is supported.
- [ ] neither clean nor distclean removes ```/dist``` and ```/rpmbuild```
- [ ] autoconf and automake files are not removed (Makefile.in, /config.sub ...)
- [] add ```ipasetup.py``` to ```dist_noinst_SCRIPTS``` ?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/213#issuecomment-259371190

From freeipa-github-notification at redhat.com Wed Nov 9 10:55:04 2016
From: freeipa-github-notification at redhat.com (frasertweedale) Date: Wed, 09 Nov 2016 11:55:04 +0100 Subject: [Freeipa-devel] [freeipa PR#217][opened] change certificate processing code to use python-cryptography Message-ID: URL: https://github.com/freeipa/freeipa/pull/217 Author: frasertweedale Title: #217: change certificate processing code to use python-cryptography Action: opened PR body: """ This commit changes certificate processing code to use python-cryptography instead of NSS. Part of the refactoring effort, certificates sub-effort. Reviewed at dkupka/freeipa:pull/1 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/217/head:pr217 git checkout pr217 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-217.patch Type: text/x-diff Size: 100294 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Nov 9 10:56:39 2016 From: freeipa-github-notification at redhat.com (frasertweedale) Date: Wed, 09 Nov 2016 11:56:39 +0100 Subject: [Freeipa-devel] [freeipa PR#177][comment] Add options to write lightweight CA cert or chain to file In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/177 Title: #177: Add options to write lightweight CA cert or chain to file frasertweedale commented: """ Bump for review """ See the full comment at https://github.com/freeipa/freeipa/pull/177#issuecomment-259387372 From freeipa-github-notification at redhat.com Wed Nov 9 11:02:06 2016 
From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 09 Nov 2016 12:02:06 +0100 Subject: [Freeipa-devel] [freeipa PR#218][opened] test_ipagetkeytab: use system-wide IPA CA cert location in tests Message-ID: URL: https://github.com/freeipa/freeipa/pull/218 Author: martbab Title: #218: test_ipagetkeytab: use system-wide IPA CA cert location in tests Action: opened PR body: """ Since /etc/ipa/ca.crt should be always present on the test runner, we should use it in bind method tests and not rely on its presence in user conf dir. https://fedorahosted.org/freeipa/ticket/6409 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/218/head:pr218 git checkout pr218 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-218.patch Type: text/x-diff Size: 1258 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Nov 9 11:13:24 2016 From: freeipa-github-notification at redhat.com (pspacek) Date: Wed, 09 Nov 2016 12:13:24 +0100 Subject: [Freeipa-devel] [freeipa PR#213][synchronized] Build system refactoring phase 3 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/213 Author: pspacek Title: #213: Build system refactoring phase 3 Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/213/head:pr213 git checkout pr213 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-213.patch Type: text/x-diff Size: 195287 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Nov 9 11:16:24 2016 
From: freeipa-github-notification at redhat.com (pspacek) Date: Wed, 09 Nov 2016 12:16:24 +0100 Subject: [Freeipa-devel] [freeipa PR#213][comment] Build system refactoring phase 3 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/213 Title: #213: Build system refactoring phase 3 tiran commented: """ memo for me: - [ ] /freeipa*.tar.gz is not removed - [ ] ```MOSTLYCLEANFILES``` only cleans ipasetup.py[co] but keeps __pycache__ and other pyc/pyo. add ```clean-local: rm -rf *.pyc *.pyc __pycache__``` - [ ] ```Makefile.python.am``` clean-local has ```-delete``` and ```-exec```. AFAIK only one action is supported. - [ ] neither clean nor distclean removes ```/dist``` and ```/rpmbuild``` - [ ] autoconf and automake files are not removed (Makefile.in, /config.sub ...) - [x] add ```ipasetup.py``` to ```dist_noinst_SCRIPTS``` ? """ See the full comment at https://github.com/freeipa/freeipa/pull/213#issuecomment-259371190 From freeipa-github-notification at redhat.com Wed Nov 9 11:17:37 2016 From: freeipa-github-notification at redhat.com (flo-renaud) Date: Wed, 09 Nov 2016 12:17:37 +0100 Subject: [Freeipa-devel] [freeipa PR#219][opened] Refactor installer code requesting certificates Message-ID: URL: https://github.com/freeipa/freeipa/pull/219 Author: flo-renaud Title: #219: Refactor installer code requesting certificates Action: opened PR body: """ With this PR, the certificates requested during server installation are now consistently obtained through certmonger (applies to HTTP/LDAP and renew agent cert). https://fedorahosted.org/freeipa/ticket/6433 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/219/head:pr219 git checkout pr219 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-219.patch Type: text/x-diff Size: 27594 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Nov 9 11:18:28 2016 
From: freeipa-github-notification at redhat.com (pspacek)
Date: Wed, 09 Nov 2016 12:18:28 +0100
Subject: [Freeipa-devel] [freeipa PR#213][comment] Build system refactoring phase 3
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/213
Title: #213: Build system refactoring phase 3

pspacek commented:
"""
@tiran
> add ipasetup.py to dist_noinst_SCRIPTS ?

`ipasetup.py` file is auto-generated from `ipasetup.py.in` so it should not be part of distribution tarball. I've marked this item as "done".
"""

See the full comment at https://github.com/freeipa/freeipa/pull/213#issuecomment-259391220

From freeipa-github-notification at redhat.com Wed Nov 9 11:19:36 2016
From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Wed, 09 Nov 2016 12:19:36 +0100
Subject: [Freeipa-devel] [freeipa PR#216][synchronized] libexec scripts: ldap conn management
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/216
Author: tomaskrizek
Title: #216: libexec scripts: ldap conn management
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/216/head:pr216
git checkout pr216
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-216.patch
Type: text/x-diff
Size: 2684 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Wed Nov 9 11:20:19 2016
From: freeipa-github-notification at redhat.com (flo-renaud)
Date: Wed, 09 Nov 2016 12:20:19 +0100
Subject: [Freeipa-devel] [freeipa PR#219][edited] Refactor installer code requesting certificates
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/219
Author: flo-renaud
Title: #219: Refactor installer code requesting certificates
Action: edited

Changed field: body
Original value:
"""
With this PR, the certificates requested during server installation are now consistently obtained through certmonger (applies to HTTP/LDAP and renew agent cert).

https://fedorahosted.org/freeipa/ticket/6433
"""

From freeipa-github-notification at redhat.com Wed Nov 9 11:26:43 2016
From: freeipa-github-notification at redhat.com (pspacek)
Date: Wed, 09 Nov 2016 12:26:43 +0100
Subject: [Freeipa-devel] [freeipa PR#213][comment] Build system refactoring phase 3
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/213
Title: #213: Build system refactoring phase 3

pspacek commented:
"""
@tiran I've tested the find command and it works. The trick is `-o` which acts like OR and allows you to specify different conditions and associate different actions to them. I'm going to check the checkbox as well :-)
"""

See the full comment at https://github.com/freeipa/freeipa/pull/213#issuecomment-259392845

From freeipa-github-notification at redhat.com Wed Nov 9 11:26:57 2016
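The `find` behaviour pspacek describes in the PR #213 comment above, where `-o` pairs each condition with its own action, as an added example that is not taken from FreeIPA's `Makefile.python.am`. The demo tree, file names and function names are constructed for illustration; it also shows the precedence mistake that leaves bytecode behind.

```shell
#!/bin/sh
# Added illustration: one find invocation, two conditions, two actions.
# Everything below (tree layout, function names) is constructed for the demo.

# Build a throwaway source tree with bytecode leftovers and print its path.
make_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/pkg/__pycache__" "$root/pkg/sub"
    : > "$root/pkg/mod.py"
    : > "$root/pkg/mod.pyc"
    : > "$root/pkg/sub/old.pyo"
    : > "$root/pkg/__pycache__/mod.cpython-35.pyc"
    : > "$root/pkg/__pycache__/stray.txt"
    printf '%s\n' "$root"
}

# Pitfall: the implicit AND binds tighter than -o, so this parses as
#   -name '*.pyc'  -o  ( -name '*.pyo' -a -delete )
# Only *.pyo files are deleted. *.pyc files match the left branch, which has
# no action, and because an action exists elsewhere find adds no default -print.
clean_wrong() {
    find "$1" -name '*.pyc' -o -name '*.pyo' -delete
}

# Each -o branch carries its own test and its own action.
# -delete implies -depth, so files inside __pycache__ are visited before the
# directory itself; the batched rm then removes whatever is left in it.
clean_right() {
    find "$1" \
        \( -type f -name '*.py[co]' -delete \) -o \
        \( -type d -name '__pycache__' -exec rm -rf -- {} + \)
}

# Number of bytecode files and __pycache__ directories still present.
count_leftovers() {
    find "$1" \( -name '*.py[co]' -o -name '__pycache__' \) | wc -l | tr -d ' '
}

# Stand-alone run: show the difference on a fresh tree, then clean up.
demo=$(make_tree)
clean_wrong "$demo"
echo "after precedence mistake: $(count_leftovers "$demo") leftovers"
clean_right "$demo"
echo "after per-branch actions: $(count_leftovers "$demo") leftovers"
rm -rf -- "$demo"
```
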
From: freeipa-github-notification at redhat.com (pspacek) Date: Wed, 09 Nov 2016 12:26:57 +0100 Subject: [Freeipa-devel] [freeipa PR#213][comment] Build system refactoring phase 3 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/213 Title: #213: Build system refactoring phase 3 tiran commented: """ memo for me: - [ ] /freeipa*.tar.gz is not removed - [ ] ```MOSTLYCLEANFILES``` only cleans ipasetup.py[co] but keeps __pycache__ and other pyc/pyo. add ```clean-local: rm -rf *.pyc *.pyc __pycache__``` - [x] ```Makefile.python.am``` clean-local has ```-delete``` and ```-exec```. AFAIK only one action is supported. - [ ] neither clean nor distclean removes ```/dist``` and ```/rpmbuild``` - [ ] autoconf and automake files are not removed (Makefile.in, /config.sub ...) - [x] add ```ipasetup.py``` to ```dist_noinst_SCRIPTS``` ? """ See the full comment at https://github.com/freeipa/freeipa/pull/213#issuecomment-259371190 From freeipa-github-notification at redhat.com Wed Nov 9 12:02:58 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 09 Nov 2016 13:02:58 +0100 Subject: [Freeipa-devel] [freeipa PR#213][comment] Build system refactoring phase 3 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/213 Title: #213: Build system refactoring phase 3 mbasti-rh commented: """ ACK """ See the full comment at https://github.com/freeipa/freeipa/pull/213#issuecomment-259399255 From freeipa-github-notification at redhat.com Wed Nov 9 12:05:41 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 09 Nov 2016 13:05:41 +0100 Subject: [Freeipa-devel] [freeipa PR#213][+ack] Build system refactoring phase 3 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/213 Title: #213: Build system refactoring phase 3 Label: +ack From freeipa-github-notification at redhat.com Wed Nov 9 12:09:03 2016 
From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 09 Nov 2016 13:09:03 +0100 Subject: [Freeipa-devel] [freeipa PR#213][comment] Build system refactoring phase 3 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/213 Title: #213: Build system refactoring phase 3 martbab commented: """ Fixed upstream master: """ See the full comment at https://github.com/freeipa/freeipa/pull/213#issuecomment-259400321 From freeipa-github-notification at redhat.com Wed Nov 9 12:09:05 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 09 Nov 2016 13:09:05 +0100 Subject: [Freeipa-devel] [freeipa PR#213][closed] Build system refactoring phase 3 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/213 Author: pspacek Title: #213: Build system refactoring phase 3 Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/213/head:pr213 git checkout pr213 From freeipa-github-notification at redhat.com Wed Nov 9 12:09:09 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 09 Nov 2016 13:09:09 +0100 Subject: [Freeipa-devel] [freeipa PR#213][+pushed] Build system refactoring phase 3 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/213 Title: #213: Build system refactoring phase 3 Label: +pushed From pspacek at redhat.com Wed Nov 9 12:19:16 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Wed, 9 Nov 2016 13:19:16 +0100
Subject: [Freeipa-devel] Build system refactoring was pushed to master
Message-ID: <3106e845-d233-629f-b96d-0d09325f64e0@redhat.com>

Hi FreeIPA gang,

we just pushed Build system refactoring to master.

Most visible change is that you need to use command
"./makerpms.sh"
instead of
"make rpms"
when building FreeIPA from clean Git tree. "make rpms" will work as usual after initial autoreconf -i && ./configure combo so this affects only the very first build.

Page http://www.freeipa.org/page/Build was updated with other changes as well, most notably file VERSION was renamed to VERSION.m4.

Other details are mentioned in design document
http://www.freeipa.org/page/V4/Build_system_refactoring
and pull request:
https://github.com/freeipa/freeipa/pull/213

Let me know if you encounter any issues!

--
Petr^2 Spacek

From freeipa-github-notification at redhat.com Wed Nov 9 12:34:14 2016
From: freeipa-github-notification at redhat.com (tiran)
Date: Wed, 09 Nov 2016 13:34:14 +0100
Subject: [Freeipa-devel] [freeipa PR#195][edited] [WIP] Make ipaclient pip install-able
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/195
Author: tiran
Title: #195: [WIP] Make ipaclient pip install-able
Action: edited

Changed field: body
Original value:
"""
## proof of concept

This makes ipaclient and dependencies pip install-able by adding install requirements to all `setup.py`. A new make target `bdist_wheel` creates wheel distributions.

## example

```
$ make bdist_wheel
$ cp ../custodia/dist/custodia-0.2-py2.py3-none-any.whl dist/
$ virtualenv /tmp/ipaenv
New python executable in /tmp/ipaenv/bin/python2
Also creating executable in /tmp/ipaenv/bin/python
Installing setuptools, pip, wheel...done.
$ /tmp/ipaenv/bin/pip install dist/*.whl
Processing ./dist/custodia-0.2-py2.py3-none-any.whl
Processing ./dist/ipaclient-4.4.90.201610271437GITd812266-py2.py3-none-any.whl
Processing ./dist/ipalib-4.4.90.201610271437GITd812266-py2.py3-none-any.whl
Processing ./dist/ipaplatform-4.4.90.201610271437GITd812266-py2.py3-none-any.whl
Processing ./dist/ipapython-4.4.90.201610271437GITd812266-py2.py3-none-any.whl
...
Installing collected packages: configparser, requests, six, idna, pycparser, cffi, pyasn1, enum34, ipaddress, cryptography, jwcrypto, custodia, qrcode, python-nss, ipaplatform, netaddr, lxml, pyldap, netifaces, decorator, gssapi, dnspython, ipapython, ipalib, ipaclient
Running setup.py install for python-nss ... done
Successfully installed cffi-1.8.3 configparser-3.5.0 cryptography-1.5.2 custodia-0.2 decorator-4.0.10 dnspython-1.15.0 enum34-1.1.6 gssapi-1.2.0 idna-2.1 ipaclient-4.4.90.201610271437GITd812266 ipaddress-1.0.17 ipalib-4.4.90.201610271437GITd812266 ipaplatform-4.4.90.201610271437GITd812266 ipapython-4.4.90.201610271437GITd812266 jwcrypto-0.3.1 lxml-3.6.4 netaddr-0.7.18 netifaces-0.10.5 pyasn1-0.1.9 pycparser-2.16 pyldap-2.4.25.1 python-nss-1.0.0 qrcode-5.3 requests-2.11.1 six-1.10.0
```

## open problems

- [ ] Custodia is not yet released on PyPI (to be released soon)
- [ ] dependencies are duplicated in setup.py and RPM spec
- [ ] ipaplatform hard-codes the distribution on build time
"""

From freeipa-github-notification at redhat.com Wed Nov 9 12:43:52 2016
From: freeipa-github-notification at redhat.com (flo-renaud)
Date: Wed, 09 Nov 2016 13:43:52 +0100
Subject: [Freeipa-devel] [freeipa PR#216][+ack] libexec scripts: ldap conn management
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/216
Title: #216: libexec scripts: ldap conn management

Label: +ack

From freeipa-github-notification at redhat.com Wed Nov 9 12:44:16 2016
From: freeipa-github-notification at redhat.com (flo-renaud)
Date: Wed, 09 Nov 2016 13:44:16 +0100
Subject: [Freeipa-devel] [freeipa PR#216][comment] libexec scripts: ldap conn management
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/216
Title: #216: libexec scripts: ldap conn management

flo-renaud commented:
"""
Thanks for the update. Works for me.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/216#issuecomment-259406309

From freeipa-github-notification at redhat.com Wed Nov 9 13:02:35 2016
From: freeipa-github-notification at redhat.com (pspacek) Date: Wed, 09 Nov 2016 14:02:35 +0100 Subject: [Freeipa-devel] [freeipa PR#220][opened] Build: fix make clean to remove build artifacts from top-level directory Message-ID: URL: https://github.com/freeipa/freeipa/pull/220 Author: pspacek Title: #220: Build: fix make clean to remove build artifacts from top-level directory Action: opened PR body: """ make lint and make dist were generating files which were not removed by make clean. https://fedorahosted.org/freeipa/ticket/6418 This fixed some of missing checkboxes in #213. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/220/head:pr220 git checkout pr220 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-220.patch Type: text/x-diff Size: 1338 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Nov 9 13:03:24 2016 From: freeipa-github-notification at redhat.com (pspacek) Date: Wed, 09 Nov 2016 14:03:24 +0100 Subject: [Freeipa-devel] [freeipa PR#213][comment] Build system refactoring phase 3 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/213 Title: #213: Build system refactoring phase 3 pspacek commented: """ @tiran > autoconf and automake files are not removed (Makefile.in, /config.sub ...) According to [Automake manual section 13 What Gets Cleaned](https://www.gnu.org/software/automake/manual/html_node/Clean.html) we must not remove files necessary for `./configure`. As far as I can tell from testing, make distclean + PR #220 leaves behind only files generated by `autoreconf` so we should not remove any of them. It would prevent users from running `configure` again. """ See the full comment at https://github.com/freeipa/freeipa/pull/213#issuecomment-259409721 From freeipa-github-notification at redhat.com Wed Nov 9 13:04:01 2016 
From: freeipa-github-notification at redhat.com (pspacek) Date: Wed, 09 Nov 2016 14:04:01 +0100 Subject: [Freeipa-devel] [freeipa PR#213][comment] Build system refactoring phase 3 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/213 Title: #213: Build system refactoring phase 3 tiran commented: """ memo for me: - [ ] /freeipa*.tar.gz is not removed - [ ] ```MOSTLYCLEANFILES``` only cleans ipasetup.py[co] but keeps __pycache__ and other pyc/pyo. add ```clean-local: rm -rf *.pyc *.pyc __pycache__``` - [x] ```Makefile.python.am``` clean-local has ```-delete``` and ```-exec```. AFAIK only one action is supported. - [ ] neither clean nor distclean removes ```/dist``` and ```/rpmbuild``` - [ ] autoconf and automake files are not removed (Makefile.in, /config.sub ...) - [x] add ```ipasetup.py``` to ```dist_noinst_SCRIPTS``` ? """ See the full comment at https://github.com/freeipa/freeipa/pull/213#issuecomment-259371190 From freeipa-github-notification at redhat.com Wed Nov 9 13:04:23 2016 From: freeipa-github-notification at redhat.com (pspacek) Date: Wed, 09 Nov 2016 14:04:23 +0100 Subject: [Freeipa-devel] [freeipa PR#213][comment] Build system refactoring phase 3 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/213 Title: #213: Build system refactoring phase 3 pspacek commented: """ @tiran > autoconf and automake files are not removed (Makefile.in, /config.sub ...) According to [Automake manual section 13 What Gets Cleaned](https://www.gnu.org/software/automake/manual/html_node/Clean.html) we must not remove files necessary for `./configure`. As far as I can tell from testing, make distclean + PR #220 leaves behind only files generated by `autoreconf` so we should not remove any of them. It would prevent users from running `configure` again. """ See the full comment at https://github.com/freeipa/freeipa/pull/213#issuecomment-259409721 From freeipa-github-notification at redhat.com Wed Nov 9 13:31:25 2016 
From: freeipa-github-notification at redhat.com (tiran)
Date: Wed, 09 Nov 2016 14:31:25 +0100
Subject: [Freeipa-devel] [freeipa PR#195][edited] [WIP] Make ipaclient pip install-able
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/195
Author: tiran
Title: #195: [WIP] Make ipaclient pip install-able
Action: edited

Changed field: body
Original value:
"""
## proof of concept

This makes ipaclient and dependencies pip install-able by adding install requirements to all `setup.py`. A new make target `bdist_wheel` creates wheel distributions.

## example

```
$ make bdist_wheel
$ cp ../custodia/dist/custodia-0.2-py2.py3-none-any.whl dist/
$ virtualenv /tmp/ipaenv
New python executable in /tmp/ipaenv/bin/python2
Also creating executable in /tmp/ipaenv/bin/python
Installing setuptools, pip, wheel...done.
$ /tmp/ipaenv/bin/pip install dist/*.whl
Processing ./dist/custodia-0.2-py2.py3-none-any.whl
Processing ./dist/ipaclient-4.4.90.201610271437GITd812266-py2.py3-none-any.whl
Processing ./dist/ipalib-4.4.90.201610271437GITd812266-py2.py3-none-any.whl
Processing ./dist/ipaplatform-4.4.90.201610271437GITd812266-py2.py3-none-any.whl
Processing ./dist/ipapython-4.4.90.201610271437GITd812266-py2.py3-none-any.whl
...
Installing collected packages: configparser, requests, six, idna, pycparser, cffi, pyasn1, enum34, ipaddress, cryptography, jwcrypto, custodia, qrcode, python-nss, ipaplatform, netaddr, lxml, pyldap, netifaces, decorator, gssapi, dnspython, ipapython, ipalib, ipaclient
Running setup.py install for python-nss ... done
Successfully installed cffi-1.8.3 configparser-3.5.0 cryptography-1.5.2 custodia-0.2 decorator-4.0.10 dnspython-1.15.0 enum34-1.1.6 gssapi-1.2.0 idna-2.1 ipaclient-4.4.90.201610271437GITd812266 ipaddress-1.0.17 ipalib-4.4.90.201610271437GITd812266 ipaplatform-4.4.90.201610271437GITd812266 ipapython-4.4.90.201610271437GITd812266 jwcrypto-0.3.1 lxml-3.6.4 netaddr-0.7.18 netifaces-0.10.5 pyasn1-0.1.9 pycparser-2.16 pyldap-2.4.25.1 python-nss-1.0.0 qrcode-5.3 requests-2.11.1 six-1.10.0
```

## open problems

- [x] Custodia is not yet released on PyPI (to be released soon)
- [ ] dependencies are duplicated in setup.py and RPM spec
- [ ] ipaplatform hard-codes the distribution on build time
"""

From freeipa-github-notification at redhat.com Wed Nov 9 13:38:21 2016
From: freeipa-github-notification at redhat.com (frasertweedale)
Date: Wed, 09 Nov 2016 14:38:21 +0100
Subject: [Freeipa-devel] [freeipa PR#217][synchronized] change certificate processing code to use python-cryptography
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/217
Author: frasertweedale
Title: #217: change certificate processing code to use python-cryptography
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/217/head:pr217
git checkout pr217
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-217.patch
Type: text/x-diff
Size: 100361 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Wed Nov 9 14:07:11 2016
From: freeipa-github-notification at redhat.com (frasertweedale) Date: Wed, 09 Nov 2016 15:07:11 +0100 Subject: [Freeipa-devel] [freeipa PR#217][comment] change certificate processing code to use python-cryptography In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/217 Title: #217: change certificate processing code to use python-cryptography frasertweedale commented: """ The travis-ci failure is due to two minor pep8 violations, which I intend :) """ See the full comment at https://github.com/freeipa/freeipa/pull/217#issuecomment-259422303 From freeipa-github-notification at redhat.com Wed Nov 9 14:33:11 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 09 Nov 2016 15:33:11 +0100 Subject: [Freeipa-devel] [freeipa PR#216][closed] libexec scripts: ldap conn management In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/216 Author: tomaskrizek Title: #216: libexec scripts: ldap conn management Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/216/head:pr216 git checkout pr216 From freeipa-github-notification at redhat.com Wed Nov 9 14:33:12 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 09 Nov 2016 15:33:12 +0100 Subject: [Freeipa-devel] [freeipa PR#216][+pushed] libexec scripts: ldap conn management In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/216 Title: #216: libexec scripts: ldap conn management Label: +pushed From freeipa-github-notification at redhat.com Wed Nov 9 14:33:13 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 09 Nov 2016 15:33:13 +0100 Subject: [Freeipa-devel] [freeipa PR#216][comment] libexec scripts: ldap conn management In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/216 Title: #216: libexec scripts: ldap conn management mbasti-rh commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/33f7b8dc32bc95e0db067ac4df49807ee2b5120e """ See the full comment at https://github.com/freeipa/freeipa/pull/216#issuecomment-259428015 From freeipa-github-notification at redhat.com Wed Nov 9 15:19:08 2016 From: freeipa-github-notification at redhat.com (pspacek) Date: Wed, 09 Nov 2016 16:19:08 +0100 Subject: [Freeipa-devel] [freeipa PR#218][comment] test_ipagetkeytab: use system-wide IPA CA cert location in tests In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/218 Title: #218: test_ipagetkeytab: use system-wide IPA CA cert location in tests pspacek commented: """ Jenkins tests now pass. """ See the full comment at https://github.com/freeipa/freeipa/pull/218#issuecomment-259439106 From freeipa-github-notification at redhat.com Wed Nov 9 15:19:12 2016 From: freeipa-github-notification at redhat.com (pspacek) Date: Wed, 09 Nov 2016 16:19:12 +0100 Subject: [Freeipa-devel] [freeipa PR#218][+ack] test_ipagetkeytab: use system-wide IPA CA cert location in tests In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/218 Title: #218: test_ipagetkeytab: use system-wide IPA CA cert location in tests Label: +ack From freeipa-github-notification at redhat.com Wed Nov 9 15:26:02 2016 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 09 Nov 2016 16:26:02 +0100 Subject: [Freeipa-devel] [freeipa PR#221][opened] gitignore: ignore tar ball Message-ID: URL: https://github.com/freeipa/freeipa/pull/221 Author: tomaskrizek Title: #221: gitignore: ignore tar ball Action: opened PR body: """ Add tar ball generated by build to gitignore. https://fedorahosted.org/freeipa/ticket/6418 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/221/head:pr221 git checkout pr221 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-221.patch Type: text/x-diff Size: 546 bytes Desc: not available URL: From mkubik at redhat.com Wed Nov 9 15:34:23 2016 
From: mkubik at redhat.com (Milan Kubík)
Date: Wed, 9 Nov 2016 16:34:23 +0100
Subject: [Freeipa-devel] [Test][Patch-0047] Added a test for Ticket N 5964
In-Reply-To:
References: <5762BBDD.4010502@redhat.com> <5763AA17.60207@redhat.com> <5763C073.5020503@redhat.com> <577113B2.1080904@redhat.com>
 <8ada929c-ebff-b8ce-6f1f-ae65fb8b1ba2@redhat.com> <577FAD77.7080504@redhat.com> <9149be7c-ee3d-42e5-16fb-fd0c0f351bb8@redhat.com>
 <57A1E76F.9@redhat.com> <478f33da-10d4-0994-e588-b28ca002b3b4@redhat.com> <36a2eba5-a03d-131e-0042-46f0d4f0299a@redhat.com>
 <80d2ccd8-8e1b-52a7-df76-087c72f21a12@redhat.com> <8caa3b3a-54a6-e168-6304-09ce8fb60a7f@redhat.com>
 <5b666684-ada4-8721-0671-a6a0424e115b@redhat.com> <847c5b3d-f43b-7381-a8a2-2fcacc343afc@redhat.com>
Message-ID: <72c34ab8-5076-0d70-73dd-f6143ac62569@redhat.com>

On 11/03/2016 04:56 PM, Oleg Fayans wrote:
> Hi Martin,
>
> The commit message was updated with the correct ticket link
> Thanks for review!
>
> On 11/03/2016 04:22 PM, Martin Basti wrote:
>> almost ACK, but the ticket in commit message is closed as invalid. So
>> I'm quite puzzled now what to do.
>>
>>
>> On 03.11.2016 13:28, Oleg Fayans wrote:
>>> ping for review
>>>
>>> On 10/19/2016 04:54 PM, Oleg Fayans wrote:
>>>> Hi Martin,
>>>>
>>>> Thanks for the review. Fixed both issues.
>>>>
>>>> $ ipa-run-tests test_integration/test_topology.py -k
>>>> TestCASpecificRUVs
>>>> WARNING: Couldn't write lextab module 'pycparser.lextab'. [Errno 13]
>>>> Permission denied: 'lextab.py'
>>>> WARNING: yacc table file version is out of date
>>>> WARNING: Couldn't create 'pycparser.yacctab'. [Errno 13] Permission
>>>> denied: 'yacctab.py'
>>>> ====================================================================================
>>>>
>>>> test session starts
>>>> =====================================================================================
>>>>
>>>> platform linux2 -- Python 2.7.11, pytest-2.9.2, py-1.4.31,
>>>> pluggy-0.3.1
>>>> rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile:
>>>> pytest.ini
>>>> plugins: sourceorder-0.5, multihost-1.0
>>>> collected 5 items
>>>>
>>>> test_integration/test_topology.py ..
>>>>
>>>> ================================================================================
>>>>
>>>> 2 passed in 2444.84 seconds
>>>> =================================================================================
>>>>
>>>> On 10/17/2016 07:05 PM, Martin Basti wrote:
>>>>> 1)
>>>>>
>>>>> you don't need to disable/enable dirsrv, just stop/start. Please
>>>>> remove
>>>>> disable/enable parts
>>>>>
>>>>>
>>>>> 2)
>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>> traceback
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>
>>>>> self =
>>>> object at 0x7f6a502eec90>
>>>>>
>>>>> def test_delete_ruvs(self):
>>>>> """
>>>>> http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/
>>>>> Test_Plan#Test_case:_clean-ruv_subcommand
>>>>> """
>>>>> replica = self.replicas[0]
>>>>> master = self.master
>>>>> res1 = master.run_command(['ipa-replica-manage', 'list-ruv',
>>>>> '-p',
>>>>> master.config.dirman_password])
>>>>>> assert(res1.stdout_text.count(replica.hostname) == 2 and
>>>>> "Certificate Server Replica Update Vectors" in
>>>>> res1), (
>>>>> "CA-specific RUVs are not displayed")
>>>>> E TypeError: argument of type 'SSHCommand' is not iterable
>>>>>
>>>>> test_integration/test_topology.py:215: TypeError
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>> entering PDB
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>
>>>>>>
>>>>> /usr/lib/python2.7/site-packages/ipatests/test_integration/test_topology.py(215)test_delete_ruvs()
>>>>>
>>>>> -> assert(res1.stdout_text.count(replica.hostname) == 2 and
>>>>>
>>>>> On 14.10.2016 11:36, Oleg Fayans wrote:
>>>>>> Right you are! I am sorry.
>>>>>>
>>>>>> On 10/13/2016 06:10 PM, Martin Basti wrote:
>>>>>>> I think that you forgot to squash commits. Patch 47 doesn't apply
>>>>>>>
>>>>>>>
>>>>>>> On 13.10.2016 14:01, Oleg Fayans wrote:
>>>>>>>> Hi Martin,
>>>>>>>>
>>>>>>>> Thanks for the review.
>>>>>>>> With disabling directory server it works as well, thanks for the
>>>>>>>> hint.
>>>>>>>> Also I moved the cleanup logic to the test itself for the sake of
>>>>>>>> simplicity. Patch-0048 was not changed
>>>>>>>>
>>>>>>>> On 10/12/2016 02:35 PM, Martin Basti wrote:
>>>>>>>>> 1)
>>>>>>>>>
>>>>>>>>> Can you just turn off dirsrv on replica instead of doing iptables
>>>>>>>>> magic?
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> 2) NACK
>>>>>>>>>
>>>>>>>>> No more eval() ever in code, use 'getattr', 'get' or whatever in
>>>>>>>>> the
>>>>>>>>> object that can be used.
>>>>>>>>>
>>>>>>>>> + evalhost = eval("args[0].%s" % host)
>>>>>>>>>
>>>>>>>>> Martin^2
>>>>>>>>>
>>>>>>>>> On 12.10.2016 14:03, Oleg Fayans wrote:
>>>>>>>>>> Hi Martin,
>>>>>>>>>>
>>>>>>>>>> After extensive discussion with Ludwig, I finally got the
>>>>>>>>>> clue on
>>>>>>>>>> how
>>>>>>>>>> does this feature work. When we uninstall the replica, the
>>>>>>>>>> master
>>>>>>>>>> cleans the replication agreements with this replica and
>>>>>>>>>> automatically
>>>>>>>>>> cleans all replica's RUVs.
>>>>>>>>>> If we clean replica's RUVs on master without uninstalling the >>>>>>>>>> replica, >>>>>>>>>> the replica's RUVs get recreated on master (replication >>>>>>>>>> works!). So, >>>>>>>>>> the only way to test the clean-ruv subcommand is to turn off the >>>>>>>>>> replica, or block the traffic on it so it gets inaccessible to >>>>>>>>>> updates >>>>>>>>>> from master. >>>>>>>>>> The testcases were updated, see [1] and [2] >>>>>>>>>> >>>>>>>>>> The updated versions of the patches are attached >>>>>>>>>> >>>>>>>>>> [1] >>>>>>>>>> http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan#Test_case:_.2A-ruv_subcommands_of_ipa-replica-manage_are_extended_to_handle_CA-specific_RUVs >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> [2] >>>>>>>>>> http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan#Test_case:_clean-ruv_subcommand >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> On 08/05/2016 06:36 PM, Martin Basti wrote: >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> On 03.08.2016 14:45, Oleg Fayans wrote: >>>>>>>>>>>> Hi Martin, >>>>>>>>>>>> >>>>>>>>>>>> Thanks for the review! Both patches were updated. >>>>>>>>>>>> >>>>>>>>>>>> On 07/28/2016 04:11 PM, Martin Basti wrote: >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> On 08.07.2016 15:41, Oleg Fayans wrote: >>>>>>>>>>>>>> Hi Martin, >>>>>>>>>>>>>> >>>>>>>>>>>>>> Thanks for the review! >>>>>>>>>>>>>> >>>>>>>>>>>>>> On 07/08/2016 02:18 PM, Martin Basti wrote: >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> On 27.06.2016 13:53, Oleg Fayans wrote: >>>>>>>>>>>>>>>> Hi guys, >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Is there a chance the patches NN 0047.1 and 0048.1 get >>>>>>>>>>>>>>>> reviewed >>>>>>>>>>>>>>>> before >>>>>>>>>>>>>>>> 4.4 release? They cover a good part of the Managed >>>>>>>>>>>>>>>> Topology >>>>>>>>>>>>>>>> 4.4 >>>>>>>>>>>>>>>> feature. 
>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> On 06/17/2016 11:18 AM, Oleg Fayans wrote: >>>>>>>>>>>>>>>>> One more test was added to the patch-0048 >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> On 06/17/2016 09:43 AM, Oleg Fayans wrote: >>>>>>>>>>>>>>>>>> Fixed a bug in the previous patch, automated 2 more >>>>>>>>>>>>>>>>>> testcases >>>>>>>>>>>>>>>>>> from >>>>>>>>>>>>>>>>>> http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> On 06/16/2016 04:46 PM, Oleg Fayans wrote: >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>> IIUC, this will turn off the machine completely, how is >>>>>>>>>>>>>>> cleanup >>>>>>>>>>>>>>> done >>>>>>>>>>>>>>> then. AFAIK our tests cannot turn on machine again and run >>>>>>>>>>>>>>> cleanup, so >>>>>>>>>>>>>>> you will not be able to run more tests on the same topology >>>>>>>>>>>>>>> without >>>>>>>>>>>>>>> manual cleanup and manual start. >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> + replica = self.replicas[0] >>>>>>>>>>>>>>> + replica.run_command(['poweroff']) >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> IMO would be better to just call 'ipactl stop' instead of >>>>>>>>>>>>>>> 'poweroff' >>>>>>>>>>>>>> >>>>>>>>>>>>>> Agreed! Fixed. >>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Martin^2 >>>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>> *Automated ipa-replica-manage del tests* >>>>>>>>>>>>> >>>>>>>>>>>>> 1) >>>>>>>>>>>>> + replica.run_command(['ipactl', 'stop']) >>>>>>>>>>>>> + time.sleep(3) >>>>>>>>>>>>> >>>>>>>>>>>>> Why do you need sleep here? 
>>>>>>>>>>>> >>>>>>>>>>>> Removed, it was left from the old "poweroff" approach >>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> 2) >>>>>>>>>>>>> + ruvid_re = re.compile(".*%s:389: (\d+).*" % >>>>>>>>>>>>> replica.hostname) >>>>>>>>>>>>> + replica_ruvs = ruvid_re.findall(result.stdout_text) >>>>>>>>>>>>> + master.run_command(['ipa-replica-manage', 'clean-ruv', >>>>>>>>>>>>> 'f', >>>>>>>>>>>>> + '-p', >>>>>>>>>>>>> master.config.dirman_password, >>>>>>>>>>>>> + replica_ruvs[0]]) >>>>>>>>>>>>> >>>>>>>>>>>>> Because you are using re.findall(), without any match you >>>>>>>>>>>>> will >>>>>>>>>>>>> receive >>>>>>>>>>>>> IndexError here replica_ruvs[0]. IMO it deserves assert >>>>>>>>>>>>> before >>>>>>>>>>>> >>>>>>>>>>>> Implemented the assert which checks that the output contains >>>>>>>>>>>> enough >>>>>>>>>>>> replica RUVs >>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> 3) >>>>>>>>>>>>> assert(replica.hostname in result1.stdout_text) >>>>>>>>>>>>> >>>>>>>>>>>>> I think that this is error prone. What if there is just error >>>>>>>>>>>>> 'could not >>>>>>>>>>>>> connect to replica ', or something similar. >>>>>>>>>>>>> instead of >>>>>>>>>>>>> listing/cleaning/whatever operation was executed. I think >>>>>>>>>>>>> that it >>>>>>>>>>>>> should >>>>>>>>>>>>> be more specific regexp than just finding a replica name >>>>>>>>>>>>> substring >>>>>>>>>>>>> (Yes >>>>>>>>>>>>> In IPA we dont always print error so stderr) >>>>>>>>>>>>> >>>>>>>>>>>>> I'm not sure, but probably there might be cases when non >>>>>>>>>>>>> critical >>>>>>>>>>>>> error >>>>>>>>>>>>> happen and exist status is still 0 >>>>>>>>>>>> >>>>>>>>>>>> Agree. Implemented a regex-based search >>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> 4) >>>>>>>>>>>>> >>>>>>>>>>>>> + replica.run_command(['poweroff']) >>>>>>>>>>>>> + time.sleep(3) >>>>>>>>>>>>> >>>>>>>>>>>>> There should not be poweroff, probably sleep could be removed >>>>>>>>>>>>> too. 
>>>>>>>>>>>> >>>>>>>>>>>> Gone >>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> * Automated clean-ruv subcommand test* >>>>>>>>>>>>> >>>>>>>>>>>>> 1) PEP8, 2 new lines expected >>>>>>>>>>>>> ./ipatests/test_integration/test_topology.py:163:1: E302 >>>>>>>>>>>>> expected 2 >>>>>>>>>>>>> blank lines, found 0 >>>>>>>>>>>>> ./ipatests/test_integration/test_topology.py:182:80: E501 >>>>>>>>>>>>> line >>>>>>>>>>>>> too >>>>>>>>>>>>> long >>>>>>>>>>>>> (85 > 79 characters) >>>>>>>>>>>> >>>>>>>>>>>> Fixed >>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> 2) >>>>>>>>>>>>> I dont like doing assert just with count of occurences of >>>>>>>>>>>>> substring in >>>>>>>>>>>>> STDOUT, would be possible to improve this somehow? >>>>>>>>>>>> >>>>>>>>>>>> Maybe, but frankly, I don't see how. In this case we are >>>>>>>>>>>> making >>>>>>>>>>>> sure >>>>>>>>>>>> that both simple and CA-specific RUVs of a replica are >>>>>>>>>>>> displayed. The >>>>>>>>>>>> format of the output is strict: >>>>>>>>>>>> Replica Update Vectors: >>>>>>>>>>>> replica1_hostname:389: RUV_id >>>>>>>>>>>> replica2_hostname:389: RUV_id >>>>>>>>>>>> Certificate Server Replica Update Vectors: >>>>>>>>>>>> replica1_hostname:389: RUV_id >>>>>>>>>>>> replica2_hostname:389: RUV_id >>>>>>>>>>>> If we do not see 2 occurrences of the replica hostname than >>>>>>>>>>>> definitely >>>>>>>>>>>> something went wrong >>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> 3) >>>>>>>>>>>>> I'm not sure if clean-ruv is instant operations or there is >>>>>>>>>>>>> some >>>>>>>>>>>>> magic >>>>>>>>>>>>> happening in background (we have abort-clean-ruv). Maybe some >>>>>>>>>>>>> sleep >>>>>>>>>>>>> should be there, but this needs investigation. 
>>>>>>>>>>>>> >>>>>>>>>>>>> + assert(replica.hostname in result2.stdout_text), ( >>>>>>>>>>>>> + "The wrong RUV was deleted") >>>>>>>>>>>>> + result3 = master.run_command(['ipa-replica-manage', >>>>>>>>>>>>> 'list-ruv', >>>>>>>>>>>>> + '-p', >>>>>>>>>>>>> master.config.dirman_password]) >>>>>>>>>>>>> + assert(result3.stdout_text.count(replica.hostname) == 1), ( >>>>>>>>>>>>> + "CA RUV of the replica is still displayed") >>>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> Based on my discussion with Stanislav Laznicka, I understood >>>>>>>>>>>> that by >>>>>>>>>>>> default clean-ruv does not return the shell until the >>>>>>>>>>>> operation is >>>>>>>>>>>> finished. You can force dropping into the shell by pressing >>>>>>>>>>>> CTRL+C, in >>>>>>>>>>>> which case the background job will still be running, but >>>>>>>>>>>> this is >>>>>>>>>>>> not >>>>>>>>>>>> the default behavior >>>>>>>>>>>> >>>>>>>>>>> Test failed: >>>>>>>>>>> result4 = master.run_command(['ipa-replica-manage', >>>>>>>>>>> 'list-ruv', >>>>>>>>>>> '-p', >>>>>>>>>>> master.config.dirman_password]) >>>>>>>>>>>> assert(replica.hostname not in result4.stdout_text), ( >>>>>>>>>>> "replica's RUV is still displayed") >>>>>>>>>>> E AssertionError: replica's RUV is still displayed >>>>>>>>>>> E assert 'replica3.ipa.test' not in 'Replica Update >>>>>>>>>>> V...ipa.test:389: 8\n' >>>>>>>>>>> E 'replica3.ipa.test' is contained here: >>>>>>>>>>> E Replica Update Vectors: >>>>>>>>>>> E \tmaster.ipa.test:389: 4 >>>>>>>>>>> E \treplica3.ipa.test:389: 3 >>>>>>>>>>> E \treplica2.ipa.test:389: 7 >>>>>>>>>>> E Certificate Server Replica Update Vectors: >>>>>>>>>>> E \tmaster.ipa.test:389: 6 >>>>>>>>>>> E \treplica2.ipa.test:389: 8 >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> [root at master ~]# ipa topologysegment-find >>>>>>>>>>> Suffix name: domain >>>>>>>>>>> ------------------ >>>>>>>>>>> 2 segments matched >>>>>>>>>>> ------------------ >>>>>>>>>>> Segment name: master.ipa.test-to-replica2.ipa.test >>>>>>>>>>> Left node: 
master.ipa.test >>>>>>>>>>> Right node: replica2.ipa.test >>>>>>>>>>> Connectivity: both >>>>>>>>>>> >>>>>>>>>>> Segment name: master.ipa.test-to-replica3.ipa.test >>>>>>>>>>> Left node: master.ipa.test >>>>>>>>>>> Right node: replica3.ipa.test >>>>>>>>>>> Connectivity: both >>>>>>>>>>> ---------------------------- >>>>>>>>>>> Number of entries returned 2 >>>>>>>>>>> ---------------------------- >>>>>>>>>>> [root at master ~]# ipa-replica-manage list-ruv >>>>>>>>>>> Directory Manager password: >>>>>>>>>>> >>>>>>>>>>> Replica Update Vectors: >>>>>>>>>>> master.ipa.test:389: 4 >>>>>>>>>>> replica2.ipa.test:389: 7 >>>>>>>>>>> replica3.ipa.test:389: 3 >>>>>>>>>>> Certificate Server Replica Update Vectors: >>>>>>>>>>> master.ipa.test:389: 6 >>>>>>>>>>> replica2.ipa.test:389: 8 >>>>>>>>>>> [root at master ~]# >>>>>>>>>>> >>>>>>>>>>> Then I tried manually to clean RUV 3, and it behaves somehow >>>>>>>>>>> odd >>>>>>>>>>> >>>>>>>>>>> [root at master ~]# 'ipa-replica-manage' 'clean-ruv' '3' '-p' >>>>>>>>>>> 'Secret123' '-f' >>>>>>>>>>> Clean the Replication Update Vector for replica3.ipa.test:389 >>>>>>>>>>> Background task created to clean replication data. This may >>>>>>>>>>> take a >>>>>>>>>>> while. 
>>>>>>>>>>> This may be safely interrupted with Ctrl+C >>>>>>>>>>> Cleanup task created >>>>>>>>>>> [root at master ~]# less /var/log/dirsrv/slapd-IPA-TEST/errors >>>>>>>>>>> [root at master ~]# ipa-replica-manage list-ruv >>>>>>>>>>> Directory Manager password: >>>>>>>>>>> >>>>>>>>>>> Replica Update Vectors: >>>>>>>>>>> master.ipa.test:389: 4 >>>>>>>>>>> replica2.ipa.test:389: 7 >>>>>>>>>>> replica3.ipa.test:389: 3 >>>>>>>>>>> Certificate Server Replica Update Vectors: >>>>>>>>>>> master.ipa.test:389: 6 >>>>>>>>>>> replica2.ipa.test:389: 8 >>>>>>>>>>> [root at master ~]# 'ipa-replica-manage' 'clean-ruv' '3' '-p' >>>>>>>>>>> 'Secret123' '-f' >>>>>>>>>>> Clean the Replication Update Vector for replica3.ipa.test:389 >>>>>>>>>>> CLEANALLRUV task for replica id 3 already exists. >>>>>>>>>>> This may be safely interrupted with Ctrl+C >>>>>>>>>>> Cleanup task created >>>>>>>>>>> >>>>>>>>>>> [root at master ~]# ipa-replica-manage list-clean-ruv -p Secret123 >>>>>>>>>>> No CLEANALLRUV tasks running >>>>>>>>>>> >>>>>>>>>>> No abort CLEANALLRUV tasks running >>>>>>>>>>> [root at master ~]# 'ipa-replica-manage' 'clean-ruv' '3' '-p' >>>>>>>>>>> 'Secret123' '-f' >>>>>>>>>>> Clean the Replication Update Vector for replica3.ipa.test:389 >>>>>>>>>>> Background task created to clean replication data. This may >>>>>>>>>>> take a >>>>>>>>>>> while. >>>>>>>>>>> This may be safely interrupted with Ctrl+C >>>>>>>>>>> Cleanup task created >>>>>>>>>>> [root at master ~]# ipa-replica-manage list-clean-ruv -p Secret123 >>>>>>>>>>> CLEANALLRUV tasks >>>>>>>>>>> RID 3: Successfully cleaned rid(3). 
>>>>>>>>>>> >>>>>>>>>>> No abort CLEANALLRUV tasks running >>>>>>>>>>> [root at master ~]# ipa-replica-manage list-ruv -p Secret123 >>>>>>>>>>> Replica Update Vectors: >>>>>>>>>>> master.ipa.test:389: 4 >>>>>>>>>>> replica2.ipa.test:389: 7 >>>>>>>>>>> Certificate Server Replica Update Vectors: >>>>>>>>>>> master.ipa.test:389: 6 >>>>>>>>>>> replica2.ipa.test:389: 8 >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> I'm not sure if this behavior is right, Ludwig may know. >>>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>>> >>>>>> >>>>> >>>> >>>> >>>> >>> >> > > > ACK -- Milan Kubik -------------- next part -------------- An HTML attachment was scrubbed... URL: From freeipa-github-notification at redhat.com Wed Nov 9 15:34:56 2016 
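Review bot: in the quoted hunk under "Automated ipa-replica-manage del tests", item 2, `replica.hostname` is formatted into the `ruvid_re` pattern without `re.escape()`, so each dot in the hostname matches any character. The pattern is also a plain string rather than a raw one, so `\d` only works because Python passes unknown escapes through. Suggest `re.compile(r"%s:389: (\d+)" % re.escape(replica.hostname))`. The same hunk passes `'f'` to `clean-ruv`, while the manual run later in the thread passes `'-f'`; as written it would be treated as a positional argument alongside `replica_ruvs[0]`.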
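The check the review exchange above argues about (counting hostname occurrences in `list-ruv` output versus matching something more specific), written as a section-aware parser. This is an added example, not code from the thread or from FreeIPA's test suite: the function names are hypothetical, the first sample is the `list-ruv` output quoted in the thread, and the error text is constructed.

```python
import re

# Section headers exactly as they appear in the list-ruv output quoted in the thread.
SECTIONS = {
    "Replica Update Vectors:": "domain",
    "Certificate Server Replica Update Vectors:": "ca",
}

# One RUV entry and nothing else on the line: "<hostname>:<port>: <replica id>".
ENTRY_RE = re.compile(r"^(?P<host>[A-Za-z0-9.-]+):(?P<port>\d+):\s+(?P<rid>\d+)$")

# list-ruv output as quoted in the thread (prompt line included).
SAMPLE_LIST_RUV = (
    "Directory Manager password:\n"
    "\n"
    "Replica Update Vectors:\n"
    "\tmaster.ipa.test:389: 4\n"
    "\treplica2.ipa.test:389: 7\n"
    "\treplica3.ipa.test:389: 3\n"
    "Certificate Server Replica Update Vectors:\n"
    "\tmaster.ipa.test:389: 6\n"
    "\treplica2.ipa.test:389: 8\n"
)

# Constructed error text: names the replica twice but lists no RUV at all.
SAMPLE_ERROR = (
    "Could not connect to replica2.ipa.test\n"
    "replica2.ipa.test: unreachable\n"
)


def parse_list_ruv(stdout_text):
    """Return {"domain": [(host, port, rid), ...], "ca": [...]}.

    Only well-formed entry lines under a known section header are kept, so a
    hostname that appears in a prompt or an error message yields no entry.
    """
    ruvs = {"domain": [], "ca": []}
    section = None
    for raw in stdout_text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            section = SECTIONS[line]
            continue
        match = ENTRY_RE.match(line)
        if match and section is not None:
            ruvs[section].append(
                (match.group("host"), int(match.group("port")), int(match.group("rid")))
            )
    return ruvs


def rids_for(ruvs, hostname):
    """Replica ids per section for an exact hostname match (no substring match)."""
    return {
        section: [rid for host, _port, rid in entries if host == hostname]
        for section, entries in ruvs.items()
    }


def pick_rid_to_clean(stdout_text, hostname, section="domain"):
    """Return the single replica id to hand to clean-ruv.

    Raises ValueError with the parsed state instead of an IndexError when the
    output holds zero or several entries for the host in that section.
    """
    rids = rids_for(parse_list_ruv(stdout_text), hostname)[section]
    if len(rids) != 1:
        raise ValueError(
            "expected exactly one %s RUV for %s, found %r" % (section, hostname, rids)
        )
    return rids[0]


if __name__ == "__main__":
    parsed = parse_list_ruv(SAMPLE_LIST_RUV)
    print(rids_for(parsed, "replica2.ipa.test"))
    print(rids_for(parsed, "replica3.ipa.test"))
    # The substring count is satisfied by the error text; the parser is not.
    print(SAMPLE_ERROR.count("replica2.ipa.test"),
          rids_for(parse_list_ruv(SAMPLE_ERROR), "replica2.ipa.test"))
```
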
From: freeipa-github-notification at redhat.com (flo-renaud) Date: Wed, 09 Nov 2016 16:34:56 +0100 Subject: [Freeipa-devel] [freeipa PR#222][opened] Fix ipa-replica-install when upgrade from ca-less to ca-full Message-ID: URL: https://github.com/freeipa/freeipa/pull/222 Author: flo-renaud Title: #222: Fix ipa-replica-install when upgrade from ca-less to ca-full Action: opened PR body: """ When ipa-replica-prepare is run on a master upgraded from CA-less to CA-full, it creates the replica file with a copy of the local /etc/ipa/ca.crt. This causes issues if this file hasn't been updated with ipa-certupdate, as it contains the external CA that signed http/ldap certs, but not the newly installed IPA CA. As a consequence, ipa-replica-install fails with "Could not find a CA cert". The fix consists in retrieving the CA certificates from LDAP instead of the local /etc/ipa/ca.crt. https://fedorahosted.org/freeipa/ticket/6375 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/222/head:pr222 git checkout pr222 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-222.patch Type: text/x-diff Size: 2647 bytes Desc: not available URL: From mkubik at redhat.com Wed Nov 9 15:37:27 2016 
From: mkubik at redhat.com (=?UTF-8?Q?Milan_Kub=c3=adk?=) Date: Wed, 9 Nov 2016 16:37:27 +0100 Subject: [Freeipa-devel] [Test][Patch-0047] Added a test for Ticket N 5964 In-Reply-To: <72c34ab8-5076-0d70-73dd-f6143ac62569@redhat.com> References: <5762BBDD.4010502@redhat.com> <5763AA17.60207@redhat.com> <5763C073.5020503@redhat.com> <577113B2.1080904@redhat.com> <8ada929c-ebff-b8ce-6f1f-ae65fb8b1ba2@redhat.com> <577FAD77.7080504@redhat.com> <9149be7c-ee3d-42e5-16fb-fd0c0f351bb8@redhat.com> <57A1E76F.9@redhat.com> <478f33da-10d4-0994-e588-b28ca002b3b4@redhat.com> <36a2eba5-a03d-131e-0042-46f0d4f0299a@redhat.com> <80d2ccd8-8e1b-52a7-df76-087c72f21a12@redhat.com> <8caa3b3a-54a6-e168-6304-09ce8fb60a7f@redhat.com> <5b666684-ada4-8721-0671-a6a0424e115b@redhat.com> <847c5b3d-f43b-7381-a8a2-2fcacc343afc@redhat.com> <72c34ab8-5076-0d70-73dd-f6143ac62569@redhat.com> Message-ID: <6cb87374-7c34-47f7-8ba1-0b8f241b9af0@redhat.com> On 11/09/2016 04:34 PM, Milan Kubík wrote: > On 11/03/2016 04:56 PM, Oleg Fayans wrote: >> Hi Martin, >> >> The commit message was updated with the correct ticket link >> Thanks for review! >> >> On 11/03/2016 04:22 PM, Martin Basti wrote: >>> almost ACK, but the ticket in commit message is closed as invalid. So >>> I'm quite puzzled now what to do. >>> >>> >>> On 03.11.2016 13:28, Oleg Fayans wrote: >>>> ping for review >>>> >>>> On 10/19/2016 04:54 PM, Oleg Fayans wrote: >>>>> Hi Martin, >>>>> >>>>> Thanks for the review. Fixed both issues. >>>>> >>>>> $ ipa-run-tests test_integration/test_topology.py -k >>>>> TestCASpecificRUVs >>>>> WARNING: Couldn't write lextab module 'pycparser.lextab'. [Errno 13] >>>>> Permission denied: 'lextab.py' >>>>> WARNING: yacc table file version is out of date >>>>> WARNING: Couldn't create 'pycparser.yacctab'. 
[Errno 13] Permission >>>>> denied: 'yacctab.py' >>>>> ==================================================================================== >>>>> >>>>> >>>>> test session starts >>>>> ===================================================================================== >>>>> >>>>> >>>>> >>>>> platform linux2 -- Python 2.7.11, pytest-2.9.2, py-1.4.31, >>>>> pluggy-0.3.1 >>>>> rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: >>>>> pytest.ini >>>>> plugins: sourceorder-0.5, multihost-1.0 >>>>> collected 5 items >>>>> >>>>> test_integration/test_topology.py .. >>>>> >>>>> ================================================================================ >>>>> >>>>> >>>>> 2 passed in 2444.84 seconds >>>>> ================================================================================= >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> On 10/17/2016 07:05 PM, Martin Basti wrote: >>>>>> 1) >>>>>> >>>>>> you don't need to disable/enable dirsrv, just stop/start. Please >>>>>> remove >>>>>> disable/enable parts >>>>>> >>>>>> >>>>>> 2) >>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>> traceback >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>> >>>>>> >>>>>> self = >>>>> object at 0x7f6a502eec90> >>>>>> >>>>>> def test_delete_ruvs(self): >>>>>> """ >>>>>> http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/ >>>>>> Test_Plan#Test_case:_clean-ruv_subcommand >>>>>> """ >>>>>> replica = self.replicas[0] >>>>>> master = self.master >>>>>> res1 = master.run_command(['ipa-replica-manage', 'list-ruv', >>>>>> '-p', >>>>>> master.config.dirman_password]) >>>>>>> assert(res1.stdout_text.count(replica.hostname) == 2 and >>>>>> "Certificate Server Replica Update Vectors" in >>>>>> res1), ( >>>>>> "CA-specific RUVs are not displayed") >>>>>> E TypeError: argument of type 'SSHCommand' is not iterable >>>>>> >>>>>> test_integration/test_topology.py:215: 
TypeError >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>> entering PDB >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>> >>>>>>> >>>>>> /usr/lib/python2.7/site-packages/ipatests/test_integration/test_topology.py(215)test_delete_ruvs() >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> -> assert(res1.stdout_text.count(replica.hostname) == 2 and >>>>>> >>>>>> >>>>>> >>>>>> On 14.10.2016 11:36, Oleg Fayans wrote: >>>>>>> Right you are! I am sorry. >>>>>>> >>>>>>> On 10/13/2016 06:10 PM, Martin Basti wrote: >>>>>>>> I think that you forgot to squash commits. Patch 47 doesn't apply >>>>>>>> >>>>>>>> >>>>>>>> On 13.10.2016 14:01, Oleg Fayans wrote: >>>>>>>>> Hi Martin, >>>>>>>>> >>>>>>>>> Thanks for the review. >>>>>>>>> With disabling directory server it works as well, thanks for the >>>>>>>>> hint. >>>>>>>>> Also I moved the cleanup logic to the test itself for the sake of >>>>>>>>> simplicity. Patch-0048 was not changed >>>>>>>>> >>>>>>>>> On 10/12/2016 02:35 PM, Martin Basti wrote: >>>>>>>>>> 1) >>>>>>>>>> >>>>>>>>>> Can you just turn off dirsrv on replica instead of doing >>>>>>>>>> iptables >>>>>>>>>> magic? >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> 2) NACK >>>>>>>>>> >>>>>>>>>> No more eval() ever in code, use 'getattr', 'get' or whatever in >>>>>>>>>> the >>>>>>>>>> object that can be used. >>>>>>>>>> >>>>>>>>>> + evalhost = eval("args[0].%s" % host) >>>>>>>>>> >>>>>>>>>> Martin^2 >>>>>>>>>> >>>>>>>>>> On 12.10.2016 14:03, Oleg Fayans wrote: >>>>>>>>>>> Hi Martin, >>>>>>>>>>> >>>>>>>>>>> After extensive discussion with Ludwig, I finally got the >>>>>>>>>>> clue on >>>>>>>>>>> how >>>>>>>>>>> does this feature work. When we uninstall the replica, the >>>>>>>>>>> master >>>>>>>>>>> cleans the replication agreements with this replica and >>>>>>>>>>> automatically >>>>>>>>>>> cleans all replica's RUVs. 
>>>>>>>>>>> If we clean replica's RUVs on master without uninstalling the >>>>>>>>>>> replica, >>>>>>>>>>> the replica's RUVs get recreated on master (replication >>>>>>>>>>> works!). So, >>>>>>>>>>> the only way to test the clean-ruv subcommand is to turn off >>>>>>>>>>> the >>>>>>>>>>> replica, or block the traffic on it so it gets inaccessible to >>>>>>>>>>> updates >>>>>>>>>>> from master. >>>>>>>>>>> The testcases were updated, see [1] and [2] >>>>>>>>>>> >>>>>>>>>>> The updated versions of the patches are attached >>>>>>>>>>> >>>>>>>>>>> [1] >>>>>>>>>>> http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan#Test_case:_.2A-ruv_subcommands_of_ipa-replica-manage_are_extended_to_handle_CA-specific_RUVs >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> [2] >>>>>>>>>>> http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan#Test_case:_clean-ruv_subcommand >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> On 08/05/2016 06:36 PM, Martin Basti wrote: >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> On 03.08.2016 14:45, Oleg Fayans wrote: >>>>>>>>>>>>> Hi Martin, >>>>>>>>>>>>> >>>>>>>>>>>>> Thanks for the review! Both patches were updated. >>>>>>>>>>>>> >>>>>>>>>>>>> On 07/28/2016 04:11 PM, Martin Basti wrote: >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> On 08.07.2016 15:41, Oleg Fayans wrote: >>>>>>>>>>>>>>> Hi Martin, >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Thanks for the review! >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> On 07/08/2016 02:18 PM, Martin Basti wrote: >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> On 27.06.2016 13:53, Oleg Fayans wrote: >>>>>>>>>>>>>>>>> Hi guys, >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Is there a chance the patches NN 0047.1 and 0048.1 get >>>>>>>>>>>>>>>>> reviewed >>>>>>>>>>>>>>>>> before >>>>>>>>>>>>>>>>> 4.4 release? They cover a good part of the Managed >>>>>>>>>>>>>>>>> Topology >>>>>>>>>>>>>>>>> 4.4 >>>>>>>>>>>>>>>>> feature. 
>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> On 06/17/2016 11:18 AM, Oleg Fayans wrote: >>>>>>>>>>>>>>>>>> One more test was added to the patch-0048 >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> On 06/17/2016 09:43 AM, Oleg Fayans wrote: >>>>>>>>>>>>>>>>>>> Fixed a bug in the previous patch, automated 2 more >>>>>>>>>>>>>>>>>>> testcases >>>>>>>>>>>>>>>>>>> from >>>>>>>>>>>>>>>>>>> http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> On 06/16/2016 04:46 PM, Oleg Fayans wrote: >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> IIUC, this will turn off the machine completely, how is >>>>>>>>>>>>>>>> cleanup >>>>>>>>>>>>>>>> done >>>>>>>>>>>>>>>> then. AFAIK our tests cannot turn on machine again and >>>>>>>>>>>>>>>> run >>>>>>>>>>>>>>>> cleanup, so >>>>>>>>>>>>>>>> you will not be able to run more tests on the same >>>>>>>>>>>>>>>> topology >>>>>>>>>>>>>>>> without >>>>>>>>>>>>>>>> manual cleanup and manual start. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> + replica = self.replicas[0] >>>>>>>>>>>>>>>> + replica.run_command(['poweroff']) >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> IMO would be better to just call 'ipactl stop' instead of >>>>>>>>>>>>>>>> 'poweroff' >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Agreed! Fixed. >>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Martin^2 >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>> *Automated ipa-replica-manage del tests* >>>>>>>>>>>>>> >>>>>>>>>>>>>> 1) >>>>>>>>>>>>>> + replica.run_command(['ipactl', 'stop']) >>>>>>>>>>>>>> + time.sleep(3) >>>>>>>>>>>>>> >>>>>>>>>>>>>> Why do you need sleep here? 
>>>>>>>>>>>>> >>>>>>>>>>>>> Removed, it was left from the old "poweroff" approach >>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> 2) >>>>>>>>>>>>>> + ruvid_re = re.compile(".*%s:389: (\d+).*" % >>>>>>>>>>>>>> replica.hostname) >>>>>>>>>>>>>> + replica_ruvs = ruvid_re.findall(result.stdout_text) >>>>>>>>>>>>>> + master.run_command(['ipa-replica-manage', 'clean-ruv', >>>>>>>>>>>>>> 'f', >>>>>>>>>>>>>> + '-p', >>>>>>>>>>>>>> master.config.dirman_password, >>>>>>>>>>>>>> + replica_ruvs[0]]) >>>>>>>>>>>>>> >>>>>>>>>>>>>> Because you are using re.findall(), without any match you >>>>>>>>>>>>>> will >>>>>>>>>>>>>> receive >>>>>>>>>>>>>> IndexError here replica_ruvs[0]. IMO it deserves assert >>>>>>>>>>>>>> before >>>>>>>>>>>>> >>>>>>>>>>>>> Implemented the assert which checks that the output contains >>>>>>>>>>>>> enough >>>>>>>>>>>>> replica RUVs >>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> 3) >>>>>>>>>>>>>> assert(replica.hostname in result1.stdout_text) >>>>>>>>>>>>>> >>>>>>>>>>>>>> I think that this is error prone. What if there is just >>>>>>>>>>>>>> error >>>>>>>>>>>>>> 'could not >>>>>>>>>>>>>> connect to replica ', or something >>>>>>>>>>>>>> similar. >>>>>>>>>>>>>> instead of >>>>>>>>>>>>>> listing/cleaning/whatever operation was executed. I think >>>>>>>>>>>>>> that it >>>>>>>>>>>>>> should >>>>>>>>>>>>>> be more specific regexp than just finding a replica name >>>>>>>>>>>>>> substring >>>>>>>>>>>>>> (Yes >>>>>>>>>>>>>> In IPA we dont always print error so stderr) >>>>>>>>>>>>>> >>>>>>>>>>>>>> I'm not sure, but probably there might be cases when non >>>>>>>>>>>>>> critical >>>>>>>>>>>>>> error >>>>>>>>>>>>>> happen and exist status is still 0 >>>>>>>>>>>>> >>>>>>>>>>>>> Agree. 
Implemented a regex-based search >>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> 4) >>>>>>>>>>>>>> >>>>>>>>>>>>>> + replica.run_command(['poweroff']) >>>>>>>>>>>>>> + time.sleep(3) >>>>>>>>>>>>>> >>>>>>>>>>>>>> There should not be poweroff, probably sleep could be >>>>>>>>>>>>>> removed >>>>>>>>>>>>>> too. >>>>>>>>>>>>> >>>>>>>>>>>>> Gone >>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> * Automated clean-ruv subcommand test* >>>>>>>>>>>>>> >>>>>>>>>>>>>> 1) PEP8, 2 new lines expected >>>>>>>>>>>>>> ./ipatests/test_integration/test_topology.py:163:1: E302 >>>>>>>>>>>>>> expected 2 >>>>>>>>>>>>>> blank lines, found 0 >>>>>>>>>>>>>> ./ipatests/test_integration/test_topology.py:182:80: E501 >>>>>>>>>>>>>> line >>>>>>>>>>>>>> too >>>>>>>>>>>>>> long >>>>>>>>>>>>>> (85 > 79 characters) >>>>>>>>>>>>> >>>>>>>>>>>>> Fixed >>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> 2) >>>>>>>>>>>>>> I dont like doing assert just with count of occurences of >>>>>>>>>>>>>> substring in >>>>>>>>>>>>>> STDOUT, would be possible to improve this somehow? >>>>>>>>>>>>> >>>>>>>>>>>>> Maybe, but frankly, I don't see how. In this case we are >>>>>>>>>>>>> making >>>>>>>>>>>>> sure >>>>>>>>>>>>> that both simple and CA-specific RUVs of a replica are >>>>>>>>>>>>> displayed. The >>>>>>>>>>>>> format of the output is strict: >>>>>>>>>>>>> Replica Update Vectors: >>>>>>>>>>>>> replica1_hostname:389: RUV_id >>>>>>>>>>>>> replica2_hostname:389: RUV_id >>>>>>>>>>>>> Certificate Server Replica Update Vectors: >>>>>>>>>>>>> replica1_hostname:389: RUV_id >>>>>>>>>>>>> replica2_hostname:389: RUV_id >>>>>>>>>>>>> If we do not see 2 occurrences of the replica hostname than >>>>>>>>>>>>> definitely >>>>>>>>>>>>> something went wrong >>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> 3) >>>>>>>>>>>>>> I'm not sure if clean-ruv is instant operations or there is >>>>>>>>>>>>>> some >>>>>>>>>>>>>> magic >>>>>>>>>>>>>> happening in background (we have abort-clean-ruv). 
Maybe >>>>>>>>>>>>>> some >>>>>>>>>>>>>> sleep >>>>>>>>>>>>>> should be there, but this needs investigation. >>>>>>>>>>>>>> >>>>>>>>>>>>>> + assert(replica.hostname in result2.stdout_text), ( >>>>>>>>>>>>>> + "The wrong RUV was deleted") >>>>>>>>>>>>>> + result3 = master.run_command(['ipa-replica-manage', >>>>>>>>>>>>>> 'list-ruv', >>>>>>>>>>>>>> + '-p', >>>>>>>>>>>>>> master.config.dirman_password]) >>>>>>>>>>>>>> + assert(result3.stdout_text.count(replica.hostname) == >>>>>>>>>>>>>> 1), ( >>>>>>>>>>>>>> + "CA RUV of the replica is still displayed") >>>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> Based on my discussion with Stanislav Laznicka, I understood >>>>>>>>>>>>> that by >>>>>>>>>>>>> default clean-ruv does not return the shell until the >>>>>>>>>>>>> operation is >>>>>>>>>>>>> finished. You can force dropping into the shell by pressing >>>>>>>>>>>>> CTRL+C, in >>>>>>>>>>>>> which case the background job will still be running, but >>>>>>>>>>>>> this is >>>>>>>>>>>>> not >>>>>>>>>>>>> the default behavior >>>>>>>>>>>>> >>>>>>>>>>>> Test failed: >>>>>>>>>>>> result4 = master.run_command(['ipa-replica-manage', >>>>>>>>>>>> 'list-ruv', >>>>>>>>>>>> '-p', >>>>>>>>>>>> master.config.dirman_password]) >>>>>>>>>>>>> assert(replica.hostname not in result4.stdout_text), ( >>>>>>>>>>>> "replica's RUV is still displayed") >>>>>>>>>>>> E AssertionError: replica's RUV is still displayed >>>>>>>>>>>> E assert 'replica3.ipa.test' not in 'Replica Update >>>>>>>>>>>> V...ipa.test:389: 8\n' >>>>>>>>>>>> E 'replica3.ipa.test' is contained here: >>>>>>>>>>>> E Replica Update Vectors: >>>>>>>>>>>> E \tmaster.ipa.test:389: 4 >>>>>>>>>>>> E \treplica3.ipa.test:389: 3 >>>>>>>>>>>> E \treplica2.ipa.test:389: 7 >>>>>>>>>>>> E Certificate Server Replica Update Vectors: >>>>>>>>>>>> E \tmaster.ipa.test:389: 6 >>>>>>>>>>>> E \treplica2.ipa.test:389: 8 >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> [root at master ~]# ipa topologysegment-find >>>>>>>>>>>> Suffix name: domain >>>>>>>>>>>> 
------------------ >>>>>>>>>>>> 2 segments matched >>>>>>>>>>>> ------------------ >>>>>>>>>>>> Segment name: master.ipa.test-to-replica2.ipa.test >>>>>>>>>>>> Left node: master.ipa.test >>>>>>>>>>>> Right node: replica2.ipa.test >>>>>>>>>>>> Connectivity: both >>>>>>>>>>>> >>>>>>>>>>>> Segment name: master.ipa.test-to-replica3.ipa.test >>>>>>>>>>>> Left node: master.ipa.test >>>>>>>>>>>> Right node: replica3.ipa.test >>>>>>>>>>>> Connectivity: both >>>>>>>>>>>> ---------------------------- >>>>>>>>>>>> Number of entries returned 2 >>>>>>>>>>>> ---------------------------- >>>>>>>>>>>> [root at master ~]# ipa-replica-manage list-ruv >>>>>>>>>>>> Directory Manager password: >>>>>>>>>>>> >>>>>>>>>>>> Replica Update Vectors: >>>>>>>>>>>> master.ipa.test:389: 4 >>>>>>>>>>>> replica2.ipa.test:389: 7 >>>>>>>>>>>> replica3.ipa.test:389: 3 >>>>>>>>>>>> Certificate Server Replica Update Vectors: >>>>>>>>>>>> master.ipa.test:389: 6 >>>>>>>>>>>> replica2.ipa.test:389: 8 >>>>>>>>>>>> [root at master ~]# >>>>>>>>>>>> >>>>>>>>>>>> Then I tried manually to clean RUV 3, and it behaves >>>>>>>>>>>> somehow odd >>>>>>>>>>>> >>>>>>>>>>>> [root at master ~]# 'ipa-replica-manage' 'clean-ruv' '3' '-p' >>>>>>>>>>>> 'Secret123' '-f' >>>>>>>>>>>> Clean the Replication Update Vector for replica3.ipa.test:389 >>>>>>>>>>>> Background task created to clean replication data. This may >>>>>>>>>>>> take a >>>>>>>>>>>> while. 
>>>>>>>>>>>> This may be safely interrupted with Ctrl+C >>>>>>>>>>>> Cleanup task created >>>>>>>>>>>> [root at master ~]# less /var/log/dirsrv/slapd-IPA-TEST/errors >>>>>>>>>>>> [root at master ~]# ipa-replica-manage list-ruv >>>>>>>>>>>> Directory Manager password: >>>>>>>>>>>> >>>>>>>>>>>> Replica Update Vectors: >>>>>>>>>>>> master.ipa.test:389: 4 >>>>>>>>>>>> replica2.ipa.test:389: 7 >>>>>>>>>>>> replica3.ipa.test:389: 3 >>>>>>>>>>>> Certificate Server Replica Update Vectors: >>>>>>>>>>>> master.ipa.test:389: 6 >>>>>>>>>>>> replica2.ipa.test:389: 8 >>>>>>>>>>>> [root at master ~]# 'ipa-replica-manage' 'clean-ruv' '3' '-p' >>>>>>>>>>>> 'Secret123' '-f' >>>>>>>>>>>> Clean the Replication Update Vector for replica3.ipa.test:389 >>>>>>>>>>>> CLEANALLRUV task for replica id 3 already exists. >>>>>>>>>>>> This may be safely interrupted with Ctrl+C >>>>>>>>>>>> Cleanup task created >>>>>>>>>>>> >>>>>>>>>>>> [root at master ~]# ipa-replica-manage list-clean-ruv -p >>>>>>>>>>>> Secret123 >>>>>>>>>>>> No CLEANALLRUV tasks running >>>>>>>>>>>> >>>>>>>>>>>> No abort CLEANALLRUV tasks running >>>>>>>>>>>> [root at master ~]# 'ipa-replica-manage' 'clean-ruv' '3' '-p' >>>>>>>>>>>> 'Secret123' '-f' >>>>>>>>>>>> Clean the Replication Update Vector for replica3.ipa.test:389 >>>>>>>>>>>> Background task created to clean replication data. This may >>>>>>>>>>>> take a >>>>>>>>>>>> while. >>>>>>>>>>>> This may be safely interrupted with Ctrl+C >>>>>>>>>>>> Cleanup task created >>>>>>>>>>>> [root at master ~]# ipa-replica-manage list-clean-ruv -p >>>>>>>>>>>> Secret123 >>>>>>>>>>>> CLEANALLRUV tasks >>>>>>>>>>>> RID 3: Successfully cleaned rid(3). 
>>>>>>>>>>>> >>>>>>>>>>>> No abort CLEANALLRUV tasks running >>>>>>>>>>>> [root at master ~]# ipa-replica-manage list-ruv -p Secret123 >>>>>>>>>>>> Replica Update Vectors: >>>>>>>>>>>> master.ipa.test:389: 4 >>>>>>>>>>>> replica2.ipa.test:389: 7 >>>>>>>>>>>> Certificate Server Replica Update Vectors: >>>>>>>>>>>> master.ipa.test:389: 6 >>>>>>>>>>>> replica2.ipa.test:389: 8 >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> I'm not sure if this behavior is right, Ludwig may know. >>>>>>>>>>> >>>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>>> >>>>>> >>>>> >>>>> >>>>> >>>> >>> >> >> >> > > ACK > On the other hand, make it a conditional one. The link in the comment does not work. Please fix that. > > -- > Milan Kubik > > -- Milan Kubik -------------- next part -------------- An HTML attachment was scrubbed... URL: From freeipa-github-notification at redhat.com Wed Nov 9 15:40:13 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 09 Nov 2016 16:40:13 +0100 Subject: [Freeipa-devel] [freeipa PR#218][closed] test_ipagetkeytab: use system-wide IPA CA cert location in tests In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/218 Author: martbab Title: #218: test_ipagetkeytab: use system-wide IPA CA cert location in tests Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/218/head:pr218 git checkout pr218 From freeipa-github-notification at redhat.com Wed Nov 9 15:40:14 2016 
From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 09 Nov 2016 16:40:14 +0100 Subject: [Freeipa-devel] [freeipa PR#218][comment] test_ipagetkeytab: use system-wide IPA CA cert location in tests In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/218 Title: #218: test_ipagetkeytab: use system-wide IPA CA cert location in tests martbab commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/3ecda74d14066f6609d72422041bcc0c6499de77 """ See the full comment at https://github.com/freeipa/freeipa/pull/218#issuecomment-259444757 From freeipa-github-notification at redhat.com Wed Nov 9 15:40:18 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 09 Nov 2016 16:40:18 +0100 Subject: [Freeipa-devel] [freeipa PR#218][+pushed] test_ipagetkeytab: use system-wide IPA CA cert location in tests In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/218 Title: #218: test_ipagetkeytab: use system-wide IPA CA cert location in tests Label: +pushed From mkubik at redhat.com Wed Nov 9 15:43:40 2016 
From: mkubik at redhat.com (=?UTF-8?Q?Milan_Kub=c3=adk?=) Date: Wed, 9 Nov 2016 16:43:40 +0100 Subject: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test In-Reply-To: <39a8af61-056b-df40-9126-50997a5b54c8@redhat.com> References: <57A07FE4.8000904@redhat.com> <2b0ed7fe-f0bc-7137-bdc1-b0758ffe9cd6@redhat.com> <20160914154119.mkk2ma7tvks55xsu@redhat.com> <97eaa313-e889-cd4a-e900-9e88596577a0@redhat.com> <20160914155320.iowrijrq3z62evoo@redhat.com> <1af52e6c-c24b-d58b-ccf5-a85c5c290e0c@redhat.com> <20160914165348.GE2761@p.Speedport_W_724V_Typ_A_05011603_00_009> <59763ea7-2ab5-bdc2-72c1-489a462f78ef@redhat.com> <6089c103-ab56-62f7-971c-a41710eee22f@redhat.com> <1d744d16-75de-2bdc-5892-b3c36a305581@redhat.com> <39a8af61-056b-df40-9126-50997a5b54c8@redhat.com> Message-ID: <1d11dfa3-eb74-6ca2-1dfa-e65000d92b82@redhat.com> On 10/25/2016 10:24 AM, Oleg Fayans wrote: > Integration part of the tests is ready. 2 tests: > > 1. Adds a cert to idoverride of a windows user > 2. sssd part - looks up user by his certificate using dbus-sssd > > Second and third dbus call are executed as a string insted of as array > of strings because it just does not work otherwise. Some quote > escaping gets screwed probably, but the system returns "Error > org.freedesktop.DBus.Error.UnknownInterface: Unknown interface" if the > command is executed using the standard array-based approach > > The run looks like this: > > bash-4.3$ ipa-run-tests test_integration/test_idviews.py --pdb > WARNING: Couldn't write lextab module 'pycparser.lextab'. [Errno 13] > Permission denied: 'lextab.py' > WARNING: yacc table file version is out of date > WARNING: Couldn't create 'pycparser.yacctab'. 
[Errno 13] Permission > denied: 'yacctab.py' > ==================================== test session starts > ==================================== > platform linux2 -- Python 2.7.11, pytest-2.9.2, py-1.4.31, pluggy-0.3.1 > rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: pytest.ini > plugins: sourceorder-0.5, multihost-1.0 > collected 2 items > > test_integration/test_idviews.py .. > > ================================ 2 passed in 948.44 seconds > ================================= > > > On 10/21/2016 10:54 AM, Oleg Fayans wrote: >> Added one more test, resolved the pep8 issues >> >> On 10/19/2016 12:32 PM, Oleg Fayans wrote: >>> Hi Martin, >>> >>> As you suggested, I've extended the >>> test_xmlrpc/test_add_remove_cert_cmd.py to contain basic tests for >>> certs >>> in idoverrides. >>> The integration part still needs some polishing in the part related to >>> user lookup by cert >>> >>> On 10/14/2016 03:57 PM, Martin Babinsky wrote: >>>> On 10/14/2016 03:48 PM, Oleg Fayans wrote: >>>>> So, did I understand correctly, that there would be 2 patches: one >>>>> containing test for basic idoverrides functionality without >>>>> AD-integration, and the second one - with AD-integration and an sssd >>>>> check, correct? >>>>> I guess, the >>>>> freeipa-ofayans-0050.1-Automated-test-for-certs-in-idoverrides-feature.patch >>>>> >>>>> >>>>> >>>>> >>>>> might be a good candidate for the first one, I only have to change >>>>> the >>>>> filename to test_idviews.py, right? >>>>> >>>> >>>> Oleg, we already have XMLRPC tests for idoverrides: >>>> >>>> ipatests/test_xmlrpc/test_idviews_plugin.py >>>> >>>> Is there any particular reason why not to extend them with add >>>> cert/remove cert operations? >>>> >>>> Even better, you can extend >>>> `ipatests/test_xmlrpc/test_add_remove_cert_cmd.py` suite by doing the >>>> same set of tests on idoverrideuser objects. >>>> >>>> Or am I missing something? 
>>>> >>>>> On 09/15/2016 10:32 AM, Martin Basti wrote: >>>>>> >>>>>> >>>>>> On 15.09.2016 10:10, Oleg Fayans wrote: >>>>>>> Hi Martin, >>>>>>> >>>>>>> The file was renamed. Did I understand correctly that for now we >>>>>>> are >>>>>>> leaving the test as is and are planning to extend it later? >>>>>> >>>>>> I would like to have there SSSD check involved, please use what >>>>>> Summit >>>>>> recommends. No new test cases. >>>>>> >>>>>> And this can be done by separate patch, I want to have API/CLI >>>>>> certificate override tests for non-AD idview (extending current >>>>>> tests I >>>>>> posted in this thread) >>>>>> >>>>>> Martin^2 >>>>>>> >>>>>>> On 09/15/2016 09:49 AM, Martin Basti wrote: >>>>>>>> >>>>>>>> >>>>>>>> On 14.09.2016 18:53, Sumit Bose wrote: >>>>>>>>> On Wed, Sep 14, 2016 at 06:03:37PM +0200, Martin Basti wrote: >>>>>>>>>> >>>>>>>>>> On 14.09.2016 17:53, Alexander Bokovoy wrote: >>>>>>>>>>> On Wed, 14 Sep 2016, Martin Basti wrote: >>>>>>>>>>>> >>>>>>>>>>>> On 14.09.2016 17:41, Alexander Bokovoy wrote: >>>>>>>>>>>>> On Wed, 14 Sep 2016, Martin Basti wrote: >>>>>>>>>>>>>> 1) >>>>>>>>>>>>>> I still don't see the reason why AD trust is needed. Default >>>>>>>>>>>>>> trust ID view is added just by ipa-adtrust-install, adding >>>>>>>>>>>>>> trust is not needed for current implementation. You don't >>>>>>>>>>>>>> need AD for this, IDviews is generic feature not just for >>>>>>>>>>>>>> AD. Is that user configured on AD side? >>>>>>>>>>>>> You cannot add non-AD user to 'default trust view', so you >>>>>>>>>>>>> will >>>>>>>>>>>>> not be >>>>>>>>>>>>> able to set up certificates to ID override which does not >>>>>>>>>>>>> exist. >>>>>>>>>>>>> >>>>>>>>>>>>> For non-'default trust view' you can add both IPA and AD >>>>>>>>>>>>> users, >>>>>>>>>>>>> so using >>>>>>>>>>>>> some other view and then assign certificate for a ID >>>>>>>>>>>>> override in >>>>>>>>>>>>> that >>>>>>>>>>>>> one. 
>>>>>>>>>>>>> >>>>>>>>>>>> Ok then, but anyway I would like to see API/CLI tests for this >>>>>>>>>>>> feature with proper output validation. >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> How can be this tested with SSSD? >>>>>>>>>>> You need to log into the system with a certificate... >>>>>>>>>> Is this possible from test? We are logged remotely as root, is >>>>>>>>>> there any >>>>>>>>>> cmdline util which allows us to test certificate against AD >>>>>>>>>> user? >>>>>>>>> >>>>>>>>> You can use 'sss_ssh_authorizedkeys aduser at ad.domain' which >>>>>>>>> should >>>>>>>>> return the ssh key derived from the public key in the >>>>>>>>> certificate. >>>>>>>>> This >>>>>>>>> should work for certificate stored in AD as well as for >>>>>>>>> overrides. >>>>>>>>> >>>>>>>>> You can also you the DBus lookup by certificate as described in >>>>>>>>> https://fedorahosted.org/sssd/wiki/DesignDocs/LookupUsersByCertificate >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> . >>>>>>>>> >>>>>>>>> HTH >>>>>>>>> >>>>>>>>> bye, >>>>>>>>> Sumit >>>>>>>> >>>>>>>> Thank you Alexander and Summit for hints. >>>>>>>> >>>>>>>> Oleg I realized we don't have any other idviews integration tests >>>>>>>> >>>>>>>> So I propose to rename test file you are adding to >>>>>>>> test_idviews.py. We >>>>>>>> can add more testcases for idviews there later >>>>>>>> >>>>>>>> Martin^2 >>>>>>>>>> Martin^2 >>>>>>>>>> >>>>>>>>>> -- >>>>>>>>>> Manage your subscription for the Freeipa-devel mailing list: >>>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel >>>>>>>>>> Contribute to FreeIPA: >>>>>>>>>> http://www.freeipa.org/page/Contribute/Code >>>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>> >>>>>> >>>>>> >>>>> >>>> >>>> >>> >>> >>> >> >> >> > > > Putting `config.ad_domains[0].ads[0]` to a class variable prevents other classes from running without enough resources for the TestCertsInIDOverrides class. Please do this kind of things in the __init__ method. 
As for the actual test run, me or Lenka will check that tomorrow. -- Milan Kubik -------------- next part -------------- An HTML attachment was scrubbed... URL: From freeipa-github-notification at redhat.com Wed Nov 9 15:57:46 2016 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 09 Nov 2016 16:57:46 +0100 Subject: [Freeipa-devel] [freeipa PR#223][opened] LDAP refactoring: remove admin_conn Message-ID: URL: https://github.com/freeipa/freeipa/pull/223 Author: tomaskrizek Title: #223: LDAP refactoring: remove admin_conn Action: opened PR body: """ This first commit removes the admin_conn alias for api.Backend.ldap2 that was previously used in services. When trying to get rid of it, I found some legacy code in ipa-server-upgrade. The second commit improves ldap connection management in upgrade and removes useless start and stops of directory server at random places. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/223/head:pr223 git checkout pr223 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-223.patch Type: text/x-diff Size: 49267 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Nov 9 15:59:30 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 09 Nov 2016 16:59:30 +0100 Subject: [Freeipa-devel] [freeipa PR#215][comment] Add script to setup krb5 NFS exports In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/215 Title: #215: Add script to setup krb5 NFS exports mbasti-rh commented: """ Hello, can you please provide user cases for this, or some kind of top level design what problem are you solving, why and how do you plan to resolve it? We may help you then to create an optimal solution. Current code is hard to read and I think you copy&pasted a lot of code from other IPA parts, also IPA code should not install any other packages. For me it looks more like work for some provisioning system like ansible than IPA script, so I would like to see design/user cases first. Thanks """ See the full comment at https://github.com/freeipa/freeipa/pull/215#issuecomment-259449810 From freeipa-github-notification at redhat.com Wed Nov 9 16:12:02 2016 From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 09 Nov 2016 17:12:02 +0100 Subject: [Freeipa-devel] [freeipa PR#188][comment] Move Python egg-info to top level directory In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/188 Title: #188: Move Python egg-info to top level directory tiran commented: """ I'm closing this PR because the issue can't be fixed w/o patching setuptools heavily. I got it mostly right except for SOURCES.txt. We need to revise the project structure at a later point. """ See the full comment at https://github.com/freeipa/freeipa/pull/188#issuecomment-259453244 From freeipa-github-notification at redhat.com Wed Nov 9 16:12:04 2016
From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 09 Nov 2016 17:12:04 +0100 Subject: [Freeipa-devel] [freeipa PR#188][closed] Move Python egg-info to top level directory In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/188 Author: tiran Title: #188: Move Python egg-info to top level directory Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/188/head:pr188 git checkout pr188 From freeipa-github-notification at redhat.com Wed Nov 9 16:16:27 2016 From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 09 Nov 2016 17:16:27 +0100 Subject: [Freeipa-devel] [freeipa PR#197][synchronized] Make setup.py files PyPI compatible In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/197 Author: tiran Title: #197: Make setup.py files PyPI compatible Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/197/head:pr197 git checkout pr197 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-197.patch Type: text/x-diff Size: 2739 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Nov 9 16:18:47 2016 
From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 09 Nov 2016 17:18:47 +0100 Subject: [Freeipa-devel] [freeipa PR#187][synchronized] Register entry points of Custodia plugins In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/187 Author: tiran Title: #187: Register entry points of Custodia plugins Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/187/head:pr187 git checkout pr187 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-187.patch Type: text/x-diff Size: 1025 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Nov 9 16:19:20 2016 From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 09 Nov 2016 17:19:20 +0100 Subject: [Freeipa-devel] [freeipa PR#180][synchronized] Make api.env.nss_dir relative to api.env.confdir In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/180 Author: tiran Title: #180: Make api.env.nss_dir relative to api.env.confdir Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/180/head:pr180 git checkout pr180 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-180.patch Type: text/x-diff Size: 2021 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Nov 9 16:20:51 2016 
From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 09 Nov 2016 17:20:51 +0100 Subject: [Freeipa-devel] [freeipa PR#143][synchronized] Issue6386 nss dir In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/143 Author: tiran Title: #143: Issue6386 nss dir Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/143/head:pr143 git checkout pr143 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-143.patch Type: text/x-diff Size: 3180 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Nov 9 16:23:12 2016 From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 09 Nov 2016 17:23:12 +0100 Subject: [Freeipa-devel] [freeipa PR#143][comment] Issue6386 nss dir In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/143 Title: #143: Issue6386 nss dir tiran commented: """ I have fixed all places that don't depend on hard-coded paths. The other places are used for client enrolment and depend on hard-coded paths for sysrestore. Some places use the path before ipalib.api is initialized. """ See the full comment at https://github.com/freeipa/freeipa/pull/143#issuecomment-259456183 From freeipa-github-notification at redhat.com Wed Nov 9 16:40:19 2016 
From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 09 Nov 2016 17:40:19 +0100 Subject: [Freeipa-devel] [freeipa PR#182][comment] Use env var IPA_CONFDIR to get confdir for 'cli' context In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/182 Title: #182: Use env var IPA_CONFDIR to get confdir for 'cli' context tiran commented: """ ipapython.admintool.ScriptError still prints the full traceback:

```
$ IPA_CONFDIR=/tmp/ipa ./ipa
[2016-11-09T16:35:38Z ipa] : ScriptError: IPA_CONFDIR must be an absolute path to an existing directory.
Traceback (most recent call last):
  File "/home/heimes/redhat/freeipa/ipalib/cli.py", line 1345, in run
    (_options, argv) = api.bootstrap_with_global_options(context='cli')
  File "/home/heimes/redhat/freeipa/ipalib/plugable.py", line 580, in bootstrap_with_global_options
    self.bootstrap(parser, **overrides)
  File "/home/heimes/redhat/freeipa/ipalib/plugable.py", line 436, in bootstrap
    self.env._bootstrap(**overrides)
  File "/home/heimes/redhat/freeipa/ipalib/config.py", line 470, in _bootstrap
    'IPA_CONFDIR must be an absolute path to an '
ScriptError: IPA_CONFDIR must be an absolute path to an existing directory.
[2016-11-09T16:35:38Z ipa] : an internal error has occurred
```

""" See the full comment at https://github.com/freeipa/freeipa/pull/182#issuecomment-259460953 From freeipa-github-notification at redhat.com Wed Nov 9 16:42:55 2016
From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 09 Nov 2016 17:42:55 +0100 Subject: [Freeipa-devel] [freeipa PR#182][synchronized] Use env var IPA_CONFDIR to get confdir for 'cli' context In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/182 Author: tiran Title: #182: Use env var IPA_CONFDIR to get confdir for 'cli' context Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/182/head:pr182 git checkout pr182 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-182.patch Type: text/x-diff Size: 2409 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Nov 9 17:25:41 2016 From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 09 Nov 2016 18:25:41 +0100 Subject: [Freeipa-devel] [freeipa PR#195][synchronized] [WIP] Make ipaclient pip install-able In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/195 Author: tiran Title: #195: [WIP] Make ipaclient pip install-able Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/195/head:pr195 git checkout pr195 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-195.patch Type: text/x-diff Size: 12043 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Nov 9 17:37:48 2016 
From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 09 Nov 2016 18:37:48 +0100 Subject: [Freeipa-devel] [freeipa PR#195][synchronized] [WIP] Make ipaclient pip install-able In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/195 Author: tiran Title: #195: [WIP] Make ipaclient pip install-able Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/195/head:pr195 git checkout pr195 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-195.patch Type: text/x-diff Size: 7499 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Nov 10 00:59:34 2016 From: freeipa-github-notification at redhat.com (frasertweedale) Date: Thu, 10 Nov 2016 01:59:34 +0100 Subject: [Freeipa-devel] [freeipa PR#217][synchronized] change certificate processing code to use python-cryptography In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/217 Author: frasertweedale Title: #217: change certificate processing code to use python-cryptography Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/217/head:pr217 git checkout pr217 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-217.patch Type: text/x-diff Size: 100276 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Nov 10 05:16:00 2016 
From: freeipa-github-notification at redhat.com (frasertweedale) Date: Thu, 10 Nov 2016 06:16:00 +0100 Subject: [Freeipa-devel] [freeipa PR#219][comment] Refactor installer code requesting certificates In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/219 Title: #219: Refactor installer code requesting certificates frasertweedale commented: """ Although there are conflicts with `master`, there are problems when the patches are rebased. Server installation (CA-ful) fails when requesting the RA certificate.

```
2016-11-10T04:58:02Z DEBUG [16/30]: requesting RA certificate from CA
2016-11-10T04:58:02Z DEBUG Starting external process
2016-11-10T04:58:02Z DEBUG args=/usr/bin/openssl pkcs7 -inform DER -print_certs -out /var/lib/ipa/tmpyozdnw
2016-11-10T04:58:02Z DEBUG Process finished, return code=0
2016-11-10T04:58:02Z DEBUG stdout=
2016-11-10T04:58:02Z DEBUG stderr=
2016-11-10T04:58:03Z DEBUG certmonger request is in state dbus.String(u'NEWLY_ADDED_READING_CERT', variant_level=1)
2016-11-10T04:58:08Z DEBUG certmonger request is in state dbus.String(u'SUBMITTING', variant_level=1)
2016-11-10T04:58:13Z DEBUG certmonger request is in state dbus.String(u'SUBMITTING', variant_level=1)
2016-11-10T04:58:18Z DEBUG certmonger request is in state dbus.String(u'SUBMITTING', variant_level=1)
2016-11-10T04:58:23Z DEBUG certmonger request is in state dbus.String(u'SUBMITTING', variant_level=1)
2016-11-10T04:58:28Z DEBUG certmonger request is in state dbus.String(u'SUBMITTING', variant_level=1)
2016-11-10T04:58:33Z DEBUG certmonger request is in state dbus.String(u'SUBMITTING', variant_level=1)
2016-11-10T04:58:38Z DEBUG certmonger request is in state dbus.String(u'SUBMITTING', variant_level=1)
2016-11-10T04:58:43Z DEBUG certmonger request is in state dbus.String(u'SUBMITTING', variant_level=1)
2016-11-10T04:58:48Z DEBUG certmonger request is in state dbus.String(u'SUBMITTING', variant_level=1)
2016-11-10T04:58:53Z DEBUG certmonger request is in state dbus.String(u'SUBMITTING', variant_level=1)
2016-11-10T04:58:58Z DEBUG certmonger request is in state dbus.String(u'SUBMITTING', variant_level=1)
2016-11-10T04:59:03Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 397, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 387, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 830, in __request_ra_certificate
    post_command='renew_ra_cert')
  File "/usr/lib/python2.7/site-packages/ipapython/certmonger.py", line 312, in request_and_wait_for_cert
    state = wait_for_request(reqId, timeout=60)
  File "/usr/lib/python2.7/site-packages/ipapython/certmonger.py", line 601, in wait_for_request
    raise RuntimeError("request timed out")
RuntimeError: request timed out
```

""" See the full comment at https://github.com/freeipa/freeipa/pull/219#issuecomment-259603552 From freeipa-github-notification at redhat.com Thu Nov 10 05:16:15 2016
From: freeipa-github-notification at redhat.com (frasertweedale) Date: Thu, 10 Nov 2016 06:16:15 +0100 Subject: [Freeipa-devel] [freeipa PR#219][comment] Refactor installer code requesting certificates In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/219 Title: #219: Refactor installer code requesting certificates frasertweedale commented: """ Although there are no conflicts with `master`, there are problems when the patches are rebased. Server installation (CA-ful) fails when requesting the RA certificate.

```
2016-11-10T04:58:02Z DEBUG [16/30]: requesting RA certificate from CA
2016-11-10T04:58:02Z DEBUG Starting external process
2016-11-10T04:58:02Z DEBUG args=/usr/bin/openssl pkcs7 -inform DER -print_certs -out /var/lib/ipa/tmpyozdnw
2016-11-10T04:58:02Z DEBUG Process finished, return code=0
2016-11-10T04:58:02Z DEBUG stdout=
2016-11-10T04:58:02Z DEBUG stderr=
2016-11-10T04:58:03Z DEBUG certmonger request is in state dbus.String(u'NEWLY_ADDED_READING_CERT', variant_level=1)
2016-11-10T04:58:08Z DEBUG certmonger request is in state dbus.String(u'SUBMITTING', variant_level=1)
2016-11-10T04:58:13Z DEBUG certmonger request is in state dbus.String(u'SUBMITTING', variant_level=1)
2016-11-10T04:58:18Z DEBUG certmonger request is in state dbus.String(u'SUBMITTING', variant_level=1)
2016-11-10T04:58:23Z DEBUG certmonger request is in state dbus.String(u'SUBMITTING', variant_level=1)
2016-11-10T04:58:28Z DEBUG certmonger request is in state dbus.String(u'SUBMITTING', variant_level=1)
2016-11-10T04:58:33Z DEBUG certmonger request is in state dbus.String(u'SUBMITTING', variant_level=1)
2016-11-10T04:58:38Z DEBUG certmonger request is in state dbus.String(u'SUBMITTING', variant_level=1)
2016-11-10T04:58:43Z DEBUG certmonger request is in state dbus.String(u'SUBMITTING', variant_level=1)
2016-11-10T04:58:48Z DEBUG certmonger request is in state dbus.String(u'SUBMITTING', variant_level=1)
2016-11-10T04:58:53Z DEBUG certmonger request is in state dbus.String(u'SUBMITTING', variant_level=1)
2016-11-10T04:58:58Z DEBUG certmonger request is in state dbus.String(u'SUBMITTING', variant_level=1)
2016-11-10T04:59:03Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 397, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 387, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 830, in __request_ra_certificate
    post_command='renew_ra_cert')
  File "/usr/lib/python2.7/site-packages/ipapython/certmonger.py", line 312, in request_and_wait_for_cert
    state = wait_for_request(reqId, timeout=60)
  File "/usr/lib/python2.7/site-packages/ipapython/certmonger.py", line 601, in wait_for_request
    raise RuntimeError("request timed out")
RuntimeError: request timed out
```

""" See the full comment at https://github.com/freeipa/freeipa/pull/219#issuecomment-259603552 From freeipa-github-notification at redhat.com Thu Nov 10 07:11:07 2016 From: freeipa-github-notification at redhat.com (pspacek) Date: Thu, 10 Nov 2016 08:11:07 +0100 Subject: [Freeipa-devel] [freeipa PR#221][+ack] gitignore: ignore tar ball In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/221 Title: #221: gitignore: ignore tar ball Label: +ack From freeipa-github-notification at redhat.com Thu Nov 10 07:52:03 2016
From: freeipa-github-notification at redhat.com (jcholast) Date: Thu, 10 Nov 2016 08:52:03 +0100 Subject: [Freeipa-devel] [freeipa PR#187][comment] Register entry points of Custodia plugins In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/187 Title: #187: Register entry points of Custodia plugins jcholast commented: """ Just curious, why is the store class called `iSecStore` and not `IPASecStore` or something similar to make it apparent that it comes from IPA? """ See the full comment at https://github.com/freeipa/freeipa/pull/187#issuecomment-259623574 From freeipa-github-notification at redhat.com Thu Nov 10 08:00:47 2016 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Thu, 10 Nov 2016 09:00:47 +0100 Subject: [Freeipa-devel] [freeipa PR#143][+ack] Issue6386 nss dir In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/143 Title: #143: Issue6386 nss dir Label: +ack From freeipa-github-notification at redhat.com Thu Nov 10 08:05:37 2016 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Thu, 10 Nov 2016 09:05:37 +0100 Subject: [Freeipa-devel] [freeipa PR#182][comment] Use env var IPA_CONFDIR to get confdir for 'cli' context In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/182 Title: #182: Use env var IPA_CONFDIR to get confdir for 'cli' context tomaskrizek commented: """ In that case, we probably need to properly handle the exception somewhere. Since that's out of the scope of this PR, I'm going to ACK this. We can either open a ticket for this or wait until someone encounters the issue. I think it's a rather rare use case with low priority and low impact. """ See the full comment at https://github.com/freeipa/freeipa/pull/182#issuecomment-259625751 From freeipa-github-notification at redhat.com Thu Nov 10 08:05:41 2016 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Thu, 10 Nov 2016 09:05:41 +0100 Subject: [Freeipa-devel] [freeipa PR#182][+ack] Use env var IPA_CONFDIR to get confdir for 'cli' context In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/182 Title: #182: Use env var IPA_CONFDIR to get confdir for 'cli' context Label: +ack From freeipa-github-notification at redhat.com Thu Nov 10 08:11:46 2016 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Thu, 10 Nov 2016 09:11:46 +0100 Subject: [Freeipa-devel] [freeipa PR#180][comment] Make api.env.nss_dir relative to api.env.confdir In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/180 Title: #180: Make api.env.nss_dir relative to api.env.confdir tomaskrizek commented: """ I've discussed this change with @jcholast. He doesn't like this change unless we use `nss_dir` everywhere. However, like you mentioned in #143, that might not be easily achievable. I'm going to wait for his opinion on this. """ See the full comment at https://github.com/freeipa/freeipa/pull/180#issuecomment-259626805 From freeipa-github-notification at redhat.com Thu Nov 10 08:30:31 2016 
From: freeipa-github-notification at redhat.com (flo-renaud) Date: Thu, 10 Nov 2016 09:30:31 +0100 Subject: [Freeipa-devel] [freeipa PR#219][comment] Refactor installer code requesting certificates In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/219 Title: #219: Refactor installer code requesting certificates flo-renaud commented: """ Hi Fraser, can you check if the renewal lock was released after the last uninstallation? The file /var/run/ipa/renewal.lock should display something like ``` cat /var/run/ipa/renewal.lock [lock] locked = 0 ``` If it is showing instead that the lock is taken, then the install will fail on timeout. I wonder whether I should clean this file at the beginning of the installation, to avoid this specific issue. """ See the full comment at https://github.com/freeipa/freeipa/pull/219#issuecomment-259630260 From freeipa-github-notification at redhat.com Thu Nov 10 08:33:32 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Thu, 10 Nov 2016 09:33:32 +0100 Subject: [Freeipa-devel] [freeipa PR#221][+pushed] gitignore: ignore tar ball In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/221 Title: #221: gitignore: ignore tar ball Label: +pushed From freeipa-github-notification at redhat.com Thu Nov 10 08:33:33 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Thu, 10 Nov 2016 09:33:33 +0100 Subject: [Freeipa-devel] [freeipa PR#221][comment] gitignore: ignore tar ball In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/221 Title: #221: gitignore: ignore tar ball mbasti-rh commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/9bb6d8643f4eb7214897de28821839a14a3bcb37 """ See the full comment at https://github.com/freeipa/freeipa/pull/221#issuecomment-259630835 From freeipa-github-notification at redhat.com Thu Nov 10 08:33:35 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Thu, 10 Nov 2016 09:33:35 +0100 Subject: [Freeipa-devel] [freeipa PR#221][closed] gitignore: ignore tar ball In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/221 Author: tomaskrizek Title: #221: gitignore: ignore tar ball Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/221/head:pr221 git checkout pr221 From freeipa-github-notification at redhat.com Thu Nov 10 08:36:43 2016 From: freeipa-github-notification at redhat.com (jcholast) Date: Thu, 10 Nov 2016 09:36:43 +0100 Subject: [Freeipa-devel] [freeipa PR#182][-ack] Use env var IPA_CONFDIR to get confdir for 'cli' context In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/182 Title: #182: Use env var IPA_CONFDIR to get confdir for 'cli' context Label: -ack From mkubik at redhat.com Thu Nov 10 08:38:04 2016 
From: mkubik at redhat.com (Milan Kubík) Date: Thu, 10 Nov 2016 09:38:04 +0100 Subject: [Freeipa-devel] [Test][Patch-0047] Added a test for Ticket N 5964 In-Reply-To: <6cb87374-7c34-47f7-8ba1-0b8f241b9af0@redhat.com> References: <5762BBDD.4010502@redhat.com> <5763AA17.60207@redhat.com> <5763C073.5020503@redhat.com> <577113B2.1080904@redhat.com> <8ada929c-ebff-b8ce-6f1f-ae65fb8b1ba2@redhat.com> <577FAD77.7080504@redhat.com> <9149be7c-ee3d-42e5-16fb-fd0c0f351bb8@redhat.com> <57A1E76F.9@redhat.com> <478f33da-10d4-0994-e588-b28ca002b3b4@redhat.com> <36a2eba5-a03d-131e-0042-46f0d4f0299a@redhat.com> <80d2ccd8-8e1b-52a7-df76-087c72f21a12@redhat.com> <8caa3b3a-54a6-e168-6304-09ce8fb60a7f@redhat.com> <5b666684-ada4-8721-0671-a6a0424e115b@redhat.com> <847c5b3d-f43b-7381-a8a2-2fcacc343afc@redhat.com> <72c34ab8-5076-0d70-73dd-f6143ac62569@redhat.com> <6cb87374-7c34-47f7-8ba1-0b8f241b9af0@redhat.com> Message-ID: <2deed6db-92df-867a-b03d-862df369ee8d@redhat.com> On 11/09/2016 04:37 PM, Milan Kubík wrote: > On 11/09/2016 04:34 PM, Milan Kubík wrote: >> On 11/03/2016 04:56 PM, Oleg Fayans wrote: >>> Hi Martin, >>> >>> The commit message was updated with the correct ticket link >>> Thanks for review! >>> >>> On 11/03/2016 04:22 PM, Martin Basti wrote: >>>> almost ACK, but the ticket in commit message is closed as invalid. So >>>> I'm quite puzzled now what to do. >>>> >>>> >>>> On 03.11.2016 13:28, Oleg Fayans wrote: >>>>> ping for review >>>>> >>>>> On 10/19/2016 04:54 PM, Oleg Fayans wrote: >>>>>> Hi Martin, >>>>>> >>>>>> Thanks for the review. Fixed both issues. >>>>>> >>>>>> $ ipa-run-tests test_integration/test_topology.py -k >>>>>> TestCASpecificRUVs >>>>>> WARNING: Couldn't write lextab module 'pycparser.lextab'. [Errno 13] >>>>>> Permission denied: 'lextab.py' >>>>>> WARNING: yacc table file version is out of date >>>>>> WARNING: Couldn't create 'pycparser.yacctab'. 
[Errno 13] Permission >>>>>> denied: 'yacctab.py' >>>>>> ==================================================================================== >>>>>> >>>>>> >>>>>> test session starts >>>>>> ===================================================================================== >>>>>> >>>>>> >>>>>> >>>>>> platform linux2 -- Python 2.7.11, pytest-2.9.2, py-1.4.31, >>>>>> pluggy-0.3.1 >>>>>> rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: >>>>>> pytest.ini >>>>>> plugins: sourceorder-0.5, multihost-1.0 >>>>>> collected 5 items >>>>>> >>>>>> test_integration/test_topology.py .. >>>>>> >>>>>> ================================================================================ >>>>>> >>>>>> >>>>>> 2 passed in 2444.84 seconds >>>>>> ================================================================================= >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> On 10/17/2016 07:05 PM, Martin Basti wrote: >>>>>>> 1) >>>>>>> >>>>>>> you don't need to disable/enable dirsrv, just stop/start. Please >>>>>>> remove >>>>>>> disable/enable parts >>>>>>> >>>>>>> >>>>>>> 2) >>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>> traceback >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>> >>>>>>> >>>>>>> self = >>>>>> object at 0x7f6a502eec90> >>>>>>> >>>>>>> def test_delete_ruvs(self): >>>>>>> """ >>>>>>> http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/ >>>>>>> Test_Plan#Test_case:_clean-ruv_subcommand >>>>>>> """ >>>>>>> replica = self.replicas[0] >>>>>>> master = self.master >>>>>>> res1 = master.run_command(['ipa-replica-manage', >>>>>>> 'list-ruv', >>>>>>> '-p', >>>>>>> master.config.dirman_password]) >>>>>>>> assert(res1.stdout_text.count(replica.hostname) == 2 and >>>>>>> "Certificate Server Replica Update Vectors" in >>>>>>> res1), ( >>>>>>> "CA-specific RUVs are not displayed") >>>>>>> E TypeError: argument of type 'SSHCommand' 
is not iterable >>>>>>> >>>>>>> test_integration/test_topology.py:215: TypeError >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>> entering PDB >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>> >>>>>>>> >>>>>>> /usr/lib/python2.7/site-packages/ipatests/test_integration/test_topology.py(215)test_delete_ruvs() >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> -> assert(res1.stdout_text.count(replica.hostname) == 2 and >>>>>>> >>>>>>> >>>>>>> >>>>>>> On 14.10.2016 11:36, Oleg Fayans wrote: >>>>>>>> Right you are! I am sorry. >>>>>>>> >>>>>>>> On 10/13/2016 06:10 PM, Martin Basti wrote: >>>>>>>>> I think that you forgot to squash commits. Patch 47 doesn't apply >>>>>>>>> >>>>>>>>> >>>>>>>>> On 13.10.2016 14:01, Oleg Fayans wrote: >>>>>>>>>> Hi Martin, >>>>>>>>>> >>>>>>>>>> Thanks for the review. >>>>>>>>>> With disabling directory server it works as well, thanks for the >>>>>>>>>> hint. >>>>>>>>>> Also I moved the cleanup logic to the test itself for the >>>>>>>>>> sake of >>>>>>>>>> simplicity. Patch-0048 was not changed >>>>>>>>>> >>>>>>>>>> On 10/12/2016 02:35 PM, Martin Basti wrote: >>>>>>>>>>> 1) >>>>>>>>>>> >>>>>>>>>>> Can you just turn off dirsrv on replica instead of doing >>>>>>>>>>> iptables >>>>>>>>>>> magic? >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> 2) NACK >>>>>>>>>>> >>>>>>>>>>> No more eval() ever in code, use 'getattr', 'get' or >>>>>>>>>>> whatever in >>>>>>>>>>> the >>>>>>>>>>> object that can be used. >>>>>>>>>>> >>>>>>>>>>> + evalhost = eval("args[0].%s" % host) >>>>>>>>>>> >>>>>>>>>>> Martin^2 >>>>>>>>>>> >>>>>>>>>>> On 12.10.2016 14:03, Oleg Fayans wrote: >>>>>>>>>>>> Hi Martin, >>>>>>>>>>>> >>>>>>>>>>>> After extensive discussion with Ludwig, I finally got the >>>>>>>>>>>> clue on >>>>>>>>>>>> how >>>>>>>>>>>> does this feature work. 
When we uninstall the replica, the >>>>>>>>>>>> master >>>>>>>>>>>> cleans the replication agreements with this replica and >>>>>>>>>>>> automatically >>>>>>>>>>>> cleans all replica's RUVs. >>>>>>>>>>>> If we clean replica's RUVs on master without uninstalling the >>>>>>>>>>>> replica, >>>>>>>>>>>> the replica's RUVs get recreated on master (replication >>>>>>>>>>>> works!). So, >>>>>>>>>>>> the only way to test the clean-ruv subcommand is to turn >>>>>>>>>>>> off the >>>>>>>>>>>> replica, or block the traffic on it so it gets inaccessible to >>>>>>>>>>>> updates >>>>>>>>>>>> from master. >>>>>>>>>>>> The testcases were updated, see [1] and [2] >>>>>>>>>>>> >>>>>>>>>>>> The updated versions of the patches are attached >>>>>>>>>>>> >>>>>>>>>>>> [1] >>>>>>>>>>>> http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan#Test_case:_.2A-ruv_subcommands_of_ipa-replica-manage_are_extended_to_handle_CA-specific_RUVs >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> [2] >>>>>>>>>>>> http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan#Test_case:_clean-ruv_subcommand >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> On 08/05/2016 06:36 PM, Martin Basti wrote: >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> On 03.08.2016 14:45, Oleg Fayans wrote: >>>>>>>>>>>>>> Hi Martin, >>>>>>>>>>>>>> >>>>>>>>>>>>>> Thanks for the review! Both patches were updated. >>>>>>>>>>>>>> >>>>>>>>>>>>>> On 07/28/2016 04:11 PM, Martin Basti wrote: >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> On 08.07.2016 15:41, Oleg Fayans wrote: >>>>>>>>>>>>>>>> Hi Martin, >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Thanks for the review! 
>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> On 07/08/2016 02:18 PM, Martin Basti wrote: >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> On 27.06.2016 13:53, Oleg Fayans wrote: >>>>>>>>>>>>>>>>>> Hi guys, >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> Is there a chance the patches NN 0047.1 and 0048.1 get >>>>>>>>>>>>>>>>>> reviewed >>>>>>>>>>>>>>>>>> before >>>>>>>>>>>>>>>>>> 4.4 release? They cover a good part of the Managed >>>>>>>>>>>>>>>>>> Topology >>>>>>>>>>>>>>>>>> 4.4 >>>>>>>>>>>>>>>>>> feature. >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> On 06/17/2016 11:18 AM, Oleg Fayans wrote: >>>>>>>>>>>>>>>>>>> One more test was added to the patch-0048 >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> On 06/17/2016 09:43 AM, Oleg Fayans wrote: >>>>>>>>>>>>>>>>>>>> Fixed a bug in the previous patch, automated 2 more >>>>>>>>>>>>>>>>>>>> testcases >>>>>>>>>>>>>>>>>>>> from >>>>>>>>>>>>>>>>>>>> http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> On 06/16/2016 04:46 PM, Oleg Fayans wrote: >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> IIUC, this will turn off the machine completely, how is >>>>>>>>>>>>>>>>> cleanup >>>>>>>>>>>>>>>>> done >>>>>>>>>>>>>>>>> then. AFAIK our tests cannot turn on machine again >>>>>>>>>>>>>>>>> and run >>>>>>>>>>>>>>>>> cleanup, so >>>>>>>>>>>>>>>>> you will not be able to run more tests on the same >>>>>>>>>>>>>>>>> topology >>>>>>>>>>>>>>>>> without >>>>>>>>>>>>>>>>> manual cleanup and manual start. 
>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> + replica = self.replicas[0] >>>>>>>>>>>>>>>>> + replica.run_command(['poweroff']) >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> IMO would be better to just call 'ipactl stop' instead of >>>>>>>>>>>>>>>>> 'poweroff' >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Agreed! Fixed. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Martin^2 >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>> *Automated ipa-replica-manage del tests* >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> 1) >>>>>>>>>>>>>>> + replica.run_command(['ipactl', 'stop']) >>>>>>>>>>>>>>> + time.sleep(3) >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Why do you need sleep here? >>>>>>>>>>>>>> >>>>>>>>>>>>>> Removed, it was left from the old "poweroff" approach >>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> 2) >>>>>>>>>>>>>>> + ruvid_re = re.compile(".*%s:389: (\d+).*" % >>>>>>>>>>>>>>> replica.hostname) >>>>>>>>>>>>>>> + replica_ruvs = >>>>>>>>>>>>>>> ruvid_re.findall(result.stdout_text) >>>>>>>>>>>>>>> + master.run_command(['ipa-replica-manage', 'clean-ruv', >>>>>>>>>>>>>>> 'f', >>>>>>>>>>>>>>> + '-p', >>>>>>>>>>>>>>> master.config.dirman_password, >>>>>>>>>>>>>>> + replica_ruvs[0]]) >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Because you are using re.findall(), without any match >>>>>>>>>>>>>>> you will >>>>>>>>>>>>>>> receive >>>>>>>>>>>>>>> IndexError here replica_ruvs[0]. IMO it deserves assert >>>>>>>>>>>>>>> before >>>>>>>>>>>>>> >>>>>>>>>>>>>> Implemented the assert which checks that the output contains >>>>>>>>>>>>>> enough >>>>>>>>>>>>>> replica RUVs >>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> 3) >>>>>>>>>>>>>>> assert(replica.hostname in result1.stdout_text) >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> I think that this is error prone. What if there is just >>>>>>>>>>>>>>> error >>>>>>>>>>>>>>> 'could not >>>>>>>>>>>>>>> connect to replica ', or something >>>>>>>>>>>>>>> similar. >>>>>>>>>>>>>>> instead of >>>>>>>>>>>>>>> listing/cleaning/whatever operation was executed. 
I think >>>>>>>>>>>>>>> that it >>>>>>>>>>>>>>> should >>>>>>>>>>>>>>> be more specific regexp than just finding a replica name >>>>>>>>>>>>>>> substring >>>>>>>>>>>>>>> (Yes >>>>>>>>>>>>>>> In IPA we dont always print error so stderr) >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> I'm not sure, but probably there might be cases when non >>>>>>>>>>>>>>> critical >>>>>>>>>>>>>>> error >>>>>>>>>>>>>>> happen and exist status is still 0 >>>>>>>>>>>>>> >>>>>>>>>>>>>> Agree. Implemented a regex-based search >>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> 4) >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> + replica.run_command(['poweroff']) >>>>>>>>>>>>>>> + time.sleep(3) >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> There should not be poweroff, probably sleep could be >>>>>>>>>>>>>>> removed >>>>>>>>>>>>>>> too. >>>>>>>>>>>>>> >>>>>>>>>>>>>> Gone >>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> * Automated clean-ruv subcommand test* >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> 1) PEP8, 2 new lines expected >>>>>>>>>>>>>>> ./ipatests/test_integration/test_topology.py:163:1: E302 >>>>>>>>>>>>>>> expected 2 >>>>>>>>>>>>>>> blank lines, found 0 >>>>>>>>>>>>>>> ./ipatests/test_integration/test_topology.py:182:80: >>>>>>>>>>>>>>> E501 line >>>>>>>>>>>>>>> too >>>>>>>>>>>>>>> long >>>>>>>>>>>>>>> (85 > 79 characters) >>>>>>>>>>>>>> >>>>>>>>>>>>>> Fixed >>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> 2) >>>>>>>>>>>>>>> I dont like doing assert just with count of occurences of >>>>>>>>>>>>>>> substring in >>>>>>>>>>>>>>> STDOUT, would be possible to improve this somehow? >>>>>>>>>>>>>> >>>>>>>>>>>>>> Maybe, but frankly, I don't see how. In this case we are >>>>>>>>>>>>>> making >>>>>>>>>>>>>> sure >>>>>>>>>>>>>> that both simple and CA-specific RUVs of a replica are >>>>>>>>>>>>>> displayed. 
The >>>>>>>>>>>>>> format of the output is strict: >>>>>>>>>>>>>> Replica Update Vectors: >>>>>>>>>>>>>> replica1_hostname:389: RUV_id >>>>>>>>>>>>>> replica2_hostname:389: RUV_id >>>>>>>>>>>>>> Certificate Server Replica Update Vectors: >>>>>>>>>>>>>> replica1_hostname:389: RUV_id >>>>>>>>>>>>>> replica2_hostname:389: RUV_id >>>>>>>>>>>>>> If we do not see 2 occurrences of the replica hostname than >>>>>>>>>>>>>> definitely >>>>>>>>>>>>>> something went wrong >>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> 3) >>>>>>>>>>>>>>> I'm not sure if clean-ruv is instant operations or there is >>>>>>>>>>>>>>> some >>>>>>>>>>>>>>> magic >>>>>>>>>>>>>>> happening in background (we have abort-clean-ruv). Maybe >>>>>>>>>>>>>>> some >>>>>>>>>>>>>>> sleep >>>>>>>>>>>>>>> should be there, but this needs investigation. >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> + assert(replica.hostname in result2.stdout_text), ( >>>>>>>>>>>>>>> + "The wrong RUV was deleted") >>>>>>>>>>>>>>> + result3 = >>>>>>>>>>>>>>> master.run_command(['ipa-replica-manage', >>>>>>>>>>>>>>> 'list-ruv', >>>>>>>>>>>>>>> + '-p', >>>>>>>>>>>>>>> master.config.dirman_password]) >>>>>>>>>>>>>>> + assert(result3.stdout_text.count(replica.hostname) == >>>>>>>>>>>>>>> 1), ( >>>>>>>>>>>>>>> + "CA RUV of the replica is still displayed") >>>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> Based on my discussion with Stanislav Laznicka, I understood >>>>>>>>>>>>>> that by >>>>>>>>>>>>>> default clean-ruv does not return the shell until the >>>>>>>>>>>>>> operation is >>>>>>>>>>>>>> finished. 
You can force dropping into the shell by pressing >>>>>>>>>>>>>> CTRL+C, in >>>>>>>>>>>>>> which case the background job will still be running, but >>>>>>>>>>>>>> this is >>>>>>>>>>>>>> not >>>>>>>>>>>>>> the default behavior >>>>>>>>>>>>>> >>>>>>>>>>>>> Test failed: >>>>>>>>>>>>> result4 = master.run_command(['ipa-replica-manage', >>>>>>>>>>>>> 'list-ruv', >>>>>>>>>>>>> '-p', >>>>>>>>>>>>> master.config.dirman_password]) >>>>>>>>>>>>>> assert(replica.hostname not in result4.stdout_text), ( >>>>>>>>>>>>> "replica's RUV is still displayed") >>>>>>>>>>>>> E AssertionError: replica's RUV is still displayed >>>>>>>>>>>>> E assert 'replica3.ipa.test' not in 'Replica Update >>>>>>>>>>>>> V...ipa.test:389: 8\n' >>>>>>>>>>>>> E 'replica3.ipa.test' is contained here: >>>>>>>>>>>>> E Replica Update Vectors: >>>>>>>>>>>>> E \tmaster.ipa.test:389: 4 >>>>>>>>>>>>> E \treplica3.ipa.test:389: 3 >>>>>>>>>>>>> E \treplica2.ipa.test:389: 7 >>>>>>>>>>>>> E Certificate Server Replica Update Vectors: >>>>>>>>>>>>> E \tmaster.ipa.test:389: 6 >>>>>>>>>>>>> E \treplica2.ipa.test:389: 8 >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> [root at master ~]# ipa topologysegment-find >>>>>>>>>>>>> Suffix name: domain >>>>>>>>>>>>> ------------------ >>>>>>>>>>>>> 2 segments matched >>>>>>>>>>>>> ------------------ >>>>>>>>>>>>> Segment name: master.ipa.test-to-replica2.ipa.test >>>>>>>>>>>>> Left node: master.ipa.test >>>>>>>>>>>>> Right node: replica2.ipa.test >>>>>>>>>>>>> Connectivity: both >>>>>>>>>>>>> >>>>>>>>>>>>> Segment name: master.ipa.test-to-replica3.ipa.test >>>>>>>>>>>>> Left node: master.ipa.test >>>>>>>>>>>>> Right node: replica3.ipa.test >>>>>>>>>>>>> Connectivity: both >>>>>>>>>>>>> ---------------------------- >>>>>>>>>>>>> Number of entries returned 2 >>>>>>>>>>>>> ---------------------------- >>>>>>>>>>>>> [root at master ~]# ipa-replica-manage list-ruv >>>>>>>>>>>>> Directory Manager password: >>>>>>>>>>>>> >>>>>>>>>>>>> Replica Update Vectors: >>>>>>>>>>>>> master.ipa.test:389: 
4 >>>>>>>>>>>>> replica2.ipa.test:389: 7 >>>>>>>>>>>>> replica3.ipa.test:389: 3 >>>>>>>>>>>>> Certificate Server Replica Update Vectors: >>>>>>>>>>>>> master.ipa.test:389: 6 >>>>>>>>>>>>> replica2.ipa.test:389: 8 >>>>>>>>>>>>> [root at master ~]# >>>>>>>>>>>>> >>>>>>>>>>>>> Then I tried manually to clean RUV 3, and it behaves >>>>>>>>>>>>> somehow odd >>>>>>>>>>>>> >>>>>>>>>>>>> [root at master ~]# 'ipa-replica-manage' 'clean-ruv' '3' '-p' >>>>>>>>>>>>> 'Secret123' '-f' >>>>>>>>>>>>> Clean the Replication Update Vector for replica3.ipa.test:389 >>>>>>>>>>>>> Background task created to clean replication data. This may >>>>>>>>>>>>> take a >>>>>>>>>>>>> while. >>>>>>>>>>>>> This may be safely interrupted with Ctrl+C >>>>>>>>>>>>> Cleanup task created >>>>>>>>>>>>> [root at master ~]# less /var/log/dirsrv/slapd-IPA-TEST/errors >>>>>>>>>>>>> [root at master ~]# ipa-replica-manage list-ruv >>>>>>>>>>>>> Directory Manager password: >>>>>>>>>>>>> >>>>>>>>>>>>> Replica Update Vectors: >>>>>>>>>>>>> master.ipa.test:389: 4 >>>>>>>>>>>>> replica2.ipa.test:389: 7 >>>>>>>>>>>>> replica3.ipa.test:389: 3 >>>>>>>>>>>>> Certificate Server Replica Update Vectors: >>>>>>>>>>>>> master.ipa.test:389: 6 >>>>>>>>>>>>> replica2.ipa.test:389: 8 >>>>>>>>>>>>> [root at master ~]# 'ipa-replica-manage' 'clean-ruv' '3' '-p' >>>>>>>>>>>>> 'Secret123' '-f' >>>>>>>>>>>>> Clean the Replication Update Vector for replica3.ipa.test:389 >>>>>>>>>>>>> CLEANALLRUV task for replica id 3 already exists. 
>>>>>>>>>>>>> This may be safely interrupted with Ctrl+C >>>>>>>>>>>>> Cleanup task created >>>>>>>>>>>>> >>>>>>>>>>>>> [root at master ~]# ipa-replica-manage list-clean-ruv -p >>>>>>>>>>>>> Secret123 >>>>>>>>>>>>> No CLEANALLRUV tasks running >>>>>>>>>>>>> >>>>>>>>>>>>> No abort CLEANALLRUV tasks running >>>>>>>>>>>>> [root at master ~]# 'ipa-replica-manage' 'clean-ruv' '3' '-p' >>>>>>>>>>>>> 'Secret123' '-f' >>>>>>>>>>>>> Clean the Replication Update Vector for replica3.ipa.test:389 >>>>>>>>>>>>> Background task created to clean replication data. This may >>>>>>>>>>>>> take a >>>>>>>>>>>>> while. >>>>>>>>>>>>> This may be safely interrupted with Ctrl+C >>>>>>>>>>>>> Cleanup task created >>>>>>>>>>>>> [root at master ~]# ipa-replica-manage list-clean-ruv -p >>>>>>>>>>>>> Secret123 >>>>>>>>>>>>> CLEANALLRUV tasks >>>>>>>>>>>>> RID 3: Successfully cleaned rid(3). >>>>>>>>>>>>> >>>>>>>>>>>>> No abort CLEANALLRUV tasks running >>>>>>>>>>>>> [root at master ~]# ipa-replica-manage list-ruv -p Secret123 >>>>>>>>>>>>> Replica Update Vectors: >>>>>>>>>>>>> master.ipa.test:389: 4 >>>>>>>>>>>>> replica2.ipa.test:389: 7 >>>>>>>>>>>>> Certificate Server Replica Update Vectors: >>>>>>>>>>>>> master.ipa.test:389: 6 >>>>>>>>>>>>> replica2.ipa.test:389: 8 >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> I'm not sure if this behavior is right, Ludwig may know. >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>>> >>>>>> >>>>>> >>>>>> >>>>> >>>> >>> >>> >>> >> >> ACK >> > On the other hand, make it a conditional one. The link in the comment > does not work. Please fix that. >> >> -- >> Milan Kubik >> >> > > > -- > Milan Kubik > > After offline discussion and some clarification, the comment is right. ACK -- Milan Kubik -------------- next part -------------- An HTML attachment was scrubbed... URL: From mbasti at redhat.com Thu Nov 10 08:43:44 2016 
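The review comments in the thread above object to asserting on a bare hostname substring or substring count in `ipa-replica-manage list-ruv` output, and to indexing `findall()` results without a check. The following is an added example, not code from the FreeIPA patches: it parses the output per section, and the function names and the constructed error line are assumptions made for illustration.

```python
import re

DOMAIN_HEADER = "Replica Update Vectors:"
CA_HEADER = "Certificate Server Replica Update Vectors:"
# One entry per line: "<hostname>:<port>: <replica id>"
ENTRY_RE = re.compile(
    r"^\s*(?P<host>[A-Za-z0-9.-]+):(?P<port>\d+):\s*(?P<rid>\d+)\s*$")

# Transcribed from the list-ruv output quoted in the thread (before cleaning).
OUTPUT_BEFORE = (
    "Directory Manager password:\n"
    "\n"
    "Replica Update Vectors:\n"
    "\tmaster.ipa.test:389: 4\n"
    "\treplica2.ipa.test:389: 7\n"
    "\treplica3.ipa.test:389: 3\n"
    "Certificate Server Replica Update Vectors:\n"
    "\tmaster.ipa.test:389: 6\n"
    "\treplica2.ipa.test:389: 8\n"
)

# Transcribed from the thread: output after replica ID 3 was cleaned.
OUTPUT_AFTER = (
    "Replica Update Vectors:\n"
    "\tmaster.ipa.test:389: 4\n"
    "\treplica2.ipa.test:389: 7\n"
    "Certificate Server Replica Update Vectors:\n"
    "\tmaster.ipa.test:389: 6\n"
    "\treplica2.ipa.test:389: 8\n"
)

# Constructed sample: an error message that still mentions the hostname.
CONSTRUCTED_ERROR = "Could not connect to replica replica3.ipa.test\n"


def parse_list_ruv(stdout_text):
    """Return {"domain": {host: [rid, ...]}, "ca": {host: [rid, ...]}}.

    Only well-formed entry lines that follow a section header are counted,
    so prompts and error messages never look like a RUV.
    """
    ruvs = {"domain": {}, "ca": {}}
    section = None
    for line in stdout_text.splitlines():
        stripped = line.strip()
        if stripped == DOMAIN_HEADER:
            section = "domain"
        elif stripped == CA_HEADER:
            section = "ca"
        else:
            match = ENTRY_RE.match(line)
            if match and section is not None:
                rid = int(match.group("rid"))
                ruvs[section].setdefault(match.group("host"), []).append(rid)
    return ruvs


def has_ruv(ruvs, suffix, hostname):
    """True if hostname has at least one RUV in the given suffix section."""
    return hostname in ruvs[suffix]


def replica_rid(ruvs, suffix, hostname):
    """Return the single replica ID for hostname, or raise ValueError.

    This replaces indexing findall()[0], which fails with an unhelpful
    IndexError when the expected entry is missing.
    """
    rids = ruvs[suffix].get(hostname, [])
    if len(rids) != 1:
        raise ValueError("expected exactly one %s RUV for %s, found %r"
                         % (suffix, hostname, rids))
    return rids[0]


if __name__ == "__main__":
    before = parse_list_ruv(OUTPUT_BEFORE)
    print("rid to clean:", replica_rid(before, "domain", "replica3.ipa.test"))
    after = parse_list_ruv(OUTPUT_AFTER)
    print("still listed:", has_ruv(after, "domain", "replica3.ipa.test"))
    # The substring check passes on an error message; the parser does not.
    print("substring hit:", "replica3.ipa.test" in CONSTRUCTED_ERROR)
    print("parsed RUVs:", parse_list_ruv(CONSTRUCTED_ERROR))
```
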
From: mbasti at redhat.com (Martin Basti) Date: Thu, 10 Nov 2016 09:43:44 +0100 Subject: [Freeipa-devel] [Test][Patch-0047] Added a test for Ticket N 5964 In-Reply-To: <2deed6db-92df-867a-b03d-862df369ee8d@redhat.com> References: <5762BBDD.4010502@redhat.com> <5763AA17.60207@redhat.com> <5763C073.5020503@redhat.com> <577113B2.1080904@redhat.com> <8ada929c-ebff-b8ce-6f1f-ae65fb8b1ba2@redhat.com> <577FAD77.7080504@redhat.com> <9149be7c-ee3d-42e5-16fb-fd0c0f351bb8@redhat.com> <57A1E76F.9@redhat.com> <478f33da-10d4-0994-e588-b28ca002b3b4@redhat.com> <36a2eba5-a03d-131e-0042-46f0d4f0299a@redhat.com> <80d2ccd8-8e1b-52a7-df76-087c72f21a12@redhat.com> <8caa3b3a-54a6-e168-6304-09ce8fb60a7f@redhat.com> <5b666684-ada4-8721-0671-a6a0424e115b@redhat.com> <847c5b3d-f43b-7381-a8a2-2fcacc343afc@redhat.com> <72c34ab8-5076-0d70-73dd-f6143ac62569@redhat.com> <6cb87374-7c34-47f7-8ba1-0b8f241b9af0@redhat.com> <2deed6db-92df-867a-b03d-862df369ee8d@redhat.com> Message-ID: <417e7796-c017-cf0a-be6c-e1e0b9d4ac90@redhat.com> >>> ACK >>> >> On the other hand, make it a conditional one. The link in the comment >> does not work. Please fix that. >>> >>> -- >>> Milan Kubik >>> >>> >> >> >> -- >> Milan Kubik >> >> > After offline discussion and some clarification, the comment is right. ACK > > -- > Milan Kubik Because patches are scattered over this thread, am I right that those versions should be pushed? freeipa-ofayans-0047.7-Automated-clean-ruv-subcommand-tests.patch freeipa-ofayans-0048.4-Automated-ipa-replica-manage-del-tests.patch Martin^2 -------------- next part -------------- An HTML attachment was scrubbed... URL: From freeipa-github-notification at redhat.com Thu Nov 10 08:59:22 2016 
From: freeipa-github-notification at redhat.com (jcholast) Date: Thu, 10 Nov 2016 09:59:22 +0100 Subject: [Freeipa-devel] [freeipa PR#182][comment] Use env var IPA_CONFDIR to get confdir for 'cli' context In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/182 Title: #182: Use env var IPA_CONFDIR to get confdir for 'cli' context jcholast commented: """ @tiran, setting `confdir` explicitly is not a hack, but the proper way to set the config directory path and there is nothing that makes the environment variable better as an API for integrators. I would argue that it's actually worse, because it is implicit and optimized towards the less common usage (everyone who wants to use the default path has to unset the variable now to make sure that's what they actually get), and while some software does indeed allow changing configuration using environment variables, there is other software (such as GNU grep) which is actually deprecating this way of changing configuration. If majority of people think it is a good idea, I won't push back, but NACK on respecting the variable only in specific contexts. """ See the full comment at https://github.com/freeipa/freeipa/pull/182#issuecomment-259635859 From freeipa-github-notification at redhat.com Thu Nov 10 09:00:21 2016 
From: freeipa-github-notification at redhat.com (jcholast) Date: Thu, 10 Nov 2016 10:00:21 +0100 Subject: [Freeipa-devel] [freeipa PR#182][comment] Use env var IPA_CONFDIR to get confdir for 'cli' context In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/182 Title: #182: Use env var IPA_CONFDIR to get confdir for 'cli' context jcholast commented: """ @tiran, setting `confdir` explicitly is not a hack, but the proper way to set the config directory path and there is nothing that makes the environment variable better as an API for integrators. I would argue that it's actually worse, because it is implicit and optimized towards the less common usage (everyone who wants to use the default path has to unset the variable now to make sure that's what they actually get), and while some software does indeed allow changing configuration using environment variables, there is other software (such as GNU grep) which is actually deprecating this way of changing configuration. If majority of people think it is a good idea, I won't push back, but NACK on respecting the variable only in certain contexts. """ See the full comment at https://github.com/freeipa/freeipa/pull/182#issuecomment-259635859 From ofayans at redhat.com Thu Nov 10 09:06:32 2016 
From: ofayans at redhat.com (Oleg Fayans) Date: Thu, 10 Nov 2016 10:06:32 +0100 Subject: [Freeipa-devel] [Test][Patch-0047] Added a test for Ticket N 5964 In-Reply-To: <417e7796-c017-cf0a-be6c-e1e0b9d4ac90@redhat.com> References: <5762BBDD.4010502@redhat.com> <577113B2.1080904@redhat.com> <8ada929c-ebff-b8ce-6f1f-ae65fb8b1ba2@redhat.com> <577FAD77.7080504@redhat.com> <9149be7c-ee3d-42e5-16fb-fd0c0f351bb8@redhat.com> <57A1E76F.9@redhat.com> <478f33da-10d4-0994-e588-b28ca002b3b4@redhat.com> <36a2eba5-a03d-131e-0042-46f0d4f0299a@redhat.com> <80d2ccd8-8e1b-52a7-df76-087c72f21a12@redhat.com> <8caa3b3a-54a6-e168-6304-09ce8fb60a7f@redhat.com> <5b666684-ada4-8721-0671-a6a0424e115b@redhat.com> <847c5b3d-f43b-7381-a8a2-2fcacc343afc@redhat.com> <72c34ab8-5076-0d70-73dd-f6143ac62569@redhat.com> <6cb87374-7c34-47f7-8ba1-0b8f241b9af0@redhat.com> <2deed6db-92df-867a-b03d-862df369ee8d@redhat.com> <417e7796-c017-cf0a-be6c-e1e0b9d4ac90@redhat.com> Message-ID: <8429464f-c6e2-5152-1bef-2188e1478f76@redhat.com> On 11/10/2016 09:43 AM, Martin Basti wrote: > > >>>> ACK >>>> >>> On the other hand, make it a conditional one. The link in the comment >>> does not work. Please fix that. >>>> >>>> -- >>>> Milan Kubik >>>> >>>> >>> >>> >>> -- >>> Milan Kubik >>> >>> >> After offline discussion and some clarification, the comment is right. ACK >> >> -- >> Milan Kubik > > Because patches are scattered over this thread, am I right that those > versions should be pushed? > > freeipa-ofayans-0047.7-Automated-clean-ruv-subcommand-tests.patch > freeipa-ofayans-0048.4-Automated-ipa-replica-manage-del-tests.patch Precisely! > > Martin^2 -- Oleg Fayans Quality Engineer FreeIPA team RedHat. From freeipa-github-notification at redhat.com Thu Nov 10 09:17:40 2016 
From: freeipa-github-notification at redhat.com (Akasurde) Date: Thu, 10 Nov 2016 10:17:40 +0100 Subject: [Freeipa-devel] [freeipa PR#209][comment] Enumerate available options in IPA installer In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/209 Title: #209: Enumerate available options in IPA installer Akasurde commented: """ ping """ See the full comment at https://github.com/freeipa/freeipa/pull/209#issuecomment-259639629 From freeipa-github-notification at redhat.com Thu Nov 10 09:21:32 2016 From: freeipa-github-notification at redhat.com (dkupka) Date: Thu, 10 Nov 2016 10:21:32 +0100 Subject: [Freeipa-devel] [freeipa PR#217][+ack] change certificate processing code to use python-cryptography In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/217 Title: #217: change certificate processing code to use python-cryptography Label: +ack From freeipa-github-notification at redhat.com Thu Nov 10 09:22:18 2016 From: freeipa-github-notification at redhat.com (dkupka) Date: Thu, 10 Nov 2016 10:22:18 +0100 Subject: [Freeipa-devel] [freeipa PR#217][+pushed] change certificate processing code to use python-cryptography In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/217 Title: #217: change certificate processing code to use python-cryptography Label: +pushed From freeipa-github-notification at redhat.com Thu Nov 10 09:22:20 2016 
From: freeipa-github-notification at redhat.com (dkupka) Date: Thu, 10 Nov 2016 10:22:20 +0100 Subject: [Freeipa-devel] [freeipa PR#217][comment] change certificate processing code to use python-cryptography In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/217 Title: #217: change certificate processing code to use python-cryptography dkupka commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/9522970bfa28900abc90e959de483f59c79a3e5f https://fedorahosted.org/freeipa/changeset/66637f766dd0ddc50888013962be2294fd8d0e9a https://fedorahosted.org/freeipa/changeset/85487281cdc09720f6a0385ebb7157742d762a0c https://fedorahosted.org/freeipa/changeset/44c2d685f01eb4c03e4659125e41d73b8be47c19 https://fedorahosted.org/freeipa/changeset/c57dc890b2bf447ab575f2e91249179bce3f05d5 https://fedorahosted.org/freeipa/changeset/db116f73fe5fc199bb2e28103cf5e3e2a24eab4c https://fedorahosted.org/freeipa/changeset/b0430b67dc90fddf1e35fde9a0cf2977a07d7cbd """ See the full comment at https://github.com/freeipa/freeipa/pull/217#issuecomment-259640577 From freeipa-github-notification at redhat.com Thu Nov 10 09:22:21 2016 From: freeipa-github-notification at redhat.com (dkupka) Date: Thu, 10 Nov 2016 10:22:21 +0100 Subject: [Freeipa-devel] [freeipa PR#217][closed] change certificate processing code to use python-cryptography In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/217 Author: frasertweedale Title: #217: change certificate processing code to use python-cryptography Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/217/head:pr217 git checkout pr217 From freeipa-github-notification at redhat.com Thu Nov 10 09:44:55 2016 
From: freeipa-github-notification at redhat.com (ofayans) Date: Thu, 10 Nov 2016 10:44:55 +0100 Subject: [Freeipa-devel] [freeipa PR#224][opened] Integration tests for certs in idoverrides Message-ID: URL: https://github.com/freeipa/freeipa/pull/224 Author: ofayans Title: #224: Integration tests for certs in idoverrides Action: opened PR body: """ Original mailing list thread: https://www.redhat.com/archives/freeipa-devel/2016-September/msg00134.html """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/224/head:pr224 git checkout pr224 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-224.patch Type: text/x-diff Size: 8992 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Nov 10 09:47:33 2016 From: freeipa-github-notification at redhat.com (ofayans) Date: Thu, 10 Nov 2016 10:47:33 +0100 Subject: [Freeipa-devel] [freeipa PR#225][opened] tests: Added basic tests for certs in idoverrides Message-ID: URL: https://github.com/freeipa/freeipa/pull/225 Author: ofayans Title: #225: tests: Added basic tests for certs in idoverrides Action: opened PR body: """ https://fedorahosted.org/freeipa/ticket/6412 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/225/head:pr225 git checkout pr225 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-225.patch Type: text/x-diff Size: 4274 bytes Desc: not available URL: From ofayans at redhat.com Thu Nov 10 09:49:22 2016 
From: ofayans at redhat.com (Oleg Fayans) Date: Thu, 10 Nov 2016 10:49:22 +0100 Subject: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test In-Reply-To: <1d11dfa3-eb74-6ca2-1dfa-e65000d92b82@redhat.com> References: <57A07FE4.8000904@redhat.com> <2b0ed7fe-f0bc-7137-bdc1-b0758ffe9cd6@redhat.com> <20160914154119.mkk2ma7tvks55xsu@redhat.com> <97eaa313-e889-cd4a-e900-9e88596577a0@redhat.com> <20160914155320.iowrijrq3z62evoo@redhat.com> <1af52e6c-c24b-d58b-ccf5-a85c5c290e0c@redhat.com> <20160914165348.GE2761@p.Speedport_W_724V_Typ_A_05011603_00_009> <59763ea7-2ab5-bdc2-72c1-489a462f78ef@redhat.com> <6089c103-ab56-62f7-971c-a41710eee22f@redhat.com> <1d744d16-75de-2bdc-5892-b3c36a305581@redhat.com> <39a8af61-056b-df40-9126-50997a5b54c8@redhat.com> <1d11dfa3-eb74-6ca2-1dfa-e65000d92b82@redhat.com> Message-ID: <32b8fa5c-5e0c-26da-7fe1-db750cf4d129@redhat.com> All the patches from this thread were converted into github pull requests: [1]: https://github.com/freeipa/freeipa/pull/224 [2]: https://github.com/freeipa/freeipa/pull/225 On 11/09/2016 04:43 PM, Milan Kubík wrote: > On 10/25/2016 10:24 AM, Oleg Fayans wrote: >> Integration part of the tests is ready. 2 tests: >> >> 1. Adds a cert to idoverride of a windows user >> 2. sssd part - looks up user by his certificate using dbus-sssd >> >> Second and third dbus call are executed as a string instead of as array >> of strings because it just does not work otherwise. Some quote >> escaping gets screwed probably, but the system returns "Error >> org.freedesktop.DBus.Error.UnknownInterface: Unknown interface" if the >> command is executed using the standard array-based approach >> >> The run looks like this: >> >> bash-4.3$ ipa-run-tests test_integration/test_idviews.py --pdb >> WARNING: Couldn't write lextab module 'pycparser.lextab'. [Errno 13] >> Permission denied: 'lextab.py' >> WARNING: yacc table file version is out of date >> WARNING: Couldn't create 'pycparser.yacctab'. 
[Errno 13] Permission >> denied: 'yacctab.py' >> ==================================== test session starts >> ==================================== >> platform linux2 -- Python 2.7.11, pytest-2.9.2, py-1.4.31, pluggy-0.3.1 >> rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: pytest.ini >> plugins: sourceorder-0.5, multihost-1.0 >> collected 2 items >> >> test_integration/test_idviews.py .. >> >> ================================ 2 passed in 948.44 seconds >> ================================= >> >> >> On 10/21/2016 10:54 AM, Oleg Fayans wrote: >>> Added one more test, resolved the pep8 issues >>> >>> On 10/19/2016 12:32 PM, Oleg Fayans wrote: >>>> Hi Martin, >>>> >>>> As you suggested, I've extended the >>>> test_xmlrpc/test_add_remove_cert_cmd.py to contain basic tests for >>>> certs >>>> in idoverrides. >>>> The integration part still needs some polishing in the part related to >>>> user lookup by cert >>>> >>>> On 10/14/2016 03:57 PM, Martin Babinsky wrote: >>>>> On 10/14/2016 03:48 PM, Oleg Fayans wrote: >>>>>> So, did I understand correctly, that there would be 2 patches: one >>>>>> containing test for basic idoverrides functionality without >>>>>> AD-integration, and the second one - with AD-integration and an sssd >>>>>> check, correct? >>>>>> I guess, the >>>>>> freeipa-ofayans-0050.1-Automated-test-for-certs-in-idoverrides-feature.patch >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> might be a good candidate for the first one, I only have to change >>>>>> the >>>>>> filename to test_idviews.py, right? >>>>>> >>>>> >>>>> Oleg, we already have XMLRPC tests for idoverrides: >>>>> >>>>> ipatests/test_xmlrpc/test_idviews_plugin.py >>>>> >>>>> Is there any particular reason why not to extend them with add >>>>> cert/remove cert operations? >>>>> >>>>> Even better, you can extend >>>>> `ipatests/test_xmlrpc/test_add_remove_cert_cmd.py` suite by doing the >>>>> same set of tests on idoverrideuser objects. >>>>> >>>>> Or am I missing something? 
>>>>> >>>>>> On 09/15/2016 10:32 AM, Martin Basti wrote: >>>>>>> >>>>>>> >>>>>>> On 15.09.2016 10:10, Oleg Fayans wrote: >>>>>>>> Hi Martin, >>>>>>>> >>>>>>>> The file was renamed. Did I understand correctly that for now we >>>>>>>> are >>>>>>>> leaving the test as is and are planning to extend it later? >>>>>>> >>>>>>> I would like to have there SSSD check involved, please use what >>>>>>> Summit >>>>>>> recommends. No new test cases. >>>>>>> >>>>>>> And this can be done by separate patch, I want to have API/CLI >>>>>>> certificate override tests for non-AD idview (extending current >>>>>>> tests I >>>>>>> posted in this thread) >>>>>>> >>>>>>> Martin^2 >>>>>>>> >>>>>>>> On 09/15/2016 09:49 AM, Martin Basti wrote: >>>>>>>>> >>>>>>>>> >>>>>>>>> On 14.09.2016 18:53, Sumit Bose wrote: >>>>>>>>>> On Wed, Sep 14, 2016 at 06:03:37PM +0200, Martin Basti wrote: >>>>>>>>>>> >>>>>>>>>>> On 14.09.2016 17:53, Alexander Bokovoy wrote: >>>>>>>>>>>> On Wed, 14 Sep 2016, Martin Basti wrote: >>>>>>>>>>>>> >>>>>>>>>>>>> On 14.09.2016 17:41, Alexander Bokovoy wrote: >>>>>>>>>>>>>> On Wed, 14 Sep 2016, Martin Basti wrote: >>>>>>>>>>>>>>> 1) >>>>>>>>>>>>>>> I still don't see the reason why AD trust is needed. Default >>>>>>>>>>>>>>> trust ID view is added just by ipa-adtrust-install, adding >>>>>>>>>>>>>>> trust is not needed for current implementation. You don't >>>>>>>>>>>>>>> need AD for this, IDviews is generic feature not just for >>>>>>>>>>>>>>> AD. Is that user configured on AD side? >>>>>>>>>>>>>> You cannot add non-AD user to 'default trust view', so you >>>>>>>>>>>>>> will >>>>>>>>>>>>>> not be >>>>>>>>>>>>>> able to set up certificates to ID override which does not >>>>>>>>>>>>>> exist. >>>>>>>>>>>>>> >>>>>>>>>>>>>> For non-'default trust view' you can add both IPA and AD >>>>>>>>>>>>>> users, >>>>>>>>>>>>>> so using >>>>>>>>>>>>>> some other view and then assign certificate for a ID >>>>>>>>>>>>>> override in >>>>>>>>>>>>>> that >>>>>>>>>>>>>> one. 
>>>>>>>>>>>>>> >>>>>>>>>>>>> Ok then, but anyway I would like to see API/CLI tests for this >>>>>>>>>>>>> feature with proper output validation. >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> How can be this tested with SSSD? >>>>>>>>>>>> You need to log into the system with a certificate... >>>>>>>>>>> Is this possible from test? We are logged remotely as root, is >>>>>>>>>>> there any >>>>>>>>>>> cmdline util which allows us to test certificate against AD >>>>>>>>>>> user? >>>>>>>>>> >>>>>>>>>> You can use 'sss_ssh_authorizedkeys aduser at ad.domain' which >>>>>>>>>> should >>>>>>>>>> return the ssh key derived from the public key in the >>>>>>>>>> certificate. >>>>>>>>>> This >>>>>>>>>> should work for certificate stored in AD as well as for >>>>>>>>>> overrides. >>>>>>>>>> >>>>>>>>>> You can also you the DBus lookup by certificate as described in >>>>>>>>>> https://fedorahosted.org/sssd/wiki/DesignDocs/LookupUsersByCertificate >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> . >>>>>>>>>> >>>>>>>>>> HTH >>>>>>>>>> >>>>>>>>>> bye, >>>>>>>>>> Sumit >>>>>>>>> >>>>>>>>> Thank you Alexander and Summit for hints. >>>>>>>>> >>>>>>>>> Oleg I realized we don't have any other idviews integration tests >>>>>>>>> >>>>>>>>> So I propose to rename test file you are adding to >>>>>>>>> test_idviews.py. We >>>>>>>>> can add more testcases for idviews there later >>>>>>>>> >>>>>>>>> Martin^2 >>>>>>>>>>> Martin^2 >>>>>>>>>>> >>>>>>>>>>> -- >>>>>>>>>>> Manage your subscription for the Freeipa-devel mailing list: >>>>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel >>>>>>>>>>> Contribute to FreeIPA: >>>>>>>>>>> http://www.freeipa.org/page/Contribute/Code >>>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>> >>>>> >>>>> >>>> >>>> >>>> >>> >>> >>> >> >> >> > > Putting `config.ad_domains[0].ads[0]` to a class variable prevents other > classes from running without enough resources for the > TestCertsInIDOverrides class. 
Please do this kind of thing in the > __init__ method. > > As for the actual test run, me or Lenka will check that tomorrow. > > -- > Milan Kubik > -- Oleg Fayans Quality Engineer FreeIPA team RedHat. From freeipa-github-notification at redhat.com Thu Nov 10 09:53:31 2016 From: freeipa-github-notification at redhat.com (ofayans) Date: Thu, 10 Nov 2016 10:53:31 +0100 Subject: [Freeipa-devel] [freeipa PR#224][synchronized] Integration tests for certs in idoverrides In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/224 Author: ofayans Title: #224: Integration tests for certs in idoverrides Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/224/head:pr224 git checkout pr224 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-224.patch Type: text/x-diff Size: 12903 bytes Desc: not available URL: From ofayans at redhat.com Thu Nov 10 09:54:48 2016 
From: ofayans at redhat.com (Oleg Fayans) Date: Thu, 10 Nov 2016 10:54:48 +0100 Subject: [Freeipa-devel] [test][patch-0057] test for ticket N 6146 (installing rules with service principals) In-Reply-To: <53f34ed7-7da4-a4e5-ec03-3e4bd199b357@redhat.com> References: <57AAE7EA.5090604@redhat.com> <745bf2dc-18d4-9f89-b97c-980b447f2823@redhat.com> <57AB1418.60903@redhat.com> <7d137bdf-883c-2ef9-468d-f8b7de358804@redhat.com> <9e419344-e733-76b0-b103-77496dd1097c@redhat.com> <402f9a42-71dd-3b38-6974-4061c10660dc@redhat.com> <53f34ed7-7da4-a4e5-ec03-3e4bd199b357@redhat.com> Message-ID: <8602b5ba-3ea9-5072-6f32-6a8eb9850666@redhat.com> The patch was added to existing PR: https://github.com/freeipa/freeipa/pull/224 On 11/08/2016 05:24 PM, Oleg Fayans wrote: > And this one. > > On 11/03/2016 09:42 AM, Oleg Fayans wrote: >> One more ping for review >> >> On 10/27/2016 02:21 PM, Oleg Fayans wrote: >>> ping for review >>> >>> On 10/25/2016 11:29 AM, Oleg Fayans wrote: >>>> The patch was rebased to be able to apply on top of latest version of >>>> certs in idoverrides patch. As before, it requires patches NN 0049 and >>>> 0059 to apply >>>> >>>> On 08/10/2016 01:46 PM, Oleg Fayans wrote: >>>>> Hi Martin, >>>>> >>>>> I am sorry, yes it depends on my patches 0049 and 0050. >>>>> >>>>> >>>>> On 08/10/2016 12:27 PM, Martin Basti wrote: >>>>>> >>>>>> >>>>>> On 10.08.2016 10:38, Oleg Fayans wrote: >>>>>>> >>>>>>> >>>>>>> >>>>>> Hello, >>>>>> >>>>>> I cannot apply this patch >>>>>> error: ipatests/test_integration/test_certs_in_idoverrides.py: does >>>>>> not >>>>>> exist in index >>>>>> It probably depends on another patch (which one?) >>>>>> >>>>>> Please, use human readable subjects in email, I do not remember from >>>>>> top >>>>>> of my head what #6146 is. >>>>>> >>>>>> Martin^2 >>>>>> >>>>>> >>>>> >>>> >>>> >>>> >>> >> > -- Oleg Fayans Quality Engineer FreeIPA team RedHat. From freeipa-github-notification at redhat.com Thu Nov 10 10:13:50 2016 
From: freeipa-github-notification at redhat.com (tiran) Date: Thu, 10 Nov 2016 11:13:50 +0100 Subject: [Freeipa-devel] [freeipa PR#220][+ack] Build: fix make clean to remove build artifacts from top-level directory In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/220 Title: #220: Build: fix make clean to remove build artifacts from top-level directory Label: +ack From freeipa-github-notification at redhat.com Thu Nov 10 10:24:31 2016 From: freeipa-github-notification at redhat.com (tiran) Date: Thu, 10 Nov 2016 11:24:31 +0100 Subject: [Freeipa-devel] [freeipa PR#182][comment] Use env var IPA_CONFDIR to get confdir for 'cli' context In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/182 Title: #182: Use env var IPA_CONFDIR to get confdir for 'cli' context tiran commented: """ No, env vars are **the** standard way to change the behavior of a program for a local session. They are used all over the place: MIT KRB5 as KRB5_CONFIG, Python has PYTHONHOME and more, OpenSSL has SSL_CERT_FILE/DIR, Freedesktop has XDG_DATA_HOME, XDG_CONFIG_HOME... I could bring up the same argument against your proposal to use a shell alias. Shell aliases are even worse because they work only in shells and not for ```execve()``` calls. Env vars are common to change the environment of a program (hence the name) while shell aliases are a hack. It is not only a good idea, it's required to make integration of FreeIPA's client libraries in 3rd party applications feasible. """ See the full comment at https://github.com/freeipa/freeipa/pull/182#issuecomment-259654400 From freeipa-github-notification at redhat.com Thu Nov 10 11:04:20 2016 
From: freeipa-github-notification at redhat.com (jcholast) Date: Thu, 10 Nov 2016 12:04:20 +0100 Subject: [Freeipa-devel] [freeipa PR#182][comment] Use env var IPA_CONFDIR to get confdir for 'cli' context In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/182 Title: #182: Use env var IPA_CONFDIR to get confdir for 'cli' context jcholast commented: """ "Everyone else does it" is not really a good argument to anything. Just saying. Also you still haven't provided a single example of where explicitly setting confdir can't be used and thus the environment variable must be used, and just keep repeating how required it is, so sorry I'm a little bit sceptical. """ See the full comment at https://github.com/freeipa/freeipa/pull/182#issuecomment-259662631 From freeipa-github-notification at redhat.com Thu Nov 10 11:09:31 2016 From: freeipa-github-notification at redhat.com (jcholast) Date: Thu, 10 Nov 2016 12:09:31 +0100 Subject: [Freeipa-devel] [freeipa PR#143][comment] Issue6386 nss dir In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/143 Title: #143: Issue6386 nss dir jcholast commented: """ OK, but you should at least make sure that where the code depends on hard-coded paths, the API is bootstrapped with a hard coded `confdir` as well, otherwise things might break. """ See the full comment at https://github.com/freeipa/freeipa/pull/143#issuecomment-259663631 From mbasti at redhat.com Thu Nov 10 11:09:45 2016 
From: mbasti at redhat.com (Martin Basti) Date: Thu, 10 Nov 2016 12:09:45 +0100 Subject: [Freeipa-devel] [Test][Patch-0047] Added a test for Ticket N 5964 In-Reply-To: <8429464f-c6e2-5152-1bef-2188e1478f76@redhat.com> References: <5762BBDD.4010502@redhat.com> <8ada929c-ebff-b8ce-6f1f-ae65fb8b1ba2@redhat.com> <577FAD77.7080504@redhat.com> <9149be7c-ee3d-42e5-16fb-fd0c0f351bb8@redhat.com> <57A1E76F.9@redhat.com> <478f33da-10d4-0994-e588-b28ca002b3b4@redhat.com> <36a2eba5-a03d-131e-0042-46f0d4f0299a@redhat.com> <80d2ccd8-8e1b-52a7-df76-087c72f21a12@redhat.com> <8caa3b3a-54a6-e168-6304-09ce8fb60a7f@redhat.com> <5b666684-ada4-8721-0671-a6a0424e115b@redhat.com> <847c5b3d-f43b-7381-a8a2-2fcacc343afc@redhat.com> <72c34ab8-5076-0d70-73dd-f6143ac62569@redhat.com> <6cb87374-7c34-47f7-8ba1-0b8f241b9af0@redhat.com> <2deed6db-92df-867a-b03d-862df369ee8d@redhat.com> <417e7796-c017-cf0a-be6c-e1e0b9d4ac90@redhat.com> <8429464f-c6e2-5152-1bef-2188e1478f76@redhat.com> Message-ID: On 10.11.2016 10:06, Oleg Fayans wrote: > > > On 11/10/2016 09:43 AM, Martin Basti wrote: >> >> >>>>> ACK >>>>> >>>> On the other hand, make it a conditional one. The link in the comment >>>> does not work. Please fix that. >>>>> >>>>> -- >>>>> Milan Kubik >>>>> >>>>> >>>> >>>> >>>> -- >>>> Milan Kubik >>>> >>>> >>> After offline discussion and some clarification, the comment is >>> right. ACK >>> >>> -- >>> Milan Kubik >> >> Because patches are scattered over this thread, am I right that those >> versions should be pushed? >> >> freeipa-ofayans-0047.7-Automated-clean-ruv-subcommand-tests.patch >> freeipa-ofayans-0048.4-Automated-ipa-replica-manage-del-tests.patch > > Precisely! > >> >> Martin^2 > Pushed to: master: dc58f8f2a17adc642ae6f32fe9c9eb05d993c9d0 ipa-4-4: ddfa173488aa903b3e028f7e6328dbb4dcc21695 From freeipa-github-notification at redhat.com Thu Nov 10 11:10:20 2016 
From: freeipa-github-notification at redhat.com (jcholast) Date: Thu, 10 Nov 2016 12:10:20 +0100 Subject: [Freeipa-devel] [freeipa PR#180][comment] Make api.env.nss_dir relative to api.env.confdir In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/180 Title: #180: Make api.env.nss_dir relative to api.env.confdir jcholast commented: """ See my comment on #143. """ See the full comment at https://github.com/freeipa/freeipa/pull/180#issuecomment-259663799 From freeipa-github-notification at redhat.com Thu Nov 10 11:27:09 2016 From: freeipa-github-notification at redhat.com (apophys) Date: Thu, 10 Nov 2016 12:27:09 +0100 Subject: [Freeipa-devel] [freeipa PR#196][comment] ipatests: unresolvable nested netgroups In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/196 Title: #196: ipatests: unresolvable nested netgroups apophys commented: """ Ping for review. """ See the full comment at https://github.com/freeipa/freeipa/pull/196#issuecomment-259666959 From freeipa-github-notification at redhat.com Thu Nov 10 11:31:23 2016 From: freeipa-github-notification at redhat.com (tiran) Date: Thu, 10 Nov 2016 12:31:23 +0100 Subject: [Freeipa-devel] [freeipa PR#143][comment] Issue6386 nss dir In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/143 Title: #143: Issue6386 nss dir tiran commented: """ The other locations are used for FreeIPA installation and therefore out of scope for this change. """ See the full comment at https://github.com/freeipa/freeipa/pull/143#issuecomment-259667729 From freeipa-github-notification at redhat.com Thu Nov 10 11:35:47 2016 
From: freeipa-github-notification at redhat.com (pspacek) Date: Thu, 10 Nov 2016 12:35:47 +0100 Subject: [Freeipa-devel] [freeipa PR#226][opened] Build refactoring phase 5 Message-ID: URL: https://github.com/freeipa/freeipa/pull/226 Author: pspacek Title: #226: Build refactoring phase 5 Action: opened PR body: """ This PR fixes IPA_VERSION_IS_GIT_SNAPSHOT option and vendor version passing from SPEC to configure. It also contains minor cleanup and srpm target which is used by Coverity. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/226/head:pr226 git checkout pr226 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-226.patch Type: text/x-diff Size: 15089 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Nov 10 11:36:58 2016 
From: freeipa-github-notification at redhat.com (frasertweedale) Date: Thu, 10 Nov 2016 12:36:58 +0100 Subject: [Freeipa-devel] [freeipa PR#227][opened] cert-request: match names against principal alises Message-ID: URL: https://github.com/freeipa/freeipa/pull/227 Author: frasertweedale Title: #227: cert-request: match names against principal alises Action: opened PR body: """ Currently we do not check Kerberos principal aliases when validating a CSR. Enhance cert-request to accept the following scenarios: - for hosts and services: CN and SAN dnsNames match a principal alias (realm and service name must be same as nominated principal) - for all principal types: UPN or KRB5PrincipalName othername match any principal alias. Fixes: https://fedorahosted.org/freeipa/ticket/6295 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/227/head:pr227 git checkout pr227 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-227.patch Type: text/x-diff Size: 13164 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Nov 10 11:37:17 2016 From: freeipa-github-notification at redhat.com (tiran) Date: Thu, 10 Nov 2016 12:37:17 +0100 Subject: [Freeipa-devel] [freeipa PR#182][comment] Use env var IPA_CONFDIR to get confdir for 'cli' context In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/182 Title: #182: Use env var IPA_CONFDIR to get confdir for 'cli' context tiran commented: """ Everyone else does it is a very good argument. Standards and common practices provide a good user and developer experience. I detest _Not Invented Here_ solutions. """ See the full comment at https://github.com/freeipa/freeipa/pull/182#issuecomment-259668716 From freeipa-github-notification at redhat.com Thu Nov 10 11:39:05 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Thu, 10 Nov 2016 12:39:05 +0100 Subject: [Freeipa-devel] [freeipa PR#220][+pushed] Build: fix make clean to remove build artifacts from top-level directory In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/220 Title: #220: Build: fix make clean to remove build artifacts from top-level directory Label: +pushed From freeipa-github-notification at redhat.com Thu Nov 10 11:39:07 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Thu, 10 Nov 2016 12:39:07 +0100 Subject: [Freeipa-devel] [freeipa PR#220][comment] Build: fix make clean to remove build artifacts from top-level directory In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/220 Title: #220: Build: fix make clean to remove build artifacts from top-level directory mbasti-rh commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/d20f6a5ef2467e780026f1040f5a11a7a77594ca """ See the full comment at https://github.com/freeipa/freeipa/pull/220#issuecomment-259669055 From freeipa-github-notification at redhat.com Thu Nov 10 11:39:08 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Thu, 10 Nov 2016 12:39:08 +0100 Subject: [Freeipa-devel] [freeipa PR#220][closed] Build: fix make clean to remove build artifacts from top-level directory In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/220 Author: pspacek Title: #220: Build: fix make clean to remove build artifacts from top-level directory Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/220/head:pr220 git checkout pr220 From freeipa-github-notification at redhat.com Thu Nov 10 11:43:55 2016 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Thu, 10 Nov 2016 12:43:55 +0100 Subject: [Freeipa-devel] [freeipa PR#173][comment] Ensure correct IPA CA nickname in DS and HTTP NSSDBs In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/173 Title: #173: Ensure correct IPA CA nickname in DS and HTTP NSSDBs tomaskrizek commented: """ Works as expected. """ See the full comment at https://github.com/freeipa/freeipa/pull/173#issuecomment-259669927 From freeipa-github-notification at redhat.com Thu Nov 10 11:44:01 2016 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Thu, 10 Nov 2016 12:44:01 +0100 Subject: [Freeipa-devel] [freeipa PR#173][+ack] Ensure correct IPA CA nickname in DS and HTTP NSSDBs In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/173 Title: #173: Ensure correct IPA CA nickname in DS and HTTP NSSDBs Label: +ack From freeipa-github-notification at redhat.com Thu Nov 10 11:44:26 2016 From: freeipa-github-notification at redhat.com (tiran) Date: Thu, 10 Nov 2016 12:44:26 +0100 Subject: [Freeipa-devel] [freeipa PR#182][comment] Use env var IPA_CONFDIR to get confdir for 'cli' context In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/182 Title: #182: Use env var IPA_CONFDIR to get confdir for 'cli' context tiran commented: """ Everyone else does it is a very good argument. Standards and common practices provide a good user and developer experience. I detest _Not Invented Here_ solutions. By the way did you read my integration improvement proposal? I haven't released it yet because it's not finished. """ See the full comment at https://github.com/freeipa/freeipa/pull/182#issuecomment-259668716 From freeipa-github-notification at redhat.com Thu Nov 10 11:45:05 2016 
From: freeipa-github-notification at redhat.com (jcholast) Date: Thu, 10 Nov 2016 12:45:05 +0100 Subject: [Freeipa-devel] [freeipa PR#182][comment] Use env var IPA_CONFDIR to get confdir for 'cli' context In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/182 Title: #182: Use env var IPA_CONFDIR to get confdir for 'cli' context jcholast commented: """ Care to point me to some actual standard which recommends this? Using explicit configuration via library initialization arguments is no NIH, everyone else does it as well and it is a solution we already have in place. Still zero examples to support your claim that environment variable is a must. """ See the full comment at https://github.com/freeipa/freeipa/pull/182#issuecomment-259670126 From freeipa-github-notification at redhat.com Thu Nov 10 11:46:02 2016 From: freeipa-github-notification at redhat.com (jcholast) Date: Thu, 10 Nov 2016 12:46:02 +0100 Subject: [Freeipa-devel] [freeipa PR#143][comment] Issue6386 nss dir In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/143 Title: #143: Issue6386 nss dir jcholast commented: """ Sure, just please keep this in mind for your other changes. """ See the full comment at https://github.com/freeipa/freeipa/pull/143#issuecomment-259670294 From freeipa-github-notification at redhat.com Thu Nov 10 11:49:28 2016 
From: freeipa-github-notification at redhat.com (jcholast) Date: Thu, 10 Nov 2016 12:49:28 +0100 Subject: [Freeipa-devel] [freeipa PR#182][comment] Use env var IPA_CONFDIR to get confdir for 'cli' context In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/182 Title: #182: Use env var IPA_CONFDIR to get confdir for 'cli' context jcholast commented: """ Care to point me to some actual standard which recommends this? Using explicit configuration via library initialization arguments is no NIH, everyone else does it as well and it is a solution we already have in place. Still zero examples to support your claim that environment variable is a must. EDIT: There is no link to your proposal here nor is there a thread on freeipa-devel. I would be glad to read it but please follow our process for new feature designs. """ See the full comment at https://github.com/freeipa/freeipa/pull/182#issuecomment-259670126 From freeipa-github-notification at redhat.com Thu Nov 10 11:52:31 2016 From: freeipa-github-notification at redhat.com (jcholast) Date: Thu, 10 Nov 2016 12:52:31 +0100 Subject: [Freeipa-devel] [freeipa PR#219][comment] Refactor installer code requesting certificates In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/219 Title: #219: Refactor installer code requesting certificates jcholast commented: """ Can we fix this in a separate PR to unblock the merge of this one? """ See the full comment at https://github.com/freeipa/freeipa/pull/219#issuecomment-259671468 From freeipa-github-notification at redhat.com Thu Nov 10 11:53:56 2016 
From: freeipa-github-notification at redhat.com (frasertweedale) Date: Thu, 10 Nov 2016 12:53:56 +0100 Subject: [Freeipa-devel] [freeipa PR#228][opened] cert-request: allow directoryName in SAN extension Message-ID: URL: https://github.com/freeipa/freeipa/pull/228 Author: frasertweedale Title: #228: cert-request: allow directoryName in SAN extension Action: opened PR body: """ Allow directoryName in SAN extension if the value matches the subject principal's DN in the IPA directory. Fixes: https://fedorahosted.org/freeipa/ticket/6112 --- A bit of commentary about this feature: it was just a drive-by case of "hey I could implement this in a way that I think makes sense". No one actually asked for it (yet). Also, there is no agreement that using directoryName to carry the DN of the subject is valid. On my part, I think it is obviously valid, but see the original review thread for discussion: https://www.redhat.com/archives/freeipa-devel/2016-August/msg00714.html I had to rebase this commit and resolve conflicts, so now it is a PR and it can age in oak on GitHub instead of the mailing list :) """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/228/head:pr228 git checkout pr228 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-228.patch Type: text/x-diff Size: 1587 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Nov 10 11:54:27 2016 
From: freeipa-github-notification at redhat.com (tiran) Date: Thu, 10 Nov 2016 12:54:27 +0100 Subject: [Freeipa-devel] [freeipa PR#182][comment] Use env var IPA_CONFDIR to get confdir for 'cli' context In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/182 Title: #182: Use env var IPA_CONFDIR to get confdir for 'cli' context tiran commented: """ Let me google that for you: * https://specifications.freedesktop.org/basedir-spec/latest/ar01s03.html * https://web.mit.edu/kerberos/krb5-1.14/doc/admin/env_variables.html * https://docs.python.org/2/using/cmdline.html#environment-variables * https://pip.pypa.io/en/stable/user_guide/#environment-variables https://en.wikipedia.org/wiki/Environment_variable defines env vars as > Environment variables are a set of dynamic named values that can affect the way running processes will behave on a computer. Examples * local installation in a virtual environment * unified experience for non-root configuration * user shell session with custom KRB5 and IPA settings * Ansible playbook modules * application in a root-less container that cannot write to /etc (OpenShift) * unit and integration tests with custom config file location You can find more detailed examples in my integration document. """ See the full comment at https://github.com/freeipa/freeipa/pull/182#issuecomment-259671810 From freeipa-github-notification at redhat.com Thu Nov 10 11:54:52 2016 
From: freeipa-github-notification at redhat.com (frasertweedale) Date: Thu, 10 Nov 2016 12:54:52 +0100 Subject: [Freeipa-devel] [freeipa PR#177][synchronized] Add options to write lightweight CA cert or chain to file In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/177 Author: frasertweedale Title: #177: Add options to write lightweight CA cert or chain to file Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/177/head:pr177 git checkout pr177 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-177.patch Type: text/x-diff Size: 13476 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Nov 10 11:56:34 2016 
From: freeipa-github-notification at redhat.com (tiran) Date: Thu, 10 Nov 2016 12:56:34 +0100 Subject: [Freeipa-devel] [freeipa PR#182][comment] Use env var IPA_CONFDIR to get confdir for 'cli' context In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/182 Title: #182: Use env var IPA_CONFDIR to get confdir for 'cli' context tiran commented: """ Let me google that for you: * https://specifications.freedesktop.org/basedir-spec/latest/ar01s03.html * https://web.mit.edu/kerberos/krb5-1.14/doc/admin/env_variables.html * https://docs.python.org/2/using/cmdline.html#environment-variables * https://pip.pypa.io/en/stable/user_guide/#environment-variables https://en.wikipedia.org/wiki/Environment_variable defines env vars as > Environment variables are a set of dynamic named values that can affect the way running processes will behave on a computer. Examples * local installation in a virtual environment * unified experience for non-root configuration * user shell session with custom KRB5 and IPA settings * Ansible playbook modules * application in a root-less container that cannot write to /etc (OpenShift) * unit and integration tests with custom config file location You can find more detailed examples in my integration document. """ See the full comment at https://github.com/freeipa/freeipa/pull/182#issuecomment-259671810 From freeipa-github-notification at redhat.com Thu Nov 10 11:58:42 2016 
From: freeipa-github-notification at redhat.com (frasertweedale) Date: Thu, 10 Nov 2016 12:58:42 +0100 Subject: [Freeipa-devel] [freeipa PR#227][synchronized] cert-request: match names against principal alises In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/227 Author: frasertweedale Title: #227: cert-request: match names against principal alises Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/227/head:pr227 git checkout pr227 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-227.patch Type: text/x-diff Size: 13191 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Nov 10 12:00:07 2016 From: freeipa-github-notification at redhat.com (tiran) Date: Thu, 10 Nov 2016 13:00:07 +0100 Subject: [Freeipa-devel] [freeipa PR#143][comment] Issue6386 nss dir In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/143 Title: #143: Issue6386 nss dir tiran commented: """ I don't understand your comment. """ See the full comment at https://github.com/freeipa/freeipa/pull/143#issuecomment-259672798 From freeipa-github-notification at redhat.com Thu Nov 10 12:03:27 2016 
From: freeipa-github-notification at redhat.com (frasertweedale) Date: Thu, 10 Nov 2016 13:03:27 +0100 Subject: [Freeipa-devel] [freeipa PR#219][comment] Refactor installer code requesting certificates In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/219 Title: #219: Refactor installer code requesting certificates frasertweedale commented: """ @jcholast sure, especially if it is related to renewal locks or some other tangential matter. ( @flo-renaud I have not yet confirmed the cause; will get to it tomorrow ) """ See the full comment at https://github.com/freeipa/freeipa/pull/219#issuecomment-259673472 From freeipa-github-notification at redhat.com Thu Nov 10 12:16:23 2016 From: freeipa-github-notification at redhat.com (frasertweedale) Date: Thu, 10 Nov 2016 13:16:23 +0100 Subject: [Freeipa-devel] [freeipa PR#219][comment] Refactor installer code requesting certificates In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/219 Title: #219: Refactor installer code requesting certificates frasertweedale commented: """ Well I couldn't wait 'til tomorrow so I checked just then. I could not reproduce the issue :) """ See the full comment at https://github.com/freeipa/freeipa/pull/219#issuecomment-259675725 From freeipa-github-notification at redhat.com Thu Nov 10 12:23:18 2016 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Thu, 10 Nov 2016 13:23:18 +0100 Subject: [Freeipa-devel] [freeipa PR#168][comment] Update cli.py In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/168 Title: #168: Update cli.py tomaskrizek commented: """ I was not able to find the issue and reproduce the error. Both unicode and ascii strings seem to be printed correctly. Closing for missing issue/reproducer. """ See the full comment at https://github.com/freeipa/freeipa/pull/168#issuecomment-259676938 From freeipa-github-notification at redhat.com Thu Nov 10 12:23:20 2016 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Thu, 10 Nov 2016 13:23:20 +0100 Subject: [Freeipa-devel] [freeipa PR#168][closed] Update cli.py In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/168 Author: Garont Title: #168: Update cli.py Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/168/head:pr168 git checkout pr168 From freeipa-github-notification at redhat.com Thu Nov 10 12:26:22 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Thu, 10 Nov 2016 13:26:22 +0100 Subject: [Freeipa-devel] [freeipa PR#205][+pushed] Support DAL version 5 and version 6 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/205 Title: #205: Support DAL version 5 and version 6 Label: +pushed From freeipa-github-notification at redhat.com Thu Nov 10 12:26:24 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Thu, 10 Nov 2016 13:26:24 +0100 Subject: [Freeipa-devel] [freeipa PR#205][comment] Support DAL version 5 and version 6 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/205 Title: #205: Support DAL version 5 and version 6 mbasti-rh commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/2775042787be4ea236c0b99dd75337414e24b89d """ See the full comment at https://github.com/freeipa/freeipa/pull/205#issuecomment-259677514 From freeipa-github-notification at redhat.com Thu Nov 10 12:26:26 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Thu, 10 Nov 2016 13:26:26 +0100 Subject: [Freeipa-devel] [freeipa PR#205][closed] Support DAL version 5 and version 6 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/205 Author: simo5 Title: #205: Support DAL version 5 and version 6 Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/205/head:pr205 git checkout pr205 From freeipa-github-notification at redhat.com Thu Nov 10 12:31:22 2016 From: freeipa-github-notification at redhat.com (flo-renaud) Date: Thu, 10 Nov 2016 13:31:22 +0100 Subject: [Freeipa-devel] [freeipa PR#229][opened] Remove the renewal lock file upon uninstall Message-ID: URL: https://github.com/freeipa/freeipa/pull/229 Author: flo-renaud Title: #229: Remove the renewal lock file upon uninstall Action: opened PR body: """ Make sure that the file /var/run/ipa/renewal.lock is deleted upon uninstallation, in order to avoid subsequent installation issues. Part of the refactoring effort, certificates sub-effort. https://fedorahosted.org/freeipa/ticket/6433 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/229/head:pr229 git checkout pr229 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-229.patch Type: text/x-diff Size: 1000 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Nov 10 12:32:35 2016 
From: freeipa-github-notification at redhat.com (flo-renaud) Date: Thu, 10 Nov 2016 13:32:35 +0100 Subject: [Freeipa-devel] [freeipa PR#219][comment] Refactor installer code requesting certificates In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/219 Title: #219: Refactor installer code requesting certificates flo-renaud commented: """ Thanks Fraser! The patch for renewal lock file deletion is available at https://github.com/freeipa/freeipa/pull/229 """ See the full comment at https://github.com/freeipa/freeipa/pull/219#issuecomment-259678689 From freeipa-github-notification at redhat.com Thu Nov 10 12:35:37 2016 From: freeipa-github-notification at redhat.com (apophys) Date: Thu, 10 Nov 2016 13:35:37 +0100 Subject: [Freeipa-devel] [freeipa PR#225][comment] tests: Added basic tests for certs in idoverrides In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/225 Title: #225: tests: Added basic tests for certs in idoverrides apophys commented: """ Please address the inline comments. """ See the full comment at https://github.com/freeipa/freeipa/pull/225#issuecomment-259679240 From freeipa-github-notification at redhat.com Thu Nov 10 12:39:12 2016 
From: freeipa-github-notification at redhat.com (jcholast) Date: Thu, 10 Nov 2016 13:39:12 +0100 Subject: [Freeipa-devel] [freeipa PR#182][comment] Use env var IPA_CONFDIR to get confdir for 'cli' context In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/182 Title: #182: Use env var IPA_CONFDIR to get confdir for 'cli' context jcholast commented: """ Sorry, but I just don't see an explanation in the comment you linked, just that you think it's easier to set an environment variable rather than an argument. Yes, it is easier, but it also makes the configuration implicit - say this PR was merged, now look at this: ``` $ ipa ping ``` Can you tell me which configuration directory this command will use? The fact is you can't, as opposed to: ``` $ ipa -e confdir=/path/to/confdir ``` where it is clear just by looking at the command. This is the part I have a problem with. The links you posted only show that environment variables are used to override configuration in a few pieces of software, not that it is a standard like you say. I could as easily compile a list of software which _doesn't_ do it. All of the examples are doable by setting `confdir` explicitly in `ipa -e` or `api.bootstrap()` as well. I would like to see something more concrete. I will read your proposal once you send it to freeipa-devel for review. """ See the full comment at https://github.com/freeipa/freeipa/pull/182#issuecomment-259679930 From freeipa-github-notification at redhat.com Thu Nov 10 12:45:43 2016 
From: freeipa-github-notification at redhat.com (jcholast) Date: Thu, 10 Nov 2016 13:45:43 +0100 Subject: [Freeipa-devel] [freeipa PR#143][comment] Issue6386 nss dir In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/143 Title: #143: Issue6386 nss dir jcholast commented: """ For example, if your `IPA_CONFDIR` PR was merged, setting the variable could break `ipa-client-install`, because the hard coded half of it assumes that the configuration directory is always `/etc/ipa`, but the API half would use something else. """ See the full comment at https://github.com/freeipa/freeipa/pull/143#issuecomment-259681181 From freeipa-github-notification at redhat.com Thu Nov 10 12:46:32 2016 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Thu, 10 Nov 2016 13:46:32 +0100 Subject: [Freeipa-devel] [freeipa PR#168][+rejected] Update cli.py In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/168 Title: #168: Update cli.py Label: +rejected From freeipa-github-notification at redhat.com Thu Nov 10 12:48:20 2016 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Thu, 10 Nov 2016 13:48:20 +0100 Subject: [Freeipa-devel] [freeipa PR#172][+rejected] fix pki-tomcat error after uninstall In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/172 Title: #172: fix pki-tomcat error after uninstall Label: +rejected From freeipa-github-notification at redhat.com Thu Nov 10 12:56:30 2016 
From: freeipa-github-notification at redhat.com (jcholast) Date: Thu, 10 Nov 2016 13:56:30 +0100 Subject: [Freeipa-devel] [freeipa PR#229][comment] Remove the renewal lock file upon uninstall In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/229 Title: #229: Remove the renewal lock file upon uninstall jcholast commented: """ The file is owned by the server, not the client, so it should be deleted in `ipa-server-install --uninstall`, not in `ipa-client-install --uninstall`. """ See the full comment at https://github.com/freeipa/freeipa/pull/229#issuecomment-259683231 From freeipa-github-notification at redhat.com Thu Nov 10 13:13:39 2016 From: freeipa-github-notification at redhat.com (jcholast) Date: Thu, 10 Nov 2016 14:13:39 +0100 Subject: [Freeipa-devel] [freeipa PR#219][+ack] Refactor installer code requesting certificates In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/219 Title: #219: Refactor installer code requesting certificates Label: +ack From freeipa-github-notification at redhat.com Thu Nov 10 13:15:28 2016 From: freeipa-github-notification at redhat.com (tiran) Date: Thu, 10 Nov 2016 14:15:28 +0100 Subject: [Freeipa-devel] [freeipa PR#182][synchronized] Use env var IPA_CONFDIR to get confdir for 'cli' context In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/182 Author: tiran Title: #182: Use env var IPA_CONFDIR to get confdir for 'cli' context Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/182/head:pr182 git checkout pr182 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-182.patch Type: text/x-diff Size: 4266 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Nov 10 13:16:22 2016 
From: freeipa-github-notification at redhat.com (dkupka) Date: Thu, 10 Nov 2016 14:16:22 +0100 Subject: [Freeipa-devel] [freeipa PR#219][+pushed] Refactor installer code requesting certificates In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/219 Title: #219: Refactor installer code requesting certificates Label: +pushed From freeipa-github-notification at redhat.com Thu Nov 10 13:16:24 2016 From: freeipa-github-notification at redhat.com (dkupka) Date: Thu, 10 Nov 2016 14:16:24 +0100 Subject: [Freeipa-devel] [freeipa PR#219][comment] Refactor installer code requesting certificates In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/219 Title: #219: Refactor installer code requesting certificates dkupka commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/7462adec13c5b25b6868d2863dc38062c97d0ff7 https://fedorahosted.org/freeipa/changeset/808b1436b4158cb6f926ac2b5bd0979df6ea7e9f """ See the full comment at https://github.com/freeipa/freeipa/pull/219#issuecomment-259687145 From freeipa-github-notification at redhat.com Thu Nov 10 13:16:25 2016 From: freeipa-github-notification at redhat.com (dkupka) Date: Thu, 10 Nov 2016 14:16:25 +0100 Subject: [Freeipa-devel] [freeipa PR#219][closed] Refactor installer code requesting certificates In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/219 Author: flo-renaud Title: #219: Refactor installer code requesting certificates Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/219/head:pr219 git checkout pr219 From freeipa-github-notification at redhat.com Thu Nov 10 13:19:00 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Thu, 10 Nov 2016 14:19:00 +0100 Subject: [Freeipa-devel] [freeipa PR#182][comment] Use env var IPA_CONFDIR to get confdir for 'cli' context In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/182 Title: #182: Use env var IPA_CONFDIR to get confdir for 'cli' context mbasti-rh commented: """ For the long history of IPA we haven't had a need for our own environment variables. I agree with Honza: why should we have another way to pass the config dir to IPA commands? Also, handling of env variables in IPA is inconsistent, so this should be fixed as well, see #204; in some places environ variables are not passed to subprocesses at all. """ See the full comment at https://github.com/freeipa/freeipa/pull/182#issuecomment-259687668 From freeipa-github-notification at redhat.com Thu Nov 10 13:19:31 2016 From: freeipa-github-notification at redhat.com (tiran) Date: Thu, 10 Nov 2016 14:19:31 +0100 Subject: [Freeipa-devel] [freeipa PR#187][comment] Register entry points of Custodia plugins In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/187 Title: #187: Register entry points of Custodia plugins tiran commented: """ @simo5 wrote the code. He should know why he did not follow PEP8 naming conventions for the class. """ See the full comment at https://github.com/freeipa/freeipa/pull/187#issuecomment-259687787 From freeipa-github-notification at redhat.com Thu Nov 10 13:26:37 2016 
From: freeipa-github-notification at redhat.com (frasertweedale) Date: Thu, 10 Nov 2016 14:26:37 +0100 Subject: [Freeipa-devel] [freeipa PR#230][opened] cert-request: accept CSRs with extraneous data Message-ID: URL: https://github.com/freeipa/freeipa/pull/230 Author: frasertweedale Title: #230: cert-request: accept CSRs with extraneous data Action: opened PR body: """ The cert-request command used to accept CSRs that had extra data surrounding the PEM data, e.g. commentary about the contents of the CSR. Recent commits that switch to using python-cryptography for cert and CSR handling broke this. Our acceptance tests use such CSRs, hence the tests are now failing. To avoid the issue, freshly encode the python-cryptography CertificateSigningRequest object as PEM. This avoids re-using the user-supplied data, in case it has extraneous data. Fixes: https://fedorahosted.org/freeipa/ticket/6472 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/230/head:pr230 git checkout pr230 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-230.patch Type: text/x-diff Size: 2363 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Nov 10 13:26:51 2016 
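The re-encoding idea from the PR#230 description above, as an added example that is not code from the PR or from FreeIPA: it uses only the Python standard library instead of python-cryptography and does not parse the request's ASN.1 structure. The function names and the constructed sample input are assumptions.

```python
import base64
import binascii
import re

# PEM labels accepted for a PKCS#10 request (the second is the legacy label).
CSR_LABELS = ("CERTIFICATE REQUEST", "NEW CERTIFICATE REQUEST")

# One armored block: BEGIN line, base64 body, END line with the same label.
_PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\r?\n"
    r"(?P<body>.*?)\r?\n"
    r"-----END (?P=label)-----",
    re.DOTALL,
)


def extract_csr_der(text):
    """Return the DER bytes of the single CSR block found in `text`.

    Commentary before or after the armor is ignored. Input with no CSR
    block, or with more than one, is rejected as ambiguous.
    """
    blocks = [m for m in _PEM_BLOCK.finditer(text)
              if m.group("label") in CSR_LABELS]
    if len(blocks) != 1:
        raise ValueError("expected exactly one CSR block, found %d" % len(blocks))
    body = "".join(blocks[0].group("body").split())  # drop line breaks
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError("CSR body is not valid base64") from exc
    # A PKCS#10 request is a DER SEQUENCE, so the first byte must be 0x30.
    if not der or der[0] != 0x30:
        raise ValueError("decoded data is not a DER SEQUENCE")
    return der


def encode_csr_pem(der):
    """Encode DER bytes as a fresh PEM block with 64-character lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE REQUEST-----\n"
            + "\n".join(lines)
            + "\n-----END CERTIFICATE REQUEST-----\n")


def normalize_csr(text):
    """Pass on a freshly encoded PEM, never the user-supplied text."""
    return encode_csr_pem(extract_csr_der(text))


# Constructed sample: a 5-byte DER SEQUENCE standing in for a real request,
# wrapped in the kind of commentary the PR description mentions.
SAMPLE_DER = b"\x30\x03\x02\x01\x00"
SAMPLE_INPUT = (
    "Certificate Request:\r\n"
    "    Subject: CN=host.example.test  (commentary, not part of the CSR)\r\n"
    "-----BEGIN CERTIFICATE REQUEST-----\r\n"
    "MAMC\r\n"
    "AQA=\r\n"
    "-----END CERTIFICATE REQUEST-----\r\n"
    "trailing note from the requester\r\n"
)

if __name__ == "__main__":
    print(normalize_csr(SAMPLE_INPUT), end="")
```

Forwarding only the re-encoded block means nothing outside the armor reaches whatever consumes the request next.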
From: freeipa-github-notification at redhat.com (stlaz) Date: Thu, 10 Nov 2016 14:26:51 +0100 Subject: [Freeipa-devel] [freeipa PR#231][opened] Do not log DM password in ca/kra installation logs Message-ID: URL: https://github.com/freeipa/freeipa/pull/231 Author: stlaz Title: #231: Do not log DM password in ca/kra installation logs Action: opened PR body: """ We can merge this after refactoring merges not to mess the rebases. https://fedorahosted.org/freeipa/ticket/6461 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/231/head:pr231 git checkout pr231 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-231.patch Type: text/x-diff Size: 1515 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Nov 10 13:27:38 2016 From: freeipa-github-notification at redhat.com (flo-renaud) Date: Thu, 10 Nov 2016 14:27:38 +0100 Subject: [Freeipa-devel] [freeipa PR#229][synchronized] Remove the renewal lock file upon uninstall In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/229 Author: flo-renaud Title: #229: Remove the renewal lock file upon uninstall Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/229/head:pr229 git checkout pr229 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-229.patch Type: text/x-diff Size: 1183 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Nov 10 13:28:36 2016 
From: freeipa-github-notification at redhat.com (flo-renaud) Date: Thu, 10 Nov 2016 14:28:36 +0100 Subject: [Freeipa-devel] [freeipa PR#229][comment] Remove the renewal lock file upon uninstall In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/229 Title: #229: Remove the renewal lock file upon uninstall flo-renaud commented: """ You are right, I updated the PR to put the code at the end of server uninstallation. """ See the full comment at https://github.com/freeipa/freeipa/pull/229#issuecomment-259689730 From freeipa-github-notification at redhat.com Thu Nov 10 13:28:58 2016 From: freeipa-github-notification at redhat.com (tiran) Date: Thu, 10 Nov 2016 14:28:58 +0100 Subject: [Freeipa-devel] [freeipa PR#182][comment] Use env var IPA_CONFDIR to get confdir for 'cli' context In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/182 Title: #182: Use env var IPA_CONFDIR to get confdir for 'cli' context tiran commented: """ For a long time FreeIPA ignored Python packaging guidelines. It supported neither pip and wheels nor virtual envs or local configuration. There is pressing demand from multiple projects like OpenStack and Ansible to support proper Python packages. Ask @rcritten, @admiyo @mbasti-rh the proposal is **not** just about command line scripts. It's for Python applications that use ipalib, too. You are free to come up with another solution that works for all use cases. """ See the full comment at https://github.com/freeipa/freeipa/pull/182#issuecomment-259689791 From freeipa-github-notification at redhat.com Thu Nov 10 13:41:00 2016 
From: freeipa-github-notification at redhat.com (tiran) Date: Thu, 10 Nov 2016 14:41:00 +0100 Subject: [Freeipa-devel] [freeipa PR#182][synchronized] Use env var IPA_CONFDIR to get confdir for 'cli' context In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/182 Author: tiran Title: #182: Use env var IPA_CONFDIR to get confdir for 'cli' context Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/182/head:pr182 git checkout pr182 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-182.patch Type: text/x-diff Size: 4283 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Nov 10 13:42:27 2016 From: freeipa-github-notification at redhat.com (jcholast) Date: Thu, 10 Nov 2016 14:42:27 +0100 Subject: [Freeipa-devel] [freeipa PR#219][comment] Refactor installer code requesting certificates In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/219 Title: #219: Refactor installer code requesting certificates jcholast commented: """ Turns out the request does not time out in certmonger, but the 60-second wait in `request_and_wait_for_cert()` is too short. """ See the full comment at https://github.com/freeipa/freeipa/pull/219#issuecomment-259692618 From freeipa-github-notification at redhat.com Thu Nov 10 13:46:20 2016 
From: freeipa-github-notification at redhat.com (tiran) Date: Thu, 10 Nov 2016 14:46:20 +0100 Subject: [Freeipa-devel] [freeipa PR#143][comment] Issue6386 nss dir In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/143 Title: #143: Issue6386 nss dir tiran commented: """ No, #182 does not break ```ipa-client-install ``` in a bad way. The command simply refuses to work in the presence of ```IPA_CONFDIR```. ```api.bootstrap()``` does not support ```IPA_CONFDIR``` for some contexts in order to prevent this kind of issue. I just pushed another change to #182 that raises an exception when ```IPA_CONFDIR``` is set in a reserved context (server, installer, updater etc.). """ See the full comment at https://github.com/freeipa/freeipa/pull/143#issuecomment-259693470 From freeipa-github-notification at redhat.com Thu Nov 10 13:49:45 2016 From: freeipa-github-notification at redhat.com (pspacek) Date: Thu, 10 Nov 2016 14:49:45 +0100 Subject: [Freeipa-devel] [freeipa PR#226][synchronized] Build refactoring phase 5 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/226 Author: pspacek Title: #226: Build refactoring phase 5 Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/226/head:pr226 git checkout pr226 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-226.patch Type: text/x-diff Size: 15333 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Nov 10 13:50:11 2016 
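The refusal described in the PR#143 comment above (an exception when `IPA_CONFDIR` is set in a reserved context), sketched as an added example that is not code from PR #182 or from FreeIPA. `resolve_confdir`, `ConfdirError`, the precedence order, the exact set of reserved contexts and the path checks are assumptions.

```python
import os

DEFAULT_CONFDIR = "/etc/ipa"   # default directory named in the thread
ENV_VAR = "IPA_CONFDIR"        # variable proposed in PR #182
# The thread lists "server, installer, updater etc." as reserved contexts;
# the exact set used here is an assumption.
RESERVED_CONTEXTS = frozenset({"server", "installer", "updater"})


class ConfdirError(Exception):
    """The environment override is set where it must not be, or is unusable."""


def resolve_confdir(context, explicit=None, environ=None):
    """Return (confdir, source) so the caller can log where the value came from.

    Assumed precedence: explicit argument, then IPA_CONFDIR, then the default.
    """
    environ = os.environ if environ is None else environ
    env_value = environ.get(ENV_VAR)

    if context in RESERVED_CONTEXTS:
        # Fail loudly rather than ignore the variable: other code in these
        # contexts assumes the default directory, so a silent mismatch would
        # leave two halves of one tool reading different configuration.
        if env_value is not None:
            raise ConfdirError(
                "%s is set but context %r does not accept it" % (ENV_VAR, context))
        if explicit:
            return explicit, "explicit"
        return DEFAULT_CONFDIR, "default"

    if explicit:
        # An explicit argument is visible in the command or call site,
        # so it always wins over the implicit environment value.
        return explicit, "explicit"
    if env_value is None:
        return DEFAULT_CONFDIR, "default"

    # Environment input is implicit; validate it and fail closed.
    if not os.path.isabs(env_value):
        raise ConfdirError("%s must be an absolute path" % ENV_VAR)
    if not os.path.isdir(env_value):
        raise ConfdirError("%s does not name an existing directory" % ENV_VAR)
    return env_value, "env:" + ENV_VAR


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:   # constructed sample directory
        print(resolve_confdir("cli", environ={}))
        print(resolve_confdir("cli", environ={ENV_VAR: tmp}))
        try:
            resolve_confdir("installer", environ={ENV_VAR: tmp})
        except ConfdirError as exc:
            print("refused:", exc)
```

Returning the source next to the path lets a caller log which mechanism selected the directory, which speaks to the objection raised on PR #182 that an environment override makes the configuration implicit.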
From: freeipa-github-notification at redhat.com (pspacek) Date: Thu, 10 Nov 2016 14:50:11 +0100 Subject: [Freeipa-devel] [freeipa PR#226][comment] Build refactoring phase 5 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/226 Title: #226: Build refactoring phase 5 pspacek commented: """ I've added missing files to .gitignore. """ See the full comment at https://github.com/freeipa/freeipa/pull/226#issuecomment-259694249 From freeipa-github-notification at redhat.com Thu Nov 10 13:51:28 2016 From: freeipa-github-notification at redhat.com (pspacek) Date: Thu, 10 Nov 2016 14:51:28 +0100 Subject: [Freeipa-devel] [freeipa PR#213][comment] Build system refactoring phase 3 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/213 Title: #213: Build system refactoring phase 3 tiran commented: """ memo for me: - [ ] /freeipa*.tar.gz is not removed - [ ] ```MOSTLYCLEANFILES``` only cleans ipasetup.py[co] but keeps __pycache__ and other pyc/pyo. add ```clean-local: rm -rf *.pyc *.pyc __pycache__``` - [x] ```Makefile.python.am``` clean-local has ```-delete``` and ```-exec```. AFAIK only one action is supported. - [ ] neither clean nor distclean removes ```/dist``` and ```/rpmbuild``` - [x] autoconf and automake files are not removed (Makefile.in, /config.sub ...) - [x] add ```ipasetup.py``` to ```dist_noinst_SCRIPTS``` ? """ See the full comment at https://github.com/freeipa/freeipa/pull/213#issuecomment-259371190 From freeipa-github-notification at redhat.com Thu Nov 10 13:52:00 2016 
From: freeipa-github-notification at redhat.com (pspacek) Date: Thu, 10 Nov 2016 14:52:00 +0100 Subject: [Freeipa-devel] [freeipa PR#213][edited] Build system refactoring phase 3 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/213 Author: pspacek Title: #213: Build system refactoring phase 3 Action: edited Changed field: body Original value: """ This monster patch-set refactors most of build system and moves most of the logic from SPEC file to build system. It is not yet complete, missing parts are: - [ ] Python 3 support - [ ] Client-only build is not supported - [ ] IPA_VERSION_IS_GIT_SNAPSHOT does not work These will be sorted out later on but the review of the patch set can begin. """ From freeipa-github-notification at redhat.com Thu Nov 10 13:54:22 2016 From: freeipa-github-notification at redhat.com (pspacek) Date: Thu, 10 Nov 2016 14:54:22 +0100 Subject: [Freeipa-devel] [freeipa PR#226][synchronized] Build refactoring phase 5 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/226 Author: pspacek Title: #226: Build refactoring phase 5 Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/226/head:pr226 git checkout pr226 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-226.patch Type: text/x-diff Size: 13990 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Nov 10 13:54:31 2016 
From: freeipa-github-notification at redhat.com (pspacek) Date: Thu, 10 Nov 2016 14:54:31 +0100 Subject: [Freeipa-devel] [freeipa PR#226][comment] Build refactoring phase 5 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/226 Title: #226: Build refactoring phase 5 pspacek commented: """ Rebased on top of current master. """ See the full comment at https://github.com/freeipa/freeipa/pull/226#issuecomment-259695270 From freeipa-github-notification at redhat.com Thu Nov 10 14:49:04 2016 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Thu, 10 Nov 2016 15:49:04 +0100 Subject: [Freeipa-devel] [freeipa PR#226][comment] Build refactoring phase 5 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/226 Title: #226: Build refactoring phase 5 tomaskrizek commented: """ I don't understand Makefiles, but I tested building the git snapshots and srpms and it works. Just a few notes: - `make clean` removes only the most recently created tarball - there is not much of a time difference when building with `IPA_VERSION_IS_GIT_SNAPSHOT` - it takes about 1m50s instead of 1m35s when it's turned off. Is this expected? """ See the full comment at https://github.com/freeipa/freeipa/pull/226#issuecomment-259708799 From freeipa-github-notification at redhat.com Thu Nov 10 15:35:41 2016 
From: freeipa-github-notification at redhat.com (tiran) Date: Thu, 10 Nov 2016 16:35:41 +0100 Subject: [Freeipa-devel] [freeipa PR#182][comment] Use env var IPA_CONFDIR to get confdir for 'cli' context In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/182 Title: #182: Use env var IPA_CONFDIR to get confdir for 'cli' context tiran commented: """ The argument is moot. Even now you can't tell which config file ```ipa ping``` is going to load. There are tons of ways to modify behavior, e.g. mount binds, LD_PRELOAD, a ```sitecustomize.py``` or a ```.pth``` file in the user's site-packages which monkey-patches ```ipaplatform.paths.paths```... """ See the full comment at https://github.com/freeipa/freeipa/pull/182#issuecomment-259721448 From freeipa-github-notification at redhat.com Thu Nov 10 16:21:33 2016 From: freeipa-github-notification at redhat.com (jumitche) Date: Thu, 10 Nov 2016 17:21:33 +0100 Subject: [Freeipa-devel] [freeipa PR#215][synchronized] Add script to setup krb5 NFS exports In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/215 Author: jumitche Title: #215: Add script to setup krb5 NFS exports Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/215/head:pr215 git checkout pr215 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-215.patch Type: text/x-diff Size: 44858 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Nov 10 16:26:55 2016 
From: freeipa-github-notification at redhat.com (rcritten) Date: Thu, 10 Nov 2016 17:26:55 +0100 Subject: [Freeipa-devel] [freeipa PR#215][comment] Add script to setup krb5 NFS exports In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/215 Title: #215: Add script to setup krb5 NFS exports rcritten commented: """ Quite a lot of this code can be eliminated if you use ipalib instead of manually reading configuration files, forking out to ipa, doing a kinit, etc or do you expect/anticipate that this can be executed on non-IPA-enrolled clients? """ See the full comment at https://github.com/freeipa/freeipa/pull/215#issuecomment-259736364 From freeipa-github-notification at redhat.com Thu Nov 10 16:28:33 2016 From: freeipa-github-notification at redhat.com (mirielka) Date: Thu, 10 Nov 2016 17:28:33 +0100 Subject: [Freeipa-devel] [freeipa PR#224][comment] Integration tests for certs in idoverrides In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/224 Title: #224: Integration tests for certs in idoverrides mirielka commented: """ Functionally OK. Please extend commit message for the first commit and add links to tickets if applicable. Also ticket https://fedorahosted.org/freeipa/ticket/6146 is in closed milestone, please request update to open milestone. I did not do code review yet, will provide next week. """ See the full comment at https://github.com/freeipa/freeipa/pull/224#issuecomment-259736844 From freeipa-github-notification at redhat.com Thu Nov 10 16:40:21 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Thu, 10 Nov 2016 17:40:21 +0100 Subject: [Freeipa-devel] [freeipa PR#214][+ack] ipaldap: remove do_bind from LDAPClient In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/214 Title: #214: ipaldap: remove do_bind from LDAPClient Label: +ack From freeipa-github-notification at redhat.com Thu Nov 10 16:41:14 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Thu, 10 Nov 2016 17:41:14 +0100 Subject: [Freeipa-devel] [freeipa PR#214][+pushed] ipaldap: remove do_bind from LDAPClient In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/214 Title: #214: ipaldap: remove do_bind from LDAPClient Label: +pushed From freeipa-github-notification at redhat.com Thu Nov 10 16:41:16 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Thu, 10 Nov 2016 17:41:16 +0100 Subject: [Freeipa-devel] [freeipa PR#214][comment] ipaldap: remove do_bind from LDAPClient In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/214 Title: #214: ipaldap: remove do_bind from LDAPClient mbasti-rh commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/a68c95d11612108375877ff45bdb53ce6fc8fbe4 """ See the full comment at https://github.com/freeipa/freeipa/pull/214#issuecomment-259740460 From freeipa-github-notification at redhat.com Thu Nov 10 16:41:17 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Thu, 10 Nov 2016 17:41:17 +0100 Subject: [Freeipa-devel] [freeipa PR#214][closed] ipaldap: remove do_bind from LDAPClient In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/214 Author: tomaskrizek Title: #214: ipaldap: remove do_bind from LDAPClient Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/214/head:pr214 git checkout pr214 From freeipa-github-notification at redhat.com Thu Nov 10 17:06:35 2016 
From: freeipa-github-notification at redhat.com (jumitche) Date: Thu, 10 Nov 2016 18:06:35 +0100 Subject: [Freeipa-devel] [freeipa PR#215][comment] Add script to setup krb5 NFS exports In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/215 Title: #215: Add script to setup krb5 NFS exports jumitche commented: """ The idea was to produce a script to simplify the setup of kerberos encrypted NFS exports, to make something that was as simple to use as ipa-*-install is, including the configuration of the automount parameters that would be needed to utilise ipa-client-automount. The script calls the IPA external programs instead of using the library functions to make it easier to substitute AD versions if required. """ See the full comment at https://github.com/freeipa/freeipa/pull/215#issuecomment-259747784 From pvoborni at redhat.com Thu Nov 10 17:59:31 2016 
From: pvoborni at redhat.com (Petr Vobornik) Date: Thu, 10 Nov 2016 18:59:31 +0100 Subject: [Freeipa-devel] [PATCH] webui: Fix coverity bugs In-Reply-To: <8c539d0a-29ee-30ba-33eb-90aa0698f583@redhat.com> References: <17dedc13-dab5-4ae2-5a7b-d7921458a46f@redhat.com> <20160729132534.sdsdlda5c2gtvqj6@redhat.com> <8c539d0a-29ee-30ba-33eb-90aa0698f583@redhat.com> Message-ID: <5fa6db6e-98f8-4e66-95ba-2226015772d9@redhat.com> Commenting only on top, it's too long. ACK for everything. I've rebased patch 90. pushed to master master: * a2525ff64518038eaa64b0d855154a984030f7f3 Coverity - null pointer exception * d4ad0ca04c0ae445c784787a675ac84d2cbfd766 Coverity - null pointer exception * fa3982c7c82add3d201aec860cb981a595f10be9 Coverity - not initialized variable * de8cb7585b652fd1a61e3020e37192cb1db74f46 Coverity - identical code for different branches * 4b63ce26ebbef8ef1538aecb3cff8032df3357a7 Coverity - Accesing attribute of null * ed74e14ab4a17c83cf6782e4b6fd41a2ce79594d Coverity - removed dead code * 7be585dbb206ed12b25d09bfb2f5452ee9c125ae Coverity - true branch can't be executed * d94a2aa185defba38f2bbe2c5ee28f9b9defc0f2 Coverity - true branch can't be executed * cad9f9b682d9bcc33fdfb1112e4cfb1a2c66a498 Coverity - null pointer dereference * 4af31c70c57fc223920b71fedfb40d1de27622b2 Coverity - iterating over variable which could be null * cd74f78ed74f8898c492024d0901cef9778df067 Coverity - opens dialog which might not be created * aa8a904c4a3953e799278de192d1613d21cde42a Coverity - accessing attribute of variable which can point to null * 2644c955489ee5b22ecc0227c5cd8ed1e90ee648 Coverity - null pointer dereference On 08/05/2016 02:33 PM, Pavel Vomacka wrote: > > > On 08/01/2016 05:53 PM, Petr Vobornik wrote: >> On 07/29/2016 03:25 PM, Alexander Bokovoy wrote: >>> On Fri, 29 Jul 2016, Pavel Vomacka wrote: >>>> Hello, >>>> >>>> please review attached patches which fixes errors from Coverity. >>>> >>>> -- >>>> Pavel^3 Vomacka 
>>>> >>>> From 0391289b3f6844897e2a9f3ae549bd4c33233ffc Mon Sep 17 00:00:00 2001 >>>> From: Pavel Vomacka >>>> Date: Mon, 25 Jul 2016 10:36:47 +0200 >>>> Subject: [PATCH 01/13] Coverity - null pointer exception >>>> >>>> Variable 'option' can be null and there will be error of reading >>>> property of null. >>>> --- >>>> install/ui/src/freeipa/widget.js | 2 +- >>>> 1 file changed, 1 insertion(+), 1 deletion(-) >>>> >>>> diff --git a/install/ui/src/freeipa/widget.js >>>> b/install/ui/src/freeipa/widget.js >>>> index >>>> 9151ebac9438e9e674f81bfb1ccfe7a63872b1ae..cfdf5d4750951e4549c16a2b9b9c355f61e90c39 >>>> >>>> 100644 >>>> --- a/install/ui/src/freeipa/widget.js >>>> +++ b/install/ui/src/freeipa/widget.js >>>> @@ -2249,7 +2249,7 @@ IPA.option_widget_base = function(spec, that) { >>>> var child_values = []; >>>> var option = that.get_option(value); >>>> >>>> - if (option.widget) { >>>> + if (option && option.widget) { >>>> child_values = option.widget.save(); >>>> values.push.apply(values, child_values); >>>> } >>>> -- >>>> 2.5.5 >>>> >>> ACK >> ACK >> >>>> From 6df8e608232e25daa9aefe4fccbdeca4dbaf1998 Mon Sep 17 00:00:00 2001 >>>> From: Pavel Vomacka >>>> Date: Mon, 25 Jul 2016 10:43:00 +0200 >>>> Subject: [PATCH 02/13] Coverity - null pointer exception >>>> >>>> Variable 'row' could be null in some cases. And set css to variable >>>> which is pointing to null >>>> causes error. Therefore there is new check. >>>> --- >>>> install/ui/src/freeipa/widget.js | 2 ++ >>>> 1 file changed, 2 insertions(+) >>>> >>>> diff --git a/install/ui/src/freeipa/widget.js >>>> b/install/ui/src/freeipa/widget.js >>>> index >>>> cfdf5d4750951e4549c16a2b9b9c355f61e90c39..5844436abf090f12d5a9d65efe7a1aaee14097e2 >>>> >>>> 100644 >>>> --- a/install/ui/src/freeipa/widget.js >>>> +++ b/install/ui/src/freeipa/widget.js 
>>>> @@ -5766,6 +5766,8 @@ exp.fluid_layout = IPA.fluid_layout = >>>> function(spec) { >>>> that.on_visible_change = function(event) { >>>> >>>> var row = that._get_row(event); >>>> + if (!row) return; >>>> + >>>> if (event.visible) { >>>> row.css('display', ''); >>>> } else { >>>> -- >>>> 2.5.5 >>>> >>> ACK >> >> ACK >> >>> >>>> From 6f2ddc9e1c5323a640bdf744d2da00bfee7ab766 Mon Sep 17 00:00:00 2001 >>>> From: Pavel Vomacka >>>> Date: Mon, 25 Jul 2016 13:48:16 +0200 >>>> Subject: [PATCH 03/13] Coverity - not initialized variable >>>> >>>> The variable hasn't been initialized, now it is set to null by default. >>>> --- >>>> install/ui/src/freeipa/widget.js | 2 +- >>>> 1 file changed, 1 insertion(+), 1 deletion(-) >>>> >>>> diff --git a/install/ui/src/freeipa/widget.js >>>> b/install/ui/src/freeipa/widget.js >>>> index >>>> 5844436abf090f12d5a9d65efe7a1aaee14097e2..43804c5ea524ca741017d02f6e12ccf60d50b5df >>>> >>>> 100644 >>>> --- a/install/ui/src/freeipa/widget.js >>>> +++ b/install/ui/src/freeipa/widget.js >>>> @@ -1047,7 +1047,7 @@ IPA.multivalued_widget = function(spec) { >>>> >>>> that.child_spec = spec.child_spec; >>>> that.size = spec.size || 30; >>>> - that.undo_control; >>>> + that.undo_control = null; >>>> that.initialized = true; >>>> that.updating = false; >>>> >>>> -- >>>> 2.5.5 >>>> >>> ACK >> ACK >> >>> >>>> From b9ddd32ec45aadae5a79e372c3e1b70990071e60 Mon Sep 17 00:00:00 2001 >>>> From: Pavel Vomacka >>>> Date: Mon, 25 Jul 2016 14:42:50 +0200 >>>> Subject: [PATCH 04/13] Coverity - identical code for different branches >>>> >>>> In both cases when the condition is true or false ut is set the same >>>> value. >>>> Changed to assign the value directly. >>>> --- >>>> install/ui/src/freeipa/topology_graph.js | 4 ++-- >>>> 1 file changed, 2 insertions(+), 2 deletions(-) 
>>>> >>>> diff --git a/install/ui/src/freeipa/topology_graph.js >>>> b/install/ui/src/freeipa/topology_graph.js >>>> index >>>> ce2ebeaff611987ae27f2655b5da80bdcd1b4f8a..712d38fbe67e87ffa773e0a3a1f8937e9595c9a6 >>>> >>>> 100644 >>>> --- a/install/ui/src/freeipa/topology_graph.js >>>> +++ b/install/ui/src/freeipa/topology_graph.js >>>> @@ -325,8 +325,8 @@ topology_graph.TopoGraph = declare([Evented], { >>>> off = dir ? -1 : 1, // determines shift direction of >>>> curve >>>> ns = 5, // shift on normal vector >>>> s = target_count > 1 ? 1 : 0, // shift from center? >>>> - spad = d.left ? 18 : 18, // source padding >>>> - tpad = d.right ? 18 : 18, // target padding >>>> + spad = d.left = 18, // source padding >>>> + tpad = d.right = 18, // target padding >>>> sourceX = d.source.x + (spad * ux) + off * nx * ns >>>> * s, >>>> sourceY = d.source.y + (spad * uy) + off * ny * ns >>>> * s, >>>> targetX = d.target.x - (tpad * ux) + off * nx * ns >>>> * s, >>>> -- >>>> 2.5.5 >>>> >>> ACK >> NACK >> >> following lines are not equivalent >> spad = d.left ? 18 : 18 >> spad = d.left = 18 >> >> same with tpad > Fixed >>>> From f1f2b55247d6c7f41f8053f372a47945c93fc8a4 Mon Sep 17 00:00:00 2001 >>>> From: Pavel Vomacka >>>> Date: Mon, 25 Jul 2016 14:52:15 +0200 >>>> Subject: [PATCH 05/13] Coverity - Accesing attribute of null >>>> >>>> There is a possibility that widget is null and then there could be an >>>> error. >>>> Therefore there is new check of widget variable. >>>> --- >>>> install/ui/src/freeipa/widgets/APIBrowserWidget.js | 2 +- >>>> 1 file changed, 1 insertion(+), 1 deletion(-) >>>> >>>> diff --git a/install/ui/src/freeipa/widgets/APIBrowserWidget.js >>>> b/install/ui/src/freeipa/widgets/APIBrowserWidget.js >>>> index >>>> 1a3726190d4a5d628a8f7c2b564c4c9f6e7cea1f..50c2989fcc126585787df61cdd19493632ed37b9 >>>> >>>> 100644 >>>> --- a/install/ui/src/freeipa/widgets/APIBrowserWidget.js >>>> +++ b/install/ui/src/freeipa/widgets/APIBrowserWidget.js 
>>>> @@ -252,7 +252,7 @@ widgets.APIBrowserWidget = declare([Stateful, >>>> Evented], { >>>> } >>>> >>>> // switch widget >>>> - if (!widget.el) widget.render(); >>>> + if (widget && !widget.el) widget.render(); >>>> if (this.current_details_w !== widget) { >>>> this.details_el.empty(); >>>> this.details_el.append(widget.el); >>>> -- >>>> 2.5.5 >>>> >>> ACK >> ACK >> >>>> From 1476b5ed3ab5c4ec55f3ed20ad07a5b88cfd45f2 Mon Sep 17 00:00:00 2001 >>>> From: Pavel Vomacka >>>> Date: Mon, 25 Jul 2016 16:47:22 +0200 >>>> Subject: [PATCH 06/13] Coverity - removed dead code >>>> >>>> There cannot be string value because of previous checks. >>>> --- >>>> install/ui/src/freeipa/dns.js | 12 ++++-------- >>>> 1 file changed, 4 insertions(+), 8 deletions(-) >>>> >>>> diff --git a/install/ui/src/freeipa/dns.js >>>> b/install/ui/src/freeipa/dns.js >>>> index >>>> 2d424aeae8ef735d02426a0f08b6261ec2f04c19..822c0b3cedb3988563c0a1f83862f56e95eed21b >>>> >>>> 100644 >>>> --- a/install/ui/src/freeipa/dns.js >>>> +++ b/install/ui/src/freeipa/dns.js >>>> @@ -1509,14 +1509,10 @@ IPA.dns.record_prepare_editor_for_type = >>>> function(type, fields, widgets, update) >>>> >>>> //create editor widget >>>> var widget = {}; >>>> - if (typeof attribute === 'string') { >>>> - widget.name = attribute; >>>> - } else { >>>> - widget.name = attribute.name; >>>> - set_defined(attribute.$type, widget, '$type'); >>>> - set_defined(attribute.options, widget, 'options'); >>>> - copy_obj(widget, attribute.widget_opt); >>>> - } >>>> + widget.name = attribute.name; >>>> + set_defined(attribute.$type, widget, '$type'); >>>> + set_defined(attribute.options, widget, 'options'); >>>> + copy_obj(widget, attribute.widget_opt); >>>> section.widgets.push(widget); >>>> } >>>> }; >>>> -- >>>> 2.5.5 >>>> >>> ACK >> ACK >> >>> >>>> From b1dd66f3b08889b51430d9176035366cb055324e Mon Sep 17 00:00:00 2001 
>>>> From: Pavel Vomacka >>>> Date: Mon, 25 Jul 2016 17:44:56 +0200 >>>> Subject: [PATCH 07/13] Coverity - true branch can't be executed >>>> >>>> The 'data' variable is always false because of previous condition. >>>> Therefore there is direct assignment. >>>> --- >>>> install/ui/src/freeipa/rpc.js | 2 +- >>>> 1 file changed, 1 insertion(+), 1 deletion(-) >>>> >>>> diff --git a/install/ui/src/freeipa/rpc.js >>>> b/install/ui/src/freeipa/rpc.js >>>> index >>>> a185585f4176658e299e7e92434522c936cc36b4..88aaf6ede72ea69495c369dd74c657d0419a3605 >>>> >>>> 100644 >>>> --- a/install/ui/src/freeipa/rpc.js >>>> +++ b/install/ui/src/freeipa/rpc.js >>>> @@ -372,7 +372,7 @@ rpc.command = function(spec) { >>>> error_handler.call(this, xhr, text_status, /* >>>> error_thrown */ { >>>> name: text.get('@i18n:errors.http_error', 'HTTP >>>> Error')+' '+xhr.status, >>>> url: this.url, >>>> - message: data ? xhr.statusText : >>>> text.get('@i18n:errors.no_response', 'No response') >>>> + message: text.get('@i18n:errors.no_response', 'No >>>> response') >>>> }); >>>> >>>> } else if (IPA.version && data.version && IPA.version !== >>>> data.version) { >>>> -- >>>> 2.5.5 >>>> >>> ACK >> >> ACK - patch fixes the issue. >> >> But I wonder if it should be rather: >> message: xhr ? xhr.statusText : text.get('@i18n:errors.no_response', >> 'No response') >> >> don't remember. > That's true, fixed. >>> >>>> From 463f24936469d87890b666dfd7edabbe90541491 Mon Sep 17 00:00:00 2001 >>>> From: Pavel Vomacka >>>> Date: Mon, 25 Jul 2016 17:49:50 +0200 >>>> Subject: [PATCH 08/13] Coverity - true branch can't be executed >>>> >>>> The 'result' variable is always false because of previous condition. >>>> Therefore there is direct assignment. >>>> --- >>>> install/ui/src/freeipa/rpc.js | 2 +- >>>> 1 file changed, 1 insertion(+), 1 deletion(-) 
>>>> >>>> diff --git a/install/ui/src/freeipa/rpc.js >>>> b/install/ui/src/freeipa/rpc.js >>>> index >>>> 88aaf6ede72ea69495c369dd74c657d0419a3605..30a5366787974b2d127114f7683d0589ed332f5a >>>> >>>> 100644 >>>> --- a/install/ui/src/freeipa/rpc.js >>>> +++ b/install/ui/src/freeipa/rpc.js >>>> @@ -628,7 +628,7 @@ rpc.batch_command = function(spec) { >>>> >>>> if (!result) { >>>> name = text.get('@i18n:errors.internal_error', >>>> 'Internal Error')+' '+xhr.status; >>>> - message = result ? xhr.statusText : >>>> text.get('@i18n:errors.internal_error', 'Internal Error'); >>>> + message = text.get('@i18n:errors.internal_error', >>>> 'Internal Error'); >>>> >>>> that.errors.add(command, name, message, text_status); >>>> >>>> -- >>>> 2.5.5 >>>> >>> ACK >> same as previous > Fixed as well. >>>> From c0ba1c141b6191e2a7ef33bc9eaaad5c970f9d0e Mon Sep 17 00:00:00 2001 >>>> From: Pavel Vomacka >>>> Date: Mon, 25 Jul 2016 18:25:36 +0200 >>>> Subject: [PATCH 09/13] Coverity - null pointer dereference >>>> >>>> The 'obj' variable could be null, so there could be error when it is >>>> used. >>>> A new check that 'obj' is not false is added. >>>> --- >>>> install/ui/src/freeipa/widgets/browser_widgets.js | 6 +++--- >>>> 1 file changed, 3 insertions(+), 3 deletions(-) >>>> >>>> diff --git a/install/ui/src/freeipa/widgets/browser_widgets.js >>>> b/install/ui/src/freeipa/widgets/browser_widgets.js >>>> index >>>> 57ad2bd984ea35f03b302b59fc1d014def162bd8..91bb850a638fd6f16f207b1111d126fbb4fe2dd8 >>>> >>>> 100644 >>>> --- a/install/ui/src/freeipa/widgets/browser_widgets.js >>>> +++ b/install/ui/src/freeipa/widgets/browser_widgets.js 
>>>> @@ -427,11 +427,11 @@ widgets.browser_widgets.CommandDetailWidget = >>>> declare([base], { >>>> if (i>0) { >>>> out_params_cnt.append(', '); >>>> } >>>> - if (!param) { >>>> - out_params_cnt.append(param_name); >>>> - } else { >>>> + if (param && obj) { >>>> var link = this.render_param_link(obj.name, >>>> param_name); >>>> out_params_cnt.append(link); >>>> + } else { >>>> + out_params_cnt.append(param_name); >>>> } >>>> } >>>> out_params_cnt.appendTo(this.el); >>>> -- >>>> 2.5.5 >>>> >>> ACK >> ACK >> >>>> From a9f7ecf5833db379fe9731184aa4f7aef8845995 Mon Sep 17 00:00:00 2001 >>>> From: Pavel Vomacka >>>> Date: Tue, 26 Jul 2016 09:48:32 +0200 >>>> Subject: [PATCH 10/13] Coverity - iterating over variable which could >>>> be null >>>> >>>> Change condition to check also variable which could be null. >>>> --- >>>> install/ui/src/freeipa/widgets/APIBrowserWidget.js | 8 ++++---- >>>> 1 file changed, 4 insertions(+), 4 deletions(-) >>>> >>>> diff --git a/install/ui/src/freeipa/widgets/APIBrowserWidget.js >>>> b/install/ui/src/freeipa/widgets/APIBrowserWidget.js >>>> index >>>> 50c2989fcc126585787df61cdd19493632ed37b9..18773536d3587cdeb9e5fecedcc5e42c05bfe120 >>>> >>>> 100644 >>>> --- a/install/ui/src/freeipa/widgets/APIBrowserWidget.js >>>> +++ b/install/ui/src/freeipa/widgets/APIBrowserWidget.js >>>> @@ -135,7 +135,7 @@ widgets.APIBrowserWidget = declare([Stateful, >>>> Evented], { >>>> groups = this._get_params(parts[0]); >>>> } >>>> >>>> - if (filter) { >>>> + if (filter && groups) { >>>> filter = filter.toLowerCase(); >>>> var new_groups = []; >>>> for (var i=0,l=groups.length; i>>> @@ -153,10 +153,10 @@ widgets.APIBrowserWidget = declare([Stateful, >>>> Evented], { >>>> new_groups.push(groups[i]); >>>> } >>>> } >>>> - return new_groups; >>>> - } else { >>>> - return groups; >>>> + groups = new_groups; >>>> } >>>> + >>>> + return groups; >>>> }, >>>> >>>> /** >>>> -- >>>> 2.5.5 >>>> >>> ACK >> ACK 
>> >>> >>>> From 3d63ca1d5cb7a7b84cf20c26d4b1ea5b657c44c4 Mon Sep 17 00:00:00 2001 >>>> From: Pavel Vomacka >>>> Date: Tue, 26 Jul 2016 12:03:28 +0200 >>>> Subject: [PATCH 11/13] Coverity - opens dialog which might not be >>>> created >>>> >>>> Check whether dialog object is created before opening it. >>>> --- >>>> install/ui/src/freeipa/search.js | 2 +- >>>> 1 file changed, 1 insertion(+), 1 deletion(-) >>>> >>>> diff --git a/install/ui/src/freeipa/search.js >>>> b/install/ui/src/freeipa/search.js >>>> index >>>> 25f21e70db170daf0d45a6862ee9adb528ad03bc..fee1bc7523d6afdb3e2b23db2833a415febb85ec >>>> >>>> 100644 >>>> --- a/install/ui/src/freeipa/search.js >>>> +++ b/install/ui/src/freeipa/search.js >>>> @@ -221,7 +221,7 @@ IPA.search_facet = function(spec, no_init) { >>>> that.show_remove_dialog = function() { >>>> >>>> var dialog = that.create_remove_dialog(); >>>> - dialog.open(); >>>> + if (dialog) dialog.open(); >>>> }; >>>> >>>> that.find = function() { >>>> -- >>>> 2.5.5 >>>> >>> ACK >> >> ACK but question is whether we should laso log to console that dialog is >> not defined because it just hides an issue which may be harder to debug. >> > It's a good idea, logging added. >>>> From 7819293fc546de31cc5eea246242742af3be094e Mon Sep 17 00:00:00 2001 >>>> From: Pavel Vomacka >>>> Date: Tue, 26 Jul 2016 13:07:30 +0200 >>>> Subject: [PATCH 12/13] Coverity - accessing attribute of variable >>>> which can >>>> point to null >>>> >>>> Added check whether variable is pointing to null or not. >>>> --- >>>> install/ui/src/freeipa/widget.js | 4 ++-- >>>> 1 file changed, 2 insertions(+), 2 deletions(-) >>>> >>>> diff --git a/install/ui/src/freeipa/widget.js >>>> b/install/ui/src/freeipa/widget.js >>>> index >>>> 43804c5ea524ca741017d02f6e12ccf60d50b5df..1f61ce7341b1b8e13d4df5acea1f8901a63a290a >>>> >>>> 100644 >>>> --- a/install/ui/src/freeipa/widget.js >>>> +++ b/install/ui/src/freeipa/widget.js 
>>>> @@ -4938,7 +4938,7 @@ IPA.combobox_widget = function(spec) { >>>> var value = that.list.val(); >>>> var option = $('option[value="'+value+'"]', that.list); >>>> var next = option.next(); >>>> - if (!next.length) return; >>>> + if (!next || !next.length) return; >>>> that.select(next.val()); >>>> }; >>>> >>>> @@ -4946,7 +4946,7 @@ IPA.combobox_widget = function(spec) { >>>> var value = that.list.val(); >>>> var option = $('option[value="'+value+'"]', that.list); >>>> var prev = option.prev(); >>>> - if (!prev.length) return; >>>> + if (!prev || !prev.length) return; >>>> that.select(prev.val()); >>>> }; >>>> >>>> -- >>>> 2.5.5 >>>> >>> ACK >> ACK, but IMO the situation cannot happen. .next() and .prev() should not >> return null ever. >> > There are condition which return null in next() and prev() functions. > So, it could happen. >>>> From 3ba5110fa8b2255b83fa3e7a4135ec33b85a7fd8 Mon Sep 17 00:00:00 2001 >>>> From: Pavel Vomacka >>>> Date: Fri, 29 Jul 2016 10:13:21 +0200 >>>> Subject: [PATCH 13/13] Coverity - null pointer dereference >>>> >>>> Add check which protect from calling method of null. >>>> --- >>>> install/ui/src/freeipa/widgets/APIBrowserWidget.js | 2 +- >>>> 1 file changed, 1 insertion(+), 1 deletion(-) >>>> >>>> diff --git a/install/ui/src/freeipa/widgets/APIBrowserWidget.js >>>> b/install/ui/src/freeipa/widgets/APIBrowserWidget.js >>>> index >>>> 18773536d3587cdeb9e5fecedcc5e42c05bfe120..2164df2f5ffa00edf9ac41fd4cf6254f6d4eb9a3 >>>> >>>> 100644 >>>> --- a/install/ui/src/freeipa/widgets/APIBrowserWidget.js >>>> +++ b/install/ui/src/freeipa/widgets/APIBrowserWidget.js 
>>>> @@ -264,7 +264,7 @@ widgets.APIBrowserWidget = declare([Stateful, >>>> Evented], { >>>> this.list_w.select(item); >>>> >>>> // set item >>>> - widget.set('item', item); >>>> + if (widget) widget.set('item', item); >>>> this.set('current', { >>>> item: item, >>>> type: type, >>>> -- >>>> 2.5.5 >>>> >>> ACK >>> >> Does it fix the issue? There is a line before this one which also uses >> `widget` >> >> if (!widget.el) widget.render(); >> >> maybe we miss `return;` in: >> >> } else { >> IPA.notify("Invalid type", 'error'); >> this.show_default(); >> } >> >> >> >> >> > There is another patch, which fixes the line above this one (0089). Or > we can add return to the and of else branch. > -- Petr Vobornik From pvoborni at redhat.com Thu Nov 10 18:47:38 2016 
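Review bot: In PATCH 04/13 (topology_graph.js, hunk at line 325), the new lines `spad = d.left = 18` and `tpad = d.right = 18` are assignments, not constants: each one overwrites the `d.left` / `d.right` property of the link with 18 as a side effect, which the removed `d.left ? 18 : 18` never did. Since both branches of the old ternary yield 18, plain `spad = 18` and `tpad = 18` keep the value without touching `d`.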
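Review bot: In PATCH 05/13 (APIBrowserWidget.js, hunk at line 252), guarding only the render call leaves `this.details_el.append(widget.el)` two lines below still dereferencing `widget` when it is null. An early return when `widget` is falsy, placed before the `// switch widget` block, would cover that line and also the later `widget.set('item', item)` that PATCH 13/13 guards separately.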
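Review bot: In PATCH 07/13 (rpc.js, hunk at line 372), replacing the ternary with the fixed 'No response' text drops `xhr.statusText` from the error altogether, even though `xhr.status` is still read for `name` two lines above, so an HTTP error that has a status is reported as having no response. Selecting on `xhr.statusText` instead of `data` keeps the server's status text and still falls back to `errors.no_response` when it is empty.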
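Review bot: In PATCH 08/13 (rpc.js, hunk at line 628), after this change `name` and `message` are both built from `errors.internal_error`, so the entry passed to `that.errors.add(...)` repeats 'Internal Error' and carries no detail beyond `xhr.status`. If `xhr.statusText` was the intended detail, select on it rather than on `result`, which is always falsy inside `if (!result)`.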
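Review bot: In PATCH 11/13 (search.js, hunk at line 221), `if (dialog) dialog.open();` turns a failed `create_remove_dialog()` into a silent no-op: `show_remove_dialog` returns normally, nothing is shown, and nothing is recorded. Add an else branch that logs or notifies when `dialog` is falsy so the missing dialog stays visible during debugging.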
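Review bot: In PATCH 12/13 (widget.js, hunks at lines 4938 and 4946), the added `!next` and `!prev` tests look redundant: `option` is the result of a `$(...)` call, and assuming `$` is jQuery here, `.next()` and `.prev()` return a jQuery object even when no sibling matches, so the existing `!next.length` / `!prev.length` tests already cover the empty case. If the extra test is kept only to quiet the checker, say so in the commit message.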
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 10 Nov 2016 19:47:38 +0100
Subject: [Freeipa-devel] [PATCH] webui: 0084, 0101: refactoring rpc module
In-Reply-To:
References:
Message-ID: <9c4a9170-6465-3597-ae7c-709100109a7d@redhat.com>

On 08/09/2016 01:29 PM, Pavel Vomacka wrote:
> Hello,
>
> please review attached patches.
>
> The rpc module is now separated from display layer
> and changing activity text while loading metadata.
>
> https://fedorahosted.org/freeipa/ticket/6144
>
>
>

patch 84:

Looks good, works fine, it just needed rebase (I could provide that).

Idea, but that doesn't have to be implemented, or sometime in future, right now it is not useful: What about providing the rpc object in the event, and having unique id for each rpc call so that we could track all rpc which are executed.

patch 101:

1. It's event name but the property name looks like that it contains a text:

that.change_text = 'change-activity-text';

Should it be rather: that.change_text_event.

Or even, why does it compare previous text? Does it matter? Wouldn't it be better to have 'set-activity' event. And then the handler would call something new set_text method:

set_text(new_activity)
    that.dots = 0
    that.text = new_activity
    that.make_step()

--
Petr Vobornik

From freeipa-github-notification at redhat.com Thu Nov 10 20:45:10 2016
From: freeipa-github-notification at redhat.com (flo-renaud) Date: Thu, 10 Nov 2016 21:45:10 +0100 Subject: [Freeipa-devel] [freeipa PR#229][synchronized] Remove the renewal lock file upon uninstall In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/229 Author: flo-renaud Title: #229: Remove the renewal lock file upon uninstall Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/229/head:pr229 git checkout pr229 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-229.patch Type: text/x-diff Size: 3875 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Nov 10 20:49:02 2016 From: freeipa-github-notification at redhat.com (flo-renaud) Date: Thu, 10 Nov 2016 21:49:02 +0100 Subject: [Freeipa-devel] [freeipa PR#219][comment] Refactor installer code requesting certificates In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/219 Title: #219: Refactor installer code requesting certificates flo-renaud commented: """ I updated the patch for renewal lock with a new fix. The timeout needs to be increased, but the lock may also happen because the renewal scripts are run by certmonger during the cert request and should not (for instance for http cert the renewal script restarts httpd while the service is not completely configured). """ See the full comment at https://github.com/freeipa/freeipa/pull/219#issuecomment-259803269 From freeipa-github-notification at redhat.com Fri Nov 11 01:57:31 2016 
From: freeipa-github-notification at redhat.com (frasertweedale) Date: Fri, 11 Nov 2016 02:57:31 +0100 Subject: [Freeipa-devel] [freeipa PR#173][synchronized] Ensure correct IPA CA nickname in DS and HTTP NSSDBs In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/173 Author: frasertweedale Title: #173: Ensure correct IPA CA nickname in DS and HTTP NSSDBs Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/173/head:pr173 git checkout pr173 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-173.patch Type: text/x-diff Size: 2532 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Nov 11 05:18:29 2016 From: freeipa-github-notification at redhat.com (frasertweedale) Date: Fri, 11 Nov 2016 06:18:29 +0100 Subject: [Freeipa-devel] [freeipa PR#229][comment] Remove the renewal lock file upon uninstall In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/229 Title: #229: Remove the renewal lock file upon uninstall frasertweedale commented: """ Works as expected. """ See the full comment at https://github.com/freeipa/freeipa/pull/229#issuecomment-259883307 From freeipa-github-notification at redhat.com Fri Nov 11 06:01:21 2016 From: freeipa-github-notification at redhat.com (jcholast) Date: Fri, 11 Nov 2016 07:01:21 +0100 Subject: [Freeipa-devel] [freeipa PR#173][+pushed] Ensure correct IPA CA nickname in DS and HTTP NSSDBs In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/173 Title: #173: Ensure correct IPA CA nickname in DS and HTTP NSSDBs Label: +pushed From freeipa-github-notification at redhat.com Fri Nov 11 06:01:23 2016 
From: freeipa-github-notification at redhat.com (jcholast) Date: Fri, 11 Nov 2016 07:01:23 +0100 Subject: [Freeipa-devel] [freeipa PR#173][comment] Ensure correct IPA CA nickname in DS and HTTP NSSDBs In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/173 Title: #173: Ensure correct IPA CA nickname in DS and HTTP NSSDBs jcholast commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/cdd41e06e6ef97efafd36ee9e4c8d3be9e4099e7 """ See the full comment at https://github.com/freeipa/freeipa/pull/173#issuecomment-259887677 From freeipa-github-notification at redhat.com Fri Nov 11 06:01:24 2016 From: freeipa-github-notification at redhat.com (jcholast) Date: Fri, 11 Nov 2016 07:01:24 +0100 Subject: [Freeipa-devel] [freeipa PR#173][closed] Ensure correct IPA CA nickname in DS and HTTP NSSDBs In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/173 Author: frasertweedale Title: #173: Ensure correct IPA CA nickname in DS and HTTP NSSDBs Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/173/head:pr173 git checkout pr173 From freeipa-github-notification at redhat.com Fri Nov 11 09:12:33 2016 From: freeipa-github-notification at redhat.com (pspacek) Date: Fri, 11 Nov 2016 10:12:33 +0100 Subject: [Freeipa-devel] [freeipa PR#226][synchronized] Build refactoring phase 5 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/226 Author: pspacek Title: #226: Build refactoring phase 5 Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/226/head:pr226 git checkout pr226 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-226.patch Type: text/x-diff Size: 15026 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Nov 11 09:26:42 2016 
From: freeipa-github-notification at redhat.com (jcholast) Date: Fri, 11 Nov 2016 10:26:42 +0100 Subject: [Freeipa-devel] [freeipa PR#214][comment] ipaldap: remove do_bind from LDAPClient In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/214 Title: #214: ipaldap: remove do_bind from LDAPClient jcholast commented: """ DM password may be `None` in `dns_container_exists()` and `dnssec_container_exists()` (for example in `BindInstance.setup()`), so you can't simple bind unconditionally. """ See the full comment at https://github.com/freeipa/freeipa/pull/214#issuecomment-259916767 From freeipa-github-notification at redhat.com Fri Nov 11 09:26:43 2016 From: freeipa-github-notification at redhat.com (jcholast) Date: Fri, 11 Nov 2016 10:26:43 +0100 Subject: [Freeipa-devel] [freeipa PR#214][reopened] ipaldap: remove do_bind from LDAPClient In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/214 Author: tomaskrizek Title: #214: ipaldap: remove do_bind from LDAPClient Action: reopened To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/214/head:pr214 git checkout pr214 From freeipa-github-notification at redhat.com Fri Nov 11 09:39:49 2016 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Fri, 11 Nov 2016 10:39:49 +0100 Subject: [Freeipa-devel] [freeipa PR#226][+ack] Build refactoring phase 5 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/226 Title: #226: Build refactoring phase 5 Label: +ack From freeipa-github-notification at redhat.com Fri Nov 11 09:42:00 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Fri, 11 Nov 2016 10:42:00 +0100 Subject: [Freeipa-devel] [freeipa PR#226][+pushed] Build refactoring phase 5 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/226 Title: #226: Build refactoring phase 5 Label: +pushed From freeipa-github-notification at redhat.com Fri Nov 11 09:42:01 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Fri, 11 Nov 2016 10:42:01 +0100 Subject: [Freeipa-devel] [freeipa PR#226][comment] Build refactoring phase 5 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/226 Title: #226: Build refactoring phase 5 mbasti-rh commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/394edf5f055766fa0cdf70afab6d263f75d0d065 https://fedorahosted.org/freeipa/changeset/f6f5708a5ac56392f7a4b82f63c5e16cc1f1fd99 https://fedorahosted.org/freeipa/changeset/3dc5d2c6f9a0fc134616c615634ae505ef753f77 https://fedorahosted.org/freeipa/changeset/a691b7d1837595fecd37bf88a875cb0753f7e698 https://fedorahosted.org/freeipa/changeset/0023fb59240cb53a541763a89db038c186312154 https://fedorahosted.org/freeipa/changeset/8c81c6c5b8ea62addbc175308a4e357c75d65ef0 https://fedorahosted.org/freeipa/changeset/961773bd0455e6fc723dbbed4f53e4b483360c32 """ See the full comment at https://github.com/freeipa/freeipa/pull/226#issuecomment-259919596 From freeipa-github-notification at redhat.com Fri Nov 11 09:42:03 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Fri, 11 Nov 2016 10:42:03 +0100 Subject: [Freeipa-devel] [freeipa PR#226][closed] Build refactoring phase 5 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/226 Author: pspacek Title: #226: Build refactoring phase 5 Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/226/head:pr226 git checkout pr226 From freeipa-github-notification at redhat.com Fri Nov 11 10:59:13 2016 
From: freeipa-github-notification at redhat.com (jcholast) Date: Fri, 11 Nov 2016 11:59:13 +0100 Subject: [Freeipa-devel] [freeipa PR#232][opened] Installer refactoring Message-ID: URL: https://github.com/freeipa/freeipa/pull/232 Author: jcholast Title: #232: Installer refactoring Action: opened PR body: """
This PR contains the installer refactoring work we (@jcholast, @martbab, @mbasti-rh, @stlaz) did in the last 6 weeks.

What is included:
- Replica install workflows were updated to more closely resemble each other.
- Some classic replica installation and replica promotion code was merged.
- Client installer was turned into a module.
- Command line options shared between multiple installers are now defined in one place.

What is missing:
- Use GSSAPI authentication for initial replication on domain level 0 (jcholast/freeipa#22).
- Merge the rest of classic replica installation and replica promotion code.
- Call into the client installer module instead of executing `ipa-client-install` in server installers.
- Update the remaining installers (`ipa-replica-prepare`, `ipa-ca-install`, `ipa-kra-install`, `ipa-dns-install`) to make use of the single option definition.

Known issues:
- Ugly help in `ipa-server-install`, `ipa-replica-install` and `ipa-client-install`.

https://fedorahosted.org/freeipa/ticket/6392

Note that the commits in this PR were already reviewed and ACKed over at [jcholast/freeipa](https://github.com/jcholast/freeipa) ([list of PRs](https://github.com/jcholast/freeipa/pulls?q=is%3Aclosed+label%3Ainstaller-refactoring)). If you find any issues, please file a Trac ticket or leave a comment in this PR.
""" To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/232/head:pr232 git checkout pr232 -------------- next part -------------- A non-text attachment was scrubbed...
Name: freeipa-pr-232.patch Type: text/x-diff Size: 774572 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Nov 11 10:59:18 2016 From: freeipa-github-notification at redhat.com (jcholast) Date: Fri, 11 Nov 2016 11:59:18 +0100 Subject: [Freeipa-devel] [freeipa PR#232][+ack] Installer refactoring In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/232 Title: #232: Installer refactoring Label: +ack From freeipa-github-notification at redhat.com Fri Nov 11 11:03:58 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Fri, 11 Nov 2016 12:03:58 +0100 Subject: [Freeipa-devel] [freeipa PR#232][comment] Installer refactoring In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/232 Title: #232: Installer refactoring mbasti-rh commented: """ ACK, we may ignore those minor PEP8 issues, it is mainly caused by copying code to other parts. """ See the full comment at https://github.com/freeipa/freeipa/pull/232#issuecomment-259934428 From freeipa-github-notification at redhat.com Fri Nov 11 11:13:22 2016 From: freeipa-github-notification at redhat.com (jcholast) Date: Fri, 11 Nov 2016 12:13:22 +0100 Subject: [Freeipa-devel] [freeipa PR#232][+pushed] Installer refactoring In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/232 Title: #232: Installer refactoring Label: +pushed From freeipa-github-notification at redhat.com Fri Nov 11 11:15:38 2016 
From: freeipa-github-notification at redhat.com (jcholast) Date: Fri, 11 Nov 2016 12:15:38 +0100 Subject: [Freeipa-devel] [freeipa PR#232][comment] Installer refactoring In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/232 Title: #232: Installer refactoring jcholast commented: """ Fixed upstream master: """ See the full comment at https://github.com/freeipa/freeipa/pull/232#issuecomment-259936336 From freeipa-github-notification at redhat.com Fri Nov 11 11:15:40 2016 From: freeipa-github-notification at redhat.com (jcholast) Date: Fri, 11 Nov 2016 12:15:40 +0100 Subject: [Freeipa-devel] [freeipa PR#232][closed] Installer refactoring In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/232 Author: jcholast Title: #232: Installer refactoring Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/232/head:pr232 git checkout pr232 From freeipa-github-notification at redhat.com Fri Nov 11 11:23:35 2016
From: freeipa-github-notification at redhat.com (pspacek) Date: Fri, 11 Nov 2016 12:23:35 +0100 Subject: [Freeipa-devel] [freeipa PR#233][opened] Build phase 6: %install cleanup Message-ID: URL: https://github.com/freeipa/freeipa/pull/233 Author: pspacek Title: #233: Build phase 6: %install cleanup Action: opened PR body: """ This patch set is based on phase 5 - PR #226. Now all the installation steps (except Python2/3) are handled by make install. Python 2/3 support will deserve a separate PR. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/233/head:pr233 git checkout pr233 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-233.patch Type: text/x-diff Size: 24009 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Nov 11 11:25:10 2016 From: freeipa-github-notification at redhat.com (pspacek) Date: Fri, 11 Nov 2016 12:25:10 +0100 Subject: [Freeipa-devel] [freeipa PR#233][synchronized] Build phase 6: %install cleanup In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/233 Author: pspacek Title: #233: Build phase 6: %install cleanup Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/233/head:pr233 git checkout pr233 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-233.patch Type: text/x-diff Size: 8960 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Nov 11 11:25:33 2016
From: freeipa-github-notification at redhat.com (pspacek) Date: Fri, 11 Nov 2016 12:25:33 +0100 Subject: [Freeipa-devel] [freeipa PR#233][comment] Build phase 6: %install cleanup In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/233 Title: #233: Build phase 6: %install cleanup pspacek commented: """ Rebased on top of current master. """ See the full comment at https://github.com/freeipa/freeipa/pull/233#issuecomment-259937908 From freeipa-github-notification at redhat.com Fri Nov 11 11:28:44 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Fri, 11 Nov 2016 12:28:44 +0100 Subject: [Freeipa-devel] [freeipa PR#207][comment] Provide user hint about IP address in IPA install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/207 Title: #207: Provide user hint about IP address in IPA install mbasti-rh commented: """ LGTM, I'll test later """ See the full comment at https://github.com/freeipa/freeipa/pull/207#issuecomment-259938389 From freeipa-github-notification at redhat.com Fri Nov 11 11:30:56 2016 
From: freeipa-github-notification at redhat.com (martbab) Date: Fri, 11 Nov 2016 12:30:56 +0100 Subject: [Freeipa-devel] [freeipa PR#234][opened] Always use GSSAPI to set up initial replication Message-ID: URL: https://github.com/freeipa/freeipa/pull/234 Author: martbab Title: #234: Always use GSSAPI to set up initial replication Action: opened PR body: """ This PR makes DS replica use a common method to set up initial replication in both domain levels, namely GSSAPI. Since the workflow was introduced during replica promotion work, I have taken special care to make it work also against old (think ipa 3.0.0) masters that may still be in production. https://fedorahosted.org/freeipa/ticket/6406 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/234/head:pr234 git checkout pr234 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-234.patch Type: text/x-diff Size: 15570 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Nov 11 11:34:14 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Fri, 11 Nov 2016 12:34:14 +0100 Subject: [Freeipa-devel] [freeipa PR#233][comment] Build phase 6: %install cleanup In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/233 Title: #233: Build phase 6: %install cleanup mbasti-rh commented: """ Build failed ``` Failed to open: 'freeipa.spec.in', not a valid spec file. ``` """ See the full comment at https://github.com/freeipa/freeipa/pull/233#issuecomment-259939261 From freeipa-github-notification at redhat.com Fri Nov 11 11:36:48 2016
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Fri, 11 Nov 2016 12:36:48 +0100 Subject: [Freeipa-devel] [freeipa PR#174][comment] add log module In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/174 Title: #174: add log module mbasti-rh commented: """ @shanyin Did centralized logging meet your requirements? """ See the full comment at https://github.com/freeipa/freeipa/pull/174#issuecomment-259939617 From freeipa-github-notification at redhat.com Fri Nov 11 11:48:06 2016 From: freeipa-github-notification at redhat.com (pspacek) Date: Fri, 11 Nov 2016 12:48:06 +0100 Subject: [Freeipa-devel] [freeipa PR#213][edited] Build system refactoring phase 3 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/213 Author: pspacek Title: #213: Build system refactoring phase 3 Action: edited Changed field: body Original value: """
This monster patch-set refactors most of build system and moves most of the logic from SPEC file to build system.

It is not yet complete, missing parts are:
- [ ] Python 3 support
- [ ] Client-only build is not supported
- [ ] IPA_VERSION_IS_GIT_SNAPSHOT does not work (fix in #226)

These will be sorted out later on but the review of the patch set can begin.
""" From freeipa-github-notification at redhat.com Fri Nov 11 11:51:14 2016
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Fri, 11 Nov 2016 12:51:14 +0100 Subject: [Freeipa-devel] [freeipa PR#214][synchronized] ipaldap: remove do_bind from LDAPClient In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/214 Author: tomaskrizek Title: #214: ipaldap: remove do_bind from LDAPClient Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/214/head:pr214 git checkout pr214 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-214.patch Type: text/x-diff Size: 14521 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Nov 11 11:56:25 2016 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Fri, 11 Nov 2016 12:56:25 +0100 Subject: [Freeipa-devel] [freeipa PR#214][synchronized] ipaldap: remove do_bind from LDAPClient In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/214 Author: tomaskrizek Title: #214: ipaldap: remove do_bind from LDAPClient Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/214/head:pr214 git checkout pr214 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-214.patch Type: text/x-diff Size: 9896 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Nov 11 12:21:18 2016 
From: freeipa-github-notification at redhat.com (martbab) Date: Fri, 11 Nov 2016 13:21:18 +0100 Subject: [Freeipa-devel] [freeipa PR#196][comment] ipatests: unresolvable nested netgroups In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/196 Title: #196: ipatests: unresolvable nested netgroups martbab commented: """ Is there any particular reason why this is among XML RPC tests and not a separate integration test? IMHO it should be a CI test as it tests integration with SSSD. I get that it is easier to re-use existing fixtures but this is clearly out of scope of XML RPC test suites. """ See the full comment at https://github.com/freeipa/freeipa/pull/196#issuecomment-259946270 From freeipa-github-notification at redhat.com Fri Nov 11 12:24:03 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Fri, 11 Nov 2016 13:24:03 +0100 Subject: [Freeipa-devel] [freeipa PR#234][comment] Always use GSSAPI to set up initial replication In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/234 Title: #234: Always use GSSAPI to set up initial replication mbasti-rh commented: """
```
Traceback (most recent call last):
  File "/sbin/ipa-server-install", line 23, in <module>
    from ipaserver.install import ipa_server_install
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_install.py", line 8, in <module>
    from ipaserver.install.server import ServerMasterInstall
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/__init__.py", line 31, in <module>
    from .install import validate_admin_password, validate_dm_password
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 34, in <module>
    from ipaserver.install import (
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 19, in <module>
    from ipaserver.install import (cainstance,
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 64, in <module>
    from ipaserver.install import dsinstance
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 41, in <module>
    from ipaserver.install import replication
  File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 54, in <module>
    api.env.container_sysaccounts, api.env.basedn)
AttributeError: 'Env' object has no attribute 'container_sysaccounts'
```
""" See the full comment at https://github.com/freeipa/freeipa/pull/234#issuecomment-259946715 From freeipa-github-notification at redhat.com Fri Nov 11 12:29:33 2016
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Fri, 11 Nov 2016 13:29:33 +0100 Subject: [Freeipa-devel] [freeipa PR#214][comment] ipaldap: remove do_bind from LDAPClient In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/214 Title: #214: ipaldap: remove do_bind from LDAPClient mbasti-rh commented: """ ``` ipaserver/install/ca.py:226: [W0612(unused-variable), install_step_1] Unused variable 'dm_password') ``` """ See the full comment at https://github.com/freeipa/freeipa/pull/214#issuecomment-259947581 From freeipa-github-notification at redhat.com Fri Nov 11 12:31:51 2016 From: freeipa-github-notification at redhat.com (stlaz) Date: Fri, 11 Nov 2016 13:31:51 +0100 Subject: [Freeipa-devel] [freeipa PR#212][comment] KRA: don't add KRA container when KRA replica In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/212 Title: #212: KRA: don't add KRA container when KRA replica stlaz commented: """ configure_instance and configure_replica codes were merged, you'll need to check for self.clone value instead. """ See the full comment at https://github.com/freeipa/freeipa/pull/212#issuecomment-259947987 From freeipa-github-notification at redhat.com Fri Nov 11 12:40:29 2016 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Fri, 11 Nov 2016 13:40:29 +0100 Subject: [Freeipa-devel] [freeipa PR#214][synchronized] ipaldap: remove do_bind from LDAPClient In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/214 Author: tomaskrizek Title: #214: ipaldap: remove do_bind from LDAPClient Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/214/head:pr214 git checkout pr214 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-214.patch Type: text/x-diff Size: 29457 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Nov 11 12:41:30 2016 From: freeipa-github-notification at redhat.com (pspacek) Date: Fri, 11 Nov 2016 13:41:30 +0100 Subject: [Freeipa-devel] [freeipa PR#233][comment] Build phase 6: %install cleanup In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/233 Title: #233: Build phase 6: %install cleanup pspacek commented: """ > Failed to open: 'freeipa.spec.in', not a valid spec file. Damn it! I added the last commit with comment in SPEC file and did not run tests on that. Surprise surprise, RPM is PARSING TEXT INSIDE COMMENTS and if you put %install into comment, guess what: It will blow up! Grrrr. (Another joke is that DNF builddep is throwing away error description from RPM SPEC file parser.) """ See the full comment at https://github.com/freeipa/freeipa/pull/233#issuecomment-259949443 From freeipa-github-notification at redhat.com Fri Nov 11 12:46:27 2016
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Fri, 11 Nov 2016 13:46:27 +0100 Subject: [Freeipa-devel] [freeipa PR#214][synchronized] ipaldap: remove do_bind from LDAPClient In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/214 Author: tomaskrizek Title: #214: ipaldap: remove do_bind from LDAPClient Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/214/head:pr214 git checkout pr214 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-214.patch Type: text/x-diff Size: 10141 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Nov 11 12:50:36 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Fri, 11 Nov 2016 13:50:36 +0100 Subject: [Freeipa-devel] [freeipa PR#207][+ack] Provide user hint about IP address in IPA install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/207 Title: #207: Provide user hint about IP address in IPA install Label: +ack From freeipa-github-notification at redhat.com Fri Nov 11 12:51:12 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Fri, 11 Nov 2016 13:51:12 +0100 Subject: [Freeipa-devel] [freeipa PR#207][comment] Provide user hint about IP address in IPA install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/207 Title: #207: Provide user hint about IP address in IPA install mbasti-rh commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/28bc54f91dfbd76887180fa67ceecb46977a4fb8 """ See the full comment at https://github.com/freeipa/freeipa/pull/207#issuecomment-259950894 From freeipa-github-notification at redhat.com Fri Nov 11 12:51:13 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Fri, 11 Nov 2016 13:51:13 +0100 Subject: [Freeipa-devel] [freeipa PR#207][+pushed] Provide user hint about IP address in IPA install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/207 Title: #207: Provide user hint about IP address in IPA install Label: +pushed From freeipa-github-notification at redhat.com Fri Nov 11 12:51:14 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Fri, 11 Nov 2016 13:51:14 +0100 Subject: [Freeipa-devel] [freeipa PR#207][closed] Provide user hint about IP address in IPA install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/207 Author: Akasurde Title: #207: Provide user hint about IP address in IPA install Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/207/head:pr207 git checkout pr207 From freeipa-github-notification at redhat.com Fri Nov 11 12:59:40 2016 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Fri, 11 Nov 2016 13:59:40 +0100 Subject: [Freeipa-devel] [freeipa PR#223][synchronized] LDAP refactoring: remove admin_conn In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/223 Author: tomaskrizek Title: #223: LDAP refactoring: remove admin_conn Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/223/head:pr223 git checkout pr223 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-223.patch Type: text/x-diff Size: 48075 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Nov 11 12:59:54 2016 
From: freeipa-github-notification at redhat.com (pspacek) Date: Fri, 11 Nov 2016 13:59:54 +0100 Subject: [Freeipa-devel] [freeipa PR#233][synchronized] Build phase 6: %install cleanup In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/233 Author: pspacek Title: #233: Build phase 6: %install cleanup Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/233/head:pr233 git checkout pr233 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-233.patch Type: text/x-diff Size: 9191 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Nov 11 13:00:43 2016 From: freeipa-github-notification at redhat.com (pspacek) Date: Fri, 11 Nov 2016 14:00:43 +0100 Subject: [Freeipa-devel] [freeipa PR#233][comment] Build phase 6: %install cleanup In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/233 Title: #233: Build phase 6: %install cleanup pspacek commented: """ This version fixes the fixable issues, i.e. everything mentioned above except changing file ownership. """ See the full comment at https://github.com/freeipa/freeipa/pull/233#issuecomment-259952399 From freeipa-github-notification at redhat.com Fri Nov 11 13:20:58 2016 From: freeipa-github-notification at redhat.com (pspacek) Date: Fri, 11 Nov 2016 14:20:58 +0100 Subject: [Freeipa-devel] [freeipa PR#233][comment] Build phase 6: %install cleanup In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/233 Title: #233: Build phase 6: %install cleanup pspacek commented: """ @tiran Please re-review and set review status accordingly. Thanks! """ See the full comment at https://github.com/freeipa/freeipa/pull/233#issuecomment-259955838 From freeipa-github-notification at redhat.com Fri Nov 11 13:43:55 2016 
From: freeipa-github-notification at redhat.com (pspacek) Date: Fri, 11 Nov 2016 14:43:55 +0100 Subject: [Freeipa-devel] [freeipa PR#233][synchronized] Build phase 6: %install cleanup In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/233 Author: pspacek Title: #233: Build phase 6: %install cleanup Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/233/head:pr233 git checkout pr233 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-233.patch Type: text/x-diff Size: 9188 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Nov 11 13:47:29 2016 From: freeipa-github-notification at redhat.com (pspacek) Date: Fri, 11 Nov 2016 14:47:29 +0100 Subject: [Freeipa-devel] [freeipa PR#233][synchronized] Build phase 6: %install cleanup In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/233 Author: pspacek Title: #233: Build phase 6: %install cleanup Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/233/head:pr233 git checkout pr233 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-233.patch Type: text/x-diff Size: 9164 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Nov 11 13:47:45 2016 
From: freeipa-github-notification at redhat.com (pspacek) Date: Fri, 11 Nov 2016 14:47:45 +0100 Subject: [Freeipa-devel] [freeipa PR#233][comment] Build phase 6: %install cleanup In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/233 Title: #233: Build phase 6: %install cleanup pspacek commented: """ I've fixed incorrect use of `-D` in `install` calls above. """ See the full comment at https://github.com/freeipa/freeipa/pull/233#issuecomment-259960522 From freeipa-github-notification at redhat.com Fri Nov 11 13:56:54 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Fri, 11 Nov 2016 14:56:54 +0100 Subject: [Freeipa-devel] [freeipa PR#214][comment] ipaldap: remove do_bind from LDAPClient In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/214 Title: #214: ipaldap: remove do_bind from LDAPClient martbab commented: """ The fix works as expected. ACK. Fixed upstream master: https://fedorahosted.org/freeipa/changeset/f183f70e0183e51d569ada972bd3ec73cad76a30 """ See the full comment at https://github.com/freeipa/freeipa/pull/214#issuecomment-259962089 From freeipa-github-notification at redhat.com Fri Nov 11 13:56:56 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Fri, 11 Nov 2016 14:56:56 +0100 Subject: [Freeipa-devel] [freeipa PR#214][closed] ipaldap: remove do_bind from LDAPClient In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/214 Author: tomaskrizek Title: #214: ipaldap: remove do_bind from LDAPClient Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/214/head:pr214 git checkout pr214 From freeipa-github-notification at redhat.com Fri Nov 11 14:01:50 2016 
From: freeipa-github-notification at redhat.com (simo5) Date: Fri, 11 Nov 2016 15:01:50 +0100 Subject: [Freeipa-devel] [freeipa PR#187][comment] Register entry points of Custodia plugins In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/187 Title: #187: Register entry points of Custodia plugins simo5 commented: """ Forgot the reasons, I was probably not thinking about PEP8 back then. """ See the full comment at https://github.com/freeipa/freeipa/pull/187#issuecomment-259963079 From freeipa-github-notification at redhat.com Fri Nov 11 14:24:55 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Fri, 11 Nov 2016 15:24:55 +0100 Subject: [Freeipa-devel] [freeipa PR#234][synchronized] Always use GSSAPI to set up initial replication In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/234 Author: martbab Title: #234: Always use GSSAPI to set up initial replication Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/234/head:pr234 git checkout pr234 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-234.patch Type: text/x-diff Size: 15954 bytes Desc: not available URL: From cheimes at redhat.com Fri Nov 11 14:25:05 2016 
From: cheimes at redhat.com (Christian Heimes) Date: Fri, 11 Nov 2016 15:25:05 +0100 Subject: [Freeipa-devel] Design document: Integration Improvements Message-ID: <228f2a0e-a3a6-92ec-8e59-c45f4283999d@redhat.com> Hello, I have released the first version of a new design document. It describes how I'm going to improve integration of FreeIPA's client libraries (ipalib, ipapython, ipaclient, ipaplatform) for third party developers. http://www.freeipa.org/page/V4/Integration_Improvements Regards, Christian -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 455 bytes Desc: OpenPGP digital signature URL: From freeipa-github-notification at redhat.com Fri Nov 11 14:25:49 2016 From: freeipa-github-notification at redhat.com (tiran) Date: Fri, 11 Nov 2016 15:25:49 +0100 Subject: [Freeipa-devel] [freeipa PR#182][comment] Use env var IPA_CONFDIR to get confdir for 'cli' context In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/182 Title: #182: Use env var IPA_CONFDIR to get confdir for 'cli' context tiran commented: """ http://www.freeipa.org/page/V4/Integration_Improvements#API_for_local_configuration_directory """ See the full comment at https://github.com/freeipa/freeipa/pull/182#issuecomment-259967841 From freeipa-github-notification at redhat.com Fri Nov 11 14:41:26 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Fri, 11 Nov 2016 15:41:26 +0100 Subject: [Freeipa-devel] [freeipa PR#230][+ack] cert-request: accept CSRs with extraneous data In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/230 Title: #230: cert-request: accept CSRs with extraneous data Label: +ack From freeipa-github-notification at redhat.com Fri Nov 11 14:42:47 2016 
From: freeipa-github-notification at redhat.com (martbab) Date: Fri, 11 Nov 2016 15:42:47 +0100 Subject: [Freeipa-devel] [freeipa PR#230][+pushed] cert-request: accept CSRs with extraneous data In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/230 Title: #230: cert-request: accept CSRs with extraneous data Label: +pushed From freeipa-github-notification at redhat.com Fri Nov 11 14:42:49 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Fri, 11 Nov 2016 15:42:49 +0100 Subject: [Freeipa-devel] [freeipa PR#230][closed] cert-request: accept CSRs with extraneous data In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/230 Author: frasertweedale Title: #230: cert-request: accept CSRs with extraneous data Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/230/head:pr230 git checkout pr230 From freeipa-github-notification at redhat.com Fri Nov 11 14:42:50 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Fri, 11 Nov 2016 15:42:50 +0100 Subject: [Freeipa-devel] [freeipa PR#230][comment] cert-request: accept CSRs with extraneous data In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/230 Title: #230: cert-request: accept CSRs with extraneous data martbab commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/e1df2e0792a6a423563c4787215b284948f51582 """ See the full comment at https://github.com/freeipa/freeipa/pull/230#issuecomment-259971259 From freeipa-github-notification at redhat.com Fri Nov 11 14:46:39 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Fri, 11 Nov 2016 15:46:39 +0100 Subject: [Freeipa-devel] [freeipa PR#212][synchronized] KRA: don't add KRA container when KRA replica In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/212 Author: mbasti-rh Title: #212: KRA: don't add KRA container when KRA replica Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/212/head:pr212 git checkout pr212 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-212.patch Type: text/x-diff Size: 2425 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Nov 11 14:55:32 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Fri, 11 Nov 2016 15:55:32 +0100 Subject: [Freeipa-devel] [freeipa PR#209][comment] Enumerate available options in IPA installer In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/209 Title: #209: Enumerate available options in IPA installer mbasti-rh commented: """ Hi, we changed a lot of code during refactoring, PR doesn't apply. IMO list of choices shown in --help should be handled in knob() if metavar is not specified and type is choice """ See the full comment at https://github.com/freeipa/freeipa/pull/209#issuecomment-259974015 From freeipa-github-notification at redhat.com Fri Nov 11 15:13:09 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Fri, 11 Nov 2016 16:13:09 +0100 Subject: [Freeipa-devel] [freeipa PR#235][opened] Make Knob function deprecated Message-ID: URL: https://github.com/freeipa/freeipa/pull/235 Author: mbasti-rh Title: #235: Make Knob function deprecated Action: opened PR body: """ `Knob` function is outdated and was replaced by `knob`. Make explicit note in code about this. https://fedorahosted.org/freeipa/ticket/6392 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/235/head:pr235 git checkout pr235 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-235.patch Type: text/x-diff Size: 1110 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Nov 11 15:26:43 2016 From: freeipa-github-notification at redhat.com (stlaz) Date: Fri, 11 Nov 2016 16:26:43 +0100 Subject: [Freeipa-devel] [freeipa PR#235][comment] Make Knob function deprecated In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/235 Title: #235: Make Knob function deprecated stlaz commented: """ ACK, there should be note about this deprecation somewhere. Deleting Knob might be worth a ticket as well. """ See the full comment at https://github.com/freeipa/freeipa/pull/235#issuecomment-259981300 From freeipa-github-notification at redhat.com Fri Nov 11 15:26:47 2016 From: freeipa-github-notification at redhat.com (stlaz) Date: Fri, 11 Nov 2016 16:26:47 +0100 Subject: [Freeipa-devel] [freeipa PR#235][+ack] Make Knob function deprecated In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/235 Title: #235: Make Knob function deprecated Label: +ack From freeipa-github-notification at redhat.com Fri Nov 11 15:30:18 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Fri, 11 Nov 2016 16:30:18 +0100 Subject: [Freeipa-devel] [freeipa PR#235][comment] Make Knob function deprecated In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/235 Title: #235: Make Knob function deprecated mbasti-rh commented: """ I would wait with ACK, I realized that Knobs with capital K are not used anymore, so we can remove it instead of deprecating """ See the full comment at https://github.com/freeipa/freeipa/pull/235#issuecomment-259982115 From freeipa-github-notification at redhat.com Fri Nov 11 15:30:27 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Fri, 11 Nov 2016 16:30:27 +0100 Subject: [Freeipa-devel] [freeipa PR#235][-ack] Make Knob function deprecated In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/235 Title: #235: Make Knob function deprecated Label: -ack From freeipa-github-notification at redhat.com Fri Nov 11 15:41:27 2016 From: freeipa-github-notification at redhat.com (pspacek) Date: Fri, 11 Nov 2016 16:41:27 +0100 Subject: [Freeipa-devel] [freeipa PR#236][opened] Build phase 7: cleanup Message-ID: URL: https://github.com/freeipa/freeipa/pull/236 Author: pspacek Title: #236: Build phase 7: cleanup Action: opened PR body: """ Depends on PR #233. - Clean-up ancient leftovers and clean minor bugs here and there. - Support --enable-silent-rules and V=0 variable for make to make the build less verbose and warnings more visible. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/236/head:pr236 git checkout pr236 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-236.patch Type: text/x-diff Size: 76080 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Nov 11 16:01:23 2016 
From: freeipa-github-notification at redhat.com (lslebodn) Date: Fri, 11 Nov 2016 17:01:23 +0100 Subject: [Freeipa-devel] [freeipa PR#236][comment] Build phase 7: cleanup In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/236 Title: #236: Build phase 7: cleanup lslebodn commented: """ You should do the opposite of the last patch "Build: clean-up spurious NULL variables from Makefile.am files". The NULL should be added to each list. NACK to the last patch. It does not simplify anything and it makes diff more complicated for adding new entries """ See the full comment at https://github.com/freeipa/freeipa/pull/236#issuecomment-259989321 From freeipa-github-notification at redhat.com Fri Nov 11 16:17:33 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Fri, 11 Nov 2016 17:17:33 +0100 Subject: [Freeipa-devel] [freeipa PR#235][synchronized] Make Knob function deprecated In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/235 Author: mbasti-rh Title: #235: Make Knob function deprecated Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/235/head:pr235 git checkout pr235 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-235.patch Type: text/x-diff Size: 4490 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Nov 11 16:18:08 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Fri, 11 Nov 2016 17:18:08 +0100 Subject: [Freeipa-devel] [freeipa PR#235][edited] Remove unused Knob function In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/235 Author: mbasti-rh Title: #235: Remove unused Knob function Action: edited Changed field: title Original value: """ Make Knob function deprecated """ From mbasti at redhat.com Fri Nov 11 16:46:39 2016
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 11 Nov 2016 17:46:39 +0100
Subject: [Freeipa-devel] Design document: Integration Improvements
In-Reply-To: <228f2a0e-a3a6-92ec-8e59-c45f4283999d@redhat.com>
References: <228f2a0e-a3a6-92ec-8e59-c45f4283999d@redhat.com>
Message-ID:

On 11.11.2016 15:25, Christian Heimes wrote:
> Hello,
>
> I have released the first version of a new design document. It describes
> how I'm going to improve integration of FreeIPA's client libraries
> (ipalib, ipapython, ipaclient, ipaplatform) for third party developers.
>
> http://www.freeipa.org/page/V4/Integration_Improvements
>
> Regards,
> Christian

Hello, I have a few questions:

1) dynamic platform files

Currently all RHEL/fedora-derived platforms work with the same rhel/fedora packages. How do you want to achieve this with dynamic platform files, do you want to keep mappings between platforms and platform file? What about distributions that have in /etc/release just a mess?

2) if I understand correctly, you want to separate client installer code and client CLI code. In the past we had freeipa-admintools but it was removed because it was really tightly bound to the installed client. Do you want to revive it and make it independent?

3) why instead of environ variable we cannot have specified paths with priority where IPA config can be located?
For example:
1) ./.ipa.conf
2) ~/.ipa.conf
3) /etc/ipa/default.conf <-- as last resort

From cheimes at redhat.com Fri Nov 11 17:28:24 2016
From: cheimes at redhat.com (Christian Heimes)
Date: Fri, 11 Nov 2016 18:28:24 +0100
Subject: [Freeipa-devel] Design document: Integration Improvements
In-Reply-To:
References: <228f2a0e-a3a6-92ec-8e59-c45f4283999d@redhat.com>
Message-ID:

On 2016-11-11 17:46, Martin Basti wrote:
> On 11.11.2016 15:25, Christian Heimes wrote:
>> Hello,
>>
>> I have released the first version of a new design document. It describes
>> how I'm going to improve integration of FreeIPA's client libraries
>> (ipalib, ipapython, ipaclient, ipaplatform) for third party developers.
>>
>> http://www.freeipa.org/page/V4/Integration_Improvements
>>
>> Regards,
>> Christian
>
> Hello, I have a few questions:
>
> 1) dynamic platform files
>
> Currently all RHEL/fedora-derived platforms work with the same
> rhel/fedora packages. How do you want to achieve this with dynamic
> platform files, do you want to keep mappings between platforms and
> platform file? What about distributions that have in /etc/release just a mess?

I don't use /etc/releases but /etc/os-release. There is no mapping involved. If a distribution has no /etc/os-release or a messed up /etc/os-release, then it needs to be fixed by the distribution. It's a common standard and all relevant distributions support this standard.

RHEL has ID=rhel and no ID_LIKE -> ipaplatform.rhel
Fedora has ID=fedora and no ID_LIKE -> ipaplatform.fedora
CentOS has ID=centos and ID_LIKE="rhel fedora" -> ipaplatform.rhel
Even my Raspberry has an /etc/os-release with ID=raspbian and ID_LIKE=debian -> error, soon ipaplatform.debian

> 2) if I understand correctly, you want to separate client installer code
> and client CLI code. In the past we had freeipa-admintools but it was
> removed because it was really tightly bound to the installed client. Do
> you want to revive it and make it independent?

My proposal does not affect distribution packaging (rpm, deb) at all. It is purely about Python packaging. The client installer and client CLI code are already separated. The Python wheels will only contain what 'python setup.py bdist_wheel' spits out for ipaclient, ipalib, ipaplatform and ipapython. The 'ipa' CLI is part of the ipaclient Python package.

> 3) why instead of environ variable we cannot have specified paths with
> priority where IPA config can be located?
> For example:
> 1) ./.ipa.conf
> 2) ~/.ipa.conf
> 3) /etc/ipa/default.conf <-- as last resort

For Ansible, testing etc. I need an arbitrary amount of config *directories* and full control. I don't like the idea that the current working directory affects how commands work. It has too many security implications, e.g. we have to verify that the file belongs to the current user. The check must be TOCTOU safe, too. Env vars are easier to control, more secure and less fragile.

Christian

From rcritten at redhat.com Fri Nov 11 17:33:37 2016
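What the "TOCTOU safe" ownership check mentioned above involves, as an added example that is not FreeIPA code: the function names, the exact checks and the sample files are assumptions made for illustration. The racy variant checks a path name and then resolves it again; the checked variant opens once and validates the descriptor it reads from.

```python
"""Added example: validating a per-user config file without a TOCTOU window."""
import errno
import os
import stat
import tempfile


class UnsafeConfigError(Exception):
    """The candidate file failed a type, ownership or permission check."""


def read_config_racy(path):
    """Check-then-use on a path name: shown only for contrast."""
    st = os.stat(path)                       # check: follows symlinks
    if st.st_uid != os.geteuid():
        raise UnsafeConfigError("not owned by the current user")
    with open(path, "rb") as f:              # use: the name is resolved again,
        return f.read()                      # so it may be a different file now


def read_config_checked(path):
    """Open once, then validate and read through that same descriptor."""
    # O_NOFOLLOW refuses a symlink as the final path component;
    # O_NONBLOCK keeps open() from hanging if the path is a FIFO.
    flags = os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK
    try:
        fd = os.open(path, flags)
    except OSError as exc:
        if exc.errno in (errno.ELOOP, errno.EMLINK):
            raise UnsafeConfigError("refusing symlink: %s" % path) from exc
        raise
    with os.fdopen(fd, "rb") as f:
        st = os.fstat(f.fileno())            # describes the file we hold open
        if not stat.S_ISREG(st.st_mode):
            raise UnsafeConfigError("not a regular file")
        if st.st_uid != os.geteuid():
            raise UnsafeConfigError("not owned by the current user")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            raise UnsafeConfigError("writable by group or others")
        return f.read()


def demo():
    """Run the checked reader over constructed files in a temp directory."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "default.conf")
        with open(good, "wb") as f:
            f.write(b"[global]\nrealm = EXAMPLE.TEST\n")   # constructed sample
        os.chmod(good, 0o600)
        results["owner_only"] = read_config_checked(good)

        link = os.path.join(tmp, "link.conf")
        os.symlink(good, link)
        loose = os.path.join(tmp, "loose.conf")
        with open(loose, "wb") as f:
            f.write(b"[global]\n")
        os.chmod(loose, 0o666)
        for name, path in (("symlink", link), ("world_writable", loose)):
            try:
                read_config_checked(path)
                results[name] = "accepted"
            except UnsafeConfigError as exc:
                results[name] = "rejected: %s" % exc
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```
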
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 11 Nov 2016 12:33:37 -0500
Subject: [Freeipa-devel] Design document: Integration Improvements
In-Reply-To:
References: <228f2a0e-a3a6-92ec-8e59-c45f4283999d@redhat.com>
Message-ID: <582600F1.3000608@redhat.com>

Martin Basti wrote:
> On 11.11.2016 15:25, Christian Heimes wrote:
>> Hello,
>>
>> I have released the first version of a new design document. It describes
>> how I'm going to improve integration of FreeIPA's client libraries
>> (ipalib, ipapython, ipaclient, ipaplatform) for third party developers.
>>
>> http://www.freeipa.org/page/V4/Integration_Improvements
>>
>> Regards,
>> Christian
>
> Hello, I have a few questions:
>
> 1) dynamic platform files
>
> Currently all RHEL/fedora-derived platforms work with the same
> rhel/fedora packages. How do you want to achieve this with dynamic
> platform files, do you want to keep mappings between platforms and
> platform file? What about distributions that have in /etc/release just a mess?

He is proposing using /etc/os-release which is a more structured file. I don't think he's proposing a mapping so much as walking through the ID and ID_LIKE values to find a match. It is unclear what would happen in the case no match was found.

On CentOS it looks like:

ID="centos"
ID_LIKE="rhel fedora"

So it would try to open the centos platform file and fail, then the rhel platform file and succeed and then proceed with initialization.

> 2) if I understand correctly, you want to separate client installer code
> and client CLI code. In the past we had freeipa-admintools but it was
> removed because it was really tightly bound to the installed client. Do
> you want to revive it and make it independent?

The admintools package consisted only of the ipa command so I don't see the relevance.

This should have no impact on the installers. I think the only proposal is to ignore the IPA_CONFDIR variable in all installer contexts. I think I'd prefer it if it were simply wiped from the environment on startup of *install commands prior to bootstrap so it can't leak at all.

> 3) why instead of environ variable we cannot have specified paths with
> priority where IPA config can be located?
> For example:
> 1) ./.ipa.conf
> 2) ~/.ipa.conf
> 3) /etc/ipa/default.conf <-- as last resort

Because it's not flexible enough. Just consider all the places that KRB5_CONFIG is used and imagine having only a few, fixed places to use instead. An environment variable is a standard way of configuring a library, which for all intents and purposes ipalib/ipapython are.

rob

From cheimes at redhat.com Fri Nov 11 17:45:11 2016
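The ID / ID_LIKE walk described in this thread, as an added example that is not FreeIPA's code: the function names, the allow-list of platform modules and the sample os-release contents are constructed for illustration. Candidate names are matched against a fixed allow-list, so nothing read from the file is used as an import path directly, and a file with no usable match ends in an explicit error.

```python
"""Added example: pick a platform module from os-release ID / ID_LIKE."""
import shlex

# Assumption for this example: only these platform modules exist.
SUPPORTED_PLATFORMS = ("rhel", "fedora")

# Constructed samples using the ID / ID_LIKE values quoted in the thread.
CENTOS = 'NAME="CentOS Linux"\nID="centos"\nID_LIKE="rhel fedora"\n'
FEDORA = "NAME=Fedora\nID=fedora\n"
RASPBIAN = "ID=raspbian\nID_LIKE=debian\n"
BROKEN = '# unterminated quote below\nID="centos\n'


def parse_os_release(text):
    """Parse KEY=value lines; values use shell-style quoting."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        try:
            parts = shlex.split(value)
        except ValueError:
            # Malformed quoting: ignore the line instead of guessing a value.
            continue
        fields[key.strip()] = " ".join(parts)
    return fields


def candidate_ids(fields):
    """ID first, then each ID_LIKE entry in the order the file lists them."""
    ids = []
    for name in [fields.get("ID", "")] + fields.get("ID_LIKE", "").split():
        name = name.lower()
        if name and name not in ids:
            ids.append(name)
    return ids


def resolve_platform_module(os_release_text, supported=SUPPORTED_PLATFORMS):
    """Return the first allow-listed module name, or raise LookupError."""
    tried = candidate_ids(parse_os_release(os_release_text))
    for name in tried:
        if name in supported:
            return "ipaplatform." + name
    raise LookupError("no platform module for os-release ids %r" % (tried,))


if __name__ == "__main__":
    for label, text in (("centos", CENTOS), ("fedora", FEDORA),
                        ("raspbian", RASPBIAN), ("broken", BROKEN)):
        try:
            print(label, "->", resolve_platform_module(text))
        except LookupError as exc:
            print(label, "-> error:", exc)
```
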
From: cheimes at redhat.com (Christian Heimes)
Date: Fri, 11 Nov 2016 18:45:11 +0100
Subject: [Freeipa-devel] Design document: Integration Improvements
In-Reply-To: <582600F1.3000608@redhat.com>
References: <228f2a0e-a3a6-92ec-8e59-c45f4283999d@redhat.com> <582600F1.3000608@redhat.com>
Message-ID: <468f5bc5-7207-6883-14b6-f181b9692114@redhat.com>

On 2016-11-11 18:33, Rob Crittenden wrote:
> Martin Basti wrote:
>> 2) if I understand correctly, you want to separate client installer code
>> and client CLI code. In the past we had freeipa-admintools but it was
>> removed because it was really tightly bound to the installed client. Do
>> you want to revive it and make it independent?
>
> The admintools package consisted only of the ipa command so I don't see
> the relevance.
>
> This should have no impact on the installers. I think the only proposal
> is to ignore the IPA_CONFDIR variable in all installer contexts. I think
> I'd prefer it if it were simply wiped from the environment on startup of
> *install commands prior to bootstrap so it can't leak at all.

With the latest patch, all installers, updaters and similar tools fail with an exception when an IPA_CONFDIR env var is present. I have also considered to fail for geteuid() == 0. On the other hand the env var is useful for containerized applications and people sure love to run all their containers as root.

From freeipa-github-notification at redhat.com Sun Nov 13 08:39:27 2016
From: freeipa-github-notification at redhat.com (stlaz) Date: Sun, 13 Nov 2016 09:39:27 +0100 Subject: [Freeipa-devel] [freeipa PR#235][comment] Remove unused Knob function In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/235 Title: #235: Remove unused Knob function stlaz commented: """ From our offline discussion I got the impression the Knob function was still used somewhere, therefore the ACK. I'm not sure what was the reason of keeping Knob there even if unused, you may need checking with @jcholast. """ See the full comment at https://github.com/freeipa/freeipa/pull/235#issuecomment-260173516 From freeipa-github-notification at redhat.com Mon Nov 14 00:59:49 2016 From: freeipa-github-notification at redhat.com (shanyin) Date: Mon, 14 Nov 2016 01:59:49 +0100 Subject: [Freeipa-devel] [freeipa PR#174][comment] add log module In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/174 Title: #174: add log module shanyin commented: """ I tried to use the centralized logging, but my system is Ubuntu, and the ipa-log-config tool is only supported by RHEL 7 / CentOS 7 currently. So, the centralized logging is not configured successfully. ------------------ Original ------------------ From: "mbasti-rh"; Date: Fri, Nov 11, 2016 07:36 PM To: "freeipa/freeipa"; Cc: "shanyin"; "Mention"; Subject: Re: [freeipa/freeipa] add log module (#174) @shanyin Did centralized logging meet your requirements? """ See the full comment at https://github.com/freeipa/freeipa/pull/174#issuecomment-260226824 From freeipa-github-notification at redhat.com Mon Nov 14 01:15:46 2016
From: freeipa-github-notification at redhat.com (frasertweedale) Date: Mon, 14 Nov 2016 02:15:46 +0100 Subject: [Freeipa-devel] [freeipa PR#227][synchronized] cert-request: match names against principal alises In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/227 Author: frasertweedale Title: #227: cert-request: match names against principal alises Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/227/head:pr227 git checkout pr227 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-227.patch Type: text/x-diff Size: 13192 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Nov 14 01:43:07 2016 From: freeipa-github-notification at redhat.com (shanyin) Date: Mon, 14 Nov 2016 02:43:07 +0100 Subject: [Freeipa-devel] [freeipa PR#174][comment] add log module In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/174 Title: #174: add log module shanyin commented: """ @mbasti-rh I've already finished my translation basically On Zanata. The URL is https://fedora.zanata.org/webtrans/translate?project=freeipa&iteration=master&localeId=zh-CN&locale=en-US&dswid=9896#view:doc;doc:po/ipa """ See the full comment at https://github.com/freeipa/freeipa/pull/174#issuecomment-260230505 From freeipa-github-notification at redhat.com Mon Nov 14 06:01:50 2016 
From: freeipa-github-notification at redhat.com (frasertweedale) Date: Mon, 14 Nov 2016 07:01:50 +0100 Subject: [Freeipa-devel] [freeipa PR#227][edited] cert-request: match names against principal aliases In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/227 Author: frasertweedale Title: #227: cert-request: match names against principal aliases Action: edited Changed field: title Original value: """ cert-request: match names against principal alises """ From freeipa-github-notification at redhat.com Mon Nov 14 06:07:17 2016 From: freeipa-github-notification at redhat.com (mirielka) Date: Mon, 14 Nov 2016 07:07:17 +0100 Subject: [Freeipa-devel] [freeipa PR#181][comment] Tests : User Tracker creation of user with minimal values In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/181 Title: #181: Tests : User Tracker creation of user with minimal values mirielka commented: """ Having "None" default values for obligatory arguments does not seem to be a good idea. If the method was called with default values, it would fail. It would be best if obligatory arguments ("givenname" and "sn") were provided as positional arguments and voluntary "name" as keyword argument. Please note that such a change will cause failure of existing tests that use this tracker, therefore it's necessary to fix them as well - include this in separate commit of this PR. Also please don't forget to add testcases for which this PR was created originally - creating user without the "name" argument (both positive and negative testcases). """ See the full comment at https://github.com/freeipa/freeipa/pull/181#issuecomment-260255613 From freeipa-github-notification at redhat.com Mon Nov 14 06:07:47 2016 
From: freeipa-github-notification at redhat.com (mirielka) Date: Mon, 14 Nov 2016 07:07:47 +0100 Subject: [Freeipa-devel] [freeipa PR#210][comment] Tests: Stage User Tracker implementation In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/210 Title: #210: Tests: Stage User Tracker implementation mirielka commented: """ Review notes: same as in https://github.com/freeipa/freeipa/pull/181 """ See the full comment at https://github.com/freeipa/freeipa/pull/210#issuecomment-260255679 From freeipa-github-notification at redhat.com Mon Nov 14 07:57:15 2016 From: freeipa-github-notification at redhat.com (pspacek) Date: Mon, 14 Nov 2016 08:57:15 +0100 Subject: [Freeipa-devel] [freeipa PR#237][opened] Update man page for ipa-adtrust-install by removing --no-msdcs option Message-ID: URL: https://github.com/freeipa/freeipa/pull/237 Author: pspacek Title: #237: Update man page for ipa-adtrust-install by removing --no-msdcs option Action: opened PR body: """ https://bugzilla.redhat.com/show_bug.cgi?id=1392778 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/237/head:pr237 git checkout pr237 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-237.patch Type: text/x-diff Size: 1948 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Nov 14 08:08:06 2016 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Mon, 14 Nov 2016 09:08:06 +0100 Subject: [Freeipa-devel] [freeipa PR#237][+ack] Update man page for ipa-adtrust-install by removing --no-msdcs option In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/237 Title: #237: Update man page for ipa-adtrust-install by removing --no-msdcs option Label: +ack From freeipa-github-notification at redhat.com Mon Nov 14 08:17:50 2016 
From: freeipa-github-notification at redhat.com (martbab) Date: Mon, 14 Nov 2016 09:17:50 +0100 Subject: [Freeipa-devel] [freeipa PR#237][-ack] Update man page for ipa-adtrust-install by removing --no-msdcs option In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/237 Title: #237: Update man page for ipa-adtrust-install by removing --no-msdcs option Label: -ack From freeipa-github-notification at redhat.com Mon Nov 14 08:19:03 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Mon, 14 Nov 2016 09:19:03 +0100 Subject: [Freeipa-devel] [freeipa PR#237][comment] Update man page for ipa-adtrust-install by removing --no-msdcs option In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/237 Title: #237: Update man page for ipa-adtrust-install by removing --no-msdcs option martbab commented: """ Please add the upstream ticket to the commit message. """ See the full comment at https://github.com/freeipa/freeipa/pull/237#issuecomment-260273833 From freeipa-github-notification at redhat.com Mon Nov 14 08:55:36 2016 From: freeipa-github-notification at redhat.com (pspacek) Date: Mon, 14 Nov 2016 09:55:36 +0100 Subject: [Freeipa-devel] [freeipa PR#237][synchronized] Update man page for ipa-adtrust-install by removing --no-msdcs option In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/237 Author: pspacek Title: #237: Update man page for ipa-adtrust-install by removing --no-msdcs option Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/237/head:pr237 git checkout pr237 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-237.patch Type: text/x-diff Size: 1941 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Nov 14 08:55:53 2016 
From: freeipa-github-notification at redhat.com (pspacek) Date: Mon, 14 Nov 2016 09:55:53 +0100 Subject: [Freeipa-devel] [freeipa PR#237][comment] Update man page for ipa-adtrust-install by removing --no-msdcs option In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/237 Title: #237: Update man page for ipa-adtrust-install by removing --no-msdcs option pspacek commented: """ Here you go. """ See the full comment at https://github.com/freeipa/freeipa/pull/237#issuecomment-260280769 From freeipa-github-notification at redhat.com Mon Nov 14 08:56:53 2016 From: freeipa-github-notification at redhat.com (pspacek) Date: Mon, 14 Nov 2016 09:56:53 +0100 Subject: [Freeipa-devel] [freeipa PR#236][comment] Build phase 7: cleanup In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/236 Title: #236: Build phase 7: cleanup pspacek commented: """ Hi Lukas. Given there is no technical justification to have it I'm going to remove these. Simple is better than complex. """ See the full comment at https://github.com/freeipa/freeipa/pull/236#issuecomment-260280943 From freeipa-github-notification at redhat.com Mon Nov 14 09:06:47 2016 From: freeipa-github-notification at redhat.com (ofayans) Date: Mon, 14 Nov 2016 10:06:47 +0100 Subject: [Freeipa-devel] [freeipa PR#224][synchronized] Integration tests for certs in idoverrides In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/224 Author: ofayans Title: #224: Integration tests for certs in idoverrides Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/224/head:pr224 git checkout pr224 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-224.patch Type: text/x-diff Size: 12903 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Nov 14 09:10:12 2016 
From: freeipa-github-notification at redhat.com (ofayans) Date: Mon, 14 Nov 2016 10:10:12 +0100 Subject: [Freeipa-devel] [freeipa PR#224][synchronized] Integration tests for certs in idoverrides In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/224 Author: ofayans Title: #224: Integration tests for certs in idoverrides Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/224/head:pr224 git checkout pr224 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-224.patch Type: text/x-diff Size: 12974 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Nov 14 09:10:36 2016 From: freeipa-github-notification at redhat.com (ofayans) Date: Mon, 14 Nov 2016 10:10:36 +0100 Subject: [Freeipa-devel] [freeipa PR#224][comment] Integration tests for certs in idoverrides In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/224 Title: #224: Integration tests for certs in idoverrides ofayans commented: """ @mirielka done, thank you for review. """ See the full comment at https://github.com/freeipa/freeipa/pull/224#issuecomment-260283573 From freeipa-github-notification at redhat.com Mon Nov 14 09:22:23 2016 
From: freeipa-github-notification at redhat.com (tiran) Date: Mon, 14 Nov 2016 10:22:23 +0100 Subject: [Freeipa-devel] [freeipa PR#195][synchronized] [WIP] Make ipaclient pip install-able In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/195 Author: tiran Title: #195: [WIP] Make ipaclient pip install-able Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/195/head:pr195 git checkout pr195 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-195.patch Type: text/x-diff Size: 7568 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Nov 14 09:34:13 2016 From: freeipa-github-notification at redhat.com (tiran) Date: Mon, 14 Nov 2016 10:34:13 +0100 Subject: [Freeipa-devel] [freeipa PR#195][synchronized] [WIP] Make ipaclient pip install-able In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/195 Author: tiran Title: #195: [WIP] Make ipaclient pip install-able Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/195/head:pr195 git checkout pr195 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-195.patch Type: text/x-diff Size: 8254 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Nov 14 09:37:18 2016 
From: freeipa-github-notification at redhat.com (tiran) Date: Mon, 14 Nov 2016 10:37:18 +0100 Subject: [Freeipa-devel] [freeipa PR#197][synchronized] Make setup.py files PyPI compatible In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/197 Author: tiran Title: #197: Make setup.py files PyPI compatible Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/197/head:pr197 git checkout pr197 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-197.patch Type: text/x-diff Size: 2188 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Nov 14 09:39:53 2016 From: freeipa-github-notification at redhat.com (lslebodn) Date: Mon, 14 Nov 2016 10:39:53 +0100 Subject: [Freeipa-devel] [freeipa PR#236][comment] Build phase 7: cleanup In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/236 Title: #236: Build phase 7: cleanup lslebodn commented: """ >Hi Lukas. Given there is no technical justification to have it I'm going to remove these. Simple is better than complex. I am sorry, I do not agree. The technical justification was explained in previous comments a few times. The $(NULL) at the end of the list makes patches much simpler and easier to read. The purpose of refactoring is to make code simpler but also easier to **maintain/review** """ See the full comment at https://github.com/freeipa/freeipa/pull/236#issuecomment-260289586 From freeipa-github-notification at redhat.com Mon Nov 14 10:21:41 2016 
From: freeipa-github-notification at redhat.com (jumitche) Date: Mon, 14 Nov 2016 11:21:41 +0100 Subject: [Freeipa-devel] [freeipa PR#215][synchronized] Add script to setup krb5 NFS exports In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/215 Author: jumitche Title: #215: Add script to setup krb5 NFS exports Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/215/head:pr215 git checkout pr215 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-215.patch Type: text/x-diff Size: 50556 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Nov 14 10:57:06 2016 From: freeipa-github-notification at redhat.com (mirielka) Date: Mon, 14 Nov 2016 11:57:06 +0100 Subject: [Freeipa-devel] [freeipa PR#224][+ack] Integration tests for certs in idoverrides In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/224 Title: #224: Integration tests for certs in idoverrides Label: +ack From freeipa-github-notification at redhat.com Mon Nov 14 11:06:21 2016 From: freeipa-github-notification at redhat.com (tiran) Date: Mon, 14 Nov 2016 12:06:21 +0100 Subject: [Freeipa-devel] [freeipa PR#203][comment] Add sdist_list plugin to all setup.py In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/203 Title: #203: Add sdist_list plugin to all setup.py tiran commented: """ The feature is no longer required. @pspacek uses ``egg-info/SOURCES.txt``. """ See the full comment at https://github.com/freeipa/freeipa/pull/203#issuecomment-260308091 From freeipa-github-notification at redhat.com Mon Nov 14 11:06:23 2016 
From: freeipa-github-notification at redhat.com (tiran) Date: Mon, 14 Nov 2016 12:06:23 +0100 Subject: [Freeipa-devel] [freeipa PR#203][closed] Add sdist_list plugin to all setup.py In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/203 Author: tiran Title: #203: Add sdist_list plugin to all setup.py Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/203/head:pr203 git checkout pr203 From freeipa-github-notification at redhat.com Mon Nov 14 11:47:19 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 14 Nov 2016 12:47:19 +0100 Subject: [Freeipa-devel] [freeipa PR#203][+rejected] Add sdist_list plugin to all setup.py In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/203 Title: #203: Add sdist_list plugin to all setup.py Label: +rejected From freeipa-github-notification at redhat.com Mon Nov 14 12:11:25 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 14 Nov 2016 13:11:25 +0100 Subject: [Freeipa-devel] [freeipa PR#174][comment] add log module In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/174 Title: #174: add log module mbasti-rh commented: """ @shanyin great, I suppose you want those translations in IPA 4.4.x, so I could try to copy them from master. """ See the full comment at https://github.com/freeipa/freeipa/pull/174#issuecomment-260319825 From freeipa-github-notification at redhat.com Mon Nov 14 12:37:35 2016 
From: freeipa-github-notification at redhat.com (martbab) Date: Mon, 14 Nov 2016 13:37:35 +0100 Subject: [Freeipa-devel] [freeipa PR#227][comment] cert-request: match names against principal aliases In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/227 Title: #227: cert-request: match names against principal aliases martbab commented: """ @frasertweedale What is the intended semantics of the checks against principal aliases in SAN? If the requestor can use only the aliases belonging to the entry of the receiving principal, then it should be enough to retrieve the entry by searching for the 'krbprincipalname' from --principal option, retrieve it, and then checking whether all values of dnsName/KRB5PrincipalName are a subset of Kerberos principal aliases. """ See the full comment at https://github.com/freeipa/freeipa/pull/227#issuecomment-260324521 From freeipa-github-notification at redhat.com Mon Nov 14 12:39:57 2016 
From: freeipa-github-notification at redhat.com (martbab) Date: Mon, 14 Nov 2016 13:39:57 +0100 Subject: [Freeipa-devel] [freeipa PR#227][comment] cert-request: match names against principal aliases In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/227 Title: #227: cert-request: match names against principal aliases martbab commented: """ Also, the current execution flow of the command is very confusing (retrieving objects based on intended principal types etc.). As a part of the ticket I was planning to do a sneaky refactoring of the flow which IMHO should look like this: 1.) you search entries by krbprincipalname extracted from 'principal' option (or from bind principal) 2.) If not found, you error out that such entry could not be found 3.) due to syntax overrides in ipaldap, all returned principals will be converted to Principal objects so *after you retrieve the entry and ensure that it exists* you can test whether it is service, user, etc. 4.) for values in SAN, you check whether the value is already contained in the entries principals (as you do in this PR). If the principal is not there, you can try to retrieve the entry from ldap and either error out if not found, or check CA ACLs against it when present. 5.) if all is OK, forward the request to RA backend and issue the certificate. Do you think that this would extend the scope of the ticket too much? If yes, I can open a separate ticket for this cleanup and do it on top of your work. """ See the full comment at https://github.com/freeipa/freeipa/pull/227#issuecomment-260324953 From freeipa-github-notification at redhat.com Mon Nov 14 12:57:48 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 14 Nov 2016 13:57:48 +0100 Subject: [Freeipa-devel] [freeipa PR#143][comment] Issue6386 nss dir In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/143 Title: #143: Issue6386 nss dir mbasti-rh commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/a22a5dd676f581910ac7872c1a20322278fc7d4a """ See the full comment at https://github.com/freeipa/freeipa/pull/143#issuecomment-260328232 From freeipa-github-notification at redhat.com Mon Nov 14 12:57:49 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 14 Nov 2016 13:57:49 +0100 Subject: [Freeipa-devel] [freeipa PR#143][closed] Issue6386 nss dir In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/143 Author: tiran Title: #143: Issue6386 nss dir Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/143/head:pr143 git checkout pr143 From freeipa-github-notification at redhat.com Mon Nov 14 12:57:50 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 14 Nov 2016 13:57:50 +0100 Subject: [Freeipa-devel] [freeipa PR#143][+pushed] Issue6386 nss dir In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/143 Title: #143: Issue6386 nss dir Label: +pushed From freeipa-github-notification at redhat.com Mon Nov 14 12:59:34 2016 From: freeipa-github-notification at redhat.com (tiran) Date: Mon, 14 Nov 2016 13:59:34 +0100 Subject: [Freeipa-devel] [freeipa PR#197][edited] Make setup.py files PyPI compatible In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/197 Author: tiran Title: #197: Make setup.py files PyPI compatible Action: edited Changed field: body Original value: """ - Use PEP 440 compatible version schema - Use correct classifiers 
Signed-off-by: Christian Heimes """ From freeipa-github-notification at redhat.com Mon Nov 14 13:12:55 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 14 Nov 2016 14:12:55 +0100 Subject: [Freeipa-devel] [freeipa PR#157][+ack] git: Add commit template In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/157 Title: #157: git: Add commit template Label: +ack From freeipa-github-notification at redhat.com Mon Nov 14 13:13:25 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 14 Nov 2016 14:13:25 +0100 Subject: [Freeipa-devel] [freeipa PR#158][comment] WebUI: update Patternfly and Bootstrap In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/158 Title: #158: WebUI: update Patternfly and Bootstrap mbasti-rh commented: """ Bump for review """ See the full comment at https://github.com/freeipa/freeipa/pull/158#issuecomment-260331171 From freeipa-github-notification at redhat.com Mon Nov 14 13:13:52 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Mon, 14 Nov 2016 14:13:52 +0100 Subject: [Freeipa-devel] [freeipa PR#227][comment] cert-request: match names against principal aliases In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/227 Title: #227: cert-request: match names against principal aliases martbab commented: """ Also one of the tests in caacl_profile_enforcement suite fails: https://paste.fedoraproject.org/481011/12920714/ """ See the full comment at https://github.com/freeipa/freeipa/pull/227#issuecomment-260331265 From freeipa-github-notification at redhat.com Mon Nov 14 13:18:16 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 14 Nov 2016 14:18:16 +0100 Subject: [Freeipa-devel] [freeipa PR#178][comment] ipatests: Fix assert_deepequal outside of pytest process In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/178 Title: #178: ipatests: Fix assert_deepequal outside of pytest process mbasti-rh commented: """ ACK, because fixing PEP8 makes readability worse in this case and it is against PEP8 :) """ See the full comment at https://github.com/freeipa/freeipa/pull/178#issuecomment-260332117 From freeipa-github-notification at redhat.com Mon Nov 14 13:18:30 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 14 Nov 2016 14:18:30 +0100 Subject: [Freeipa-devel] [freeipa PR#178][+ack] ipatests: Fix assert_deepequal outside of pytest process In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/178 Title: #178: ipatests: Fix assert_deepequal outside of pytest process Label: +ack From freeipa-github-notification at redhat.com Mon Nov 14 13:24:14 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 14 Nov 2016 14:24:14 +0100 Subject: [Freeipa-devel] [freeipa PR#185][+ack] TESTS: Update group type name In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/185 Title: #185: TESTS: Update group type name Label: +ack From freeipa-github-notification at redhat.com Mon Nov 14 13:31:10 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Mon, 14 Nov 2016 14:31:10 +0100 Subject: [Freeipa-devel] [freeipa PR#164][+ack] Trust AD cleanup In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/164 Title: #164: Trust AD cleanup Label: +ack From freeipa-github-notification at redhat.com Mon Nov 14 13:32:30 2016 
From: freeipa-github-notification at redhat.com (martbab) Date: Mon, 14 Nov 2016 14:32:30 +0100 Subject: [Freeipa-devel] [freeipa PR#164][+pushed] Trust AD cleanup In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/164 Title: #164: Trust AD cleanup Label: +pushed From freeipa-github-notification at redhat.com Mon Nov 14 13:32:32 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Mon, 14 Nov 2016 14:32:32 +0100 Subject: [Freeipa-devel] [freeipa PR#164][comment] Trust AD cleanup In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/164 Title: #164: Trust AD cleanup martbab commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/8a177732afc404a830b75cab03fb420af93fa441 https://fedorahosted.org/freeipa/changeset/3938698e07404acfd7ae84fcaae9c02850d1afa7 https://fedorahosted.org/freeipa/changeset/46aa41444521a1746d584b703054e2a971915dc6 ipa-4-4: https://fedorahosted.org/freeipa/changeset/244287a497a23e4d4d0b929d8311214f3ba4d571 https://fedorahosted.org/freeipa/changeset/546382f3a64b3627e72497253bfb229d55e882cc https://fedorahosted.org/freeipa/changeset/1bb9b102edb57068028a97510c469640e6cf6268 """ See the full comment at https://github.com/freeipa/freeipa/pull/164#issuecomment-260335007 From freeipa-github-notification at redhat.com Mon Nov 14 13:32:33 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Mon, 14 Nov 2016 14:32:33 +0100 Subject: [Freeipa-devel] [freeipa PR#164][closed] Trust AD cleanup In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/164 Author: mirielka Title: #164: Trust AD cleanup Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/164/head:pr164 git checkout pr164 From freeipa-github-notification at redhat.com Mon Nov 14 13:34:01 2016 
From: freeipa-github-notification at redhat.com (martbab) Date: Mon, 14 Nov 2016 14:34:01 +0100 Subject: [Freeipa-devel] [freeipa PR#237][+ack] Update man page for ipa-adtrust-install by removing --no-msdcs option In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/237 Title: #237: Update man page for ipa-adtrust-install by removing --no-msdcs option Label: +ack From freeipa-github-notification at redhat.com Mon Nov 14 13:52:01 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Mon, 14 Nov 2016 14:52:01 +0100 Subject: [Freeipa-devel] [freeipa PR#231][comment] Do not log DM password in ca/kra installation logs In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/231 Title: #231: Do not log DM password in ca/kra installation logs martbab commented: """ I would rather hide the password by default in the `spawn_instance` method in the same manner as is done for admin_password, see https://git.fedorahosted.org/cgit/freeipa.git/tree/ipaserver/install/dogtaginstance.py?id=f183f70e0183e51d569ada972bd3ec73cad76a30#n166 """ See the full comment at https://github.com/freeipa/freeipa/pull/231#issuecomment-260339196 From freeipa-github-notification at redhat.com Mon Nov 14 13:52:40 2016 From: freeipa-github-notification at redhat.com (gkaihorodova) Date: Mon, 14 Nov 2016 14:52:40 +0100 Subject: [Freeipa-devel] [freeipa PR#119][+ack] Tests: Providing trust tests with tree root domain In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/119 Title: #119: Tests: Providing trust tests with tree root domain Label: +ack From freeipa-github-notification at redhat.com Mon Nov 14 13:59:19 2016 
From: freeipa-github-notification at redhat.com (stlaz) Date: Mon, 14 Nov 2016 14:59:19 +0100 Subject: [Freeipa-devel] [freeipa PR#231][closed] Do not log DM password in ca/kra installation logs In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/231 Author: stlaz Title: #231: Do not log DM password in ca/kra installation logs Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/231/head:pr231 git checkout pr231 From freeipa-github-notification at redhat.com Mon Nov 14 14:05:14 2016 From: freeipa-github-notification at redhat.com (pspacek) Date: Mon, 14 Nov 2016 15:05:14 +0100 Subject: [Freeipa-devel] [freeipa PR#238][opened] Build system refactoring phase 8: update translation system Message-ID: URL: https://github.com/freeipa/freeipa/pull/238 Author: pspacek Title: #238: Build system refactoring phase 8: update translation system Action: opened PR body: """ This patch set moves IPA translation system towards standard Makefiles produced by gettextize framework. Depends on #233 . """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/238/head:pr238 git checkout pr238 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-238.patch Type: text/x-diff Size: 300810 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Nov 14 16:26:01 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 14 Nov 2016 17:26:01 +0100 Subject: [Freeipa-devel] [freeipa PR#197][comment] Make setup.py files PyPI compatible In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/197 Title: #197: Make setup.py files PyPI compatible mbasti-rh commented: """ I have some inline questions """ See the full comment at https://github.com/freeipa/freeipa/pull/197#issuecomment-260383809 From freeipa-github-notification at redhat.com Mon Nov 14 16:30:26 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 14 Nov 2016 17:30:26 +0100 Subject: [Freeipa-devel] [freeipa PR#194][+ack] Tests: Verify that validity info is present in cert-show and cert-find command In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/194 Title: #194: Tests: Verify that validity info is present in cert-show and cert-find command Label: +ack From freeipa-github-notification at redhat.com Mon Nov 14 16:31:09 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 14 Nov 2016 17:31:09 +0100 Subject: [Freeipa-devel] [freeipa PR#194][+pushed] Tests: Verify that validity info is present in cert-show and cert-find command In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/194 Title: #194: Tests: Verify that validity info is present in cert-show and cert-find command Label: +pushed From freeipa-github-notification at redhat.com Mon Nov 14 16:31:10 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 14 Nov 2016 17:31:10 +0100 Subject: [Freeipa-devel] [freeipa PR#194][comment] Tests: Verify that validity info is present in cert-show and cert-find command In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/194 Title: #194: Tests: Verify that validity info is present in cert-show and cert-find command mbasti-rh commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/414ed0d182e55dfe18f31ebbbc97095b989fc162 ipa-4-4: https://fedorahosted.org/freeipa/changeset/118d455027beee158a934d3f25b15d0e262fc5a6 """ See the full comment at https://github.com/freeipa/freeipa/pull/194#issuecomment-260385336 From freeipa-github-notification at redhat.com Mon Nov 14 16:31:11 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 14 Nov 2016 17:31:11 +0100 Subject: [Freeipa-devel] [freeipa PR#194][closed] Tests: Verify that validity info is present in cert-show and cert-find command In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/194 Author: mirielka Title: #194: Tests: Verify that validity info is present in cert-show and cert-find command Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/194/head:pr194 git checkout pr194 From freeipa-github-notification at redhat.com Mon Nov 14 16:32:11 2016 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Mon, 14 Nov 2016 17:32:11 +0100 Subject: [Freeipa-devel] [freeipa PR#239][opened] cainstance: use correct certificate for replica install check Message-ID: URL: https://github.com/freeipa/freeipa/pull/239 Author: tomaskrizek Title: #239: cainstance: use correct certificate for replica install check Action: opened PR body: """ Incorrect certificate file extension caused DL0 replica install to fail. https://fedorahosted.org/freeipa/ticket/6461 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/239/head:pr239 git checkout pr239 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-239.patch Type: text/x-diff Size: 1084 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Nov 14 16:33:57 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 14 Nov 2016 17:33:57 +0100 Subject: [Freeipa-devel] [freeipa PR#237][+pushed] Update man page for ipa-adtrust-install by removing --no-msdcs option In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/237 Title: #237: Update man page for ipa-adtrust-install by removing --no-msdcs option Label: +pushed From freeipa-github-notification at redhat.com Mon Nov 14 16:33:58 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 14 Nov 2016 17:33:58 +0100 Subject: [Freeipa-devel] [freeipa PR#237][comment] Update man page for ipa-adtrust-install by removing --no-msdcs option In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/237 Title: #237: Update man page for ipa-adtrust-install by removing --no-msdcs option mbasti-rh commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/623cc428cfd79ea228bda6e88dc48bad9aaf61aa """ See the full comment at https://github.com/freeipa/freeipa/pull/237#issuecomment-260386154 From freeipa-github-notification at redhat.com Mon Nov 14 16:34:00 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 14 Nov 2016 17:34:00 +0100 Subject: [Freeipa-devel] [freeipa PR#237][closed] Update man page for ipa-adtrust-install by removing --no-msdcs option In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/237 Author: pspacek Title: #237: Update man page for ipa-adtrust-install by removing --no-msdcs option Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/237/head:pr237 git checkout pr237 From freeipa-github-notification at redhat.com Mon Nov 14 16:37:48 2016 From: freeipa-github-notification at redhat.com (pvomacka) Date: Mon, 14 Nov 2016 17:37:48 +0100 Subject: [Freeipa-devel] [freeipa PR#190][+ack] [4.4] Fix tests install dom0 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/190 Title: #190: [4.4] Fix tests install dom0 Label: +ack From freeipa-github-notification at redhat.com Mon Nov 14 16:58:17 2016 
From: freeipa-github-notification at redhat.com (flo-renaud) Date: Mon, 14 Nov 2016 17:58:17 +0100 Subject: [Freeipa-devel] [freeipa PR#239][+ack] cainstance: use correct certificate for replica install check In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/239 Title: #239: cainstance: use correct certificate for replica install check Label: +ack From freeipa-github-notification at redhat.com Mon Nov 14 16:58:31 2016 From: freeipa-github-notification at redhat.com (flo-renaud) Date: Mon, 14 Nov 2016 17:58:31 +0100 Subject: [Freeipa-devel] [freeipa PR#239][comment] cainstance: use correct certificate for replica install check In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/239 Title: #239: cainstance: use correct certificate for replica install check flo-renaud commented: """ Hi, works for me. """ See the full comment at https://github.com/freeipa/freeipa/pull/239#issuecomment-260393542 From freeipa-github-notification at redhat.com Mon Nov 14 17:01:46 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 14 Nov 2016 18:01:46 +0100 Subject: [Freeipa-devel] [freeipa PR#239][+pushed] cainstance: use correct certificate for replica install check In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/239 Title: #239: cainstance: use correct certificate for replica install check Label: +pushed From freeipa-github-notification at redhat.com Mon Nov 14 17:01:48 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 14 Nov 2016 18:01:48 +0100 Subject: [Freeipa-devel] [freeipa PR#239][comment] cainstance: use correct certificate for replica install check In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/239 Title: #239: cainstance: use correct certificate for replica install check mbasti-rh commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/d6300dca285acaad296f6271421c23999e3c1071 """ See the full comment at https://github.com/freeipa/freeipa/pull/239#issuecomment-260394466 From freeipa-github-notification at redhat.com Mon Nov 14 17:01:49 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 14 Nov 2016 18:01:49 +0100 Subject: [Freeipa-devel] [freeipa PR#239][closed] cainstance: use correct certificate for replica install check In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/239 Author: tomaskrizek Title: #239: cainstance: use correct certificate for replica install check Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/239/head:pr239 git checkout pr239 From freeipa-github-notification at redhat.com Mon Nov 14 17:01:54 2016 
From: freeipa-github-notification at redhat.com (jumitche) Date: Mon, 14 Nov 2016 18:01:54 +0100 Subject: [Freeipa-devel] [freeipa PR#215][comment] Add script to setup krb5 NFS exports In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/215 Title: #215: Add script to setup krb5 NFS exports jumitche commented: """ @mbasti-rh This is my first Python script so apologies for it being a bit rough around the edges. I tried to emulate the stylings of the other ipa-scripts. I recall that the user_input method is very similar, and there is some boilerplate top level exception handling, but no direct cut and paste afair. It does not attempt to install any packages, it just suggests which ones you might need if it finds commands it relies upon are missing. The brief was to make an easy to use script in the style of ipa-client-install that sets up kerberos encrypted NFS exports on a host. It calls out to the cli commands where possible so that it could potentially be reused with AD in the future. It tries to retrieve as much information from an already configured system as possible, and if IPA is already setup, configured, and a session in progress it will ask very little. When the setup is not there it gracefully falls back, asking more and more questions as required, attempting to initiate authentications where needed, until a final level where if critical components are missing it will suggest which packages may be missing before giving up. I have made changes to pass all the pylint tests cleanly, as I failed to notice them originally. Are there any further modifications I should be making? """ See the full comment at https://github.com/freeipa/freeipa/pull/215#issuecomment-260394525 From freeipa-github-notification at redhat.com Mon Nov 14 17:07:16 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 14 Nov 2016 18:07:16 +0100 Subject: [Freeipa-devel] [freeipa PR#190][closed] [4.4] Fix tests install dom0 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/190 Author: mbasti-rh Title: #190: [4.4] Fix tests install dom0 Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/190/head:pr190 git checkout pr190 From freeipa-github-notification at redhat.com Mon Nov 14 17:07:18 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 14 Nov 2016 18:07:18 +0100 Subject: [Freeipa-devel] [freeipa PR#190][comment] [4.4] Fix tests install dom0 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/190 Title: #190: [4.4] Fix tests install dom0 mbasti-rh commented: """ Fixed upstream ipa-4-4: https://fedorahosted.org/freeipa/changeset/bf799988137769c4d0cbd16b988d4afca5d85042 https://fedorahosted.org/freeipa/changeset/7bb2742901ac926f47463ce9216483290684055c https://fedorahosted.org/freeipa/changeset/c036dda89f1381ab43c1d1362bec34b0b190b3c0 """ See the full comment at https://github.com/freeipa/freeipa/pull/190#issuecomment-260396111 From freeipa-github-notification at redhat.com Mon Nov 14 17:07:19 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 14 Nov 2016 18:07:19 +0100 Subject: [Freeipa-devel] [freeipa PR#190][+pushed] [4.4] Fix tests install dom0 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/190 Title: #190: [4.4] Fix tests install dom0 Label: +pushed From freeipa-github-notification at redhat.com Mon Nov 14 17:08:33 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 14 Nov 2016 18:08:33 +0100 Subject: [Freeipa-devel] [freeipa PR#185][+pushed] TESTS: Update group type name In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/185 Title: #185: TESTS: Update group type name Label: +pushed From freeipa-github-notification at redhat.com Mon Nov 14 17:08:35 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 14 Nov 2016 18:08:35 +0100 Subject: [Freeipa-devel] [freeipa PR#185][comment] TESTS: Update group type name In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/185 Title: #185: TESTS: Update group type name mbasti-rh commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/6e475988e1ec1b89d44b495cd667a444526733a7 """ See the full comment at https://github.com/freeipa/freeipa/pull/185#issuecomment-260396497 From freeipa-github-notification at redhat.com Mon Nov 14 17:08:36 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 14 Nov 2016 18:08:36 +0100 Subject: [Freeipa-devel] [freeipa PR#185][closed] TESTS: Update group type name In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/185 Author: pvomacka Title: #185: TESTS: Update group type name Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/185/head:pr185 git checkout pr185 From freeipa-github-notification at redhat.com Mon Nov 14 17:15:33 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 14 Nov 2016 18:15:33 +0100 Subject: [Freeipa-devel] [freeipa PR#157][closed] git: Add commit template In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/157 Author: mzidek-rh Title: #157: git: Add commit template Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/157/head:pr157 git checkout pr157 From freeipa-github-notification at redhat.com Mon Nov 14 17:15:39 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 14 Nov 2016 18:15:39 +0100 Subject: [Freeipa-devel] [freeipa PR#157][comment] git: Add commit template In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/157 Title: #157: git: Add commit template mbasti-rh commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/2df709838905dec3ee2c2eaec47f506336d85a6e """ See the full comment at https://github.com/freeipa/freeipa/pull/157#issuecomment-260398394 From freeipa-github-notification at redhat.com Mon Nov 14 17:15:41 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 14 Nov 2016 18:15:41 +0100 Subject: [Freeipa-devel] [freeipa PR#157][+pushed] git: Add commit template In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/157 Title: #157: git: Add commit template Label: +pushed From freeipa-github-notification at redhat.com Mon Nov 14 17:19:38 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 14 Nov 2016 18:19:38 +0100 Subject: [Freeipa-devel] [freeipa PR#178][+pushed] ipatests: Fix assert_deepequal outside of pytest process In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/178 Title: #178: ipatests: Fix assert_deepequal outside of pytest process Label: +pushed From freeipa-github-notification at redhat.com Mon Nov 14 17:19:40 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 14 Nov 2016 18:19:40 +0100 Subject: [Freeipa-devel] [freeipa PR#178][comment] ipatests: Fix assert_deepequal outside of pytest process In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/178 Title: #178: ipatests: Fix assert_deepequal outside of pytest process mbasti-rh commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/e54109c167526ae6b1cd4c977915da884482891b """ See the full comment at https://github.com/freeipa/freeipa/pull/178#issuecomment-260399510 From freeipa-github-notification at redhat.com Mon Nov 14 17:23:57 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 14 Nov 2016 18:23:57 +0100 Subject: [Freeipa-devel] [freeipa PR#119][comment] Tests: Providing trust tests with tree root domain In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/119 Title: #119: Tests: Providing trust tests with tree root domain mbasti-rh commented: """ Needs rebase for 4.4 branch ``` error: ipatests/pytest_plugins/integration.py: patch does not apply ``` """ See the full comment at https://github.com/freeipa/freeipa/pull/119#issuecomment-260400687 From freeipa-github-notification at redhat.com Mon Nov 14 17:24:23 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 14 Nov 2016 18:24:23 +0100 Subject: [Freeipa-devel] [freeipa PR#119][comment] Tests: Providing trust tests with tree root domain In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/119 Title: #119: Tests: Providing trust tests with tree root domain mbasti-rh commented: """ And master too """ See the full comment at https://github.com/freeipa/freeipa/pull/119#issuecomment-260400800 From freeipa-github-notification at redhat.com Mon Nov 14 17:30:18 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 14 Nov 2016 18:30:18 +0100 Subject: [Freeipa-devel] [freeipa PR#224][+pushed] Integration tests for certs in idoverrides In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/224 Title: #224: Integration tests for certs in idoverrides Label: +pushed From freeipa-github-notification at redhat.com Mon Nov 14 17:30:20 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 14 Nov 2016 18:30:20 +0100 Subject: [Freeipa-devel] [freeipa PR#224][comment] Integration tests for certs in idoverrides In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/224 Title: #224: Integration tests for certs in idoverrides mbasti-rh commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/f1c9c56f40b542068b512e2010d40e87a2dd83df https://fedorahosted.org/freeipa/changeset/91c8911a9efc32024cb8bf29af26f61cf3a24e28 https://fedorahosted.org/freeipa/changeset/232a0391d33429a71da865c55be582ebdbc5b3db ipa-4-4: https://fedorahosted.org/freeipa/changeset/7931a26b95218c02eb7433f76a52e17c889e337f https://fedorahosted.org/freeipa/changeset/0e5a228475bdb5bf73c800eeca30d7cb6df96ed7 https://fedorahosted.org/freeipa/changeset/b9083bf8379a4ca65ce4a7127601400dab68b834 """ See the full comment at https://github.com/freeipa/freeipa/pull/224#issuecomment-260402333 From freeipa-github-notification at redhat.com Mon Nov 14 17:30:24 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 14 Nov 2016 18:30:24 +0100 Subject: [Freeipa-devel] [freeipa PR#224][closed] Integration tests for certs in idoverrides In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/224 Author: ofayans Title: #224: Integration tests for certs in idoverrides Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/224/head:pr224 git checkout pr224 From freeipa-github-notification at redhat.com Mon Nov 14 17:56:35 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 14 Nov 2016 18:56:35 +0100 Subject: [Freeipa-devel] [freeipa PR#174][comment] add log module In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/174 Title: #174: add log module mbasti-rh commented: """ Hello, we agreed on devel meeting that this is not the right way how to audit/log inspection should be done with FreeIPA: - centralized logging is preferred solution However we would like to merge some parts of your PR: - fix for missing translation strings - improvement of logging that might help you and can improve value of logs for users Would be awesome if you can send them as separate PR. Also we endorse you to create an IPA httpd log parser as separate CLI project from this PR which may be helpful for other users as lightweight solution compared to centralized logging. Thank you! """ See the full comment at https://github.com/freeipa/freeipa/pull/174#issuecomment-260409768 From freeipa-github-notification at redhat.com Mon Nov 14 17:56:36 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 14 Nov 2016 18:56:36 +0100 Subject: [Freeipa-devel] [freeipa PR#174][closed] add log module In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/174 Author: shanyin Title: #174: add log module Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/174/head:pr174 git checkout pr174 From freeipa-github-notification at redhat.com Mon Nov 14 17:56:40 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 14 Nov 2016 18:56:40 +0100 Subject: [Freeipa-devel] [freeipa PR#174][+rejected] add log module In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/174 Title: #174: add log module Label: +rejected From freeipa-github-notification at redhat.com Mon Nov 14 19:29:24 2016 From: freeipa-github-notification at redhat.com (tiran) Date: Mon, 14 Nov 2016 20:29:24 +0100 Subject: [Freeipa-devel] [freeipa PR#197][synchronized] Make setup.py files PyPI compatible In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/197 Author: tiran Title: #197: Make setup.py files PyPI compatible Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/197/head:pr197 git checkout pr197 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-197.patch Type: text/x-diff Size: 2208 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Nov 14 20:11:08 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 14 Nov 2016 21:11:08 +0100 Subject: [Freeipa-devel] [freeipa PR#197][+ack] Make setup.py files PyPI compatible In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/197 Title: #197: Make setup.py files PyPI compatible Label: +ack From freeipa-github-notification at redhat.com Mon Nov 14 20:21:40 2016 From: freeipa-github-notification at redhat.com (flo-renaud) Date: Mon, 14 Nov 2016 21:21:40 +0100 Subject: [Freeipa-devel] [freeipa PR#229][synchronized] Remove the renewal lock file upon uninstall In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/229 Author: flo-renaud Title: #229: Remove the renewal lock file upon uninstall Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/229/head:pr229 git checkout pr229 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-229.patch Type: text/x-diff Size: 5617 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Nov 14 20:23:36 2016 From: freeipa-github-notification at redhat.com (flo-renaud) Date: Mon, 14 Nov 2016 21:23:36 +0100 Subject: [Freeipa-devel] [freeipa PR#229][comment] Remove the renewal lock file upon uninstall In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/229 Title: #229: Remove the renewal lock file upon uninstall flo-renaud commented: """ Hi, I implemented @jcholast suggestions and finally found the origin of the lock. """ See the full comment at https://github.com/freeipa/freeipa/pull/229#issuecomment-260451388 From freeipa-github-notification at redhat.com Mon Nov 14 20:28:18 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 14 Nov 2016 21:28:18 +0100 Subject: [Freeipa-devel] [freeipa PR#238][comment] Build system refactoring phase 8: update translation system In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/238 Title: #238: Build system refactoring phase 8: update translation system mbasti-rh commented: """ Lint failed ``` cd .; ./makeaci --validate ./makeaci: ipaserver/plugins/dogtag.py:244: ignoring ImportError: No module named backports_abc cd .; ./makeapi --validate ./makeapi: ipaserver/plugins/dogtag.py:244: ignoring ImportError: No module named backports_abc make -C ./po validate-src-strings make[1]: Entering directory '/freeipa/po' make[1]: Leaving directory '/freeipa/po' make[1]: *** No rule to make target 'validate-src-strings'. Stop. make: *** [polint] Error 2 Makefile:1098: recipe for target 'polint' failed ``` """ See the full comment at https://github.com/freeipa/freeipa/pull/238#issuecomment-260452692 From freeipa-github-notification at redhat.com Tue Nov 15 01:48:23 2016 From: freeipa-github-notification at redhat.com (shanyin) Date: Tue, 15 Nov 2016 02:48:23 +0100 Subject: [Freeipa-devel] [freeipa PR#174][comment] add log module In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/174 Title: #174: add log module shanyin commented: """ What do you mean is that I should send the log codes as separate PR? If so, I will do it later. ------------------ Original ------------------
From: "mbasti-rh"; Date: Tue, Nov 15, 2016 01:56 AM To: "freeipa/freeipa"; Cc: "shanyin"; "Mention"; Subject: Re: [freeipa/freeipa] add log module (#174) Hello, we agreed on devel meeting that this is not the right way how to audit/log inspection should be done with FreeIPA: centralized logging is preferred solution However we would like to merge some parts of your PR: fix for missing translation strings improvement of logging that might help you and can improve value of logs for users Would be awesome if you can send them as separate PR. Also we endorse you to create an IPA httpd log parser as separate CLI project from this PR which may be helpful for other users as lightweight solution compared to centralized logging. Thank you! """ See the full comment at https://github.com/freeipa/freeipa/pull/174#issuecomment-260522728 From freeipa-github-notification at redhat.com Tue Nov 15 06:36:50 2016 From: freeipa-github-notification at redhat.com (mirielka) Date: Tue, 15 Nov 2016 07:36:50 +0100 Subject: [Freeipa-devel] [freeipa PR#240][opened] Document make_delete_command method in UserTracker Message-ID: URL: https://github.com/freeipa/freeipa/pull/240 Author: mirielka Title: #240: Document make_delete_command method in UserTracker Action: opened PR body: """ https://fedorahosted.org/freeipa/ticket/6485 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/240/head:pr240 git checkout pr240 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-240.patch Type: text/x-diff Size: 1770 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Nov 15 08:31:14 2016
From: freeipa-github-notification at redhat.com (apophys) Date: Tue, 15 Nov 2016 09:31:14 +0100 Subject: [Freeipa-devel] [freeipa PR#240][+ack] Document make_delete_command method in UserTracker In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/240 Title: #240: Document make_delete_command method in UserTracker Label: +ack From freeipa-github-notification at redhat.com Tue Nov 15 08:47:58 2016 From: freeipa-github-notification at redhat.com (pspacek) Date: Tue, 15 Nov 2016 09:47:58 +0100 Subject: [Freeipa-devel] [freeipa PR#237][comment] Update man page for ipa-adtrust-install by removing --no-msdcs option In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/237 Title: #237: Update man page for ipa-adtrust-install by removing --no-msdcs option pspacek commented: """ Given the code change went to ipa-4-4 branch, I would merge it to ipa-4-4 as well. It does not make sense to keep it only in 4.5 and have incorrect documentation in 4.4. """ See the full comment at https://github.com/freeipa/freeipa/pull/237#issuecomment-260582003 From freeipa-github-notification at redhat.com Tue Nov 15 08:48:02 2016 From: freeipa-github-notification at redhat.com (pspacek) Date: Tue, 15 Nov 2016 09:48:02 +0100 Subject: [Freeipa-devel] [freeipa PR#237][reopened] Update man page for ipa-adtrust-install by removing --no-msdcs option In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/237 Author: pspacek Title: #237: Update man page for ipa-adtrust-install by removing --no-msdcs option Action: reopened To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/237/head:pr237 git checkout pr237 From freeipa-github-notification at redhat.com Tue Nov 15 08:49:21 2016 
From: freeipa-github-notification at redhat.com (pspacek) Date: Tue, 15 Nov 2016 09:49:21 +0100 Subject: [Freeipa-devel] [freeipa PR#215][comment] Add script to setup krb5 NFS exports In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/215 Title: #215: Add script to setup krb5 NFS exports pspacek commented: """ It sounds to me that it could be a useful plugin for ipa-advise tool. This is the tool which is supposed to give advice like 'install this and that' and so on. """ See the full comment at https://github.com/freeipa/freeipa/pull/215#issuecomment-260582312 From freeipa-github-notification at redhat.com Tue Nov 15 10:02:50 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 15 Nov 2016 11:02:50 +0100 Subject: [Freeipa-devel] [freeipa PR#237][comment] Update man page for ipa-adtrust-install by removing --no-msdcs option In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/237 Title: #237: Update man page for ipa-adtrust-install by removing --no-msdcs option mbasti-rh commented: """ So please re-triage it today, yesterday was only 4.5 milestone agreed """ See the full comment at https://github.com/freeipa/freeipa/pull/237#issuecomment-260598751 From freeipa-github-notification at redhat.com Tue Nov 15 11:08:33 2016 From: freeipa-github-notification at redhat.com (pvoborni) Date: Tue, 15 Nov 2016 12:08:33 +0100 Subject: [Freeipa-devel] [freeipa PR#197][comment] Make setup.py files PyPI compatible In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/197 Title: #197: Make setup.py files PyPI compatible pvoborni commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/2dd66c6366454f9edd9b89861530e97c75b2d869 """ See the full comment at https://github.com/freeipa/freeipa/pull/197#issuecomment-260613545 From freeipa-github-notification at redhat.com Tue Nov 15 11:08:35 2016
From: freeipa-github-notification at redhat.com (pvoborni) Date: Tue, 15 Nov 2016 12:08:35 +0100 Subject: [Freeipa-devel] [freeipa PR#197][closed] Make setup.py files PyPI compatible In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/197 Author: tiran Title: #197: Make setup.py files PyPI compatible Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/197/head:pr197 git checkout pr197 From freeipa-github-notification at redhat.com Tue Nov 15 11:08:36 2016 From: freeipa-github-notification at redhat.com (pvoborni) Date: Tue, 15 Nov 2016 12:08:36 +0100 Subject: [Freeipa-devel] [freeipa PR#197][+pushed] Make setup.py files PyPI compatible In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/197 Title: #197: Make setup.py files PyPI compatible Label: +pushed From freeipa-github-notification at redhat.com Tue Nov 15 11:21:06 2016 From: freeipa-github-notification at redhat.com (tiran) Date: Tue, 15 Nov 2016 12:21:06 +0100 Subject: [Freeipa-devel] [freeipa PR#195][synchronized] [WIP] Make ipaclient pip install-able In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/195 Author: tiran Title: #195: [WIP] Make ipaclient pip install-able Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/195/head:pr195 git checkout pr195 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-195.patch Type: text/x-diff Size: 8254 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Nov 15 12:05:57 2016 
From: freeipa-github-notification at redhat.com (tiran) Date: Tue, 15 Nov 2016 13:05:57 +0100 Subject: [Freeipa-devel] [freeipa PR#241][opened] Port ipapython.dnssec.odsmgr to xml.etree Message-ID: URL: https://github.com/freeipa/freeipa/pull/241 Author: tiran Title: #241: Port ipapython.dnssec.odsmgr to xml.etree Action: opened PR body: """ The module ipapython.dnssec.odsmgr is the only module in ipalib, ipaclient, ipapython and ipaplatform that uses lxml.etree. https://fedorahosted.org/freeipa/ticket/6469 Signed-off-by: Christian Heimes """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/241/head:pr241 git checkout pr241 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-241.patch Type: text/x-diff Size: 6078 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Nov 15 12:14:06 2016 From: freeipa-github-notification at redhat.com (mirielka) Date: Tue, 15 Nov 2016 13:14:06 +0100 Subject: [Freeipa-devel] [freeipa PR#119][edited] [ipa-4-4] Tests: Providing trust tests with tree root domain In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/119 Author: mirielka Title: #119: [ipa-4-4] Tests: Providing trust tests with tree root domain Action: edited Changed field: title Original value: """ Tests: Providing trust tests with tree root domain """ From freeipa-github-notification at redhat.com Tue Nov 15 12:18:12 2016 
From: freeipa-github-notification at redhat.com (mirielka) Date: Tue, 15 Nov 2016 13:18:12 +0100 Subject: [Freeipa-devel] [freeipa PR#242][opened] [master] Tests: Providing trust tests with tree root domain Message-ID: URL: https://github.com/freeipa/freeipa/pull/242 Author: mirielka Title: #242: [master] Tests: Providing trust tests with tree root domain Action: opened PR body: """ https://fedorahosted.org/freeipa/ticket/6347 Note: This PR is rebased version of https://github.com/freeipa/freeipa/pull/119 for master """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/242/head:pr242 git checkout pr242 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-242.patch Type: text/x-diff Size: 7025 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Nov 15 12:20:22 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 15 Nov 2016 13:20:22 +0100 Subject: [Freeipa-devel] [freeipa PR#119][+pushed] [ipa-4-4] Tests: Providing trust tests with tree root domain In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/119 Title: #119: [ipa-4-4] Tests: Providing trust tests with tree root domain Label: +pushed From freeipa-github-notification at redhat.com Tue Nov 15 12:20:24 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 15 Nov 2016 13:20:24 +0100 Subject: [Freeipa-devel] [freeipa PR#119][comment] [ipa-4-4] Tests: Providing trust tests with tree root domain In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/119 Title: #119: [ipa-4-4] Tests: Providing trust tests with tree root domain mbasti-rh commented: """ Fixed upstream ipa-4-4: https://fedorahosted.org/freeipa/changeset/949e67692c427e0082ed32b729875b4fcffe631e """ See the full comment at https://github.com/freeipa/freeipa/pull/119#issuecomment-260626855 From freeipa-github-notification at redhat.com Tue Nov 15 12:20:25 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 15 Nov 2016 13:20:25 +0100 Subject: [Freeipa-devel] [freeipa PR#119][closed] [ipa-4-4] Tests: Providing trust tests with tree root domain In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/119 Author: mirielka Title: #119: [ipa-4-4] Tests: Providing trust tests with tree root domain Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/119/head:pr119 git checkout pr119 From freeipa-github-notification at redhat.com Tue Nov 15 12:34:22 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 15 Nov 2016 13:34:22 +0100 Subject: [Freeipa-devel] [freeipa PR#242][+ack] [master] Tests: Providing trust tests with tree root domain In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/242 Title: #242: [master] Tests: Providing trust tests with tree root domain Label: +ack From freeipa-github-notification at redhat.com Tue Nov 15 12:34:55 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 15 Nov 2016 13:34:55 +0100 Subject: [Freeipa-devel] [freeipa PR#242][+pushed] [master] Tests: Providing trust tests with tree root domain In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/242 Title: #242: [master] Tests: Providing trust tests with tree root domain Label: +pushed From freeipa-github-notification at redhat.com Tue Nov 15 12:34:56 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 15 Nov 2016 13:34:56 +0100 Subject: [Freeipa-devel] [freeipa PR#242][comment] [master] Tests: Providing trust tests with tree root domain In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/242 Title: #242: [master] Tests: Providing trust tests with tree root domain mbasti-rh commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/4df1d9d1a566af57b23d45ca4377ab77ed9e4d60 """ See the full comment at https://github.com/freeipa/freeipa/pull/242#issuecomment-260629717 From freeipa-github-notification at redhat.com Tue Nov 15 12:34:58 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 15 Nov 2016 13:34:58 +0100 Subject: [Freeipa-devel] [freeipa PR#242][closed] [master] Tests: Providing trust tests with tree root domain In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/242 Author: mirielka Title: #242: [master] Tests: Providing trust tests with tree root domain Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/242/head:pr242 git checkout pr242 From freeipa-github-notification at redhat.com Tue Nov 15 13:07:33 2016 
From: freeipa-github-notification at redhat.com (tiran) Date: Tue, 15 Nov 2016 14:07:33 +0100 Subject: [Freeipa-devel] [freeipa PR#241][synchronized] Port ipapython.dnssec.odsmgr to xml.etree In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/241 Author: tiran Title: #241: Port ipapython.dnssec.odsmgr to xml.etree Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/241/head:pr241 git checkout pr241 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-241.patch Type: text/x-diff Size: 6413 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Nov 15 13:21:41 2016 From: freeipa-github-notification at redhat.com (pspacek) Date: Tue, 15 Nov 2016 14:21:41 +0100 Subject: [Freeipa-devel] [freeipa PR#236][synchronized] Build phase 7: cleanup In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/236 Author: pspacek Title: #236: Build phase 7: cleanup Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/236/head:pr236 git checkout pr236 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-236.patch Type: text/x-diff Size: 40369 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Nov 15 13:24:06 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 15 Nov 2016 14:24:06 +0100 Subject: [Freeipa-devel] [freeipa PR#241][comment] Port ipapython.dnssec.odsmgr to xml.etree In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/241 Title: #241: Port ipapython.dnssec.odsmgr to xml.etree mbasti-rh commented: """ I wrote some inline comments, I will test it later, DNSSEC is very hard to debug when an issue occurs, so review must be perfect. """ See the full comment at https://github.com/freeipa/freeipa/pull/241#issuecomment-260639942 From freeipa-github-notification at redhat.com Tue Nov 15 13:24:47 2016 From: freeipa-github-notification at redhat.com (pspacek) Date: Tue, 15 Nov 2016 14:24:47 +0100 Subject: [Freeipa-devel] [freeipa PR#236][comment] Build phase 7: cleanup In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/236 Title: #236: Build phase 7: cleanup pspacek commented: """ @lslebodn I've dropped the controversial patch which removes NULLs to allow you to send PR which adds it everywhere as you proposed. I'm going to wait till deadline at end of this working week. If your PR is not reviewed by then I'm going to push the removal so things are at least consistent. """ See the full comment at https://github.com/freeipa/freeipa/pull/236#issuecomment-260640084 From freeipa-github-notification at redhat.com Tue Nov 15 14:04:03 2016
From: freeipa-github-notification at redhat.com (tiran) Date: Tue, 15 Nov 2016 15:04:03 +0100 Subject: [Freeipa-devel] [freeipa PR#241][comment] Port ipapython.dnssec.odsmgr to xml.etree In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/241 Title: #241: Port ipapython.dnssec.odsmgr to xml.etree tiran commented: """ I just replaced the XML parser with a slightly different code. I even included unit test to ensure that the XML parser works. Feel free to add more XML files or a real world example. I couldn't find one. """ See the full comment at https://github.com/freeipa/freeipa/pull/241#issuecomment-260649241 From freeipa-github-notification at redhat.com Tue Nov 15 14:29:30 2016 From: freeipa-github-notification at redhat.com (flo-renaud) Date: Tue, 15 Nov 2016 15:29:30 +0100 Subject: [Freeipa-devel] [freeipa PR#222][synchronized] Fix ipa-replica-install when upgrade from ca-less to ca-full In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/222 Author: flo-renaud Title: #222: Fix ipa-replica-install when upgrade from ca-less to ca-full Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/222/head:pr222 git checkout pr222 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-222.patch Type: text/x-diff Size: 3781 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Nov 15 14:47:33 2016 
From: freeipa-github-notification at redhat.com (tiran) Date: Tue, 15 Nov 2016 15:47:33 +0100 Subject: [Freeipa-devel] [freeipa PR#241][synchronized] Port ipapython.dnssec.odsmgr to xml.etree In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/241 Author: tiran Title: #241: Port ipapython.dnssec.odsmgr to xml.etree Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/241/head:pr241 git checkout pr241 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-241.patch Type: text/x-diff Size: 5351 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Nov 15 14:56:43 2016 From: freeipa-github-notification at redhat.com (lslebodn) Date: Tue, 15 Nov 2016 15:56:43 +0100 Subject: [Freeipa-devel] [freeipa PR#238][comment] Build system refactoring phase 8: update translation system In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/238 Title: #238: Build system refactoring phase 8: update translation system lslebodn commented: """ and also ``` Making install in po make[1]: Entering directory '/home/user/freeipa/po' make[1]: *** No rule to make target 'install'. Stop. make[1]: Leaving directory '/home/user/freeipa/po' make: *** [Makefile:595: install-recursive] Error 1 ``` """ See the full comment at https://github.com/freeipa/freeipa/pull/238#issuecomment-260662849 From freeipa-github-notification at redhat.com Tue Nov 15 14:59:43 2016 
From: freeipa-github-notification at redhat.com (lslebodn) Date: Tue, 15 Nov 2016 15:59:43 +0100 Subject: [Freeipa-devel] [freeipa PR#238][comment] Build system refactoring phase 8: update translation system In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/238 Title: #238: Build system refactoring phase 8: update translation system lslebodn commented: """ The following files should be removed from git: `m4/gettext.m4 m4/iconv.m4 m4/lib-ld.m4 m4/lib-link.m4 m4/lib-prefix.m4 m4/nls.m4 m4/po.m4`. The latest versions should be used by autoreconf after installing the build dependency `gettext-devel`. Otherwise it's possible that the tarball might contain outdated versions in the future. """ See the full comment at https://github.com/freeipa/freeipa/pull/238#issuecomment-260663677 From freeipa-github-notification at redhat.com Tue Nov 15 15:08:45 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 15 Nov 2016 16:08:45 +0100 Subject: [Freeipa-devel] [freeipa PR#233][comment] Build phase 6: %install cleanup In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/233 Title: #233: Build phase 6: %install cleanup mbasti-rh commented: """ @tiran do you agree with the changes? """ See the full comment at https://github.com/freeipa/freeipa/pull/233#issuecomment-260666363 From freeipa-github-notification at redhat.com Tue Nov 15 15:13:21 2016 
From: freeipa-github-notification at redhat.com (tiran) Date: Tue, 15 Nov 2016 16:13:21 +0100 Subject: [Freeipa-devel] [freeipa PR#187][synchronized] Register entry points of Custodia plugins In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/187 Author: tiran Title: #187: Register entry points of Custodia plugins Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/187/head:pr187 git checkout pr187 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-187.patch Type: text/x-diff Size: 1625 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Nov 15 15:17:05 2016 From: freeipa-github-notification at redhat.com (tiran) Date: Tue, 15 Nov 2016 16:17:05 +0100 Subject: [Freeipa-devel] [freeipa PR#180][comment] Make api.env.nss_dir relative to api.env.confdir In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/180 Title: #180: Make api.env.nss_dir relative to api.env.confdir tiran commented: """ #143 has been merged. I made sure that consumers of hard-coded NSS directory will fail in the presence of ```IPA_CONFDIR```. """ See the full comment at https://github.com/freeipa/freeipa/pull/180#issuecomment-260668802 From freeipa-github-notification at redhat.com Tue Nov 15 15:31:50 2016 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Tue, 15 Nov 2016 16:31:50 +0100 Subject: [Freeipa-devel] [freeipa PR#223][comment] LDAP refactoring: remove admin_conn In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/223 Title: #223: LDAP refactoring: remove admin_conn tomaskrizek commented: """ Bump for review. I forgot about this PR, it's a final change from the refactoring effort. """ See the full comment at https://github.com/freeipa/freeipa/pull/223#issuecomment-260673039 From freeipa-github-notification at redhat.com Tue Nov 15 16:01:03 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 15 Nov 2016 17:01:03 +0100 Subject: [Freeipa-devel] [freeipa PR#233][+pushed] Build phase 6: %install cleanup In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/233 Title: #233: Build phase 6: %install cleanup Label: +pushed From freeipa-github-notification at redhat.com Tue Nov 15 16:01:05 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 15 Nov 2016 17:01:05 +0100 Subject: [Freeipa-devel] [freeipa PR#233][closed] Build phase 6: %install cleanup In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/233 Author: pspacek Title: #233: Build phase 6: %install cleanup Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/233/head:pr233 git checkout pr233 From freeipa-github-notification at redhat.com Tue Nov 15 16:01:14 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 15 Nov 2016 17:01:14 +0100 Subject: [Freeipa-devel] [freeipa PR#233][comment] Build phase 6: %install cleanup In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/233 Title: #233: Build phase 6: %install cleanup mbasti-rh commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/636aaa7dbc649e685233f382cb8dd424345bebd3 https://fedorahosted.org/freeipa/changeset/20918579acb43391d5d04ee8050b37142a55df76 https://fedorahosted.org/freeipa/changeset/1fa0ed954bb45b6e3858c1c54470b1d16ab204d9 https://fedorahosted.org/freeipa/changeset/5a5373464fa67289c9a178b1c0569f585dc6dc34 """ See the full comment at https://github.com/freeipa/freeipa/pull/233#issuecomment-260681881 From freeipa-github-notification at redhat.com Tue Nov 15 16:02:42 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 15 Nov 2016 17:02:42 +0100 Subject: [Freeipa-devel] [freeipa PR#240][+pushed] Document make_delete_command method in UserTracker In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/240 Title: #240: Document make_delete_command method in UserTracker Label: +pushed From freeipa-github-notification at redhat.com Tue Nov 15 16:02:43 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 15 Nov 2016 17:02:43 +0100 Subject: [Freeipa-devel] [freeipa PR#240][comment] Document make_delete_command method in UserTracker In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/240 Title: #240: Document make_delete_command method in UserTracker mbasti-rh commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/4b3bd5424246d8386a33a73f9a98c6958823093e ipa-4-4: https://fedorahosted.org/freeipa/changeset/150731e6ef5bb35e287bac4dfd4733c753072cc3 ipa-4-3: https://fedorahosted.org/freeipa/changeset/a825540932d8fc2bf7f7e799be2fda0b61763ec3 """ See the full comment at https://github.com/freeipa/freeipa/pull/240#issuecomment-260682386 From freeipa-github-notification at redhat.com Tue Nov 15 16:02:45 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 15 Nov 2016 17:02:45 +0100 Subject: [Freeipa-devel] [freeipa PR#240][closed] Document make_delete_command method in UserTracker In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/240 Author: mirielka Title: #240: Document make_delete_command method in UserTracker Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/240/head:pr240 git checkout pr240 From freeipa-github-notification at redhat.com Tue Nov 15 16:04:56 2016 
From: freeipa-github-notification at redhat.com (martbab) Date: Tue, 15 Nov 2016 17:04:56 +0100 Subject: [Freeipa-devel] [freeipa PR#234][comment] Always use GSSAPI to set up initial replication In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/234 Title: #234: Always use GSSAPI to set up initial replication martbab commented: """ @mbasti-rh will you continue reviewing this PR or should I defer it to some other time? """ See the full comment at https://github.com/freeipa/freeipa/pull/234#issuecomment-260683112 From freeipa-github-notification at redhat.com Tue Nov 15 16:06:09 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 15 Nov 2016 17:06:09 +0100 Subject: [Freeipa-devel] [freeipa PR#234][comment] Always use GSSAPI to set up initial replication In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/234 Title: #234: Always use GSSAPI to set up initial replication mbasti-rh commented: """ @martbab Working on it """ See the full comment at https://github.com/freeipa/freeipa/pull/234#issuecomment-260683430 From freeipa-github-notification at redhat.com Tue Nov 15 17:15:43 2016 
From: freeipa-github-notification at redhat.com (lslebodn) Date: Tue, 15 Nov 2016 18:15:43 +0100 Subject: [Freeipa-devel] [freeipa PR#236][comment] Build phase 7: cleanup In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/236 Title: #236: Build phase 7: cleanup lslebodn commented: """ Thank you very much for removing the problematic patch. Do not forget to remove it from "Build phase 8" :-) as well. A) there are few conflicts => the patch needs to be rebased. B) I do not think that @tiran's objection about rpm in makerpms.sh is valid, but he should reply. Otherwise ACK after rebase. Nice work and thank you very much for it. BTW is there a plan to have "make dictcheck" functional? """ See the full comment at https://github.com/freeipa/freeipa/pull/236#issuecomment-260704741 From freeipa-github-notification at redhat.com Tue Nov 15 17:36:47 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 15 Nov 2016 18:36:47 +0100 Subject: [Freeipa-devel] [freeipa PR#223][comment] LDAP refactoring: remove admin_conn In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/223 Title: #223: LDAP refactoring: remove admin_conn mbasti-rh commented: """ Works for me, I'll check code tomorrow """ See the full comment at https://github.com/freeipa/freeipa/pull/223#issuecomment-260710722 From freeipa-github-notification at redhat.com Tue Nov 15 17:39:46 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 15 Nov 2016 18:39:46 +0100 Subject: [Freeipa-devel] [freeipa PR#234][comment] Always use GSSAPI to set up initial replication In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/234 Title: #234: Always use GSSAPI to set up initial replication mbasti-rh commented: """ Works for me, but because to test this against IPA 3.x is not my destiny because "issues" I cannot add ACK yet """ See the full comment at https://github.com/freeipa/freeipa/pull/234#issuecomment-260711513 From freeipa-github-notification at redhat.com Tue Nov 15 17:40:57 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 15 Nov 2016 18:40:57 +0100 Subject: [Freeipa-devel] [freeipa PR#229][comment] Remove the renewal lock file upon uninstall In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/229 Title: #229: Remove the renewal lock file upon uninstall mbasti-rh commented: """ Works for me on both domain levels, I'd ACK this if nobody is against """ See the full comment at https://github.com/freeipa/freeipa/pull/229#issuecomment-260711834 From freeipa-github-notification at redhat.com Tue Nov 15 17:41:48 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 15 Nov 2016 18:41:48 +0100 Subject: [Freeipa-devel] [freeipa PR#229][+ack] Remove the renewal lock file upon uninstall In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/229 Title: #229: Remove the renewal lock file upon uninstall Label: +ack From freeipa-github-notification at redhat.com Tue Nov 15 21:09:51 2016 
From: freeipa-github-notification at redhat.com (pspacek) Date: Tue, 15 Nov 2016 22:09:51 +0100 Subject: [Freeipa-devel] [freeipa PR#236][synchronized] Build phase 7: cleanup In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/236 Author: pspacek Title: #236: Build phase 7: cleanup Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/236/head:pr236 git checkout pr236 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-236.patch Type: text/x-diff Size: 29228 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Nov 15 21:10:54 2016 From: freeipa-github-notification at redhat.com (pspacek) Date: Tue, 15 Nov 2016 22:10:54 +0100 Subject: [Freeipa-devel] [freeipa PR#236][comment] Build phase 7: cleanup In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/236 Title: #236: Build phase 7: cleanup pspacek commented: """ Rebased. """ See the full comment at https://github.com/freeipa/freeipa/pull/236#issuecomment-260769221 From freeipa-github-notification at redhat.com Tue Nov 15 21:11:43 2016 From: freeipa-github-notification at redhat.com (pspacek) Date: Tue, 15 Nov 2016 22:11:43 +0100 Subject: [Freeipa-devel] [freeipa PR#236][comment] Build phase 7: cleanup In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/236 Title: #236: Build phase 7: cleanup pspacek commented: """ @lslebodn There is currently no plan to support distcheck: Python setuptools do not support VPATH builds as AFAIK it is impossible to do that without patching setuptools heavily. """ See the full comment at https://github.com/freeipa/freeipa/pull/236#issuecomment-260769449 From freeipa-github-notification at redhat.com Tue Nov 15 21:36:57 2016 
From: freeipa-github-notification at redhat.com (pspacek) Date: Tue, 15 Nov 2016 22:36:57 +0100 Subject: [Freeipa-devel] [freeipa PR#236][comment] Build phase 7: cleanup In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/236 Title: #236: Build phase 7: cleanup pspacek commented: """ ACKing on behalf of Lukas. """ See the full comment at https://github.com/freeipa/freeipa/pull/236#issuecomment-260776818 From freeipa-github-notification at redhat.com Tue Nov 15 21:37:01 2016 From: freeipa-github-notification at redhat.com (pspacek) Date: Tue, 15 Nov 2016 22:37:01 +0100 Subject: [Freeipa-devel] [freeipa PR#236][+ack] Build phase 7: cleanup In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/236 Title: #236: Build phase 7: cleanup Label: +ack From ftweedal at redhat.com Wed Nov 16 03:24:15 2016 From: ftweedal at redhat.com (Fraser Tweedale) Date: Wed, 16 Nov 2016 13:24:15 +1000 Subject: [Freeipa-devel] cannot edit freeipa.org wiki Message-ID: <20161116032415.GY8861@dhcp-40-8.bne.redhat.com> Hi, I can no longer create or edit pages on the FreeIPA wiki. Could someone who administers the wiki help out? (Please follow up off-list.) Thanks, Fraser From freeipa-github-notification at redhat.com Wed Nov 16 08:10:48 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 16 Nov 2016 09:10:48 +0100 Subject: [Freeipa-devel] [freeipa PR#229][comment] Remove the renewal lock file upon uninstall In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/229 Title: #229: Remove the renewal lock file upon uninstall mbasti-rh commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/198cd5fab3937fd8948bea4b4949e30db4e490a4 """ See the full comment at https://github.com/freeipa/freeipa/pull/229#issuecomment-260880856 From freeipa-github-notification at redhat.com Wed Nov 16 08:10:49 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 16 Nov 2016 09:10:49 +0100 Subject: [Freeipa-devel] [freeipa PR#229][+pushed] Remove the renewal lock file upon uninstall In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/229 Title: #229: Remove the renewal lock file upon uninstall Label: +pushed From freeipa-github-notification at redhat.com Wed Nov 16 08:10:51 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 16 Nov 2016 09:10:51 +0100 Subject: [Freeipa-devel] [freeipa PR#229][closed] Remove the renewal lock file upon uninstall In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/229 Author: flo-renaud Title: #229: Remove the renewal lock file upon uninstall Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/229/head:pr229 git checkout pr229 From freeipa-github-notification at redhat.com Wed Nov 16 08:12:29 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 16 Nov 2016 09:12:29 +0100 Subject: [Freeipa-devel] [freeipa PR#236][+pushed] Build phase 7: cleanup In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/236 Title: #236: Build phase 7: cleanup Label: +pushed From freeipa-github-notification at redhat.com Wed Nov 16 08:12:30 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 16 Nov 2016 09:12:30 +0100 Subject: [Freeipa-devel] [freeipa PR#236][comment] Build phase 7: cleanup In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/236 Title: #236: Build phase 7: cleanup mbasti-rh commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/27e7a89a6289d0d3009f5f7feb9802b7db171a15 https://fedorahosted.org/freeipa/changeset/46b6b9e3091d08412912c37f46af497ddd0b8afb https://fedorahosted.org/freeipa/changeset/1cbd823990da0e931b666c4bc5c72f10d9de8115 https://fedorahosted.org/freeipa/changeset/d5683726d290b71eb44ab3b3150381f062e74df1 https://fedorahosted.org/freeipa/changeset/e2060e8e5562ed6a4fe760eba1babb5c1761576a https://fedorahosted.org/freeipa/changeset/6b9977f04199bf161d7171aedae9f97648c415c8 """ See the full comment at https://github.com/freeipa/freeipa/pull/236#issuecomment-260881124 From freeipa-github-notification at redhat.com Wed Nov 16 08:12:31 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 16 Nov 2016 09:12:31 +0100 Subject: [Freeipa-devel] [freeipa PR#236][closed] Build phase 7: cleanup In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/236 Author: pspacek Title: #236: Build phase 7: cleanup Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/236/head:pr236 git checkout pr236 From freeipa-github-notification at redhat.com Wed Nov 16 09:40:32 2016 From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 16 Nov 2016 10:40:32 +0100 Subject: [Freeipa-devel] [freeipa PR#243][opened] Don't modify redhat_system_units Message-ID: URL: https://github.com/freeipa/freeipa/pull/243 Author: tiran Title: #243: Don't modify redhat_system_units Action: opened PR body: """ ipaplatform.fedora.services used to modify the redhat_system_units dict. It now creates a proper shallow copy. 
Signed-off-by: Christian Heimes """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/243/head:pr243 git checkout pr243 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-243.patch Type: text/x-diff Size: 1048 bytes Desc: not available URL: From rajat.linux at gmail.com Wed Nov 16 09:41:30 2016 
From: rajat.linux at gmail.com (rajat gupta) Date: Wed, 16 Nov 2016 10:41:30 +0100 Subject: [Freeipa-devel] pam_winbind(sshd:auth): pam_get_item returned a password Message-ID: I am using FreeIPA version 4.4.0 and an Active Directory trust setup. On the Active Directory side I am using a UPN suffix. The following is my setup. AD DOMAIN :- corp.addomain.com UPN suffix :- username at mydomain.com IPA DOMAIN :- ipa.ipadomain.local IPA server hostname:- ilt-gif-ipa01.ipa.ipadomain.local I am able to log in with an AD user on the IPA server. But on the IPA client I am not able to log in; I am getting the login message "Access denied". I have enabled the debug_level in sssd.conf on the IPA client. Below are some logs. ================ /var/log/secure Nov 16 09:00:52 ipa-clinet1 sshd[3752]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=rg1989 Nov 16 09:00:52 ipa-clinet1 sshd[3752]: pam_sss(sshd:auth): received for user e600336: 6 (Permission denied) Nov 16 09:00:52 ipa-clinet1 sshd[3752]: pam_winbind(sshd:auth): getting password (0x00000010) Nov 16 09:00:52 ipa-clinet1 sshd[3752]: pam_winbind(sshd:auth): pam_get_item returned a password Nov 16 09:00:52 ipa-clinet1 sshd[3752]: pam_winbind(sshd:auth): internal module error (retval = PAM_AUTHINFO_UNAVAIL(9), user = 'rg1989') Nov 16 09:00:52 ipa-clinet1 sshd[3752]: Failed password for rg1989 from x.x.x.x. port 48842 ssh2 ================ ================ krb5_child.log (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4836]]]] [k5c_send_data] (0x4000): Response sent. (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4836]]]] [main] (0x0400): krb5_child completed successfully (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [main] (0x0400): krb5_child started. 
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [unpack_buffer] (0x1000): total buffer size: [159] (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [unpack_buffer] (0x0100): cmd [241] uid [1007656917] gid [1007656917] validate [true] enterprise principal [false] offline [false] UPN [Rajat.Gupta at MYDOMAIN.COM] (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [unpack_buffer] (0x0100): ccname: [KEYRING:persistent:1007656917] old_ccname: [KEYRING:persistent:1007656917] keytab: [/etc/krb5.keytab] (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [switch_creds] (0x0200): Switch user to [1007656917][1007656917]. (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [sss_krb5_cc_verify_ccache] (0x2000): TGT not found or expired. (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [switch_creds] (0x0200): Switch user to [0][0]. (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [k5c_check_old_ccache] (0x4000): Ccache_file is [KEYRING:persistent:1007656917] and is not active and TGT is valid. (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [k5c_precreate_ccache] (0x4000): Recreating ccache (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [k5c_setup_fast] (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/ipa-clinet1.ipa.ipadomain.local at IPA.IPADOMAIN.LOCAL] (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [find_principal_in_keytab] (0x4000): Trying to find principal host/ipa-clinet1.ipa.ipadomain.local at IPA.IPADOMAIN.LOCAL in keytab. (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [match_principal] (0x1000): Principal matched to the sample (host/ipa-clinet1.ipa.ipadomain.local at IPA.IPADOMAIN.LOCAL). (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [check_fast_ccache] (0x0200): FAST TGT is still valid. (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [become_user] (0x0200): Trying to become user [1007656917][1007656917]. 
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [main] (0x2000): Running as [1007656917][1007656917]. (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [k5c_setup] (0x2000): Running as [1007656917][1007656917]. (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment. (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment. (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true] (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [main] (0x0400): Will perform online auth (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [tgt_req_child] (0x1000): Attempting to get a TGT (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [MYDOMAIN.COM] (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [sss_child_krb5_trace_cb] (0x4000): [4837] 1479283764.416687: Getting initial credentials for Rajat.Gupta at MYDOMAIN.COM (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [sss_child_krb5_trace_cb] (0x4000): [4837] 1479283764.418641: FAST armor ccache: MEMORY:/var/lib/sss/db/fast_ccache_IPA.IPADOMAIN.LOCAL (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [sss_child_krb5_trace_cb] (0x4000): [4837] 1479283764.418698: Retrieving host/ipa-clinet1.ipa.ipadomain.local at IPA.IPADOMAIN.LOCAL -> krb5_ccache_conf_data/fast_avail/krbtgt\/MYDOMAIN.COM \@MYDOMAIN.COM at X-CACHECONF: from MEMORY:/var/lib/sss/db/fast_ccache_IPA.IPADOMAIN.LOCAL with result: -1765328243/Matching credential not found (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [sss_child_krb5_trace_cb] (0x4000): [4837] 1479283764.418756: Sending request (164 bytes) to MYDOMAIN.COM (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [sss_child_krb5_trace_cb] (0x4000): [4837] 1479283764.419718: 
Retrying AS request with master KDC (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [sss_child_krb5_trace_cb] (0x4000): [4837] 1479283764.419752: Getting initial credentials for Rajat.Gupta at MYDOMAIN.COM (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [sss_child_krb5_trace_cb] (0x4000): [4837] 1479283764.419778: FAST armor ccache: MEMORY:/var/lib/sss/db/fast_ccache_IPA.IPADOMAIN.LOCAL (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [sss_child_krb5_trace_cb] (0x4000): [4837] 1479283764.419821: Retrieving host/ipa-clinet1.ipa.ipadomain.local at IPA.IPADOMAIN.LOCAL -> krb5_ccache_conf_data/fast_avail/krbtgt\/MYDOMAIN.COM \@MYDOMAIN.COM at X-CACHECONF: from MEMORY:/var/lib/sss/db/fast_ccache_IPA.IPADOMAIN.LOCAL with result: -1765328243/Matching credential not found (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [sss_child_krb5_trace_cb] (0x4000): [4837] 1479283764.419859: Sending request (164 bytes) to MYDOMAIN.COM (master) (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [get_and_save_tgt] (0x0020): 1296: [-1765328230][Cannot find KDC for realm "MYDOMAIN.COM"] (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [map_krb5_error] (0x0020): 1365: [-1765328230][Cannot find KDC for realm "MYDOMAIN.COM"] (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [k5c_send_data] (0x0200): Received error code 1432158228 (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [pack_response_packet] (0x2000): response packet size: [4] (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [k5c_send_data] (0x4000): Response sent. (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [main] (0x0400): krb5_child completed successfully (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [main] (0x0400): krb5_child started. 
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [unpack_buffer] (0x1000): total buffer size: [159] (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [unpack_buffer] (0x0100): cmd [241] uid [1007656917] gid [1007656917] validate [true] enterprise principal [false] offline [false] UPN [Rajat.Gupta at MYDOMAIN.COM] (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [unpack_buffer] (0x0100): ccname: [KEYRING:persistent:1007656917] old_ccname: [KEYRING:persistent:1007656917] keytab: [/etc/krb5.keytab] (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [switch_creds] (0x0200): Switch user to [1007656917][1007656917]. (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [sss_krb5_cc_verify_ccache] (0x2000): TGT not found or expired. (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [switch_creds] (0x0200): Switch user to [0][0]. (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [k5c_check_old_ccache] (0x4000): Ccache_file is [KEYRING:persistent:1007656917] and is not active and TGT is valid. (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [k5c_precreate_ccache] (0x4000): Recreating ccache (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [k5c_setup_fast] (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/ipa-clinet1.ipa.ipadomain.local at IPA.IPADOMAIN.LOCAL] (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [find_principal_in_keytab] (0x4000): Trying to find principal host/ipa-clinet1.ipa.ipadomain.local at IPA.IPADOMAIN.LOCAL in keytab. (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [match_principal] (0x1000): Principal matched to the sample (host/ipa-clinet1.ipa.ipadomain.local at IPA.IPADOMAIN.LOCAL). (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [check_fast_ccache] (0x0200): FAST TGT is still valid. (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [become_user] (0x0200): Trying to become user [1007656917][1007656917]. 
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [main] (0x2000): Running as [1007656917][1007656917]. (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [k5c_setup] (0x2000): Running as [1007656917][1007656917]. (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment. (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment. (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true] (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [main] (0x0400): Will perform online auth (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [tgt_req_child] (0x1000): Attempting to get a TGT (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [MYDOMAIN.COM] (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [sss_child_krb5_trace_cb] (0x4000): [4838] 1479283764.426870: Getting initial credentials for Rajat.Gupta at MYDOMAIN.COM (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [sss_child_krb5_trace_cb] (0x4000): [4838] 1479283764.428706: FAST armor ccache: MEMORY:/var/lib/sss/db/fast_ccache_IPA.IPADOMAIN.LOCAL (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [sss_child_krb5_trace_cb] (0x4000): [4838] 1479283764.428762: Retrieving host/ipa-clinet1.ipa.ipadomain.local at IPA.IPADOMAIN.LOCAL -> krb5_ccache_conf_data/fast_avail/krbtgt\/MYDOMAIN.COM \@MYDOMAIN.COM at X-CACHECONF: from MEMORY:/var/lib/sss/db/fast_ccache_IPA.IPADOMAIN.LOCAL with result: -1765328243/Matching credential not found (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [sss_child_krb5_trace_cb] (0x4000): [4838] 1479283764.428825: Sending request (164 bytes) to MYDOMAIN.COM (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [sss_child_krb5_trace_cb] (0x4000): [4838] 1479283764.429706: 
Retrying AS request with master KDC (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [sss_child_krb5_trace_cb] (0x4000): [4838] 1479283764.429740: Getting initial credentials for Rajat.Gupta at MYDOMAIN.COM (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [sss_child_krb5_trace_cb] (0x4000): [4838] 1479283764.429767: FAST armor ccache: MEMORY:/var/lib/sss/db/fast_ccache_IPA.IPADOMAIN.LOCAL (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [sss_child_krb5_trace_cb] (0x4000): [4838] 1479283764.429812: Retrieving host/ipa-clinet1.ipa.ipadomain.local at IPA.IPADOMAIN.LOCAL -> krb5_ccache_conf_data/fast_avail/krbtgt\/MYDOMAIN.COM \@MYDOMAIN.COM at X-CACHECONF: from MEMORY:/var/lib/sss/db/fast_ccache_IPA.IPADOMAIN.LOCAL with result: -1765328243/Matching credential not found (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [sss_child_krb5_trace_cb] (0x4000): [4838] 1479283764.429854: Sending request (164 bytes) to MYDOMAIN.COM (master) (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [get_and_save_tgt] (0x0020): 1296: [-1765328230][Cannot find KDC for realm "MYDOMAIN.COM"] (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [map_krb5_error] (0x0020): 1365: [-1765328230][Cannot find KDC for realm "MYDOMAIN.COM"] (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [k5c_send_data] (0x0200): Received error code 1432158228 (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [pack_response_packet] (0x2000): response packet size: [4] (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [k5c_send_data] (0x4000): Response sent. (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [main] (0x0400): krb5_child completed successfully (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [main] (0x0400): krb5_child started. 
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [unpack_buffer] (0x1000): total buffer size: [159] (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [unpack_buffer] (0x0100): cmd [241] uid [1007656917] gid [1007656917] validate [true] enterprise principal [false] offline [true] UPN [Rajat.Gupta at MYDOMAIN.COM] (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [unpack_buffer] (0x0100): ccname: [KEYRING:persistent:1007656917] old_ccname: [KEYRING:persistent:1007656917] keytab: [/etc/krb5.keytab] (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [switch_creds] (0x0200): Switch user to [1007656917][1007656917]. (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [sss_krb5_cc_verify_ccache] (0x2000): TGT not found or expired. (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [switch_creds] (0x0200): Switch user to [0][0]. (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [k5c_check_old_ccache] (0x4000): Ccache_file is [KEYRING:persistent:1007656917] and is not active and TGT is valid. (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [become_user] (0x0200): Trying to become user [1007656917][1007656917]. (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [main] (0x2000): Running as [1007656917][1007656917]. (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [become_user] (0x0200): Trying to become user [1007656917][1007656917]. (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [become_user] (0x0200): Already user [1007656917]. (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [k5c_setup] (0x2000): Running as [1007656917][1007656917]. (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment. (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment. 
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [main] (0x0400): Will perform offline auth (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [create_empty_ccache] (0x1000): Existing ccache still valid, reusing (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [k5c_send_data] (0x0200): Received error code 0 (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [pack_response_packet] (0x2000): response packet size: [53] (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [k5c_send_data] (0x4000): Response sent. (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [main] (0x0400): krb5_child completed successfully (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [main] (0x0400): krb5_child started. (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [unpack_buffer] (0x1000): total buffer size: [52] (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [unpack_buffer] (0x0100): cmd [249] uid [1007656917] gid [1007656917] validate [true] enterprise principal [false] offline [true] UPN [Rajat.Gupta at MYDOMAIN.COM] (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [become_user] (0x0200): Trying to become user [1007656917][1007656917]. (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [main] (0x2000): Running as [1007656917][1007656917]. (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [become_user] (0x0200): Trying to become user [1007656917][1007656917]. (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [become_user] (0x0200): Already user [1007656917]. (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [k5c_setup] (0x2000): Running as [1007656917][1007656917]. (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment. (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment. 
(Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [main] (0x0400): Will perform pre-auth (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [tgt_req_child] (0x1000): Attempting to get a TGT (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [MYDOMAIN.COM] (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [sss_child_krb5_trace_cb] (0x4000): [4840] 1479283767.766694: Getting initial credentials for Rajat.Gupta at MYDOMAIN.COM (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [sss_child_krb5_trace_cb] (0x4000): [4840] 1479283767.769074: Sending request (164 bytes) to MYDOMAIN.COM (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [sss_child_krb5_trace_cb] (0x4000): [4840] 1479283767.770020: Retrying AS request with master KDC (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [sss_child_krb5_trace_cb] (0x4000): [4840] 1479283767.770051: Getting initial credentials for Rajat.Gupta at MYDOMAIN.COM (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [sss_child_krb5_trace_cb] (0x4000): [4840] 1479283767.770091: Sending request (164 bytes) to MYDOMAIN.COM (master) (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [get_and_save_tgt] (0x0400): krb5_get_init_creds_password returned [-1765328230} during pre-auth. (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [k5c_send_data] (0x0200): Received error code 0 (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [pack_response_packet] (0x2000): response packet size: [4] (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [k5c_send_data] (0x4000): Response sent. (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [main] (0x0400): krb5_child completed successfully (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [main] (0x0400): krb5_child started. 
(Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [unpack_buffer] (0x1000): total buffer size: [160] (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [unpack_buffer] (0x0100): cmd [241] uid [1007656917] gid [1007656917] validate [true] enterprise principal [false] offline [true] UPN [Rajat.Gupta at MYDOMAIN.COM] (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [unpack_buffer] (0x0100): ccname: [KEYRING:persistent:1007656917] old_ccname: [KEYRING:persistent:1007656917] keytab: [/etc/krb5.keytab] (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [switch_creds] (0x0200): Switch user to [1007656917][1007656917]. (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [sss_krb5_cc_verify_ccache] (0x2000): TGT not found or expired. (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [switch_creds] (0x0200): Switch user to [0][0]. (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [k5c_check_old_ccache] (0x4000): Ccache_file is [KEYRING:persistent:1007656917] and is not active and TGT is valid. (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [become_user] (0x0200): Trying to become user [1007656917][1007656917]. (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [main] (0x2000): Running as [1007656917][1007656917]. (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [become_user] (0x0200): Trying to become user [1007656917][1007656917]. (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [become_user] (0x0200): Already user [1007656917]. (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [k5c_setup] (0x2000): Running as [1007656917][1007656917]. (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment. (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment. 
(Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [main] (0x0400): Will perform offline auth
(Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [create_empty_ccache] (0x1000): Existing ccache still valid, reusing
(Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [k5c_send_data] (0x0200): Received error code 0
(Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [pack_response_packet] (0x2000): response packet size: [53]
(Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [k5c_send_data] (0x4000): Response sent.
(Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [main] (0x0400): krb5_child completed successfully
=======================

Can you please help me to fix this,

/Rajat

From freeipa-github-notification at redhat.com Wed Nov 16 09:43:12 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 16 Nov 2016 10:43:12 +0100
Subject: [Freeipa-devel] [freeipa PR#223][comment] LDAP refactoring: remove admin_conn
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/223
Title: #223: LDAP refactoring: remove admin_conn

mbasti-rh commented:
"""
ACK: removing admin_conn connections - just for future, python doesn't like to have too many dereferences from performance point of view. So you should in future use ldap = api.Backend.ldap2 and then just use ldap.find_entries() - it is not an issue with this patch as it was done in this way before, but can be improved in future

NACK: upgrade commit - you turned DS on earlier than it actually needs to be. In one of the first steps of LDAP upgrade DS is turned off, so I don't see a reason for such a change
"""

See the full comment at https://github.com/freeipa/freeipa/pull/223#issuecomment-260899937

From freeipa-github-notification at redhat.com Wed Nov 16 10:14:41 2016
From: freeipa-github-notification at redhat.com (tiran)
Date: Wed, 16 Nov 2016 11:14:41 +0100
Subject: [Freeipa-devel] [freeipa PR#241][synchronized] Port ipapython.dnssec.odsmgr to xml.etree
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/241
Author: tiran
Title: #241: Port ipapython.dnssec.odsmgr to xml.etree
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/241/head:pr241
git checkout pr241
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-241.patch
Type: text/x-diff
Size: 8583 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Wed Nov 16 10:16:08 2016
From: freeipa-github-notification at redhat.com (tiran)
Date: Wed, 16 Nov 2016 11:16:08 +0100
Subject: [Freeipa-devel] [freeipa PR#241][comment] Port ipapython.dnssec.odsmgr to xml.etree
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/241
Title: #241: Port ipapython.dnssec.odsmgr to xml.etree

tiran commented:
"""
client/ipa-client-automount also used ```lxml.etree```. I replaced the implementation with simpler ```xml.etree``` based code.

```
$ find . \( -type f -and -executable \) -or -name '*.py' | xargs grep lxml
./ipaserver/plugins/dogtag.py:To parse the XML documents we use the Python lxml package which is a Python
./ipaserver/plugins/dogtag.py:for many projects. One of the features in lxml and libxml2 that is particularly
./ipaserver/plugins/dogtag.py:namespaces. The regular expression name space identifier is 're:' In lxml we
./ipaserver/plugins/dogtag.py:from lxml import etree
./ipaserver/install/ipa_otptoken_import.py:from lxml import etree
./config.status:S["XMLRPC_LIBS"]="-lxmlrpc_client"
```
"""

See the full comment at https://github.com/freeipa/freeipa/pull/241#issuecomment-260907499

From freeipa-github-notification at redhat.com Wed Nov 16 10:17:52 2016
From: freeipa-github-notification at redhat.com (tiran)
Date: Wed, 16 Nov 2016 11:17:52 +0100
Subject: [Freeipa-devel] [freeipa PR#244][opened] Add templating to ipaplatform path [RFC]
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/244
Author: tiran
Title: #244: Add templating to ipaplatform path [RFC]
Action: opened

PR body:
"""
Please comment

The ipaplatform.base.paths module contains a lot of repetitions. The path class now uses recursive format calls for common prefixes. The SO/SO_64 hack is replaced by platform detection.

Signed-off-by: Christian Heimes
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/244/head:pr244
git checkout pr244
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-244.patch
Type: text/x-diff
Size: 16422 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Wed Nov 16 10:59:42 2016
From: freeipa-github-notification at redhat.com (tiran)
Date: Wed, 16 Nov 2016 11:59:42 +0100
Subject: [Freeipa-devel] [freeipa PR#195][synchronized] [WIP] Make ipaclient pip install-able
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/195
Author: tiran
Title: #195: [WIP] Make ipaclient pip install-able
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/195/head:pr195
git checkout pr195
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-195.patch
Type: text/x-diff
Size: 8298 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Wed Nov 16 11:00:22 2016
From: freeipa-github-notification at redhat.com (tiran)
Date: Wed, 16 Nov 2016 12:00:22 +0100
Subject: [Freeipa-devel] [freeipa PR#182][synchronized] Use env var IPA_CONFDIR to get confdir for 'cli' context
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/182
Author: tiran
Title: #182: Use env var IPA_CONFDIR to get confdir for 'cli' context
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/182/head:pr182
git checkout pr182
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-182.patch
Type: text/x-diff
Size: 4283 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Wed Nov 16 11:01:16 2016
From: freeipa-github-notification at redhat.com (tiran)
Date: Wed, 16 Nov 2016 12:01:16 +0100
Subject: [Freeipa-devel] [freeipa PR#195][edited] Make ipaclient pip install-able
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/195
Author: tiran
Title: #195: Make ipaclient pip install-able
Action: edited

Changed field: title
Original value:
"""
[WIP] Make ipaclient pip install-able
"""

From freeipa-github-notification at redhat.com Wed Nov 16 11:01:55 2016
From: freeipa-github-notification at redhat.com (tiran)
Date: Wed, 16 Nov 2016 12:01:55 +0100
Subject: [Freeipa-devel] [freeipa PR#195][edited] Make ipaclient pip install-able
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/195
Author: tiran
Title: #195: Make ipaclient pip install-able
Action: edited

Changed field: body
Original value:
"""
## proof of concept

This makes ipaclient and dependencies pip install-able by adding install requirements to all `setup.py`. A new make target `bdist_wheel` creates wheel distributions.

## example

```
$ make bdist_wheel
$ cp ../custodia/dist/custodia-0.2-py2.py3-none-any.whl dist/
$ virtualenv /tmp/ipaenv
New python executable in /tmp/ipaenv/bin/python2
Also creating executable in /tmp/ipaenv/bin/python
Installing setuptools, pip, wheel...done.
$ /tmp/ipaenv/bin/pip install dist/*.whl
Processing ./dist/custodia-0.2-py2.py3-none-any.whl
Processing ./dist/ipaclient-4.4.90.201610271437GITd812266-py2.py3-none-any.whl
Processing ./dist/ipalib-4.4.90.201610271437GITd812266-py2.py3-none-any.whl
Processing ./dist/ipaplatform-4.4.90.201610271437GITd812266-py2.py3-none-any.whl
Processing ./dist/ipapython-4.4.90.201610271437GITd812266-py2.py3-none-any.whl
...
Installing collected packages: configparser, requests, six, idna, pycparser, cffi, pyasn1, enum34, ipaddress, cryptography, jwcrypto, custodia, qrcode, python-nss, ipaplatform, netaddr, lxml, pyldap, netifaces, decorator, gssapi, dnspython, ipapython, ipalib, ipaclient
  Running setup.py install for python-nss ... done
Successfully installed cffi-1.8.3 configparser-3.5.0 cryptography-1.5.2 custodia-0.2 decorator-4.0.10 dnspython-1.15.0 enum34-1.1.6 gssapi-1.2.0 idna-2.1 ipaclient-4.4.90.201610271437GITd812266 ipaddress-1.0.17 ipalib-4.4.90.201610271437GITd812266 ipaplatform-4.4.90.201610271437GITd812266 ipapython-4.4.90.201610271437GITd812266 jwcrypto-0.3.1 lxml-3.6.4 netaddr-0.7.18 netifaces-0.10.5 pyasn1-0.1.9 pycparser-2.16 pyldap-2.4.25.1 python-nss-1.0.0 qrcode-5.3 requests-2.11.1 six-1.10.0
```

## open problems

- [x] Custodia is not yet released on PyPI (to be released soon)
- [ ] dependencies are duplicated in setup.py and RPM spec
- [ ] ipaplatform hard-codes the distribution on build time

## tickets

https://fedorahosted.org/freeipa/ticket/6468
https://fedorahosted.org/freeipa/ticket/6469
"""

From freeipa-github-notification at redhat.com Wed Nov 16 11:08:17 2016
From: freeipa-github-notification at redhat.com (frasertweedale)
Date: Wed, 16 Nov 2016 12:08:17 +0100
Subject: [Freeipa-devel] [freeipa PR#245][opened] Allow full customisability of IPA CA subject DN
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/245
Author: frasertweedale
Title: #245: Allow full customisability of IPA CA subject DN
Action: opened

PR body:
"""
This patchset adds full customisability of CA subject DN apart from subject base, via the ipa-server-install `--ca-subject` option. It also renames ipa-server-install `--subject` option to `--subject-base`, and adds `--ca-subject` and `--subject-base` options to ipa-ca-install.

Earlier version of this patchset was previously reviewed by @jcholast on freeipa-devel: https://www.redhat.com/archives/freeipa-devel/2016-August/msg00570.html

All review items have been addressed, except for item 9. The suggestion will not work because a fair bit of code besides what's in `ipaserver.install.ca` requires knowing the CA Subject DN and/or subject base. So the defaults must be applied close to the "entry points".

I also carved a few smaller commits out of the main patch (but it is still pretty big and hairy to review).

https://fedorahosted.org/freeipa/ticket/2614
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/245/head:pr245
git checkout pr245
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-245.patch
Type: text/x-diff
Size: 55230 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Wed Nov 16 11:12:19 2016
From: freeipa-github-notification at redhat.com (tiran)
Date: Wed, 16 Nov 2016 12:12:19 +0100
Subject: [Freeipa-devel] [freeipa PR#113][comment] ipalib.constants: Remove default domain, realm, basedn, xmlrpc_uri, ldap_uri
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/113
Title: #113: ipalib.constants: Remove default domain, realm, basedn, xmlrpc_uri, ldap_uri

tiran commented:
"""
Please create a default basedn from realm with ```ipapython.ipautil.realm_to_suffix()```.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/113#issuecomment-260919587

From mbabinsk at redhat.com Wed Nov 16 11:20:33 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Wed, 16 Nov 2016 12:20:33 +0100
Subject: [Freeipa-devel] pam_winbind(sshd:auth): pam_get_item returned a password
In-Reply-To:
References:
Message-ID: <65e02b93-dc4e-0569-9ac0-322226f07439@redhat.com>

On 11/16/2016 10:41 AM, rajat gupta wrote:
>
> I am using FreeIPA version 4.4.0 and Active Directory trust setup. On
> Active Directory side I am using UPN suffix.
>
> Following are my setup.
>
> AD DOMAIN :- corp.addomain.com
> UPN suffix :- username at mydomain.com
> IPA DOMAIN :- ipa.ipadomain.local
> IPA server hostname:- ilt-gif-ipa01.ipa.ipadomain.local
>
>
> I am able to login with AD user on IPA server. But on IPA client I am
> not able to login I am getting the login message "Access denied". I have
> enabled the debug_level on sssd.conf on ipa client.
>
> Below are some logs..
> ================
> /var/log/secure
>
> Nov 16 09:00:52 ipa-clinet1 sshd[3752]: pam_sss(sshd:auth):
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=x.x.x.x user=rg1989
> Nov 16 09:00:52 ipa-clinet1 sshd[3752]: pam_sss(sshd:auth): received for
> user e600336: 6 (Permission denied)
> Nov 16 09:00:52 ipa-clinet1 sshd[3752]: pam_winbind(sshd:auth): getting
> password (0x00000010)
> Nov 16 09:00:52 ipa-clinet1 sshd[3752]: pam_winbind(sshd:auth):
> pam_get_item returned a password
> Nov 16 09:00:52 ipa-clinet1 sshd[3752]: pam_winbind(sshd:auth): internal
> module error (retval = PAM_AUTHINFO_UNAVAIL(9), user = 'rg1989')
> Nov 16 09:00:52 ipa-clinet1 sshd[3752]: Failed password for rg1989 from
> x.x.x.x. port 48842 ssh2
> ================
>
> ================
> krb5_child.log
>
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4836]]]] [k5c_send_data]
> (0x4000): Response sent.
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4836]]]] [main] (0x0400):
> krb5_child completed successfully
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [main] (0x0400):
> krb5_child started.
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [unpack_buffer] > (0x1000): total buffer size: [159] > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [unpack_buffer] > (0x0100): cmd [241] uid [1007656917] gid [1007656917] validate [true] > enterprise principal [false] offline [false] UPN > [Rajat.Gupta at MYDOMAIN.COM ] > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [unpack_buffer] > (0x0100): ccname: [KEYRING:persistent:1007656917] old_ccname: > [KEYRING:persistent:1007656917] keytab: [/etc/krb5.keytab] > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [switch_creds] > (0x0200): Switch user to [1007656917][1007656917]. > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] > [sss_krb5_cc_verify_ccache] (0x2000): TGT not found or expired. > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [switch_creds] > (0x0200): Switch user to [0][0]. > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] > [k5c_check_old_ccache] (0x4000): Ccache_file is > [KEYRING:persistent:1007656917] and is not active and TGT is valid. > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] > [k5c_precreate_ccache] (0x4000): Recreating ccache > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [k5c_setup_fast] > (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to > [host/ipa-clinet1.ipa.ipadomain.local at IPA.IPADOMAIN.LOCAL] > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] > [find_principal_in_keytab] (0x4000): Trying to find principal > host/ipa-clinet1.ipa.ipadomain.local at IPA.IPADOMAIN.LOCAL in keytab. > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [match_principal] > (0x1000): Principal matched to the sample > (host/ipa-clinet1.ipa.ipadomain.local at IPA.IPADOMAIN.LOCAL). > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] > [check_fast_ccache] (0x0200): FAST TGT is still valid. > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [become_user] > (0x0200): Trying to become user [1007656917][1007656917]. 
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [main] (0x2000): > Running as [1007656917][1007656917]. > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [k5c_setup] > (0x2000): Running as [1007656917][1007656917]. > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] > [set_lifetime_options] (0x0100): Cannot read > [SSSD_KRB5_RENEWABLE_LIFETIME] from environment. > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] > [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from > environment. > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] > [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true] > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [main] (0x0400): > Will perform online auth > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [tgt_req_child] > (0x1000): Attempting to get a TGT > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [get_and_save_tgt] > (0x0400): Attempting kinit for realm [MYDOMAIN.COM ] > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] > [sss_child_krb5_trace_cb] (0x4000): [4837] 1479283764.416687: Getting > initial credentials for Rajat.Gupta at MYDOMAIN.COM > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] > [sss_child_krb5_trace_cb] (0x4000): [4837] 1479283764.418641: FAST armor > ccache: MEMORY:/var/lib/sss/db/fast_ccache_IPA.IPADOMAIN.LOCAL > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] > [sss_child_krb5_trace_cb] (0x4000): [4837] 1479283764.418698: Retrieving > host/ipa-clinet1.ipa.ipadomain.local at IPA.IPADOMAIN.LOCAL -> > krb5_ccache_conf_data/fast_avail/krbtgt\/MYDOMAIN.COM > \@MYDOMAIN.COM at X-CACHECONF: from > MEMORY:/var/lib/sss/db/fast_ccache_IPA.IPADOMAIN.LOCAL with result: > -1765328243/Matching credential not found > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] > [sss_child_krb5_trace_cb] (0x4000): [4837] 1479283764.418756: Sending > request (164 bytes) to MYDOMAIN.COM > > (Wed Nov 16 09:09:24 2016) 
[[sssd[krb5_child[4837]]]] > [sss_child_krb5_trace_cb] (0x4000): [4837] 1479283764.419718: Retrying > AS request with master KDC > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] > [sss_child_krb5_trace_cb] (0x4000): [4837] 1479283764.419752: Getting > initial credentials for Rajat.Gupta at MYDOMAIN.COM > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] > [sss_child_krb5_trace_cb] (0x4000): [4837] 1479283764.419778: FAST armor > ccache: MEMORY:/var/lib/sss/db/fast_ccache_IPA.IPADOMAIN.LOCAL > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] > [sss_child_krb5_trace_cb] (0x4000): [4837] 1479283764.419821: Retrieving > host/ipa-clinet1.ipa.ipadomain.local at IPA.IPADOMAIN.LOCAL -> > krb5_ccache_conf_data/fast_avail/krbtgt\/MYDOMAIN.COM > \@MYDOMAIN.COM at X-CACHECONF: from > MEMORY:/var/lib/sss/db/fast_ccache_IPA.IPADOMAIN.LOCAL with result: > -1765328243/Matching credential not found > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] > [sss_child_krb5_trace_cb] (0x4000): [4837] 1479283764.419859: Sending > request (164 bytes) to MYDOMAIN.COM (master) > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [get_and_save_tgt] > (0x0020): 1296: [-1765328230][Cannot find KDC for realm "MYDOMAIN.COM > "] > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [map_krb5_error] > (0x0020): 1365: [-1765328230][Cannot find KDC for realm "MYDOMAIN.COM > "] > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [k5c_send_data] > (0x0200): Received error code 1432158228 > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] > [pack_response_packet] (0x2000): response packet size: [4] > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [k5c_send_data] > (0x4000): Response sent. > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [main] (0x0400): > krb5_child completed successfully > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [main] (0x0400): > krb5_child started. 
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [unpack_buffer] > (0x1000): total buffer size: [159] > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [unpack_buffer] > (0x0100): cmd [241] uid [1007656917] gid [1007656917] validate [true] > enterprise principal [false] offline [false] UPN > [Rajat.Gupta at MYDOMAIN.COM ] > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [unpack_buffer] > (0x0100): ccname: [KEYRING:persistent:1007656917] old_ccname: > [KEYRING:persistent:1007656917] keytab: [/etc/krb5.keytab] > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [switch_creds] > (0x0200): Switch user to [1007656917][1007656917]. > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] > [sss_krb5_cc_verify_ccache] (0x2000): TGT not found or expired. > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [switch_creds] > (0x0200): Switch user to [0][0]. > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] > [k5c_check_old_ccache] (0x4000): Ccache_file is > [KEYRING:persistent:1007656917] and is not active and TGT is valid. > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] > [k5c_precreate_ccache] (0x4000): Recreating ccache > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [k5c_setup_fast] > (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to > [host/ipa-clinet1.ipa.ipadomain.local at IPA.IPADOMAIN.LOCAL] > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] > [find_principal_in_keytab] (0x4000): Trying to find principal > host/ipa-clinet1.ipa.ipadomain.local at IPA.IPADOMAIN.LOCAL in keytab. > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [match_principal] > (0x1000): Principal matched to the sample > (host/ipa-clinet1.ipa.ipadomain.local at IPA.IPADOMAIN.LOCAL). > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] > [check_fast_ccache] (0x0200): FAST TGT is still valid. > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [become_user] > (0x0200): Trying to become user [1007656917][1007656917]. 
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [main] (0x2000): > Running as [1007656917][1007656917]. > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [k5c_setup] > (0x2000): Running as [1007656917][1007656917]. > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] > [set_lifetime_options] (0x0100): Cannot read > [SSSD_KRB5_RENEWABLE_LIFETIME] from environment. > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] > [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from > environment. > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] > [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true] > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [main] (0x0400): > Will perform online auth > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [tgt_req_child] > (0x1000): Attempting to get a TGT > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [get_and_save_tgt] > (0x0400): Attempting kinit for realm [MYDOMAIN.COM ] > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] > [sss_child_krb5_trace_cb] (0x4000): [4838] 1479283764.426870: Getting > initial credentials for Rajat.Gupta at MYDOMAIN.COM > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] > [sss_child_krb5_trace_cb] (0x4000): [4838] 1479283764.428706: FAST armor > ccache: MEMORY:/var/lib/sss/db/fast_ccache_IPA.IPADOMAIN.LOCAL > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] > [sss_child_krb5_trace_cb] (0x4000): [4838] 1479283764.428762: Retrieving > host/ipa-clinet1.ipa.ipadomain.local at IPA.IPADOMAIN.LOCAL -> > krb5_ccache_conf_data/fast_avail/krbtgt\/MYDOMAIN.COM > \@MYDOMAIN.COM at X-CACHECONF: from > MEMORY:/var/lib/sss/db/fast_ccache_IPA.IPADOMAIN.LOCAL with result: > -1765328243/Matching credential not found > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] > [sss_child_krb5_trace_cb] (0x4000): [4838] 1479283764.428825: Sending > request (164 bytes) to MYDOMAIN.COM > > (Wed Nov 16 09:09:24 2016) 
[[sssd[krb5_child[4838]]]] > [sss_child_krb5_trace_cb] (0x4000): [4838] 1479283764.429706: Retrying > AS request with master KDC > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] > [sss_child_krb5_trace_cb] (0x4000): [4838] 1479283764.429740: Getting > initial credentials for Rajat.Gupta at MYDOMAIN.COM > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] > [sss_child_krb5_trace_cb] (0x4000): [4838] 1479283764.429767: FAST armor > ccache: MEMORY:/var/lib/sss/db/fast_ccache_IPA.IPADOMAIN.LOCAL > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] > [sss_child_krb5_trace_cb] (0x4000): [4838] 1479283764.429812: Retrieving > host/ipa-clinet1.ipa.ipadomain.local at IPA.IPADOMAIN.LOCAL -> > krb5_ccache_conf_data/fast_avail/krbtgt\/MYDOMAIN.COM > \@MYDOMAIN.COM at X-CACHECONF: from > MEMORY:/var/lib/sss/db/fast_ccache_IPA.IPADOMAIN.LOCAL with result: > -1765328243/Matching credential not found > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] > [sss_child_krb5_trace_cb] (0x4000): [4838] 1479283764.429854: Sending > request (164 bytes) to MYDOMAIN.COM (master) > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [get_and_save_tgt] > (0x0020): 1296: [-1765328230][Cannot find KDC for realm "MYDOMAIN.COM > "] > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [map_krb5_error] > (0x0020): 1365: [-1765328230][Cannot find KDC for realm "MYDOMAIN.COM > "] > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [k5c_send_data] > (0x0200): Received error code 1432158228 > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] > [pack_response_packet] (0x2000): response packet size: [4] > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [k5c_send_data] > (0x4000): Response sent. > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [main] (0x0400): > krb5_child completed successfully > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [main] (0x0400): > krb5_child started. 
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [unpack_buffer] (0x1000): total buffer size: [159]
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [unpack_buffer] (0x0100): cmd [241] uid [1007656917] gid [1007656917] validate [true] enterprise principal [false] offline [true] UPN [Rajat.Gupta at MYDOMAIN.COM]
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [unpack_buffer] (0x0100): ccname: [KEYRING:persistent:1007656917] old_ccname: [KEYRING:persistent:1007656917] keytab: [/etc/krb5.keytab]
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [switch_creds] (0x0200): Switch user to [1007656917][1007656917].
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [sss_krb5_cc_verify_ccache] (0x2000): TGT not found or expired.
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [switch_creds] (0x0200): Switch user to [0][0].
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [k5c_check_old_ccache] (0x4000): Ccache_file is [KEYRING:persistent:1007656917] and is not active and TGT is valid.
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [become_user] (0x0200): Trying to become user [1007656917][1007656917].
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [main] (0x2000): Running as [1007656917][1007656917].
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [become_user] (0x0200): Trying to become user [1007656917][1007656917].
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [become_user] (0x0200): Already user [1007656917].
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [k5c_setup] (0x2000): Running as [1007656917][1007656917].
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [main] (0x0400): Will perform offline auth
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [create_empty_ccache] (0x1000): Existing ccache still valid, reusing
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [k5c_send_data] (0x0200): Received error code 0
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [pack_response_packet] (0x2000): response packet size: [53]
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [k5c_send_data] (0x4000): Response sent.
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [main] (0x0400): krb5_child completed successfully
> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [main] (0x0400): krb5_child started.
> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [unpack_buffer] (0x1000): total buffer size: [52]
> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [unpack_buffer] (0x0100): cmd [249] uid [1007656917] gid [1007656917] validate [true] enterprise principal [false] offline [true] UPN [Rajat.Gupta at MYDOMAIN.COM]
> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [become_user] (0x0200): Trying to become user [1007656917][1007656917].
> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [main] (0x2000): Running as [1007656917][1007656917].
> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [become_user] (0x0200): Trying to become user [1007656917][1007656917].
> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [become_user] (0x0200): Already user [1007656917].
> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [k5c_setup] (0x2000): Running as [1007656917][1007656917].
> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [main] (0x0400): Will perform pre-auth
> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [tgt_req_child] (0x1000): Attempting to get a TGT
> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [MYDOMAIN.COM]
> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [sss_child_krb5_trace_cb] (0x4000): [4840] 1479283767.766694: Getting initial credentials for Rajat.Gupta at MYDOMAIN.COM
> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [sss_child_krb5_trace_cb] (0x4000): [4840] 1479283767.769074: Sending request (164 bytes) to MYDOMAIN.COM
> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [sss_child_krb5_trace_cb] (0x4000): [4840] 1479283767.770020: Retrying AS request with master KDC
> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [sss_child_krb5_trace_cb] (0x4000): [4840] 1479283767.770051: Getting initial credentials for Rajat.Gupta at MYDOMAIN.COM
> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [sss_child_krb5_trace_cb] (0x4000): [4840] 1479283767.770091: Sending request (164 bytes) to MYDOMAIN.COM (master)
> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [get_and_save_tgt] (0x0400): krb5_get_init_creds_password returned [-1765328230} during pre-auth.
> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [k5c_send_data] (0x0200): Received error code 0
> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [pack_response_packet] (0x2000): response packet size: [4]
> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [k5c_send_data] (0x4000): Response sent.
> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [main] (0x0400): krb5_child completed successfully
> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [main] (0x0400): krb5_child started.
> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [unpack_buffer] (0x1000): total buffer size: [160]
> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [unpack_buffer] (0x0100): cmd [241] uid [1007656917] gid [1007656917] validate [true] enterprise principal [false] offline [true] UPN [Rajat.Gupta at MYDOMAIN.COM]
> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [unpack_buffer] (0x0100): ccname: [KEYRING:persistent:1007656917] old_ccname: [KEYRING:persistent:1007656917] keytab: [/etc/krb5.keytab]
> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [switch_creds] (0x0200): Switch user to [1007656917][1007656917].
> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [sss_krb5_cc_verify_ccache] (0x2000): TGT not found or expired.
> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [switch_creds] (0x0200): Switch user to [0][0].
> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [k5c_check_old_ccache] (0x4000): Ccache_file is [KEYRING:persistent:1007656917] and is not active and TGT is valid.
> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [become_user] (0x0200): Trying to become user [1007656917][1007656917].
> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [main] (0x2000): Running as [1007656917][1007656917].
> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [become_user] (0x0200): Trying to become user [1007656917][1007656917].
> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [become_user] (0x0200): Already user [1007656917].
> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [k5c_setup] (0x2000): Running as [1007656917][1007656917].
> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [main] (0x0400): Will perform offline auth
> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [create_empty_ccache] (0x1000): Existing ccache still valid, reusing
> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [k5c_send_data] (0x0200): Received error code 0
> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [pack_response_packet] (0x2000): response packet size: [53]
> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [k5c_send_data] (0x4000): Response sent.
> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [main] (0x0400): krb5_child completed successfully
>
> =======================
>
> Can you please help me to fix this,
>
> /Rajat
>

Hi Rajat,

Please subscribe to and use freeipa-users at redhat.com for requesting help/troubleshooting assistance. freeipa-devel list is focused mainly on technical discussions involving FreeIPA developers and community contributors to FreeIPA source code.

--
Martin^3 Babinsky

From freeipa-github-notification at redhat.com Wed Nov 16 11:55:12 2016
From: freeipa-github-notification at redhat.com (tiran)
Date: Wed, 16 Nov 2016 12:55:12 +0100
Subject: [Freeipa-devel] [freeipa PR#244][synchronized] Add templating to ipaplatform path [RFC]
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/244
Author: tiran
Title: #244: Add templating to ipaplatform path [RFC]
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/244/head:pr244
git checkout pr244
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-244.patch
Type: text/x-diff
Size: 18091 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Wed Nov 16 11:57:02 2016
From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Wed, 16 Nov 2016 12:57:02 +0100
Subject: [Freeipa-devel] [freeipa PR#246][opened] Build: ignore rpmbuild for lint target
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/246
Author: tomaskrizek
Title: #246: Build: ignore rpmbuild for lint target
Action: opened

PR body:
"""
Exclude rpmbuild from pylint checks when make lint is executed. Clean up the current find expression.

https://fedorahosted.org/freeipa/ticket/6418
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/246/head:pr246
git checkout pr246
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-246.patch
Type: text/x-diff
Size: 1494 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Wed Nov 16 11:57:05 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 16 Nov 2016 12:57:05 +0100
Subject: [Freeipa-devel] [freeipa PR#182][comment] Use env var IPA_CONFDIR to get confdir for 'cli' context
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/182
Title: #182: Use env var IPA_CONFDIR to get confdir for 'cli' context

mbasti-rh commented:
"""
This should have test because it is completely new so it is not part of any current test suites. However final review will wait for @jcholast
"""

See the full comment at https://github.com/freeipa/freeipa/pull/182#issuecomment-260928457

From freeipa-github-notification at redhat.com Wed Nov 16 11:58:27 2016
From: freeipa-github-notification at redhat.com (ofayans)
Date: Wed, 16 Nov 2016 12:58:27 +0100
Subject: [Freeipa-devel] [freeipa PR#225][synchronized] tests: Added basic tests for certs in idoverrides
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/225
Author: ofayans
Title: #225: tests: Added basic tests for certs in idoverrides
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/225/head:pr225
git checkout pr225
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-225.patch
Type: text/x-diff
Size: 9025 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Wed Nov 16 12:35:41 2016
From: freeipa-github-notification at redhat.com (pspacek)
Date: Wed, 16 Nov 2016 13:35:41 +0100
Subject: [Freeipa-devel] [freeipa PR#238][synchronized] Build system refactoring phase 8: update translation system
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/238
Author: pspacek
Title: #238: Build system refactoring phase 8: update translation system
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/238/head:pr238
git checkout pr238
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-238.patch
Type: text/x-diff
Size: 2064769 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Wed Nov 16 12:37:22 2016
From: freeipa-github-notification at redhat.com (pspacek)
Date: Wed, 16 Nov 2016 13:37:22 +0100
Subject: [Freeipa-devel] [freeipa PR#238][synchronized] Build system refactoring phase 8: update translation system
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/238
Author: pspacek
Title: #238: Build system refactoring phase 8: update translation system
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/238/head:pr238
git checkout pr238
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-238.patch
Type: text/x-diff
Size: 2035515 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Wed Nov 16 12:38:29 2016
From: freeipa-github-notification at redhat.com (pspacek)
Date: Wed, 16 Nov 2016 13:38:29 +0100
Subject: [Freeipa-devel] [freeipa PR#238][comment] Build system refactoring phase 8: update translation system
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/238
Title: #238: Build system refactoring phase 8: update translation system

pspacek commented:
"""
This is rebased and fixed version. It should work including linters.

Missing things:
- [ ] use fresh gettext files generated by autoreconf
"""

See the full comment at https://github.com/freeipa/freeipa/pull/238#issuecomment-260936269

From freeipa-github-notification at redhat.com Wed Nov 16 12:43:04 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 16 Nov 2016 13:43:04 +0100
Subject: [Freeipa-devel] [freeipa PR#244][comment] Add templating to ipaplatform path [RFC]
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/244
Title: #244: Add templating to ipaplatform path [RFC]

mbasti-rh commented:
"""
It has missing ticket
"""

See the full comment at https://github.com/freeipa/freeipa/pull/244#issuecomment-260937077

From freeipa-github-notification at redhat.com Wed Nov 16 12:53:52 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 16 Nov 2016 13:53:52 +0100
Subject: [Freeipa-devel] [freeipa PR#241][comment] Port ipapython.dnssec.odsmgr to xml.etree
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/241
Title: #241: Port ipapython.dnssec.odsmgr to xml.etree

mbasti-rh commented:
"""
Commit has no ticket `Use xml.etree in ipa-client-automount script`
"""

See the full comment at https://github.com/freeipa/freeipa/pull/241#issuecomment-260939141

From freeipa-github-notification at redhat.com Wed Nov 16 13:00:08 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Wed, 16 Nov 2016 14:00:08 +0100
Subject: [Freeipa-devel] [freeipa PR#187][comment] Register entry points of Custodia plugins
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/187
Title: #187: Register entry points of Custodia plugins

martbab commented:
"""
LGTM but we will need upstream ticket for this to triage.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/187#issuecomment-260940379

From pspacek at redhat.com Wed Nov 16 13:01:12 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Wed, 16 Nov 2016 14:01:12 +0100
Subject: [Freeipa-devel] Design document: Integration Improvements: ipaplatform
In-Reply-To: <228f2a0e-a3a6-92ec-8e59-c45f4283999d@redhat.com>
References: <228f2a0e-a3a6-92ec-8e59-c45f4283999d@redhat.com>
Message-ID: <65fef037-05c5-bb6e-04a8-685f055a24d1@redhat.com>

On 11.11.2016 15:25, Christian Heimes wrote:
> Hello,
>
> I have released the first version of a new design document. It describes
> how I'm going to improve integration of FreeIPA's client libraries
> (ipalib, ipapython, ipaclient, ipaplatform) for third party developers.
>
> http://www.freeipa.org/page/V4/Integration_Improvements

Looking at
http://www.freeipa.org/page/V4/Integration_Improvements#Scope
the first step is to make ipalib functional.

I think that the correct approach is to inspect ipalib and its dependencies and reshuffle code in a way which will allow us to remove ipaplatform dependency from ipalib.

That way we can have platform-independent ipalib and at the same time use configure phase to auto-generate platform stuff.

In the long term we should be able to get rid of explicit ipaplatform definitions and have these generated at build time for the particular platform the build is running on. That will make porting to other distros way easier and remove implicit dependency on particular paths hard-coded in platform files.

--
Petr^2 Spacek

From freeipa-github-notification at redhat.com Wed Nov 16 13:03:45 2016
From: freeipa-github-notification at redhat.com (tiran)
Date: Wed, 16 Nov 2016 14:03:45 +0100
Subject: [Freeipa-devel] [freeipa PR#247][opened] Add 'ipa show_env' subcommand
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/247
Author: tiran
Title: #247: Add 'ipa show_env' subcommand
Action: opened

PR body:
"""
ipa show_env simply dumps all values from api.env as sorted key="value" pairs. It's a convenient helper for debugging and to write tests for e.g. PR #182.

https://fedorahosted.org/freeipa/ticket/6490

Signed-off-by: Christian Heimes
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/247/head:pr247
git checkout pr247
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-247.patch
Type: text/x-diff
Size: 3094 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Wed Nov 16 13:04:21 2016
From: freeipa-github-notification at redhat.com (pspacek)
Date: Wed, 16 Nov 2016 14:04:21 +0100
Subject: [Freeipa-devel] [freeipa PR#195][edited] Make ipaclient pip install-able
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/195
Author: tiran
Title: #195: Make ipaclient pip install-able
Action: edited

Changed field: body
Original value:
"""
This makes ipaclient and dependencies pip install-able by adding install requirements to all `setup.py`. A new make target `bdist_wheel` creates wheel distributions.

## example

```
$ make bdist_wheel
$ cp ../custodia/dist/custodia-0.2-py2.py3-none-any.whl dist/
$ virtualenv /tmp/ipaenv
New python executable in /tmp/ipaenv/bin/python2
Also creating executable in /tmp/ipaenv/bin/python
Installing setuptools, pip, wheel...done.
$ /tmp/ipaenv/bin/pip install dist/wheels/*.whl
Processing ./dist/custodia-0.2-py2.py3-none-any.whl
Processing ./dist/ipaclient-4.4.90.201610271437GITd812266-py2.py3-none-any.whl
Processing ./dist/ipalib-4.4.90.201610271437GITd812266-py2.py3-none-any.whl
Processing ./dist/ipaplatform-4.4.90.201610271437GITd812266-py2.py3-none-any.whl
Processing ./dist/ipapython-4.4.90.201610271437GITd812266-py2.py3-none-any.whl
...
Installing collected packages: configparser, requests, six, idna, pycparser, cffi, pyasn1, enum34, ipaddress, cryptography, jwcrypto, custodia, qrcode, python-nss, ipaplatform, netaddr, lxml, pyldap, netifaces, decorator, gssapi, dnspython, ipapython, ipalib, ipaclient
  Running setup.py install for python-nss ... done
Successfully installed cffi-1.8.3 configparser-3.5.0 cryptography-1.5.2 custodia-0.2 decorator-4.0.10 dnspython-1.15.0 enum34-1.1.6 gssapi-1.2.0 idna-2.1 ipaclient-4.4.90.201610271437GITd812266 ipaddress-1.0.17 ipalib-4.4.90.201610271437GITd812266 ipaplatform-4.4.90.201610271437GITd812266 ipapython-4.4.90.201610271437GITd812266 jwcrypto-0.3.1 lxml-3.6.4 netaddr-0.7.18 netifaces-0.10.5 pyasn1-0.1.9 pycparser-2.16 pyldap-2.4.25.1 python-nss-1.0.0 qrcode-5.3 requests-2.11.1 six-1.10.0
```

## open problems

- [x] Custodia is not yet released on PyPI (to be released soon)
- [ ] dependencies are duplicated in setup.py and RPM spec
- [ ] ipaplatform hard-codes the distribution on build time

## tickets

https://fedorahosted.org/freeipa/ticket/6468
https://fedorahosted.org/freeipa/ticket/6469
"""

From freeipa-github-notification at redhat.com Wed Nov 16 13:04:49 2016
From: freeipa-github-notification at redhat.com (tiran)
Date: Wed, 16 Nov 2016 14:04:49 +0100
Subject: [Freeipa-devel] [freeipa PR#182][comment] Use env var IPA_CONFDIR to get confdir for 'cli' context
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/182
Title: #182: Use env var IPA_CONFDIR to get confdir for 'cli' context

tiran commented:
"""
Integration test will be fairly easy after #247 has landed.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/182#issuecomment-260941372

From freeipa-github-notification at redhat.com Wed Nov 16 13:06:20 2016
From: freeipa-github-notification at redhat.com (tiran)
Date: Wed, 16 Nov 2016 14:06:20 +0100
Subject: [Freeipa-devel] [freeipa PR#244][comment] Add templating to ipaplatform path [RFC]
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/244
Title: #244: Add templating to ipaplatform path [RFC]

tiran commented:
"""
It's a RFC patch.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/244#issuecomment-260941678

From freeipa-github-notification at redhat.com Wed Nov 16 13:10:11 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Wed, 16 Nov 2016 14:10:11 +0100
Subject: [Freeipa-devel] [freeipa PR#247][comment] Add 'ipa show_env' subcommand
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/247
Title: #247: Add 'ipa show_env' subcommand

martbab commented:
"""
Maybe I am missing something, but we have `ipa env` command for a long time that does exactly the same thing:

```
# ipa env
  api_version: 2.216
  basedn: dc=ipa,dc=test
  bin: /
  ca_agent_install_port: None
  ca_agent_port: 443
  ca_ee_install_port: None
  ca_ee_port: 443
  ca_host: master1.ipa.test
  ca_install_port: None
  ca_port: 80
  conf: /etc/ipa/server.conf
  conf_default: /etc/ipa/default.conf
  confdir: /etc/ipa
  config_loaded: True
  container_accounts: cn=accounts
  container_adtrusts: cn=ad,cn=trusts
  container_applications: cn=applications,cn=configs,cn=policies
  container_automember: cn=automember,cn=etc
  container_automount: cn=automount
  container_ca: cn=cas,cn=ca
  container_caacl: cn=caacls,cn=ca
  container_certprofile: cn=certprofiles,cn=ca
  container_cifsdomains: cn=ad,cn=etc
  container_configs: cn=configs,cn=policies
  container_custodia: cn=custodia,cn=ipa,cn=etc
  container_deleteuser: cn=deleted users,cn=accounts,cn=provisioning
  container_dna: cn=dna,cn=ipa,cn=etc
  container_dna_posix_ids: cn=posix-ids,cn=dna,cn=ipa,cn=etc
  container_dns: cn=dns
```
"""

See the full comment at https://github.com/freeipa/freeipa/pull/247#issuecomment-260942400

From freeipa-github-notification at redhat.com Wed Nov 16 13:22:35 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 16 Nov 2016 14:22:35 +0100
Subject: [Freeipa-devel] [freeipa PR#244][comment] Add templating to ipaplatform path [RFC]
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/244
Title: #244: Add templating to ipaplatform path [RFC]

mbasti-rh commented:
"""
LGTM then, I'll wait for final version for testing
"""

See the full comment at https://github.com/freeipa/freeipa/pull/244#issuecomment-260944914

From freeipa-github-notification at redhat.com Wed Nov 16 13:24:00 2016
From: freeipa-github-notification at redhat.com (tiran)
Date: Wed, 16 Nov 2016 14:24:00 +0100
Subject: [Freeipa-devel] [freeipa PR#241][edited] Port ipapython.dnssec.odsmgr to xml.etree
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/241
Author: tiran
Title: #241: Port ipapython.dnssec.odsmgr to xml.etree
Action: edited

Changed field: body
Original value:
"""
The module ipapython.dnssec.odsmgr is the only module in ipalib, ipaclient, ipapython and ipaplatform that uses lxml.etree.

https://fedorahosted.org/freeipa/ticket/6469

Signed-off-by: Christian Heimes
"""

From freeipa-github-notification at redhat.com Wed Nov 16 13:28:05 2016
From: freeipa-github-notification at redhat.com (tiran)
Date: Wed, 16 Nov 2016 14:28:05 +0100
Subject: [Freeipa-devel] [freeipa PR#187][edited] Register entry points of Custodia plugins
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/187
Author: tiran
Title: #187: Register entry points of Custodia plugins
Action: edited

Changed field: body
Original value:
"""
With setuptools in place FreeIPA is able to register its Custodia plugins. Custodia 0.1 ignores the plugins directives. Custodia 0.2 uses the entry points to discover plugins.

Signed-off-by: Christian Heimes cheimes at redhat.com
"""

From freeipa-github-notification at redhat.com Wed Nov 16 13:32:29 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 16 Nov 2016 14:32:29 +0100
Subject: [Freeipa-devel] [freeipa PR#247][comment] Add 'ipa show_env' subcommand
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/247
Title: #247: Add 'ipa show_env' subcommand

mbasti-rh commented:
"""
So then it should be called `local-env` to be clear what does it do
"""

See the full comment at https://github.com/freeipa/freeipa/pull/247#issuecomment-260947102

From freeipa-github-notification at redhat.com Wed Nov 16 13:38:40 2016
From: freeipa-github-notification at redhat.com (tiran)
Date: Wed, 16 Nov 2016 14:38:40 +0100
Subject: [Freeipa-devel] [freeipa PR#247][synchronized] Add 'ipa show_env' subcommand
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/247
Author: tiran
Title: #247: Add 'ipa show_env' subcommand
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/247/head:pr247
git checkout pr247
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-247.patch
Type: text/x-diff
Size: 3104 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Wed Nov 16 13:39:49 2016
From: freeipa-github-notification at redhat.com (tiran)
Date: Wed, 16 Nov 2016 14:39:49 +0100
Subject: [Freeipa-devel] [freeipa PR#247][edited] Add 'ipa local-env' subcommand
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/247
Author: tiran
Title: #247: Add 'ipa local-env' subcommand
Action: edited

Changed field: title
Original value:
"""
Add 'ipa show_env' subcommand
"""

From freeipa-github-notification at redhat.com Wed Nov 16 13:39:57 2016
From: freeipa-github-notification at redhat.com (tiran)
Date: Wed, 16 Nov 2016 14:39:57 +0100
Subject: [Freeipa-devel] [freeipa PR#247][edited] Add 'ipa local-env' subcommand
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/247
Author: tiran
Title: #247: Add 'ipa local-env' subcommand
Action: edited

Changed field: body
Original value:
"""
ipa show_env simply dumps all values from api.env as sorted key="value" pairs. It's a convenient helper for debugging and to write tests for e.g. PR #182.

https://fedorahosted.org/freeipa/ticket/6490

Signed-off-by: Christian Heimes
"""

From freeipa-github-notification at redhat.com Wed Nov 16 13:40:20 2016
From: freeipa-github-notification at redhat.com (tiran)
Date: Wed, 16 Nov 2016 14:40:20 +0100
Subject: [Freeipa-devel] [freeipa PR#247][comment] Add 'ipa local-env' subcommand
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/247
Title: #247: Add 'ipa local-env' subcommand

tiran commented:
"""
Good point! I changed the name to local-env.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/247#issuecomment-260948743

From freeipa-github-notification at redhat.com Wed Nov 16 13:41:59 2016
From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Wed, 16 Nov 2016 14:41:59 +0100
Subject: [Freeipa-devel] [freeipa PR#180][comment] Make api.env.nss_dir relative to api.env.confdir
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/180
Title: #180: Make api.env.nss_dir relative to api.env.confdir

tomaskrizek commented:
"""
ACK. The only issue is the ticket is already closed.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/180#issuecomment-260949114

From freeipa-github-notification at redhat.com Wed Nov 16 13:43:43 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Wed, 16 Nov 2016 14:43:43 +0100
Subject: [Freeipa-devel] [freeipa PR#243][+ack] Don't modify redhat_system_units
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/243
Title: #243: Don't modify redhat_system_units
Label: +ack

From freeipa-github-notification at redhat.com Wed Nov 16 13:44:12 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Wed, 16 Nov 2016 14:44:12 +0100
Subject: [Freeipa-devel] [freeipa PR#243][+pushed] Don't modify redhat_system_units
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/243
Title: #243: Don't modify redhat_system_units
Label: +pushed

From freeipa-github-notification at redhat.com Wed Nov 16 13:44:13 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Wed, 16 Nov 2016 14:44:13 +0100
Subject: [Freeipa-devel] [freeipa PR#243][comment] Don't modify redhat_system_units
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/243
Title: #243: Don't modify redhat_system_units

martbab commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/94a9dfb9d72ecd25a01316febbf2ffec50912e2e
"""

See the full comment at https://github.com/freeipa/freeipa/pull/243#issuecomment-260949595

From freeipa-github-notification at redhat.com Wed Nov 16 13:44:14 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Wed, 16 Nov 2016 14:44:14 +0100
Subject: [Freeipa-devel] [freeipa PR#243][closed] Don't modify redhat_system_units
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/243
Author: tiran
Title: #243: Don't modify redhat_system_units
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/243/head:pr243
git checkout pr243

From freeipa-github-notification at redhat.com Wed Nov 16 13:45:06 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 16 Nov 2016 14:45:06 +0100
Subject: [Freeipa-devel] [freeipa PR#180][+ack] Make api.env.nss_dir relative to api.env.confdir
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/180
Title: #180: Make api.env.nss_dir relative to api.env.confdir
Label: +ack

From freeipa-github-notification at redhat.com Wed Nov 16 13:45:30 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 16 Nov 2016 14:45:30 +0100
Subject: [Freeipa-devel] [freeipa PR#180][comment] Make api.env.nss_dir relative to api.env.confdir
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/180
Title: #180: Make api.env.nss_dir relative to api.env.confdir

mbasti-rh commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/9006ed34bb1edfaafc3345c1128800dc802c14ff
"""

See the full comment at https://github.com/freeipa/freeipa/pull/180#issuecomment-260949852

From freeipa-github-notification at redhat.com Wed Nov 16 13:45:31 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 16 Nov 2016 14:45:31 +0100
Subject: [Freeipa-devel] [freeipa PR#180][closed] Make api.env.nss_dir relative to api.env.confdir
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/180
Author: tiran
Title: #180: Make api.env.nss_dir relative to api.env.confdir
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/180/head:pr180
git checkout pr180

From freeipa-github-notification at redhat.com Wed Nov 16 13:45:32 2016
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 16 Nov 2016 14:45:32 +0100 Subject: [Freeipa-devel] [freeipa PR#180][+pushed] Make api.env.nss_dir relative to api.env.confdir In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/180 Title: #180: Make api.env.nss_dir relative to api.env.confdir Label: +pushed From freeipa-github-notification at redhat.com Wed Nov 16 13:49:17 2016 From: freeipa-github-notification at redhat.com (ofayans) Date: Wed, 16 Nov 2016 14:49:17 +0100 Subject: [Freeipa-devel] [freeipa PR#225][synchronized] tests: Added basic tests for certs in idoverrides In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/225 Author: ofayans Title: #225: tests: Added basic tests for certs in idoverrides Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/225/head:pr225 git checkout pr225 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-225.patch Type: text/x-diff Size: 9038 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Nov 16 14:21:38 2016 From: freeipa-github-notification at redhat.com (ofayans) Date: Wed, 16 Nov 2016 15:21:38 +0100 Subject: [Freeipa-devel] [freeipa PR#225][synchronized] tests: Added basic tests for certs in idoverrides In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/225 Author: ofayans Title: #225: tests: Added basic tests for certs in idoverrides Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/225/head:pr225 git checkout pr225 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-225.patch Type: text/x-diff Size: 9022 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Nov 16 14:42:52 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 16 Nov 2016 15:42:52 +0100
Subject: [Freeipa-devel] [freeipa PR#244][comment] Add templating to ipaplatform path [RFC]
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/244
Title: #244: Add templating to ipaplatform path [RFC]

mbasti-rh commented:
"""
You have PEP8 error there
```
./ipalib/cli.py:57:1: E402 module level import not at top of file
```
"""

See the full comment at https://github.com/freeipa/freeipa/pull/244#issuecomment-260964435

From freeipa-github-notification at redhat.com Wed Nov 16 14:43:25 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 16 Nov 2016 15:43:25 +0100
Subject: [Freeipa-devel] [freeipa PR#244][comment] Add templating to ipaplatform path [RFC]
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/244
Title: #244: Add templating to ipaplatform path [RFC]

mbasti-rh commented:
"""
Edit: wrong PR
"""

See the full comment at https://github.com/freeipa/freeipa/pull/244#issuecomment-260964435

From freeipa-github-notification at redhat.com Wed Nov 16 14:43:40 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 16 Nov 2016 15:43:40 +0100
Subject: [Freeipa-devel] [freeipa PR#247][comment] Add 'ipa local-env' subcommand
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/247
Title: #247: Add 'ipa local-env' subcommand

mbasti-rh commented:
"""
You have PEP8 error there
```
./ipalib/cli.py:57:1: E402 module level import not at top of file
```
"""

See the full comment at https://github.com/freeipa/freeipa/pull/247#issuecomment-260964677

From freeipa-github-notification at redhat.com Wed Nov 16 14:51:57 2016
From: freeipa-github-notification at redhat.com (tiran)
Date: Wed, 16 Nov 2016 15:51:57 +0100
Subject: [Freeipa-devel] [freeipa PR#247][comment] Add 'ipa local-env' subcommand
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/247
Title: #247: Add 'ipa local-env' subcommand

tiran commented:
"""
The PEP8 error can't be fixed. The evil ```reload(sys)``` hack must come before the remaining imports of ipalib and ipapython.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/247#issuecomment-260966027

From freeipa-github-notification at redhat.com Wed Nov 16 15:14:02 2016
From: freeipa-github-notification at redhat.com (pspacek)
Date: Wed, 16 Nov 2016 16:14:02 +0100
Subject: [Freeipa-devel] [freeipa PR#246][+ack] Build: ignore rpmbuild for lint target
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/246
Title: #246: Build: ignore rpmbuild for lint target
Label: +ack

From freeipa-github-notification at redhat.com Wed Nov 16 15:34:21 2016
From: freeipa-github-notification at redhat.com (alichbox)
Date: Wed, 16 Nov 2016 16:34:21 +0100
Subject: [Freeipa-devel] [freeipa PR#196][comment] ipatests: unresolvable nested netgroups
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/196
Title: #196: ipatests: unresolvable nested netgroups

alichbox commented:
"""
Hello, Martin,
I got your point about bigger suite that should be definitely an integration module. For smaller parts we use singlehost test (XMLRPC) because they are faster and resource friendly. I suggest to keep this test as it is (XMLRPC) and file a new issue - RFE for test coverage.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/196#issuecomment-260976689

From freeipa-github-notification at redhat.com Wed Nov 16 15:41:59 2016
From: freeipa-github-notification at redhat.com (ofayans) Date: Wed, 16 Nov 2016 16:41:59 +0100 Subject: [Freeipa-devel] [freeipa PR#225][synchronized] tests: Added basic tests for certs in idoverrides In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/225 Author: ofayans Title: #225: tests: Added basic tests for certs in idoverrides Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/225/head:pr225 git checkout pr225 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-225.patch Type: text/x-diff Size: 9022 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Nov 16 15:59:11 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 16 Nov 2016 16:59:11 +0100 Subject: [Freeipa-devel] [freeipa PR#246][closed] Build: ignore rpmbuild for lint target In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/246 Author: tomaskrizek Title: #246: Build: ignore rpmbuild for lint target Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/246/head:pr246 git checkout pr246 From freeipa-github-notification at redhat.com Wed Nov 16 15:59:12 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 16 Nov 2016 16:59:12 +0100 Subject: [Freeipa-devel] [freeipa PR#246][comment] Build: ignore rpmbuild for lint target In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/246 Title: #246: Build: ignore rpmbuild for lint target mbasti-rh commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/28c5e128c823f32787a4bde87e6b248928a2cd0a """ See the full comment at https://github.com/freeipa/freeipa/pull/246#issuecomment-260984476 From freeipa-github-notification at redhat.com Wed Nov 16 15:59:14 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 16 Nov 2016 16:59:14 +0100 Subject: [Freeipa-devel] [freeipa PR#246][+pushed] Build: ignore rpmbuild for lint target In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/246 Title: #246: Build: ignore rpmbuild for lint target Label: +pushed From freeipa-github-notification at redhat.com Wed Nov 16 16:30:19 2016 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 16 Nov 2016 17:30:19 +0100 Subject: [Freeipa-devel] [freeipa PR#223][synchronized] LDAP refactoring: remove admin_conn In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/223 Author: tomaskrizek Title: #223: LDAP refactoring: remove admin_conn Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/223/head:pr223 git checkout pr223 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-223.patch Type: text/x-diff Size: 48394 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Nov 16 16:31:58 2016 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 16 Nov 2016 17:31:58 +0100 Subject: [Freeipa-devel] [freeipa PR#223][comment] LDAP refactoring: remove admin_conn In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/223 Title: #223: LDAP refactoring: remove admin_conn tomaskrizek commented: """ Fixed the issue + rebased. Only the second commit has changed. """ See the full comment at https://github.com/freeipa/freeipa/pull/223#issuecomment-260995772 From freeipa-github-notification at redhat.com Wed Nov 16 17:24:43 2016 
From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 16 Nov 2016 18:24:43 +0100 Subject: [Freeipa-devel] [freeipa PR#248][opened] Fix the naming of ipa-dnskeysyncd service principal Message-ID: URL: https://github.com/freeipa/freeipa/pull/248 Author: martbab Title: #248: Fix the naming of ipa-dnskeysyncd service principal Action: opened PR body: """ https://fedorahosted.org/freeipa/ticket/6405 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/248/head:pr248 git checkout pr248 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-248.patch Type: text/x-diff Size: 962 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Nov 16 17:37:23 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 16 Nov 2016 18:37:23 +0100 Subject: [Freeipa-devel] [freeipa PR#248][+ack] Fix the naming of ipa-dnskeysyncd service principal In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/248 Title: #248: Fix the naming of ipa-dnskeysyncd service principal Label: +ack From freeipa-github-notification at redhat.com Wed Nov 16 17:38:02 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 16 Nov 2016 18:38:02 +0100 Subject: [Freeipa-devel] [freeipa PR#248][+pushed] Fix the naming of ipa-dnskeysyncd service principal In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/248 Title: #248: Fix the naming of ipa-dnskeysyncd service principal Label: +pushed From freeipa-github-notification at redhat.com Wed Nov 16 17:38:03 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 16 Nov 2016 18:38:03 +0100 Subject: [Freeipa-devel] [freeipa PR#248][comment] Fix the naming of ipa-dnskeysyncd service principal In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/248 Title: #248: Fix the naming of ipa-dnskeysyncd service principal mbasti-rh commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/6ca96b3db03d4f3c5dbf465ca3d36bd563771c47 """ See the full comment at https://github.com/freeipa/freeipa/pull/248#issuecomment-261015557 From freeipa-github-notification at redhat.com Wed Nov 16 17:38:05 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 16 Nov 2016 18:38:05 +0100 Subject: [Freeipa-devel] [freeipa PR#248][closed] Fix the naming of ipa-dnskeysyncd service principal In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/248 Author: martbab Title: #248: Fix the naming of ipa-dnskeysyncd service principal Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/248/head:pr248 git checkout pr248 From freeipa-github-notification at redhat.com Wed Nov 16 17:53:24 2016 
From: freeipa-github-notification at redhat.com (pspacek) Date: Wed, 16 Nov 2016 18:53:24 +0100 Subject: [Freeipa-devel] [freeipa PR#238][synchronized] Build system refactoring phase 8: update translation system In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/238 Author: pspacek Title: #238: Build system refactoring phase 8: update translation system Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/238/head:pr238 git checkout pr238 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-238.patch Type: text/x-diff Size: 1914006 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Nov 16 17:54:40 2016 From: freeipa-github-notification at redhat.com (pspacek) Date: Wed, 16 Nov 2016 18:54:40 +0100 Subject: [Freeipa-devel] [freeipa PR#238][comment] Build system refactoring phase 8: update translation system In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/238 Title: #238: Build system refactoring phase 8: update translation system pspacek commented: """ As far as I can tell all the nits mentioned below are addressed in the last version. Enjoy review :-) """ See the full comment at https://github.com/freeipa/freeipa/pull/238#issuecomment-261020281 From freeipa-github-notification at redhat.com Wed Nov 16 17:54:44 2016 
From: freeipa-github-notification at redhat.com (pspacek) Date: Wed, 16 Nov 2016 18:54:44 +0100 Subject: [Freeipa-devel] [freeipa PR#238][comment] Build system refactoring phase 8: update translation system In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/238 Title: #238: Build system refactoring phase 8: update translation system pspacek commented: """ This is rebased and fixed version. It should work including linters. Missing things: - [x] use fresh gettext files generated by autoreconf """ See the full comment at https://github.com/freeipa/freeipa/pull/238#issuecomment-260936269 From freeipa-github-notification at redhat.com Wed Nov 16 17:54:56 2016 From: freeipa-github-notification at redhat.com (pspacek) Date: Wed, 16 Nov 2016 18:54:56 +0100 Subject: [Freeipa-devel] [freeipa PR#238][comment] Build system refactoring phase 8: update translation system In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/238 Title: #238: Build system refactoring phase 8: update translation system pspacek commented: """ As far as I can tell all the nits mentioned *above* are addressed in the last version. Enjoy review :-) """ See the full comment at https://github.com/freeipa/freeipa/pull/238#issuecomment-261020281 From freeipa-github-notification at redhat.com Wed Nov 16 21:58:13 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 16 Nov 2016 22:58:13 +0100 Subject: [Freeipa-devel] [freeipa PR#195][+ack] Make ipaclient pip install-able In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/195 Title: #195: Make ipaclient pip install-able Label: +ack From freeipa-github-notification at redhat.com Wed Nov 16 21:59:16 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 16 Nov 2016 22:59:16 +0100 Subject: [Freeipa-devel] [freeipa PR#195][+pushed] Make ipaclient pip install-able In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/195 Title: #195: Make ipaclient pip install-able Label: +pushed From freeipa-github-notification at redhat.com Wed Nov 16 21:59:18 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 16 Nov 2016 22:59:18 +0100 Subject: [Freeipa-devel] [freeipa PR#195][comment] Make ipaclient pip install-able In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/195 Title: #195: Make ipaclient pip install-able mbasti-rh commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/8346e1b067483d4d836627a267805bbe8d6e7efa """ See the full comment at https://github.com/freeipa/freeipa/pull/195#issuecomment-261085781 From freeipa-github-notification at redhat.com Wed Nov 16 21:59:19 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 16 Nov 2016 22:59:19 +0100 Subject: [Freeipa-devel] [freeipa PR#195][closed] Make ipaclient pip install-able In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/195 Author: tiran Title: #195: Make ipaclient pip install-able Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/195/head:pr195 git checkout pr195 From freeipa-github-notification at redhat.com Wed Nov 16 22:35:27 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 16 Nov 2016 23:35:27 +0100 Subject: [Freeipa-devel] [freeipa PR#241][+ack] Port ipapython.dnssec.odsmgr to xml.etree In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/241 Title: #241: Port ipapython.dnssec.odsmgr to xml.etree Label: +ack From freeipa-github-notification at redhat.com Wed Nov 16 22:36:09 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 16 Nov 2016 23:36:09 +0100 Subject: [Freeipa-devel] [freeipa PR#241][comment] Port ipapython.dnssec.odsmgr to xml.etree In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/241 Title: #241: Port ipapython.dnssec.odsmgr to xml.etree mbasti-rh commented: """ There is already DNSSEC issue that is not caused by this PR https://fedorahosted.org/freeipa/ticket/6495 """ See the full comment at https://github.com/freeipa/freeipa/pull/241#issuecomment-261094982 From freeipa-github-notification at redhat.com Wed Nov 16 22:38:24 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 16 Nov 2016 23:38:24 +0100 Subject: [Freeipa-devel] [freeipa PR#241][+pushed] Port ipapython.dnssec.odsmgr to xml.etree In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/241 Title: #241: Port ipapython.dnssec.odsmgr to xml.etree Label: +pushed From freeipa-github-notification at redhat.com Wed Nov 16 22:38:26 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 16 Nov 2016 23:38:26 +0100 Subject: [Freeipa-devel] [freeipa PR#241][closed] Port ipapython.dnssec.odsmgr to xml.etree In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/241 Author: tiran Title: #241: Port ipapython.dnssec.odsmgr to xml.etree Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/241/head:pr241 git checkout pr241 From freeipa-github-notification at redhat.com Wed Nov 16 22:38:27 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 16 Nov 2016 23:38:27 +0100 Subject: [Freeipa-devel] [freeipa PR#241][comment] Port ipapython.dnssec.odsmgr to xml.etree In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/241 Title: #241: Port ipapython.dnssec.odsmgr to xml.etree mbasti-rh commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/64af88fee4a482b3f393d38ff2c7f9494e689a7b https://fedorahosted.org/freeipa/changeset/9fbd29cc106660865bc6cda225d6a8a338a78d31 """ See the full comment at https://github.com/freeipa/freeipa/pull/241#issuecomment-261095522 From freeipa-github-notification at redhat.com Wed Nov 16 22:48:55 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 16 Nov 2016 23:48:55 +0100 Subject: [Freeipa-devel] [freeipa PR#187][comment] Register entry points of Custodia plugins In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/187 Title: #187: Register entry points of Custodia plugins mbasti-rh commented: """ Rebased, ticket added to commit message, pushed Fixed upstream master: https://fedorahosted.org/freeipa/changeset/9102fb3b02fbe55480428e60fb8df4fd668d7753 """ See the full comment at https://github.com/freeipa/freeipa/pull/187#issuecomment-261098027 From freeipa-github-notification at redhat.com Wed Nov 16 22:48:57 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 16 Nov 2016 23:48:57 +0100 Subject: [Freeipa-devel] [freeipa PR#187][closed] Register entry points of Custodia plugins In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/187 Author: tiran Title: #187: Register entry points of Custodia plugins Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/187/head:pr187 git checkout pr187 From freeipa-github-notification at redhat.com Wed Nov 16 22:48:58 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 16 Nov 2016 23:48:58 +0100 Subject: [Freeipa-devel] [freeipa PR#187][+ack] Register entry points of Custodia plugins In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/187 Title: #187: Register entry points of Custodia plugins Label: +ack From freeipa-github-notification at redhat.com Wed Nov 16 22:49:00 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 16 Nov 2016 23:49:00 +0100 Subject: [Freeipa-devel] [freeipa PR#187][+pushed] Register entry points of Custodia plugins In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/187 Title: #187: Register entry points of Custodia plugins Label: +pushed From freeipa-github-notification at redhat.com Wed Nov 16 23:39:01 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Thu, 17 Nov 2016 00:39:01 +0100 Subject: [Freeipa-devel] [freeipa PR#234][+ack] Always use GSSAPI to set up initial replication In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/234 Title: #234: Always use GSSAPI to set up initial replication Label: +ack From freeipa-github-notification at redhat.com Wed Nov 16 23:39:45 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Thu, 17 Nov 2016 00:39:45 +0100 Subject: [Freeipa-devel] [freeipa PR#234][+pushed] Always use GSSAPI to set up initial replication In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/234 Title: #234: Always use GSSAPI to set up initial replication Label: +pushed From freeipa-github-notification at redhat.com Wed Nov 16 23:39:48 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Thu, 17 Nov 2016 00:39:48 +0100 Subject: [Freeipa-devel] [freeipa PR#234][closed] Always use GSSAPI to set up initial replication In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/234 Author: martbab Title: #234: Always use GSSAPI to set up initial replication Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/234/head:pr234 git checkout pr234 From freeipa-github-notification at redhat.com Wed Nov 16 23:39:49 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Thu, 17 Nov 2016 00:39:49 +0100 Subject: [Freeipa-devel] [freeipa PR#234][comment] Always use GSSAPI to set up initial replication In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/234 Title: #234: Always use GSSAPI to set up initial replication mbasti-rh commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/9d7943f3da7fb84975cc8f45047aafee13bf85dc https://fedorahosted.org/freeipa/changeset/3dc9ab162141c7d2e4affe73f520e1599e9f8c30 https://fedorahosted.org/freeipa/changeset/cf6048a3ba9998a65858993e52bd4895749f2a79 https://fedorahosted.org/freeipa/changeset/8378e1e39f44d49c2c90d2d0e7acd75a4fa95787 https://fedorahosted.org/freeipa/changeset/ce2bb47cca03eda1ff85f4725abb92c639f34ecc """ See the full comment at https://github.com/freeipa/freeipa/pull/234#issuecomment-261108554 From freeipa-github-notification at redhat.com Wed Nov 16 23:47:13 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Thu, 17 Nov 2016 00:47:13 +0100 Subject: [Freeipa-devel] [freeipa PR#237][comment] Update man page for ipa-adtrust-install by removing --no-msdcs option In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/237 Title: #237: Update man page for ipa-adtrust-install by removing --no-msdcs option mbasti-rh commented: """ Fixed upstream ipa-4-4: https://fedorahosted.org/freeipa/changeset/ef988aab6c756d5fec4513c182d702fb0a1db249 """ See the full comment at https://github.com/freeipa/freeipa/pull/237#issuecomment-261109943 From freeipa-github-notification at redhat.com Wed Nov 16 23:47:15 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Thu, 17 Nov 2016 00:47:15 +0100 Subject: [Freeipa-devel] [freeipa PR#237][closed] Update man page for ipa-adtrust-install by removing --no-msdcs option In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/237 Author: pspacek Title: #237: Update man page for ipa-adtrust-install by removing --no-msdcs option Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/237/head:pr237 git checkout pr237 From freeipa-github-notification at redhat.com Thu Nov 17 00:00:26 2016 
From: freeipa-github-notification at redhat.com (frasertweedale) Date: Thu, 17 Nov 2016 01:00:26 +0100 Subject: [Freeipa-devel] [freeipa PR#245][synchronized] Allow full customisability of IPA CA subject DN In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/245 Author: frasertweedale Title: #245: Allow full customisability of IPA CA subject DN Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/245/head:pr245 git checkout pr245 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-245.patch Type: text/x-diff Size: 60686 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Nov 17 00:00:50 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Thu, 17 Nov 2016 01:00:50 +0100 Subject: [Freeipa-devel] [freeipa PR#126][+ack] Fix ipa migrate-ds when it finds a search reference In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/126 Title: #126: Fix ipa migrate-ds when it finds a search reference Label: +ack From freeipa-github-notification at redhat.com Thu Nov 17 00:01:38 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Thu, 17 Nov 2016 01:01:38 +0100 Subject: [Freeipa-devel] [freeipa PR#126][comment] Fix ipa migrate-ds when it finds a search reference In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/126 Title: #126: Fix ipa migrate-ds when it finds a search reference mbasti-rh commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/efb3700389ff46244189fa95779484eb099d63b4 """ See the full comment at https://github.com/freeipa/freeipa/pull/126#issuecomment-261112578 From freeipa-github-notification at redhat.com Thu Nov 17 00:01:40 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Thu, 17 Nov 2016 01:01:40 +0100 Subject: [Freeipa-devel] [freeipa PR#126][closed] Fix ipa migrate-ds when it finds a search reference In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/126 Author: flo-renaud Title: #126: Fix ipa migrate-ds when it finds a search reference Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/126/head:pr126 git checkout pr126 From freeipa-github-notification at redhat.com Thu Nov 17 00:01:41 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Thu, 17 Nov 2016 01:01:41 +0100 Subject: [Freeipa-devel] [freeipa PR#126][+pushed] Fix ipa migrate-ds when it finds a search reference In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/126 Title: #126: Fix ipa migrate-ds when it finds a search reference Label: +pushed From freeipa-github-notification at redhat.com Thu Nov 17 00:08:17 2016 From: freeipa-github-notification at redhat.com (frasertweedale) Date: Thu, 17 Nov 2016 01:08:17 +0100 Subject: [Freeipa-devel] [freeipa PR#227][comment] cert-request: match names against principal aliases In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/227 Title: #227: cert-request: match names against principal aliases frasertweedale commented: """ @martbab thanks for review; I will revisit this some time in next week (hopefully) """ See the full comment at https://github.com/freeipa/freeipa/pull/227#issuecomment-261113718 From freeipa-github-notification at redhat.com Thu Nov 17 00:10:30 2016 
From: freeipa-github-notification at redhat.com (frasertweedale)
Date: Thu, 17 Nov 2016 01:10:30 +0100
Subject: [Freeipa-devel] [freeipa PR#245][comment] Allow full customisability of IPA CA subject DN
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/245
Title: #245: Allow full customisability of IPA CA subject DN

frasertweedale commented:
"""
Added a new commit to add DNs-in-ldap-order comments.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/245#issuecomment-261114098

From freeipa-github-notification at redhat.com Thu Nov 17 00:30:08 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Thu, 17 Nov 2016 01:30:08 +0100
Subject: [Freeipa-devel] [freeipa PR#206][comment] Properly handle multiple cookies in rpcclient
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/206
Title: #206: Properly handle multiple cookies in rpcclient

mbasti-rh commented:
"""
At the end of server install many times and it is also printed by each ipa command
```
Forwarding 'ca_is_enabled' to json server 'https://vm-058-013.ipa.test/ipa/json'
unable to parse cookie header '['ipa_session=d367590c2429dec4c142af0509a5f96a; Domain=vm-058-013.ipa.test; Path=/ipa; Expires=Thu, 17 Nov 2016 00:43:55 GMT; Secure; HttpOnly']': expected string or buffer
```
"""

See the full comment at https://github.com/freeipa/freeipa/pull/206#issuecomment-261117515

From freeipa-github-notification at redhat.com Thu Nov 17 00:55:02 2016
From: freeipa-github-notification at redhat.com (frasertweedale) Date: Thu, 17 Nov 2016 01:55:02 +0100 Subject: [Freeipa-devel] [freeipa PR#249][opened] Remove references to ds_newinst.pl Message-ID: URL: https://github.com/freeipa/freeipa/pull/249 Author: frasertweedale Title: #249: Remove references to ds_newinst.pl Action: opened PR body: """ ds_newinst.pl was removed from 389 DS over 9 years ago. Remove references to it. Fixes: https://fedorahosted.org/freeipa/ticket/6496 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/249/head:pr249 git checkout pr249 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-249.patch Type: text/x-diff Size: 1969 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Nov 17 05:15:17 2016 
From: freeipa-github-notification at redhat.com (frasertweedale)
Date: Thu, 17 Nov 2016 06:15:17 +0100
Subject: [Freeipa-devel] [freeipa PR#227][comment] cert-request: match names against principal aliases
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/227
Title: #227: cert-request: match names against principal aliases

frasertweedale commented:
"""
@martbab

Semantics:

0. *Subject principal* is looked up by `--principal` option, via `{PRINCIPAL_TYPE}_show` command. If you think this should be extended to allow `--principal` to use an alias, I am cool with that.

1. For host and service principals, CN must match[dns] (described below) a principal alias.

2. For host and service principals, SAN dnsNames must match[dns] a principal alias, **or** match an alternative principal.

3. For all principals, SAN KRB5PrincipalName and UPN values must match[exact] a principal alias.

**match[dns]**: iterate principal aliases. Matches if: alias has same realm as `--principal` **and** alias has same service name as `--principal` **and** alias hostname equals (case insensitively) the SAN dnsName value. (If we generalise `--principal` to search all aliases then I would recommend restricting the search to principals with same realm and service name as the `krbcanonicalname` of the returned principal).

-----

w.r.t. test failure, I cannot reproduce with this patch rebased on latest master.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/227#issuecomment-261157548

From freeipa-github-notification at redhat.com Thu Nov 17 09:08:19 2016
From: freeipa-github-notification at redhat.com (tiran) Date: Thu, 17 Nov 2016 10:08:19 +0100 Subject: [Freeipa-devel] [freeipa PR#250][opened] ipapython and ipatest no longer require lxml Message-ID: URL: https://github.com/freeipa/freeipa/pull/250 Author: tiran Title: #250: ipapython and ipatest no longer require lxml Action: opened PR body: """ Commits 64af88fe and 9fbd29cc have removed dependency on lxml. Signed-off-by: Christian Heimes """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/250/head:pr250 git checkout pr250 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-250.patch Type: text/x-diff Size: 1086 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Nov 17 09:14:25 2016 From: freeipa-github-notification at redhat.com (tiran) Date: Thu, 17 Nov 2016 10:14:25 +0100 Subject: [Freeipa-devel] [freeipa PR#249][+ack] Remove references to ds_newinst.pl In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/249 Title: #249: Remove references to ds_newinst.pl Label: +ack From freeipa-github-notification at redhat.com Thu Nov 17 09:37:22 2016 
From: freeipa-github-notification at redhat.com (tiran)
Date: Thu, 17 Nov 2016 10:37:22 +0100
Subject: [Freeipa-devel] [freeipa PR#177][comment] Add options to write lightweight CA cert or chain to file
In-Reply-To:
References:
Message-ID:
URL: https://github.com/freeipa/freeipa/pull/177
Title: #177: Add options to write lightweight CA cert or chain to file

tiran commented:
"""
pylint fails:

```
Pylint is running, please wait ...
************* Module ipalib.x509
ipalib/x509.py:161: [E0602(undefined-variable), pkcs7_to_pems] Undefined variable 'paths')
make: *** [pylint] Error 2
Makefile:1040: recipe for target 'pylint' failed
```
"""

See the full comment at https://github.com/freeipa/freeipa/pull/177#issuecomment-261199258

From freeipa-github-notification at redhat.com Thu Nov 17 10:02:52 2016
From: freeipa-github-notification at redhat.com (tiran)
Date: Thu, 17 Nov 2016 11:02:52 +0100
Subject: [Freeipa-devel] [freeipa PR#238][comment] Build system refactoring phase 8: update translation system
In-Reply-To:
References:
Message-ID:
URL: https://github.com/freeipa/freeipa/pull/238
Title: #238: Build system refactoring phase 8: update translation system

tiran commented:
"""
Build is failing:

```
Can't exec "autopoint": No such file or directory at /usr/share/autoconf/Autom4te/FileUtils.pm line 345.
autoreconf: failed to run autopoint: No such file or directory
autoreconf: autopoint is needed because this package uses Gettext
```

The command is provided by gettext-devel:

```
BuildRequires: gettext-devel
```
"""

See the full comment at https://github.com/freeipa/freeipa/pull/238#issuecomment-261205116

From freeipa-github-notification at redhat.com Thu Nov 17 10:29:18 2016
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Thu, 17 Nov 2016 11:29:18 +0100 Subject: [Freeipa-devel] [freeipa PR#250][+ack] ipapython and ipatest no longer require lxml In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/250 Title: #250: ipapython and ipatest no longer require lxml Label: +ack From freeipa-github-notification at redhat.com Thu Nov 17 10:30:04 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Thu, 17 Nov 2016 11:30:04 +0100 Subject: [Freeipa-devel] [freeipa PR#250][comment] ipapython and ipatest no longer require lxml In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/250 Title: #250: ipapython and ipatest no longer require lxml mbasti-rh commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/c93bfda594723357f3ff9f4eb8191f3d76df680f """ See the full comment at https://github.com/freeipa/freeipa/pull/250#issuecomment-261211561 From freeipa-github-notification at redhat.com Thu Nov 17 10:30:06 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Thu, 17 Nov 2016 11:30:06 +0100 Subject: [Freeipa-devel] [freeipa PR#250][+pushed] ipapython and ipatest no longer require lxml In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/250 Title: #250: ipapython and ipatest no longer require lxml Label: +pushed From freeipa-github-notification at redhat.com Thu Nov 17 10:30:07 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Thu, 17 Nov 2016 11:30:07 +0100 Subject: [Freeipa-devel] [freeipa PR#250][closed] ipapython and ipatest no longer require lxml In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/250 Author: tiran Title: #250: ipapython and ipatest no longer require lxml Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/250/head:pr250 git checkout pr250 From freeipa-github-notification at redhat.com Thu Nov 17 10:35:47 2016 From: freeipa-github-notification at redhat.com (tiran) Date: Thu, 17 Nov 2016 11:35:47 +0100 Subject: [Freeipa-devel] [freeipa PR#250][comment] ipapython and ipatest no longer require lxml In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/250 Title: #250: ipapython and ipatest no longer require lxml tiran commented: """ @mbasti-rh, thx for the quick merge but please enjoy your freedom day instead! """ See the full comment at https://github.com/freeipa/freeipa/pull/250#issuecomment-261212854 From freeipa-github-notification at redhat.com Thu Nov 17 12:03:28 2016 From: freeipa-github-notification at redhat.com (tiran) Date: Thu, 17 Nov 2016 13:03:28 +0100 Subject: [Freeipa-devel] [freeipa PR#251][opened] Add rebuild rule for template files Message-ID: URL: https://github.com/freeipa/freeipa/pull/251 Author: tiran Title: #251: Add rebuild rule for template files Action: opened PR body: """ CONFIG_STATUS_DEPENDENCIES ensure that 'make' will re-run configure after any of the template files (freeipa.spec.in, ipasetup.py.in...) have been altered. 
Signed-off-by: Christian Heimes """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/251/head:pr251 git checkout pr251 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-251.patch Type: text/x-diff Size: 937 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Nov 17 12:05:19 2016 From: freeipa-github-notification at redhat.com (tiran) Date: Thu, 17 Nov 2016 13:05:19 +0100 Subject: [Freeipa-devel] [freeipa PR#252][opened] Use namespace-aware meta importer for ipaplatform Message-ID: URL: https://github.com/freeipa/freeipa/pull/252 Author: tiran Title: #252: Use namespace-aware meta importer for ipaplatform Action: opened PR body: """ Instead of symlinks and build-time configuration the ipaplatform module is now able to auto-detect platforms on import time. The meta importer uses the platform 'ID' from /etc/os-releases. It falls back to 'ID_LIKE' on platforms like CentOS, which has ID=centos and ID_LIKE="rhel fedora". The meta importer is able to handle namespace packages and the ipaplatform package has been turned into a namespace package in order to support external platform specifications. https://fedorahosted.org/freeipa/ticket/6474 Signed-off-by: Christian Heimes """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/252/head:pr252 git checkout pr252 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-252.patch Type: text/x-diff Size: 13002 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Nov 17 13:25:28 2016 
From: freeipa-github-notification at redhat.com (tiran) Date: Thu, 17 Nov 2016 14:25:28 +0100 Subject: [Freeipa-devel] [freeipa PR#252][synchronized] Use namespace-aware meta importer for ipaplatform In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/252 Author: tiran Title: #252: Use namespace-aware meta importer for ipaplatform Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/252/head:pr252 git checkout pr252 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-252.patch Type: text/x-diff Size: 13393 bytes Desc: not available URL: From mrniranjan at fedoraproject.org Thu Nov 17 13:39:52 2016 From: mrniranjan at fedoraproject.org (Niranjan) Date: Thu, 17 Nov 2016 19:09:52 +0530 Subject: [Freeipa-devel] [patch]pytest-multihost: Add external_ip parameter to specify external_ip when using openstack Message-ID: <20161117133952.GA27078@mniranja.pnq.csb> Greetings, When using pytest multihost to connect with hosts provisioned in openstack, it's required to have ability for the test to use floating ip[external ip]. This patch adds another attribute external_ip parameter under hosts . Regards Niranjan -------------- next part -------------- From d9285c75a2ff9545bdac13018156b40d06432cbd Mon Sep 17 00:00:00 2001 From: Niranjan MR Date: Thu, 13 Oct 2016 20:38:12 +0530 Subject: [PATCH 1/2] Add external_ip parameter Used in cases where openstack is used and where there are 2 sets of ip's: internal and external ip(floating). Signed-off-by: Niranjan MR --- pytest_multihost/host.py | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/pytest_multihost/host.py b/pytest_multihost/host.py index 826372d8a6a6ff80a4f07660298568be6e74435d..32f632b81eaa511fa7011d5aa99ae3170f745bf1 100644 --- a/pytest_multihost/host.py +++ b/pytest_multihost/host.py 
@@ -28,7 +28,8 @@ class BaseHost(object): command_prelude = '' def __init__(self, domain, hostname, role, ip=None, - external_hostname=None, username=None, password=None, + external_hostname=None, external_ip=None, + username=None, password=None, test_dir=None, host_type=None): self.host_type = host_type self.domain = domain @@ -58,6 +59,7 @@ class BaseHost(object): self.external_hostname = str(external_hostname or hostname) self.netbios = self.domain.name.split('.')[0].upper() + self.external_ip = str(external_ip) self.logger_name = '%s.%s.%s' % ( self.__module__, type(self).__name__, shortname) @@ -81,7 +83,6 @@ class BaseHost(object): if not self.ip: raise RuntimeError('Could not determine IP address of %s' % self.external_hostname) - self.host_key = None self.ssh_port = 22 @@ -126,12 +127,14 @@ class BaseHost(object): username = dct.pop('username', None) password = dct.pop('password', None) host_type = dct.pop('host_type', 'default') + external_ip = dct.pop('external_ip', None) check_config_dict_empty(dct, 'host %s' % hostname) return cls(domain, hostname, role, ip=ip, external_hostname=external_hostname, + external_ip=external_ip, username=username, password=password, host_type=host_type) -- 1.8.3.1 -------------- next part -------------- From 96cf1cd68ab7ba8ce30a64fbc0725624e1014b00 Mon Sep 17 00:00:00 2001 From: Niranjan MR Date: Mon, 17 Oct 2016 09:21:30 +0530 Subject: [PATCH 2/2] Add external_ip parameter for tests Signed-off-by: Niranjan MR --- test_pytestmultihost/test_localhost.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/test_pytestmultihost/test_localhost.py b/test_pytestmultihost/test_localhost.py index c51a2eaa66d15fcd631f2c15a4347ff39094396e..7658da09a386db92c6be4771f54b403189cf223a 100644 --- a/test_pytestmultihost/test_localhost.py +++ b/test_pytestmultihost/test_localhost.py 
@@ -30,6 +30,7 @@ def get_conf_dict(): 'external_hostname': 'localhost', 'ip': '127.0.0.1', 'role': 'local', + 'external_ip': '127.0.0.1' }, { 'name': 'localhost', @@ -37,6 +38,7 @@ def get_conf_dict(): 'ip': '127.0.0.1', 'username': '__nonexisting_test_username__', 'role': 'badusername', + 'external_ip': '127.0.0.1' }, { 'name': 'localhost', @@ -45,6 +47,7 @@ def get_conf_dict(): 'username': 'root', 'password': 'BAD PASSWORD', 'role': 'badpassword', + 'external_ip': '127.0.0.1' }, ], }, -- 1.8.3.1 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 328 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Nov 18 00:14:57 2016 From: freeipa-github-notification at redhat.com (frasertweedale) Date: Fri, 18 Nov 2016 01:14:57 +0100 Subject: [Freeipa-devel] [freeipa PR#177][synchronized] Add options to write lightweight CA cert or chain to file In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/177 Author: frasertweedale Title: #177: Add options to write lightweight CA cert or chain to file Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/177/head:pr177 git checkout pr177 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-177.patch Type: text/x-diff Size: 16706 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Nov 18 07:26:01 2016 
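Review bot: In PATCH 1/2, the second hunk of pytest_multihost/host.py assigns `self.external_ip = str(external_ip)` unconditionally, so a host configured without `external_ip` ends up with the four-character string 'None' instead of no value: the parameter defaults to None in `__init__`, and `from_dict` pops it with a None default. That string is truthy, so any later `if host.external_ip:` check passes and the literal text can be handed to code expecting an address. Suggest `self.external_ip = str(external_ip) if external_ip else None`, or a fallback to `self.ip` in the way `external_hostname` falls back to `hostname` in the same hunk. The third hunk (`@@ -81,7 +83,6 @@`) only deletes a blank line before `self.host_key = None`, which is unrelated to the feature and is better dropped from the patch. The diffstat shows host.py as the only file changed, so the new `external_ip` config key is not documented anywhere in this change.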
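Review bot: In PATCH 2/2, the three added `'external_ip': '127.0.0.1'` entries in get_conf_dict() only push the new key through config parsing; nothing in the change asserts that the resulting host object exposes `external_ip`, and because every test host now sets the key, the default path where it is absent is never exercised. Suggest adding an assertion on `host.external_ip` and leaving the key off one of the three hosts so the default is covered too. The added entries also lack the trailing comma that the neighbouring entries such as `'role': 'local',` carry.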
From: freeipa-github-notification at redhat.com (pspacek) Date: Fri, 18 Nov 2016 08:26:01 +0100 Subject: [Freeipa-devel] [freeipa PR#238][synchronized] Build system refactoring phase 8: update translation system In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/238 Author: pspacek Title: #238: Build system refactoring phase 8: update translation system Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/238/head:pr238 git checkout pr238 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-238.patch Type: text/x-diff Size: 1914446 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Nov 18 07:31:30 2016 From: freeipa-github-notification at redhat.com (pspacek) Date: Fri, 18 Nov 2016 08:31:30 +0100 Subject: [Freeipa-devel] [freeipa PR#253][opened] Add .eggs to Gitignore Message-ID: URL: https://github.com/freeipa/freeipa/pull/253 Author: pspacek Title: #253: Add .eggs to Gitignore Action: opened PR body: """ These are result of new Python builds. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/253/head:pr253 git checkout pr253 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-253.patch Type: text/x-diff Size: 481 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Nov 18 07:32:19 2016 
From: freeipa-github-notification at redhat.com (pspacek) Date: Fri, 18 Nov 2016 08:32:19 +0100 Subject: [Freeipa-devel] [freeipa PR#253][comment] Add .eggs to Gitignore In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/253 Title: #253: Add .eggs to Gitignore pspacek commented: """ @tiran Please provide me a ticket number which is linked to the commits which caused creation of .eggs. Thanks. """ See the full comment at https://github.com/freeipa/freeipa/pull/253#issuecomment-261467061 From freeipa-github-notification at redhat.com Fri Nov 18 07:33:23 2016 From: freeipa-github-notification at redhat.com (pspacek) Date: Fri, 18 Nov 2016 08:33:23 +0100 Subject: [Freeipa-devel] [freeipa PR#238][comment] Build system refactoring phase 8: update translation system In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/238 Title: #238: Build system refactoring phase 8: update translation system pspacek commented: """ Good catch, fixed & rebased on top of current master. """ See the full comment at https://github.com/freeipa/freeipa/pull/238#issuecomment-261467199 From freeipa-github-notification at redhat.com Fri Nov 18 07:56:01 2016 
From: freeipa-github-notification at redhat.com (pspacek)
Date: Fri, 18 Nov 2016 08:56:01 +0100
Subject: [Freeipa-devel] [freeipa PR#251][comment] Add rebuild rule for template files
In-Reply-To:
References:
Message-ID:
URL: https://github.com/freeipa/freeipa/pull/251
Title: #251: Add rebuild rule for template files

pspacek commented:
"""
NACK:

- the variable is defined incorrectly, it should be in configure.ac (see Automake manual chapter [16 Rebuilding Makefiles](https://www.gnu.org/software/automake/manual/html_node/Rebuilding.html))
- file `install/ui/src/libs/loader.js` is missing in the list
- please reference build system refactoring ticket in the commit message
- even more importantly, there is a conceptual problem: I'm not even sure that this is the right approach. CONFIG_STATUS_DEPENDENCIES is intended for re-building Makefiles and related infrastructure, not individual files generated from templates. With this patch it will re-run configure and config.status for the whole tree. The correct way to do this is to re-run config.status only for particular file. (config.status is the script which is doing actual variable substitution into templates.) Fixing this might require moving these particular template substitutions from `AC_CONFIG_FILES` to Makefile.am in particular directories.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/251#issuecomment-261470338

From freeipa-github-notification at redhat.com Fri Nov 18 08:31:04 2016
From: freeipa-github-notification at redhat.com (tiran) Date: Fri, 18 Nov 2016 09:31:04 +0100 Subject: [Freeipa-devel] [freeipa PR#254][opened] Replace LooseVersion with pkg_resources.parse_version Message-ID: URL: https://github.com/freeipa/freeipa/pull/254 Author: tiran Title: #254: Replace LooseVersion with pkg_resources.parse_version Action: opened PR body: """ pylint is having a hard time with distutils.version in tox's virtual envs. virtualenv uses some tricks to provide a virtual distutils package, pylint can't cope with. https://github.com/PyCQA/pylint/issues/73 suggests to use pkg_resources instead. pkg_resources' version parser has some more benefits, e.g. PEP 440 conformity. Signed-off-by: Christian Heimes """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/254/head:pr254 git checkout pr254 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-254.patch Type: text/x-diff Size: 7315 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Nov 18 08:32:41 2016 From: freeipa-github-notification at redhat.com (tiran) Date: Fri, 18 Nov 2016 09:32:41 +0100 Subject: [Freeipa-devel] [freeipa PR#254][comment] Replace LooseVersion with pkg_resources.parse_version In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/254 Title: #254: Replace LooseVersion with pkg_resources.parse_version tiran commented: """ The PR is related to integration improvements and pip-installable effort, https://fedorahosted.org/freeipa/ticket/6468. """ See the full comment at https://github.com/freeipa/freeipa/pull/254#issuecomment-261476303 From freeipa-github-notification at redhat.com Fri Nov 18 08:42:06 2016 
From: freeipa-github-notification at redhat.com (tiran)
Date: Fri, 18 Nov 2016 09:42:06 +0100
Subject: [Freeipa-devel] [freeipa PR#253][comment] Add .eggs to Gitignore
In-Reply-To:
References:
Message-ID:
URL: https://github.com/freeipa/freeipa/pull/253
Title: #253: Add .eggs to Gitignore

tiran commented:
"""
I can't reproduce the issue locally. What's inside your .eggs directory? It's used by setuptools.dist to cache install, build and test dependencies. It should not be generated in the first place.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/253#issuecomment-261477882

From freeipa-github-notification at redhat.com Fri Nov 18 08:53:26 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Fri, 18 Nov 2016 09:53:26 +0100
Subject: [Freeipa-devel] [freeipa PR#254][comment] Replace LooseVersion with pkg_resources.parse_version
In-Reply-To:
References:
Message-ID:
URL: https://github.com/freeipa/freeipa/pull/254
Title: #254: Replace LooseVersion with pkg_resources.parse_version

martbab commented:
"""
I have a sneaky suspicion that the parse_version couldn't cope correctly with some of the downstream versioning schemes like RHEL z-stream releases and such. That should be OK with API version, but client/server versions can pose a problem.

There are some examples in the ipatests/test_ipaserver/test_version_comparison.py I made when solving a bug that was caused by incorrect version comparison. Can you check if parse_version can handle them correctly?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/254#issuecomment-261479903

From freeipa-github-notification at redhat.com Fri Nov 18 09:18:46 2016
From: freeipa-github-notification at redhat.com (pspacek) Date: Fri, 18 Nov 2016 10:18:46 +0100 Subject: [Freeipa-devel] [freeipa PR#253][comment] Add .eggs to Gitignore In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/253 Title: #253: Add .eggs to Gitignore pspacek commented: """ I'm using this script to build IPA: ~~~ rm -rvf ~/rpmbuild/{BUILD,BUILDROOT,SPECS,SOURCES,RPMS,SRPMS} mkdir -pv ~/rpmbuild/{BUILD,BUILDROOT,SPECS,SOURCES,RPMS,SRPMS} autoreconf -i ./configure make dist cp freeipa-*.tar.gz ~/rpmbuild/SOURCES/ cp freeipa.spec ~/rpmbuild/SPECS/ rpmbuild --noclean -ba ~/rpmbuild/SPECS/freeipa.spec ~~~ The ipapython/.eggs directory contains this: ~~~ ipapython/.eggs ipapython/.eggs/wheel-0.30.0a0-py2.7.egg ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/wheel ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/wheel/pep425tags.pyc ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/wheel/install.py ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/wheel/test ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/wheel/test/test_keys.pyc ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/wheel/test/simple.dist ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/wheel/test/simple.dist/setup.pyc ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/wheel/test/simple.dist/simpledist ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/wheel/test/simple.dist/simpledist/__init__.py ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/wheel/test/simple.dist/simpledist/__init__.pyc ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/wheel/test/simple.dist/setup.py ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/wheel/test/test_paths.py ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/wheel/test/test_signatures.pyc ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/wheel/test/test_wheelfile.pyc ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/wheel/test/test_keys.py ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/wheel/test/test-1.0-py2.py3-none-win32.whl ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/wheel/test/test_wheelfile.py ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/wheel/test/headers.dist 
ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/wheel/test/headers.dist/header.h ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/wheel/test/headers.dist/setup.pyc ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/wheel/test/headers.dist/headersdist.py ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/wheel/test/headers.dist/headersdist.pyc ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/wheel/test/headers.dist/setup.py ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/wheel/test/test_basic.py ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/wheel/test/test_install.py ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/wheel/test/__init__.py ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/wheel/test/test_tool.pyc ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/wheel/test/test_paths.pyc ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/wheel/test/test_ranking.pyc ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/wheel/test/conftest.py ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/wheel/test/test_ranking.py ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/wheel/test/test_signatures.py ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/wheel/test/test_tagopt.py ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/wheel/test/test_basic.pyc ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/wheel/test/conftest.pyc ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/wheel/test/test_install.pyc ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/wheel/test/pydist-schema.json ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/wheel/test/complex-dist ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/wheel/test/complex-dist/setup.pyc ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/wheel/test/complex-dist/setup.py ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/wheel/test/complex-dist/complexdist ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/wheel/test/complex-dist/complexdist/__init__.py ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/wheel/test/complex-dist/complexdist/__init__.pyc ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/wheel/test/extension.dist ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/wheel/test/extension.dist/setup.pyc 
ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/wheel/test/extension.dist/setup.py ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/wheel/test/test_tool.py ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/wheel/test/__init__.pyc ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/wheel/test/test_tagopt.pyc ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/wheel/install.pyc ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/wheel/decorator.py ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/wheel/pkginfo.py ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/wheel/pep425tags.py ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/wheel/eggnames.txt ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/wheel/paths.pyc ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/wheel/bdist_wheel.py ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/wheel/decorator.pyc ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/wheel/egg2wheel.py ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/wheel/__main__.py ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/wheel/signatures ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/wheel/signatures/keys.py ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/wheel/signatures/ed25519py.pyc ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/wheel/signatures/djbec.pyc ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/wheel/signatures/__init__.py ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/wheel/signatures/keys.pyc ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/wheel/signatures/djbec.py ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/wheel/signatures/ed25519py.py ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/wheel/signatures/__init__.pyc ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/wheel/archive.pyc ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/wheel/__init__.py ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/wheel/tool ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/wheel/tool/__init__.py ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/wheel/tool/__init__.pyc ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/wheel/paths.py ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/wheel/pkginfo.pyc ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/wheel/__main__.pyc 
ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/wheel/wininst2wheel.pyc ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/wheel/egg2wheel.pyc ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/wheel/metadata.py ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/wheel/wininst2wheel.py ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/wheel/bdist_wheel.pyc ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/wheel/metadata.pyc ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/wheel/archive.py ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/wheel/util.py ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/wheel/util.pyc ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/wheel/__init__.pyc ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/EGG-INFO ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/EGG-INFO/not-zip-safe ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/EGG-INFO/top_level.txt ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/EGG-INFO/requires.txt ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/EGG-INFO/PKG-INFO ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/EGG-INFO/dependency_links.txt ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/EGG-INFO/entry_points.txt ipapython/.eggs/wheel-0.30.0a0-py2.7.egg/EGG-INFO/SOURCES.txt ipapython/.eggs/README.txt ~~~ """ See the full comment at https://github.com/freeipa/freeipa/pull/253#issuecomment-261484677 From freeipa-github-notification at redhat.com Fri Nov 18 09:22:04 2016 
From: freeipa-github-notification at redhat.com (tiran)
Date: Fri, 18 Nov 2016 10:22:04 +0100
Subject: [Freeipa-devel] [freeipa PR#251][comment] Add rebuild rule for template files
In-Reply-To:
References:
Message-ID:
URL: https://github.com/freeipa/freeipa/pull/251
Title: #251: Add rebuild rule for template files

tiran commented:
"""
I created a ticket for you, https://fedorahosted.org/freeipa/ticket/6498 .

This **exact (!)** AC_SUBST works for me. Additional newlines cause CONFIG_STATUS_DEPENDENCIES to be an empty rule.

```
# re-run configure after templates have been altered
AC_SUBST([CONFIG_STATUS_DEPENDENCIES], ['$(top_srcdir)/daemons/ipa-version.h.in $(top_srcdir)/freeipa.spec.in $(top_srcdir)/ipapython/version.py.in $(top_srcdir)/ipasetup.py.in $(top_srcdir)/install/ui/src/libs/loader.js.in'])
```
"""

See the full comment at https://github.com/freeipa/freeipa/pull/251#issuecomment-261485319

From freeipa-github-notification at redhat.com Fri Nov 18 09:35:23 2016
From: freeipa-github-notification at redhat.com (tiran)
Date: Fri, 18 Nov 2016 10:35:23 +0100
Subject: [Freeipa-devel] [freeipa PR#253][comment] Add .eggs to Gitignore
In-Reply-To:
References:
Message-ID:
URL: https://github.com/freeipa/freeipa/pull/253
Title: #253: Add .eggs to Gitignore

tiran commented:
"""
Ah, you don't have python-wheel installed. The package download is triggered by ```setup_requires=["wheel"]```. I assumed that Fedora installs the wheel package with pip. Apparently it does not.

Since RHEL and CentOS do not have a python-wheel package, we can't fix the problem with a build requirement. I have to remove ```setup_requires```.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/253#issuecomment-261488060

From freeipa-github-notification at redhat.com Fri Nov 18 09:51:58 2016
From: freeipa-github-notification at redhat.com (tiran)
Date: Fri, 18 Nov 2016 10:51:58 +0100
Subject: [Freeipa-devel] [freeipa PR#254][comment] Replace LooseVersion with pkg_resources.parse_version
In-Reply-To:
References:
Message-ID:
URL: https://github.com/freeipa/freeipa/pull/254
Title: #254: Replace LooseVersion with pkg_resources.parse_version

tiran commented:
"""
sigh, you are right, parse_version does not handle one version comparison as we expect: ```4.2.0-15.el7 < 4.2.0-15.el7_2.3```

```
from __future__ import print_function

import operator
import pkg_resources

version_strings = [
    ("3.0.0-1.el6", "3.0.0-2.el6", operator.lt),
    ("3.0.0-1.el6_8", "3.0.0-1.el6_8.1", operator.lt),
    ("3.0.0-42.el6", "3.0.0-1.el6", operator.gt),
    ("3.0.0-1.el6", "3.0.0-42.el6", operator.lt),
    ("3.0.0-42.el6", "3.3.3-1.fc20", operator.lt),
    ("4.2.0-15.el7", "4.2.0-15.el7_2.3", operator.lt),
    ("4.2.0-15.el7_2", "4.2.0-15.el7_2.3", operator.lt),
    ("4.2.0-15.el7_2.3", "4.2.0-15.el7_2.3", operator.eq),
    ("4.2.0-15.el7_2.3", "4.2.0-15.el7_2.2", operator.gt),
    ("4.2.0-1.fc23", "4.2.1-1.fc23", operator.lt),
    ("4.2.3-alpha1.fc23", "4.2.3-2.fc23", operator.lt),
    ("4.3.90.201601080923GIT55aeea7-0.fc23", "4.3.0-1.fc23", operator.gt)
]

for v1, v2, op in version_strings:
    v1 = pkg_resources.parse_version(v1)
    v2 = pkg_resources.parse_version(v2)
    if not op(v1, v2):
        print("failure: ", v1, op.__name__, v2)
```

```
$ python v.py
failure: 4.2.0-15.el7 lt 4.2.0-15.el7_2.3
```
"""

See the full comment at https://github.com/freeipa/freeipa/pull/254#issuecomment-261491515

From freeipa-github-notification at redhat.com Fri Nov 18 10:06:42 2016
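For comparison with the script above, an added pure-Python example (not FreeIPA code and not the rpm library) that compares version-release strings segment by segment in the manner of rpm's `rpmvercmp`, run over the same twelve pairs. Assumptions: plain `version-release` input with no epoch, and no tilde or caret handling; the function names are made up for this example.

```python
import re

_SEPARATORS = re.compile(r"^[^A-Za-z0-9]+")
_DIGITS = re.compile(r"[0-9]+")
_LETTERS = re.compile(r"[A-Za-z]+")


def rpmvercmp(a, b):
    """Compare two version (or release) strings; return -1, 0 or 1."""
    if a == b:
        return 0
    while a or b:
        # Separators only delimit segments, they are never compared.
        a = _SEPARATORS.sub("", a)
        b = _SEPARATORS.sub("", b)
        if not a or not b:
            break
        numeric = "0" <= a[0] <= "9"
        pattern = _DIGITS if numeric else _LETTERS
        seg_a = pattern.match(a).group()
        match_b = pattern.match(b)
        if match_b is None:
            # Segment types differ: a numeric segment is the newer one.
            return 1 if numeric else -1
        seg_b = match_b.group()
        a, b = a[len(seg_a):], b[len(seg_b):]
        if numeric:
            key_a, key_b = int(seg_a), int(seg_b)
        else:
            key_a, key_b = seg_a, seg_b
        if key_a != key_b:
            return 1 if key_a > key_b else -1
    if not a and not b:
        return 0
    # All shared segments were equal: the string with segments left is newer,
    # which is what makes "15.el7" older than "15.el7_2.3".
    return 1 if a else -1


def compare_vr(left, right):
    """Compare 'version-release' strings: version first, then release."""
    l_ver, _, l_rel = left.partition("-")
    r_ver, _, r_rel = right.partition("-")
    return rpmvercmp(l_ver, r_ver) or rpmvercmp(l_rel, r_rel)


# The pairs from the script above, with the expected sign of the comparison.
PAIRS = [
    ("3.0.0-1.el6", "3.0.0-2.el6", -1),
    ("3.0.0-1.el6_8", "3.0.0-1.el6_8.1", -1),
    ("3.0.0-42.el6", "3.0.0-1.el6", 1),
    ("3.0.0-1.el6", "3.0.0-42.el6", -1),
    ("3.0.0-42.el6", "3.3.3-1.fc20", -1),
    ("4.2.0-15.el7", "4.2.0-15.el7_2.3", -1),
    ("4.2.0-15.el7_2", "4.2.0-15.el7_2.3", -1),
    ("4.2.0-15.el7_2.3", "4.2.0-15.el7_2.3", 0),
    ("4.2.0-15.el7_2.3", "4.2.0-15.el7_2.2", 1),
    ("4.2.0-1.fc23", "4.2.1-1.fc23", -1),
    ("4.2.3-alpha1.fc23", "4.2.3-2.fc23", -1),
    ("4.3.90.201601080923GIT55aeea7-0.fc23", "4.3.0-1.fc23", 1),
]


def failures():
    """Return the pairs whose comparison does not give the expected sign."""
    return [(l, r) for l, r, want in PAIRS if compare_vr(l, r) != want]


if __name__ == "__main__":
    for left, right in failures():
        print("failure:", left, right)
```
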
From: freeipa-github-notification at redhat.com (tiran)
Date: Fri, 18 Nov 2016 11:06:42 +0100
Subject: [Freeipa-devel] [freeipa PR#254][comment] Replace LooseVersion with pkg_resources.parse_version
In-Reply-To:
References:
Message-ID:
URL: https://github.com/freeipa/freeipa/pull/254
Title: #254: Replace LooseVersion with pkg_resources.parse_version

tiran commented:
"""
In case you wonder what is going on, LooseVersion is both loose and dumb.

```
>>> ('el7',) < ('el7_2',)
True
```

The legacy version parser parses the version strings differently:

```
(-1, ('00000004', '00000002', '*final-', '00000015', '*el', '00000007', '*final'))
(-1, ('00000004', '00000002', '*final-', '00000015', '*el', '00000007', '*_', '00000002', '00000003', '*final'))
```
"""

See the full comment at https://github.com/freeipa/freeipa/pull/254#issuecomment-261494587

From freeipa-github-notification at redhat.com Fri Nov 18 10:09:36 2016
From: freeipa-github-notification at redhat.com (tiran)
Date: Fri, 18 Nov 2016 11:09:36 +0100
Subject: [Freeipa-devel] [freeipa PR#255][opened] Adjustments for setup requirements
Message-ID:
URL: https://github.com/freeipa/freeipa/pull/255
Author: tiran
Title: #255: Adjustments for setup requirements
Action: opened

PR body:
"""
Fix some typos, missing or surplus dependencies. ipatests is now installable. Tests need further changes to be runnable.

https://fedorahosted.org/freeipa/ticket/6468

Signed-off-by: Christian Heimes
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/255/head:pr255
git checkout pr255

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-255.patch
Type: text/x-diff
Size: 3538 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Fri Nov 18 10:12:42 2016
From: freeipa-github-notification at redhat.com (tiran) Date: Fri, 18 Nov 2016 11:12:42 +0100 Subject: [Freeipa-devel] [freeipa PR#255][synchronized] Adjustments for setup requirements In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/255 Author: tiran Title: #255: Adjustments for setup requirements Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/255/head:pr255 git checkout pr255 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-255.patch Type: text/x-diff Size: 4439 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Nov 18 10:16:25 2016 From: freeipa-github-notification at redhat.com (tiran) Date: Fri, 18 Nov 2016 11:16:25 +0100 Subject: [Freeipa-devel] [freeipa PR#253][+rejected] Add .eggs to Gitignore In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/253 Title: #253: Add .eggs to Gitignore Label: +rejected From freeipa-github-notification at redhat.com Fri Nov 18 10:16:28 2016 From: freeipa-github-notification at redhat.com (tiran) Date: Fri, 18 Nov 2016 11:16:28 +0100 Subject: [Freeipa-devel] [freeipa PR#253][comment] Add .eggs to Gitignore In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/253 Title: #253: Add .eggs to Gitignore tiran commented: """ #255 takes care of .eggs and some other minor issues in setup.py. """ See the full comment at https://github.com/freeipa/freeipa/pull/253#issuecomment-261496632 From freeipa-github-notification at redhat.com Fri Nov 18 10:16:29 2016 
From: freeipa-github-notification at redhat.com (tiran) Date: Fri, 18 Nov 2016 11:16:29 +0100 Subject: [Freeipa-devel] [freeipa PR#253][closed] Add .eggs to Gitignore In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/253 Author: pspacek Title: #253: Add .eggs to Gitignore Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/253/head:pr253 git checkout pr253 From freeipa-github-notification at redhat.com Fri Nov 18 10:33:36 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Fri, 18 Nov 2016 11:33:36 +0100 Subject: [Freeipa-devel] [freeipa PR#254][comment] Replace LooseVersion with pkg_resources.parse_version In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/254 Title: #254: Replace LooseVersion with pkg_resources.parse_version martbab commented: """ Yes that's why we resorted to a direct CFFI call to RPM libs during server version check in upgrade. We simply could not win aside from re-implementing parsing of Z-stream versions etc. from scratch. """ See the full comment at https://github.com/freeipa/freeipa/pull/254#issuecomment-261500197 From freeipa-github-notification at redhat.com Fri Nov 18 10:35:13 2016 From: freeipa-github-notification at redhat.com (tiran) Date: Fri, 18 Nov 2016 11:35:13 +0100 Subject: [Freeipa-devel] [freeipa PR#256][opened] Pylint: whitelist packages with extension modules Message-ID: URL: https://github.com/freeipa/freeipa/pull/256 Author: tiran Title: #256: Pylint: whitelist packages with extension modules Action: opened PR body: """ Pylint refuses to load extension modules from unsafe places. This triggers import-error failures for pylint runs inside a tox virtualenv. Any module or package in extension-pkg-whitelist is whitelisted and pylint imports extension modules. https://fedorahosted.org/freeipa/ticket/6468 
Signed-off-by: Christian Heimes """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/256/head:pr256 git checkout pr256 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-256.patch Type: text/x-diff Size: 1000 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Nov 18 10:47:17 2016 From: freeipa-github-notification at redhat.com (tiran) Date: Fri, 18 Nov 2016 11:47:17 +0100 Subject: [Freeipa-devel] [freeipa PR#257][opened] Don't ship install subpackages with wheels Message-ID: URL: https://github.com/freeipa/freeipa/pull/257 Author: tiran Title: #257: Don't ship install subpackages with wheels Action: opened PR body: """ The install subpackages of ipaclient, ipalib and ipapython contain helper code for installers such as ipa-client-install. They also depend on external modules that are not available on PyPI, e.g. SSSDConfig. Since PyPI wheel packages do not support client installation, the install subpackages contain dead and unsupported code. The custom build_py plugin removes the subpackages from bdist_wheel builds. It's not enough to just remove 'ipaclient.install' from the 'packages' list. Surplus files have to be removed from build/lib, too. https://fedorahosted.org/freeipa/ticket/6468 Signed-off-by: Christian Heimes """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/257/head:pr257 git checkout pr257 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-257.patch Type: text/x-diff Size: 3388 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Nov 18 10:53:18 2016 
From: freeipa-github-notification at redhat.com (tiran) Date: Fri, 18 Nov 2016 11:53:18 +0100 Subject: [Freeipa-devel] [freeipa PR#245][comment] Allow full customisability of IPA CA subject DN In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/245 Title: #245: Allow full customisability of IPA CA subject DN tiran commented: """ flake8 violation: ```./ipaserver/plugins/migration.py:750:80: E501 line too long (83 > 79 characters)``` """ See the full comment at https://github.com/freeipa/freeipa/pull/245#issuecomment-261504171 From bind-dyndb-ldap-github-notification at redhat.com Fri Nov 18 10:54:14 2016 From: bind-dyndb-ldap-github-notification at redhat.com (pspacek) Date: Fri, 18 Nov 2016 11:54:14 +0100 Subject: [Freeipa-devel] [bind-dyndb-ldap PR#1][+ack] Port bind-dyndb-ldap to BIND 9.11 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/bind-dyndb-ldap/pull/1 Title: #1: Port bind-dyndb-ldap to BIND 9.11 Label: +ack From bind-dyndb-ldap-github-notification at redhat.com Fri Nov 18 10:54:51 2016 From: bind-dyndb-ldap-github-notification at redhat.com (pspacek) Date: Fri, 18 Nov 2016 11:54:51 +0100 Subject: [Freeipa-devel] [bind-dyndb-ldap PR#1][comment] Port bind-dyndb-ldap to BIND 9.11 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/bind-dyndb-ldap/pull/1 Title: #1: Port bind-dyndb-ldap to BIND 9.11 pspacek commented: """ @stutiredboy There is probably an issue in path overriding logic. I will take care of this in a separate PR because it works when you have BIND 9.11 installed in default paths. """ See the full comment at https://github.com/freeipa/bind-dyndb-ldap/pull/1#issuecomment-261504482 From freeipa-github-notification at redhat.com Fri Nov 18 10:56:38 2016 
From: freeipa-github-notification at redhat.com (tiran) Date: Fri, 18 Nov 2016 11:56:38 +0100 Subject: [Freeipa-devel] [freeipa PR#238][comment] Build system refactoring phase 8: update translation system In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/238 Title: #238: Build system refactoring phase 8: update translation system tiran commented: """ Your patch adds ```config.rpath```. Is it necessary to include the file in source control? certmonger and sssd use the file but don't have it in git. """ See the full comment at https://github.com/freeipa/freeipa/pull/238#issuecomment-261504800 From freeipa-github-notification at redhat.com Fri Nov 18 11:50:23 2016 From: freeipa-github-notification at redhat.com (tiran) Date: Fri, 18 Nov 2016 12:50:23 +0100 Subject: [Freeipa-devel] [freeipa PR#254][synchronized] Replace LooseVersion with pkg_resources.parse_version In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/254 Author: tiran Title: #254: Replace LooseVersion with pkg_resources.parse_version Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/254/head:pr254 git checkout pr254 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-254.patch Type: text/x-diff Size: 10547 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Nov 18 11:53:24 2016 
From: freeipa-github-notification at redhat.com (tiran) Date: Fri, 18 Nov 2016 12:53:24 +0100 Subject: [Freeipa-devel] [freeipa PR#254][synchronized] Replace LooseVersion with pkg_resources.parse_version In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/254 Author: tiran Title: #254: Replace LooseVersion with pkg_resources.parse_version Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/254/head:pr254 git checkout pr254 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-254.patch Type: text/x-diff Size: 10535 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Nov 18 11:55:19 2016 From: freeipa-github-notification at redhat.com (tiran) Date: Fri, 18 Nov 2016 12:55:19 +0100 Subject: [Freeipa-devel] [freeipa PR#254][edited] Replace LooseVersion with parse_ipa_version() In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/254 Author: tiran Title: #254: Replace LooseVersion with parse_ipa_version() Action: edited Changed field: title Original value: """ Replace LooseVersion with pkg_resources.parse_version """ From freeipa-github-notification at redhat.com Fri Nov 18 11:57:22 2016 
From: freeipa-github-notification at redhat.com (tiran) Date: Fri, 18 Nov 2016 12:57:22 +0100 Subject: [Freeipa-devel] [freeipa PR#254][comment] Replace LooseVersion with parse_ipa_version() In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/254 Title: #254: Replace LooseVersion with parse_ipa_version() tiran commented: """ I reworked my PR to use ```tasks.parse_ipa_version()``` for all version number checks. Of course I ran into the import cycle of death. I broke the cycle with a local import. It's not perfect but a completely fine solution. The function isn't called regularly. """ See the full comment at https://github.com/freeipa/freeipa/pull/254#issuecomment-261515550 From freeipa-github-notification at redhat.com Fri Nov 18 12:03:02 2016 From: freeipa-github-notification at redhat.com (lslebodn) Date: Fri, 18 Nov 2016 13:03:02 +0100 Subject: [Freeipa-devel] [freeipa PR#238][comment] Build system refactoring phase 8: update translation system In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/238 Title: #238: Build system refactoring phase 8: update translation system lslebodn commented: """ >Your patch adds `config.rpath`. Is it necessary to include the file in source control? certmonger and sssd use the file but don't have it in git. Following patch fixes this issue http://paste.fedoraproject.org/484212/47049414/ """ See the full comment at https://github.com/freeipa/freeipa/pull/238#issuecomment-261516489 From freeipa-github-notification at redhat.com Fri Nov 18 12:09:34 2016 
From: freeipa-github-notification at redhat.com (martbab) Date: Fri, 18 Nov 2016 13:09:34 +0100 Subject: [Freeipa-devel] [freeipa PR#254][comment] Replace LooseVersion with parse_ipa_version() In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/254 Title: #254: Replace LooseVersion with parse_ipa_version() martbab commented: """ I was thinking about this a bit, and was wondering whether the platform-specific idiosyncrasies of the version handling could be safely confined to the platform-specific code. I.e. ipaplatform.base would define version comparisons via standard `pkg_resources` parser and fedora/redhat would override this with their platform-specific quirks. The one thing that could be broken by this would be scenarios like Fedora clients talking to RHEL masters etc., but I think those scenarios are not handled correctly by the current implementation anyway. Another thing I was thinking about is whether we could use some proxy object in ipalib/ipaclient/ipapython libs which would use version comparison from ipaplatform if present, and if not use standard Python algorithms. What I am aiming at is that we should reduce the dependency of the PyPI candidate code on ipaplatform madness as much as is humanly possible. IMHO if we really want to use these modules in PyPI, then they ideally should not depend on ipaplatform at all. """ See the full comment at https://github.com/freeipa/freeipa/pull/254#issuecomment-261517612 From freeipa-github-notification at redhat.com Fri Nov 18 12:21:27 2016 
From: freeipa-github-notification at redhat.com (martbab) Date: Fri, 18 Nov 2016 13:21:27 +0100 Subject: [Freeipa-devel] [freeipa PR#254][comment] Replace LooseVersion with parse_ipa_version() In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/254 Title: #254: Replace LooseVersion with parse_ipa_version() martbab commented: """ Upon closer inspection of the affected code it seems that all the code in ipalib/ipaclient/ipapython actually parses and compares API versions, which are sane and parseable by `pkg_resources`. Since client code should be concerned by API versions and not by platform-specific package versions (that is server's job) it seems that you do not even need to use ipaplatform hammer in this case. """ See the full comment at https://github.com/freeipa/freeipa/pull/254#issuecomment-261519559 From freeipa-github-notification at redhat.com Fri Nov 18 13:39:40 2016 
From: freeipa-github-notification at redhat.com (tiran) Date: Fri, 18 Nov 2016 14:39:40 +0100 Subject: [Freeipa-devel] [freeipa PR#254][comment] Replace LooseVersion with parse_ipa_version() In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/254 Title: #254: Replace LooseVersion with parse_ipa_version() tiran commented: """ > I was thinking about this a bit, and was wondering whether the platform-specific idiosyncrasies of the version handling could be safely confined to the platform-specific code. I.e. ipaplatform.base would define version comparisons via standard pkg_resources parser and fedora/redhat would override this with their platform-specific quirks. Somebody used a time machine and implemented your proposal already. ```tasks.parse_ipa_version()``` is a generic version parsing function. On RPM platforms it returns an object that uses ```librpm```. IMHO it's ok to use ```tasks.parse_ipa_version()``` everywhere. """ See the full comment at https://github.com/freeipa/freeipa/pull/254#issuecomment-261533679 From freeipa-github-notification at redhat.com Fri Nov 18 13:42:01 2016 From: freeipa-github-notification at redhat.com (tiran) Date: Fri, 18 Nov 2016 14:42:01 +0100 Subject: [Freeipa-devel] [freeipa PR#254][synchronized] Replace LooseVersion with parse_ipa_version() In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/254 Author: tiran Title: #254: Replace LooseVersion with parse_ipa_version() Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/254/head:pr254 git checkout pr254 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-254.patch Type: text/x-diff Size: 10658 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Nov 18 13:45:16 2016 
From: freeipa-github-notification at redhat.com (martbab) Date: Fri, 18 Nov 2016 14:45:16 +0100 Subject: [Freeipa-devel] [freeipa PR#254][comment] Replace LooseVersion with parse_ipa_version() In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/254 Title: #254: Replace LooseVersion with parse_ipa_version() martbab commented: """ Oh right, ok. My code reading skills are sub-par today. """ See the full comment at https://github.com/freeipa/freeipa/pull/254#issuecomment-261534814 From freeipa-github-notification at redhat.com Fri Nov 18 13:48:25 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Fri, 18 Nov 2016 14:48:25 +0100 Subject: [Freeipa-devel] [freeipa PR#247][+ack] Add 'ipa local-env' subcommand In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/247 Title: #247: Add 'ipa local-env' subcommand Label: +ack From freeipa-github-notification at redhat.com Fri Nov 18 13:49:45 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Fri, 18 Nov 2016 14:49:45 +0100 Subject: [Freeipa-devel] [freeipa PR#247][+pushed] Add 'ipa local-env' subcommand In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/247 Title: #247: Add 'ipa local-env' subcommand Label: +pushed From freeipa-github-notification at redhat.com Fri Nov 18 13:49:46 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Fri, 18 Nov 2016 14:49:46 +0100 Subject: [Freeipa-devel] [freeipa PR#247][comment] Add 'ipa local-env' subcommand In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/247 Title: #247: Add 'ipa local-env' subcommand martbab commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/1166fbc4946596fcc2ed51a1ec6990fc7dae8964 """ See the full comment at https://github.com/freeipa/freeipa/pull/247#issuecomment-261535708 From freeipa-github-notification at redhat.com Fri Nov 18 13:49:48 2016 
From: freeipa-github-notification at redhat.com (martbab) Date: Fri, 18 Nov 2016 14:49:48 +0100 Subject: [Freeipa-devel] [freeipa PR#247][closed] Add 'ipa local-env' subcommand In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/247 Author: tiran Title: #247: Add 'ipa local-env' subcommand Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/247/head:pr247 git checkout pr247 From freeipa-github-notification at redhat.com Fri Nov 18 14:48:48 2016 From: freeipa-github-notification at redhat.com (tiran) Date: Fri, 18 Nov 2016 15:48:48 +0100 Subject: [Freeipa-devel] [freeipa PR#258][opened] Break ipaplatform / ipalib import cycle of hell Message-ID: URL: https://github.com/freeipa/freeipa/pull/258 Author: tiran Title: #258: Break ipaplatform / ipalib import cycle of hell Action: opened PR body: """ Here is an attempt to break the import cycle of hell between ipaplatform and ipalib. All services now pass an ipalib.api object to services.service(). RedHatServices.__init__() still needs to do a local import because it initializes its wellknown service dict with service instances. Signed-off-by: Christian Heimes """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/258/head:pr258 git checkout pr258 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-258.patch Type: text/x-diff Size: 23361 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Nov 18 14:54:06 2016 
From: freeipa-github-notification at redhat.com (stlaz) Date: Fri, 18 Nov 2016 15:54:06 +0100 Subject: [Freeipa-devel] [freeipa PR#231][comment] Do not log DM password in ca/kra installation logs In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/231 Title: #231: Do not log DM password in ca/kra installation logs stlaz commented: """ I must have misclicked "close" when viewing this PR on my phone. I believe we may rather add admin and DM passwords to the nolog_list at the point where the disclosed credentials file is created so that we avoid problems like this one in the future. """ See the full comment at https://github.com/freeipa/freeipa/pull/231#issuecomment-261550522 From freeipa-github-notification at redhat.com Fri Nov 18 14:54:08 2016 From: freeipa-github-notification at redhat.com (stlaz) Date: Fri, 18 Nov 2016 15:54:08 +0100 Subject: [Freeipa-devel] [freeipa PR#231][reopened] Do not log DM password in ca/kra installation logs In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/231 Author: stlaz Title: #231: Do not log DM password in ca/kra installation logs Action: reopened To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/231/head:pr231 git checkout pr231 From freeipa-github-notification at redhat.com Fri Nov 18 15:23:35 2016 
From: freeipa-github-notification at redhat.com (tiran) Date: Fri, 18 Nov 2016 16:23:35 +0100 Subject: [Freeipa-devel] [freeipa PR#182][synchronized] Use env var IPA_CONFDIR to get confdir for 'cli' context In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/182 Author: tiran Title: #182: Use env var IPA_CONFDIR to get confdir for 'cli' context Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/182/head:pr182 git checkout pr182 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-182.patch Type: text/x-diff Size: 6947 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Nov 18 15:27:21 2016 From: freeipa-github-notification at redhat.com (tiran) Date: Fri, 18 Nov 2016 16:27:21 +0100 Subject: [Freeipa-devel] [freeipa PR#254][synchronized] Replace LooseVersion with parse_ipa_version() In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/254 Author: tiran Title: #254: Replace LooseVersion with parse_ipa_version() Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/254/head:pr254 git checkout pr254 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-254.patch Type: text/x-diff Size: 10768 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Nov 18 15:36:01 2016 
From: freeipa-github-notification at redhat.com (tiran) Date: Fri, 18 Nov 2016 16:36:01 +0100 Subject: [Freeipa-devel] [freeipa PR#255][synchronized] Adjustments for setup requirements In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/255 Author: tiran Title: #255: Adjustments for setup requirements Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/255/head:pr255 git checkout pr255 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-255.patch Type: text/x-diff Size: 4618 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Nov 18 18:52:00 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Fri, 18 Nov 2016 19:52:00 +0100 Subject: [Freeipa-devel] [freeipa PR#254][comment] Replace LooseVersion with parse_ipa_version() In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/254 Title: #254: Replace LooseVersion with parse_ipa_version() mbasti-rh commented: """ > > I was thinking about this a bit, and was wondering whether the platform-specific idiosyncrasies of the version handling could be safely confined to the platform-specific code. I.e. ipaplatform.base would define version comparisons via standard pkg_resources parser and fedora/redhat would override this with their platform-specific quirks. > Somebody used a time machine and implemented your proposal already. tasks.parse_ipa_version() is a generic version parsing function. On RPM platforms it returns an object that uses librpm. > Yeah, I did. > IMHO it's ok to use tasks.parse_ipa_version() everywhere. As Martin said, we have two versions: package released version and API version. For released package version we need RPM/platform specific parser, but API version is just 2 numbers and standard python function can be used. It is the same across platforms. API version is less important now, because we have versions of commands that scale better, and one day we may drop this overall API version completely. If you want to avoid importing platform then it is fine to use standard python functions to compare API versions. Actually that rpmlib scares me. """ See the full comment at https://github.com/freeipa/freeipa/pull/254#issuecomment-261610708 From freeipa-github-notification at redhat.com Fri Nov 18 18:56:19 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Fri, 18 Nov 2016 19:56:19 +0100 Subject: [Freeipa-devel] [freeipa PR#254][comment] Replace LooseVersion with parse_ipa_version() In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/254 Title: #254: Replace LooseVersion with parse_ipa_version() mbasti-rh commented: """ Thank you for PY3 fix, it actually belongs to this ticket https://fedorahosted.org/freeipa/ticket/6473 """ See the full comment at https://github.com/freeipa/freeipa/pull/254#issuecomment-261611874 From freeipa-github-notification at redhat.com Sun Nov 20 23:19:57 2016 From: freeipa-github-notification at redhat.com (frasertweedale) Date: Mon, 21 Nov 2016 00:19:57 +0100 Subject: [Freeipa-devel] [freeipa PR#245][comment] Allow full customisability of IPA CA subject DN In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/245 Title: #245: Allow full customisability of IPA CA subject DN frasertweedale commented: """ @tiran I haven't a clue about that pep8 error... my commits don't even touch that file. """ See the full comment at https://github.com/freeipa/freeipa/pull/245#issuecomment-261814250 From freeipa-github-notification at redhat.com Mon Nov 21 05:32:19 2016 From: freeipa-github-notification at redhat.com (splashx) Date: Mon, 21 Nov 2016 06:32:19 +0100 Subject: [Freeipa-devel] [freeipa PR#62][comment] Configure Anonymous PKINIT on server install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/62 Title: #62: Configure Anonymous PKINIT on server install splashx commented: """ For those running 4.4.2, is there a workaround to enable ANONYMOUS support? We are not yet using client certs, we actually use a third-party OTP provider via RADIUS, so this is kind of a deal breaker :( """ See the full comment at https://github.com/freeipa/freeipa/pull/62#issuecomment-261847458 From freeipa-github-notification at redhat.com Mon Nov 21 08:25:50 2016 
From: freeipa-github-notification at redhat.com (jcholast) Date: Mon, 21 Nov 2016 09:25:50 +0100 Subject: [Freeipa-devel] [freeipa PR#209][comment] Enumerate available options in IPA installer In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/209 Title: #209: Enumerate available options in IPA installer jcholast commented: """ @mbasti-rh: `knob()` already handles choices, it's the built-in `optparse` module which does not display them. Once the installer code is migrated to `argparse`, this problem will go away. """ See the full comment at https://github.com/freeipa/freeipa/pull/209#issuecomment-261873288 From freeipa-github-notification at redhat.com Mon Nov 21 08:31:13 2016 From: freeipa-github-notification at redhat.com (tiran) Date: Mon, 21 Nov 2016 09:31:13 +0100 Subject: [Freeipa-devel] [freeipa PR#245][comment] Allow full customisability of IPA CA subject DN In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/245 Title: #245: Allow full customisability of IPA CA subject DN tiran commented: """ @frasertweedale I don't have a clue, either. Let's ignore the message. """ See the full comment at https://github.com/freeipa/freeipa/pull/245#issuecomment-261874375 From freeipa-github-notification at redhat.com Mon Nov 21 08:32:16 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 21 Nov 2016 09:32:16 +0100 Subject: [Freeipa-devel] [freeipa PR#209][comment] Enumerate available options in IPA installer In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/209 Title: #209: Enumerate available options in IPA installer mbasti-rh commented: """ @jcholast I know, but it doesn't fill `metavar` with choices. I don't know when we will migrate to argparse, so I think until that we can extend it to show choices with optparse too """ See the full comment at https://github.com/freeipa/freeipa/pull/209#issuecomment-261874595 From freeipa-github-notification at redhat.com Mon Nov 21 08:38:34 2016 From: freeipa-github-notification at redhat.com (jcholast) Date: Mon, 21 Nov 2016 09:38:34 +0100 Subject: [Freeipa-devel] [freeipa PR#113][comment] ipalib.constants: Remove default domain, realm, basedn, xmlrpc_uri, ldap_uri In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/113 Title: #113: ipalib.constants: Remove default domain, realm, basedn, xmlrpc_uri, ldap_uri jcholast commented: """ Actually it should be created from domain name, which is the primary identifier of an IPA domain, not from realm name. """ See the full comment at https://github.com/freeipa/freeipa/pull/113#issuecomment-261875920 From freeipa-github-notification at redhat.com Mon Nov 21 08:52:01 2016 
From: freeipa-github-notification at redhat.com (jcholast) Date: Mon, 21 Nov 2016 09:52:01 +0100 Subject: [Freeipa-devel] [freeipa PR#247][comment] Add 'ipa local-env' subcommand In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/247 Title: #247: Add 'ipa local-env' subcommand jcholast commented: """ Sorry, but this is wrong. `ipa env` is supposed to return local settings unless run with `--server`. Why was it not fixed instead of adding a new redundant command? """ See the full comment at https://github.com/freeipa/freeipa/pull/247#issuecomment-261878779 From freeipa-github-notification at redhat.com Mon Nov 21 08:56:30 2016 From: freeipa-github-notification at redhat.com (tiran) Date: Mon, 21 Nov 2016 09:56:30 +0100 Subject: [Freeipa-devel] [freeipa PR#247][comment] Add 'ipa local-env' subcommand In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/247 Title: #247: Add 'ipa local-env' subcommand tiran commented: """ @jcholast Please open a ticket. """ See the full comment at https://github.com/freeipa/freeipa/pull/247#issuecomment-261879797 From freeipa-github-notification at redhat.com Mon Nov 21 09:03:51 2016 From: freeipa-github-notification at redhat.com (tiran) Date: Mon, 21 Nov 2016 10:03:51 +0100 Subject: [Freeipa-devel] [freeipa PR#259][opened] Minor fixes for IPAVersion class Message-ID: URL: https://github.com/freeipa/freeipa/pull/259 Author: tiran Title: #259: Minor fixes for IPAVersion class Action: opened PR body: """ Py3: classes with __eq__ must provide __hash__ function or set __hash__ to None. Comparison functions like __eq__ must signal unsupported types by returning NotImplemented. Python turns this into a proper TypeError. Make the version member read-only and cache _bytes representation. https://fedorahosted.org/freeipa/ticket/6473 
Signed-off-by: Christian Heimes """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/259/head:pr259 git checkout pr259 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-259.patch Type: text/x-diff Size: 1781 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Nov 21 09:03:58 2016 From: freeipa-github-notification at redhat.com (tiran) Date: Mon, 21 Nov 2016 10:03:58 +0100 Subject: [Freeipa-devel] [freeipa PR#259][comment] Minor fixes for IPAVersion class In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/259 Title: #259: Minor fixes for IPAVersion class tiran commented: """ I pulled the fix from PR #254 """ See the full comment at https://github.com/freeipa/freeipa/pull/259#issuecomment-261881543 From freeipa-github-notification at redhat.com Mon Nov 21 09:05:12 2016 From: freeipa-github-notification at redhat.com (jcholast) Date: Mon, 21 Nov 2016 10:05:12 +0100 Subject: [Freeipa-devel] [freeipa PR#247][comment] Add 'ipa local-env' subcommand In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/247 Title: #247: Add 'ipa local-env' subcommand jcholast commented: """ Reopened 6490. """ See the full comment at https://github.com/freeipa/freeipa/pull/247#issuecomment-261881844 From jcholast at redhat.com Mon Nov 21 09:26:33 2016 
From: jcholast at redhat.com (Jan Cholasta) Date: Mon, 21 Nov 2016 10:26:33 +0100 Subject: [Freeipa-devel] Design document: Integration Improvements In-Reply-To: References: <228f2a0e-a3a6-92ec-8e59-c45f4283999d@redhat.com> Message-ID: On 11.11.2016 18:28, Christian Heimes wrote: > On 2016-11-11 17:46, Martin Basti wrote: >> >> >> On 11.11.2016 15:25, Christian Heimes wrote: >>> Hello, >>> >>> I have released the first version of a new design document. It describes >>> how I'm going to improve integration of FreeIPA's client libraries >>> (ipalib, ipapython, ipaclient, ipaplatform) for third party developers. >>> >>> http://www.freeipa.org/page/V4/Integration_Improvements >>> >>> Regards, >>> Christian >>> >>> >>> >> >> Hello, I have a few questions: >> >> 1) dynamic platform files >> >> Currently all RHEL/fedora-derived platforms work with the same >> rhel/fedora packages. How do you want to achieve this with dynamic >> platform files, do you want to keep mappings between platforms and >> platform file? What about distributions that have in /etc/release just mess? > > I don't use /etc/releases but /etc/os-release. There is no mapping > involved. If a distribution has no /etc/os-release or a messed up > /etc/os-release, then it needs to be fixed by the distribution. It's a > common standard and all relevant distributions support this standard. > > RHEL has ID=rhel and no ID_LIKE -> ipaplatform.rhel > > Fedora has ID=fedora and no ID_LIKE -> ipaplatform.fedora > > CentOS has ID=centos and ID_LIKE="rhel fedora" > -> ipaplatform.rhel > > Even my Raspberry has an /etc/os-release with ID=raspbian and > ID_LIKE=debian -> error, soon ipaplatform.debian There is more to ipaplatform than /etc/os-release offers. How do you differentiate between e.g. "Debian with SysV init" and "Debian with systemd"? > >> 2) if I understand correctly, you want to separate client installer code >> and client CLI code. 
In past we had freeipa-admintools but it was >> removed because it was really tightly bounded to installed client. Do >> you want to revive it and make it independent? > > My proposal does not affect distribution packaging (rpm, deb) at all. It > is purely about Python packaging. > > The client installer and client CLI code are already separated. The > Python wheels will only contain what 'python setup.py bdist_wheel' spits > out for ipaclient, ipalib, ipaplatform and ipapython. The 'ipa' CLI is > part of the ipaclient Python package. > >> 3) why instead of environ variable we cannot have specified paths with >> priority where IPA config can be located? >> For example: >> 1) ./.ipa.conf >> 2) ~/.ipa.conf >> 3) /etc/ipa/default.conf <-- as last resort > > For Ansible, testing etc. I need an arbitrary amount of config > *directories* and full control. I don't like the idea that the current > working directory affects how commands work. It has too many security > implications, e.g. we have to verify that the file belongs to the > current user. The check must be TOCTOU safe, too. Env vars are easier to > control, more secure and less fragile. > > Christian > > > -- Jan Cholasta From freeipa-github-notification at redhat.com Mon Nov 21 09:26:18 2016 
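The ownership check that the quoted reply says a per-directory config lookup would need ("verify that the file belongs to the current user", "TOCTOU safe") can be sketched as follows. This is an added example, not part of the thread and not FreeIPA code; `open_trusted_config`, `UntrustedConfig` and the file contents are hypothetical names and constructed sample data.

```python
import os
import stat
import tempfile


class UntrustedConfig(Exception):
    """Raised when a config file fails the ownership or permission checks."""


def open_trusted_config(path, expected_uid=None):
    """Open `path` for reading only if it is a regular file owned by
    `expected_uid` (default: the effective user) and not writable by group
    or others. The checks use fstat() on the already-open descriptor, so
    the file that is checked is the file that is read: there is no window
    between a stat() on the path and a later open() of the same path.
    """
    if expected_uid is None:
        expected_uid = os.geteuid()
    # O_NOFOLLOW: refuse a symlink as the final path component.
    # O_NONBLOCK: do not hang if the path turns out to be a FIFO.
    flags = os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK | os.O_CLOEXEC
    try:
        fd = os.open(path, flags)
    except OSError as exc:
        raise UntrustedConfig("cannot open %s: %s" % (path, exc.strerror)) from exc
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise UntrustedConfig("%s is not a regular file" % path)
        if st.st_uid != expected_uid:
            raise UntrustedConfig("%s is owned by uid %d" % (path, st.st_uid))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            raise UntrustedConfig("%s is writable by group or others" % path)
    except Exception:
        os.close(fd)
        raise
    # Note: O_NOFOLLOW covers only the last component; a caller that cannot
    # trust the parent directories needs to walk them with openat-style
    # dir_fd opens as well.
    return os.fdopen(fd, "r", encoding="utf-8")


def demo():
    """Run the check against constructed files in a private temp directory."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "default.conf")
        with open(good, "w", encoding="utf-8") as f:
            f.write("[global]\nrealm = EXAMPLE.TEST\n")  # constructed content
        os.chmod(good, 0o600)
        link = os.path.join(tmp, "link.conf")
        os.symlink(good, link)

        def outcome(path, **kwargs):
            try:
                with open_trusted_config(path, **kwargs) as f:
                    return f.read().splitlines()[0]
            except UntrustedConfig:
                return "rejected"

        results["owner_only"] = outcome(good)
        results["symlink"] = outcome(link)
        results["other_owner"] = outcome(good, expected_uid=os.geteuid() + 1)
        os.chmod(good, 0o666)
        results["world_writable"] = outcome(good)
    return results


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, "->", result)
```
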
From: freeipa-github-notification at redhat.com (tiran) Date: Mon, 21 Nov 2016 10:26:18 +0100 Subject: [Freeipa-devel] [freeipa PR#254][synchronized] Replace LooseVersion with parse_ipa_version() In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/254 Author: tiran Title: #254: Replace LooseVersion with parse_ipa_version() Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/254/head:pr254 git checkout pr254 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-254.patch Type: text/x-diff Size: 8447 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Nov 21 09:26:38 2016 From: freeipa-github-notification at redhat.com (tiran) Date: Mon, 21 Nov 2016 10:26:38 +0100 Subject: [Freeipa-devel] [freeipa PR#254][edited] Replace LooseVersion with pkg_resource.parse_version In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/254 Author: tiran Title: #254: Replace LooseVersion with pkg_resource.parse_version Action: edited Changed field: title Original value: """ Replace LooseVersion with parse_ipa_version() """ From freeipa-github-notification at redhat.com Mon Nov 21 09:27:00 2016 From: freeipa-github-notification at redhat.com (tiran) Date: Mon, 21 Nov 2016 10:27:00 +0100 Subject: [Freeipa-devel] [freeipa PR#254][comment] Replace LooseVersion with pkg_resource.parse_version In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/254 Title: #254: Replace LooseVersion with pkg_resource.parse_version tiran commented: """ Back to ```parse_version```! """ See the full comment at https://github.com/freeipa/freeipa/pull/254#issuecomment-261886678 From cheimes at redhat.com Mon Nov 21 09:32:18 2016 
From: cheimes at redhat.com (Christian Heimes) Date: Mon, 21 Nov 2016 10:32:18 +0100 Subject: [Freeipa-devel] Design document: Integration Improvements In-Reply-To: References: <228f2a0e-a3a6-92ec-8e59-c45f4283999d@redhat.com> Message-ID: <1bb84565-1988-43bd-0d0f-434eaf3e3471@redhat.com> On 2016-11-21 10:26, Jan Cholasta wrote: > On 11.11.2016 18:28, Christian Heimes wrote: >> On 2016-11-11 17:46, Martin Basti wrote: >>> >>> >>> On 11.11.2016 15:25, Christian Heimes wrote: >>>> Hello, >>>> >>>> I have released the first version of a new design document. It >>>> describes >>>> how I'm going to improve integration of FreeIPA's client libraries >>>> (ipalib, ipapython, ipaclient, ipaplatform) for third party developers. >>>> >>>> http://www.freeipa.org/page/V4/Integration_Improvements >>>> >>>> Regards, >>>> Christian >>>> >>>> >>>> >>> >>> Hello, I have a few questions: >>> >>> 1) dynamic platform files >>> >>> Currently all RHEL/fedora-derived platforms work with the same >>> rhel/fedora packages. How do you want to achieve this with dynamic >>> platform files, do you want to keep mappings between platforms and >>> platform file? What about distributions that have in /etc/release >>> just mess? >> >> I don't use /etc/releases but /etc/os-release. There is no mapping >> involved. If a distribution has no /etc/os-release or a messed up >> /etc/os-release, then it needs to be fixed by the distribution. It's a >> common standard and all relevant distributions support this standard. >> >> RHEL has ID=rhel and no ID_LIKE -> ipaplatform.rhel >> >> Fedora has ID=fedora and no ID_LIKE -> ipaplatform.fedora >> >> CentOS has ID=centos and ID_LIKE="rhel fedora" >> -> ipaplatform.rhel >> >> Even my Raspberry has an /etc/os-release with ID=raspbian and >> ID_LIKE=debian -> error, soon ipaplatform.debian > > There is more to ipaplatform than /etc/os-release offers. How do you > differentiate between e.g. "Debian with SysV init" and "Debian with > systemd"? 
Timo, do you support FreeIPA on Debian variants with SysV init? Christian -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 455 bytes Desc: OpenPGP digital signature URL: From freeipa-github-notification at redhat.com Mon Nov 21 09:39:38 2016 From: freeipa-github-notification at redhat.com (tiran) Date: Mon, 21 Nov 2016 10:39:38 +0100 Subject: [Freeipa-devel] [freeipa PR#258][synchronized] Break ipaplatform / ipalib import cycle of hell In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/258 Author: tiran Title: #258: Break ipaplatform / ipalib import cycle of hell Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/258/head:pr258 git checkout pr258 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-258.patch Type: text/x-diff Size: 22836 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Nov 21 09:40:45 2016 From: freeipa-github-notification at redhat.com (tiran) Date: Mon, 21 Nov 2016 10:40:45 +0100 Subject: [Freeipa-devel] [freeipa PR#258][comment] Break ipaplatform / ipalib import cycle of hell In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/258 Title: #258: Break ipaplatform / ipalib import cycle of hell tiran commented: """ thx @mbasti-rh . I took care of it. """ See the full comment at https://github.com/freeipa/freeipa/pull/258#issuecomment-261889771 From jcholast at redhat.com Mon Nov 21 09:46:48 2016 
From: jcholast at redhat.com (Jan Cholasta) Date: Mon, 21 Nov 2016 10:46:48 +0100 Subject: [Freeipa-devel] Design document: Integration Improvements In-Reply-To: <1bb84565-1988-43bd-0d0f-434eaf3e3471@redhat.com> References: <228f2a0e-a3a6-92ec-8e59-c45f4283999d@redhat.com> <1bb84565-1988-43bd-0d0f-434eaf3e3471@redhat.com> Message-ID: <9ddd42e8-51d8-6dd7-27b3-0b74cfaac1f9@redhat.com> On 21.11.2016 10:32, Christian Heimes wrote: > On 2016-11-21 10:26, Jan Cholasta wrote: >> On 11.11.2016 18:28, Christian Heimes wrote: >>> On 2016-11-11 17:46, Martin Basti wrote: >>>> >>>> >>>> On 11.11.2016 15:25, Christian Heimes wrote: >>>>> Hello, >>>>> >>>>> I have released the first version of a new design document. It >>>>> describes >>>>> how I'm going to improve integration of FreeIPA's client libraries >>>>> (ipalib, ipapython, ipaclient, ipaplatform) for third party developers. >>>>> >>>>> http://www.freeipa.org/page/V4/Integration_Improvements >>>>> >>>>> Regards, >>>>> Christian >>>>> >>>>> >>>>> >>>> >>>> Hello, I have a few questions: >>>> >>>> 1) dynamic platform files >>>> >>>> Currently all RHEL/fedora-derived platforms work with the same >>>> rhel/fedora packages. How do you want to achieve this with dynamic >>>> platform files, do you want to keep mappings between platforms and >>>> platform file? What about distributions that have in /etc/release >>>> just mess? >>> >>> I don't use /etc/releases but /etc/os-release. There is no mapping >>> involved. If a distribution has no /etc/os-release or a messed up >>> /etc/os-release, then it needs to be fixed by the distribution. It's a >>> common standard and all relevant distributions support this standard. 
>>> >>> RHEL has ID=rhel and no ID_LIKE -> ipaplatform.rhel >>> >>> Fedora has ID=fedora and no ID_LIKE -> ipaplatform.fedora >>> >>> CentOS has ID=centos and ID_LIKE="rhel fedora" >>> -> ipaplatform.rhel >>> >>> Even my Raspberry has an /etc/os-release with ID=raspbian and >>> ID_LIKE=debian -> error, soon ipaplatform.debian >> >> There is more to ipaplatform than /etc/os-release offers. How do you >> differentiate between e.g. "Debian with SysV init" and "Debian with >> systemd"? > > Timo, > > do you support FreeIPA on Debian variants with SysV init? This is not an issue of what is supported now, but rather what is supportable in the future. Even if Debian with SysV init is not supported ATM, someone might want to add support for it in the future, and the design should not prevent them from doing so. -- Jan Cholasta From freeipa-github-notification at redhat.com Mon Nov 21 09:42:41 2016 From: freeipa-github-notification at redhat.com (stlaz) Date: Mon, 21 Nov 2016 10:42:41 +0100 Subject: [Freeipa-devel] [freeipa PR#212][comment] KRA: don't add KRA container when KRA replica In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/212 Title: #212: KRA: don't add KRA container when KRA replica stlaz commented: """ ACK, works on both DLs. """ See the full comment at https://github.com/freeipa/freeipa/pull/212#issuecomment-261890178 From freeipa-github-notification at redhat.com Mon Nov 21 09:42:46 2016 From: freeipa-github-notification at redhat.com (stlaz) Date: Mon, 21 Nov 2016 10:42:46 +0100 Subject: [Freeipa-devel] [freeipa PR#212][+ack] KRA: don't add KRA container when KRA replica In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/212 Title: #212: KRA: don't add KRA container when KRA replica Label: +ack From tjaalton at ubuntu.com Mon Nov 21 09:43:06 2016 
From: tjaalton at ubuntu.com (Timo Aaltonen) Date: Mon, 21 Nov 2016 11:43:06 +0200 Subject: [Freeipa-devel] Design document: Integration Improvements In-Reply-To: <1bb84565-1988-43bd-0d0f-434eaf3e3471@redhat.com> References: <228f2a0e-a3a6-92ec-8e59-c45f4283999d@redhat.com> <1bb84565-1988-43bd-0d0f-434eaf3e3471@redhat.com> Message-ID: <507ac711-b614-1478-b127-cc05811225c9@ubuntu.com> On 21.11.2016 11:32, Christian Heimes wrote: > On 2016-11-21 10:26, Jan Cholasta wrote: >> On 11.11.2016 18:28, Christian Heimes wrote: >>> On 2016-11-11 17:46, Martin Basti wrote: >>>> >>>> >>>> On 11.11.2016 15:25, Christian Heimes wrote: >>>>> Hello, >>>>> >>>>> I have released the first version of a new design document. It >>>>> describes >>>>> how I'm going to improve integration of FreeIPA's client libraries >>>>> (ipalib, ipapython, ipaclient, ipaplatform) for third party developers. >>>>> >>>>> http://www.freeipa.org/page/V4/Integration_Improvements >>>>> >>>>> Regards, >>>>> Christian >>>>> >>>>> >>>>> >>>> >>>> Hello, I have a few questions: >>>> >>>> 1) dynamic platform files >>>> >>>> Currently all RHEL/fedora-derived platforms work with the same >>>> rhel/fedora packages. How do you want to achieve this with dynamic >>>> platform files, do you want to keep mappings between platforms and >>>> platform file? What about distributions that have in /etc/release >>>> just mess? >>> >>> I don't use /etc/releases but /etc/os-release. There is no mapping >>> involved. If a distribution has no /etc/os-release or a messed up >>> /etc/os-release, then it needs to be fixed by the distribution. It's a >>> common standard and all relevant distributions support this standard. 
>>> >>> RHEL has ID=rhel and no ID_LIKE -> ipaplatform.rhel >>> >>> Fedora has ID=fedora and no ID_LIKE -> ipaplatform.fedora >>> >>> CentOS has ID=centos and ID_LIKE="rhel fedora" >>> -> ipaplatform.rhel >>> >>> Even my Raspberry has an /etc/os-release with ID=raspbian and >>> ID_LIKE=debian -> error, soon ipaplatform.debian >> >> There is more to ipaplatform than /etc/os-release offers. How do you >> differentiate between e.g. "Debian with SysV init" and "Debian with >> systemd"? > > Timo, > > do you support FreeIPA on Debian variants with SysV init? No, it shouldn't be possible to run it with SysV either because at least 389 depends on systemd and doesn't ship sysvinit scripts. -- t -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 819 bytes Desc: OpenPGP digital signature URL: From freeipa-github-notification at redhat.com Mon Nov 21 09:44:03 2016 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Mon, 21 Nov 2016 10:44:03 +0100 Subject: [Freeipa-devel] [freeipa PR#223][synchronized] LDAP refactoring: remove admin_conn In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/223 Author: tomaskrizek Title: #223: LDAP refactoring: remove admin_conn Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/223/head:pr223 git checkout pr223 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-223.patch Type: text/x-diff Size: 49263 bytes Desc: not available URL: From cheimes at redhat.com Mon Nov 21 10:04:03 2016 
From: cheimes at redhat.com (Christian Heimes) Date: Mon, 21 Nov 2016 11:04:03 +0100 Subject: [Freeipa-devel] Design document: Integration Improvements In-Reply-To: <9ddd42e8-51d8-6dd7-27b3-0b74cfaac1f9@redhat.com> References: <228f2a0e-a3a6-92ec-8e59-c45f4283999d@redhat.com> <1bb84565-1988-43bd-0d0f-434eaf3e3471@redhat.com> <9ddd42e8-51d8-6dd7-27b3-0b74cfaac1f9@redhat.com> Message-ID: On 2016-11-21 10:46, Jan Cholasta wrote: > On 21.11.2016 10:32, Christian Heimes wrote: >> On 2016-11-21 10:26, Jan Cholasta wrote: >>> On 11.11.2016 18:28, Christian Heimes wrote: >>>> On 2016-11-11 17:46, Martin Basti wrote: >>>>> >>>>> >>>>> On 11.11.2016 15:25, Christian Heimes wrote: >>>>>> Hello, >>>>>> >>>>>> I have released the first version of a new design document. It >>>>>> describes >>>>>> how I'm going to improve integration of FreeIPA's client libraries >>>>>> (ipalib, ipapython, ipaclient, ipaplatform) for third party >>>>>> developers. >>>>>> >>>>>> http://www.freeipa.org/page/V4/Integration_Improvements >>>>>> >>>>>> Regards, >>>>>> Christian >>>>>> >>>>>> >>>>>> >>>>> >>>>> Hello, I have a few questions: >>>>> >>>>> 1) dynamic platform files >>>>> >>>>> Currently all RHEL/fedora-derived platforms work with the same >>>>> rhel/fedora packages. How do you want to achieve this with dynamic >>>>> platform files, do you want to keep mappings between platforms and >>>>> platform file? What about distributions that have in /etc/release >>>>> just mess? >>>> >>>> I don't use /etc/releases but /etc/os-release. There is no mapping >>>> involved. If a distribution has no /etc/os-release or a messed up >>>> /etc/os-release, then it needs to be fixed by the distribution. It's a >>>> common standard and all relevant distributions support this standard. 
>>>> >>>> RHEL has ID=rhel and no ID_LIKE -> ipaplatform.rhel >>>> >>>> Fedora has ID=fedora and no ID_LIKE -> ipaplatform.fedora >>>> >>>> CentOS has ID=centos and ID_LIKE="rhel fedora" >>>> -> ipaplatform.rhel >>>> >>>> Even my Raspberry has an /etc/os-release with ID=raspbian and >>>> ID_LIKE=debian -> error, soon ipaplatform.debian >>> >>> There is more to ipaplatform than /etc/os-release offers. How do you >>> differentiate between e.g. "Debian with SysV init" and "Debian with >>> systemd"? >> >> Timo, >> >> do you support FreeIPA on Debian variants with SysV init? > > This is not an issue of what is supported now, but rather what is > supportable in the future. Even if Debian with SysV init is not > supported ATM, someone might want to add support for it in the future, > and the design should not prevent them from doing so. My proposal does not prevent sysv init support. In fact it makes it even easier to support it. In case Debian SysV Init does not have a distinct ID in /etc/os-release, I can easily add some additional check like if platform == 'debian' and os.path.realpath('/sbin/init') != '/usr/lib/systemd/systemd': platform = 'debian_sysvinit' Christian -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 455 bytes Desc: OpenPGP digital signature URL: From freeipa-github-notification at redhat.com Mon Nov 21 10:12:35 2016 
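The ID / ID_LIKE resolution discussed in this thread, with the init-system refinement from the message above, can be written out as below. This is an added example, not FreeIPA's implementation: the function names, the `available` allowlist and the sample os-release texts are constructed for illustration, and the systemd path is the one quoted in the thread.

```python
import shlex

# Constructed os-release samples matching the cases listed in the thread.
RHEL = 'NAME="Red Hat Enterprise Linux Server"\nID=rhel\n'
CENTOS = 'NAME="CentOS Linux"\nID="centos"\nID_LIKE="rhel fedora"\n'
RASPBIAN = "# constructed sample\nID=raspbian\nID_LIKE=debian\n"

# Path used in the thread's check; an assumption about the target system.
SYSTEMD_INIT = "/usr/lib/systemd/systemd"


def parse_os_release(text):
    """Parse os-release content (shell-style KEY=value lines) into a dict."""
    info = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        try:
            parts = shlex.split(value)  # strips matching quotes and escapes
        except ValueError:
            continue  # unbalanced quotes: skip the malformed line
        info[key.strip()] = parts[0] if parts else ""
    return info


def platform_candidates(info):
    """Return ID followed by the ID_LIKE entries, in order, without repeats."""
    names = [info.get("ID", "")] + info.get("ID_LIKE", "").split()
    ordered = []
    for name in names:
        if name and name not in ordered:
            ordered.append(name)
    return ordered


def resolve_platform(info, available):
    """Pick the first candidate that has a platform module.

    `available` is an allowlist of module names that exist. The value read
    from the file is only ever compared against it and is never turned into
    an import path directly, so a crafted ID cannot select arbitrary code.
    """
    for name in platform_candidates(info):
        if name in available:
            return name
    raise LookupError("no platform module for %r" % platform_candidates(info))


def refine_for_init(platform, init_realpath):
    """Apply the thread's extra check: Debian whose init is not systemd.

    The caller passes os.path.realpath('/sbin/init'); taking it as an
    argument keeps the decision testable without touching the host.
    """
    if platform == "debian" and init_realpath != SYSTEMD_INIT:
        return "debian_sysvinit"
    return platform


def detect(text, available, init_realpath):
    """Full pipeline: parse, resolve against the allowlist, refine by init."""
    platform = resolve_platform(parse_os_release(text), available)
    return refine_for_init(platform, init_realpath)


if __name__ == "__main__":
    today = {"rhel", "fedora"}
    print(detect(RHEL, today, SYSTEMD_INIT))
    print(detect(CENTOS, today, SYSTEMD_INIT))
    print(detect(RASPBIAN, today | {"debian"}, "/sbin/init"))
```
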
From: freeipa-github-notification at redhat.com (tiran) Date: Mon, 21 Nov 2016 11:12:35 +0100 Subject: [Freeipa-devel] [freeipa PR#254][synchronized] Replace LooseVersion with pkg_resource.parse_version In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/254 Author: tiran Title: #254: Replace LooseVersion with pkg_resource.parse_version Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/254/head:pr254 git checkout pr254 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-254.patch Type: text/x-diff Size: 8446 bytes Desc: not available URL: From jcholast at redhat.com Mon Nov 21 10:38:26 2016 
From: jcholast at redhat.com (Jan Cholasta) Date: Mon, 21 Nov 2016 11:38:26 +0100 Subject: [Freeipa-devel] Design document: Integration Improvements In-Reply-To: References: <228f2a0e-a3a6-92ec-8e59-c45f4283999d@redhat.com> <1bb84565-1988-43bd-0d0f-434eaf3e3471@redhat.com> <9ddd42e8-51d8-6dd7-27b3-0b74cfaac1f9@redhat.com> Message-ID: <781844ab-ca8e-d867-0fff-828912b0305a@redhat.com> On 21.11.2016 11:04, Christian Heimes wrote: > On 2016-11-21 10:46, Jan Cholasta wrote: >> On 21.11.2016 10:32, Christian Heimes wrote: >>> On 2016-11-21 10:26, Jan Cholasta wrote: >>>> On 11.11.2016 18:28, Christian Heimes wrote: >>>>> On 2016-11-11 17:46, Martin Basti wrote: >>>>>> >>>>>> >>>>>> On 11.11.2016 15:25, Christian Heimes wrote: >>>>>>> Hello, >>>>>>> >>>>>>> I have released the first version of a new design document. It >>>>>>> describes >>>>>>> how I'm going to improve integration of FreeIPA's client libraries >>>>>>> (ipalib, ipapython, ipaclient, ipaplatform) for third party >>>>>>> developers. >>>>>>> >>>>>>> http://www.freeipa.org/page/V4/Integration_Improvements >>>>>>> >>>>>>> Regards, >>>>>>> Christian >>>>>>> >>>>>>> >>>>>>> >>>>>> >>>>>> Hello, I have a few questions: >>>>>> >>>>>> 1) dynamic platform files >>>>>> >>>>>> Currently all RHEL/fedora-derived platforms work with the same >>>>>> rhel/fedora packages. How do you want to achieve this with dynamic >>>>>> platform files, do you want to keep mappings between platforms and >>>>>> platform file? What about distributions that have in /etc/release >>>>>> just mess? >>>>> >>>>> I don't use /etc/releases but /etc/os-release. There is no mapping >>>>> involved. If a distribution has no /etc/os-release or a messed up >>>>> /etc/os-release, then it needs to be fixed by the distribution. It's a >>>>> common standard and all relevant distributions support this standard. 
>>>>> >>>>> RHEL has ID=rhel and no ID_LIKE -> ipaplatform.rhel >>>>> >>>>> Fedora has ID=fedora and no ID_LIKE -> ipaplatform.fedora >>>>> >>>>> CentOS has ID=centos and ID_LIKE="rhel fedora" >>>>> -> ipaplatform.rhel >>>>> >>>>> Even my Raspberry has an /etc/os-release with ID=raspbian and >>>>> ID_LIKE=debian -> error, soon ipaplatform.debian >>>> >>>> There is more to ipaplatform than /etc/os-release offers. How do you >>>> differentiate between e.g. "Debian with SysV init" and "Debian with >>>> systemd"? >>> >>> Timo, >>> >>> do you support FreeIPA on Debian variants with SysV init? >> >> This is not an issue of what is supported now, but rather what is >> supportable in the future. Even if Debian with SysV init is not >> supported ATM, someone might want to add support for it in the future, >> and the design should not prevent them from doing so. > > My proposal does not prevent sysv init support. In fact it makes it even > easier to support it. In case Debian SysV Init does not have a distinct > ID in /etc/os-release, I can easily add some additional check like > > if platform == 'debian' and os.path.realpath('/sbin/init') != > '/usr/lib/systemd/systemd': > platform = 'debian_sysvinit' I didn't mean to say it does prevent it, just that it should be noted in the design page. -- Jan Cholasta From cheimes at redhat.com Mon Nov 21 10:51:19 2016 
From: cheimes at redhat.com (Christian Heimes) Date: Mon, 21 Nov 2016 11:51:19 +0100 Subject: [Freeipa-devel] Design document: Integration Improvements In-Reply-To: <781844ab-ca8e-d867-0fff-828912b0305a@redhat.com> References: <228f2a0e-a3a6-92ec-8e59-c45f4283999d@redhat.com> <1bb84565-1988-43bd-0d0f-434eaf3e3471@redhat.com> <9ddd42e8-51d8-6dd7-27b3-0b74cfaac1f9@redhat.com> <781844ab-ca8e-d867-0fff-828912b0305a@redhat.com> Message-ID: <3677e22a-baea-d0f3-28b5-1134ce3fb655@redhat.com> On 2016-11-21 11:38, Jan Cholasta wrote: > On 21.11.2016 11:04, Christian Heimes wrote: >> On 2016-11-21 10:46, Jan Cholasta wrote: >>> On 21.11.2016 10:32, Christian Heimes wrote: >>>> On 2016-11-21 10:26, Jan Cholasta wrote: >>>>> On 11.11.2016 18:28, Christian Heimes wrote: >>>>>> On 2016-11-11 17:46, Martin Basti wrote: >>>>>>> >>>>>>> >>>>>>> On 11.11.2016 15:25, Christian Heimes wrote: >>>>>>>> Hello, >>>>>>>> >>>>>>>> I have released the first version of a new design document. It >>>>>>>> describes >>>>>>>> how I'm going to improve integration of FreeIPA's client libraries >>>>>>>> (ipalib, ipapython, ipaclient, ipaplatform) for third party >>>>>>>> developers. >>>>>>>> >>>>>>>> http://www.freeipa.org/page/V4/Integration_Improvements >>>>>>>> >>>>>>>> Regards, >>>>>>>> Christian >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>> >>>>>>> Hello, I have a few questions: >>>>>>> >>>>>>> 1) dynamic platform files >>>>>>> >>>>>>> Currently all RHEL/fedora-derived platforms work with the same >>>>>>> rhel/fedora packages. How do you want to achieve this with dynamic >>>>>>> platform files, do you want to keep mappings between platforms and >>>>>>> platform file? What about distributions that have in /etc/release >>>>>>> just mess? >>>>>> >>>>>> I don't use /etc/releases but /etc/os-release. There is no mapping >>>>>> involved. If a distribution has no /etc/os-release or a messed up >>>>>> /etc/os-release, then it needs to be fixed by the distribution. 
>>>>>> It's a >>>>>> common standard and all relevant distributions support this standard. >>>>>> >>>>>> RHEL has ID=rhel and no ID_LIKE -> ipaplatform.rhel >>>>>> >>>>>> Fedora has ID=fedora and no ID_LIKE -> ipaplatform.fedora >>>>>> >>>>>> CentOS has ID=centos and ID_LIKE="rhel fedora" >>>>>> -> ipaplatform.rhel >>>>>> >>>>>> Even my Raspberry has an /etc/os-release with ID=raspbian and >>>>>> ID_LIKE=debian -> error, soon ipaplatform.debian >>>>> >>>>> There is more to ipaplatform than /etc/os-release offers. How do you >>>>> differentiate between e.g. "Debian with SysV init" and "Debian with >>>>> systemd"? >>>> >>>> Timo, >>>> >>>> do you support FreeIPA on Debian variants with SysV init? >>> >>> This is not an issue of what is supported now, but rather what is >>> supportable in the future. Even if Debian with SysV init is not >>> supported ATM, someone might want to add support for it in the future, >>> and the design should not prevent them from doing so. >> >> My proposal does not prevent sysv init support. In fact it makes it even >> easier to support it. In case Debian SysV Init does not have a distinct >> ID in /etc/os-release, I can easily add some additional check like >> >> if platform == 'debian' and os.path.realpath('/sbin/init') != >> '/usr/lib/systemd/systemd': >> platform = 'debian_sysvinit' > > I didn't mean to say it does prevent it, just that it should be noted in > the design page. I have updated http://www.freeipa.org/page/V4/Integration_Improvements#Scope Christian -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 455 bytes Desc: OpenPGP digital signature URL: From freeipa-github-notification at redhat.com Mon Nov 21 11:34:03 2016 
From: freeipa-github-notification at redhat.com (pspacek) Date: Mon, 21 Nov 2016 12:34:03 +0100 Subject: [Freeipa-devel] [freeipa PR#260][opened] Build: fix path in ipa-ods-exporter.socket unit file Message-ID: URL: https://github.com/freeipa/freeipa/pull/260 Author: pspacek Title: #260: Build: fix path in ipa-ods-exporter.socket unit file Action: opened PR body: """ This fixes regression caused by incorrect daemons/dnssec/ipa-ods-exporter.socket.in path template introduced in commit 312e780041fc9025ca3c189e6c9fcb54c7340714. https://fedorahosted.org/freeipa/ticket/6495 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/260/head:pr260 git checkout pr260 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-260.patch Type: text/x-diff Size: 927 bytes Desc: not available URL: From jcholast at redhat.com Mon Nov 21 12:31:57 2016 
From: jcholast at redhat.com (Jan Cholasta) Date: Mon, 21 Nov 2016 13:31:57 +0100 Subject: [Freeipa-devel] Design document: Integration Improvements In-Reply-To: <228f2a0e-a3a6-92ec-8e59-c45f4283999d@redhat.com> References: <228f2a0e-a3a6-92ec-8e59-c45f4283999d@redhat.com> Message-ID: <665a0612-1f5f-0e88-0e69-e85fa6e21479@redhat.com> Hi, On 11.11.2016 15:25, Christian Heimes wrote: > Hello, > > I have released the first version of a new design document. It describes > how I'm going to improve integration of FreeIPA's client libraries > (ipalib, ipapython, ipaclient, ipaplatform) for third party developers. > > http://www.freeipa.org/page/V4/Integration_Improvements 3.1 API for local configuration directory "Both approaches have some disadvantages. A user must repeat the -e option in every call to ipa or create a shell alias. It's both tedious and error-prone." This is pretty subjective. I don't think it's error-prone at all, since it is explicit and you always know what confdir value will be used in the ipa command just by looking at its arguments, as opposed to the environment variable, which makes the configuration implicit and depending on *sane* environment and is equivalent to preferring global variables to function arguments in Python code. That being said, this whole section is filled with one-sided "facts" and simply ignores everything else, which might lead the reader to believe that the environment variable is something required, while it is in fact just a nice-to-have convenience feature. A good design should include both sides of an argument, even if you don't agree with one. BTW, shell alias works perfectly fine in your virtualenv example above in the design. 3.2.1 Build and runtime requirements How are we going to detect and report missing runtime dependencies? Currently if they are not installed, the code will fail at random places during execution with an often cryptic error message. 
I think this is unacceptable, and since there is no way to specify external dependencies using setuptools (right?), it needs to be done in our code during package import (or other suitable place). 3.3 ipaplatform auto-configuration I'm not sure if guessing platform from ID_LIKE is really a good idea. It might work fine for centos -> rhel, but in general we can't really assume it will always work, as the platforms listed in ID_LIKE might not be similar enough to the one in ID. I would rather add an ipaplatform subpackage for every supported platform (including CentOS) than depend on error-prone guesswork. Honza -- Jan Cholasta From freeipa-github-notification at redhat.com Mon Nov 21 12:27:17 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 21 Nov 2016 13:27:17 +0100 Subject: [Freeipa-devel] [freeipa PR#260][+ack] Build: fix path in ipa-ods-exporter.socket unit file In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/260 Title: #260: Build: fix path in ipa-ods-exporter.socket unit file Label: +ack From freeipa-github-notification at redhat.com Mon Nov 21 12:45:39 2016 From: freeipa-github-notification at redhat.com (pspacek) Date: Mon, 21 Nov 2016 13:45:39 +0100 Subject: [Freeipa-devel] [freeipa PR#238][synchronized] Build system refactoring phase 8: update translation system In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/238 Author: pspacek Title: #238: Build system refactoring phase 8: update translation system Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/238/head:pr238 git checkout pr238 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-238.patch Type: text/x-diff Size: 1895070 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Nov 21 12:47:46 2016 
From: freeipa-github-notification at redhat.com (pspacek) Date: Mon, 21 Nov 2016 13:47:46 +0100 Subject: [Freeipa-devel] [freeipa PR#238][comment] Build system refactoring phase 8: update translation system In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/238 Title: #238: Build system refactoring phase 8: update translation system pspacek commented: """ @tiran You are right, I forgot to remove the `config.rpath` when `AM_GNU_GETTEXT_VERSION` macro was introduced. This version fixes this problem by removing `config.rpath` from Git. @lslebodn We can do this change in some later PR. I do not want to mix it with translation system changes. """ See the full comment at https://github.com/freeipa/freeipa/pull/238#issuecomment-261927883 From freeipa-github-notification at redhat.com Mon Nov 21 12:57:07 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Mon, 21 Nov 2016 13:57:07 +0100 Subject: [Freeipa-devel] [freeipa PR#261][opened] upgrade: do not set HTTP and DS principals explicitly Message-ID: URL: https://github.com/freeipa/freeipa/pull/261 Author: martbab Title: #261: upgrade: do not set HTTP and DS principals explicitly Action: opened PR body: """ In ipa-server-upgrade, HTTP and DS principals are explicitly constructed from realm, fqdn, and service prefix. This is neither required nor desirable, since the principal is now a read-only property which constructs the principal name in the same way. https://fedorahosted.org/freeipa/ticket/6500 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/261/head:pr261 git checkout pr261 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-261.patch Type: text/x-diff Size: 1361 bytes Desc: not available URL: From cheimes at redhat.com Mon Nov 21 13:15:48 2016 
From: cheimes at redhat.com (Christian Heimes) Date: Mon, 21 Nov 2016 14:15:48 +0100 Subject: [Freeipa-devel] Design document: Integration Improvements In-Reply-To: <665a0612-1f5f-0e88-0e69-e85fa6e21479@redhat.com> References: <228f2a0e-a3a6-92ec-8e59-c45f4283999d@redhat.com> <665a0612-1f5f-0e88-0e69-e85fa6e21479@redhat.com> Message-ID: On 2016-11-21 13:31, Jan Cholasta wrote: > Hi, > > On 11.11.2016 15:25, Christian Heimes wrote: >> Hello, >> >> I have released the first version of a new design document. It describes >> how I'm going to improve integration of FreeIPA's client libraries >> (ipalib, ipapython, ipaclient, ipaplatform) for third party developers. >> >> http://www.freeipa.org/page/V4/Integration_Improvements > > 3.1 API for local configuration directory > > "Both approaches have some disadvantages. A user must repeat the -e > option in every call to ipa or create a shell alias. It's both tedious > and error-prone." > > This is pretty subjective. I don't think it's error-prone at all, since > it is explicit and you always know what confdir value will be used in > the ipa command just by looking at its arguments, as opposed to the > environment variable, which makes the configuration implicit and > depending on *sane* environment and is equivalent to preferring global > variables to function arguments in Python code. It's not implicit. The env var has to be set explicitly just like you have to use -e confdir explicitly in every call. > That being said, this whole section is filled with one-sided "facts" and > simply ignores everything else, which might lead the reader to believe > that the environment variable is something required, while it is in fact > just a nice-to-have convenience feature. A good design should include > both sides of an argument, even if you don't agree with one. > > BTW, shell alias works perfectly fine in your virtualenv example above > in the design. No, it does not work perfectly fine. 
By default shell aliases are limited to interactive shells. My proposal also works with Python subprocess module, a C program with execve(), Makefile, Ansible local command, non-interactive shell script... > 3.2.1 Build and runtime requirements > > How are we going to detect and report missing runtime dependencies? > Currently if they are not installed, the code will fail at random places > during execution with an often cryptic error message. I think this is > unacceptable, and since there is no way to specify external dependencies > using setuptools (right?), it needs to be done in our code during > package import (or other suitable place). Instead of detecting missing dependencies, we document requirements and treat users as adults. Runtime checks are a performance issue. Since wheels don't execute code at installation time, we can't check for missing dependencies during installation. > 3.3 ipaplatform auto-configuration > > I'm not sure if guessing platform from ID_LIKE is really a good idea. It > might work fine for centos -> rhel, but in general we can't really > assume it will always work, as the platforms listed in ID_LIKE might not > be similar enough to the one in ID. I would rather add an ipaplatform > subpackage for every supported platform (including CentOS) than depend > on error-prone guesswork. Can you show me a real-world example for your statement that ID_LIKE is error-prone? Your proposal doesn't scale. There are tons of Debian spins with their own ID. For example my Raspberry Pi has ID=raspbian and ID_LIKE=debian. Do you want to maintain an exhaustive list of all Debian and Ubuntu variants? Christian From freeipa-github-notification at redhat.com Mon Nov 21 13:35:50 2016
From: freeipa-github-notification at redhat.com (apophys) Date: Mon, 21 Nov 2016 14:35:50 +0100 Subject: [Freeipa-devel] [freeipa PR#181][comment] Tests : User Tracker creation of user with minimal values In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/181 Title: #181: Tests : User Tracker creation of user with minimal values apophys commented: """ I think in this case we can go with keyword arguments only. Most of the uses of the tracker in the tests do it already. What I will need in the case of keyword arguments is an explicit check for some non-empty unicode string for the required attributes in the __init__ method. All of this applies to `StageUserTracker` in #210 as well """ See the full comment at https://github.com/freeipa/freeipa/pull/181#issuecomment-261940072 From freeipa-github-notification at redhat.com Mon Nov 21 13:44:10 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Mon, 21 Nov 2016 14:44:10 +0100 Subject: [Freeipa-devel] [freeipa PR#196][comment] ipatests: unresolvable nested netgroups In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/196 Title: #196: ipatests: unresolvable nested netgroups martbab commented: """ I am strongly opposed to keeping this particular test in XMLRPC suite since it actually does not test any XMLRPC calls but is, in fact, an integration test for SSSD netgroup resolution so the semantics do not match for me. Arguments about speed and resource-friendliness do not seem to be a blocker for this since you have to provision and install IPA server anyway to run our out-of-tree-tests, you just have another machine that needs to act as a controller but this one is much easier to set up than the slave itself. """ See the full comment at https://github.com/freeipa/freeipa/pull/196#issuecomment-261941920 From pspacek at redhat.com Mon Nov 21 13:44:50 2016
From: pspacek at redhat.com (Petr Spacek) Date: Mon, 21 Nov 2016 14:44:50 +0100 Subject: [Freeipa-devel] Design document: Integration Improvements In-Reply-To: References: <228f2a0e-a3a6-92ec-8e59-c45f4283999d@redhat.com> <665a0612-1f5f-0e88-0e69-e85fa6e21479@redhat.com> Message-ID: On 21.11.2016 14:15, Christian Heimes wrote: > On 2016-11-21 13:31, Jan Cholasta wrote: >> Hi, >> >> On 11.11.2016 15:25, Christian Heimes wrote: >>> Hello, >>> >>> I have released the first version of a new design document. It describes >>> how I'm going to improve integration of FreeIPA's client libraries >>> (ipalib, ipapython, ipaclient, ipaplatform) for third party developers. >>> >>> http://www.freeipa.org/page/V4/Integration_Improvements >> >> 3.1 API for local configuration directory >> >> "Both approaches have some disadvantages. A user must repeat the -e >> option in every call to ipa or create a shell alias. It's both tedious >> and error-prone." >> >> This is pretty subjective. I don't think it's error-prone at all, since >> it is explicit and you always know what confdir value will be used in >> the ipa command just by looking at its arguments, as opposed to the >> environment variable, which makes the configuration implicit and >> depending on *sane* environment and is equivalent to preferring global >> variables to function arguments in Python code. > > It's not implicit. The env var has to be set explicitly just like you > have to use -e confdir explicitly in every call. > >> That being said, this whole section is filled with one-sided "facts" and >> simply ignores everything else, which might lead the reader to believe >> that the environment variable is something required, while it is in fact >> just a nice-to-have convenience feature. A good design should include >> both sides of an argument, even if you don't agree with one. >> >> BTW, shell alias works perfectly fine in your virtualenv example above >> in the design. > > No, it does not work perfectly fine. 
By default shell aliases are > limited to interactive shells. My proposal also works with Python > subprocess module, a C program with execve(), Makefile, Ansible local > command, non-interactive shell script... > >> 3.2.1 Build and runtime requirements >> >> How are we going to detect and report missing runtime dependencies? >> Currently if they are not installed, the code will fail at random places >> during execution with an often cryptic error message. I think this is >> unacceptable, and since there is no way to specify external dependencies >> using setuptools (right?), it needs to be done in our code during >> package import (or other suitable place). > > Instead of detecting missing dependencies, we document requirements and > treat users as adults. Runtime checks are a performance issue. Since > wheels don't execute code at installation time, we can't check for > missing dependencies during installation. > >> 3.3 ipaplatform auto-configuration >> >> I'm not sure if guessing platform from ID_LIKE is really a good idea. It >> might work fine for centos -> rhel, but in general we can't really >> assume it will always work, as the platforms listed in ID_LIKE might not >> be similar enough to the one in ID. I would rather add an ipaplatform >> subpackage for every supported platform (including CentOS) than depend >> on error-prone guesswork. > > Can you show me a real-world example for your statement that ID_LIKE is > error-prone? > > Your proposal doesn't scale. There are tons of Debian spins with their > own ID. For example my Raspberry Pi has ID=raspbian and ID_LIKE=debian. > Do you want to maintain an exhaustive list of all Debian and Ubuntu > variants? Can we agree that it would be much better to get rid of platform dependency in client libraries and be done with this philosophical debate? -- Petr^2 Spacek From freeipa-github-notification at redhat.com Mon Nov 21 13:47:36 2016
From: freeipa-github-notification at redhat.com (martbab) Date: Mon, 21 Nov 2016 14:47:36 +0100 Subject: [Freeipa-devel] [freeipa PR#191][+ack] Exclude testing ipa.pot file from zanata In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/191 Title: #191: Exclude testing ipa.pot file from zanata Label: +ack From freeipa-github-notification at redhat.com Mon Nov 21 13:48:13 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Mon, 21 Nov 2016 14:48:13 +0100 Subject: [Freeipa-devel] [freeipa PR#191][+pushed] Exclude testing ipa.pot file from zanata In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/191 Title: #191: Exclude testing ipa.pot file from zanata Label: +pushed From freeipa-github-notification at redhat.com Mon Nov 21 13:48:14 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Mon, 21 Nov 2016 14:48:14 +0100 Subject: [Freeipa-devel] [freeipa PR#191][comment] Exclude testing ipa.pot file from zanata In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/191 Title: #191: Exclude testing ipa.pot file from zanata martbab commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/ad32bf147ed6996c0967bb8e8cfb803113ceaf5f ipa-4-4: https://fedorahosted.org/freeipa/changeset/76d4368ff9885a1e92bac2df75fefd49e7657c0d """ See the full comment at https://github.com/freeipa/freeipa/pull/191#issuecomment-261942763 From freeipa-github-notification at redhat.com Mon Nov 21 13:48:16 2016 
From: freeipa-github-notification at redhat.com (martbab) Date: Mon, 21 Nov 2016 14:48:16 +0100 Subject: [Freeipa-devel] [freeipa PR#191][closed] Exclude testing ipa.pot file from zanata In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/191 Author: mbasti-rh Title: #191: Exclude testing ipa.pot file from zanata Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/191/head:pr191 git checkout pr191 From freeipa-github-notification at redhat.com Mon Nov 21 13:52:54 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Mon, 21 Nov 2016 14:52:54 +0100 Subject: [Freeipa-devel] [freeipa PR#231][comment] Do not log DM password in ca/kra installation logs In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/231 Title: #231: Do not log DM password in ca/kra installation logs martbab commented: """ Well that is what I was pointing at, by adding both DM and admin passwords to the parent method's default `nolog_list`, you are future-proofing the code because all spawn-instance calls will be safe. But maybe I am missing something. """ See the full comment at https://github.com/freeipa/freeipa/pull/231#issuecomment-261943789 From cheimes at redhat.com Mon Nov 21 14:07:24 2016 
From: cheimes at redhat.com (Christian Heimes) Date: Mon, 21 Nov 2016 15:07:24 +0100 Subject: [Freeipa-devel] Design document: Integration Improvements In-Reply-To: References: <228f2a0e-a3a6-92ec-8e59-c45f4283999d@redhat.com> <665a0612-1f5f-0e88-0e69-e85fa6e21479@redhat.com> Message-ID: <156131ff-7fcd-21a7-d3c1-1d5679dffd5a@redhat.com> On 2016-11-21 14:44, Petr Spacek wrote: >>> 3.3 ipaplatform auto-configuration >>> >>> I'm not sure if guessing platform from ID_LIKE is really a good idea. It >>> might work fine for centos -> rhel, but in general we can't really >>> assume it will always work, as the platforms listed in ID_LIKE might not >>> be similar enough to the one in ID. I would rather add an ipaplatform >>> subpackage for every supported platform (including CentOS) than depend >>> on error-prone guesswork. >> >> Can you show me a real-world example for your statement that ID_LIKE is >> error-prone? >> >> Your proposal doesn't scale. There are tons of Debian spins with their >> own ID. For example my Raspberry Pi has ID=raspbian and ID_LIKE=debian. >> Do you want to maintain an exhaustive list of all Debian and Ubuntu >> variants? > > Can we agree that it would be much better to get rid of platform dependency in > client libraries and be done with this philosophical debate? Yes, that would be my preferable solution, too. But it's a lot of work and I don't have any spare time to work on a redesign of ipaplatform / ipalib. Who is going to do it? Christian From jcholast at redhat.com Mon Nov 21 14:25:17 2016
From: jcholast at redhat.com (Jan Cholasta) Date: Mon, 21 Nov 2016 15:25:17 +0100 Subject: [Freeipa-devel] Design document: Integration Improvements In-Reply-To: <156131ff-7fcd-21a7-d3c1-1d5679dffd5a@redhat.com> References: <228f2a0e-a3a6-92ec-8e59-c45f4283999d@redhat.com> <665a0612-1f5f-0e88-0e69-e85fa6e21479@redhat.com> <156131ff-7fcd-21a7-d3c1-1d5679dffd5a@redhat.com> Message-ID: On 21.11.2016 15:07, Christian Heimes wrote: > On 2016-11-21 14:44, Petr Spacek wrote: >>>> 3.3 ipaplatform auto-configuration >>>> >>>> I'm not sure if guessing platform from ID_LIKE is really a good idea. It >>>> might work fine for centos -> rhel, but in general we can't really >>>> assume it will always work, as the platforms listed in ID_LIKE might not >>>> be similar enough to the one in ID. I would rather add an ipaplatform >>>> subpackage for every supported platform (including CentOS) than depend >>>> on error-prone guesswork. >>> >>> Can you show me a real-world example for your statement that ID_LIKE is >>> error-prone? >>> >>> Your proposal doesn't scale. There are tons of Debian spins with their >>> own ID. For example my Raspberry Pi has ID=raspbian and ID_LIKE=debian. >>> Do you want to maintain an exhaustive list of all Debian and Ubuntu >>> variants? >> >> Can we agree that it would be much better to get rid of platform dependency in >> client libraries and be done with this philosophical debate? +1 > > Yes, that would be my preferable solution, too. But it's a lot of work > and I don't have any spare time to work on a redesign of ipaplatform / > ipalib. Who is going to do it? > > Christian -- Jan Cholasta From freeipa-github-notification at redhat.com Mon Nov 21 14:20:24 2016
From: freeipa-github-notification at redhat.com (simo5) Date: Mon, 21 Nov 2016 15:20:24 +0100 Subject: [Freeipa-devel] [freeipa PR#62][comment] Configure Anonymous PKINIT on server install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/62 Title: #62: Configure Anonymous PKINIT on server install simo5 commented: """ @splashx you would have to manually configure each KDC and give them certs, it is doable. """ See the full comment at https://github.com/freeipa/freeipa/pull/62#issuecomment-261950279 From jcholast at redhat.com Mon Nov 21 14:41:17 2016 
From: jcholast at redhat.com (Jan Cholasta) Date: Mon, 21 Nov 2016 15:41:17 +0100 Subject: [Freeipa-devel] Design document: Integration Improvements In-Reply-To: References: <228f2a0e-a3a6-92ec-8e59-c45f4283999d@redhat.com> <665a0612-1f5f-0e88-0e69-e85fa6e21479@redhat.com> Message-ID: On 21.11.2016 14:15, Christian Heimes wrote: > On 2016-11-21 13:31, Jan Cholasta wrote: >> Hi, >> >> On 11.11.2016 15:25, Christian Heimes wrote: >>> Hello, >>> >>> I have released the first version of a new design document. It describes >>> how I'm going to improve integration of FreeIPA's client libraries >>> (ipalib, ipapython, ipaclient, ipaplatform) for third party developers. >>> >>> http://www.freeipa.org/page/V4/Integration_Improvements >> >> 3.1 API for local configuration directory >> >> "Both approaches have some disadvantages. A user must repeat the -e >> option in every call to ipa or create a shell alias. It's both tedious >> and error-prone." >> >> This is pretty subjective. I don't think it's error-prone at all, since >> it is explicit and you always know what confdir value will be used in >> the ipa command just by looking at its arguments, as opposed to the >> environment variable, which makes the configuration implicit and >> depending on *sane* environment and is equivalent to preferring global >> variables to function arguments in Python code. > > It's not implicit. The env var has to be set explicitly just like you > have to use -e confdir explicitly in every call. Yes, you need to set it explicitly, but then it is implicitly inherited by the command. And just like with global variables, you might have a hard time tracking down where it was set and why if you didn't set it yourself, especially if you are a casual user and not a developer like us.
> >> That being said, this whole section is filled with one-sided "facts" and >> simply ignores everything else, which might lead the reader to believe >> that the environment variable is something required, while it is in fact >> just a nice-to-have convenience feature. A good design should include >> both sides of an argument, even if you don't agree with one. >> >> BTW, shell alias works perfectly fine in your virtualenv example above >> in the design. > > No, it does not work perfectly fine. By default shell aliases are > limited to interactive shells. Last time I checked virtualenv provided an interactive shell. > My proposal also works with Python > subprocess module, a C program with execve(), Makefile, Ansible local > command, non-interactive shell script... ... which are all more or less write-once, so the env variable provides very little benefit over the command line option. > >> 3.2.1 Build and runtime requirements >> >> How are we going to detect and report missing runtime dependencies? >> Currently if they are not installed, the code will fail at random places >> during execution with an often cryptic error message. I think this is >> unacceptable, and since there is no way to specify external dependencies >> using setuptools (right?), it needs to be done in our code during >> package import (or other suitable place). > > Instead of detecting missing dependencies, we document requirements and > treat users as adults. We do all kinds of runtime checks in our commands - are you saying we should just remove them all, because the users are adults? > Runtime checks are a performance issue. Since > wheels don't execute code at installation time, we can't check for > missing dependencies during installation. In other words, we will provide broken packages in PyPI, at least compared to our downstream packages. Is this really the normal thing to do for PyPI packages with external dependencies?
> >> 3.3 ipaplatform auto-configuration >> >> I'm not sure if guessing platform from ID_LIKE is really a good idea. It >> might work fine for centos -> rhel, but in general we can't really >> assume it will always work, as the platforms listed in ID_LIKE might not >> be similar enough to the one in ID. I would rather add an ipaplatform >> subpackage for every supported platform (including CentOS) than depend >> on error-prone guesswork. > > Can you show me a real-world example for your statement that ID_LIKE is > error-prone? > > Your proposal doesn't scale. There are tons of Debian spins with their > own ID. For example my Raspberry Pi has ID=raspbian and ID_LIKE=debian. > Do you want to maintain an exhaustive list of all Debian and Ubuntu > variants? Yes, I'm aware of that, I was hoping we could find some sort of compromise. > > Christian > -- Jan Cholasta From freeipa-github-notification at redhat.com Mon Nov 21 14:39:04 2016 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Mon, 21 Nov 2016 15:39:04 +0100 Subject: [Freeipa-devel] [freeipa PR#262][opened] upgrade: do not explicitly set principal for services Message-ID: URL: https://github.com/freeipa/freeipa/pull/262 Author: tomaskrizek Title: #262: upgrade: do not explicitly set principal for services Action: opened PR body: """ After installer refactoring, principal is a property of service. https://fedorahosted.org/freeipa/ticket/6500 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/262/head:pr262 git checkout pr262 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-262.patch Type: text/x-diff Size: 1167 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Nov 21 14:41:30 2016 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Mon, 21 Nov 2016 15:41:30 +0100 Subject: [Freeipa-devel] [freeipa PR#223][synchronized] LDAP refactoring: remove admin_conn In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/223 Author: tomaskrizek Title: #223: LDAP refactoring: remove admin_conn Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/223/head:pr223 git checkout pr223 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-223.patch Type: text/x-diff Size: 48091 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Nov 21 14:42:32 2016 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Mon, 21 Nov 2016 15:42:32 +0100 Subject: [Freeipa-devel] [freeipa PR#223][comment] LDAP refactoring: remove admin_conn In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/223 Title: #223: LDAP refactoring: remove admin_conn tomaskrizek commented: """ Depends on #262 """ See the full comment at https://github.com/freeipa/freeipa/pull/223#issuecomment-261956124 From freeipa-github-notification at redhat.com Mon Nov 21 14:44:54 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Mon, 21 Nov 2016 15:44:54 +0100 Subject: [Freeipa-devel] [freeipa PR#262][comment] upgrade: do not explicitly set principal for services In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/262 Title: #262: upgrade: do not explicitly set principal for services martbab commented: """ Heh, I have opened PR#261 for this same issue recently. Since you assigned yourself to the ticket and filled all required fields you win this race :). """ See the full comment at https://github.com/freeipa/freeipa/pull/262#issuecomment-261956701 From freeipa-github-notification at redhat.com Mon Nov 21 14:47:39 2016 
From: freeipa-github-notification at redhat.com (martbab) Date: Mon, 21 Nov 2016 15:47:39 +0100 Subject: [Freeipa-devel] [freeipa PR#262][comment] upgrade: do not explicitly set principal for services In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/262 Title: #262: upgrade: do not explicitly set principal for services martbab commented: """ Heh, I have opened https://github.com/freeipa/freeipa/pull/262 for this same issue recently. Since you assigned yourself to the ticket and filled all required fields you win this race :). """ See the full comment at https://github.com/freeipa/freeipa/pull/262#issuecomment-261956701 From freeipa-github-notification at redhat.com Mon Nov 21 15:11:35 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Mon, 21 Nov 2016 16:11:35 +0100 Subject: [Freeipa-devel] [freeipa PR#261][comment] upgrade: do not set HTTP and DS principals explicitly In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/261 Title: #261: upgrade: do not set HTTP and DS principals explicitly martbab commented: """ Closing this as duplicate of https://github.com/freeipa/freeipa/pull/262 """ See the full comment at https://github.com/freeipa/freeipa/pull/261#issuecomment-261964093 From freeipa-github-notification at redhat.com Mon Nov 21 15:11:37 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Mon, 21 Nov 2016 16:11:37 +0100 Subject: [Freeipa-devel] [freeipa PR#261][closed] upgrade: do not set HTTP and DS principals explicitly In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/261 Author: martbab Title: #261: upgrade: do not set HTTP and DS principals explicitly Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/261/head:pr261 git checkout pr261 From freeipa-github-notification at redhat.com Mon Nov 21 15:13:02 2016 
From: freeipa-github-notification at redhat.com (martbab) Date: Mon, 21 Nov 2016 16:13:02 +0100 Subject: [Freeipa-devel] [freeipa PR#262][+ack] upgrade: do not explicitly set principal for services In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/262 Title: #262: upgrade: do not explicitly set principal for services Label: +ack From freeipa-github-notification at redhat.com Mon Nov 21 15:14:19 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Mon, 21 Nov 2016 16:14:19 +0100 Subject: [Freeipa-devel] [freeipa PR#262][+pushed] upgrade: do not explicitly set principal for services In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/262 Title: #262: upgrade: do not explicitly set principal for services Label: +pushed From freeipa-github-notification at redhat.com Mon Nov 21 15:14:20 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Mon, 21 Nov 2016 16:14:20 +0100 Subject: [Freeipa-devel] [freeipa PR#262][comment] upgrade: do not explicitly set principal for services In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/262 Title: #262: upgrade: do not explicitly set principal for services martbab commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/2793cdc8593c40d8318ec3685408ade6bf9a5320 """ See the full comment at https://github.com/freeipa/freeipa/pull/262#issuecomment-261964850 From freeipa-github-notification at redhat.com Mon Nov 21 15:14:22 2016 
From: freeipa-github-notification at redhat.com (martbab) Date: Mon, 21 Nov 2016 16:14:22 +0100 Subject: [Freeipa-devel] [freeipa PR#262][closed] upgrade: do not explicitly set principal for services In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/262 Author: tomaskrizek Title: #262: upgrade: do not explicitly set principal for services Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/262/head:pr262 git checkout pr262 From jcholast at redhat.com Mon Nov 21 15:20:27 2016 
From: jcholast at redhat.com (Jan Cholasta) Date: Mon, 21 Nov 2016 16:20:27 +0100 Subject: [Freeipa-devel] Design document: Integration Improvements In-Reply-To: References: <228f2a0e-a3a6-92ec-8e59-c45f4283999d@redhat.com> <665a0612-1f5f-0e88-0e69-e85fa6e21479@redhat.com> <156131ff-7fcd-21a7-d3c1-1d5679dffd5a@redhat.com> Message-ID: On 21.11.2016 15:25, Jan Cholasta wrote: > On 21.11.2016 15:07, Christian Heimes wrote: >> On 2016-11-21 14:44, Petr Spacek wrote: >>>>> 3.3 ipaplatform auto-configuration >>>>> >>>>> I'm not sure if guessing platform from ID_LIKE is really a good >>>>> idea. It >>>>> might work fine for centos -> rhel, but in general we can't really >>>>> assume it will always work, as the platforms listed in ID_LIKE >>>>> might not >>>>> be similar enough to the one in ID. I would rather add an ipaplatform >>>>> subpackage for every supported platform (including CentOS) than depend >>>>> on error-prone guesswork. >>>> >>>> Can you show me a real-world example for your statement that ID_LIKE is >>>> error-prone? >>>> >>>> Your proposal doesn't scale. There are tons of Debian spins with their >>>> own ID. For example my Raspberry Pi has ID=raspbian and ID_LIKE=debian. >>>> Do you want to maintain an exhaustive list of all Debian and Ubuntu >>>> variants? >>> >>> Can we agree that it would be much better to get rid of platform >>> dependency in >>> client libraries and be done with this philosophical debate? > > +1 > >> >> Yes, that would be my preferable solution, too. But it's a lot of work >> and I don't have any spare time to work on a redesign of ipaplatform / >> ipalib. Who is going to do it? I'm going to look into this. >> >> Christian > -- Jan Cholasta From slaznick at redhat.com Mon Nov 21 16:08:26 2016
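The two positions on ID_LIKE argued in the "Design document: Integration Improvements" thread above, side by side, as an added example that is not part of any message and is not FreeIPA code. The `SUPPORTED` list, the function names and the sample os-release texts are assumptions made for illustration; only the raspbian ID and ID_LIKE values come from the thread.

```python
"""Added example: choose a platform module name from os-release data."""
import shlex

# Hypothetical set of platform subpackages that ship; not FreeIPA's real list.
SUPPORTED = ("rhel", "fedora", "debian")

# Constructed sample os-release contents. The raspbian ID/ID_LIKE pair is the
# one quoted in the thread; everything else is made up for this example.
RASPBIAN = 'NAME="Raspbian GNU/Linux"\nID=raspbian\nID_LIKE=debian\n'
CENTOS = 'NAME="CentOS Linux"\nID="centos"\nID_LIKE="rhel fedora"\n'
FEDORA = "NAME=Fedora\nID=fedora\n"
UNRELATED = 'ID=exampleos\nID_LIKE="otheros"\n'


class UnsupportedPlatform(Exception):
    """No shipped platform module matches this host."""


def parse_os_release(text):
    """Parse KEY=value lines; values may be shell-quoted, '#' starts a comment."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        try:
            parts = shlex.split(value)
        except ValueError:
            continue  # unbalanced quote: skip the line instead of guessing
        fields[key.strip()] = " ".join(parts)
    return fields


def select_platform(text, supported=SUPPORTED, allow_id_like=True):
    """Return (platform, matched_on).

    matched_on is "ID" for an exact match and "ID_LIKE" when the result is a
    fallback, so the caller can log that the platform was inferred.
    With allow_id_like=False only an exact ID match is accepted, which is the
    "one subpackage per supported platform" position from the thread.
    """
    fields = parse_os_release(text)
    own_id = fields.get("ID", "").lower()
    if own_id in supported:
        return own_id, "ID"
    if allow_id_like:
        # ID_LIKE is a space-separated list, closest relative first.
        for like in fields.get("ID_LIKE", "").lower().split():
            if like in supported:
                return like, "ID_LIKE"
    raise UnsupportedPlatform(
        "ID=%r ID_LIKE=%r matches none of %s"
        % (own_id, fields.get("ID_LIKE", ""), ", ".join(supported))
    )


if __name__ == "__main__":
    for name, sample in (("raspbian", RASPBIAN), ("centos", CENTOS),
                         ("fedora", FEDORA), ("unrelated", UNRELATED)):
        for fallback in (True, False):
            try:
                result = select_platform(sample, allow_id_like=fallback)
            except UnsupportedPlatform as exc:
                result = "unsupported (%s)" % exc
            print(name, "fallback" if fallback else "strict", "->", result)
```

Failing with an explicit error when neither ID nor ID_LIKE matches avoids silently loading a platform module for an unrelated distribution.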
From: slaznick at redhat.com (Standa Laznicka) Date: Mon, 21 Nov 2016 17:08:26 +0100 Subject: [Freeipa-devel] [PATCH 0058] Make get_entries not ignore its size_limit argument In-Reply-To: References: <7a64f453-df5a-0691-746c-1b04c7171f8a@redhat.com> <47ac8912-1caf-bdd8-bb32-fdb29dffffb8@redhat.com> <3b23492e-17e7-13e1-1099-16cfb0963c98@redhat.com> <0a43fba5-a300-27e6-2ef3-c4f8d907cda4@redhat.com> <0eb715f5-5001-a3b2-743d-18fcd38e1a7e@redhat.com> <4c4890fc-8f13-267c-bd65-2d4475ae644a@redhat.com> <0914dd3d-899a-6cd5-9800-b9dbed818437@redhat.com> Message-ID: On 10/10/2016 08:47 AM, Standa Laznicka wrote: > On 10/10/2016 07:53 AM, Jan Cholasta wrote: >> On 7.10.2016 12:23, Standa Laznicka wrote: >>> On 10/07/2016 08:31 AM, Jan Cholasta wrote: >>>> On 17.8.2016 13:47, Stanislav Laznicka wrote: >>>>> On 08/11/2016 02:59 PM, Stanislav Laznicka wrote: >>>>>> On 08/11/2016 07:49 AM, Jan Cholasta wrote: >>>>>>> On 2.8.2016 13:47, Stanislav Laznicka wrote: >>>>>>>> On 07/19/2016 09:20 AM, Jan Cholasta wrote: >>>>>>>>> Hi, >>>>>>>>> >>>>>>>>> On 14.7.2016 14:36, Stanislav Laznicka wrote: >>>>>>>>>> Hello, >>>>>>>>>> >>>>>>>>>> This patch fixes https://fedorahosted.org/freeipa/ticket/5640. >>>>>>>>>> >>>>>>>>>> With not so much experience with the framework, it raises >>>>>>>>>> question >>>>>>>>>> in my >>>>>>>>>> head whether ipaldap.get_entries is used properly throughout the >>>>>>>>>> system >>>>>>>>>> - does it always assume that it gets ALL the requested >>>>>>>>>> entries or >>>>>>>>>> just a >>>>>>>>>> few of those as configured by the 'ipaSearchRecordsLimit' >>>>>>>>>> attribute of >>>>>>>>>> ipaConfig.etc which it actually gets? >>>>>>>>> >>>>>>>>> That depends. If you call get_entries() on the ldap2 plugin >>>>>>>>> (which is >>>>>>>>> usually the case in the framework), then ipaSearchRecordsLimit is >>>>>>>>> used. If you call it on some arbitrary LDAPClient instance, the >>>>>>>>> hardcoded default (= unlimited) is used. 
>>>>>>>>> >>>>>>>>>> >>>>>>>>>> One spot that I know the get_entries method was definitely >>>>>>>>>> not used >>>>>>>>>> properly before this patch is in the >>>>>>>>>> baseldap.LDAPObject.get_memberindirect() method: >>>>>>>>>> >>>>>>>>>> 692 result = self.backend.get_entries( >>>>>>>>>> 693 self.api.env.basedn, >>>>>>>>>> 694 filter=filter, >>>>>>>>>> 695 attrs_list=['member'], >>>>>>>>>> 696 size_limit=-1, # paged search will get >>>>>>>>>> everything >>>>>>>>>> anyway >>>>>>>>>> 697 paged_search=True) >>>>>>>>>> >>>>>>>>>> which to me seems kind of important if the environment >>>>>>>>>> size_limit >>>>>>>>>> is not >>>>>>>>>> set properly :) The patch does not fix the non-propagation of >>>>>>>>>> the >>>>>>>>>> paged_search, though. >>>>>>>>> >>>>>>>>> Why do you think size_limit is not used properly here? >>>>>>>> AFAIU it is desired that the search is unlimited. However, due >>>>>>>> to the >>>>>>>> fact that neither size_limit nor paged_search are passed from >>>>>>>> ldap2.get_entries() to ldap2.find_entries() (methods inherited >>>>>>>> from >>>>>>>> LDAPClient), only the number of records specified by >>>>>>>> ipaSearchRecordsLimit is returned. That could eventually cause >>>>>>>> problems >>>>>>>> should ipaSearchRecordsLimit be set to a low value as in the >>>>>>>> ticket. >>>>>>> >>>>>>> I see. This is *not* intentional, the **kwargs of get_entries() >>>>>>> should be passed to find_entries(). This definitely needs to be >>>>>>> fixed. >>>>>>> >>>>>>>>> >>>>>>>>> Anyway, this ticket is not really easily fixable without more >>>>>>>>> profound >>>>>>>>> changes. Often, multiple LDAP searches are done during command >>>>>>>>> execution. What do you do with the size limit then? Do you >>>>>>>>> pass the >>>>>>>>> same size limit to all the searches? Do you subtract the >>>>>>>>> result size >>>>>>>>> from the size limit after each search? Do you do something >>>>>>>>> else with >>>>>>>>> it? ... 
The answer is that it depends on the purpose of each >>>>>>>>> individual LDAP search (like in get_memberindirect() above, we >>>>>>>>> have to >>>>>>>>> do unlimited search, otherwise the resulting entry would be >>>>>>>>> incomplete), and fixing this across the whole framework is a >>>>>>>>> non-trivial task. >>>>>>>>> >>>>>>>> I do realize that the proposed fix for the permission plugin is >>>>>>>> not >>>>>>>> perfect, it would probably be better to subtract the number of >>>>>>>> currently >>>>>>>> loaded records from the sizelimit, although in the end the >>>>>>>> number of >>>>>>>> returned values will not be higher than the given size_limit. >>>>>>>> However, >>>>>>>> it seems reasonable that if get_entries is passed a size limit, it >>>>>>>> should apply it over current ipaSearchRecordsLimit rather than >>>>>>>> ignoring >>>>>>>> it. Then, any use of get_entries could be fixed accordingly if >>>>>>>> someone >>>>>>>> sees fit. >>>>>>>> >>>>>>> >>>>>>> Right. Anyway, this is a different issue than above, so please put >>>>>>> this into a separate commit. >>>>>>> >>>>>> Please see the attached patches, then. >>>>>> >>>>> Self-NACK, with Honza's help I found there was a mistake in the >>>>> code. I >>>>> also found an off-by-one bug which I hope I could stick to the >>>>> other two >>>>> patches (attaching only the modified and new patches). >>>> >>>> Works for me, but this bit in patch 0064 looks suspicious to me: >>>> >>>> + if max_entries > 0 and len(entries) == >>>> max_entries: >>>> >>>> Shouldn't it rather be: >>>> >>>> + if max_entries > 0 and len(entries) >= >>>> max_entries: >>>> >>>> ? >>>> >>> The length of entries list should not exceed max_entries if size_limit >>> is properly implemented. Therefore the list you get from execute() >>> should not have more than max_entries entries. You shouldn't also be >>> able to append a legacy entry to entries list if this check is the >>> first >>> thing you do. 
>> >> That's a lot of shoulds :-) I would expect at least an assert >> statement to make sure everything is right. >> >>> >>> That being said, >= could be used but then some popping of entries from >>> entries list would be necessary. But it's perhaps safer to do, although >>> if there's a bug, it won't be that obvious :) >> >> OK, nevermind then, just add the assert please, to make bugs *very* >> obvious. >> > An assert seems like a very good idea, attached is an asserting patch. > > > Attached is the patch rebased on the current master. Renumbered it a bit as previous numbers could've been confusing so I also omitted the revision number. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-slaznick-0065-Make-get_entries-not-ignore-its-limit-arguments.patch Type: text/x-patch Size: 1711 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-slaznick-0066-fix-permission_find-fail-on-low-search-size-limit.patch Type: text/x-patch Size: 1595 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-slaznick-0067-permission-find-fix-a-sizelimit-off-by-one-bug.patch Type: text/x-patch Size: 2645 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Nov 21 16:28:23 2016 
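The size-limit problem discussed in the thread above, as an added toy model; it is not FreeIPA code and not taken from the scrubbed patches. The function names, the constructed directory, and the limit convention (None means the configured default, a value <= 0 means unlimited) are assumptions made for this example.

```python
"""Toy model of the size_limit propagation bug and the merge-time check.

Everything here is constructed for illustration; none of it is FreeIPA code.
"""

CONFIGURED_LIMIT = 3  # stands in for ipaSearchRecordsLimit (constructed value)

# Constructed directory: five entries that are all members of one group.
DIRECTORY = [{"dn": "uid=user%d" % i, "memberof": "admins"} for i in range(5)]


def is_admin(entry):
    """Search filter used by the examples below."""
    return entry["memberof"] == "admins"


def find_entries(match, size_limit=None):
    """Return (entries, truncated) for a search over DIRECTORY.

    Assumed convention: None -> configured default, <= 0 -> unlimited.
    """
    if size_limit is None:
        size_limit = CONFIGURED_LIMIT
    hits = [e for e in DIRECTORY if match(e)]
    if size_limit > 0 and len(hits) > size_limit:
        return hits[:size_limit], True
    return hits, False


def get_entries_dropping_limit(match, **kwargs):
    """Behaviour described as the bug: kwargs never reach find_entries()."""
    entries, _truncated = find_entries(match)
    return entries


def get_entries_forwarding_limit(match, **kwargs):
    """Behaviour agreed on in review: forward **kwargs to find_entries()."""
    entries, _truncated = find_entries(match, **kwargs)
    return entries


def merge_with_legacy(entries, legacy, max_entries):
    """Append legacy results to entries without exceeding max_entries.

    Returns (entries, truncated). The assert is the invariant asked for in
    review: the first search must already have honoured the limit, so a
    longer list is a bug upstream and should fail loudly instead of being
    hidden by a >= comparison.
    """
    entries = list(entries)
    if max_entries > 0:
        assert len(entries) <= max_entries, "first search ignored size limit"
    for entry in legacy:
        # Check before appending, so the list can never grow past the limit.
        if max_entries > 0 and len(entries) == max_entries:
            return entries, True
        entries.append(entry)
    return entries, False


if __name__ == "__main__":
    # A caller asking for an unlimited membership search still gets only the
    # configured number of records when the limit is dropped on the way down.
    print(len(get_entries_dropping_limit(is_admin, size_limit=-1)))    # 3
    print(len(get_entries_forwarding_limit(is_admin, size_limit=-1)))  # 5
    print(merge_with_legacy(["a", "b"], ["c", "d"], 3))
```

With the limit dropped, a membership lookup silently returns a partial member list, which matters wherever the result feeds an access decision.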
From: freeipa-github-notification at redhat.com (pspacek) Date: Mon, 21 Nov 2016 17:28:23 +0100 Subject: [Freeipa-devel] [freeipa PR#251][comment] Add rebuild rule for template files In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/251 Title: #251: Add rebuild rule for template files pspacek commented: """ I'm going to provide a proper fix as agreed on meeting today. """ See the full comment at https://github.com/freeipa/freeipa/pull/251#issuecomment-261987023 From freeipa-github-notification at redhat.com Mon Nov 21 16:28:27 2016 From: freeipa-github-notification at redhat.com (pspacek) Date: Mon, 21 Nov 2016 17:28:27 +0100 Subject: [Freeipa-devel] [freeipa PR#251][+rejected] Add rebuild rule for template files In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/251 Title: #251: Add rebuild rule for template files Label: +rejected From freeipa-github-notification at redhat.com Mon Nov 21 16:28:28 2016 From: freeipa-github-notification at redhat.com (pspacek) Date: Mon, 21 Nov 2016 17:28:28 +0100 Subject: [Freeipa-devel] [freeipa PR#251][closed] Add rebuild rule for template files In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/251 Author: tiran Title: #251: Add rebuild rule for template files Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/251/head:pr251 git checkout pr251 From freeipa-github-notification at redhat.com Mon Nov 21 16:30:36 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 21 Nov 2016 17:30:36 +0100 Subject: [Freeipa-devel] [freeipa PR#260][comment] Build: fix path in ipa-ods-exporter.socket unit file In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/260 Title: #260: Build: fix path in ipa-ods-exporter.socket unit file mbasti-rh commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/5862eaa1a0e3fbced79d6c209016c1138e692888 """ See the full comment at https://github.com/freeipa/freeipa/pull/260#issuecomment-261987837 From freeipa-github-notification at redhat.com Mon Nov 21 16:30:38 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 21 Nov 2016 17:30:38 +0100 Subject: [Freeipa-devel] [freeipa PR#260][closed] Build: fix path in ipa-ods-exporter.socket unit file In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/260 Author: pspacek Title: #260: Build: fix path in ipa-ods-exporter.socket unit file Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/260/head:pr260 git checkout pr260 From freeipa-github-notification at redhat.com Mon Nov 21 16:32:26 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 21 Nov 2016 17:32:26 +0100 Subject: [Freeipa-devel] [freeipa PR#261][+rejected] upgrade: do not set HTTP and DS principals explicitly In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/261 Title: #261: upgrade: do not set HTTP and DS principals explicitly Label: +rejected From freeipa-github-notification at redhat.com Mon Nov 21 16:59:23 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 21 Nov 2016 17:59:23 +0100 Subject: [Freeipa-devel] [freeipa PR#258][comment] Break ipaplatform / ipalib import cycle of hell In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/258 Title: #258: Break ipaplatform / ipalib import cycle of hell mbasti-rh commented: """ LGTM, except the inline comment I made, I'll test it tomorrow """ See the full comment at https://github.com/freeipa/freeipa/pull/258#issuecomment-261995638 From freeipa-github-notification at redhat.com Mon Nov 21 16:59:43 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 21 Nov 2016 17:59:43 +0100 Subject: [Freeipa-devel] [freeipa PR#259][comment] Minor fixes for IPAVersion class In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/259 Title: #259: Minor fixes for IPAVersion class mbasti-rh commented: """ LGTM, I'll test tomorrow """ See the full comment at https://github.com/freeipa/freeipa/pull/259#issuecomment-261995775 From freeipa-github-notification at redhat.com Mon Nov 21 17:04:48 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 21 Nov 2016 18:04:48 +0100 Subject: [Freeipa-devel] [freeipa PR#244][comment] Add templating to ipaplatform path [RFC] In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/244 Title: #244: Add templating to ipaplatform path [RFC] mbasti-rh commented: """ Can you finish this PR? It can be tested and possibly merged """ See the full comment at https://github.com/freeipa/freeipa/pull/244#issuecomment-261997481 From freeipa-github-notification at redhat.com Mon Nov 21 17:06:04 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 21 Nov 2016 18:06:04 +0100 Subject: [Freeipa-devel] [freeipa PR#256][comment] Pylint: whitelist packages with extension modules In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/256 Title: #256: Pylint: whitelist packages with extension modules mbasti-rh commented: """ LGTM, I'll test it tomorrow """ See the full comment at https://github.com/freeipa/freeipa/pull/256#issuecomment-261997895 From freeipa-github-notification at redhat.com Mon Nov 21 17:08:10 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 21 Nov 2016 18:08:10 +0100 Subject: [Freeipa-devel] [freeipa PR#212][+pushed] KRA: don't add KRA container when KRA replica In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/212 Title: #212: KRA: don't add KRA container when KRA replica Label: +pushed From freeipa-github-notification at redhat.com Mon Nov 21 17:08:12 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 21 Nov 2016 18:08:12 +0100 Subject: [Freeipa-devel] [freeipa PR#212][comment] KRA: don't add KRA container when KRA replica In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/212 Title: #212: KRA: don't add KRA container when KRA replica mbasti-rh commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/61094a2a20f5cacdb7c87940d0db8d8593a87505 """ See the full comment at https://github.com/freeipa/freeipa/pull/212#issuecomment-261998716 From freeipa-github-notification at redhat.com Mon Nov 21 17:08:13 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 21 Nov 2016 18:08:13 +0100 Subject: [Freeipa-devel] [freeipa PR#212][closed] KRA: don't add KRA container when KRA replica In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/212 Author: mbasti-rh Title: #212: KRA: don't add KRA container when KRA replica Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/212/head:pr212 git checkout pr212 From freeipa-github-notification at redhat.com Mon Nov 21 17:12:09 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 21 Nov 2016 18:12:09 +0100 Subject: [Freeipa-devel] [freeipa PR#249][comment] Remove references to ds_newinst.pl In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/249 Title: #249: Remove references to ds_newinst.pl mbasti-rh commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/687ebd18a1927cd6dcbb6cb884b979096c8a44aa """ See the full comment at https://github.com/freeipa/freeipa/pull/249#issuecomment-262000279 From freeipa-github-notification at redhat.com Mon Nov 21 17:12:10 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 21 Nov 2016 18:12:10 +0100 Subject: [Freeipa-devel] [freeipa PR#249][closed] Remove references to ds_newinst.pl In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/249 Author: frasertweedale Title: #249: Remove references to ds_newinst.pl Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/249/head:pr249 git checkout pr249 From freeipa-github-notification at redhat.com Mon Nov 21 17:12:12 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 21 Nov 2016 18:12:12 +0100 Subject: [Freeipa-devel] [freeipa PR#249][+pushed] Remove references to ds_newinst.pl In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/249 Title: #249: Remove references to ds_newinst.pl Label: +pushed From freeipa-github-notification at redhat.com Mon Nov 21 17:54:53 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 21 Nov 2016 18:54:53 +0100 Subject: [Freeipa-devel] [freeipa PR#255][comment] Adjustments for setup requirements In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/255 Title: #255: Adjustments for setup requirements mbasti-rh commented: """ I found some changes in versions of dependencies I don't like, because there is no explanation why it is needed and it is out of sync between specfile and setup.py """ See the full comment at https://github.com/freeipa/freeipa/pull/255#issuecomment-262015124 From freeipa-github-notification at redhat.com Mon Nov 21 18:06:43 2016 
From: freeipa-github-notification at redhat.com (martbab) Date: Mon, 21 Nov 2016 19:06:43 +0100 Subject: [Freeipa-devel] [freeipa PR#254][comment] Replace LooseVersion with pkg_resource.parse_version In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/254 Title: #254: Replace LooseVersion with pkg_resource.parse_version martbab commented: """ It seems that your changes broke IPA upgrade: ``` Done configuring the web interface (httpd). Applying LDAP updates Upgrading IPA: [1/9]: stopping directory server [2/9]: saving configuration [3/9]: disabling listeners [4/9]: enabling DS global lock [5/9]: starting directory server [6/9]: upgrading server ipa : ERROR Upgrade failed with 'SetuptoolsVersion' object has no attribute 'version' [error] RuntimeError: 'SetuptoolsVersion' object has no attribute 'version' [cleanup]: stopping directory server [cleanup]: restoring configuration ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR Update failed: 'SetuptoolsVersion' object has no attribute 'version' ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR The ipa-server-install command failed. 
See /var/log/ipaserver-install.log for more information 11-21 18:49 ipadocker.cli ERROR Command ipa-server-install -U --domain ipa.test --realm IPA.TEST -p Secret123 -a Secret123 --setup-dns --auto-forwarders failed (exit code 1) ``` Traceback in ipaserver-install.log: ``` # tail -n 50 /var/log/ipaserver-install.log File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 481, in __runner exc_handler(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 510, in _handle_execute_exception self._handle_exception(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 500, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 471, in __runner step() File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 468, in step = lambda: next(self.__gen) File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from value = gen.send(prev_value) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 705, in _configure next(executor) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 481, in __runner exc_handler(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 510, in _handle_execute_exception self._handle_exception(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 568, in _handle_exception self.__parent._handle_exception(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 500, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 565, in _handle_exception super(ComponentBase, self)._handle_exception(exc_info) File 
"/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 500, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 471, in __runner step() File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 468, in step = lambda: next(self.__gen) File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from value = gen.send(prev_value) File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install for _nothing in self._installer(self.parent): File "/usr/lib/python2.7/site-packages/ipaserver/install/server/__init__.py", line 575, in main master_install(self) File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 265, in decorated func(installer) File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 851, in install ds.apply_updates() File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 693, in apply_updates raise RuntimeError("Update failed: %s" % e) 2016-11-21T17:49:45Z DEBUG The ipa-server-install command failed, exception: RuntimeError: Update failed: 'SetuptoolsVersion' object has no attribute 'version' 2016-11-21T17:49:45Z ERROR Update failed: 'SetuptoolsVersion' object has no attribute 'version' 2016-11-21T17:49:45Z ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information ``` """ See the full comment at https://github.com/freeipa/freeipa/pull/254#issuecomment-262018483 From freeipa-github-notification at redhat.com Mon Nov 21 18:08:51 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 21 Nov 2016 19:08:51 +0100 Subject: [Freeipa-devel] [freeipa PR#223][comment] LDAP refactoring: remove admin_conn In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/223 Title: #223: LDAP refactoring: remove admin_conn mbasti-rh commented: """ LGTM and Works for me, but I have to make sure that things I wrote inline didn't happen """ See the full comment at https://github.com/freeipa/freeipa/pull/223#issuecomment-262019068 From freeipa-github-notification at redhat.com Mon Nov 21 18:09:19 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 21 Nov 2016 19:09:19 +0100 Subject: [Freeipa-devel] [freeipa PR#223][comment] LDAP refactoring: remove admin_conn In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/223 Title: #223: LDAP refactoring: remove admin_conn mbasti-rh commented: """ LGTM and Works for me, but I have to make sure that things I wrote inline won't happen """ See the full comment at https://github.com/freeipa/freeipa/pull/223#issuecomment-262019068 From freeipa-github-notification at redhat.com Mon Nov 21 18:20:39 2016 From: freeipa-github-notification at redhat.com (tiran) Date: Mon, 21 Nov 2016 19:20:39 +0100 Subject: [Freeipa-devel] [freeipa PR#254][comment] Replace LooseVersion with pkg_resource.parse_version In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/254 Title: #254: Replace LooseVersion with pkg_resource.parse_version tiran commented: """ setuptool's version parser does not support slicing. I need to find another solution for ```verify_client_version()```. """ See the full comment at https://github.com/freeipa/freeipa/pull/254#issuecomment-262022304 From freeipa-github-notification at redhat.com Tue Nov 22 06:49:22 2016 
From: freeipa-github-notification at redhat.com (jcholast) Date: Tue, 22 Nov 2016 07:49:22 +0100 Subject: [Freeipa-devel] [freeipa PR#258][comment] Break ipaplatform / ipalib import cycle of hell In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/258 Title: #258: Break ipaplatform / ipalib import cycle of hell jcholast commented: """ The original code is broken by design IMO. The API object is used only to get the configured service startup timeout and to guess our DS instance name. None of this is platform specific, so I would prefer if we removed this from `ipaplatform` altogether instead of "just" fixing the import issue. Anyway, given that the current plan is to make `ipaclient` _not_ depend on `ipaplatform`, is this change still necessary? """ See the full comment at https://github.com/freeipa/freeipa/pull/258#issuecomment-262161616 From freeipa-github-notification at redhat.com Tue Nov 22 06:55:27 2016 From: freeipa-github-notification at redhat.com (jcholast) Date: Tue, 22 Nov 2016 07:55:27 +0100 Subject: [Freeipa-devel] [freeipa PR#244][comment] Add templating to ipaplatform path [RFC] In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/244 Title: #244: Add templating to ipaplatform path [RFC] jcholast commented: """ Also LGTM. """ See the full comment at https://github.com/freeipa/freeipa/pull/244#issuecomment-262162424 From freeipa-github-notification at redhat.com Tue Nov 22 07:58:41 2016 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Tue, 22 Nov 2016 08:58:41 +0100 Subject: [Freeipa-devel] [freeipa PR#231][comment] Do not log DM password in ca/kra installation logs In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/231 Title: #231: Do not log DM password in ca/kra installation logs tomaskrizek commented: """ I agree. We need to re-add `self.dm_password` to `nolog_list`, just like it was before I removed it [here](https://github.com/freeipa/freeipa/commit/9340a1417acf120fed3e9ffbe9d658d3456743a1#diff-36dfe273a301d6b5ea2bbcf89c7cd661L167) There is no reason to change it. I originally removed the line, because I thought I could remove `dm_password` from `DogtagInstance` altogether, but that turned out not to be the case. """ See the full comment at https://github.com/freeipa/freeipa/pull/231#issuecomment-262171995 From freeipa-github-notification at redhat.com Tue Nov 22 08:10:18 2016 From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 22 Nov 2016 09:10:18 +0100 Subject: [Freeipa-devel] [freeipa PR#231][comment] Do not log DM password in ca/kra installation logs In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/231 Title: #231: Do not log DM password in ca/kra installation logs stlaz commented: """ @martbab Oh, I thought you wanted me to re-add `dm_password` to DogtagInstance as @tomaskrizek which does not seem right as DogtagInstance is in no position to decide what to log and what not as it does not really know what's in that cfg_file it's getting. Will get it passed from the actual caller of `spawn_instance` which is either cainstance or krainstance. """ See the full comment at https://github.com/freeipa/freeipa/pull/231#issuecomment-262174051 From freeipa-github-notification at redhat.com Tue Nov 22 08:20:37 2016 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Tue, 22 Nov 2016 09:20:37 +0100 Subject: [Freeipa-devel] [freeipa PR#223][synchronized] LDAP refactoring: remove admin_conn In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/223 Author: tomaskrizek Title: #223: LDAP refactoring: remove admin_conn Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/223/head:pr223 git checkout pr223 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-223.patch Type: text/x-diff Size: 47452 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Nov 22 08:29:40 2016 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Tue, 22 Nov 2016 09:29:40 +0100 Subject: [Freeipa-devel] [freeipa PR#231][comment] Do not log DM password in ca/kra installation logs In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/231 Title: #231: Do not log DM password in ca/kra installation logs tomaskrizek commented: """ I didn't notice `dm_password` is no longer in `DogtagInstance`, I re-added it elsewhere. In that case, as @stlaz said, passing it to `spawn_instance()` seems like the proper way to do it. """ See the full comment at https://github.com/freeipa/freeipa/pull/231#issuecomment-262177507 From freeipa-github-notification at redhat.com Tue Nov 22 08:32:54 2016 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Tue, 22 Nov 2016 09:32:54 +0100 Subject: [Freeipa-devel] [freeipa PR#117][comment] Make ipa-replica-install run in interactive mode In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/117 Title: #117: Make ipa-replica-install run in interactive mode tomaskrizek commented: """ This PR needs to be rebased to reflect installer refactoring. """ See the full comment at https://github.com/freeipa/freeipa/pull/117#issuecomment-262178290 From freeipa-github-notification at redhat.com Tue Nov 22 08:59:23 2016 From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 22 Nov 2016 09:59:23 +0100 Subject: [Freeipa-devel] [freeipa PR#231][synchronized] Do not log DM password in ca/kra installation logs In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/231 Author: stlaz Title: #231: Do not log DM password in ca/kra installation logs Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/231/head:pr231 git checkout pr231 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-231.patch Type: text/x-diff Size: 3148 bytes Desc: not available URL: From dkupka at redhat.com Tue Nov 22 11:15:05 2016 
From: dkupka at redhat.com (David Kupka) Date: Tue, 22 Nov 2016 12:15:05 +0100 Subject: [Freeipa-devel] NTP in FreeIPA Message-ID: Hello everyone! Is it worth to keep configuring NTP in FreeIPA? In usual environment there're no special requirements for time synchronization and the distribution default (be it ntpd, chrony or anything else) will just work. Any tampering with the configuration can't make it any better. In environment with special requirements (network disconnected from public internet, nodes disconnected from topology for longer time, ...) time synchronization must be taken care of accordingly by system administrator and FreeIPA simply can't help here. Also there are problems and weird behavior with the current FreeIPA installers: * ipa-client-install replaces all servers in /etc/ntp.conf with the ones specified by user or resolved from DNS. If none were provided nor resolved the FreeIPA server specified/resolved during installation is used. This leads to just single server in the configuration and no time synchronization when this server is down/decommissioned. * ipa-client-install replaces the NTP configuration. If there were any parts previously edited by system administrator they are lost. * ipa-server-install adds {0-4}.$PLATFORM.pool.ntp.org to /etc/ntp.conf. What's the point in doing that? These servers're already in the configuration file installed with ntp package. I have NTP-related WIP patches that solve some of the issues but in general I would prefer to remove the whole thing together with documenting "Please make sure that time on all FreeIPA servers and clients is synchronized. On most distributions this was already done during system installation." Can we mark NTP options deprecated in 4.5 and remove them and stop touching any time syncing service in 4.6? -- David Kupka From freeipa-github-notification at redhat.com Tue Nov 22 11:17:03 2016 
From: freeipa-github-notification at redhat.com (tiran) Date: Tue, 22 Nov 2016 12:17:03 +0100 Subject: [Freeipa-devel] [freeipa PR#258][comment] Break ipaplatform / ipalib import cycle of hell In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/258 Title: #258: Break ipaplatform / ipalib import cycle of hell tiran commented: """ It's no longer a priority, but I still like to fix the imports. No matter what, the cyclic imports and cross-package dependencies are a mess. A wrong order of imports can trigger an import error. Even with this PR, ipapython.dogtag triggers an import of ipalib.api. In the long run neither ipaplatform nor ipapython should have an import dependency on ipalib or a global ipalib.api object. Instead the API object should be passed. """ See the full comment at https://github.com/freeipa/freeipa/pull/258#issuecomment-262214571 From freeipa-github-notification at redhat.com Tue Nov 22 11:17:20 2016 From: freeipa-github-notification at redhat.com (dkupka) Date: Tue, 22 Nov 2016 12:17:20 +0100 Subject: [Freeipa-devel] [freeipa PR#122][synchronized] Acceptance tests In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/122 Author: dkupka Title: #122: Acceptance tests Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/122/head:pr122 git checkout pr122 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-122.patch Type: text/x-diff Size: 2551 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Nov 22 11:43:55 2016 
From: freeipa-github-notification at redhat.com (tiran) Date: Tue, 22 Nov 2016 12:43:55 +0100 Subject: [Freeipa-devel] [freeipa PR#244][comment] Add templating to ipaplatform path [RFC] In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/244 Title: #244: Add templating to ipaplatform path [RFC] tiran commented: """ Please ignore this PR for now. It's not relevant for PyPI packages. """ See the full comment at https://github.com/freeipa/freeipa/pull/244#issuecomment-262220179 From freeipa-github-notification at redhat.com Tue Nov 22 11:50:54 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 22 Nov 2016 12:50:54 +0100 Subject: [Freeipa-devel] [freeipa PR#122][+ack] Acceptance tests In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/122 Title: #122: Acceptance tests Label: +ack From freeipa-github-notification at redhat.com Tue Nov 22 11:55:20 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Tue, 22 Nov 2016 12:55:20 +0100 Subject: [Freeipa-devel] [freeipa PR#122][closed] Acceptance tests In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/122 Author: dkupka Title: #122: Acceptance tests Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/122/head:pr122 git checkout pr122 From freeipa-github-notification at redhat.com Tue Nov 22 11:55:22 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Tue, 22 Nov 2016 12:55:22 +0100 Subject: [Freeipa-devel] [freeipa PR#122][+pushed] Acceptance tests In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/122 Title: #122: Acceptance tests Label: +pushed From freeipa-github-notification at redhat.com Tue Nov 22 11:55:24 2016 
From: freeipa-github-notification at redhat.com (martbab) Date: Tue, 22 Nov 2016 12:55:24 +0100 Subject: [Freeipa-devel] [freeipa PR#122][comment] Acceptance tests In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/122 Title: #122: Acceptance tests martbab commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/3e53bbcc34bd256da36209fd8cf8ac5d33ec8093 https://fedorahosted.org/freeipa/changeset/4225484356426a73cc11211bceda7f06ee23d093 """ See the full comment at https://github.com/freeipa/freeipa/pull/122#issuecomment-262222350 From pspacek at redhat.com Tue Nov 22 12:06:27 2016 
From: pspacek at redhat.com (Petr Spacek) Date: Tue, 22 Nov 2016 13:06:27 +0100 Subject: [Freeipa-devel] NTP in FreeIPA In-Reply-To: References: Message-ID: On 22.11.2016 12:15, David Kupka wrote: > Hello everyone! > > Is it worth to keep configuring NTP in FreeIPA? > > In usual environment there're no special requirements for time synchronization > and the distribution default (be it ntpd, chrony or anything else) will just > work. Any tampering with the configuration can't make it any better. > > In environment with special requirements (network disconnected from public > internet, nodes disconnected from topology for longer time, ...) time > synchronization must be taken care of accordingly by system administrator and > FreeIPA simply can't help here. > > Also there are problems and weird behavior with the current FreeIPA installers: > > * ipa-client-install replaces all servers in /etc/ntp.conf with the ones > specified by user or resolved from DNS. If none were provided nor resolved the > FreeIPA server specified/resolved during installation is used. This leads to > just single server in the configuration and no time synchronization when this > server is down/decommissioned. > > * ipa-client-install replaces the NTP configuration. If there were any parts > previously edited by system administrator they are lost. > > * ipa-server-install adds {0-4}.$PLATFORM.pool.ntp.org to /etc/ntp.conf. > What's the point in doing that? These servers're already in the configuration > file installed with ntp package. > > I have NTP-related WIP patches that solve some of the issues but in general I > would prefer to remove the whole thing together with documenting "Please make > sure that time on all FreeIPA servers and clients is synchronized. On most > distributions this was already done during system installation." > > Can we mark NTP options deprecated in 4.5 and remove them and stop touching > any time syncing service in 4.6? 
Considering that default config is just fine for normal cases, and given how
poorly integrated it is into FreeIPA, I agree with David. FreeIPA should get
out of configuration management business.

--
Petr^2 Spacek

From freeipa-github-notification at redhat.com Tue Nov 22 12:23:51 2016
From: freeipa-github-notification at redhat.com (tiran)
Date: Tue, 22 Nov 2016 13:23:51 +0100
Subject: [Freeipa-devel] [freeipa PR#254][comment] Replace LooseVersion with pkg_resource.parse_version
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/254
Title: #254: Replace LooseVersion with pkg_resource.parse_version

tiran commented:
"""
@martbab more fun, the doc string of ```verify_client_version``` deviates from the actual implementation. The code does not implement the minor version check. It only compares major version numbers. https://github.com/freeipa/freeipa/blob/master/ipalib/frontend.py#L764
"""

See the full comment at https://github.com/freeipa/freeipa/pull/254#issuecomment-262227600

From mbasti at redhat.com Tue Nov 22 12:37:44 2016
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 22 Nov 2016 13:37:44 +0100
Subject: [Freeipa-devel] Removing ipa.pot file from git tree
Message-ID: <2b8579cc-fca4-aac2-bc45-87bb377ea771@redhat.com>

Hello list,

we plan to remove ipa.pot file from git tree, as this file can be
generated from code during build time, and it is required only for
pushing sources to Zanata. Does anybody remember reason why this file
was added into git tree?

Note: Translated strings (*.po files) will remain in git tree.

If nobody is against it will be removed from git today, as it creates
only huge diffs all the time without any extra value.

Martin^2

From freeipa-github-notification at redhat.com Tue Nov 22 12:51:55 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Tue, 22 Nov 2016 13:51:55 +0100
Subject: [Freeipa-devel] [freeipa PR#238][+ack] Build system refactoring phase 8: update translation system
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/238
Title: #238: Build system refactoring phase 8: update translation system
Label: +ack

From dkupka at redhat.com Tue Nov 22 12:59:48 2016
From: dkupka at redhat.com (David Kupka)
Date: Tue, 22 Nov 2016 13:59:48 +0100
Subject: [Freeipa-devel] Removing ipa.pot file from git tree
In-Reply-To: <2b8579cc-fca4-aac2-bc45-87bb377ea771@redhat.com>
References: <2b8579cc-fca4-aac2-bc45-87bb377ea771@redhat.com>
Message-ID: <3ba2733c-4175-23a1-7f84-554614ce7a2a@redhat.com>

On 22/11/16 13:37, Martin Basti wrote:
> Hello list,
>
> we plan to remove ipa.pot file from git tree, as this file can be
> generated from code during build time, and it is required only for
> pushing sources to Zanata. Does anybody remember reason why this file
> was added into git tree?
>
> Note: Translated strings (*.po files) will remain in git tree.
>
>
> If nobody is against it will be removed from git today, as it creates
> only huge diffs all the time without any extra value.
>
>
> Martin^2
>

Hi!

+1, if we can generate it there's no reason to keep it in git.

git log reveals that it was added back in 2010 when adding support for
internalization:
https://git.fedorahosted.org/cgit/freeipa.git/commit/?id=4461a74

--
David Kupka

From freeipa-github-notification at redhat.com Tue Nov 22 13:56:46 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Tue, 22 Nov 2016 14:56:46 +0100
Subject: [Freeipa-devel] [freeipa PR#223][+ack] LDAP refactoring: remove admin_conn
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/223
Title: #223: LDAP refactoring: remove admin_conn
Label: +ack

From jcholast at redhat.com Tue Nov 22 14:05:38 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Tue, 22 Nov 2016 15:05:38 +0100
Subject: [Freeipa-devel] NTP in FreeIPA
In-Reply-To:
References:
Message-ID:

On 22.11.2016 13:06, Petr Spacek wrote:
> On 22.11.2016 12:15, David Kupka wrote:
>> Hello everyone!
>>
>> Is it worth to keep configuring NTP in FreeIPA?
>>
>> In usual environment there're no special requirements for time synchronization
>> and the distribution default (be it ntpd, chrony or anything else) will just
>> work. Any tampering with the configuration can't make it any better.
>>
>> In environment with special requirements (network disconnected from public
>> internet, nodes disconnected from topology for longer time, ...) time
>> synchronization must be taken care of accordingly by system administrator and
>> FreeIPA simply can't help here.
>>
>> Also there are problems and weird behavior with the current FreeIPA installers:
>>
>> * ipa-client-install replaces all servers in /etc/ntp.conf with the ones
>> specified by user or resolved from DNS. If none were provided nor resolved the
>> FreeIPA server specified/resolved during installation is used. This leads in
>> just single server in the configuration and no time synchronization when this
>> server is down/decommissioned.
>>
>> * ipa-client-install replaces the NTP configuration. If there was any parts
>> previously edited by system administrator it's lost.
>>
>> * ipa-server-install adds {0-4}.$PLATFORM.pool.ntp.org to /etc/ntp.conf.
>> What's the point in doing that? These servers're already in the configuration
>> file installed with ntp package.
>>
>> I have NTP-related WIP patches that solve some of the issues but in general I
>> would prefer to remove the whole thing together with documenting "Please make
>> sure that time on all FreeIPA servers and clients is synchronized. On most
>> distributions this was already done during system installation."
>>
>> Can we mark NTP options deprecated in 4.5 and remove them and stop touching
>> any time syncing service in 4.6?
>
> Considering that default config is just fine for normal cases, and given how
> poorly integrated it is into FreeIPA, I agree with David. FreeIPA should get
> out of configuration management business.

+1

--
Jan Cholasta

From jcholast at redhat.com Tue Nov 22 14:05:48 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Tue, 22 Nov 2016 15:05:48 +0100
Subject: [Freeipa-devel] Removing ipa.pot file from git tree
In-Reply-To: <3ba2733c-4175-23a1-7f84-554614ce7a2a@redhat.com>
References: <2b8579cc-fca4-aac2-bc45-87bb377ea771@redhat.com> <3ba2733c-4175-23a1-7f84-554614ce7a2a@redhat.com>
Message-ID: <8a8f3b70-2cc8-0a66-e889-0bd2186a11fb@redhat.com>

On 22.11.2016 13:59, David Kupka wrote:
> On 22/11/16 13:37, Martin Basti wrote:
>> Hello list,
>>
>> we plan to remove ipa.pot file from git tree, as this file can be
>> generated from code during build time, and it is required only for
>> pushing sources to Zanata. Does anybody remember reason why this file
>> was added into git tree?
>>
>> Note: Translated strings (*.po files) will remain in git tree.
>>
>>
>> If nobody is against it will be removed from git today, as it creates
>> only huge diffs all the time without any extra value.
>>
>>
>> Martin^2
>>
>
> Hi!
>
> +1, if we can generate it there's no reason to keep it in git.

+1

>
> git log reveals that it was added back in 2010 when adding support for
> internalization:
> https://git.fedorahosted.org/cgit/freeipa.git/commit/?id=4461a74
>

--
Jan Cholasta

From freeipa-github-notification at redhat.com Tue Nov 22 14:38:19 2016
From: freeipa-github-notification at redhat.com (tiran)
Date: Tue, 22 Nov 2016 15:38:19 +0100
Subject: [Freeipa-devel] [freeipa PR#254][synchronized] Replace LooseVersion with pkg_resource.parse_version
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/254
Author: tiran
Title: #254: Replace LooseVersion with pkg_resource.parse_version
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/254/head:pr254
git checkout pr254
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-254.patch
Type: text/x-diff
Size: 10049 bytes
Desc: not available
URL:

From pspacek at redhat.com Tue Nov 22 15:04:06 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Tue, 22 Nov 2016 16:04:06 +0100
Subject: [Freeipa-devel] client-only FreeIPA build
Message-ID: <11a496fe-aa98-1192-2862-c7490f6c4330@redhat.com>

Hello,

the recent changes with regard to
http://www.freeipa.org/page/V4/Integration_Improvements
beg a question whether we should invest into supporting client-only builds in
FreeIPA build system.

Right now, FreeIPA can be built on all architectures we care about so there is
no incentive to invest into client-only build - this applies to binary/RPM builds.


The question is, do we need something special in build system for Integration
Improvements effort? If not, can we drop the remains of client-only build?
(They are not functional anyway so we should either drop them or fix them.)

Thank you for answers.

For completeness, the RPM build somehow works on following architectures:
aarch64
armv7hl
i686
ppc
ppc64
ppc64le
s390
s390x
x86_64

--
Petr^2 Spacek

From freeipa-github-notification at redhat.com Tue Nov 22 15:09:49 2016
From: freeipa-github-notification at redhat.com (tiran)
Date: Tue, 22 Nov 2016 16:09:49 +0100
Subject: [Freeipa-devel] [freeipa PR#263][opened] Backwards compatibility with setuptools 0.9.8
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/263
Author: tiran
Title: #263: Backwards compatibility with setuptools 0.9.8
Action: opened

PR body:
"""
Setuptools 0.9.8 does not support PEP 440 version schema with +git suffix.

Signed-off-by: Christian Heimes
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/263/head:pr263
git checkout pr263
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-263.patch
Type: text/x-diff
Size: 1691 bytes
Desc: not available
URL:

From lslebodn at redhat.com Tue Nov 22 15:14:47 2016
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Tue, 22 Nov 2016 16:14:47 +0100
Subject: [Freeipa-devel] client-only FreeIPA build
In-Reply-To: <11a496fe-aa98-1192-2862-c7490f6c4330@redhat.com>
References: <11a496fe-aa98-1192-2862-c7490f6c4330@redhat.com>
Message-ID: <20161122151447.GE2754@10.4.128.1>

On (22/11/16 16:04), Petr Spacek wrote:
>Hello,
>
>the recent changes with regard to
>http://www.freeipa.org/page/V4/Integration_Improvements
>beg a question whether we should invest into supporting client-only builds in
>FreeIPA build system.
>
>Right now, FreeIPA can be built on all architectures we care about so there is
>no incentive to invest into client-only build - this applies to binary/RPM builds.
>
>
>The question is, do we need something special in build system for Integration
>Improvements effort? If not, can we drop the remains of client-only build?
>(They are not functional anyway so we should either drop them or fix them.)
>
What do you mean by "remains of client-only build"?
IIRC you drop this feature in the 1st patch set.

LS

From freeipa-github-notification at redhat.com Tue Nov 22 15:15:21 2016
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 22 Nov 2016 16:15:21 +0100 Subject: [Freeipa-devel] [freeipa PR#238][+pushed] Build system refactoring phase 8: update translation system In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/238 Title: #238: Build system refactoring phase 8: update translation system Label: +pushed From freeipa-github-notification at redhat.com Tue Nov 22 15:15:22 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 22 Nov 2016 16:15:22 +0100 Subject: [Freeipa-devel] [freeipa PR#238][closed] Build system refactoring phase 8: update translation system In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/238 Author: pspacek Title: #238: Build system refactoring phase 8: update translation system Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/238/head:pr238 git checkout pr238 From freeipa-github-notification at redhat.com Tue Nov 22 15:15:24 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 22 Nov 2016 16:15:24 +0100 Subject: [Freeipa-devel] [freeipa PR#238][comment] Build system refactoring phase 8: update translation system In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/238 Title: #238: Build system refactoring phase 8: update translation system mbasti-rh commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/4842231074683ff68be50b147560f5383aa305b6 https://fedorahosted.org/freeipa/changeset/d40c376ccc1ec9292df0306134c7bfdfd096566e https://fedorahosted.org/freeipa/changeset/166257ec5b33dd2c95bbaf8463867c77fd6ef5db https://fedorahosted.org/freeipa/changeset/9ef5a7de781f2508c2925225533973417458d0ea https://fedorahosted.org/freeipa/changeset/8a7962585069d7b0ff7e8d87ce094f07c16b3cd4 https://fedorahosted.org/freeipa/changeset/4c133837d149352a68e1d6cbefbb28e4ae048755 """ See the full comment at https://github.com/freeipa/freeipa/pull/238#issuecomment-262267304 From freeipa-github-notification at redhat.com Tue Nov 22 15:17:57 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 22 Nov 2016 16:17:57 +0100 Subject: [Freeipa-devel] [freeipa PR#223][+pushed] LDAP refactoring: remove admin_conn In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/223 Title: #223: LDAP refactoring: remove admin_conn Label: +pushed From freeipa-github-notification at redhat.com Tue Nov 22 15:17:58 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 22 Nov 2016 16:17:58 +0100 Subject: [Freeipa-devel] [freeipa PR#223][comment] LDAP refactoring: remove admin_conn In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/223 Title: #223: LDAP refactoring: remove admin_conn mbasti-rh commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/68295bf8cfd57333deb50f58df1b336a4b48ffe7 https://fedorahosted.org/freeipa/changeset/0914fc6a6043846159f6d1c4bb433dcfe9ee3f46 """ See the full comment at https://github.com/freeipa/freeipa/pull/223#issuecomment-262268201 From freeipa-github-notification at redhat.com Tue Nov 22 15:17:59 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 22 Nov 2016 16:17:59 +0100 Subject: [Freeipa-devel] [freeipa PR#223][closed] LDAP refactoring: remove admin_conn In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/223 Author: tomaskrizek Title: #223: LDAP refactoring: remove admin_conn Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/223/head:pr223 git checkout pr223 From jcholast at redhat.com Tue Nov 22 15:27:15 2016 
From: jcholast at redhat.com (Jan Cholasta)
Date: Tue, 22 Nov 2016 16:27:15 +0100
Subject: [Freeipa-devel] client-only FreeIPA build
In-Reply-To: <11a496fe-aa98-1192-2862-c7490f6c4330@redhat.com>
References: <11a496fe-aa98-1192-2862-c7490f6c4330@redhat.com>
Message-ID:

Hi,

On 22.11.2016 16:04, Petr Spacek wrote:
> Hello,
>
> the recent changes with regard to
> http://www.freeipa.org/page/V4/Integration_Improvements
> beg a question whether we should invest into supporting client-only builds in
> FreeIPA build system.
>
> Right now, FreeIPA can be built on all architectures we care about so there is
> no incentive to invest into client-only build - this applies to binary/RPM builds.

Client-only build lowers the barrier for porting IPA to new platforms (porting
only client code is *much* easier than porting the whole thing), so I would
very much prefer if we kept it.

Honza

--
Jan Cholasta

From pspacek at redhat.com Tue Nov 22 15:29:52 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Tue, 22 Nov 2016 16:29:52 +0100
Subject: [Freeipa-devel] client-only FreeIPA build
In-Reply-To:
References: <11a496fe-aa98-1192-2862-c7490f6c4330@redhat.com>
Message-ID: <73043385-a5c1-9138-760a-d6e493c7608d@redhat.com>

On 22.11.2016 16:27, Jan Cholasta wrote:
> Hi,
>
> On 22.11.2016 16:04, Petr Spacek wrote:
>> Hello,
>>
>> the recent changes with regard to
>> http://www.freeipa.org/page/V4/Integration_Improvements
>> beg a question whether we should invest into supporting client-only builds in
>> FreeIPA build system.
>>
>> Right now, FreeIPA can be built on all architectures we care about so there is
>> no incentive to invest into client-only build - this applies to binary/RPM
>> builds.
>
> Client-only build lowers the barrier for porting IPA to new platforms (porting
> only client code is *much* easier than porting the whole thing), so I would
> very much prefer if we kept it.

Understood.

Wondering out loud: What prevents the "porter" from doing full build and then
packaging only client bits? Yes, he has to install some of the dependencies
for the build to pass but still, it is way easier than actually making server
fully functional.

Petr, are you going to allocate time for this soonish or should I open a
ticket and forget about it for now?

--
Petr^2 Spacek

From pspacek at redhat.com Tue Nov 22 15:30:38 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Tue, 22 Nov 2016 16:30:38 +0100
Subject: [Freeipa-devel] client-only FreeIPA build
In-Reply-To: <20161122151447.GE2754@10.4.128.1>
References: <11a496fe-aa98-1192-2862-c7490f6c4330@redhat.com> <20161122151447.GE2754@10.4.128.1>
Message-ID: <4a25b8c7-d897-b378-9366-f5f4af81da6a@redhat.com>

On 22.11.2016 16:14, Lukas Slebodnik wrote:
> On (22/11/16 16:04), Petr Spacek wrote:
>> Hello,
>>
>> the recent changes with regard to
>> http://www.freeipa.org/page/V4/Integration_Improvements
>> beg a question whether we should invest into supporting client-only builds in
>> FreeIPA build system.
>>
>> Right now, FreeIPA can be built on all architectures we care about so there is
>> no incentive to invest into client-only build - this applies to binary/RPM builds.
>>
>>
>> The question is, do we need something special in build system for Integration
>> Improvements effort? If not, can we drop the remains of client-only build?
>> (They are not functional anyway so we should either drop them or fix them.)
>>
> What do you mean by "remains of client-only build"?
> IIRC you drop this feature in the 1st patch set.

There are still references to it in freeipa.spec.in and so on.

--
Petr^2 Spacek

From freeipa-github-notification at redhat.com Tue Nov 22 15:54:37 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Tue, 22 Nov 2016 16:54:37 +0100
Subject: [Freeipa-devel] [freeipa PR#235][comment] Remove unused Knob function
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/235
Title: #235: Remove unused Knob function

mbasti-rh commented:
"""
@jcholast ping
"""

See the full comment at https://github.com/freeipa/freeipa/pull/235#issuecomment-262279274

From lslebodn at redhat.com Tue Nov 22 15:59:06 2016
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Tue, 22 Nov 2016 16:59:06 +0100
Subject: [Freeipa-devel] client-only FreeIPA build
In-Reply-To: <73043385-a5c1-9138-760a-d6e493c7608d@redhat.com>
References: <11a496fe-aa98-1192-2862-c7490f6c4330@redhat.com> <73043385-a5c1-9138-760a-d6e493c7608d@redhat.com>
Message-ID: <20161122155905.GA27420@10.4.128.1>

On (22/11/16 16:29), Petr Spacek wrote:
>On 22.11.2016 16:27, Jan Cholasta wrote:
>> Hi,
>>
>> On 22.11.2016 16:04, Petr Spacek wrote:
>>> Hello,
>>>
>>> the recent changes with regard to
>>> http://www.freeipa.org/page/V4/Integration_Improvements
>>> beg a question whether we should invest into supporting client-only builds in
>>> FreeIPA build system.
>>>
>>> Right now, FreeIPA can be built on all architectures we care about so there is
>>> no incentive to invest into client-only build - this applies to binary/RPM
>>> builds.
>>
>> Client-only build lowers the barrier for porting IPA to new platforms (porting
>> only client code is *much* easier than porting the whole thing), so I would
>> very much prefer if we kept it.
>
>Understood.
>
Agree about portability

But upstream spec file needn't have such relicts.
The upstream spec file is pure fedora specific.

>Wondering out loud: What prevents the "porter" from doing full build and then
>packaging only client bits? Yes, he has to install some of the dependencies
>for the build to pass but still, it is way easier than actually making server
>fully functional.
>
>Petr, are you going to allocate time for this soonish or should I open a
>ticket and forget about it for now?
>
LS

From rcritten at redhat.com Tue Nov 22 16:25:29 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 22 Nov 2016 11:25:29 -0500
Subject: [Freeipa-devel] client-only FreeIPA build
In-Reply-To: <20161122155905.GA27420@10.4.128.1>
References: <11a496fe-aa98-1192-2862-c7490f6c4330@redhat.com> <73043385-a5c1-9138-760a-d6e493c7608d@redhat.com> <20161122155905.GA27420@10.4.128.1>
Message-ID: <58347179.8010309@redhat.com>

Lukas Slebodnik wrote:
> On (22/11/16 16:29), Petr Spacek wrote:
>> On 22.11.2016 16:27, Jan Cholasta wrote:
>>> Hi,
>>>
>>> On 22.11.2016 16:04, Petr Spacek wrote:
>>>> Hello,
>>>>
>>>> the recent changes with regard to
>>>> http://www.freeipa.org/page/V4/Integration_Improvements
>>>> beg a question whether we should invest into supporting client-only builds in
>>>> FreeIPA build system.

Note that the Integration efforts don't really apply. The client-only
install is for doing client enrollment and integration can mean lots of
things.

>>>>
>>>> Right now, FreeIPA can be built on all architectures we care about so there is
>>>> no incentive to invest into client-only build - this applies to binary/RPM
>>>> builds.
>>>
>>> Client-only build lowers the barrier for porting IPA to new platforms (porting
>>> only client code is *much* easier than porting the whole thing), so I would
>>> very much prefer if we kept it.
>>
>> Understood.
>>
> Agree about portability
>
> But upstream spec file needn't have such relicts.
> The upstream spec file is pure fedora specific.

The upstream spec is what is used to document and verify that the
client-only build actually works.

I also think it is a worthy goal to maintain.

>> Wondering out loud: What prevents the "porter" from doing full build and then
>> packaging only client bits? Yes, he has to install some of the dependencies
>> for the build to pass but still, it is way easier than actually making server
>> fully functional.

It is not an insignificant amount of dependencies to build all of IPA.

>> Petr, are you going to allocate time for this soonish or should I open a
>> ticket and forget about it for now?

IMHO this should be covered under the build refactoring to avoid
regressions.

rob

From freeipa-github-notification at redhat.com Tue Nov 22 16:29:57 2016
From: freeipa-github-notification at redhat.com (jcholast)
Date: Tue, 22 Nov 2016 17:29:57 +0100
Subject: [Freeipa-devel] [freeipa PR#235][comment] Remove unused Knob function
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/235
Title: #235: Remove unused Knob function

jcholast commented:
"""
There was no reason, I just forgot, so go ahead.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/235#issuecomment-262290033

From freeipa-github-notification at redhat.com Tue Nov 22 16:36:01 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Tue, 22 Nov 2016 17:36:01 +0100
Subject: [Freeipa-devel] [freeipa PR#235][+ack] Remove unused Knob function
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/235
Title: #235: Remove unused Knob function
Label: +ack

From freeipa-github-notification at redhat.com Tue Nov 22 16:36:43 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Tue, 22 Nov 2016 17:36:43 +0100
Subject: [Freeipa-devel] [freeipa PR#256][+ack] Pylint: whitelist packages with extension modules
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/256
Title: #256: Pylint: whitelist packages with extension modules
Label: +ack

From freeipa-github-notification at redhat.com Tue Nov 22 16:38:11 2016
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 22 Nov 2016 17:38:11 +0100 Subject: [Freeipa-devel] [freeipa PR#256][+pushed] Pylint: whitelist packages with extension modules In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/256 Title: #256: Pylint: whitelist packages with extension modules Label: +pushed From freeipa-github-notification at redhat.com Tue Nov 22 16:38:12 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 22 Nov 2016 17:38:12 +0100 Subject: [Freeipa-devel] [freeipa PR#256][comment] Pylint: whitelist packages with extension modules In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/256 Title: #256: Pylint: whitelist packages with extension modules mbasti-rh commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/573eee444e1746fd5949897294c96a1793e74511 """ See the full comment at https://github.com/freeipa/freeipa/pull/256#issuecomment-262292430 From freeipa-github-notification at redhat.com Tue Nov 22 16:38:14 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 22 Nov 2016 17:38:14 +0100 Subject: [Freeipa-devel] [freeipa PR#256][closed] Pylint: whitelist packages with extension modules In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/256 Author: tiran Title: #256: Pylint: whitelist packages with extension modules Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/256/head:pr256 git checkout pr256 From freeipa-github-notification at redhat.com Tue Nov 22 16:38:59 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 22 Nov 2016 17:38:59 +0100 Subject: [Freeipa-devel] [freeipa PR#235][comment] Remove unused Knob function In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/235 Title: #235: Remove unused Knob function mbasti-rh commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/55b14abcb561422cf48755dae6b0638656535fe5 """ See the full comment at https://github.com/freeipa/freeipa/pull/235#issuecomment-262292673 From freeipa-github-notification at redhat.com Tue Nov 22 16:39:00 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 22 Nov 2016 17:39:00 +0100 Subject: [Freeipa-devel] [freeipa PR#235][+pushed] Remove unused Knob function In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/235 Title: #235: Remove unused Knob function Label: +pushed From freeipa-github-notification at redhat.com Tue Nov 22 16:39:01 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 22 Nov 2016 17:39:01 +0100 Subject: [Freeipa-devel] [freeipa PR#235][closed] Remove unused Knob function In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/235 Author: mbasti-rh Title: #235: Remove unused Knob function Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/235/head:pr235 git checkout pr235 From freeipa-github-notification at redhat.com Tue Nov 22 16:44:20 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 22 Nov 2016 17:44:20 +0100 Subject: [Freeipa-devel] [freeipa PR#259][+ack] Minor fixes for IPAVersion class In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/259 Title: #259: Minor fixes for IPAVersion class Label: +ack From freeipa-github-notification at redhat.com Tue Nov 22 16:44:52 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 22 Nov 2016 17:44:52 +0100 Subject: [Freeipa-devel] [freeipa PR#259][+pushed] Minor fixes for IPAVersion class In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/259 Title: #259: Minor fixes for IPAVersion class Label: +pushed From freeipa-github-notification at redhat.com Tue Nov 22 16:44:54 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 22 Nov 2016 17:44:54 +0100 Subject: [Freeipa-devel] [freeipa PR#259][comment] Minor fixes for IPAVersion class In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/259 Title: #259: Minor fixes for IPAVersion class mbasti-rh commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/29947fe1a304ff6f913e5d94d56d8108a7c94087 """ See the full comment at https://github.com/freeipa/freeipa/pull/259#issuecomment-262294491 From freeipa-github-notification at redhat.com Tue Nov 22 16:44:55 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 22 Nov 2016 17:44:55 +0100 Subject: [Freeipa-devel] [freeipa PR#259][closed] Minor fixes for IPAVersion class In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/259 Author: tiran Title: #259: Minor fixes for IPAVersion class Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/259/head:pr259 git checkout pr259 From pvoborni at redhat.com Tue Nov 22 17:10:12 2016 
From: pvoborni at redhat.com (Petr Vobornik)
Date: Tue, 22 Nov 2016 18:10:12 +0100
Subject: [Freeipa-devel] client-only FreeIPA build
In-Reply-To: <58347179.8010309@redhat.com>
References: <11a496fe-aa98-1192-2862-c7490f6c4330@redhat.com> <73043385-a5c1-9138-760a-d6e493c7608d@redhat.com> <20161122155905.GA27420@10.4.128.1> <58347179.8010309@redhat.com>
Message-ID: <2937074f-9187-4a42-052b-2dc4d453f69b@redhat.com>

On 11/22/2016 05:25 PM, Rob Crittenden wrote:
> Lukas Slebodnik wrote:
>> On (22/11/16 16:29), Petr Spacek wrote:
>>> On 22.11.2016 16:27, Jan Cholasta wrote:
>>>> Hi,
>>>>
>>>> On 22.11.2016 16:04, Petr Spacek wrote:
>>>>> Hello,
>>>>>
>>>>> the recent changes with regard to
>>>>> http://www.freeipa.org/page/V4/Integration_Improvements
>>>>> beg a question whether we should invest into supporting client-only builds in
>>>>> FreeIPA build system.
>
> Note that the Integration efforts don't really apply. The client-only
> install is for doing client enrollment and integration can mean lots of
> things.
>
>>>>>
>>>>> Right now, FreeIPA can be built on all architectures we care about so there is
>>>>> no incentive to invest into client-only build - this applies to binary/RPM
>>>>> builds.
>>>>
>>>> Client-only build lowers the barrier for porting IPA to new platforms (porting
>>>> only client code is *much* easier than porting the whole thing), so I would
>>>> very much prefer if we kept it.
>>>
>>> Understood.
>>>
>> Agree about portability
>>
>> But upstream spec file needn't have such relicts.
>> The upstream spec file is pure fedora specific.
>
> The upstream spec is what is used to document and verify that the
> client-only build actually works.
>
> I also think it is a worthy goal to maintain.
>
>>> Wondering out loud: What prevents the "porter" from doing full build and then
>>> packaging only client bits? Yes, he has to install some of the dependencies
>>> for the build to pass but still, it is way easier than actually making server
>>> fully functional.
>
> It is not an insignificant amount of dependencies to build all of IPA.
>
>>> Petr, are you going to allocate time for this soonish or should I open a
>>> ticket and forget about it for now?
>
> IMHO this should be covered under the build refactoring to avoid
> regressions.
>
> rob
>

I think we should not implement it. I see no need. Fedora, Debian, RHEL all work with server build. Difference between arches is not issue as well.

If somebody would want it for porting IPA on other distro then fine. But at that stage there will be more stuff to figure out so writing the patch can wait for that eventuality.

--
Petr Vobornik

From freeipa-github-notification at redhat.com Tue Nov 22 17:33:07 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Tue, 22 Nov 2016 18:33:07 +0100
Subject: [Freeipa-devel] [freeipa PR#139][comment] WebUI: Vault Management
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/139
Title: #139: WebUI: Vault Management

mbasti-rh commented:
"""
NACK

1) view My User Vaults/Add vault
There is no marked radio button and all fields are shown which are mutually
exclusive. A one option from radio group should be marked. It is doing fancy
things when no radiobutton is marked and you fill other fields and press add.

2) Vault config view shows only one server, not list of all KRA servers installed

3) I'm quite puzzled with behavior
`User Vaults` and `My User Vaults` executes following commands
```
User Vaults: vault-find --users --pkey-only
My Users Vaults: vault-find
```

So how does it actually works? What `My User Vault` do then? I would expect a
filter in that command and users flag. Also why in one case was called command
with --pkey-only and not in second time?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/139#issuecomment-262308679

From redhatrises at gmail.com Tue Nov 22 22:15:07 2016
From: redhatrises at gmail.com (Gabe Alford)
Date: Tue, 22 Nov 2016 15:15:07 -0700
Subject: [Freeipa-devel] NTP in FreeIPA
In-Reply-To:
References:
Message-ID:

I would say that it is worth keeping in FreeIPA. I know myself and some
customers use its functionality by having the clients sync to the IPA
servers and have the servers sync to the NTP source. This way if the NTP
source ever gets disrupted for long periods of time (which has happened in
my environment) the client time drifts with the authentication source. This
is the way that AD often works and is configured.

On Tue, Nov 22, 2016 at 7:05 AM, Jan Cholasta wrote:

> On 22.11.2016 13:06, Petr Spacek wrote:
>
>> On 22.11.2016 12:15, David Kupka wrote:
>>
>>> Hello everyone!
>>>
>>> Is it worth to keep configuring NTP in FreeIPA?
>>>
>>> In usual environment there're no special requirements for time synchronization
>>> and the distribution default (be it ntpd, chrony or anything else) will just
>>> work. Any tampering with the configuration can't make it any better.
>>>
>>> In environment with special requirements (network disconnected from public
>>> internet, nodes disconnected from topology for longer time, ...) time
>>> synchronization must be taken care of accordingly by system administrator and
>>> FreeIPA simply can't help here.
>>>
>>> Also there are problems and weird behavior with the current FreeIPA installers:
>>>
>>> * ipa-client-install replaces all servers in /etc/ntp.conf with the ones
>>> specified by user or resolved from DNS. If none were provided nor resolved the
>>> FreeIPA server specified/resolved during installation is used. This leads in
>>> just single server in the configuration and no time synchronization when this
>>> server is down/decommissioned.
>>>
>>> * ipa-client-install replaces the NTP configuration. If there was any parts
>>> previously edited by system administrator it's lost.
>>>
>>> * ipa-server-install adds {0-4}.$PLATFORM.pool.ntp.org to /etc/ntp.conf.
>>> What's the point in doing that? These servers're already in the configuration
>>> file installed with ntp package.
>>>
>>> I have NTP-related WIP patches that solve some of the issues but in general I
>>> would prefer to remove the whole thing together with documenting "Please make
>>> sure that time on all FreeIPA servers and clients is synchronized. On most
>>> distributions this was already done during system installation."
>>>
>>> Can we mark NTP options deprecated in 4.5 and remove them and stop touching
>>> any time syncing service in 4.6?
>>>
>>
>> Considering that default config is just fine for normal cases, and given how
>> poorly integrated it is into FreeIPA, I agree with David. FreeIPA should get
>> out of configuration management business.
>>
>
> +1
>
> --
> Jan Cholasta
>
>
> --
> Manage your subscription for the Freeipa-devel mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-devel
> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
>

From jcholast at redhat.com Wed Nov 23 06:54:56 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Wed, 23 Nov 2016 07:54:56 +0100
Subject: [Freeipa-devel] client-only FreeIPA build
In-Reply-To: <20161122155905.GA27420@10.4.128.1>
References: <11a496fe-aa98-1192-2862-c7490f6c4330@redhat.com> <73043385-a5c1-9138-760a-d6e493c7608d@redhat.com> <20161122155905.GA27420@10.4.128.1>
Message-ID: <2fc0ee2e-dafb-fb0d-0614-a830a8e85a1f@redhat.com>

On 22.11.2016 16:59, Lukas Slebodnik wrote:
> On (22/11/16 16:29), Petr Spacek wrote:
>> On 22.11.2016 16:27, Jan Cholasta wrote:
>>> Hi,
>>>
>>> On 22.11.2016 16:04, Petr Spacek wrote:
>>>> Hello,
>>>>
>>>> the recent changes with regard to
>>>> http://www.freeipa.org/page/V4/Integration_Improvements
>>>> beg a question whether we should invest into supporting client-only builds in
>>>> FreeIPA build system.
>>>>
>>>> Right now, FreeIPA can be built on all architectures we care about so there is
>>>> no incentive to invest into client-only build - this applies to binary/RPM
>>>> builds.
>>>
>>> Client-only build lowers the barrier for porting IPA to new platforms (porting
>>> only client code is *much* easier than porting the whole thing), so I would
>>> very much prefer if we kept it.
>>
>> Understood.
>>
> Agree about portability
>
> But upstream spec file needn't have such relicts.

I like to think about the upstream spec file as sort of a template for
porting, so I can't say I agree. There is no other definitive, up-to-date
source of information about what are the dependencies, how to properly
build IPA for downstream packaging and what needs to be executed on
package install and upgrade.

> The upstream spec file is pure fedora specific.

Almost :-) The actual downstream Fedora spec file differs slightly, and
the upstream spec file is actually usable on RHEL as well.

>
>> Wondering out loud: What prevents the "porter" from doing full build and then
>> packaging only client bits? Yes, he has to install some of the dependencies
>> for the build to pass but still, it is way easier than actually making server
>> fully functional.

The issue with this is that some of the dependencies might not had been
ported as well, which would leave the porters to either do it themselves,
which might not be a trivial task, or wait for someone else to do it,
which might take ages.

Speaking from my own experience, when I was porting IPA client to Arch
Linux [1], I had to port authconfig first. I had hard time doing it,
harder than porting IPA client itself. I can't imagine how much harder
would it be if I had to first port DS and Samba 4 with MIT Kerberos as
well.

[1] https://aur.archlinux.org/packages/freeipa-client/

--
Jan Cholasta

From jcholast at redhat.com Wed Nov 23 07:10:01 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Wed, 23 Nov 2016 08:10:01 +0100
Subject: [Freeipa-devel] client-only FreeIPA build
In-Reply-To: <2937074f-9187-4a42-052b-2dc4d453f69b@redhat.com>
References: <11a496fe-aa98-1192-2862-c7490f6c4330@redhat.com> <73043385-a5c1-9138-760a-d6e493c7608d@redhat.com> <20161122155905.GA27420@10.4.128.1> <58347179.8010309@redhat.com> <2937074f-9187-4a42-052b-2dc4d453f69b@redhat.com>
Message-ID: <462588f9-9e37-a247-9758-7d97c139da7c@redhat.com>

On 22.11.2016 18:10, Petr Vobornik wrote:
> On 11/22/2016 05:25 PM, Rob Crittenden wrote:
>> Lukas Slebodnik wrote:
>>> On (22/11/16 16:29), Petr Spacek wrote:
>>>> On 22.11.2016 16:27, Jan Cholasta wrote:
>>>>> Hi,
>>>>>
>>>>> On 22.11.2016 16:04, Petr Spacek wrote:
>>>>>> Hello,
>>>>>>
>>>>>> the recent changes with regard to
>>>>>> http://www.freeipa.org/page/V4/Integration_Improvements
>>>>>> beg a question whether we should invest into supporting client-only builds in
>>>>>> FreeIPA build system.
>>
>> Note that the Integration efforts don't really apply. The client-only
>> install is for doing client enrollment and integration can mean lots of
>> things.
>>
>>>>>>
>>>>>> Right now, FreeIPA can be built on all architectures we care about so there is
>>>>>> no incentive to invest into client-only build - this applies to binary/RPM
>>>>>> builds.
>>>>>
>>>>> Client-only build lowers the barrier for porting IPA to new platforms (porting
>>>>> only client code is *much* easier than porting the whole thing), so I would
>>>>> very much prefer if we kept it.
>>>>
>>>> Understood.
>>>>
>>> Agree about portability
>>>
>>> But upstream spec file needn't have such relicts.
>>> The upstream spec file is pure fedora specific.
>>
>> The upstream spec is what is used to document and verify that the
>> client-only build actually works.
>>
>> I also think it is a worthy goal to maintain.
>>
>>>> Wondering out loud: What prevents the "porter" from doing full build and then
>>>> packaging only client bits? Yes, he has to install some of the dependencies
>>>> for the build to pass but still, it is way easier than actually making server
>>>> fully functional.
>>
>> It is not an insignificant amount of dependencies to build all of IPA.
>>
>>>> Petr, are you going to allocate time for this soonish or should I open a
>>>> ticket and forget about it for now?
>>
>> IMHO this should be covered under the build refactoring to avoid
>> regressions.

+1

>>
>> rob
>>
>
> I think we should not implement it. I see no need. Fedora, Debian, RHEL
> all work with server build. Difference between arches is not issue as well.

This assumes that these are the only ports out there, which I know for
fact they are not [1].

>
> If somebody would want it for porting IPA on other distro then fine. But
> at that stage there will be more stuff to figure out so writing the
> patch can wait for that eventuality.

[1] https://aur.archlinux.org/packages/freeipa-client/

--
Jan Cholasta

From abokovoy at redhat.com Wed Nov 23 07:38:09 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 23 Nov 2016 09:38:09 +0200
Subject: [Freeipa-devel] client-only FreeIPA build
In-Reply-To: <462588f9-9e37-a247-9758-7d97c139da7c@redhat.com>
References: <11a496fe-aa98-1192-2862-c7490f6c4330@redhat.com> <73043385-a5c1-9138-760a-d6e493c7608d@redhat.com> <20161122155905.GA27420@10.4.128.1> <58347179.8010309@redhat.com> <2937074f-9187-4a42-052b-2dc4d453f69b@redhat.com> <462588f9-9e37-a247-9758-7d97c139da7c@redhat.com>
Message-ID: <20161123073809.c7k7arlcuoulrgeh@redhat.com>

On Wed, 23 Nov 2016, Jan Cholasta wrote:
>On 22.11.2016 18:10, Petr Vobornik wrote:
>>On 11/22/2016 05:25 PM, Rob Crittenden wrote:
>>>Lukas Slebodnik wrote:
>>>>On (22/11/16 16:29), Petr Spacek wrote:
>>>>>On 22.11.2016 16:27, Jan Cholasta wrote:
>>>>>>Hi,
>>>>>>
>>>>>>On 22.11.2016 16:04, Petr Spacek wrote:
>>>>>>>Hello,
>>>>>>>
>>>>>>>the recent changes with regard to
>>>>>>>http://www.freeipa.org/page/V4/Integration_Improvements
>>>>>>>beg a question whether we should invest into supporting client-only builds in
>>>>>>>FreeIPA build system.
>>>
>>>Note that the Integration efforts don't really apply. The client-only
>>>install is for doing client enrollment and integration can mean lots of
>>>things.
>>>
>>>>>>>
>>>>>>>Right now, FreeIPA can be built on all architectures we care about so there is
>>>>>>>no incentive to invest into client-only build - this applies to binary/RPM
>>>>>>>builds.
>>>>>>
>>>>>>Client-only build lowers the barrier for porting IPA to new platforms (porting
>>>>>>only client code is *much* easier than porting the whole thing), so I would
>>>>>>very much prefer if we kept it.
>>>>>
>>>>>Understood.
>>>>>
>>>>Agree about portability
>>>>
>>>>But upstream spec file needn't have such relicts.
>>>>The upstream spec file is pure fedora specific.
>>>
>>>The upstream spec is what is used to document and verify that the
>>>client-only build actually works.
>>>
>>>I also think it is a worthy goal to maintain.
>>>
>>>>>Wondering out loud: What prevents the "porter" from doing full build and then
>>>>>packaging only client bits? Yes, he has to install some of the dependencies
>>>>>for the build to pass but still, it is way easier than actually making server
>>>>>fully functional.
>>>
>>>It is not an insignificant amount of dependencies to build all of IPA.
>>>
>>>>>Petr, are you going to allocate time for this soonish or should I open a
>>>>>ticket and forget about it for now?
>>>
>>>IMHO this should be covered under the build refactoring to avoid
>>>regressions.
>
>+1
>
>>>
>>>rob
>>>
>>
>>I think we should not implement it. I see no need. Fedora, Debian, RHEL
>>all work with server build. Difference between arches is not issue as well.
>
>This assumes that these are the only ports out there, which I know for
>fact they are not [1].

Right. I also inclined to keep client-only build for bootstrapping new
distros. For example, nothing prevents us to have a FreeBSD support for
client side but I don't think there will be any effort of porting the
whole server side there.

--
/ Alexander Bokovoy

From freeipa-github-notification at redhat.com Wed Nov 23 09:09:01 2016
From: freeipa-github-notification at redhat.com (tiran)
Date: Wed, 23 Nov 2016 10:09:01 +0100
Subject: [Freeipa-devel] [freeipa PR#264][opened] Python3 pylint fixes
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/264
Author: tiran
Title: #264: Python3 pylint fixes
Action: opened

PR body:
"""
Sprinkle 'pylint disable' comments over the code base to silence a bunch
of pylint warnings on Python 3. All silenced warnings are harmless and
not bugs.

https://fedorahosted.org/freeipa/ticket/4985
Signed-off-by: Christian Heimes
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/264/head:pr264
git checkout pr264
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-264.patch
Type: text/x-diff
Size: 13587 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Wed Nov 23 10:00:49 2016
From: freeipa-github-notification at redhat.com (tiran)
Date: Wed, 23 Nov 2016 11:00:49 +0100
Subject: [Freeipa-devel] [freeipa PR#265][opened] Add main guards to a couple of Python scripts
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/265
Author: tiran
Title: #265: Add main guards to a couple of Python scripts
Action: opened

PR body:
"""
Signed-off-by: Christian Heimes
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/265/head:pr265
git checkout pr265
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-265.patch
Type: text/x-diff
Size: 5351 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Wed Nov 23 10:04:04 2016
From: freeipa-github-notification at redhat.com (tiran)
Date: Wed, 23 Nov 2016 11:04:04 +0100
Subject: [Freeipa-devel] [freeipa PR#264][synchronized] Python3 pylint fixes
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/264
Author: tiran
Title: #264: Python3 pylint fixes
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/264/head:pr264
git checkout pr264
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-264.patch
Type: text/x-diff
Size: 21619 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Wed Nov 23 10:11:38 2016
From: freeipa-github-notification at redhat.com (tiran)
Date: Wed, 23 Nov 2016 11:11:38 +0100
Subject: [Freeipa-devel] [freeipa PR#264][synchronized] Python3 pylint fixes
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/264
Author: tiran
Title: #264: Python3 pylint fixes
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/264/head:pr264
git checkout pr264
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-264.patch
Type: text/x-diff
Size: 22843 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Wed Nov 23 10:18:12 2016
From: freeipa-github-notification at redhat.com (tiran)
Date: Wed, 23 Nov 2016 11:18:12 +0100
Subject: [Freeipa-devel] [freeipa PR#254][synchronized] Replace LooseVersion with pkg_resource.parse_version
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/254
Author: tiran
Title: #254: Replace LooseVersion with pkg_resource.parse_version
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/254/head:pr254
git checkout pr254
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-254.patch
Type: text/x-diff
Size: 10049 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Wed Nov 23 10:20:26 2016
From: freeipa-github-notification at redhat.com (tiran)
Date: Wed, 23 Nov 2016 11:20:26 +0100
Subject: [Freeipa-devel] [freeipa PR#265][synchronized] Add main guards to a couple of Python scripts
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/265
Author: tiran
Title: #265: Add main guards to a couple of Python scripts
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/265/head:pr265
git checkout pr265
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-265.patch
Type: text/x-diff
Size: 5358 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Wed Nov 23 12:43:01 2016
From: freeipa-github-notification at redhat.com (jcholast)
Date: Wed, 23 Nov 2016 13:43:01 +0100
Subject: [Freeipa-devel] [freeipa PR#266][opened] ipapython: simplify Env object initialization
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/266
Author: jcholast
Title: #266: ipapython: simplify Env object initialization
Action: opened

PR body:
"""
Fully initialize Env objects in Env() instead of having to call their
private methods to complete the initialization later.

Do not use custom Env instance to determine the debug level to use for the
IPA API object - the IPA API object can properly determine the configured
debug level on its own.

Remove locking and related code from Env as it is never used.

https://fedorahosted.org/freeipa/ticket/6408
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/266/head:pr266
git checkout pr266
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-266.patch
Type: text/x-diff
Size: 23144 bytes
Desc: not available
URL:

From lslebodn at redhat.com Wed Nov 23 12:53:04 2016
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Wed, 23 Nov 2016 13:53:04 +0100
Subject: [Freeipa-devel] client-only FreeIPA build
In-Reply-To: <58347179.8010309@redhat.com>
References: <11a496fe-aa98-1192-2862-c7490f6c4330@redhat.com> <73043385-a5c1-9138-760a-d6e493c7608d@redhat.com> <20161122155905.GA27420@10.4.128.1> <58347179.8010309@redhat.com>
Message-ID: <20161123125304.GB7815@10.4.128.1>

On (22/11/16 11:25), Rob Crittenden wrote:
>Lukas Slebodnik wrote:
>> On (22/11/16 16:29), Petr Spacek wrote:
>>> On 22.11.2016 16:27, Jan Cholasta wrote:
>>>> Hi,
>>>>
>>>> On 22.11.2016 16:04, Petr Spacek wrote:
>>>>> Hello,
>>>>>
>>>>> the recent changes with regard to
>>>>> http://www.freeipa.org/page/V4/Integration_Improvements
>>>>> beg a question whether we should invest into supporting client-only builds in
>>>>> FreeIPA build system.
>
>Note that the Integration efforts don't really apply. The client-only
>install is for doing client enrollment and integration can mean lots of
>things.
>
>>>>>
>>>>> Right now, FreeIPA can be built on all architectures we care about so there is
>>>>> no incentive to invest into client-only build - this applies to binary/RPM
>>>>> builds.
>>>>
>>>> Client-only build lowers the barrier for porting IPA to new platforms (porting
>>>> only client code is *much* easier than porting the whole thing), so I would
>>>> very much prefer if we kept it.
>>>
>>> Understood.
>>>
>> Agree about portability
>>
>> But upstream spec file needn't have such relicts.
>> The upstream spec file is pure fedora specific.
>
>The upstream spec is what is used to document and verify that the
>client-only build actually works.
>
>I also think it is a worthy goal to maintain.
>

Maintaining is not enough. It would be also good to test it. And maybe it
might be much simpler to have separate spec file for client only build.
Because too many if conditions does not improve readability of spec file.
But that's up to others to decide what would be simpler.

LS

From freeipa-github-notification at redhat.com Wed Nov 23 13:04:37 2016
From: freeipa-github-notification at redhat.com (jcholast)
Date: Wed, 23 Nov 2016 14:04:37 +0100
Subject: [Freeipa-devel] [freeipa PR#266][comment] ipapython: simplify Env object initialization
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/266
Title: #266: ipapython: simplify Env object initialization

jcholast commented:
"""
Only now I have noticed that this won't actually help fixing [ticket 6482](https://fedorahosted.org/freeipa/ticket/6482). Never mind this PR then.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/266#issuecomment-262507414

From freeipa-github-notification at redhat.com Wed Nov 23 13:04:45 2016
From: freeipa-github-notification at redhat.com (jcholast)
Date: Wed, 23 Nov 2016 14:04:45 +0100
Subject: [Freeipa-devel] [freeipa PR#266][edited] ipapython: simplify Env object initialization
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/266
Author: jcholast
Title: #266: ipapython: simplify Env object initialization
Action: edited

Changed field: body
Original value:
"""
Fully initialize Env objects in Env() instead of having to call their
private methods to complete the initialization later.

Do not use custom Env instance to determine the debug level to use for the
IPA API object - the IPA API object can properly determine the configured
debug level on its own.

Remove locking and related code from Env as it is never used.

https://fedorahosted.org/freeipa/ticket/6408
"""

From freeipa-github-notification at redhat.com Wed Nov 23 13:08:19 2016
From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Wed, 23 Nov 2016 14:08:19 +0100
Subject: [Freeipa-devel] [freeipa PR#267][opened] ipa-replica-conncheck: do not close listening ports until required
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/267
Author: tomaskrizek
Title: #267: ipa-replica-conncheck: do not close listening ports until required
Action: opened

PR body:
"""
Previously, a separate thread would be created for each socket used for
conncheck. It would also time out after one second, after which it would
be closed and reopened again. This caused random failures of conncheck.

Now all sockets are handled in a single thread and once the server
starts to listen on a port, it does not close that connection until the
script finishes.

Only IPv6 socket is used for simplicity, since it can handle both IPv6
and IPv4 connections. This requires IPv6 kernel support, which is
required by other parts of IPA anyway.

https://fedorahosted.org/freeipa/ticket/6487
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/267/head:pr267
git checkout pr267
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-267.patch
Type: text/x-diff
Size: 11401 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Wed Nov 23 13:23:04 2016
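Added example, not part of the PR #267 message above or of FreeIPA's ipa-replica-conncheck code: a Python illustration of the listener design that PR description outlines, with one thread serving every port through dual-stack IPv6 sockets that stay open between probes. The function names, the loopback demo and the use of port 0 are assumptions made for illustration.

```python
import select
import socket
import threading
import time


def open_listeners(ports, backlog=5):
    """Bind one dual-stack TCP listener per port; raises OSError without IPv6 support."""
    listeners = []
    try:
        for port in ports:
            sock = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
            listeners.append(sock)
            sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            # 0 = dual stack: IPv4 peers arrive as IPv4-mapped addresses (::ffff:a.b.c.d).
            sock.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 0)
            sock.bind(("::", port))
            sock.listen(backlog)
            sock.setblocking(False)  # accept() must never stall the single thread
    except OSError:
        for sock in listeners:
            sock.close()
        raise
    return listeners


def serve(listeners, stop, peers, poll_interval=0.2):
    """Accept on every listener from one thread until `stop` is set.

    The select() timeout only bounds how long we wait before re-checking
    `stop`; a quiet interval never closes a listening socket.
    """
    try:
        while True:
            readable, _, _ = select.select(listeners, [], [], poll_interval)
            if not readable:
                if stop.is_set():
                    break  # nothing pending and the caller asked us to finish
                continue
            for sock in readable:
                try:
                    conn, addr = sock.accept()
                except OSError:
                    continue  # peer went away between select() and accept()
                peers.append((sock.getsockname()[1], addr[0]))
                conn.close()
    finally:
        for sock in listeners:
            sock.close()


def probe(host, port, timeout=2.0):
    """Client side of the check: True if a TCP connection can be established."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def run_demo(idle_seconds=1.2):
    """Constructed loopback demo; returns None if dual-stack sockets are unavailable."""
    try:
        listeners = open_listeners([0, 0])  # port 0: kernel picks free ports for the demo
    except OSError:
        return None
    ports = [sock.getsockname()[1] for sock in listeners]
    stop, peers = threading.Event(), []
    worker = threading.Thread(target=serve, args=(listeners, stop, peers))
    worker.start()
    try:
        first = [probe("127.0.0.1", p) for p in ports]
        time.sleep(idle_seconds)  # longer than the one-second timeout the PR removes
        after_idle = [probe("127.0.0.1", p) for p in ports]
        ipv6 = [probe("::1", p) for p in ports]
    finally:
        stop.set()
        worker.join()
    return {"first": first, "after_idle": after_idle, "ipv6": ipv6, "peers": peers}


if __name__ == "__main__":
    print(run_demo())
```

IPv4 probes show up on the listener as `::ffff:127.0.0.1`, so any peer logging or allow-listing around such a listener has to expect the mapped form.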
From: freeipa-github-notification at redhat.com (martbab)
Date: Wed, 23 Nov 2016 14:23:04 +0100
Subject: [Freeipa-devel] [freeipa PR#254][comment] Replace LooseVersion with pkg_resource.parse_version
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/254
Title: #254: Replace LooseVersion with pkg_resource.parse_version

martbab commented:
"""
LGTM but please add the relevant ticket number into the commit message.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/254#issuecomment-262511208

From freeipa-github-notification at redhat.com Wed Nov 23 14:04:13 2016
From: freeipa-github-notification at redhat.com (tiran)
Date: Wed, 23 Nov 2016 15:04:13 +0100
Subject: [Freeipa-devel] [freeipa PR#254][synchronized] Replace LooseVersion with pkg_resource.parse_version
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/254
Author: tiran
Title: #254: Replace LooseVersion with pkg_resource.parse_version
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/254/head:pr254
git checkout pr254
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-254.patch
Type: text/x-diff
Size: 10095 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Wed Nov 23 14:06:15 2016
From: freeipa-github-notification at redhat.com (pspacek)
Date: Wed, 23 Nov 2016 15:06:15 +0100
Subject: [Freeipa-devel] [freeipa PR#268][opened] Build system must regenerate file when template changes
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/268
Author: pspacek
Title: #268: Build system must regenerate file when template changes
Action: opened

PR body:
"""
Proper fix for https://fedorahosted.org/freeipa/ticket/6498.
This PR obsoletes #251.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/268/head:pr268
git checkout pr268
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-268.patch
Type: text/x-diff
Size: 10222 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Wed Nov 23 15:52:38 2016
From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Wed, 23 Nov 2016 16:52:38 +0100
Subject: [Freeipa-devel] [freeipa PR#267][synchronized] ipa-replica-conncheck: do not close listening ports until required
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/267
Author: tomaskrizek
Title: #267: ipa-replica-conncheck: do not close listening ports until required
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/267/head:pr267
git checkout pr267
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-267.patch
Type: text/x-diff
Size: 11483 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Wed Nov 23 16:04:33 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Wed, 23 Nov 2016 17:04:33 +0100
Subject: [Freeipa-devel] [freeipa PR#269][opened] Prevent denial of replication updates during CA replica install
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/269
Author: martbab
Title: #269: Prevent denial of replication updates during CA replica install
Action: opened

PR body:
"""
This PR fixes a case when CA replica install against upgraded topology
hangs due to incorrectly configured ipaca replica entry.

https://fedorahosted.org/freeipa/ticket/6508
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/269/head:pr269
git checkout pr269
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-269.patch
Type: text/x-diff
Size: 2282 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Wed Nov 23 16:17:40 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 23 Nov 2016 17:17:40 +0100
Subject: [Freeipa-devel] [freeipa PR#257][comment] Don't ship install subpackages with wheels
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/257
Title: #257: Don't ship install subpackages with wheels

mbasti-rh commented:
"""
ACK, please rebase
"""

See the full comment at https://github.com/freeipa/freeipa/pull/257#issuecomment-262560605

From freeipa-github-notification at redhat.com Wed Nov 23 16:33:50 2016
From: freeipa-github-notification at redhat.com (tiran)
Date: Wed, 23 Nov 2016 17:33:50 +0100
Subject: [Freeipa-devel] [freeipa PR#257][synchronized] Don't ship install subpackages with wheels
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/257
Author: tiran
Title: #257: Don't ship install subpackages with wheels
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/257/head:pr257
git checkout pr257
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-257.patch
Type: text/x-diff
Size: 3050 bytes
Desc: not available
URL:

From dkupka at redhat.com Thu Nov 24 06:06:48 2016
From: dkupka at redhat.com (David Kupka)
Date: Thu, 24 Nov 2016 07:06:48 +0100
Subject: [Freeipa-devel] NTP in FreeIPA
In-Reply-To:
References:
Message-ID:

On 22/11/16 23:15, Gabe Alford wrote:
> I would say that it is worth keeping in FreeIPA. I know myself and some
> customers use its functionality by having the clients sync to the IPA
> servers and have the servers sync to the NTP source. This way if the NTP
> source ever gets disrupted for long periods of time (which has happened in
> my environment) the client time drifts with the authentication source. This
> is the way that AD often works and is configured.

Hello Gabe,
I agree that it's common practice to synchronize all nodes in network with single source in order to have the same time and save bandwidth. Also I understand that it's comfortable to let FreeIPA installer take care of it.
But I don't think FreeIPA should do it. IMO this is job for Ansible or similar tool. Also the problem is that in some situations FreeIPA installer makes it worse.

Example:

1. Install FreeIPA server (ipa1.example.org)
2. Install FreeIPA client on all nodes in network
3. Install replica (ipa2.example.org) of FreeIPA server to increase redundancy

Now all the clients have ipa1.example.org as the only server in /etc/ntp.conf. If the first FreeIPA server becomes unreachable all clients will be able to contact KDC on the other server thanks to DNS autodiscovery in libkrb5 but will be unable to synchronize time.

>
> On Tue, Nov 22, 2016 at 7:05 AM, Jan Cholasta wrote:
>
>> On 22.11.2016 13:06, Petr Spacek wrote:
>>
>>> On 22.11.2016 12:15, David Kupka wrote:
>>>
>>>> Hello everyone!
>>>>
>>>> Is it worth to keep configuring NTP in FreeIPA?
>>>>
>>>> In usual environment there're no special requirements for time
>>>> synchronization
>>>> and the distribution default (be it ntpd, chrony or anything else) will
>>>> just
>>>> work. Any tampering with the configuration can't make it any better.
>>>>
>>>> In environment with special requirements (network disconnected from
>>>> public
>>>> internet, nodes disconnected from topology for longer time, ...) time
>>>> synchronization must be taken care of accordingly by system
>>>> administrator and
>>>> FreeIPA simply can't help here.
>>>>
>>>> Also there are problems and weird behavior with the current FreeIPA
>>>> installers:
>>>>
>>>> * ipa-client-install replaces all servers in /etc/ntp.conf with the ones
>>>> specified by user or resolved from DNS. If none were provided nor
>>>> resolved the
>>>> FreeIPA server specified/resolved during installation it used. This
>>>> leads in
>>>> just single server in the configuration and no time synchronization when
>>>> this
>>>> server is down/decommissioned.
>>>>
>>>> * ipa-client-install replaces the NTP configuration. If there was any
>>>> parts
>>>> previously edited by system administrator it's lost.
>>>>
>>>> * ipa-server-install adds {0-4}.$PLATFORM.pool.ntp.org to /etc/ntp.conf.
>>>> What's the point in doing that? These servers're already in the
>>>> configuration
>>>> file installed with ntp package.
>>>>
>>>> I have NTP-related WIP patches that solve some of the issues but in
>>>> general I
>>>> would prefer to remove the whole thing together with documenting "Please
>>>> make
>>>> sure that time on all FreeIPA servers and clients is synchronized. On
>>>> most
>>>> distributions this was already done during system installation."
>>>>
>>>> Can we mark NTP options deprecated in 4.5 and remove them and stop
>>>> touching
>>>> any time syncing service in 4.6?
>>>>
>>>
>>> Considering that default config is just fine for normal cases, and given
>>> how
>>> poorly integrated it is into FreeIPA, I agree with David. FreeIPA should
>>> get
>>> out of configuration management business.
>>>
>>
>> +1
>>
>> --
>> Jan Cholasta
>>
>>
>> --
>> Manage your subscription for the Freeipa-devel mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
>>
>
>
>

--
David Kupka

From mbasti at redhat.com Thu Nov 24 08:29:50 2016
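The replica scenario in David Kupka's message above (clients left with ipa1.example.org as the only entry in /etc/ntp.conf after ipa2.example.org is added) can be checked on a client by parsing its ntp.conf. This is an added example, not FreeIPA code: the function names and finding labels are assumptions, the sample files are constructed, and the list of IPA servers is supplied by the administrator.

```python
import re

# ntp.conf directives that name a time source.
SOURCE_DIRECTIVES = {"server", "pool", "peer"}
# 127.127.t.u addresses select ntpd reference-clock drivers (for example the
# local clock); they are not network time sources.
REFCLOCK = re.compile(r"^127\.127\.\d+\.\d+$")


def _norm(host):
    """Compare host names case-insensitively and without a trailing dot."""
    return host.lower().rstrip(".")


def ntp_sources(conf_text):
    """Return (directive, host) for every network time source in ntp.conf text."""
    sources = []
    for raw in conf_text.splitlines():
        fields = raw.split("#", 1)[0].split()      # drop comments
        if len(fields) < 2 or fields[0] not in SOURCE_DIRECTIVES:
            continue
        # ntpd accepts an address-family flag (-4 / -6) before the address.
        args = [f for f in fields[1:] if f not in ("-4", "-6")]
        if not args or REFCLOCK.match(args[0]):
            continue
        sources.append((fields[0], _norm(args[0])))
    return sources


def audit(conf_text, ipa_servers):
    """Return a list of findings (assumed labels) for one client's ntp.conf.

    ipa_servers: host names of all IPA servers and replicas, as known to the
    administrator (an input of this example, not discovered here).
    """
    sources = ntp_sources(conf_text)
    if not sources:
        return ["no-network-source"]
    findings = []
    hosts = {host for _, host in sources}
    has_pool = any(directive == "pool" for directive, _ in sources)
    # One "pool" line expands to several servers; one "server" line does not.
    if len(hosts) == 1 and not has_pool:
        findings.append("single-source: " + next(iter(hosts)))
    known = [_norm(s) for s in ipa_servers]
    # If the client syncs to IPA servers, every replica should be listed.
    if hosts & set(known):
        findings.extend("missing-replica: " + s for s in known if s not in hosts)
    return findings


# Constructed sample: client enrolled before the replica existed.
SAMPLE_SINGLE = """\
driftfile /var/lib/ntp/drift
restrict default nomodify notrap nopeer noquery
server ipa1.example.org iburst   # only network source
server 127.127.1.0               # local clock driver
fudge 127.127.1.0 stratum 10
"""

# Constructed sample: both IPA servers listed.
SAMPLE_REDUNDANT = """\
server IPA1.example.org. iburst
server -4 ipa2.example.org iburst
"""

IPA_SERVERS = ["ipa1.example.org", "ipa2.example.org"]

if __name__ == "__main__":
    for name, text in (("single", SAMPLE_SINGLE), ("redundant", SAMPLE_REDUNDANT)):
        print(name, audit(text, IPA_SERVERS))
```
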
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 24 Nov 2016 09:29:50 +0100
Subject: [Freeipa-devel] NTP in FreeIPA
In-Reply-To:
References:
Message-ID: <5fc2d8d3-8a96-331f-2940-fa95221a0235@redhat.com>

On 24.11.2016 07:06, David Kupka wrote:
> On 22/11/16 23:15, Gabe Alford wrote:
>> I would say that it is worth keeping in FreeIPA. I know myself and some
>> customers use its functionality by having the clients sync to the IPA
>> servers and have the servers sync to the NTP source. This way if the NTP
>> source ever gets disrupted for long periods of time (which has
>> happened in
>> my environment) the client time drifts with the authentication
>> source. This
>> is the way that AD often works and is configured.
>
> Hello Gabe,
> I agree that it's common practice to synchronize all nodes in network
> with single source in order to have the same time and save bandwidth.
> Also I understand that it's comfortable to let FreeIPA installer take
> care of it.
> But I don't think FreeIPA should do it IMO this is job for Ansible or
> similar tool. Also the problem is that in some situations FreeIPA
> installer makes it worse.
>
> Example:
>
> 1. Install FreeIPA server (ipa1.example.org)
> 2. Install FreeIPA client on all nodes in network
> 3. Install replica (ipa2.example.org) of FreeIPA server to increase
> redundancy
>
> Now all the clients have ipa1.example.org as the only server in
> /etc/ntp.conf. If the first FreeIPA server becomes unreachable all
> clients will be able to contact KDC on the other server thanks to DNS
> autodiscovery in libkrb5 but will be unable to synchronize time.
>

This can be resolved by DHCP configured NTP. When NTP server changed, you just change DHCPd config and hosts conf will be synced.

We may keep NTP on IPA server side configured, but I'm voting for removing it from clients and document+endorse people to use DHCP (anyway distros have always enabled some time synchronization so it should naturally work without even in small deployments)

Also NTP is somehow incompatible with containers, usually containers have time synchronized from host, and by default IPA client container doesn't do NTP configuration.

Let's deprecate it in 4.5

Martin^2

>>
>> On Tue, Nov 22, 2016 at 7:05 AM, Jan Cholasta
>> wrote:
>>
>>> On 22.11.2016 13:06, Petr Spacek wrote:
>>>
>>>> On 22.11.2016 12:15, David Kupka wrote:
>>>>
>>>>> Hello everyone!
>>>>>
>>>>> Is it worth to keep configuring NTP in FreeIPA?
>>>>>
>>>>> In usual environment there're no special requirements for time
>>>>> synchronization
>>>>> and the distribution default (be it ntpd, chrony or anything else)
>>>>> will
>>>>> just
>>>>> work. Any tampering with the configuration can't make it any better.
>>>>>
>>>>> In environment with special requirements (network disconnected from
>>>>> public
>>>>> internet, nodes disconnected from topology for longer time, ...) time
>>>>> synchronization must be taken care of accordingly by system
>>>>> administrator and
>>>>> FreeIPA simply can't help here.
>>>>>
>>>>> Also there are problems and weird behavior with the current FreeIPA
>>>>> installers:
>>>>>
>>>>> * ipa-client-install replaces all servers in /etc/ntp.conf with
>>>>> the ones
>>>>> specified by user or resolved from DNS. If none were provided nor
>>>>> resolved the
>>>>> FreeIPA server specified/resolved during installation it used. This
>>>>> leads in
>>>>> just single server in the configuration and no time
>>>>> synchronization when
>>>>> this
>>>>> server is down/decommissioned.
>>>>>
>>>>> * ipa-client-install replaces the NTP configuration. If there was any
>>>>> parts
>>>>> previously edited by system administrator it's lost.
>>>>>
>>>>> * ipa-server-install adds {0-4}.$PLATFORM.pool.ntp.org to
>>>>> /etc/ntp.conf.
>>>>> What's the point in doing that? These servers're already in the
>>>>> configuration
>>>>> file installed with ntp package.
>>>>>
>>>>> I have NTP-related WIP patches that solve some of the issues but in
>>>>> general I
>>>>> would prefer to remove the whole thing together with documenting
>>>>> "Please
>>>>> make
>>>>> sure that time on all FreeIPA servers and clients is synchronized. On
>>>>> most
>>>>> distributions this was already done during system installation."
>>>>>
>>>>> Can we mark NTP options deprecated in 4.5 and remove them and stop
>>>>> touching
>>>>> any time syncing service in 4.6?
>>>>>
>>>>
>>>> Considering that default config is just fine for normal cases, and
>>>> given
>>>> how
>>>> poorly integrated it is into FreeIPA, I agree with David. FreeIPA
>>>> should
>>>> get
>>>> out of configuration management business.
>>>>
>>>
>>> +1
>>>
>>> --
>>> Jan Cholasta
>>>
>>>
>>> --
>>> Manage your subscription for the Freeipa-devel mailing list:
>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
>>>
>>
>>
>>
>
>

From pspacek at redhat.com Thu Nov 24 09:27:46 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Thu, 24 Nov 2016 10:27:46 +0100
Subject: [Freeipa-devel] client-only FreeIPA build
In-Reply-To: <20161123125304.GB7815@10.4.128.1>
References: <11a496fe-aa98-1192-2862-c7490f6c4330@redhat.com>
 <73043385-a5c1-9138-760a-d6e493c7608d@redhat.com>
 <20161122155905.GA27420@10.4.128.1>
 <58347179.8010309@redhat.com>
 <20161123125304.GB7815@10.4.128.1>
Message-ID:

On 23.11.2016 13:53, Lukas Slebodnik wrote:
> On (22/11/16 11:25), Rob Crittenden wrote:
>> Lukas Slebodnik wrote:
>>> On (22/11/16 16:29), Petr Spacek wrote:
>>>> On 22.11.2016 16:27, Jan Cholasta wrote:
>>>>> Hi,
>>>>>
>>>>> On 22.11.2016 16:04, Petr Spacek wrote:
>>>>>> Hello,
>>>>>>
>>>>>> the recent changes with regard to
>>>>>> http://www.freeipa.org/page/V4/Integration_Improvements
>>>>>> beg a question whether we should invest into supporting client-only builds in
>>>>>> FreeIPA build system.
>>
>> Note that the Integration efforts don't really apply. The client-only
>> install is for doing client enrollment and integration can mean lots of
>> things.
>>
>>>>>>
>>>>>> Right now, FreeIPA can be built on all architectures we care about so there is
>>>>>> no incentive to invest into client-only build - this applies to binary/RPM
>>>>>> builds.
>>>>>
>>>>> Client-only build lowers the barrier for porting IPA to new platforms (porting
>>>>> only client code is *much* easier than porting the whole thing), so I would
>>>>> very much prefer if we kept it.
>>>>
>>>> Understood.
>>>>
>>> Agree about portability
>>>
>>> But upstream spec file needn't have such relicts.
>>> The upstream spec file is pure fedora specific.
>>
>> The upstream spec is what is used to document and verify that the
>> client-only build actually works.
>>
>> I also think it is a worthy goal to maintain.
>>
> Maintaining is not enough. It would be also good to test it.
>
> And maybe it might be much simpler to have separate
> spec file for client only build. Because too many if conditions
> does not improve readability of spec file. But that's up to
> others to decide what would be simpler.

The maintenance cost you mention is the only con I can see.

I think that if we decide to support it, client-only support should be part of
configure machinery. It would enable packagers to simply run
./configure --disable-server && make install
and have the client installed. It would make it easy to package it for whatever
distro.

Of course, upstream spec will be a good reference for packaging but IMHO we should keep separated build & install matters from packaging.

--
Petr^2 Spacek

From pviktori at redhat.com Thu Nov 24 10:08:44 2016
From: pviktori at redhat.com (Petr Viktorin)
Date: Thu, 24 Nov 2016 11:08:44 +0100
Subject: [Freeipa-devel] [patch]pytest-multihost: Add external_ip parameter to specify external_ip when using openstack
In-Reply-To: <20161117133952.GA27078@mniranja.pnq.csb>
References: <20161117133952.GA27078@mniranja.pnq.csb>
Message-ID: <83e61bed-3300-f5cb-fe60-aa76f5a8f4ec@redhat.com>

On 11/17/2016 02:39 PM, Niranjan wrote:
> Greetings,
>
> When using pytest multihost to connect with hosts provisioned in
> openstack, it's required to have ability for the test to use floating ip[external
> ip]. This patch adds another attribute external_ip parameter under hosts.

Hello,
The patch adds no tests (or documentation) for this functionality, so I'm a bit unclear about how exactly it should work. Should I attempt to add the tests for it?

Specifically, what should happen when 'external_ip' is not specified in the configuration? I believe it should be either None or a copy of the ip. With this patch, it's set to the string `None`; I think that's a bug.

--
Petr Viktorin

From freeipa-github-notification at redhat.com Thu Nov 24 10:15:31 2016
From: freeipa-github-notification at redhat.com (ofayans) Date: Thu, 24 Nov 2016 11:15:31 +0100 Subject: [Freeipa-devel] [freeipa PR#270][opened] Test: uniqueness of certificate renewal master Message-ID: URL: https://github.com/freeipa/freeipa/pull/270 Author: ofayans Title: #270: Test: uniqueness of certificate renewal master Action: opened PR body: """ https://fedorahosted.org/freeipa/ticket/6504 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/270/head:pr270 git checkout pr270 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-270.patch Type: text/x-diff Size: 2413 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Nov 24 10:40:44 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Thu, 24 Nov 2016 11:40:44 +0100 Subject: [Freeipa-devel] [freeipa PR#257][+ack] Don't ship install subpackages with wheels In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/257 Title: #257: Don't ship install subpackages with wheels Label: +ack From freeipa-github-notification at redhat.com Thu Nov 24 10:41:24 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Thu, 24 Nov 2016 11:41:24 +0100 Subject: [Freeipa-devel] [freeipa PR#257][+pushed] Don't ship install subpackages with wheels In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/257 Title: #257: Don't ship install subpackages with wheels Label: +pushed From freeipa-github-notification at redhat.com Thu Nov 24 10:41:25 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Thu, 24 Nov 2016 11:41:25 +0100 Subject: [Freeipa-devel] [freeipa PR#257][comment] Don't ship install subpackages with wheels In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/257 Title: #257: Don't ship install subpackages with wheels mbasti-rh commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/526bcea705d04895aa6b09bce996ac340783d1d0 """ See the full comment at https://github.com/freeipa/freeipa/pull/257#issuecomment-262745293 From freeipa-github-notification at redhat.com Thu Nov 24 10:41:27 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Thu, 24 Nov 2016 11:41:27 +0100 Subject: [Freeipa-devel] [freeipa PR#257][closed] Don't ship install subpackages with wheels In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/257 Author: tiran Title: #257: Don't ship install subpackages with wheels Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/257/head:pr257 git checkout pr257 From freeipa-github-notification at redhat.com Thu Nov 24 11:24:51 2016 
From: freeipa-github-notification at redhat.com (pvoborni) Date: Thu, 24 Nov 2016 12:24:51 +0100 Subject: [Freeipa-devel] [freeipa PR#182][comment] Use env var IPA_CONFDIR to get confdir for 'cli' context In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/182 Title: #182: Use env var IPA_CONFDIR to get confdir for 'cli' context pvoborni commented: """ If I understand it correctly, the review is stalled for some time given that there is misalignment if this pull request is needed. As described in Christian's design page: http://www.freeipa.org/page/V4/Integration_Improvements#API_for_local_configuration_directory there is clear method how to do it with current code. **So this cannot be regarded as a blocker for the whole effort.** It is only a convenience method for people who rather uses env variable instead of conf dir option. From maintenance perspective it is just another use case to support. """ See the full comment at https://github.com/freeipa/freeipa/pull/182#issuecomment-262754088 From lslebodn at redhat.com Thu Nov 24 11:44:26 2016 
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Thu, 24 Nov 2016 12:44:26 +0100
Subject: [Freeipa-devel] client-only FreeIPA build
In-Reply-To:
References: <11a496fe-aa98-1192-2862-c7490f6c4330@redhat.com>
 <73043385-a5c1-9138-760a-d6e493c7608d@redhat.com>
 <20161122155905.GA27420@10.4.128.1>
 <58347179.8010309@redhat.com>
 <20161123125304.GB7815@10.4.128.1>
Message-ID: <20161124114426.GA31364@10.4.128.1>

On (24/11/16 10:27), Petr Spacek wrote:
>On 23.11.2016 13:53, Lukas Slebodnik wrote:
>> On (22/11/16 11:25), Rob Crittenden wrote:
>>> Lukas Slebodnik wrote:
>>>> On (22/11/16 16:29), Petr Spacek wrote:
>>>>> On 22.11.2016 16:27, Jan Cholasta wrote:
>>>>>> Hi,
>>>>>>
>>>>>> On 22.11.2016 16:04, Petr Spacek wrote:
>>>>>>> Hello,
>>>>>>>
>>>>>>> the recent changes with regard to
>>>>>>> http://www.freeipa.org/page/V4/Integration_Improvements
>>>>>>> beg a question whether we should invest into supporting client-only builds in
>>>>>>> FreeIPA build system.
>>>
>>> Note that the Integration efforts don't really apply. The client-only
>>> install is for doing client enrollment and integration can mean lots of
>>> things.
>>>
>>>>>>>
>>>>>>> Right now, FreeIPA can be built on all architectures we care about so there is
>>>>>>> no incentive to invest into client-only build - this applies to binary/RPM
>>>>>>> builds.
>>>>>>
>>>>>> Client-only build lowers the barrier for porting IPA to new platforms (porting
>>>>>> only client code is *much* easier than porting the whole thing), so I would
>>>>>> very much prefer if we kept it.
>>>>>
>>>>> Understood.
>>>>>
>>>> Agree about portability
>>>>
>>>> But upstream spec file needn't have such relicts.
>>>> The upstream spec file is pure fedora specific.
>>>
>>> The upstream spec is what is used to document and verify that the
>>> client-only build actually works.
>>>
>>> I also think it is a worthy goal to maintain.
>>>
>> Maintaining is not enough. It would be also good to test it.
>>
>> And maybe it might be much simpler to have separate
>> spec file for client only build. Because too many if conditions
>> does not improve readability of spec file. But that's up to
>> others to decide what would be simpler.
>
>The maintenance cost you mention is the only con I can see.
>
>I think that if we decide to support it, client-only support should be part of
>configure machinery. It would enable packagers to simply run
>./configure --disable-server && make install
>and have the client installed. It would make easy to package it for whatever
>distro.
>
I didn't mention anything about spec file only solution for client only build.
But too many optional features does not improve readability in spec file.

We have many optional features in upstream sssd spec file.
e.g.
    %configure \
        //snip
        --disable-static \
        --disable-rpath \
    %if %{with sssd_user}
        --with-sssd-user=sssd \
    %endif
        %{with_initscript} \
        %{?with_syslog} \
        %{?with_cifs_utils_plugin_option} \
        %{?with_python3_option} \
        %{?enable_polkit_rules_option} \
        %{?enable_systemtap_opt} \
        %{?experimental}

But there are also optional features which are not covered in upstream spec file otherwise the spec file would not be maintainable.
e.g. --with-samba

But as I mention in previous mail it's up to you to decide whether client only build should be handled in upstream spec file or in separate spec file.

LS

From freeipa-github-notification at redhat.com Thu Nov 24 12:33:44 2016
From: freeipa-github-notification at redhat.com (jcholast) Date: Thu, 24 Nov 2016 13:33:44 +0100 Subject: [Freeipa-devel] [freeipa PR#271][opened] Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient Message-ID: URL: https://github.com/freeipa/freeipa/pull/271 Author: jcholast Title: #271: Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient Action: opened PR body: """ **paths: remove DEV_NULL** The platform-specific path to /dev/null is provided by the Python standard library in os.devnull. Replace all uses of paths.DEV_NULL with os.devnull and remove DEV_NULL. **custodiainstance: automatic restart on config file update** Automatically restart Custodia during IPA server upgrade if custodia.conf was updated. Use the new store class name in custodia.conf.template. **ipapython: move dnssec, p11helper and secrets to ipaserver** The dnssec and secrets subpackages and the p11helper module depend on ipaplatform. Move them to ipaserver as they are used only on the server. **ipapython: move certmonger and sysrestore to ipalib.install** The certmonger and sysrestore modules depend on ipaplatform. Move them to ipalib.install as they are used only from installers. **certdb: move IPA NSS DB install functions to ipaclient.install** The create_ipa_nssdb() and update_ipa_nssdb() depend on ipaplatform. Move them to ipaclient.install.client as they are used only from the client installer. **certdb: use a temporary file to pass password to pk12util** Currently the PKCS#12 file password is passed via stdin and pk12util reads it from /dev/stdin, which is platform-specific. Use a temporary file instead. **ipautil: remove SHARE_DIR and PLUGIN_SHARE_DIR** SHARE_DIR and PLUGIN_SHARE_DIR depend on ipaplatform. Replace all uses of SHARE_DIR with paths.USR_SHARE_IPA_DIR and remove both SHARE_DIR and PLUGIN_SHARE_DIR. **ipautil: remove get_domain_name()** get_domain_name() and related code depends on ipaplatform. 
Replace all uses of get_domain_name() with api.env.domain and remove get_domain_name() and all of the related code. **ipautil: remove the timeout argument of run()** The argument depends on the platform-specific timeout binary and is used only in ipaclient.ntpconf. Call the timeout binary explicitly in ipaclient.ntpconf and remove the argument. **ipautil: move is_fips_enabled() to ipaplatform.tasks** The FIPS setting is platform-specific. **ipautil: move kinit functions to ipalib.install** kinit_password() depends on ipaplatform. Move kinit_password() as well as kinit_keytab() to a new ipalib.install.kinit module, as they are used only from installers. **ipautil: move file encryption functions to installutils** The encrypt_file() and decrypt_file() functions depend on ipaplatform. Move them to ipaserver.install.installutils, as they are only used for the server installer. **ipapython: remove hard dependency on ipaplatform** Use hard-coded paths to certutil, pk12util and openssl in certdb if ipaplatform is not available. Hard-coded the path to setpasswd in ipautil.run() doc string. Remove ipaplatform dependency from ipapython's setup.py and add ipapython dependency to ipaplatform's setup.py. **ipalib: move certstore to the install subpackage** The certstore module depends on ipaplatform. Move it to ipalib.install, as it is used only from installers. **constants: remove CACERT** CACERT depends on ipaplatform. Replace all uses of CACERT with paths.IPA_CA_CRT and remove CACERT. **ipalib: remove hard dependency on ipapython** Hard-code the path to /bin/false in SubprocessError doc string. Remove ipaplatform dependency from ipalib's setup.py and add it as optional installer dependency to ipalib's and ipaclient's setup.py. **ipaclient: move install modules to the install subpackage** The ipa_certupdate, ipachangeconf, ipadiscovery and ntpconf modules depend on ipaplatform. Move them to ipaclient.install as they are used only from the client installer. 
**ipaclient: remove hard dependency on ipaplatform** Hard-code the user cache directory path in ipaclient.remote_plugins.schema. https://fedorahosted.org/freeipa/ticket/6474 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/271/head:pr271 git checkout pr271 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-271.patch Type: text/x-diff Size: 717628 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Nov 24 13:29:16 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Thu, 24 Nov 2016 14:29:16 +0100 Subject: [Freeipa-devel] [freeipa PR#265][comment] Add main guards to a couple of Python scripts In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/265 Title: #265: Add main guards to a couple of Python scripts mbasti-rh commented: """ Is this part of PIP effort? If yes then commit misses ticket otherwise ACK """ See the full comment at https://github.com/freeipa/freeipa/pull/265#issuecomment-262776482 From freeipa-github-notification at redhat.com Thu Nov 24 14:15:49 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Thu, 24 Nov 2016 15:15:49 +0100 Subject: [Freeipa-devel] [freeipa PR#264][+ack] Python3 pylint fixes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/264 Title: #264: Python3 pylint fixes Label: +ack From freeipa-github-notification at redhat.com Thu Nov 24 14:20:23 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Thu, 24 Nov 2016 15:20:23 +0100 Subject: [Freeipa-devel] [freeipa PR#263][+ack] Backwards compatibility with setuptools 0.9.8 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/263 Title: #263: Backwards compatibility with setuptools 0.9.8 Label: +ack From freeipa-github-notification at redhat.com Thu Nov 24 14:20:32 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Thu, 24 Nov 2016 15:20:32 +0100 Subject: [Freeipa-devel] [freeipa PR#263][comment] Backwards compatibility with setuptools 0.9.8 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/263 Title: #263: Backwards compatibility with setuptools 0.9.8 mbasti-rh commented: """ Please add ticket to commit message """ See the full comment at https://github.com/freeipa/freeipa/pull/263#issuecomment-262786953 From freeipa-github-notification at redhat.com Thu Nov 24 14:21:39 2016 From: freeipa-github-notification at redhat.com (pspacek) Date: Thu, 24 Nov 2016 15:21:39 +0100 Subject: [Freeipa-devel] [freeipa PR#268][synchronized] Build system must regenerate file when template changes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/268 Author: pspacek Title: #268: Build system must regenerate file when template changes Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/268/head:pr268 git checkout pr268 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-268.patch Type: text/x-diff Size: 13362 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Nov 24 14:23:09 2016 
From: freeipa-github-notification at redhat.com (pspacek) Date: Thu, 24 Nov 2016 15:23:09 +0100 Subject: [Freeipa-devel] [freeipa PR#113][comment] ipalib.constants: Remove default domain, realm, basedn, xmlrpc_uri, ldap_uri In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/113 Title: #113: ipalib.constants: Remove default domain, realm, basedn, xmlrpc_uri, ldap_uri pspacek commented: """ Honza will take care of this as part of ipalib cleanup for the Integration Improvements project. """ See the full comment at https://github.com/freeipa/freeipa/pull/113#issuecomment-262787493 From freeipa-github-notification at redhat.com Thu Nov 24 14:34:21 2016 From: freeipa-github-notification at redhat.com (tiran) Date: Thu, 24 Nov 2016 15:34:21 +0100 Subject: [Freeipa-devel] [freeipa PR#271][comment] Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/271 Title: #271: Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient tiran commented: """ The PR is too large. Please split it up in multiple small PRs. """ See the full comment at https://github.com/freeipa/freeipa/pull/271#issuecomment-262789735 From freeipa-github-notification at redhat.com Thu Nov 24 14:37:00 2016 
From: freeipa-github-notification at redhat.com (stlaz) Date: Thu, 24 Nov 2016 15:37:00 +0100 Subject: [Freeipa-devel] [freeipa PR#271][comment] Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/271 Title: #271: Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient stlaz commented: """ I do not have much trouble reviewing the whole PR, also it does not do that much and does not break tests (did not try integration) so I believe it's fine. I am not sure if adding all the os.path.joins is actually really necessary here but it'd be more foolproof for the future. """ See the full comment at https://github.com/freeipa/freeipa/pull/271#issuecomment-262790279 From freeipa-github-notification at redhat.com Thu Nov 24 14:46:27 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Thu, 24 Nov 2016 15:46:27 +0100 Subject: [Freeipa-devel] [freeipa PR#254][+ack] Replace LooseVersion with pkg_resource.parse_version In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/254 Title: #254: Replace LooseVersion with pkg_resource.parse_version Label: +ack From freeipa-github-notification at redhat.com Thu Nov 24 14:47:07 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Thu, 24 Nov 2016 15:47:07 +0100 Subject: [Freeipa-devel] [freeipa PR#254][+pushed] Replace LooseVersion with pkg_resource.parse_version In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/254 Title: #254: Replace LooseVersion with pkg_resource.parse_version Label: +pushed From freeipa-github-notification at redhat.com Thu Nov 24 14:47:09 2016 
From: freeipa-github-notification at redhat.com (martbab) Date: Thu, 24 Nov 2016 15:47:09 +0100 Subject: [Freeipa-devel] [freeipa PR#254][closed] Replace LooseVersion with pkg_resource.parse_version In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/254 Author: tiran Title: #254: Replace LooseVersion with pkg_resource.parse_version Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/254/head:pr254 git checkout pr254 From freeipa-github-notification at redhat.com Thu Nov 24 14:47:10 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Thu, 24 Nov 2016 15:47:10 +0100 Subject: [Freeipa-devel] [freeipa PR#254][comment] Replace LooseVersion with pkg_resource.parse_version In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/254 Title: #254: Replace LooseVersion with pkg_resource.parse_version martbab commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/2cbaf156045769b54150e4d4c3c1071f164a16fb """ See the full comment at https://github.com/freeipa/freeipa/pull/254#issuecomment-262792360 From freeipa-github-notification at redhat.com Thu Nov 24 14:54:03 2016 
From: freeipa-github-notification at redhat.com (tiran) Date: Thu, 24 Nov 2016 15:54:03 +0100 Subject: [Freeipa-devel] [freeipa PR#263][synchronized] Backwards compatibility with setuptools 0.9.8 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/263 Author: tiran Title: #263: Backwards compatibility with setuptools 0.9.8 Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/263/head:pr263 git checkout pr263 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-263.patch Type: text/x-diff Size: 2737 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Nov 24 14:54:56 2016 From: freeipa-github-notification at redhat.com (tiran) Date: Thu, 24 Nov 2016 15:54:56 +0100 Subject: [Freeipa-devel] [freeipa PR#263][-ack] Backwards compatibility with setuptools 0.9.8 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/263 Title: #263: Backwards compatibility with setuptools 0.9.8 Label: -ack From freeipa-github-notification at redhat.com Thu Nov 24 15:00:57 2016 From: freeipa-github-notification at redhat.com (tiran) Date: Thu, 24 Nov 2016 16:00:57 +0100 Subject: [Freeipa-devel] [freeipa PR#264][synchronized] Python3 pylint fixes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/264 Author: tiran Title: #264: Python3 pylint fixes Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/264/head:pr264 git checkout pr264 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-264.patch Type: text/x-diff Size: 23869 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Nov 24 15:03:16 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Thu, 24 Nov 2016 16:03:16 +0100 Subject: [Freeipa-devel] [freeipa PR#264][-ack] Python3 pylint fixes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/264 Title: #264: Python3 pylint fixes Label: -ack From freeipa-github-notification at redhat.com Thu Nov 24 15:10:25 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Thu, 24 Nov 2016 16:10:25 +0100 Subject: [Freeipa-devel] [freeipa PR#258][comment] Break ipaplatform / ipalib import cycle of hell In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/258 Title: #258: Break ipaplatform / ipalib import cycle of hell mbasti-rh commented: """ ACK from me if @jcholast is not against it """ See the full comment at https://github.com/freeipa/freeipa/pull/258#issuecomment-262797034 From redhatrises at gmail.com Thu Nov 24 15:11:08 2016 
From: redhatrises at gmail.com (Gabe Alford) Date: Thu, 24 Nov 2016 08:11:08 -0700 Subject: [Freeipa-devel] NTP in FreeIPA In-Reply-To: <5fc2d8d3-8a96-331f-2940-fa95221a0235@redhat.com> References: <5fc2d8d3-8a96-331f-2940-fa95221a0235@redhat.com> Message-ID: On Thu, Nov 24, 2016 at 1:29 AM, Martin Basti wrote: > > > On 24.11.2016 07:06, David Kupka wrote: > >> On 22/11/16 23:15, Gabe Alford wrote: >> >>> I would say that it is worth keeping in FreeIPA. I know myself and some >>> customers use its functionality by having the clients sync to the IPA >>> servers and have the servers sync to the NTP source. This way if the NTP >>> source ever gets disrupted for long periods of time (which has happened >>> in >>> my environment) the client time drifts with the authentication source. >>> This >>> is the way that AD often works and is configured. >>> >> >> Hello Gabe, >> I agree that it's common practice to synchronize all nodes in network >> with single source in order to have the same time and save bandwidth. Also >> I understand that it's comfortable to let FreeIPA installer take care of it. >> But I don't think FreeIPA should do it IMO this is job for Ansible or >> similar tool. Also the problem is that in some situations FreeIPA installer >> makes it worse. >> >> Example: >> >> 1. Install FreeIPA server (ipa1.example.org) >> 2. Install FreeIPA client on all nodes in network >> 3. Install replica (ipa2.example.org) of FreeIPA server to increase >> redundancy >> > Why not have NTP look at a _srv_records? > Now all the clients have ipa1.example.org as the only server in >> /etc/ntp.conf. If the first FreeIPA server becomes unreachable all clients >> will be able to contact KDC on the other server thanks to DNS autodiscovery >> in libkrb5 but will be unable to synchronize time. >> >> > This can be resolved by DHCP configured NTP. When NTP server changed, you > just change DHCPd config and hosts conf will be synced. 
> We may keep NTP on IPA server side configured, but I'm voting for removing > it from clients and document+endorse people to use DHCP (anyway distros > have always enabled some time synchronization so it should naturally work > without even in small deployments) > If NTP is still configured on the IPA server, this may be less of an issue. Not everyone has/is/will be using ansible. Also in secure environments, DHCP is not allowed/used at all. > Also NTP is somehow incompatible with containers, usually containers have > time synchronized from host, and by default IPA client container don't do > NTP configuration. > Isn't that what the --no-ntp option in the client is for anyway? > > Let deprecate it in 4.5 > > Martin^2 > > > > >>> On Tue, Nov 22, 2016 at 7:05 AM, Jan Cholasta >>> wrote: >>> >>> On 22.11.2016 13:06, Petr Spacek wrote: >>>> >>>> On 22.11.2016 12:15, David Kupka wrote: >>>>> >>>>> Hello everyone! >>>>>> >>>>>> Is it worth to keep configuring NTP in FreeIPA? >>>>>> >>>>>> In usual environment there're no special requirements for time >>>>>> synchronization >>>>>> and the distribution default (be it ntpd, chrony or anything else) >>>>>> will >>>>>> just >>>>>> work. Any tampering with the configuration can't make it any better. >>>>>> >>>>>> In environment with special requirements (network disconnected from >>>>>> public >>>>>> internet, nodes disconnected from topology for longer time, ...) time >>>>>> synchronization must be taken care of accordingly by system >>>>>> administrator and >>>>>> FreeIPA simply can't help here. >>>>>> >>>>>> Also there are problems and weird behavior with the current FreeIPA >>>>>> installers: >>>>>> >>>>>> * ipa-client-install replaces all servers in /etc/ntp.conf with the >>>>>> ones >>>>>> specified by user or resolved from DNS. If none were provided nor >>>>>> resolved the >>>>>> FreeIPA server specified/resolved during installation it used. 
This >>>>>> leads in >>>>>> just single server in the configuration and no time synchronization >>>>>> when >>>>>> this >>>>>> server is down/decommissioned. >>>>>> >>>>>> * ipa-client-install replaces the NTP configuration. If there was any >>>>>> parts >>>>>> previously edited by system administrator it's lost. >>>>>> >>>>>> * ipa-server-install adds {0-4}.$PLATFORM.pool.ntp.org to >>>>>> /etc/ntp.conf. >>>>>> What's the point in doing that? These servers're already in the >>>>>> configuration >>>>>> file installed with ntp package. >>>>>> >>>>>> I have NTP-related WIP patches that solve some of the issues but in >>>>>> general I >>>>>> would prefer to remove the whole thing together with documenting >>>>>> "Please >>>>>> make >>>>>> sure that time on all FreeIPA servers and clients is synchronized. On >>>>>> most >>>>>> distributions this was already done during system installation." >>>>>> >>>>>> Can we mark NTP options deprecated in 4.5 and remove them and stop >>>>>> touching >>>>>> any time syncing service in 4.6? >>>>>> >>>>>> >>>>> Considering that default config is just fine for normal cases, and >>>>> given >>>>> how >>>>> poorly integrated it is into FreeIPA, I agree with David. FreeIPA >>>>> should >>>>> get >>>>> out of configuration management business. >>>>> >>>>> >>>> +1 >>>> >>>> -- >>>> Jan Cholasta >>>> >>>> >>>> -- >>>> Manage your subscription for the Freeipa-devel mailing list: >>>> https://www.redhat.com/mailman/listinfo/freeipa-devel >>>> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code >>>> >>>> >>> >>> >>> >> >> > From freeipa-github-notification at redhat.com Thu Nov 24 15:13:17 2016 
From: freeipa-github-notification at redhat.com (jcholast) Date: Thu, 24 Nov 2016 16:13:17 +0100 Subject: [Freeipa-devel] [freeipa PR#258][comment] Break ipaplatform / ipalib import cycle of hell In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/258 Title: #258: Break ipaplatform / ipalib import cycle of hell jcholast commented: """ I'm OK with it. """ See the full comment at https://github.com/freeipa/freeipa/pull/258#issuecomment-262797665 From freeipa-github-notification at redhat.com Thu Nov 24 15:14:01 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Thu, 24 Nov 2016 16:14:01 +0100 Subject: [Freeipa-devel] [freeipa PR#258][+ack] Break ipaplatform / ipalib import cycle of hell In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/258 Title: #258: Break ipaplatform / ipalib import cycle of hell Label: +ack From freeipa-github-notification at redhat.com Thu Nov 24 15:15:49 2016 From: freeipa-github-notification at redhat.com (jcholast) Date: Thu, 24 Nov 2016 16:15:49 +0100 Subject: [Freeipa-devel] [freeipa PR#271][comment] Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/271 Title: #271: Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient jcholast commented: """ @tiran, how much granular PRs would you prefer? As @stlaz pointed out, there isn't actually much going on in this PR besides moving stuff around. """ See the full comment at https://github.com/freeipa/freeipa/pull/271#issuecomment-262798189 From freeipa-github-notification at redhat.com Thu Nov 24 15:20:31 2016 
From: freeipa-github-notification at redhat.com (tiran) Date: Thu, 24 Nov 2016 16:20:31 +0100 Subject: [Freeipa-devel] [freeipa PR#265][comment] Add main guards to a couple of Python scripts In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/265 Title: #265: Add main guards to a couple of Python scripts tiran commented: """ Not really. I had the patch around since 91920e7cb48cbf143ae281c9c073df14b2c2dddf """ See the full comment at https://github.com/freeipa/freeipa/pull/265#issuecomment-262799192 From freeipa-github-notification at redhat.com Thu Nov 24 15:30:57 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Thu, 24 Nov 2016 16:30:57 +0100 Subject: [Freeipa-devel] [freeipa PR#258][+pushed] Break ipaplatform / ipalib import cycle of hell In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/258 Title: #258: Break ipaplatform / ipalib import cycle of hell Label: +pushed From freeipa-github-notification at redhat.com Thu Nov 24 15:30:59 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Thu, 24 Nov 2016 16:30:59 +0100 Subject: [Freeipa-devel] [freeipa PR#258][comment] Break ipaplatform / ipalib import cycle of hell In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/258 Title: #258: Break ipaplatform / ipalib import cycle of hell mbasti-rh commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/6409abf1a60f3548203e6607a2b157ff72af2c89 """ See the full comment at https://github.com/freeipa/freeipa/pull/258#issuecomment-262801283 From freeipa-github-notification at redhat.com Thu Nov 24 15:31:00 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Thu, 24 Nov 2016 16:31:00 +0100 Subject: [Freeipa-devel] [freeipa PR#258][closed] Break ipaplatform / ipalib import cycle of hell In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/258 Author: tiran Title: #258: Break ipaplatform / ipalib import cycle of hell Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/258/head:pr258 git checkout pr258 From freeipa-github-notification at redhat.com Thu Nov 24 15:34:38 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Thu, 24 Nov 2016 16:34:38 +0100 Subject: [Freeipa-devel] [freeipa PR#265][+ack] Add main guards to a couple of Python scripts In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/265 Title: #265: Add main guards to a couple of Python scripts Label: +ack From freeipa-github-notification at redhat.com Thu Nov 24 15:36:03 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Thu, 24 Nov 2016 16:36:03 +0100 Subject: [Freeipa-devel] [freeipa PR#265][+pushed] Add main guards to a couple of Python scripts In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/265 Title: #265: Add main guards to a couple of Python scripts Label: +pushed From freeipa-github-notification at redhat.com Thu Nov 24 15:36:05 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Thu, 24 Nov 2016 16:36:05 +0100 Subject: [Freeipa-devel] [freeipa PR#265][comment] Add main guards to a couple of Python scripts In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/265 Title: #265: Add main guards to a couple of Python scripts mbasti-rh commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/a8376a244758494db31341442bc2163e1807b7ac """ See the full comment at https://github.com/freeipa/freeipa/pull/265#issuecomment-262802339 From freeipa-github-notification at redhat.com Thu Nov 24 15:36:06 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Thu, 24 Nov 2016 16:36:06 +0100 Subject: [Freeipa-devel] [freeipa PR#265][closed] Add main guards to a couple of Python scripts In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/265 Author: tiran Title: #265: Add main guards to a couple of Python scripts Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/265/head:pr265 git checkout pr265 From freeipa-github-notification at redhat.com Thu Nov 24 15:46:15 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Thu, 24 Nov 2016 16:46:15 +0100 Subject: [Freeipa-devel] [freeipa PR#270][comment] Test: uniqueness of certificate renewal master In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/270 Title: #270: Test: uniqueness of certificate renewal master martbab commented: """ I have suggested some improvements in your code inline. Also, can we actually do this test as a part of other test suite or is it necessary to create a new one? Also the commit message does not really state the purpose clearly. """ See the full comment at https://github.com/freeipa/freeipa/pull/270#issuecomment-262804317 From freeipa-github-notification at redhat.com Thu Nov 24 15:50:55 2016 
From: freeipa-github-notification at redhat.com (tiran) Date: Thu, 24 Nov 2016 16:50:55 +0100 Subject: [Freeipa-devel] [freeipa PR#263][synchronized] Backwards compatibility with setuptools 0.9.8 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/263 Author: tiran Title: #263: Backwards compatibility with setuptools 0.9.8 Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/263/head:pr263 git checkout pr263 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-263.patch Type: text/x-diff Size: 2735 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Nov 24 15:52:44 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Thu, 24 Nov 2016 16:52:44 +0100 Subject: [Freeipa-devel] [freeipa PR#252][comment] Use namespace-aware meta importer for ipaplatform In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/252 Title: #252: Use namespace-aware meta importer for ipaplatform martbab commented: """ Is this PR valid given that we discussed to remove ipaplatform dependency from client-side modules? """ See the full comment at https://github.com/freeipa/freeipa/pull/252#issuecomment-262805720 From slaznick at redhat.com Thu Nov 24 15:54:55 2016 
From: slaznick at redhat.com (Standa Laznicka) Date: Thu, 24 Nov 2016 16:54:55 +0100 Subject: [Freeipa-devel] [Freeipa-users] ipalib authentication In-Reply-To: <81A0EC2E-7489-49C6-8480-768DA022321E@jisc.ac.uk> References: <81A0EC2E-7489-49C6-8480-768DA022321E@jisc.ac.uk> Message-ID: <393ca78c-d4d2-2932-3bb1-d39a85498cb3@redhat.com> On 11/24/2016 04:27 PM, Adam Bishop wrote: > I'm writing a bit of code using ipalib directly, I'm a little stuck on authentication though. > > It works fine if I grab a Kerberos ticket with kinit then run the code interactively, but I'd like to run this as a daemon which makes maintaining a ticket tricky. > > What other options are there for authenticating to the API, avoiding calling external tools like curl or kinit? > > Regards, > > Adam Bishop > > gpg: E75B 1F92 6407 DFDF 9F1C BF10 C993 2504 6609 D460 > > jisc.ac.uk > > Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc's registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. > > Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800. > > Hello Adam, Nice to see someone interested in FreeIPA development. For questions about developing FreeIPA, feel free to contact other developers at freeipa-devel at redhat.com (in CC). You can also create a pull request on GitHub (https://github.com/freeipa/freeipa) if you'd like to share your code with the community. As for your question, would it be feasible to use keytabs? Sure, you still have to perform kinit but there's no user action required (except for maintaining the keytab, of course). Standa From freeipa-github-notification at redhat.com Thu Nov 24 16:00:55 2016 
From: freeipa-github-notification at redhat.com (martbab) Date: Thu, 24 Nov 2016 17:00:55 +0100 Subject: [Freeipa-devel] [freeipa PR#211][+ack] IPA Allows Password Reuse with History value defined when admin reset… In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/211 Title: #211: IPA Allows Password Reuse with History value defined when admin reset… Label: +ack From freeipa-github-notification at redhat.com Thu Nov 24 16:01:51 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Thu, 24 Nov 2016 17:01:51 +0100 Subject: [Freeipa-devel] [freeipa PR#211][comment] IPA Allows Password Reuse with History value defined when admin reset… In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/211 Title: #211: IPA Allows Password Reuse with History value defined when admin reset… martbab commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/c223130d5f429278202aaf8bf87af53911a3b448 """ See the full comment at https://github.com/freeipa/freeipa/pull/211#issuecomment-262807431 From freeipa-github-notification at redhat.com Thu Nov 24 16:01:52 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Thu, 24 Nov 2016 17:01:52 +0100 Subject: [Freeipa-devel] [freeipa PR#211][+pushed] IPA Allows Password Reuse with History value defined when admin reset… In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/211 Title: #211: IPA Allows Password Reuse with History value defined when admin reset… Label: +pushed From freeipa-github-notification at redhat.com Thu Nov 24 16:01:53 2016 
From: freeipa-github-notification at redhat.com (martbab) Date: Thu, 24 Nov 2016 17:01:53 +0100 Subject: [Freeipa-devel] [freeipa PR#211][closed] IPA Allows Password Reuse with History value defined when admin reset… In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/211 Author: tbordaz Title: #211: IPA Allows Password Reuse with History value defined when admin reset… Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/211/head:pr211 git checkout pr211 From mbasti at redhat.com Thu Nov 24 16:14:25 2016 
From: mbasti at redhat.com (Martin Basti) Date: Thu, 24 Nov 2016 17:14:25 +0100 Subject: [Freeipa-devel] NTP in FreeIPA In-Reply-To: References: <5fc2d8d3-8a96-331f-2940-fa95221a0235@redhat.com> Message-ID: On 24.11.2016 16:11, Gabe Alford wrote: > On Thu, Nov 24, 2016 at 1:29 AM, Martin Basti > wrote: > > > > On 24.11.2016 07:06, David Kupka wrote: > > On 22/11/16 23:15, Gabe Alford wrote: > > I would say that it is worth keeping in FreeIPA. I know > myself and some > customers use its functionality by having the clients sync > to the IPA > servers and have the servers sync to the NTP source. This > way if the NTP > source ever gets disrupted for long periods of time (which > has happened in > my environment) the client time drifts with the > authentication source. This > is the way that AD often works and is configured. > > > Hello Gabe, > I agree that it's common practice to synchronize all nodes in > network with single source in order to have the same time and > save bandwidth. Also I understand that it's comfortable to let > FreeIPA installer take care of it. > But I don't think FreeIPA should do it IMO this is job for > Ansible or similar tool. Also the problem is that in some > situations FreeIPA installer makes it worse. > > Example: > > 1. Install FreeIPA server (ipa1.example.org > ) > 2. Install FreeIPA client on all nodes in network > 3. Install replica (ipa2.example.org > ) of FreeIPA server to increase > redundancy > > > Why not have NTP look at a _srv_records? Do ntpclients support this natively? I just found some ugly hacks for chrony, i.e extra service that is dynamically changing config file. But yes this may be way too, but dirty. > Now all the clients have ipa1.example.org > as the only server in /etc/ntp.conf. > If the first FreeIPA server becomes unreachable all clients > will be able to contact KDC on the other server thanks to DNS > autodiscovery in libkrb5 but will be unable to synchronize time. 
> > > This can be resolved by DHCP configured NTP. When NTP server > changed, you just change DHCPd config and hosts conf will be synced. > We may keep NTP on IPA server side configured, but I'm voting for > removing it from clients and document+endorse people to use DHCP > (anyway distros have always enabled some time synchronization so > it should naturally work without even in small deployments) > > > If NTP is still configured on the IPA server, this may be less of an > issue. Not everyone has/is/will be using ansible. Also in secure > environments, DHCP > is not allowed/used at all. > > Also NTP is somehow incompatible with containers, usually > containers have time synchronized from host, and by default IPA > client container don't do NTP configuration. > > > Isn't that what the --no-ntp option in the client is for anyway? > > > Let deprecate it in 4.5 > > Martin^2 > > > > > On Tue, Nov 22, 2016 at 7:05 AM, Jan Cholasta > > wrote: > > On 22.11.2016 13:06, Petr Spacek wrote: > > On 22.11.2016 12:15, David Kupka wrote: > > Hello everyone! > > Is it worth to keep configuring NTP in FreeIPA? > > In usual environment there're no special > requirements for time > synchronization > and the distribution default (be it ntpd, > chrony or anything else) will > just > work. Any tampering with the configuration > can't make it any better. > > In environment with special requirements > (network disconnected from > public > internet, nodes disconnected from topology for > longer time, ...) time > synchronization must be taken care of > accordingly by system > administrator and > FreeIPA simply can't help here. > > Also there are problems and weird behavior > with the current FreeIPA > installers: > > * ipa-client-install replaces all servers in > /etc/ntp.conf with the ones > specified by user or resolved from DNS. If > none were provided nor > resolved the > FreeIPA server specified/resolved during > installation it used. 
This > leads in > just single server in the configuration and no > time synchronization when > this > server is down/decommissioned. > > * ipa-client-install replaces the NTP > configuration. If there was any > parts > previously edited by system administrator it's > lost. > > * ipa-server-install adds > {0-4}.$PLATFORM.pool.ntp.org > to /etc/ntp.conf. > What's the point in doing that? These > servers're already in the > configuration > file installed with ntp package. > > I have NTP-related WIP patches that solve some > of the issues but in > general I > would prefer to remove the whole thing > together with documenting "Please > make > sure that time on all FreeIPA servers and > clients is synchronized. On > most > distributions this was already done during > system installation." > > Can we mark NTP options deprecated in 4.5 and > remove them and stop > touching > any time syncing service in 4.6? > > > Considering that default config is just fine for > normal cases, and given > how > poorly integrated it is into FreeIPA, I agree with > David. FreeIPA should > get > out of configuration management business. > > > +1 > > -- > Jan Cholasta > > > -- > Manage your subscription for the Freeipa-devel mailing > list: > https://www.redhat.com/mailman/listinfo/freeipa-devel > > Contribute to FreeIPA: > http://www.freeipa.org/page/Contribute/Code > > > > > > > > > From freeipa-github-notification at redhat.com Thu Nov 24 16:35:45 2016 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Thu, 24 Nov 2016 17:35:45 +0100 Subject: [Freeipa-devel] [freeipa PR#177][comment] Add options to write lightweight CA cert or chain to file In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/177 Title: #177: Add options to write lightweight CA cert or chain to file tomaskrizek commented: """ Please update the xmlrpc tests to reflect the extra certificate attributes (~12 failed tests in `test_xmlrpc/test_ca_plugin.py`, `test_caacl_plugin.py` and `test_caacl_profile_enforcement.py`). There are also a couple tests failing with ACIError: ACIError: Insufficient access: Principal 'srv/santest-host-1...' is not permitted to use CA 'default-profile-subca' with profile 'caIPAserviceCert' for certificate issuance. I also found the `--certificate-out` option a bit confusing. At first I thought I should provide the certificate name to be exported. Perhaps the help text could be improved to make it clear the user should provide a file name? """ See the full comment at https://github.com/freeipa/freeipa/pull/177#issuecomment-262813919 From freeipa-github-notification at redhat.com Thu Nov 24 16:50:19 2016 
From: freeipa-github-notification at redhat.com (pspacek) Date: Thu, 24 Nov 2016 17:50:19 +0100 Subject: [Freeipa-devel] [freeipa PR#272][opened] Build: makerpms.sh generates Python 2 & 3 packages at the same time Message-ID: URL: https://github.com/freeipa/freeipa/pull/272 Author: pspacek Title: #272: Build: makerpms.sh generates Python 2 & 3 packages at the same time Action: opened PR body: """ Petr Viktorin recommended me to copy the whole build directory and run configure twice, with different values for PYTHON variable. After thinking a bit about that, it seems like the cleanest approach. Building for two versions of Python at the same time should be temporary state so I decided not to complicate Autotools build system with conditional spaghetti for two versions of Python. For proper Python2/3 distinction in the two separate builds, I added find/grep/sed combo which replaces shebangs with system-wide Python interpreter as necessary. This is a workaround for the fact that FreeIPA does not use setuptools properly. Honza told me that proper use of setuptools is not trivial so we decided to go with this for now. https://fedorahosted.org/freeipa/ticket/157 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/272/head:pr272 git checkout pr272 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-272.patch Type: text/x-diff Size: 10710 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Nov 24 16:55:16 2016 
From: freeipa-github-notification at redhat.com (tiran) Date: Thu, 24 Nov 2016 17:55:16 +0100 Subject: [Freeipa-devel] [freeipa PR#272][comment] Build: makerpms.sh generates Python 2 & 3 packages at the same time In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/272 Title: #272: Build: makerpms.sh generates Python 2 & 3 packages at the same time tiran commented: """ AFAIK the build won't run pylint twice with the correct Python version. You could replace the configure option for pylint and the pylint command with: ``` $(PYTHON) -m pylint ``` """ See the full comment at https://github.com/freeipa/freeipa/pull/272#issuecomment-262817204 From freeipa-github-notification at redhat.com Thu Nov 24 17:13:05 2016 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Thu, 24 Nov 2016 18:13:05 +0100 Subject: [Freeipa-devel] [freeipa PR#222][comment] Fix ipa-replica-install when upgrade from ca-less to ca-full In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/222 Title: #222: Fix ipa-replica-install when upgrade from ca-less to ca-full tomaskrizek commented: """ Works just like expected. """ See the full comment at https://github.com/freeipa/freeipa/pull/222#issuecomment-262819990 From freeipa-github-notification at redhat.com Thu Nov 24 17:13:14 2016 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Thu, 24 Nov 2016 18:13:14 +0100 Subject: [Freeipa-devel] [freeipa PR#222][+ack] Fix ipa-replica-install when upgrade from ca-less to ca-full In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/222 Title: #222: Fix ipa-replica-install when upgrade from ca-less to ca-full Label: +ack From pspacek at redhat.com Thu Nov 24 17:25:24 2016 
From: pspacek at redhat.com (Petr Spacek) Date: Thu, 24 Nov 2016 18:25:24 +0100 Subject: [Freeipa-devel] NTP in FreeIPA In-Reply-To: References: <5fc2d8d3-8a96-331f-2940-fa95221a0235@redhat.com> Message-ID: On 24.11.2016 17:14, Martin Basti wrote: > If NTP is still configured on the IPA server, this may be less of an issue. > Not everyone has/is/will be using ansible. Also in secure environments, DHCP > is not allowed/used at all. If DHCP is not good enough for your environment then you *must not* use standard NTP, otherwise you just broke all the security. Standard NTP is not more secure than DHCP. -- Petr^2 Spacek From freeipa-github-notification at redhat.com Thu Nov 24 17:27:25 2016 From: freeipa-github-notification at redhat.com (pspacek) Date: Thu, 24 Nov 2016 18:27:25 +0100 Subject: [Freeipa-devel] [freeipa PR#272][synchronized] Build: makerpms.sh generates Python 2 & 3 packages at the same time In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/272 Author: pspacek Title: #272: Build: makerpms.sh generates Python 2 & 3 packages at the same time Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/272/head:pr272 git checkout pr272 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-272.patch Type: text/x-diff Size: 10711 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Nov 24 17:29:49 2016 
From: freeipa-github-notification at redhat.com (pspacek) Date: Thu, 24 Nov 2016 18:29:49 +0100 Subject: [Freeipa-devel] [freeipa PR#272][comment] Build: makerpms.sh generates Python 2 & 3 packages at the same time In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/272 Title: #272: Build: makerpms.sh generates Python 2 & 3 packages at the same time pspacek commented: """ It does not automatically run pylint at all. Isn't `--with-pylint` option for configure good enough? """ See the full comment at https://github.com/freeipa/freeipa/pull/272#issuecomment-262822327 From freeipa-github-notification at redhat.com Thu Nov 24 18:26:19 2016 From: freeipa-github-notification at redhat.com (pspacek) Date: Thu, 24 Nov 2016 19:26:19 +0100 Subject: [Freeipa-devel] [freeipa PR#213][edited] Build system refactoring phase 3 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/213 Author: pspacek Title: #213: Build system refactoring phase 3 Action: edited Changed field: body Original value: """ This monster patch-set refactors most of build system and moves most of the logic from SPEC file to build system. It is not yet complete, missing parts are: - [ ] Python 3 support - [ ] Client-only build is not supported - [x] IPA_VERSION_IS_GIT_SNAPSHOT does not work (fix in #226) These will be sorted out later on but the review of the patch set can begin. """ From redhatrises at gmail.com Thu Nov 24 19:31:18 2016 
From: redhatrises at gmail.com (Gabe Alford) Date: Thu, 24 Nov 2016 12:31:18 -0700 Subject: [Freeipa-devel] NTP in FreeIPA In-Reply-To: References: <5fc2d8d3-8a96-331f-2940-fa95221a0235@redhat.com> Message-ID: On Thu, Nov 24, 2016 at 9:14 AM, Martin Basti wrote: > > > On 24.11.2016 16:11, Gabe Alford wrote: > > On Thu, Nov 24, 2016 at 1:29 AM, Martin Basti wrote: > >> >> >> On 24.11.2016 07:06, David Kupka wrote: >> >>> On 22/11/16 23:15, Gabe Alford wrote: >>> >>>> I would say that it is worth keeping in FreeIPA. I know myself and some >>>> customers use its functionality by having the clients sync to the IPA >>>> servers and have the servers sync to the NTP source. This way if the NTP >>>> source ever gets disrupted for long periods of time (which has happened >>>> in >>>> my environment) the client time drifts with the authentication source. >>>> This >>>> is the way that AD often works and is configured. >>>> >>> >>> Hello Gabe, >>> I agree that it's common practice to synchronize all nodes in network >>> with single source in order to have the same time and save bandwidth. Also >>> I understand that it's comfortable to let FreeIPA installer take care of it. >>> But I don't think FreeIPA should do it IMO this is job for Ansible or >>> similar tool. Also the problem is that in some situations FreeIPA installer >>> makes it worse. >>> >>> Example: >>> >>> 1. Install FreeIPA server (ipa1.example.org) >>> 2. Install FreeIPA client on all nodes in network >>> 3. Install replica (ipa2.example.org) of FreeIPA server to increase >>> redundancy >>> >> > Why not have NTP look at a _srv_records? > > > Do ntpclients support this natively? I just found some ugly hacks for > chrony, i.e extra service that is dynamically changing config file. > But yes this may be way too, but dirty. > > You are right. It is an ugly. I wonder if we can push to make it not so ugly so that _srv_ is used for both Chrony and NTP which IMO makes those two products better. 
If not and the desire is truly to get rid of chrony/ntp configuration on the client side, what about adding Chrony and NTP configuration to ipa-advise? > > >> Now all the clients have ipa1.example.org as the only server in >>> /etc/ntp.conf. If the first FreeIPA server becomes unreachable all clients >>> will be able to contact KDC on the other server thanks to DNS autodiscovery >>> in libkrb5 but will be unable to synchronize time. >>> >>> >> This can be resolved by DHCP configured NTP. When NTP server changed, you >> just change DHCPd config and hosts conf will be synced. >> We may keep NTP on IPA server side configured, but I'm voting for >> removing it from clients and document+endorse people to use DHCP (anyway >> distros have always enabled some time synchronization so it should >> naturally work without even in small deployments) >> > > If NTP is still configured on the IPA server, this may be less of an > issue. Not everyone has/is/will be using ansible. Also in secure > environments, DHCP > is not allowed/used at all. > > > >> Also NTP is somehow incompatible with containers, usually containers have >> time synchronized from host, and by default IPA client container don't do >> NTP configuration. >> > > Isn't that what the --no-ntp option in the client is for anyway? > > >> >> Let deprecate it in 4.5 >> >> Martin^2 >> >> >> >> >>>> On Tue, Nov 22, 2016 at 7:05 AM, Jan Cholasta >>>> wrote: >>>> >>>> On 22.11.2016 13:06, Petr Spacek wrote: >>>>> >>>>> On 22.11.2016 12:15, David Kupka wrote: >>>>>> >>>>>> Hello everyone! >>>>>>> >>>>>>> Is it worth to keep configuring NTP in FreeIPA? >>>>>>> >>>>>>> In usual environment there're no special requirements for time >>>>>>> synchronization >>>>>>> and the distribution default (be it ntpd, chrony or anything else) >>>>>>> will >>>>>>> just >>>>>>> work. Any tampering with the configuration can't make it any better. 
>>>>>>> >>>>>>> In environment with special requirements (network disconnected from >>>>>>> public >>>>>>> internet, nodes disconnected from topology for longer time, ...) time >>>>>>> synchronization must be taken care of accordingly by system >>>>>>> administrator and >>>>>>> FreeIPA simply can't help here. >>>>>>> >>>>>>> Also there are problems and weird behavior with the current FreeIPA >>>>>>> installers: >>>>>>> >>>>>>> * ipa-client-install replaces all servers in /etc/ntp.conf with the >>>>>>> ones >>>>>>> specified by user or resolved from DNS. If none were provided nor >>>>>>> resolved the >>>>>>> FreeIPA server specified/resolved during installation it used. This >>>>>>> leads in >>>>>>> just single server in the configuration and no time synchronization >>>>>>> when >>>>>>> this >>>>>>> server is down/decommissioned. >>>>>>> >>>>>>> * ipa-client-install replaces the NTP configuration. If there was any >>>>>>> parts >>>>>>> previously edited by system administrator it's lost. >>>>>>> >>>>>>> * ipa-server-install adds {0-4}.$PLATFORM.pool.ntp.org to >>>>>>> /etc/ntp.conf. >>>>>>> What's the point in doing that? These servers're already in the >>>>>>> configuration >>>>>>> file installed with ntp package. >>>>>>> >>>>>>> I have NTP-related WIP patches that solve some of the issues but in >>>>>>> general I >>>>>>> would prefer to remove the whole thing together with documenting >>>>>>> "Please >>>>>>> make >>>>>>> sure that time on all FreeIPA servers and clients is synchronized. On >>>>>>> most >>>>>>> distributions this was already done during system installation." >>>>>>> >>>>>>> Can we mark NTP options deprecated in 4.5 and remove them and stop >>>>>>> touching >>>>>>> any time syncing service in 4.6? >>>>>>> >>>>>>> >>>>>> Considering that default config is just fine for normal cases, and >>>>>> given >>>>>> how >>>>>> poorly integrated it is into FreeIPA, I agree with David. 
FreeIPA >>>>>> should >>>>>> get >>>>>> out of configuration management business. >>>>>> >>>>>> >>>>> +1 >>>>> >>>>> -- >>>>> Jan Cholasta >>>>> >>>>> >>>>> -- >>>>> Manage your subscription for the Freeipa-devel mailing list: >>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel >>>>> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code >>>>> >>>>> >>>> >>>> >>>> >>> >>> >> > > From freeipa-github-notification at redhat.com Fri Nov 25 03:11:14 2016 From: freeipa-github-notification at redhat.com (frasertweedale) Date: Fri, 25 Nov 2016 04:11:14 +0100 Subject: [Freeipa-devel] [freeipa PR#177][comment] Add options to write lightweight CA cert or chain to file In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/177 Title: #177: Add options to write lightweight CA cert or chain to file frasertweedale commented: """ @tomaskrizek thanks for reviewing. Updated tests and change the `--certificate-out` metavar to `FILE`. """ See the full comment at https://github.com/freeipa/freeipa/pull/177#issuecomment-262872744 From freeipa-github-notification at redhat.com Fri Nov 25 03:11:35 2016
From: freeipa-github-notification at redhat.com (frasertweedale) Date: Fri, 25 Nov 2016 04:11:35 +0100 Subject: [Freeipa-devel] [freeipa PR#177][synchronized] Add options to write lightweight CA cert or chain to file In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/177 Author: frasertweedale Title: #177: Add options to write lightweight CA cert or chain to file Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/177/head:pr177 git checkout pr177 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-177.patch Type: text/x-diff Size: 21799 bytes Desc: not available URL: From mbasti at redhat.com Fri Nov 25 08:12:51 2016 
From: mbasti at redhat.com (Martin Basti) Date: Fri, 25 Nov 2016 09:12:51 +0100 Subject: [Freeipa-devel] NTP in FreeIPA In-Reply-To: References: <5fc2d8d3-8a96-331f-2940-fa95221a0235@redhat.com> Message-ID: <5a2e8e77-58b9-3bca-1483-3403d37c03d6@redhat.com> On 24.11.2016 20:31, Gabe Alford wrote: > On Thu, Nov 24, 2016 at 9:14 AM, Martin Basti > wrote: > > > > On 24.11.2016 16:11, Gabe Alford wrote: >> On Thu, Nov 24, 2016 at 1:29 AM, Martin Basti > > wrote: >> >> >> >> On 24.11.2016 07:06, David Kupka wrote: >> >> On 22/11/16 23:15, Gabe Alford wrote: >> >> I would say that it is worth keeping in FreeIPA. I >> know myself and some >> customers use its functionality by having the clients >> sync to the IPA >> servers and have the servers sync to the NTP source. >> This way if the NTP >> source ever gets disrupted for long periods of time >> (which has happened in >> my environment) the client time drifts with the >> authentication source. This >> is the way that AD often works and is configured. >> >> >> Hello Gabe, >> I agree that it's common practice to synchronize all >> nodes in network with single source in order to have the >> same time and save bandwidth. Also I understand that it's >> comfortable to let FreeIPA installer take care of it. >> But I don't think FreeIPA should do it IMO this is job >> for Ansible or similar tool. Also the problem is that in >> some situations FreeIPA installer makes it worse. >> >> Example: >> >> 1. Install FreeIPA server (ipa1.example.org >> ) >> 2. Install FreeIPA client on all nodes in network >> 3. Install replica (ipa2.example.org >> ) of FreeIPA server to increase >> redundancy >> >> >> Why not have NTP look at a _srv_records? > > Do ntpclients support this natively? I just found some ugly hacks > for chrony, i.e extra service that is dynamically changing config > file. > But yes this may be way too, but dirty. > > > You are right. It is an ugly. 
I wonder if we can push to make it not > so ugly so that _srv_ is used for both Chrony and NTP which IMO makes > those two products better. If not and the desire is truly to get rid > of chrony/ntp configuration on the client side, what about adding > Chrony and NTP configuration to ipa-advise? And I realized that this may be applicable only if IPA is installed with integrated DNS, when IPA automatically updates system services DNS records. With external DNS we will bother admins to create SRV records, so it is the same as creating DHCP configuration. we can add it to ipa-advise. Martin^2 >> Now all the clients have ipa1.example.org >> as the only server in >> /etc/ntp.conf. If the first FreeIPA server becomes >> unreachable all clients will be able to contact KDC on >> the other server thanks to DNS autodiscovery in libkrb5 >> but will be unable to synchronize time. >> >> >> This can be resolved by DHCP configured NTP. When NTP server >> changed, you just change DHCPd config and hosts conf will be >> synced. >> We may keep NTP on IPA server side configured, but I'm voting >> for removing it from clients and document+endorse people to >> use DHCP (anyway distros have always enabled some time >> synchronization so it should naturally work without even in >> small deployments) >> >> >> If NTP is still configured on the IPA server, this may be less of >> an issue. Not everyone has/is/will be using ansible. Also in >> secure environments, DHCP >> is not allowed/used at all. >> >> Also NTP is somehow incompatible with containers, usually >> containers have time synchronized from host, and by default >> IPA client container don't do NTP configuration. >> >> >> Isn't that what the --no-ntp option in the client is for anyway? >> >> >> Let deprecate it in 4.5 >> >> Martin^2 >> >> >> >> >> On Tue, Nov 22, 2016 at 7:05 AM, Jan Cholasta >> > wrote: >> >> On 22.11.2016 13:06, Petr Spacek wrote: >> >> On 22.11.2016 12:15, David Kupka wrote: >> >> Hello everyone! 
>> >> Is it worth to keep configuring NTP in >> FreeIPA? >> >> In usual environment there're no special >> requirements for time >> synchronization >> and the distribution default (be it ntpd, >> chrony or anything else) will >> just >> work. Any tampering with the >> configuration can't make it any better. >> >> In environment with special requirements >> (network disconnected from >> public >> internet, nodes disconnected from >> topology for longer time, ...) time >> synchronization must be taken care of >> accordingly by system >> administrator and >> FreeIPA simply can't help here. >> >> Also there are problems and weird >> behavior with the current FreeIPA >> installers: >> >> * ipa-client-install replaces all servers >> in /etc/ntp.conf with the ones >> specified by user or resolved from DNS. >> If none were provided nor >> resolved the >> FreeIPA server specified/resolved during >> installation it used. This >> leads in >> just single server in the configuration >> and no time synchronization when >> this >> server is down/decommissioned. >> >> * ipa-client-install replaces the NTP >> configuration. If there was any >> parts >> previously edited by system administrator >> it's lost. >> >> * ipa-server-install adds >> {0-4}.$PLATFORM.pool.ntp.org >> to >> /etc/ntp.conf. >> What's the point in doing that? These >> servers're already in the >> configuration >> file installed with ntp package. >> >> I have NTP-related WIP patches that solve >> some of the issues but in >> general I >> would prefer to remove the whole thing >> together with documenting "Please >> make >> sure that time on all FreeIPA servers and >> clients is synchronized. On >> most >> distributions this was already done >> during system installation." >> >> Can we mark NTP options deprecated in 4.5 >> and remove them and stop >> touching >> any time syncing service in 4.6? 
>> >> >> Considering that default config is just fine >> for normal cases, and given >> how >> poorly integrated it is into FreeIPA, I agree >> with David. FreeIPA should >> get >> out of configuration management business. >> >> >> +1 >> >> -- >> Jan Cholasta >> >> >> -- >> Manage your subscription for the Freeipa-devel >> mailing list: >> https://www.redhat.com/mailman/listinfo/freeipa-devel >> >> Contribute to FreeIPA: >> http://www.freeipa.org/page/Contribute/Code >> >> >> >> >> >> >> >> >> > > From freeipa-github-notification at redhat.com Fri Nov 25 08:13:35 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Fri, 25 Nov 2016 09:13:35 +0100 Subject: [Freeipa-devel] [freeipa PR#231][+ack] Do not log DM password in ca/kra installation logs In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/231 Title: #231: Do not log DM password in ca/kra installation logs Label: +ack From freeipa-github-notification at redhat.com Fri Nov 25 08:14:16 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Fri, 25 Nov 2016 09:14:16 +0100 Subject: [Freeipa-devel] [freeipa PR#231][closed] Do not log DM password in ca/kra installation logs In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/231 Author: stlaz Title: #231: Do not log DM password in ca/kra installation logs Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/231/head:pr231 git checkout pr231 From freeipa-github-notification at redhat.com Fri Nov 25 08:14:18 2016
From: freeipa-github-notification at redhat.com (martbab) Date: Fri, 25 Nov 2016 09:14:18 +0100 Subject: [Freeipa-devel] [freeipa PR#231][+pushed] Do not log DM password in ca/kra installation logs In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/231 Title: #231: Do not log DM password in ca/kra installation logs Label: +pushed From freeipa-github-notification at redhat.com Fri Nov 25 08:14:19 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Fri, 25 Nov 2016 09:14:19 +0100 Subject: [Freeipa-devel] [freeipa PR#231][comment] Do not log DM password in ca/kra installation logs In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/231 Title: #231: Do not log DM password in ca/kra installation logs martbab commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/e617f895e70e6812836870f504af6e22a5dc7def """ See the full comment at https://github.com/freeipa/freeipa/pull/231#issuecomment-262902105 From freeipa-github-notification at redhat.com Fri Nov 25 08:26:50 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Fri, 25 Nov 2016 09:26:50 +0100 Subject: [Freeipa-devel] [freeipa PR#222][comment] Fix ipa-replica-install when upgrade from ca-less to ca-full In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/222 Title: #222: Fix ipa-replica-install when upgrade from ca-less to ca-full mbasti-rh commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/044d887e81d433b43c33b076a21fd1054796786e """ See the full comment at https://github.com/freeipa/freeipa/pull/222#issuecomment-262904061 From freeipa-github-notification at redhat.com Fri Nov 25 08:26:52 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Fri, 25 Nov 2016 09:26:52 +0100 Subject: [Freeipa-devel] [freeipa PR#222][closed] Fix ipa-replica-install when upgrade from ca-less to ca-full In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/222 Author: flo-renaud Title: #222: Fix ipa-replica-install when upgrade from ca-less to ca-full Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/222/head:pr222 git checkout pr222 From freeipa-github-notification at redhat.com Fri Nov 25 08:26:54 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Fri, 25 Nov 2016 09:26:54 +0100 Subject: [Freeipa-devel] [freeipa PR#222][+pushed] Fix ipa-replica-install when upgrade from ca-less to ca-full In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/222 Title: #222: Fix ipa-replica-install when upgrade from ca-less to ca-full Label: +pushed From freeipa-github-notification at redhat.com Fri Nov 25 09:13:54 2016 
From: freeipa-github-notification at redhat.com (stlaz) Date: Fri, 25 Nov 2016 10:13:54 +0100 Subject: [Freeipa-devel] [freeipa PR#271][comment] Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/271 Title: #271: Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient stlaz commented: """ The changes seem fine, I especially dig moving parts only used in ipaserver/ipaclient to their respective submodules. I can see why `ipaplatform` is being removed from certain modules. It seems like a workaround/another solution for the dynamic platform linking which is proposed in https://fedorahosted.org/freeipa/ticket/6474. I wonder what the plan with `ipaplatform` is, then. Could it be that its removal from certain parts of the code would be redundant with the proposed changes? Or do we just keep these changes instead? """ See the full comment at https://github.com/freeipa/freeipa/pull/271#issuecomment-262912220 From freeipa-github-notification at redhat.com Fri Nov 25 09:16:16 2016 From: freeipa-github-notification at redhat.com (flo-renaud) Date: Fri, 25 Nov 2016 10:16:16 +0100 Subject: [Freeipa-devel] [freeipa PR#269][+ack] Prevent denial of replication updates during CA replica install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/269 Title: #269: Prevent denial of replication updates during CA replica install Label: +ack From freeipa-github-notification at redhat.com Fri Nov 25 09:16:18 2016 
From: freeipa-github-notification at redhat.com (flo-renaud) Date: Fri, 25 Nov 2016 10:16:18 +0100 Subject: [Freeipa-devel] [freeipa PR#269][comment] Prevent denial of replication updates during CA replica install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/269 Title: #269: Prevent denial of replication updates during CA replica install flo-renaud commented: """ Hi, thanks for the patch! Everything works as expected. """ See the full comment at https://github.com/freeipa/freeipa/pull/269#issuecomment-262912639 From freeipa-github-notification at redhat.com Fri Nov 25 09:32:41 2016 From: freeipa-github-notification at redhat.com (pspacek) Date: Fri, 25 Nov 2016 10:32:41 +0100 Subject: [Freeipa-devel] [freeipa PR#273][opened] Build: workaround bug while calling parallel make from rpmbuild Message-ID: URL: https://github.com/freeipa/freeipa/pull/273 Author: pspacek Title: #273: Build: workaround bug while calling parallel make from rpmbuild Action: opened PR body: """ https://fedorahosted.org/freeipa/ticket/6418 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/273/head:pr273 git checkout pr273 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-273.patch Type: text/x-diff Size: 809 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Nov 25 09:37:34 2016 
From: freeipa-github-notification at redhat.com (jcholast) Date: Fri, 25 Nov 2016 10:37:34 +0100 Subject: [Freeipa-devel] [freeipa PR#177][comment] Add options to write lightweight CA cert or chain to file In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/177 Title: #177: Add options to write lightweight CA cert or chain to file jcholast commented: """ To continue the discussion from the mailing list: >> My point exactly - ca-show output should be equivalent to cert-show on the >> CA certificate, as far as the certificate and chain are concerned. >> > I reused `BaseCertObject.takes_params' and `BaseCertObject._parse' > to define the params and do most of the work. There is some overlap > with what `BaseCertObject' defines and fields of the `ca' LDAP > attribute so these are ignored/removed. What I actually meant is that `cert-show` should also have a `chain` option and `certificate_chain` param in the future, which should work the same as in `ca-show`. Adding everything from BaseCertObject is an overkill IMHO, and out of the scope of ticket 6178. >> I think I would prefer if the certificate was always returned by the server, >> but the chain only if --chain (or --all) is specified. >> >> Additionally, ca-add should also get the new options and do all of this. >> > I've implemented this. `--chain' implies `--all' but otherwise > remains a client-side only param. This does not scale well - if a new unrelated attribute is added to the CA LDAP entry, or if a new param is added to the CA object, `--chain` will imply retrieving them, which is not something we want. It should really be the other way around and `--all` should imply `--chain`, which also means `--chain` has to be defined on the server side. >> Generator expressions are generally preferred over map(): >> >> data = '\n'.join(to_pem(der) for der in ders) >> > Preferred by whom? 
;) Pythonistas, I believe :) """ See the full comment at https://github.com/freeipa/freeipa/pull/177#issuecomment-262916556 From freeipa-github-notification at redhat.com Fri Nov 25 09:47:12 2016 From: freeipa-github-notification at redhat.com (jcholast) Date: Fri, 25 Nov 2016 10:47:12 +0100 Subject: [Freeipa-devel] [freeipa PR#271][comment] Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/271 Title: #271: Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient jcholast commented: """ @stlaz, [this thread at freeipa-devel](https://www.redhat.com/archives/freeipa-devel/2016-November/msg00776.html) should answer your question. """ See the full comment at https://github.com/freeipa/freeipa/pull/271#issuecomment-262918453 From freeipa-github-notification at redhat.com Fri Nov 25 09:59:04 2016 
From: freeipa-github-notification at redhat.com (tiran) Date: Fri, 25 Nov 2016 10:59:04 +0100 Subject: [Freeipa-devel] [freeipa PR#271][comment] Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/271 Title: #271: Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient tiran commented: """ @jcholast I prefer small patches, that change just one aspect and are easily reviewable in a couple of minutes. The PR touches the entire code base. With 600 additions, more than 700 removals and 316 QC high-severity issues, it is going to take a week to merge it. Merge conflicts are already cumulating, too. You have already split up your PR in a bunch of commits. It looks like most to all commits are unrelated and don't depend on each other. Basically your PR is an epic with a bunch of independent improvements. How about use the iterative approach and create a PR for each commit? """ See the full comment at https://github.com/freeipa/freeipa/pull/271#issuecomment-262920843 From freeipa-github-notification at redhat.com Fri Nov 25 11:06:36 2016 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Fri, 25 Nov 2016 12:06:36 +0100 Subject: [Freeipa-devel] [freeipa PR#267][synchronized] ipa-replica-conncheck: do not close listening ports until required In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/267 Author: tomaskrizek Title: #267: ipa-replica-conncheck: do not close listening ports until required Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/267/head:pr267 git checkout pr267 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-267.patch Type: text/x-diff Size: 11702 bytes Desc: not available URL: From pviktori at redhat.com Fri Nov 25 11:13:03 2016 
From: pviktori at redhat.com (Petr Viktorin) Date: Fri, 25 Nov 2016 12:13:03 +0100 Subject: [Freeipa-devel] Pytest plugins moved to Pagure Message-ID: <37bde9c1-7be8-8e91-f143-d399e5d7299a@redhat.com> Hello, I've moved these Pytest plugins, originally developed for FreeIPA, from Fedorahosted to Pagure: https://pagure.io/python-pytest-sourceorder https://pagure.io/python-pytest-multihost https://pagure.io/python-pytest-beakerlib As I don't actively monitor the freeipa-devel list any more, I'd like to ask everyone to start any *new* conversations about the plugins in Pagure Issues (or Pull Requests). Thanks for letting me use the list until now! -- Petr Viktorin From freeipa-github-notification at redhat.com Fri Nov 25 11:20:43 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Fri, 25 Nov 2016 12:20:43 +0100 Subject: [Freeipa-devel] [freeipa PR#274][opened] Improve the robustness FreeIPA's i18n module and its tests Message-ID: URL: https://github.com/freeipa/freeipa/pull/274 Author: martbab Title: #274: Improve the robustness FreeIPA's i18n module and its tests Action: opened PR body: """ Prevent false positive errors reported by `ipatests/i18n.py` and `ipatests/test_ipalib/test_text.py` when LANGUAGE env variable is set in the environment. Additionally, also set LC_ALL and LC_MESSAGES during checks to further improve the robustness. https://fedorahosted.org/freeipa/ticket/6512 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/274/head:pr274 git checkout pr274 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-274.patch Type: text/x-diff Size: 3785 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Nov 25 11:25:34 2016 
From: freeipa-github-notification at redhat.com (stlaz) Date: Fri, 25 Nov 2016 12:25:34 +0100 Subject: [Freeipa-devel] [freeipa PR#271][comment] Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/271 Title: #271: Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient stlaz commented: """ @jcholast Thanks, I'll add it as a comment to that ticket so that it's more visible to a potential community :) + LGTM @tiran I already did the review, the conflicts are very easily resolvable (ntpconf was moved, two functions are moved from ipa_replica_prepare.) I can see where you're heading and I guess it'd be better to split the PR for the future, although I prefer 1 PR for 1 ticket if that is doable and it is in this case. Can you please rather check if it matches your use-case and bless this PR with functional ACK so that we can get it pushed? """ See the full comment at https://github.com/freeipa/freeipa/pull/271#issuecomment-262936876 From freeipa-github-notification at redhat.com Fri Nov 25 11:28:30 2016 
From: freeipa-github-notification at redhat.com (stlaz) Date: Fri, 25 Nov 2016 12:28:30 +0100 Subject: [Freeipa-devel] [freeipa PR#271][comment] Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/271 Title: #271: Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient stlaz commented: """ @jcholast Thanks, I'll add it as a comment to that ticket so that it's more visible to a potential community :) @tiran I already did the review, the conflicts are very easily resolvable (ntpconf was moved, two functions are moved from ipa_replica_prepare.) I can see where you're heading and I guess it'd be better to split the PR for the future, although I prefer 1 PR for 1 ticket if that is doable and it is in this case. Can you please rather check if it matches your use-case and bless this PR with functional ACK so that we can get it pushed? edit: Removed the LGTM till the outlined necessary issues are fixed, I expect that to come with the rebase. """ See the full comment at https://github.com/freeipa/freeipa/pull/271#issuecomment-262936876 From freeipa-github-notification at redhat.com Fri Nov 25 11:40:59 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Fri, 25 Nov 2016 12:40:59 +0100 Subject: [Freeipa-devel] [freeipa PR#268][comment] Build system must regenerate file when template changes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/268 Title: #268: Build system must regenerate file when template changes mbasti-rh commented: """ works for me """ See the full comment at https://github.com/freeipa/freeipa/pull/268#issuecomment-262939243 From freeipa-github-notification at redhat.com Fri Nov 25 11:41:03 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Fri, 25 Nov 2016 12:41:03 +0100 Subject: [Freeipa-devel] [freeipa PR#268][+ack] Build system must regenerate file when template changes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/268 Title: #268: Build system must regenerate file when template changes Label: +ack From freeipa-github-notification at redhat.com Fri Nov 25 11:46:19 2016 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Fri, 25 Nov 2016 12:46:19 +0100 Subject: [Freeipa-devel] [freeipa PR#267][synchronized] ipa-replica-conncheck: do not close listening ports until required In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/267 Author: tomaskrizek Title: #267: ipa-replica-conncheck: do not close listening ports until required Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/267/head:pr267 git checkout pr267 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-267.patch Type: text/x-diff Size: 11702 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Nov 25 11:48:28 2016 
From: freeipa-github-notification at redhat.com (tiran) Date: Fri, 25 Nov 2016 12:48:28 +0100 Subject: [Freeipa-devel] [freeipa PR#268][comment] Build system must regenerate file when template changes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/268 Title: #268: Build system must regenerate file when template changes tiran commented: """ I don't like the approach and prefer ```AC_CONFIG_FILE``` over manual sed for templating. You only have to add a couple of rules like ``` # Makefile.python.am $(top_builddir)/ipasetup.py: $(top_builddir)/config.status $(top_builddir)/ipasetup.py.in $(MAKE) -C $(top_builddir) $(@F) ``` """ See the full comment at https://github.com/freeipa/freeipa/pull/268#issuecomment-262940339 From freeipa-github-notification at redhat.com Fri Nov 25 12:30:22 2016 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Fri, 25 Nov 2016 13:30:22 +0100 Subject: [Freeipa-devel] [freeipa PR#267][synchronized] ipa-replica-conncheck: do not close listening ports until required In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/267 Author: tomaskrizek Title: #267: ipa-replica-conncheck: do not close listening ports until required Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/267/head:pr267 git checkout pr267 From freeipa-github-notification at redhat.com Fri Nov 25 12:30:24 2016 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Fri, 25 Nov 2016 13:30:24 +0100 Subject: [Freeipa-devel] [freeipa PR#267][closed] ipa-replica-conncheck: do not close listening ports until required In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/267 Author: tomaskrizek Title: #267: ipa-replica-conncheck: do not close listening ports until required Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/267/head:pr267 git checkout pr267 From freeipa-github-notification at redhat.com Fri Nov 25 12:31:06 2016 
From: freeipa-github-notification at redhat.com (pspacek) Date: Fri, 25 Nov 2016 13:31:06 +0100 Subject: [Freeipa-devel] [freeipa PR#268][comment] Build system must regenerate file when template changes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/268 Title: #268: Build system must regenerate file when template changes pspacek commented: """ I already described problems with `AC_CONFIG_FILE` in https://github.com/freeipa/freeipa/pull/251#issuecomment-261470338 a week ago, including envisioned move from `AC_CONFIG_FILE` to `Makefile.am`. Please propose a solution which does not have problems mentioned in https://github.com/freeipa/freeipa/pull/251#issuecomment-261470338 so we can consider it. For the record, this sed replacement is nothing unusual. The sed replacement is what [Autoconf v2.69 manual chapter 4.8.2 Installation Directory Variables](https://www.gnu.org/software/autoconf/manual/autoconf-2.69/html_node/Installation-Directory-Variables.html) recommends and is already used all over the place in the build system (init directory, daemons/ipa-otpd, and elsewhere). It is a pity that you did not comment on the envisioned direction a week ago, nor three days ago when the first version of this PR was published. """ See the full comment at https://github.com/freeipa/freeipa/pull/268#issuecomment-262948252 From freeipa-github-notification at redhat.com Fri Nov 25 12:36:10 2016
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Fri, 25 Nov 2016 13:36:10 +0100 Subject: [Freeipa-devel] [freeipa PR#267][synchronized] ipa-replica-conncheck: do not close listening ports until required In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/267 Author: tomaskrizek Title: #267: ipa-replica-conncheck: do not close listening ports until required Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/267/head:pr267 git checkout pr267 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-267.patch Type: text/x-diff Size: 11923 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Nov 25 12:36:12 2016 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Fri, 25 Nov 2016 13:36:12 +0100 Subject: [Freeipa-devel] [freeipa PR#267][reopened] ipa-replica-conncheck: do not close listening ports until required In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/267 Author: tomaskrizek Title: #267: ipa-replica-conncheck: do not close listening ports until required Action: reopened To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/267/head:pr267 git checkout pr267 From freeipa-github-notification at redhat.com Fri Nov 25 12:47:15 2016 
From: freeipa-github-notification at redhat.com (stlaz)
Date: Fri, 25 Nov 2016 13:47:15 +0100
Subject: [Freeipa-devel] [freeipa PR#252][comment] Use namespace-aware meta importer for ipaplatform
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/252
Title: #252: Use namespace-aware meta importer for ipaplatform

stlaz commented:
"""
It is not AFAIK. I noted that in https://fedorahosted.org/freeipa/ticket/6474 comment and there's also discussion about this in https://github.com/freeipa/freeipa/pull/271. Closing this PR.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/252#issuecomment-262951316

From freeipa-github-notification at redhat.com Fri Nov 25 12:47:17 2016
From: freeipa-github-notification at redhat.com (stlaz)
Date: Fri, 25 Nov 2016 13:47:17 +0100
Subject: [Freeipa-devel] [freeipa PR#252][closed] Use namespace-aware meta importer for ipaplatform
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/252
Author: tiran
Title: #252: Use namespace-aware meta importer for ipaplatform
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/252/head:pr252
git checkout pr252

From freeipa-github-notification at redhat.com Fri Nov 25 12:55:33 2016
From: freeipa-github-notification at redhat.com (stlaz)
Date: Fri, 25 Nov 2016 13:55:33 +0100
Subject: [Freeipa-devel] [freeipa PR#252][+rejected] Use namespace-aware meta importer for ipaplatform
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/252
Title: #252: Use namespace-aware meta importer for ipaplatform
Label: +rejected

From freeipa-github-notification at redhat.com Fri Nov 25 12:56:04 2016
From: freeipa-github-notification at redhat.com (tiran)
Date: Fri, 25 Nov 2016 13:56:04 +0100
Subject: [Freeipa-devel] [freeipa PR#268][comment] Build system must regenerate file when template changes
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/268
Title: #268: Build system must regenerate file when template changes

tiran commented:
"""
You gave a good reason to not use ```CONFIG_STATUS_DEPEDENCIES``` and I agree with your reasoning. I don't see a case against ```AC_CONFIG_FILE```, though. ```config.status``` substitution feature is more powerful than manual sed rules. I'm worried that we are going to run into problems in the future. It's surprising that some files can use all ```@VAR@``` substitutions and some only a limited subset.

Your patch already introduces proper dependencies for ```ipasetup.py``` and ```version.py```. Why not introduce a build rule for these files in ```Makefile.python.am```?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/268#issuecomment-262952627

From jcholast at redhat.com Fri Nov 25 13:19:10 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Fri, 25 Nov 2016 14:19:10 +0100
Subject: [Freeipa-devel] [RFC] Matching and Mapping Certificates
In-Reply-To: <8fa31830-3f04-6a99-596c-5d05421b07cf@redhat.com>
References: <20161006104930.GC22626@p.Speedport_W_724V_Typ_A_05011603_00_009> <20161011113709.GC4864@p.Speedport_W_724V_Typ_A_05011603_00_009> <20161013165235.GH4864@p.Speedport_W_724V_Typ_A_05011603_00_009> <8fa31830-3f04-6a99-596c-5d05421b07cf@redhat.com>
Message-ID:

Bump, Sumit, have you seen my comments? I haven't heard back from you.

On 17.10.2016 09:50, Jan Cholasta wrote:
> Hi,
>
> On 13.10.2016 18:52, Sumit Bose wrote:
>> On Tue, Oct 11, 2016 at 01:37:09PM +0200, Sumit Bose wrote:
>>> On Thu, Oct 06, 2016 at 12:49:30PM +0200, Sumit Bose wrote:
>>>> Hi,
>>>>
>>>> I've started to write a SSSD design page about enhancing the current
>>>> mapping of certificates to users and how to select/match a suitable
>>>> certificate if multiple certificates are on a Smartcard.
>>>>
>>>> My current thoughts and ideas can be found at
>>>> https://fedorahosted.org/sssd/wiki/DesignDocs/MatchingAndMappingCertificates
>>>>
>>>> and for your convenience below as well.
>>>>
>>>> Comments and suggestions are welcome. Please let me know about
>>>> concerns,
>>>> alternatives and missing use-cases/user-stories.
>>>>
>>>> bye,
>>>> Sumit
>>>>
>>>
>>> Hi,
>>>
>>> Rob, Fraser, Alexander, thank you for your comments. I think both the
>>> issuer specific matching and the OID in the SUBJECT matching are good
>>> ideas. I updated the design page accordingly. The changes can be shown
>>> with
>>> https://fedorahosted.org/sssd/wiki/DesignDocs/MatchingAndMappingCertificates?action=diff&version=9&old_version=6
>>>
>>>
>>> The updated version can be found below as well. Of course more
>>> comments and
>>> suggestions are still very welcome.
>>>
>>
>> I did another update. A "Compatibility with Active Directory" section is
>> added which made me realize that there are use-cases for using the
>> issuer in the mapping as well and the sub-strings in LDAP search filters
>> might be useful as well.
>>
>> The changes can be seen with
>> https://fedorahosted.org/sssd/wiki/DesignDocs/MatchingAndMappingCertificates?action=diff&version=10&old_version=9
>>
>>
>> Please let me know your comments and suggestions.
>>
>> bye,
>> Sumit
>>
>> = Matching and Mapping Certificates =
>>
>> Related ticket(s):
>> *
>> http://www.freeipa.org/page/V4/User_Certificates#Certificate_Identity_Mapping
>>
>>
>> === Problem statement ===
>> ==== Mapping ====
>> Currently it is required that a certificate used for authentication is
>> either stored in the LDAP user entry or in a matching override. This
>> might not always be applicable and other ways are needed to relate a
>> user with a certificate.
>>
>> ==== Matching ====
>> Even if SSSD will support multiple certificates on a Smartcard in the
>> context of https://fedorahosted.org/sssd/ticket/3050 it might be
>> necessary to restrict (or relax) the current certificate selection in
>> certain environments.
>>
>> === Use cases ===
>> ==== Mapping ====
>> In some environments it might not be possible or would cause unwanted
>> effort to add certificates to the LDAP entry of the users to allow
>> Smartcard based authentication. Reasons might be:
>> * Certificates/Smartcards are issued externally
>> * LDAP schema extension is not possible or not allowed
>>
>> ==== Matching ====
>> A user might have multiple certificates on a Smartcard which are
>> suitable for authentication. But on some host in the environment only
>> certificates from a specific CA (while all other CAs are trusted as
>> well) or with some special extension should be valid for login.
>>
>> === Overview of the solution ===
>> To match a certificate a language/syntax has to be defined which
>> allows to reference items from the certificate and compare the values
>> with the expected data. To map the certificates to a user the
>> language/syntax should allow to relate certificate items with LDAP
>> attributes so that the value(s) from the certificate item can be used
>> in a LDAP search filter.
>
> Note that in some cases it might be possible to map a certificate to a
> user without having to do an extra LDAP search, for example when the
> certificate contains the principal name of the user. Does the design
> allow this? Or is there no extra LDAP search?
>
>>
>>
>> === Implementation details ===
>> ==== Matching ====
>> The pkinit plugin of MIT Kerberos must find a suitable certificate
>> from a Smartcard as well and has defined the following syntax (see the
>> pkinit_cert_match section of the krb5.conf man page or
>> http://web.mit.edu/Kerberos/krb5-1.14/doc/admin/conf_files/krb5_conf.html
>> for details). The main components are
>>
>> * regular-expression
>> * regular-expression
>> * regular-expression
>> * extended-key-usage-list
>> * key-usage-list
>>
>> and can be grouped together with a prefixed '&&' (and) or '`||`' (or)
>> operator ('&&' is the default). If multiple rules are given they are
>> iterated with the order in the config file as long as a rule matches
>> exactly one certificate.
>>
>> '''Question: MIT Kerberos uses case-sensitive matching and POSIX
>> Extended Regular Expression syntax, shall we do the same?'''
>>
>> While and are (imo) already quite flexible I can
>> see some potential extensions for the other components.
>
> I don't think regular expressions are a particularly good choice for DN
> matching.
> It is difficult to express assertions which are quite natural
> for DNs (matching multi-attribute RDNs, matching the same attribute type
> by different identifiers, respecting the defined matching rules of
> attribute types) and at the same time it is easy to express assertions
> which do not make much sense for DNs (matching substrings in attribute
> names, matching across multiple syntactical elements, etc.).
>
> That said, does the design have to be based on the MIT pkinit matching?
> To me it looks like something quickly hacked together rather than
> thoughtfully designed. I would personally base the design on the
> concepts of CertificateMatch, which is the standard way of matching
> certificates, defined in X.509, rather than reinvent the wheel.
>
>>
>> and in MIT Kerberos only accept certain string values
>> related to some allowed values in those field as defined in
>> https://www.ietf.org/rfc/rfc3280.txt . The selection is basically
>> determined by what is supported on server side of the pkinit plugin of
>> MIT Kerberos. Since we plan to extend pkinit and support local
>> authentication without pkinit as well I would suggest to allow OID
>> strings for those components as well (the comparison is done on the
>> OID level nonetheless).
>>
>> The component in MIT Kerberos only checks the otherName SAN
>> component for the id-pkinit-san OID as defined in
>> https://www.ietf.org/rfc/rfc4556.txt or the szOID_NT_PRINCIPAL_NAME
>> OID as mentioned in https://support.microsoft.com/en-us/kb/287547.
>> While this is sufficient for the default pkinit use case of MIT
>> Kerberos I would suggest to extend this component by allowing to
>> specify an OID with
>>
>> ===== Issuer specific matching =====
>> Although the MIT Kerberos rules allow to select the issuer of a
>> certificate there are use cases where a more specific selection is
>> needed. E.g.
>> if there are some default matching rules for all issuers
>> and some other issuer specific rules where the default rules should
>> not apply. To make this possible with the above scheme the default
>> rules must have an clause which matches all but the issuer
>> with the specific rules. Writing regular-expressions to not match a
>> specific string or a list of strings is at least error-prone if not
>> impossible.
>>
>> To make it easier to define issuer specific rules and default rules at
>> the same time an optional issuer string can be added to the rule to
>> indicate that for the given issuer only those rules should be
>> considered. Given the use-case I think it is acceptable to require
>> that the full issuer must be specified here in LDAP order (see below)
>> and case-sensitive matching is used.
>
> This could also be solved by adding priority to rules - if two rules
> match, the one with higher priority (the issuer specific rule) is
> preferred over the one with lower priority (the default rule). IMO this
> is better than an optional issuer string as it offers greater flexibility.
>
>>
>> How the issuer string is linked to the matching rules depends on the
>> storage (LDAP or sssd.conf, see below for details).
>> ==== Mapping ====
>> Since different certificates, e.g. issued by different CAs, might have
>> different mapping rules, a matching rule must be added if there are
>> more than 1 mapping rule. A single mapping rule without a matching
>> rule might be used as default/catch-all rule in this case.
>>
>> If multiple rules match the derived LDAP filter components can be
>> grouped with the or-operator "|".
>>
>> A mapping rule can use a similar syntax like the matching rule where
>> the LDAP attribute can be added with a ':', e.g.
>> *
>> *
>> *
>>
>> where O.I.D. is either the OID or name of a RDN type or the OID or
>> some well-known-name of the SAN component respectively.
>> Since the
>> SUBJECT might contain multiple RDNs of the same type always the "most
>> specific" is selected because in general this will be the most suited
>> one to map the certificate to a specific user. "most specific" means
>> the last in X.500 order and the first in LDAP order (see discussion
>> below for details).
>>
>> If the O.I.D. is missing the full SUBJECT/ISSUER is used for mapping.
>> If 'DN' is used as ldapAttributeName SUBJECT is expected to be the DN
>> of the user. If the O.I.D. is missing in the SAN case the same default
>> as with matching (id-pkinit-san and szOID_NT_PRINCIPAL_NAME OID) is
>> used. If both SAN values can be found in the certificate and are
>> different the LDAP search filter will combine both with the or-operator.
>>
>> The optional '*' in the end indicates that a sub-string search
>> (ldapAttributeName=*value*) should be used and not an exact match
>> (ldapAttributeName=value). Please note that it depends on the
>> server-side definition of the LDAP attribute if case-sensitive or
>> case-insensitive matching is used.
>
> This seems like a rather quirky way to write down an LDAP filter. IMHO a
> better way would be to use a single attribute containing a filter
> template, e.g.:
>
> (&(someAttr={issuer})(someOtherAttr=*{subject:O.I.D}*))
>
>>
>> Currently I see no usage for and in mapping rules because
>> they do not contain any user-specific data. If at some point we will
>> have personal CAs we might consider to add based mappings.
>>
>> ===== Future consideration =====
>> Most of the interesting values from the SAN should be directly
>> map-able to LDAP attributes. And processing the string representation
>> of might be tricky as discussed below. Nevertheless it might
>> be possible to add the following in a future release if more complex
>> operations on the values are needed:
>>
>> * /regexp/replacement/
>> * /regexp/replacement/
>>
>> where "/regexp/replacement/" stands for optional sed-like substitution
>> rules. E.g.
>> a rule like
>> {{{
>> /^CN=\([^,]*\).*$/\1/
>> }}}
>> would take the subject string 'CN=Certuser,CN=Users,DC=example,DC=com'
>> from the certificate and generate a LDAP search filter component
>> '(samAccountName=Certuser)' which can be included in a LDAP search
>> filter which includes additional components like e.g. an objectClass.
>>
>> The search-and-replace does not have to be sed-like because afaik there
>> is no library which offers this and I would like to avoid
>> implementing it. GLib e.g. has
>> [https://developer.gnome.org/glib/stable/glib-Perl-compatible-regular-expressions.html#g-regex-replace
>> g_regex_replace]. Since we already have a GLib dependency in SSSD due
>> to some utf8 helper functions using might be acceptable as well.
>> Nevertheless it would be nice to hear if there are alternative
>> libraries available as well.
>>
>> Maybe even search-and-replace are not sufficient for all cases and
>> something like embedded lua scripts are needed. But since certificate
>> mapping is about access control and authorization it should be always
>> considered if adding a new attribute to the users LDAP entry which
>> makes mapping easy and straight-forward wouldn't be the better solution.
>>
>> ===== Some notes about DNs =====
>> The X.500 family of standards define names as "SEQUENCE OF
>> RelativeDistinguishedName" where the sequence is "starting with the
>> root and ending with the object being named" (see X.501 section 9.2
>> for details). On the other hand RFC4514 section 2.1 says "Otherwise,
>> the output consists of the string encoding of each
>> RelativeDistinguishedName in the RDNSequence (according to Section
>> 2.2), starting with the last element of the sequence and moving
>> backwards toward the first."
>> This means that the ASN.1 encoded issuer
>> and subject DN from the X.509 certificate can be either displayed as
>> string in the
>> * X.500 order: DC=com,DC=example,CN=users,CN=Certuser
>> or in the
>> * LDAP order: CN=Certuser,CN=Users,DC=example,DC=com
>>
>> As a consequence different tools will use a different order when
>> printing the issuer and subject DN. While NSS's certutil will use the
>> LDAP order, 'openssl x509' and gnutls's certtool will use the X.500
>> order (the latter might change due to
>> https://gitlab.com/gnutls/gnutls/issues/111).
>>
>> This makes it important to specify the order which is used by SSSD
>> for mapping and matching. I would prefer the LDAP order here. E.g. by
>> default the AD CA uses the DN of the users entry in AD as subject in
>> the issued certificate. So a matching rule like '' could
>> tell SSSD to directly search the user based on its DN (which btw is
>> the original intention of the subject field in the certificate, only
>> that the DN should be looked up in a more general DAP as defined by
>> X.500 and not in the lightweight version called LDAP)
>>
>> Another issue is the limited set of attribute names/types required by
>> the RFCs (see section 4.1.2.4 of RFC 3280 and section 3 of RFC 4514).
>> If e.g. the deprecated OID
>> [http://www.oid-info.com/get/1.2.840.113549.1.9.1
>> 1.2.840.113549.1.9.1] is used all tools are able to identify it as an
>> email address but OpenSSL displays it as
>> 'emailAddress=user at example.com', certtool as 'EMAIL=user at example.com'
>> and certutil as 'E=user at example.com'.
>> So matching rules should try to
>> avoid attribute names or only the ones from
>> [https://www.ietf.org/rfc/rfc4514.txt RFC 4514]:
>> * CN commonName (2.5.4.3)
>> * L localityName (2.5.4.7)
>> * ST stateOrProvinceName (2.5.4.8)
>> * O organizationName (2.5.4.10)
>> * OU organizationalUnitName (2.5.4.11)
>> * C countryName (2.5.4.6)
>> * STREET streetAddress (2.5.4.9)
>> * DC domainComponent (0.9.2342.19200300.100.1.25)
>> * UID userId (0.9.2342.19200300.100.1.1)
>>
>> ==== About restricting or enforcing the mapping and matching any
>> further ====
>> The goal of the matching rules in MIT Kerberos is to select a single
>> certificate from a Smartcard which will then be used for PKINIT. Since
>> we already plan to enhance SSSD to support multiple certificates on a
>> Smartcard and if needed prompt the user which one to use for login we
>> should not enforce that the matching rules should return only a single
>> certificate or nothing.
>>
>> Similar we plan to enhance SSSD to use the same certificate to log in
>> with different user identities, e.g. as a user with standard
>> privileges or as a user with administrator privileges. So it can make
>> sense that multiple mapping rules apply to the same certificate and
>> the related LDAP search filter components are or-ed together.
>>
>> In many cases the login program will first ask for a user name which
>> will help to restrict the number of suitable certificates even further
>> and the mapping rules are only needed to check if the certificate
>> belongs to the user trying to log in.
>>
>> But gdm has a feature where gdm will detect when a Smartcard is
>> inserted and call PAM without a user name. In this case SSSD has to
>> determine the user name based on the certificates found on the
>> Smartcard.
>> If in this case multiple valid certificates are on the card
>> and the mapping rules will return multiple users for each certificate
>> gdm has to display a quite long selection of certificate-user pairs
>> the user has to choose from.
>>
>> So it should be underlined in the documentation that the matching and
>> mapping rules should be detailed and specific so that for the given
>> environment they help to avoid cases where the user is prompted to
>> select a certificate (or user name in the gdm case) when trying to log
>> in.
>>
>> ==== Storing matching and mapping configuration ====
>> On the IPA server a new objectclass can be created to store a
>> matching-mapping rule pair together with a specific issuer. All
>> attributes are optional because a missing mapping rule would mean that
>> the user entry will be searched with the whole certificate. A missing
>> matching rule will indicate catch-all rule with a default mapping. If
>> only a specific issuer is given certificates from this issuer must be
>> stored in the LDAP entry of the user to make authentication possible.
>>
>> Specifying matching-mapping rules in sssd.conf is a bit more
>> complicated because SSSD does not respect multiple entries with the
>> same keyword, only the last one is used. So all rules have to be added
>> to a single line. To give it a little bit of structure the rules can
>> be enclosed by curly-braces '{}{}{}' and each rule pair is separated
>> by a comma ','. A single rule in curly braces indicates a matching
>> rule and the mapping will be done with the whole certificate. A
>> default/catch-all mapping rule will start with an empty pair of curly
>> braces followed by a pair containing the mapping rule. Issuer specific
>> rules will have three pairs of curly braces where the first pair must
>> contain an issuer string.
>>
>> ===== Future considerations =====
>> If it turns out that this option is used quite often and it gets
>> complicated to manage a larger set of rules with it and storing the
>> rules in LDAP/IPA/AD is not an option we might add support to read the
>> rules from a separate file (certificate_rules =
>> FILE:///etc/sssd/cert_rules) with a more suitable format, e.g. ini
>> where a list can be defined by giving the same option multiple times.
>>
>> ===== Examples =====
>> * '''certificate_rules = {msScLogin}''': only allow certificates
>> which have the Microsoft OID for Smartcard logon
>> 1.3.6.1.4.1.311.20.2.2 set. Use the whole certificate to look-up the
>> user. The same result can be achieved with
>> * '''certificate_rules = {1.3.6.1.4.1.311.20.2.2}''': see above
>> * '''certificate_rules =
>> {*my-company**@my-company.com$}{}''':
>> only allow certificates from the 'my-company' issuer which have an
>> email address from the 'my-company.com' domain in the rfc882Name SAN
>> attribute. Use the email address in a LDAP search filter
>> '(mail=email-address)' to find the matching user.
>>
>> ==== Compatibility with Active Directory ====
>> Active Directory uses a per-user LDAP attribute
>> [https://msdn.microsoft.com/en-us/library/cc220106.aspx
>> altSecurityIdentities] to allow arbitrary user-certificate mappings if
>> there is no suitable user-principal-name entry in the SAN of the
>> certificate.
>>
>> Unfortunately it is more or less undocumented how AD uses the values of
>> this attribute. The best overview I found is in
>> https://blogs.msdn.microsoft.com/spatdsg/2010/06/18/howto-map-a-user-to-a-certificate-via-all-the-methods-available-in-the-altsecurityidentities-attribute/.
>>
>>
>> It looks like the most important variant is the issuer-subject pair.
>> This one is e.g. created when a certificate is added via the 'Name
>> Mappings' context menu entry in AD's 'Users and Computers' utility
>> ('Advanced Features' must be activated in the 'View' menu).
>> The
>> attribute value might look like
>> {{{
>> altSecurityIdentities: X509:O=Red Hat,OU=prod,CN=Certificate
>> AuthorityDC
>> =com,DC=redhat,OU=users,OID.0.9.2342.19200300.100.1.1=sbose,E=sbose at redhat.co
>>
>> m,CN=Sumit Bose Sumit Bose
>> }}}
>> First it can be seen that X.500 ordering is used. Second, if RDN types
>> not explicitly mentioned in the RFCs are used, you are on your own. As
>> can be seen AD can translate the deprecated OID
>> [http://www.oid-info.com/get/1.2.840.113549.1.9.1
>> 1.2.840.113549.1.9.1] and uses 'E' as NSS. But the OID
>> [http://www.oid-info.com/get/0.9.2342.19200300.100.1.1
>> 0.9.2342.19200300.100.1.1] which is explicitly mentioned in RFC4514 is
>> not translated as UID but the plain OID syntax is used (my guess is
>> that Microsoft tries to be compatible with "older" versions because
>> the UID was added in RFC2253 from 1997 but was not present in the
>> RFC1779 from 1995 and RFC1485 from 1993).
>>
>> Nevertheless with the mapping rules described above a rule like
>> {{{
>>
>> }}}
>> would produce a LDAP search filter like
>> {{{
>> (&(altSecurityIdentities=*Red Hat*)(altSecurityIdentities=*Sumit Bose
>> Sumit Bose*))
>> }}}
>> which should quite reliably find the right LDAP entry.
>>
>> As an alternative it would be possible to add special mapping rules
>> like which would try in a best
>> effort to produce the exact attribute value AD is using. This should
>> work reliable with standard RDN types (see above). I think an optional
>> 'ldapAttributeName' is useful here so that the same mapping rule can
>> be used with different LDAP servers (e.g. IPA) where user-specific
>> mapping attributes are used with the same content but a different
>> attribute name.
>>
>> According to the blog post describing altSecurityIdentities some other
>> additional mapping rules might be useful too.
>> This will give us
>> *
>> *
>> *
>> *
>> *
>> *
>>
>> So far I didn't find an AD tool which creates the other mappings, if
>> you know one, please let me know.
>> === Configuration changes ===
>> Does your feature involve changes to configuration, like new options
>> or options changing values? Summarize them here. There's no need to go
>> into too many details, that's what man pages are for.
>>
>> === How To Test ===
>> This section should explain to a person with admin-level of SSSD
>> understanding how this change affects run time behaviour of SSSD and
>> how can an SSSD user test this change. If the feature is
>> internal-only, please list what areas of SSSD are affected so that
>> testers know where to focus.
>>
>> === How To Debug ===
>> Explain how to debug this feature if something goes wrong. This
>> section might include examples of additional commands the user might
>> run (such as keytab or certificate sanity checks) or explain what
>> message to look for.
>>
>> === Authors ===
>> Give credit to authors of the design in this section.
>>
>
> Honza
>

--
Jan Cholasta

From freeipa-github-notification at redhat.com Fri Nov 25 13:17:28 2016
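Added example, not part of the thread and not SSSD code: the filter-template idea from the message above, combined with the design notes' "most specific RDN" rule and the LDAP/X.500 ordering difference. The placeholder semantics ({issuer}, {subject}, {subject:TYPE} matched by the type name as written in the DN), the function names and the sample DNs are assumptions made for illustration; every certificate-derived value is escaped per RFC 4515 before it enters the filter, so a '*' or ')' in a subject cannot widen or restructure the search.

```python
import re

# Constructed sample DNs in LDAP order (not taken from a real certificate).
SUBJECT = r"CN=Cert\, User (a*b),CN=Users,DC=example,DC=com"
ISSUER = "CN=Certificate Authority,OU=prod,O=Example Org"

_HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")
# Assumed placeholder syntax, modelled on the template quoted in the thread.
_PLACEHOLDER = re.compile(r"\{(issuer|subject)(?::([^}]+))?\}")


def split_unescaped(text, sep):
    """Split on `sep`, ignoring separators protected by a backslash."""
    parts, cur, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            cur.append(text[i:i + 2])  # keep the escape pair intact
            i += 2
        elif text[i] == sep:
            parts.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(text[i])
            i += 1
    parts.append("".join(cur))
    return parts


def unescape_value(raw):
    """Undo RFC 4514 escaping: backslash + char, or backslash + hex byte."""
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            if _HEX_PAIR.fullmatch(raw[i + 1:i + 3]):
                out.append(int(raw[i + 1:i + 3], 16))  # one UTF-8 byte
                i += 3
            else:
                out += raw[i + 1].encode("utf-8")
                i += 2
        else:
            out += raw[i].encode("utf-8")
            i += 1
    return out.decode("utf-8")


def rdns(dn):
    """RDN strings of a DN, in the order the string presents them."""
    return [r.lstrip() for r in split_unescaped(dn, ",") if r.strip()]


def to_x500_order(ldap_dn):
    """Reverse an LDAP-order DN string into X.500 order (root first)."""
    return ",".join(reversed(rdns(ldap_dn)))


def most_specific(dn, attr_type, order="ldap"):
    """First RDN of `attr_type` in LDAP order, i.e. last in X.500 order."""
    seq = rdns(dn)
    if order == "x500":
        seq.reverse()
    for rdn in seq:
        for ava in split_unescaped(rdn, "+"):  # multi-valued RDNs
            name, _, raw = ava.partition("=")
            if name.strip().lower() == attr_type.lower():
                return unescape_value(raw)
    return None


def escape_filter_value(value):
    """RFC 4515 escaping of the characters that are special in a filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def render_filter(template, subject_dn, issuer_dn):
    """Fill the placeholders with escaped values from the certificate DNs."""
    dns = {"subject": subject_dn, "issuer": issuer_dn}

    def substitute(match):
        dn, attr_type = dns[match.group(1)], match.group(2)
        value = dn if attr_type is None else most_specific(dn, attr_type)
        if value is None:
            raise ValueError("certificate has no %s RDN" % attr_type)
        return escape_filter_value(value)

    return _PLACEHOLDER.sub(substitute, template)
```
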
From: freeipa-github-notification at redhat.com (pspacek)
Date: Fri, 25 Nov 2016 14:17:28 +0100
Subject: [Freeipa-devel] [freeipa PR#268][comment] Build system must regenerate file when template changes
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/268
Title: #268: Build system must regenerate file when template changes

pspacek commented:
"""
Oh, you are right, I was mixing `CONFIG_STATUS_DEPEDENCIES` and `AC_CONFIG_FILES`. Sorry!

So please let me explain the problem with `AC_CONFIG_FILES`: `AC_CONFIG_FILES` properly substitutes variables only in Makefiles, as explained in [Autoconf v2.69 manual chapter 4.8.2 Installation Directory Variables](https://www.gnu.org/software/autoconf/manual/autoconf-2.69/html_node/Installation-Directory-Variables.html).

Yes, we can use `AC_CONFIG_FILES` so all variables can be used for substitution, but in that case only subset of all usable variables will be substituted correctly. I do not think that it is right approach.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/268#issuecomment-262955693

From freeipa-github-notification at redhat.com Fri Nov 25 13:57:37 2016
From: freeipa-github-notification at redhat.com (apophys)
Date: Fri, 25 Nov 2016 14:57:37 +0100
Subject: [Freeipa-devel] [freeipa PR#225][comment] tests: Added basic tests for certs in idoverrides
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/225
Title: #225: tests: Added basic tests for certs in idoverrides

apophys commented:
"""
Please address the inline comments
"""

See the full comment at https://github.com/freeipa/freeipa/pull/225#issuecomment-262961820

From freeipa-github-notification at redhat.com Fri Nov 25 14:51:41 2016
From: freeipa-github-notification at redhat.com (stlaz)
Date: Fri, 25 Nov 2016 15:51:41 +0100
Subject: [Freeipa-devel] [freeipa PR#101][synchronized] Improved vault-show error message
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/101
Author: stlaz
Title: #101: Improved vault-show error message
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/101/head:pr101
git checkout pr101
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-101.patch
Type: text/x-diff
Size: 7092 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Fri Nov 25 14:52:09 2016
From: freeipa-github-notification at redhat.com (stlaz)
Date: Fri, 25 Nov 2016 15:52:09 +0100
Subject: [Freeipa-devel] [freeipa PR#101][comment] Improved vault-show error message
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/101
Title: #101: Improved vault-show error message

stlaz commented:
"""
Seems like nobody objected so far.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/101#issuecomment-262971504

From sbose at redhat.com Fri Nov 25 14:55:43 2016
From: sbose at redhat.com (Sumit Bose) Date: Fri, 25 Nov 2016 15:55:43 +0100 Subject: [Freeipa-devel] [RFC] Matching and Mapping Certificates In-Reply-To: References: <20161006104930.GC22626@p.Speedport_W_724V_Typ_A_05011603_00_009> <20161011113709.GC4864@p.Speedport_W_724V_Typ_A_05011603_00_009> <20161013165235.GH4864@p.Speedport_W_724V_Typ_A_05011603_00_009> <8fa31830-3f04-6a99-596c-5d05421b07cf@redhat.com> Message-ID: <20161125145543.GC11202@p.Speedport_W_724V_Typ_A_05011603_00_009> On Fri, Nov 25, 2016 at 02:19:10PM +0100, Jan Cholasta wrote: > Bump, Sumit, have you seen my comments? I haven't heard back from you. Yes, I've seen it and added a comment about it on the page https://fedorahosted.org/sssd/wiki/DesignDocs/MatchingAndMappingCertificates#Matching-alternativeRFC4523syntax To cut it short I would prefer to use a standard, but I think RFC4523 currently does nit meet out needs. But I would be happy if there are ways to mitigate my concerns. I'm working on updating and changing other sections as well and planned to reply when I'm done with the other sections as well. bye, Sumit > > On 17.10.2016 09:50, Jan Cholasta wrote: > > Hi, > > > > On 13.10.2016 18:52, Sumit Bose wrote: > > > On Tue, Oct 11, 2016 at 01:37:09PM +0200, Sumit Bose wrote: > > > > On Thu, Oct 06, 2016 at 12:49:30PM +0200, Sumit Bose wrote: > > > > > Hi, > > > > > > > > > > I've started to write a SSSD design page about enhancing the current > > > > > mapping of certificates to users and how to select/match a suitable > > > > > certificate if multiple certificates are on a Smartcard. > > > > > > > > > > My currently thoughts and idea and be found at > > > > > https://fedorahosted.org/sssd/wiki/DesignDocs/MatchingAndMappingCertificates > > > > > > > > > > and for your convenience below as well. > > > > > > > > > > Comments and suggestions are welcome. Please let me know about > > > > > concerns, > > > > > alternatives and missing use-cases/user-stories. 
> > > > > > > > > > bye, > > > > > Sumit > > > > > > > > > > > > > Hi, > > > > > > > > Rob, Fraser, Alexander, thank you for your comments. I think both the > > > > issuer specific matching and the OID in the SUBJECT matching are good > > > > ideas. I updated the design page accordingly. The changes can be shown > > > > with > > > > https://fedorahosted.org/sssd/wiki/DesignDocs/MatchingAndMappingCertificates?action=diff&version=9&old_version=6 > > > > > > > > > > > > The updated version can be found below as well. Of course more > > > > comments and > > > > suggestions are still very welcome. > > > > > > > > > > I did another update. A "Compatibility with Active Director" section is > > > added which made me realize that there are use-cases for using the > > > issuer in the mapping as well and the sub-strings in LDAP search filters > > > might be useful as well. > > > > > > The changes can be seen with > > > https://fedorahosted.org/sssd/wiki/DesignDocs/MatchingAndMappingCertificates?action=diff&version=10&old_version=9 > > > > > > > > > Please let me know your comments and suggestions. > > > > > > bye, > > > Sumit > > > > > > = Matching and Mapping Certificates = > > > > > > Related ticket(s): > > > * > > > http://www.freeipa.org/page/V4/User_Certificates#Certificate_Identity_Mapping > > > > > > > > > === Problem statement === > > > ==== Mapping ==== > > > Currently it is required that a certificate used for authentication is > > > either stored in the LDAP user entry or in a matching override. This > > > might not always be applicable and other ways are needed to relate a > > > user with a certificate. > > > > > > ==== Matching ==== > > > Even if SSSD will support multiple certificates on a Smartcard in the > > > context of https://fedorahosted.org/sssd/ticket/3050 it might be > > > necessary to restrict (or relax) the current certificate selection in > > > certain environments. 
> > >
> > > === Use cases ===
> > > ==== Mapping ====
> > > In some environments it might not be possible or would cause unwanted
> > > effort to add certificates to the LDAP entry of the users to allow
> > > Smartcard based authentication. Reasons might be:
> > > * Certificates/Smartcards are issued externally
> > > * LDAP schema extension is not possible or not allowed
> > >
> > > ==== Matching ====
> > > A user might have multiple certificates on a Smartcard which are
> > > suitable for authentication. But on some hosts in the environment only
> > > certificates from a specific CA (while all other CAs are trusted as
> > > well) or with some special extension should be valid for login.
> > >
> > > === Overview of the solution ===
> > > To match a certificate a language/syntax has to be defined which
> > > allows to reference items from the certificate and compare the values
> > > with the expected data. To map the certificates to a user the
> > > language/syntax should allow to relate certificate items with LDAP
> > > attributes so that the value(s) from the certificate item can be used
> > > in a LDAP search filter.
> >
> > Note that in some cases it might be possible to map a certificate to a
> > user without having to do an extra LDAP search, for example when the
> > certificate contains the principal name of the user. Does the design
> > allow this? Or is there no extra LDAP search?
> >
> > >
> > >
> > > === Implementation details ===
> > > ==== Matching ====
> > > The pkinit plugin of MIT Kerberos must find a suitable certificate
> > > from a Smartcard as well and has defined the following syntax (see the
> > > pkinit_cert_match section of the krb5.conf man page or
> > > http://web.mit.edu/Kerberos/krb5-1.14/doc/admin/conf_files/krb5_conf.html
> > > for details).
> > > The main components are
> > >
> > > * regular-expression
> > > * regular-expression
> > > * regular-expression
> > > * extended-key-usage-list
> > > * key-usage-list
> > >
> > > and can be grouped together with a prefixed '&&' (and) or '`||`' (or)
> > > operator ('&&' is the default). If multiple rules are given they are
> > > iterated with the order in the config file as long as a rule matches
> > > exactly one certificate.
> > >
> > > '''Question: MIT Kerberos use case-sensitive matching and POSIX
> > > Extended Regular Expression syntax, shall we do the same?'''
> > >
> > > While and are (imo) already quite flexible I can
> > > see some potential extensions for the other components.
> >
> > I don't think regular expressions are a particularly good choice for DN
> > matching. It is difficult to express assertions which are quite natural
> > for DNs (matching multi-attribute RDNs, matching the same attribute type
> > by different identifiers, respecting the defined matching rules of
> > attribute types) and at the same time it is easy to express assertions
> > which do not make much sense for DNs (matching substrings in attribute
> > names, matching across multiple syntactical elements, etc.).
> >
> > That said, does the design have to be based on the MIT pkinit matching?
> > To me it looks like something quickly hacked together rather than
> > thoughtfully designed. I would personally base the design on the
> > concepts of CertificateMatch, which is the standard way of matching
> > certificates, defined in X.509, rather than reinvent the wheel.
> >
> > >
> > > and in MIT Kerberos only accept certain string values
> > > related to some allowed values in those fields as defined in
> > > https://www.ietf.org/rfc/rfc3280.txt . The selection is basically
> > > determined by what is supported on server side of the pkinit plugin of
> > > MIT Kerberos.
> > > Since we plan to extend pkinit and support local
> > > authentication without pkinit as well I would suggest to allow OID
> > > strings for those components as well (the comparison is done on the
> > > OID level nonetheless).
> > >
> > > The component in MIT Kerberos only checks the otherName SAN
> > > component for the id-pkinit-san OID as defined in
> > > https://www.ietf.org/rfc/rfc4556.txt or the szOID_NT_PRINCIPAL_NAME
> > > OID as mentioned in https://support.microsoft.com/en-us/kb/287547.
> > > While this is sufficient for the default pkinit user case of MIT
> > > Kerberos I would suggest to extend this component by allowing to
> > > specify an OID with
> > >
> > > ===== Issuer specific matching =====
> > > Although the MIT Kerberos rules allow to select the issuer of a
> > > certificate there are use cases where a more specific selection is
> > > needed. E.g. if there are some default matching rules for all issuers
> > > and some other issuer specific rules where the default rules should
> > > not apply. To make this possible with the above scheme the default
> > > rules must have an clause which matches all but the issuer
> > > with the specific rules. Writing regular-expressions to not match a
> > > specific string or a list of strings is at least error-prone if not
> > > impossible.
> > >
> > > To make it easier to define issuer specific rules and default rules at
> > > the same time an optional issuer string can be added to the rule to
> > > indicate that for the given issuer only those rules should be
> > > considered. Given the use-case I think it is acceptable to require
> > > that the full issuer must be specified here in LDAP order (see below)
> > > and case-sensitive matching is used.
> >
> > This could also be solved by adding priority to rules - if two rules
> > match, the one with higher priority (the issuer specific rule) is
> > preferred over the one with lower priority (the default rule).
> > IMO this
> > is better than an optional issuer string as it offers greater flexibility.
> >
> > >
> > > How the issuer string is linked to the matching rules depends on the
> > > storage (LDAP or sssd.conf, see below for details).
> > > ==== Mapping ====
> > > Since different certificates, e.g. issued by different CAs, might have
> > > different mapping rules, a matching rule must be added if there are
> > > more than 1 mapping rule. A single mapping rule without a matching
> > > rule might be used as default/catch-all rule in this case.
> > >
> > > If multiple rules match the derived LDAP filter components can be
> > > grouped with the or-operator "|".
> > >
> > > A mapping rule can use a similar syntax like the matching rule where
> > > the LDAP attribute can be added with a ':', e.g.
> > > *
> > > *
> > > *
> > >
> > > where O.I.D. is either the OID or name of a RDN type or the OID or
> > > some well-known-name of the SAN component respectively. Since the
> > > SUBJECT might contain multiple RDNs of the same type always the "most
> > > specific" is selected because in general this will be the most suited
> > > one to map the certificate to a specific user. "most specific" means
> > > the last in X.500 order and the first in LDAP order (see discussion
> > > below for details).
> > >
> > > If the O.I.D. is missing the full SUBJECT/ISSUER is used for mapping.
> > > If 'DN' is used as ldapAttributeName SUBJECT is expected to be the DN
> > > of the user. If the O.I.D. is missing in the SAN case the same default
> > > as with matching (id-pkinit-san and szOID_NT_PRINCIPAL_NAME OID) is
> > > used. If both SAN values can be found in the certificate and are
> > > different the LDAP search filter will combine both with the or-operator.
> > >
> > > The optional '*' in the end indicates that a sub-string search
> > > (ldapAttributeName=*value*) should be used and not an exact match
> > > (ldapAttributeName=value).
> > > Please note that it depends on the
> > > server-side definition of the LDAP attribute if case-sensitive or
> > > case-insensitive matching is used.
> >
> > This seems like a rather quirky way to write down an LDAP filter. IMHO a
> > better way would be to use a single attribute containing a filter
> > template, e.g.:
> >
> > (&(someAttr={issuer})(someOtherAttr=*{subject:O.I.D}*))
> >
> > >
> > > Currently I see no usage for and in mapping rules because
> > > they do not contain any user-specific data. If at some point we will
> > > have personal CAs we might consider to add based mappings.
> > >
> > > ===== Future consideration =====
> > > Most of the interesting values from the SAN should be directly
> > > map-able to LDAP attributes. And processing the string representation
> > > of might be tricky as discussed below. Nevertheless it might
> > > be possible to add the following in a future release if more complex
> > > operations on the values are needed:
> > >
> > > * /regexp/replacement/
> > > * /regexp/replacement/
> > >
> > > where "/regexp/replacement/" stands for optional sed-like substitution
> > > rules. E.g. a rule like
> > > {{{
> > > /^CN=\([^,]*\).*$/\1/
> > > }}}
> > > would take the subject string 'CN=Certuser,CN=Users,DC=example,DC=com'
> > > from the certificate and generate a LDAP search filter component
> > > '(samAccountName=Certuser)' which can be included in a LDAP search
> > > filter which includes additional components like e.g. an objectClass.
> > >
> > > The search-and-replace does not have to be sed-like because afaik there
> > > is no library which offers this and I would like to avoid
> > > implementing it. GLib e.g. has
> > > [https://developer.gnome.org/glib/stable/glib-Perl-compatible-regular-expressions.html#g-regex-replace
> > > g_regex_replace]. Since we already have a GLib dependency in SSSD due
> > > to some utf8 helper functions using might be acceptable as well.
> > > Nevertheless it would be nice to hear if there are alternative
> > > libraries available as well.
> > >
> > > Maybe even search-and-replace are not sufficient for all cases and
> > > something like embedded lua scripts are needed. But since certificate
> > > mapping is about access control and authorization it should be always
> > > considered if adding a new attribute to the users LDAP entry which
> > > makes mapping easy and straight-forward wouldn't be the better solution.
> > >
> > > ===== Some notes about DNs =====
> > > The X.500 family of standards define names as "SEQUENCE OF
> > > RelativeDistinguishedName" where the sequence is "starting with the
> > > root and ending with the object being named" (see X.501 section 9.2
> > > for details). On the other hand RFC4514 section 2.1 says "Otherwise,
> > > the output consists of the string encoding of each
> > > RelativeDistinguishedName in the RDNSequence (according to Section
> > > 2.2), starting with the last element of the sequence and moving
> > > backwards toward the first." This means that the ASN.1 encoded issuer
> > > and subject DN from the X.509 certificate can be either displayed as
> > > string in the
> > > * X.500 order: DC=com,DC=example,CN=users,CN=Certuser
> > > or in the
> > > * LDAP order: CN=Certuser,CN=Users,DC=example,DC=com
> > >
> > > As a consequence different tools will use a different order when
> > > printing the issuer and subject DN. While NSS's certutil will use the
> > > LDAP order, 'openssl x509' and gnutls's certtool will use the X.500
> > > order (the latter might change due to
> > > https://gitlab.com/gnutls/gnutls/issues/111).
> > >
> > > This makes it important to specify the order which is used by SSSD
> > > for mapping and matching. I would prefer the LDAP order here. E.g. by
> > > default the AD CA uses the DN of the users entry in AD as subject in
> > > the issued certificate.
> > > So a matching rule like '' could
> > > tell SSSD to directly search the user based on its DN (which btw is
> > > the original intention of the subject field in the certificate, only
> > > that the DN should be looked up in a more general DAP as defined by
> > > X.500 and not in the lightweight version called LDAP)
> > >
> > > Another issue is the limited set of attribute names/types required by
> > > the RFCs (see section 4.1.2.4 of RFC 3280 and section 3 of RFC 4514).
> > > If e.g. the deprecated OID
> > > [http://www.oid-info.com/get/1.2.840.113549.1.9.1
> > > 1.2.840.113549.1.9.1] is used all tools are able to identify it as an
> > > email address but OpenSSL displays it as
> > > 'emailAddress=user at example.com', certtool as 'EMAIL=user at example.com'
> > > and certutil as 'E=user at example.com'. So matching rules should try to
> > > avoid attribute names or only the ones from
> > > [https://www.ietf.org/rfc/rfc4514.txt RFC 4514]:
> > > * CN commonName (2.5.4.3)
> > > * L localityName (2.5.4.7)
> > > * ST stateOrProvinceName (2.5.4.8)
> > > * O organizationName (2.5.4.10)
> > > * OU organizationalUnitName (2.5.4.11)
> > > * C countryName (2.5.4.6)
> > > * STREET streetAddress (2.5.4.9)
> > > * DC domainComponent (0.9.2342.19200300.100.1.25)
> > > * UID userId (0.9.2342.19200300.100.1.1)
> > >
> > > ==== About restricting or enforcing the mapping and matching any
> > > further ====
> > > The goal of the matching rules in MIT Kerberos is to select a single
> > > certificate from a Smartcard which will then be used for PKINIT. Since
> > > we already plan to enhance SSSD to support multiple certificates on a
> > > Smartcard and if needed prompt the user which one to use for login we
> > > should not enforce that the matching rules should return only a single
> > > certificate or nothing.
> > >
> > > Similarly we plan to enhance SSSD to use the same certificate to log in
> > > with different user identities, e.g.
> > > as a user with standard
> > > privileges or as a user with administrator privileges. So it can make
> > > sense that multiple mapping rules apply to the same certificate and
> > > the related LDAP search filter components are or-ed together.
> > >
> > > In many cases the login program will first ask for a user name which
> > > will help to restrict the number of suitable certificates even further
> > > and the mapping rules are only needed to check if the certificate
> > > belongs to the user trying to log in.
> > >
> > > But gdm has a feature where gdm will detect when a Smartcard is
> > > inserted and call PAM without a user name. In this case SSSD has to
> > > determine the user name based on the certificates found on the
> > > Smartcard. If in this case multiple valid certificates are on the card
> > > and the mapping rules will return multiple users for each certificate
> > > gdm has to display a quite long selection of certificate-user pairs
> > > the user has to choose from.
> > >
> > > So it should be underlined in the documentation that the matching and
> > > mapping rules should be detailed and specific so that for the given
> > > environment they help to avoid cases where the user is prompted to
> > > select a certificate (or user name in the gdm case) when trying to log
> > > in.
> > >
> > > ==== Storing matching and mapping configuration ====
> > > On the IPA server a new objectclass can be created to store a
> > > matching-mapping rule pair together with a specific issuer. All
> > > attributes are optional because a missing mapping rule would mean that
> > > the user entry will be searched with the whole certificate. A missing
> > > matching rule will indicate catch-all rule with a default mapping. If
> > > only a specific issuer is given certificates from this issuer must be
> > > stored in the LDAP entry of the user to make authentication possible.
> > >
> > > Specifying matching-mapping rules in sssd.conf is a bit more
> > > complicated because SSSD does not respect multiple entries with the
> > > same keyword, only the last one is used. So all rules have to be added
> > > to a single line. To give it a little bit of structure the rules can
> > > be enclosed by curly-braces '{}{}{}' and each rule pair is separated
> > > by a comma ','. A single rule in curly braces indicates a matching
> > > rule and the mapping will be done with the whole certificate. A
> > > default/catch-all mapping rule will start with an empty pair of curly
> > > braces followed by a pair containing the mapping rule. Issuer specific
> > > rules will have three pairs of curly braces where the first pair must
> > > contain an issuer string.
> > >
> > > ===== Future considerations =====
> > > If it turns out that this option is used quite often and it gets
> > > complicated to manage a larger set of rules with it and storing the
> > > rules in LDAP/IPA/AD is not an option we might add support to read the
> > > rules from a separate file (certificate_rules =
> > > FILE:///etc/sssd/cert_rules) with a more suitable format, e.g. ini
> > > where a list can be defined by giving the same option multiple times.
> > >
> > > ===== Examples =====
> > > * '''certificate_rules = {msScLogin}''': only allow certificates
> > > which have the Microsoft OID for Smartcard logon
> > > 1.3.6.1.4.1.311.20.2.2 set. use the whole certificate to look-up the
> > > user. The same result can be achieved with
> > > * '''certificate_rules = {1.3.6.1.4.1.311.20.2.2}''': see above
> > > * '''certificate_rules =
> > > {*my-company**@my-company.com$}{}''':
> > > only allow certificates from the 'my-company' issuer which have an
> > > email address from the 'my-company.com' domain in the rfc822Name SAN
> > > attribute. Use the email address in a LDAP search filter
> > > '(mail=email-address)' to find the matching user.
> > >
> > > ==== Compatibility with Active Directory ====
> > > Active Directory uses a per-user LDAP attribute
> > > [https://msdn.microsoft.com/en-us/library/cc220106.aspx
> > > altSecurityIdentities] to allow arbitrary user-certificate mappings if
> > > there is no suitable user-principal-name entry in the SAN of the
> > > certificate.
> > >
> > > Unfortunately it is more or less undocumented how AD uses the values of
> > > this attribute. The best overview I found is in
> > > https://blogs.msdn.microsoft.com/spatdsg/2010/06/18/howto-map-a-user-to-a-certificate-via-all-the-methods-available-in-the-altsecurityidentities-attribute/.
> > >
> > >
> > > It looks like the most important variant is the issuer-subject pair.
> > > This one is e.g. created when a certificate is added via the 'Name
> > > Mappings' context menu entry in AD's 'Users and Computers' utility
> > > ('Advanced Features' must be activated in the 'View' menu). The
> > > attribute value might look like
> > > {{{
> > > altSecurityIdentities: X509:O=Red Hat,OU=prod,CN=Certificate
> > > AuthorityDC
> > > =com,DC=redhat,OU=users,OID.0.9.2342.19200300.100.1.1=sbose,E=sbose at redhat.co
> > >
> > > m,CN=Sumit Bose Sumit Bose
> > > }}}
> > > First it can be seen that X.500 ordering is used. Second, if RDN types
> > > not explicitly mentioned in the RFCs are used, you are on your own. As
> > > can be seen AD can translate the deprecated OID
> > > [http://www.oid-info.com/get/1.2.840.113549.1.9.1
> > > 1.2.840.113549.1.9.1] and uses 'E' as NSS. But the OID
> > > [http://www.oid-info.com/get/0.9.2342.19200300.100.1.1
> > > 0.9.2342.19200300.100.1.1] which is explicitly mentioned in RFC4514 is
> > > not translated as UID but the plain OID syntax is used (my guess is
> > > that Microsoft tries to be compatible with "older" versions because
> > > the UID was added in RFC2253 from 1997 but was not present in the
> > > RFC1779 from 1995 and RFC1485 from 1993).
> > >
> > > Nevertheless with the mapping rules described above a rule like
> > > {{{
> > >
> > > }}}
> > > would produce a LDAP search filter like
> > > {{{
> > > (&(altSecurityIdentities=*Red Hat*)(altSecurityIdentities=*Sumit Bose
> > > Sumit Bose*))
> > > }}}
> > > which should quite reliably find the right LDAP entry.
> > >
> > > As an alternative it would be possible to add special mapping rules
> > > like which would try in a best
> > > effort to produce the exact attribute value AD is using. This should
> > > work reliably with standard RDN types (see above). I think an optional
> > > 'ldapAttributeName' is useful here so that the same mapping rule can
> > > be used with different LDAP servers (e.g. IPA) where user-specific
> > > mapping attributes are used with the same content but a different
> > > attribute name.
> > >
> > > According to the blog post describing altSecurityIdentities some other
> > > additional mapping rules might be useful too. This will give us
> > > *
> > > *
> > > *
> > > *
> > > *
> > > *
> > >
> > > So far I didn't find an AD tool which creates the other mappings, if
> > > you know one, please let me know.
> > > === Configuration changes ===
> > > Does your feature involve changes to configuration, like new options
> > > or options changing values? Summarize them here. There's no need to go
> > > into too many details, that's what man pages are for.
> > >
> > > === How To Test ===
> > > This section should explain to a person with admin-level of SSSD
> > > understanding how this change affects run time behaviour of SSSD and
> > > how can an SSSD user test this change. If the feature is
> > > internal-only, please list what areas of SSSD are affected so that
> > > testers know where to focus.
> > >
> > > === How To Debug ===
> > > Explain how to debug this feature if something goes wrong.
> > > This
> > > section might include examples of additional commands the user might
> > > run (such as keytab or certificate sanity checks) or explain what
> > > message to look for.
> > >
> > > === Authors ===
> > > Give credit to authors of the design in this section.
> > >
> >
> > Honza
> >
>
>
> --
> Jan Cholasta

From freeipa-github-notification at redhat.com Fri Nov 25 15:02:10 2016
From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Fri, 25 Nov 2016 16:02:10 +0100
Subject: [Freeipa-devel] [freeipa PR#267][synchronized] ipa-replica-conncheck: do not close listening ports until required
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/267
Author: tomaskrizek
Title: #267: ipa-replica-conncheck: do not close listening ports until required
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/267/head:pr267
git checkout pr267
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-267.patch
Type: text/x-diff
Size: 11903 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Fri Nov 25 15:08:54 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Fri, 25 Nov 2016 16:08:54 +0100
Subject: [Freeipa-devel] [freeipa PR#264][+ack] Python3 pylint fixes
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/264
Title: #264: Python3 pylint fixes
Label: +ack

From freeipa-github-notification at redhat.com Fri Nov 25 15:19:03 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Fri, 25 Nov 2016 16:19:03 +0100
Subject: [Freeipa-devel] [freeipa PR#264][comment] Python3 pylint fixes
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/264
Title: #264: Python3 pylint fixes

mbasti-rh commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/38e8719f728e6d54289507fe2c7f79f9272c45c0
https://fedorahosted.org/freeipa/changeset/7fef9cbec725beed62eb425449083c59416ed975
https://fedorahosted.org/freeipa/changeset/fef6f18aa27c3c5286c48dce4419db6ff9ac967b
https://fedorahosted.org/freeipa/changeset/6bbbce44733761fda1fc588397b8baddbc7f8de3
"""

See the full comment at https://github.com/freeipa/freeipa/pull/264#issuecomment-262977665

From freeipa-github-notification at redhat.com Fri Nov 25 15:19:05 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Fri, 25 Nov 2016 16:19:05 +0100
Subject: [Freeipa-devel] [freeipa PR#264][closed] Python3 pylint fixes
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/264
Author: tiran
Title: #264: Python3 pylint fixes
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/264/head:pr264
git checkout pr264

From freeipa-github-notification at redhat.com Fri Nov 25 15:19:11 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Fri, 25 Nov 2016 16:19:11 +0100
Subject: [Freeipa-devel] [freeipa PR#264][+pushed] Python3 pylint fixes
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/264
Title: #264: Python3 pylint fixes
Label: +pushed

From simo at redhat.com Fri Nov 25 15:34:33 2016
From: simo at redhat.com (Simo Sorce)
Date: Fri, 25 Nov 2016 10:34:33 -0500
Subject: [Freeipa-devel] NTP in FreeIPA
In-Reply-To:
References:
Message-ID: <1480088073.3917.100.camel@redhat.com>

On Tue, 2016-11-22 at 15:05 +0100, Jan Cholasta wrote:
> On 22.11.2016 13:06, Petr Spacek wrote:
> > On 22.11.2016 12:15, David Kupka wrote:
> >> Hello everyone!
> >>
> >> Is it worth to keep configuring NTP in FreeIPA?
> >>
> >> In usual environment there're no special requirements for time synchronization
> >> and the distribution default (be it ntpd, chrony or anything else) will just
> >> work. Any tampering with the configuration can't make it any better.
> >>
> >> In environment with special requirements (network disconnected from public
> >> internet, nodes disconnected from topology for longer time, ...) time
> >> synchronization must be taken care of accordingly by system administrator and
> >> FreeIPA simply can't help here.
> >>
> >> Also there are problems and weird behavior with the current FreeIPA installers:
> >>
> >> * ipa-client-install replaces all servers in /etc/ntp.conf with the ones
> >> specified by user or resolved from DNS. If none were provided nor resolved the
> >> FreeIPA server specified/resolved during installation is used. This leads in
> >> just single server in the configuration and no time synchronization when this
> >> server is down/decommissioned.
> >>
> >> * ipa-client-install replaces the NTP configuration. If there was any parts
> >> previously edited by system administrator it's lost.
> >>
> >> * ipa-server-install adds {0-4}.$PLATFORM.pool.ntp.org to /etc/ntp.conf.
> >> What's the point in doing that? These servers're already in the configuration
> >> file installed with ntp package.
> >>
> >> I have NTP-related WIP patches that solve some of the issues but in general I
> >> would prefer to remove the whole thing together with documenting "Please make
> >> sure that time on all FreeIPA servers and clients is synchronized.
> >> On most
> >> distributions this was already done during system installation."
> >>
> >> Can we mark NTP options deprecated in 4.5 and remove them and stop touching
> >> any time syncing service in 4.6?
> >
> > Considering that default config is just fine for normal cases, and given how
> > poorly integrated it is into FreeIPA, I agree with David. FreeIPA should get
> > out of configuration management business.
>
> +1

Just FYI, when we integrated NTP the plan was to eventually get NTPD
compiled on the server (and on the client) to generate/check signatures
on time packets. We never got around to do it, and at some point we
decided to wait as daemons were in flux in some distributions and IETF
had efforts to provide some more standardized way to provide packet
signatures (we were planning to use the GSS based signature format
developed by Microsoft and used in AD).

When we get back to signing packets we may have to get back in the
business of configuring the clients to check in with the right
servers ...

So I am in 2 minds if we should completely remove it, but I am ok not
touching it by default for now in ipa-client-install, ie adding a
--ntp-conf=off|on or some such and default to off.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From simo at redhat.com Fri Nov 25 15:38:07 2016
From: simo at redhat.com (Simo Sorce)
Date: Fri, 25 Nov 2016 10:38:07 -0500
Subject: [Freeipa-devel] NTP in FreeIPA
In-Reply-To: <1480088073.3917.100.camel@redhat.com>
References: <1480088073.3917.100.camel@redhat.com>
Message-ID: <1480088287.3917.104.camel@redhat.com>

On Fri, 2016-11-25 at 10:34 -0500, Simo Sorce wrote:
> On Tue, 2016-11-22 at 15:05 +0100, Jan Cholasta wrote:
> > On 22.11.2016 13:06, Petr Spacek wrote:
> > > On 22.11.2016 12:15, David Kupka wrote:
> > >> Hello everyone!
> > >>
> > >> Is it worth to keep configuring NTP in FreeIPA?
> > >>
> > >> In usual environment there're no special requirements for time synchronization
> > >> and the distribution default (be it ntpd, chrony or anything else) will just
> > >> work. Any tampering with the configuration can't make it any better.
> > >>
> > >> In environment with special requirements (network disconnected from public
> > >> internet, nodes disconnected from topology for longer time, ...) time
> > >> synchronization must be taken care of accordingly by system administrator and
> > >> FreeIPA simply can't help here.
> > >>
> > >> Also there are problems and weird behavior with the current FreeIPA installers:
> > >>
> > >> * ipa-client-install replaces all servers in /etc/ntp.conf with the ones
> > >> specified by user or resolved from DNS. If none were provided nor resolved the
> > >> FreeIPA server specified/resolved during installation is used. This leads in
> > >> just single server in the configuration and no time synchronization when this
> > >> server is down/decommissioned.
> > >>
> > >> * ipa-client-install replaces the NTP configuration. If there was any parts
> > >> previously edited by system administrator it's lost.
> > >>
> > >> * ipa-server-install adds {0-4}.$PLATFORM.pool.ntp.org to /etc/ntp.conf.
> > >> What's the point in doing that? These servers're already in the configuration
> > >> file installed with ntp package.
> > >>
> > >> I have NTP-related WIP patches that solve some of the issues but in general I
> > >> would prefer to remove the whole thing together with documenting "Please make
> > >> sure that time on all FreeIPA servers and clients is synchronized. On most
> > >> distributions this was already done during system installation."
> > >>
> > >> Can we mark NTP options deprecated in 4.5 and remove them and stop touching
> > >> any time syncing service in 4.6?
> > >
> > > Considering that default config is just fine for normal cases, and given how
> > > poorly integrated it is into FreeIPA, I agree with David. FreeIPA should get
> > > out of configuration management business.
> >
> > +1
>
> Just FYI, when we integrated NTP the plan was to eventually get NTPD
> compiled on the server (and on the client) to generate/check signatures
> on time packets. We never got around to do it, and at some point we
> decided to wait as daemons were in flux in some distributions and IETF
> had efforts to provide some more standardized way to provide packet
> signatures (we were planning to use the GSS based signature format
> developed by Microsoft and used in AD).
>
> When we get back to signing packets we may have to get back in the
> business of configuring the clients to check in with the right
> servers ...
>
> So I am in 2 minds if we should completely remove it, but I am ok not
> touching it by default for now in ipa-client-install, ie adding a
> --ntp-conf=off|on or some such and default to off.

Forgot to add, the other reason for us to configure NTP was to make sure
servers and clients had the same time. It was very common back then to
have issues with Virtualized environments.

So ...
if we do this (stop configuring NTP) then we MUST (IMO) add some code
to the installer that checks if the server and client agree on the time
(with a few minutes clock skew) and then LOUDLY warn the user if they do
not and suggest they configure NTP properly (and offer them to enable
the option to do it ourselves perhaps).

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From freeipa-github-notification at redhat.com Fri Nov 25 15:44:38 2016
From: freeipa-github-notification at redhat.com (apophys)
Date: Fri, 25 Nov 2016 16:44:38 +0100
Subject: [Freeipa-devel] [freeipa PR#200][comment] Test: basic kerberos over http functionality
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/200
Title: #200: Test: basic kerberos over http functionality

apophys commented:
"""
Please rebase the commits in the right order.

What will happen when the hosts in the topology have both IPv4 and IPv6
stacks when you disable ports for only one? Is the IPA server serving on
both network stacks?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/200#issuecomment-262982688

From freeipa-github-notification at redhat.com Fri Nov 25 15:54:04 2016
From: freeipa-github-notification at redhat.com (pspacek) Date: Fri, 25 Nov 2016 16:54:04 +0100 Subject: [Freeipa-devel] [freeipa PR#213][edited] Build system refactoring phase 3 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/213 Author: pspacek Title: #213: Build system refactoring phase 3 Action: edited Changed field: body Original value: """ This monster patch-set refactors most of build system and moves most of the logic from SPEC file to build system. It is not yet complete, missing parts are: - [ ] Python 3 support (fix in #272) - [ ] Client-only build is not supported - [x] IPA_VERSION_IS_GIT_SNAPSHOT does not work (fix in #226) These will be sorted out later on but the review of the patch set can begin. """ From freeipa-github-notification at redhat.com Fri Nov 25 16:28:29 2016 From: freeipa-github-notification at redhat.com (pvoborni) Date: Fri, 25 Nov 2016 17:28:29 +0100 Subject: [Freeipa-devel] [freeipa PR#266][comment] ipapython: simplify Env object initialization In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/266 Title: #266: ipapython: simplify Env object initialization pvoborni commented: """ I don't understand the "Nevermind this PR then.". fixing ticket 6482 is good but fixing ticket 6408 is required even more for @tiran work, right? """ See the full comment at https://github.com/freeipa/freeipa/pull/266#issuecomment-262991677 From freeipa-github-notification at redhat.com Sat Nov 26 10:00:19 2016
From: freeipa-github-notification at redhat.com (ofayans) Date: Sat, 26 Nov 2016 11:00:19 +0100 Subject: [Freeipa-devel] [freeipa PR#200][synchronized] Test: basic kerberos over http functionality In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/200 Author: ofayans Title: #200: Test: basic kerberos over http functionality Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/200/head:pr200 git checkout pr200 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-200.patch Type: text/x-diff Size: 3848 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Sat Nov 26 11:49:02 2016 From: freeipa-github-notification at redhat.com (ofayans) Date: Sat, 26 Nov 2016 12:49:02 +0100 Subject: [Freeipa-devel] [freeipa PR#200][synchronized] Test: basic kerberos over http functionality In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/200 Author: ofayans Title: #200: Test: basic kerberos over http functionality Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/200/head:pr200 git checkout pr200 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-200.patch Type: text/x-diff Size: 3566 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Sat Nov 26 12:03:49 2016 
From: freeipa-github-notification at redhat.com (ofayans) Date: Sat, 26 Nov 2016 13:03:49 +0100 Subject: [Freeipa-devel] [freeipa PR#200][synchronized] Test: basic kerberos over http functionality In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/200 Author: ofayans Title: #200: Test: basic kerberos over http functionality Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/200/head:pr200 git checkout pr200 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-200.patch Type: text/x-diff Size: 3841 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Sat Nov 26 12:08:01 2016 From: freeipa-github-notification at redhat.com (ofayans) Date: Sat, 26 Nov 2016 13:08:01 +0100 Subject: [Freeipa-devel] [freeipa PR#200][comment] Test: basic kerberos over http functionality In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/200 Title: #200: Test: basic kerberos over http functionality ofayans commented: """ Commits were swapped. The traffic blocking is now performed on a client for both ipv4 and ipv6 """ See the full comment at https://github.com/freeipa/freeipa/pull/200#issuecomment-263059947 From freeipa-github-notification at redhat.com Mon Nov 28 08:13:11 2016 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Mon, 28 Nov 2016 09:13:11 +0100 Subject: [Freeipa-devel] [freeipa PR#267][synchronized] ipa-replica-conncheck: do not close listening ports until required In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/267 Author: tomaskrizek Title: #267: ipa-replica-conncheck: do not close listening ports until required Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/267/head:pr267 git checkout pr267 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-267.patch Type: text/x-diff Size: 12709 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Nov 28 08:38:46 2016 From: freeipa-github-notification at redhat.com (tiran) Date: Mon, 28 Nov 2016 09:38:46 +0100 Subject: [Freeipa-devel] [freeipa PR#255][synchronized] Adjustments for setup requirements In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/255 Author: tiran Title: #255: Adjustments for setup requirements Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/255/head:pr255 git checkout pr255 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-255.patch Type: text/x-diff Size: 6382 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Nov 28 08:49:50 2016 
From: freeipa-github-notification at redhat.com (stlaz) Date: Mon, 28 Nov 2016 09:49:50 +0100 Subject: [Freeipa-devel] [freeipa PR#101][synchronized] Improved vault-show error message In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/101 Author: stlaz Title: #101: Improved vault-show error message Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/101/head:pr101 git checkout pr101 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-101.patch Type: text/x-diff Size: 7095 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Nov 28 09:24:40 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Mon, 28 Nov 2016 10:24:40 +0100 Subject: [Freeipa-devel] [freeipa PR#275][opened] Enhance __repr__ method of Principal Message-ID: URL: https://github.com/freeipa/freeipa/pull/275 Author: martbab Title: #275: Enhance __repr__ method of Principal Action: opened PR body: """ `__repr__` now returns more descriptive string containing the actual principal name while keeping the ability to reconstruct the object from it. This makes principal names visible in debug logs, easing troubleshooting a bit. https://fedorahosted.org/freeipa/ticket/6505 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/275/head:pr275 git checkout pr275 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-275.patch Type: text/x-diff Size: 974 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Nov 28 10:45:56 2016 
From: freeipa-github-notification at redhat.com (tiran) Date: Mon, 28 Nov 2016 11:45:56 +0100 Subject: [Freeipa-devel] [freeipa PR#271][comment] Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/271 Title: #271: Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient tiran commented: """ This PR is just too big and has too many CI errors to even begin a sensible review. I would need at least half a day without any interruption to perform even a basic review. Given my other responsibilities and daily meetings, I won't have time until Thursday. """ See the full comment at https://github.com/freeipa/freeipa/pull/271#issuecomment-263239797 From freeipa-github-notification at redhat.com Mon Nov 28 10:54:46 2016 From: freeipa-github-notification at redhat.com (flo-renaud) Date: Mon, 28 Nov 2016 11:54:46 +0100 Subject: [Freeipa-devel] [freeipa PR#270][comment] Test: uniqueness of certificate renewal master In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/270 Title: #270: Test: uniqueness of certificate renewal master flo-renaud commented: """ Hi, you may also want to perform the same test after changing the renewal master with _ipa config-mod --ca-renewal-master-server newrenewalmaster.example.com_. """ See the full comment at https://github.com/freeipa/freeipa/pull/270#issuecomment-263241720 From freeipa-github-notification at redhat.com Mon Nov 28 11:04:26 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 28 Nov 2016 12:04:26 +0100 Subject: [Freeipa-devel] [freeipa PR#255][comment] Adjustments for setup requirements In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/255 Title: #255: Adjustments for setup requirements mbasti-rh commented: """ Better now, but commit message missing explanation why bumping requires was needed. """ See the full comment at https://github.com/freeipa/freeipa/pull/255#issuecomment-263243606 From freeipa-github-notification at redhat.com Mon Nov 28 11:59:06 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 28 Nov 2016 12:59:06 +0100 Subject: [Freeipa-devel] [freeipa PR#101][comment] Improved vault-show error message In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/101 Title: #101: Improved vault-show error message mbasti-rh commented: """ I had discussion with @jcholast and he disagrees. This weird handling of DN should stay isolated in vault code and shouldn't be spread across the framework. I'm starting to think that we should close ticket as won't/can't fix instead of doing that bad code even worse. """ See the full comment at https://github.com/freeipa/freeipa/pull/101#issuecomment-263253629 From freeipa-github-notification at redhat.com Mon Nov 28 12:08:27 2016
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Mon, 28 Nov 2016 13:08:27 +0100 Subject: [Freeipa-devel] [freeipa PR#276][opened] replica-conncheck: improve error msg + logging Message-ID: URL: https://github.com/freeipa/freeipa/pull/276 Author: tomaskrizek Title: #276: replica-conncheck: improve error msg + logging Action: opened PR body: """ Replica conncheck may fail for other reasons than network misconfiguration. For example, an incorrect admin password might be provided. Since conncheck is run as a separate script in quiet mode, no insightful error message can be displayed. User is instead pointed to the logs, which were also improved to contain the usual on screen messages. https://fedorahosted.org/freeipa/ticket/6497 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/276/head:pr276 git checkout pr276 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-276.patch Type: text/x-diff Size: 12643 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Nov 28 12:18:30 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 28 Nov 2016 13:18:30 +0100 Subject: [Freeipa-devel] [freeipa PR#273][+ack] Build: workaround bug while calling parallel make from rpmbuild In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/273 Title: #273: Build: workaround bug while calling parallel make from rpmbuild Label: +ack From freeipa-github-notification at redhat.com Mon Nov 28 12:45:34 2016
From: freeipa-github-notification at redhat.com (jcholast) Date: Mon, 28 Nov 2016 13:45:34 +0100 Subject: [Freeipa-devel] [freeipa PR#271][synchronized] Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/271 Author: jcholast Title: #271: Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/271/head:pr271 git checkout pr271 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-271.patch Type: text/x-diff Size: 719908 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Nov 28 12:53:39 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 28 Nov 2016 13:53:39 +0100 Subject: [Freeipa-devel] [freeipa PR#274][+ack] Improve the robustness FreeIPA's i18n module and its tests In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/274 Title: #274: Improve the robustness FreeIPA's i18n module and its tests Label: +ack From freeipa-github-notification at redhat.com Mon Nov 28 12:58:54 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 28 Nov 2016 13:58:54 +0100 Subject: [Freeipa-devel] [freeipa PR#274][+pushed] Improve the robustness FreeIPA's i18n module and its tests In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/274 Title: #274: Improve the robustness FreeIPA's i18n module and its tests Label: +pushed From freeipa-github-notification at redhat.com Mon Nov 28 12:58:56 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 28 Nov 2016 13:58:56 +0100 Subject: [Freeipa-devel] [freeipa PR#274][comment] Improve the robustness FreeIPA's i18n module and its tests In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/274 Title: #274: Improve the robustness FreeIPA's i18n module and its tests mbasti-rh commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/211c944a353dbc241ae6e280c9474145ab48dbe4 """ See the full comment at https://github.com/freeipa/freeipa/pull/274#issuecomment-263265053 From freeipa-github-notification at redhat.com Mon Nov 28 12:58:57 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 28 Nov 2016 13:58:57 +0100 Subject: [Freeipa-devel] [freeipa PR#274][closed] Improve the robustness FreeIPA's i18n module and its tests In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/274 Author: martbab Title: #274: Improve the robustness FreeIPA's i18n module and its tests Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/274/head:pr274 git checkout pr274 From freeipa-github-notification at redhat.com Mon Nov 28 12:59:01 2016 From: freeipa-github-notification at redhat.com (stlaz) Date: Mon, 28 Nov 2016 13:59:01 +0100 Subject: [Freeipa-devel] [freeipa PR#101][comment] Improved vault-show error message In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/101 Title: #101: Improved vault-show error message stlaz commented: """ WONTFIX then. There's no winning here. """ See the full comment at https://github.com/freeipa/freeipa/pull/101#issuecomment-263265074 From freeipa-github-notification at redhat.com Mon Nov 28 13:02:39 2016 
From: freeipa-github-notification at redhat.com (ofayans) Date: Mon, 28 Nov 2016 14:02:39 +0100 Subject: [Freeipa-devel] [freeipa PR#270][synchronized] Test: uniqueness of certificate renewal master In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/270 Author: ofayans Title: #270: Test: uniqueness of certificate renewal master Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/270/head:pr270 git checkout pr270 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-270.patch Type: text/x-diff Size: 2045 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Nov 28 13:20:31 2016 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Mon, 28 Nov 2016 14:20:31 +0100 Subject: [Freeipa-devel] [freeipa PR#276][synchronized] replica-conncheck: improve error msg + logging In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/276 Author: tomaskrizek Title: #276: replica-conncheck: improve error msg + logging Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/276/head:pr276 git checkout pr276 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-276.patch Type: text/x-diff Size: 12643 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Nov 28 13:23:19 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 28 Nov 2016 14:23:19 +0100 Subject: [Freeipa-devel] [freeipa PR#272][comment] Build: makerpms.sh generates Python 2 & 3 packages at the same time In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/272 Title: #272: Build: makerpms.sh generates Python 2 & 3 packages at the same time mbasti-rh commented: """ Shouldn't there be python3 in BuildRequires as well? At least with python3-pylint we need python3 dependencies to be able to do pylint3 validation """ See the full comment at https://github.com/freeipa/freeipa/pull/272#issuecomment-263269939 From freeipa-github-notification at redhat.com Mon Nov 28 13:55:31 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 28 Nov 2016 14:55:31 +0100 Subject: [Freeipa-devel] [freeipa PR#277][opened] DNS: URI records: bump python-dns requirements Message-ID: URL: https://github.com/freeipa/freeipa/pull/277 Author: mbasti-rh Title: #277: DNS: URI records: bump python-dns requirements Action: opened PR body: """ Support for DNS URI records has been added in python-dns 1.13 https://fedorahosted.org/freeipa/ticket/6344 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/277/head:pr277 git checkout pr277 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-277.patch Type: text/x-diff Size: 1735 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Nov 28 14:00:36 2016
From: freeipa-github-notification at redhat.com (tiran) Date: Mon, 28 Nov 2016 15:00:36 +0100 Subject: [Freeipa-devel] [freeipa PR#277][comment] DNS: URI records: bump python-dns requirements In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/277 Title: #277: DNS: URI records: bump python-dns requirements tiran commented: """ You forgot to bump ```ipasetup.py.in```. """ See the full comment at https://github.com/freeipa/freeipa/pull/277#issuecomment-263277910 From freeipa-github-notification at redhat.com Mon Nov 28 14:08:37 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 28 Nov 2016 15:08:37 +0100 Subject: [Freeipa-devel] [freeipa PR#277][synchronized] DNS: URI records: bump python-dns requirements In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/277 Author: mbasti-rh Title: #277: DNS: URI records: bump python-dns requirements Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/277/head:pr277 git checkout pr277 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-277.patch Type: text/x-diff Size: 2194 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Nov 28 14:39:01 2016 
From: freeipa-github-notification at redhat.com (martbab) Date: Mon, 28 Nov 2016 15:39:01 +0100 Subject: [Freeipa-devel] [freeipa PR#278][opened] Restore the original functionality of `env` and `plugins` commands Message-ID: URL: https://github.com/freeipa/freeipa/pull/278 Author: martbab Title: #278: Restore the original functionality of `env` and `plugins` commands Action: opened PR body: """ This reverts commit 1166fbc4946596fcc2ed51a1ec6990fc7dae8964 "Add 'ipa localenv' subcommand" and instead fixes the command to be executed locally unless `--server` option is given. This also should make the command usable locally without Kerberos TGT. Note that `plugins` command fails due to https://fedorahosted.org/freeipa/ticket/6513 but now at least it fails either locally or on server-side :). https://fedorahosted.org/freeipa/ticket/6482 https://fedorahosted.org/freeipa/ticket/6490 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/278/head:pr278 git checkout pr278 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-278.patch Type: text/x-diff Size: 15239 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Nov 28 14:42:13 2016
From: freeipa-github-notification at redhat.com (martbab) Date: Mon, 28 Nov 2016 15:42:13 +0100 Subject: [Freeipa-devel] [freeipa PR#278][synchronized] Restore the original functionality of `env` and `plugins` commands In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/278 Author: martbab Title: #278: Restore the original functionality of `env` and `plugins` commands Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/278/head:pr278 git checkout pr278 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-278.patch Type: text/x-diff Size: 15391 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Nov 28 15:02:31 2016 From: freeipa-github-notification at redhat.com (dkupka) Date: Mon, 28 Nov 2016 16:02:31 +0100 Subject: [Freeipa-devel] [freeipa PR#279][opened] installer: Stop adding distro-specific NTP servers into ntp.conf Message-ID: URL: https://github.com/freeipa/freeipa/pull/279 Author: dkupka Title: #279: installer: Stop adding distro-specific NTP servers into ntp.conf Action: opened PR body: """ Distribution packaged ntpd has servers preconfigured in ntp.conf so there's no point in trying to add them again during FreeIPA server installation. https://fedorahosted.org/freeipa/ticket/6486 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/279/head:pr279 git checkout pr279 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-279.patch Type: text/x-diff Size: 1557 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Nov 28 15:23:55 2016 
From: freeipa-github-notification at redhat.com (martbab) Date: Mon, 28 Nov 2016 16:23:55 +0100 Subject: [Freeipa-devel] [freeipa PR#278][synchronized] Restore the original functionality of `env` and `plugins` commands In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/278 Author: martbab Title: #278: Restore the original functionality of `env` and `plugins` commands Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/278/head:pr278 git checkout pr278 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-278.patch Type: text/x-diff Size: 15239 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Nov 28 15:25:59 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Mon, 28 Nov 2016 16:25:59 +0100 Subject: [Freeipa-devel] [freeipa PR#278][edited] Restore the original functionality of `env` and `plugins` commands In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/278 Author: martbab Title: #278: Restore the original functionality of `env` and `plugins` commands Action: edited Changed field: body Original value: """ This reverts commit 1166fbc4946596fcc2ed51a1ec6990fc7dae8964 "Add 'ipa localenv' subcommand" and instead fixes the command to be executed locally unless `--server` option is given. This also should make the command usable locally without Kerberos TGT. Note that `plugins` command fails due to https://fedorahosted.org/freeipa/ticket/6513 but now at least it fails either locally or on server-side :). https://fedorahosted.org/freeipa/ticket/6482 https://fedorahosted.org/freeipa/ticket/6490 """ From freeipa-github-notification at redhat.com Mon Nov 28 15:30:12 2016
From: freeipa-github-notification at redhat.com (tiran) Date: Mon, 28 Nov 2016 16:30:12 +0100 Subject: [Freeipa-devel] [freeipa PR#280][opened] Set explicit confdir option for global contexts Message-ID: URL: https://github.com/freeipa/freeipa/pull/280 Author: tiran Title: #280: Set explicit confdir option for global contexts Action: opened PR body: """ Some API contexts are used to modify global state (e.g. files in /etc and /var). These contexts do not support confdir overrides. Initialize the API with an explicit confdir argument to paths.ETC_IPA. The special contexts are: * backup * cli_installer * installer * ipctl * renew * restore * server * updates The patch also corrects the context of the ipa-httpd-kdcproxy script to 'server'. https://fedorahosted.org/freeipa/ticket/6389 Signed-off-by: Christian Heimes """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/280/head:pr280 git checkout pr280 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-280.patch Type: text/x-diff Size: 17804 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Nov 28 15:30:31 2016 From: freeipa-github-notification at redhat.com (tiran) Date: Mon, 28 Nov 2016 16:30:31 +0100 Subject: [Freeipa-devel] [freeipa PR#280][comment] Set explicit confdir option for global contexts In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/280 Title: #280: Set explicit confdir option for global contexts tiran commented: """ For #182 """ See the full comment at https://github.com/freeipa/freeipa/pull/280#issuecomment-263301120 From freeipa-github-notification at redhat.com Mon Nov 28 15:36:06 2016 
From: freeipa-github-notification at redhat.com (tiran) Date: Mon, 28 Nov 2016 16:36:06 +0100 Subject: [Freeipa-devel] [freeipa PR#263][comment] Backwards compatibility with setuptools 0.9.8 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/263 Title: #263: Backwards compatibility with setuptools 0.9.8 tiran commented: """ PR #255 fixes the problem with download of wheel package. """ See the full comment at https://github.com/freeipa/freeipa/pull/263#issuecomment-263302787 From freeipa-github-notification at redhat.com Mon Nov 28 15:42:13 2016 From: freeipa-github-notification at redhat.com (tiran) Date: Mon, 28 Nov 2016 16:42:13 +0100 Subject: [Freeipa-devel] [freeipa PR#255][synchronized] Adjustments for setup requirements In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/255 Author: tiran Title: #255: Adjustments for setup requirements Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/255/head:pr255 git checkout pr255 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-255.patch Type: text/x-diff Size: 6485 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Nov 28 15:58:12 2016 
From: freeipa-github-notification at redhat.com (pspacek) Date: Mon, 28 Nov 2016 16:58:12 +0100 Subject: [Freeipa-devel] [freeipa PR#281][opened] Accept server host names resolvable only using /etc/hosts Message-ID: URL: https://github.com/freeipa/freeipa/pull/281 Author: pspacek Title: #281: Accept server host names resolvable only using /etc/hosts Action: opened PR body: """ Apparently "files" implementation of hosts NSS database cannot deal with trailing period in host names. Previously name server.example.com which was resolvable neither using dns nor myhostname NSS modules were rejected by installer (despite having matching line in /etc/hosts). These names which are resolvable purely using "files" database are now accepted. The problem is that I had to remove trailing period from names passed to getaddrinfo() function. This effectively enables search list processing. This means that items from the search list might be silently appended to the query and we might get an IP address for totally different names than we asked for. Unfortunately I see no way around this while keeping ability to use names from NSS hosts database. https://fedorahosted.org/freeipa/ticket/6518 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/281/head:pr281 git checkout pr281 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-281.patch Type: text/x-diff Size: 2175 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Nov 28 16:02:46 2016
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Mon, 28 Nov 2016 17:02:46 +0100 Subject: [Freeipa-devel] [freeipa PR#228][comment] cert-request: allow directoryName in SAN extension In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/228 Title: #228: cert-request: allow directoryName in SAN extension tomaskrizek commented: """ As I have understood from the mailing list discussion, we have two options: 1. We use this patch as is. That means Subject Alternative Name (SAN) DN always has to be the same as the Subject DN. Is there any use case for this? To me this seems like a duplicate info. Isn't the purpose of SAN to provide an *alternative* name? 2. We extend the validation to allow any existing principal. Are there any use cases for this? Perhaps I'm missing something, but the first option doesn't seem very useful and I don't know if the second one is a valid and needed use case. """ See the full comment at https://github.com/freeipa/freeipa/pull/228#issuecomment-263310866 From freeipa-github-notification at redhat.com Mon Nov 28 16:09:04 2016 From: freeipa-github-notification at redhat.com (tiran) Date: Mon, 28 Nov 2016 17:09:04 +0100 Subject: [Freeipa-devel] [freeipa PR#182][synchronized] Use env var IPA_CONFDIR to get confdir for 'cli' context In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/182 Author: tiran Title: #182: Use env var IPA_CONFDIR to get confdir for 'cli' context Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/182/head:pr182 git checkout pr182 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-182.patch Type: text/x-diff Size: 23552 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Nov 28 16:09:38 2016 
From: freeipa-github-notification at redhat.com (tiran) Date: Mon, 28 Nov 2016 17:09:38 +0100 Subject: [Freeipa-devel] [freeipa PR#182][comment] Use env var IPA_CONFDIR to get confdir for 'cli' context In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/182 Title: #182: Use env var IPA_CONFDIR to get confdir for 'cli' context tiran commented: """ Latest PR depends on PR #280 . """ See the full comment at https://github.com/freeipa/freeipa/pull/182#issuecomment-263313005 From freeipa-github-notification at redhat.com Mon Nov 28 16:18:34 2016 From: freeipa-github-notification at redhat.com (pvomacka) Date: Mon, 28 Nov 2016 17:18:34 +0100 Subject: [Freeipa-devel] [freeipa PR#263][comment] Backwards compatibility with setuptools 0.9.8 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/263 Title: #263: Backwards compatibility with setuptools 0.9.8 pvomacka commented: """ I'm able to build FreeIPA on Fedora and it also fixes bugs in building on RHEL, so it works for me. But I don't see any ticket in the commit. Do we have any ticket for this? """ See the full comment at https://github.com/freeipa/freeipa/pull/263#issuecomment-263315538 From freeipa-github-notification at redhat.com Mon Nov 28 16:48:16 2016 
From: freeipa-github-notification at redhat.com (splashx)
Date: Mon, 28 Nov 2016 17:48:16 +0100
Subject: [Freeipa-devel] [freeipa PR#62][comment] Configure Anonymous PKINIT on server install
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/62
Title: #62: Configure Anonymous PKINIT on server install

splashx commented:
"""
@simo5 done, however not successfully. It's [not really my first time](http://www.securiteam.com/securitynews/6C02X0AHGA.html) on the pkinit rodeo, so I'm wondering if FreeIPA's got something on top. I've got one freeipa instance for testing purposes, so not fussing with several servers.

For debug purposes, I have done:

/etc/kdc.conf
```
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88
+ restrict_anonymous_to_tgt = true

[realms]
 REALM.EU = {
  master_key_type = aes256-cts
  max_life = 7d
  max_renewable_life = 14d
  acl_file = /etc/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  default_principal_flags = +preauth
  ; admin_keytab = /etc/krb5kdc/kadm5.keytab
+ pkinit_identity = FILE:/var/lib/krb5kdc/kdc.pem,/var/lib/krb5kdc/kdckey.pem
+ pkinit_eku_checking = none
 }
```

The anonymous user (created manually first with `-randkey`, modified with `-requires_preauth` and then later with `purgekeys -all WELLKNOWN/ANONYMOUS@REALM.EU`) looks like this:

```
root@ipa01:/var/lib/krb5kdc# kadmin.local -x ipa-setup-override-restrictions
Authenticating as principal admin/admin@REALM.EU with password.
kadmin.local: getprinc WELLKNOWN/ANONYMOUS@REALM.EU
Principal: WELLKNOWN/ANONYMOUS@REALM.EU
Expiration date: [never]
Last password change: Mon Nov 28 12:46:41 UTC 2016
Password expiration date: [none]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Mon Nov 28 16:04:32 UTC 2016 (admin/admin@REALM.EU)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 0
MKey: vno 1
Attributes:
Policy: [none]
```

I made sure the certificate's common name matches the fqdn, still getting:

```
root@ubuntu:~# KRB5_TRACE=/dev/stdout kinit -n
[10593] 1480350802.381306: Getting initial credentials for WELLKNOWN/ANONYMOUS@REALM.EU
[10593] 1480350802.384075: Sending request (178 bytes) to REALM.EU
[10593] 1480350802.433623: Retrying AS request with master KDC
[10593] 1480350802.434688: Getting initial credentials for WELLKNOWN/ANONYMOUS@REALM.EU
[10593] 1480350802.435476: Sending request (178 bytes) to REALM.EU (master)
[10593] 1480350802.436191: Resolving hostname kdc.domain.eu
[10593] 1480350802.462072: Sending initial UDP request to dgram 10.235.2.25:88
[10593] 1480350803.465087: Resolving hostname kdc.domain.eu
[10593] 1480350803.489656: Sending initial UDP request to dgram 10.235.2.25:750
[10593] 1480350804.491058: Initiating TCP connection to stream 10.235.2.25:88
[10593] 1480350804.515736: Sending TCP request to stream 10.235.2.25:88
[10593] 1480350804.547579: Received answer (269 bytes) from stream 10.235.2.25:88
[10593] 1480350804.547663: Received error from KDC: -1765328359/Additional pre-authentication required
[10593] 1480350804.547708: Processing preauth types: 16, 15, 14, 136, 147, 133
[10593] 1480350804.547713: Received cookie: MIT
[10593] 1480350804.547744: Preauth module pkinit (147) (info) returned: 0/Success
[10593] 1480350804.547758: PKINIT client has no configured identity; giving up
[10593] 1480350804.547765: Preauth module pkinit (16) (real) returned: 22/Invalid argument
[10593] 1480350804.547776: PKINIT client has no configured identity; giving up
[10593] 1480350804.547782: Preauth module pkinit (14) (real) returned: 22/Invalid argument
[10593] 1480350804.547793: PKINIT client has no configured identity; giving up
[10593] 1480350804.547798: Preauth module pkinit (14) (real) returned: 22/Invalid argument
kinit: Invalid argument while getting initial credentials
root@ubuntu:~#
```

Any thoughts would be helpful. Thanks in advance
"""

See the full comment at https://github.com/freeipa/freeipa/pull/62#issuecomment-263324302

From freeipa-github-notification at redhat.com Mon Nov 28 16:55:39 2016
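The `KRB5_TRACE` output in the PR #62 comment above can be read mechanically. The following Python is an added example, not part of the original post and not FreeIPA or MIT krb5 code: it parses the trace, rejoins entries that were wrapped or flattened in transit, and pairs each failed preauth module with the message logged just before it. The function names are assumptions, and the sample lines are taken from the trace quoted above.

```python
import re
from typing import NamedTuple

# Pre-authentication type numbers seen in the trace (IANA Kerberos registry names).
PA_NAMES = {14: "PA-PK-AS-REQ_OLD", 15: "PA-PK-AS-REP_OLD", 16: "PA-PK-AS-REQ",
            133: "PA-FX-COOKIE", 136: "PA-FX-FAST", 147: "PA-PKINIT-KX"}

ENTRY_START = re.compile(r"\[(\d+)\] (\d+\.\d+): ")
# kinit's own stderr ends up after the last entry when the trace goes to /dev/stdout.
KINIT_STDERR = re.compile(r"\s+kinit: .*$")
KDC_ERROR = re.compile(r"Received error from KDC: (-?\d+)/(.+)$")
PA_OFFERED = re.compile(r"Processing preauth types: ([\d, ]+)$")
PA_RESULT = re.compile(
    r"Preauth module (\S+) \((\d+)\) \((\w+)\) returned: (-?\d+)/(.+)$")

# Sample input: lines from the trace above; one entry is deliberately wrapped.
SAMPLE_TRACE = """\
[10593] 1480350802.381306: Getting initial credentials for WELLKNOWN/ANONYMOUS@REALM.EU
[10593] 1480350804.547579: Received answer (269 bytes) from stream 10.235.2.25:88
[10593] 1480350804.547663: Received error from KDC: -1765328359/Additional pre-authentication required
[10593] 1480350804.547708: Processing preauth types: 16, 15, 14, 136, 147, 133
[10593] 1480350804.547713: Received cookie: MIT
[10593] 1480350804.547744: Preauth module pkinit (147) (info) returned: 0/Success
[10593] 1480350804.547758: PKINIT client has no configured identity; giving up
[10593] 1480350804.547765: Preauth module pkinit (16) (real)
returned: 22/Invalid argument
[10593] 1480350804.547776: PKINIT client has no configured identity; giving up
[10593] 1480350804.547782: Preauth module pkinit (14) (real) returned: 22/Invalid argument
[10593] 1480350804.547793: PKINIT client has no configured identity; giving up
[10593] 1480350804.547798: Preauth module pkinit (14) (real) returned: 22/Invalid argument
kinit: Invalid argument while getting initial credentials
root@ubuntu:~#
"""


class Entry(NamedTuple):
    pid: int
    ts: float
    msg: str


def parse_trace(text):
    """Split trace text into entries, whatever line wrapping it arrived with."""
    flat = " ".join(text.split())          # undo wrapping and flattening
    marks = list(ENTRY_START.finditer(flat))
    entries = []
    for i, mark in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(flat)
        msg = KINIT_STDERR.sub("", flat[mark.end():end].strip())
        entries.append(Entry(int(mark.group(1)), float(mark.group(2)), msg))
    return entries


def summarize(entries):
    """Collect KDC errors, offered preauth types and failed preauth modules."""
    summary = {"kdc_errors": [], "offered": [], "failures": []}
    context = None  # last free-text message; usually explains the next failure
    for entry in entries:
        if (m := KDC_ERROR.match(entry.msg)):
            summary["kdc_errors"].append((int(m.group(1)), m.group(2)))
        elif (m := PA_OFFERED.match(entry.msg)):
            summary["offered"] = [int(t) for t in m.group(1).split(",")]
        elif (m := PA_RESULT.match(entry.msg)):
            module, patype, kind, rc, text = m.groups()
            if int(rc) != 0:
                summary["failures"].append({
                    "module": module, "patype": int(patype), "kind": kind,
                    "pa_name": PA_NAMES.get(int(patype), "unknown"),
                    "rc": int(rc), "error": text, "reason": context})
            context = None
        else:
            context = entry.msg
    return summary


def report(summary):
    """Render the summary as human-readable lines."""
    lines = [f"KDC error {code}: {text}" for code, text in summary["kdc_errors"]]
    offered = ", ".join(f"{t} ({PA_NAMES.get(t, 'unknown')})"
                        for t in summary["offered"])
    lines.append(f"KDC offered preauth types: {offered}")
    for f in summary["failures"]:
        lines.append(f"{f['module']} type {f['patype']} ({f['pa_name']}) failed "
                     f"with {f['rc']}/{f['error']}; logged just before: {f['reason']}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(summarize(parse_trace(SAMPLE_TRACE)))))
```
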
From: freeipa-github-notification at redhat.com (pspacek)
Date: Mon, 28 Nov 2016 17:56:54 +0100
Subject: [Freeipa-devel] [freeipa PR#279][comment] installer: Stop adding distro-specific NTP servers into ntp.conf
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/279
Title: #279: installer: Stop adding distro-specific NTP servers into ntp.conf

pspacek commented:
"""
NACK

```
Pylint is running, please wait ...
************* Module ipaserver.install.ntpinstance
ipaserver/install/ntpinstance.py:23: [W0611(unused-import), ] Unused ipautil imported from ipapython)
make: *** [pylint] Error 4
Makefile:1111: recipe for target 'pylint' failed
```
"""

See the full comment at https://github.com/freeipa/freeipa/pull/279#issuecomment-263326846

From freeipa-github-notification at redhat.com Mon Nov 28 17:01:02 2016
From: freeipa-github-notification at redhat.com (pspacek)
Date: Mon, 28 Nov 2016 18:01:02 +0100
Subject: [Freeipa-devel] [freeipa PR#279][comment] installer: Stop adding distro-specific NTP servers into ntp.conf
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/279
Title: #279: installer: Stop adding distro-specific NTP servers into ntp.conf

pspacek commented:
"""
Have you tested the code? I would bet that it will remove everything except 127.127... from the list of servers.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/279#issuecomment-263328076

From freeipa-github-notification at redhat.com Mon Nov 28 17:11:49 2016
From: freeipa-github-notification at redhat.com (ofayans)
Date: Mon, 28 Nov 2016 18:11:49 +0100
Subject: [Freeipa-devel] [freeipa PR#225][synchronized] tests: Added basic tests for certs in idoverrides
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/225
Author: ofayans
Title: #225: tests: Added basic tests for certs in idoverrides
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/225/head:pr225
git checkout pr225

From freeipa-github-notification at redhat.com Mon Nov 28 17:13:53 2016
From: freeipa-github-notification at redhat.com (ofayans)
Date: Mon, 28 Nov 2016 18:13:53 +0100
Subject: [Freeipa-devel] [freeipa PR#225][comment] tests: Added basic tests for certs in idoverrides
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/225
Title: #225: tests: Added basic tests for certs in idoverrides

ofayans commented:
"""
@apophys done, thank you for review!
"""

See the full comment at https://github.com/freeipa/freeipa/pull/225#issuecomment-263331778

From freeipa-github-notification at redhat.com Mon Nov 28 17:19:14 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Mon, 28 Nov 2016 18:19:14 +0100
Subject: [Freeipa-devel] [freeipa PR#278][synchronized] Restore the original functionality of `env` and `plugins` commands
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/278
Author: martbab
Title: #278: Restore the original functionality of `env` and `plugins` commands
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/278/head:pr278
git checkout pr278

From freeipa-github-notification at redhat.com Mon Nov 28 17:30:27 2016
From: freeipa-github-notification at redhat.com (pvoborni)
Date: Mon, 28 Nov 2016 18:30:27 +0100
Subject: [Freeipa-devel] [freeipa PR#255][comment] Adjustments for setup requirements
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/255
Title: #255: Adjustments for setup requirements

pvoborni commented:
"""
The commit message doesn't explain why python-gssapi version is raised. Is it required by something? It also doesn't explain if the minimal required version of python-cryptography should be 1.3. Review would be much smoother if this information was here since the beginning.

That said, answers to those questions are not important. Fedora 23+, RHEL 7.3, PyPi all have the same or newer versions and it is actually more work to install older versions. (Not sure about Debian) Or it might not even be possible. So there is no point to waste time with discussing why it needs to be bumped. If it was a version which would not be on target platforms then it would be different story.

@mbasti-rh is there any other reason for having full explanation of version bumps which I don't see? If not can we move the review forward to unblock #263 ?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/255#issuecomment-263336537

From freeipa-github-notification at redhat.com Mon Nov 28 17:45:25 2016
From: freeipa-github-notification at redhat.com (ofayans)
Date: Mon, 28 Nov 2016 18:45:25 +0100
Subject: [Freeipa-devel] [freeipa PR#270][synchronized] Test: uniqueness of certificate renewal master
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/270
Author: ofayans
Title: #270: Test: uniqueness of certificate renewal master
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/270/head:pr270
git checkout pr270

From freeipa-github-notification at redhat.com Mon Nov 28 19:49:40 2016
From: freeipa-github-notification at redhat.com (rcritten)
Date: Mon, 28 Nov 2016 20:49:40 +0100
Subject: [Freeipa-devel] [freeipa PR#182][comment] Use env var IPA_CONFDIR to get confdir for 'cli' context
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/182
Title: #182: Use env var IPA_CONFDIR to get confdir for 'cli' context

rcritten commented:
"""
I don't see this as a convenience method. I'd find it less likely to use directly with the ipa tool (though having to specify -e every time I used a command gets old pretty quickly).

From a library perspective it is going to call api.bootstrap(options). Sure one can pass the config file location through that but then EVERY SINGLE app using IPA is going to have to create an option to allow that, creating disparate means of doing so, when IPA can more simply accept an environment variable, like many other libraries do.

If you want to change the location of krb5.conf what do you do? Right, set an environment variable. In fact, IPA leverages this. Treat ipalib the same way, giving lots of rope, and let people utilize that power (or hang themselves).
"""

See the full comment at https://github.com/freeipa/freeipa/pull/182#issuecomment-263374646

From rcritten at redhat.com Mon Nov 28 19:57:55 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 28 Nov 2016 14:57:55 -0500
Subject: [Freeipa-devel] NTP in FreeIPA
In-Reply-To:
References:
Message-ID: <583C8C43.8070202@redhat.com>

David Kupka wrote:
> On 22/11/16 23:15, Gabe Alford wrote:
>> I would say that it is worth keeping in FreeIPA. I know myself and some
>> customers use its functionality by having the clients sync to the IPA
>> servers and have the servers sync to the NTP source. This way if the NTP
>> source ever gets disrupted for long periods of time (which has happened in
>> my environment) the client time drifts with the authentication source. This
>> is the way that AD often works and is configured.
>
> Hello Gabe,
> I agree that it's common practice to synchronize all nodes in network
> with single source in order to have the same time and save bandwidth.
> Also I understand that it's comfortable to let FreeIPA installer take
> care of it.
> But I don't think FreeIPA should do it IMO this is job for Ansible or
> similar tool. Also the problem is that in some situations FreeIPA
> installer makes it worse.
>
> Example:
>
> 1. Install FreeIPA server (ipa1.example.org)
> 2. Install FreeIPA client on all nodes in network
> 3. Install replica (ipa2.example.org) of FreeIPA server to increase
> redundancy
>
> Now all the clients have ipa1.example.org as the only server in
> /etc/ntp.conf. If the first FreeIPA server becomes unreachable all
> clients will be able to contact KDC on the other server thanks to DNS
> autodiscovery in libkrb5 but will be unable to synchronize time.

Remember that the goal of IPA was to herd together a bunch of software to make hard things easier. This included dealing with the 5-minute Kerberos window so ntp was configured on the client and server (which is less of an issue now).

When making changes you have to ask yourself who are you making this easier for: you or the user.

Yes, getting NTP right is hard, but does it meet the 80/20 rule in terms of success? I'd think so. I

If someone wants to configure it using Ansible they can use the --no-ntp. If they want to use different time servers they can pass in --ntp-server. But by default IMHO it should do something sane to give a good experience.

There don't seem to be a ton of NTP tickets and I don't recall a lot of users pressing for it to go away (the reverse, many times their problems revolve around time not being synced). I wonder if a survey on freeipa-users would be in order to see how hot an issue this really is.

rob

From jdennis at redhat.com Mon Nov 28 20:18:53 2016
From: jdennis at redhat.com (John Dennis)
Date: Mon, 28 Nov 2016 15:18:53 -0500
Subject: [Freeipa-devel] NTP in FreeIPA
In-Reply-To: <583C8C43.8070202@redhat.com>
References: <583C8C43.8070202@redhat.com>
Message-ID:

On 11/28/2016 02:57 PM, Rob Crittenden wrote:
> David Kupka wrote:
>> On 22/11/16 23:15, Gabe Alford wrote:
>>> I would say that it is worth keeping in FreeIPA. I know myself and some
>>> customers use its functionality by having the clients sync to the IPA
>>> servers and have the servers sync to the NTP source. This way if the NTP
>>> source ever gets disrupted for long periods of time (which has happened in
>>> my environment) the client time drifts with the authentication source. This
>>> is the way that AD often works and is configured.
>>
>> Hello Gabe,
>> I agree that it's common practice to synchronize all nodes in network
>> with single source in order to have the same time and save bandwidth.
>> Also I understand that it's comfortable to let FreeIPA installer take
>> care of it.
>> But I don't think FreeIPA should do it IMO this is job for Ansible or
>> similar tool. Also the problem is that in some situations FreeIPA
>> installer makes it worse.
>>
>> Example:
>>
>> 1. Install FreeIPA server (ipa1.example.org)
>> 2. Install FreeIPA client on all nodes in network
>> 3. Install replica (ipa2.example.org) of FreeIPA server to increase
>> redundancy
>>
>> Now all the clients have ipa1.example.org as the only server in
>> /etc/ntp.conf. If the first FreeIPA server becomes unreachable all
>> clients will be able to contact KDC on the other server thanks to DNS
>> autodiscovery in libkrb5 but will be unable to synchronize time.
>
> Remember that the goal of IPA was to herd together a bunch of software
> to make hard things easier. This included dealing with the 5-minute
> Kerberos window so ntp was configured on the client and server (which is
> less of an issue now).
>
> When making changes you have to ask yourself who are you making this
> easier for: you or the user.
>
> Yes, getting NTP right is hard, but does it meet the 80/20 rule in terms
> of success? I'd think so. I
>
> If someone wants to configure it using Ansible they can use the
> --no-ntp. If they want to use different time servers they can pass in
> --ntp-server. But by default IMHO it should do something sane to give a
> good experience.
>
> There don't seem to be a ton of NTP tickets and I don't recall a lot of
> users pressing for it to go away (the reverse, many times their
> problems revolve around time not being synced). I wonder if a survey on
> freeipa-users would be in order to see how hot an issue this really is.

+1

Thanks Rob for taking the words out of my mouth.

--
John

From freeipa-github-notification at redhat.com Mon Nov 28 21:32:56 2016
From: freeipa-github-notification at redhat.com (simo5)
Date: Mon, 28 Nov 2016 22:32:56 +0100
Subject: [Freeipa-devel] [freeipa PR#62][comment] Configure Anonymous PKINIT on server install
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/62
Title: #62: Configure Anonymous PKINIT on server install

simo5 commented:
"""
@splashx we are starting to pollute this PR here now. Please provide KDC logs on the user's mailing list and let's proceed there.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/62#issuecomment-263401055

From freeipa-github-notification at redhat.com Tue Nov 29 01:26:14 2016
From: freeipa-github-notification at redhat.com (shanyin)
Date: Tue, 29 Nov 2016 02:26:14 +0100
Subject: [Freeipa-devel] [freeipa PR#174][comment] add log module
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/174
Title: #174: add log module

shanyin commented:
"""
I am sorry that the following comments could not be sent successfully. What do you mean is that I should send the log module as separate PR? If so, I will do it later.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/174#issuecomment-263448879

From freeipa-github-notification at redhat.com Tue Nov 29 05:08:21 2016
From: freeipa-github-notification at redhat.com (frasertweedale)
Date: Tue, 29 Nov 2016 06:08:21 +0100
Subject: [Freeipa-devel] [freeipa PR#228][comment] cert-request: allow directoryName in SAN extension
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/228
Title: #228: cert-request: allow directoryName in SAN extension

frasertweedale commented:
"""
@tomaskrizek

1. The SAN DN is permitted if it matches the IPA principal's full DN in LDAP. The _certificate_ subject DN need not match the LDAP DN. In fact, by the current behaviour of `ipa cert-request` it cannot, because we expect to see the user name in the CN in the CSR subject DN, whereas in LDAP we use `uid=alice,cn=users,...`. So it is not duplicate info - it names the subject's LDAP DN.

2. In this patch, DirectoryName SAN is accepted for all principal types (as long as it matches their LDAP DN). Existing rules for other SAN name types are not changed (e.g., DNSName is still allowed only for host and service principals).
"""

See the full comment at https://github.com/freeipa/freeipa/pull/228#issuecomment-263477676

From jcholast at redhat.com Tue Nov 29 08:11:02 2016
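The rule frasertweedale describes for PR #228 above, as an added example that is not FreeIPA's code: a `directoryName` SAN is accepted for any principal type only when it equals the principal's LDAP DN, while `dNSName` stays limited to host and service principals. The function names, the case-insensitive comparison of parsed RDNs and the sample DNs are assumptions made for the illustration.

```python
import re

# Decodes RFC 4514 escapes: a hex pair (\2C) or a single escaped character (\,).
_ESCAPE = re.compile(r"\\(?:([0-9A-Fa-f]{2})|(.))")

# Per the comment above: DNSName is only allowed for these principal types.
DNS_NAME_PRINCIPALS = {"host", "service"}


def _split_unescaped(text, sep):
    """Split on sep, ignoring separators protected by a backslash."""
    parts, current, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            current.append(text[i:i + 2])   # keep the escape for later decoding
            i += 2
            continue
        if text[i] == sep:
            parts.append("".join(current))
            current = []
        else:
            current.append(text[i])
        i += 1
    parts.append("".join(current))
    return parts


def _decode(value):
    return _ESCAPE.sub(
        lambda m: chr(int(m.group(1), 16)) if m.group(1) else m.group(2), value)


def parse_dn(dn):
    """Parse a DN string into a tuple of RDNs, each a frozenset of (type, value).

    Assumption: attribute types and values compare case-insensitively with
    whitespace collapsed; real LDAP matching depends on each attribute's syntax.
    """
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        avas = set()
        for ava in _split_unescaped(rdn, "+"):   # multi-valued RDN
            attr, eq, value = ava.partition("=")
            if not eq or not attr.strip():
                raise ValueError(f"malformed DN component {ava!r}")
            avas.add((attr.strip().lower(),
                      " ".join(_decode(value).split()).casefold()))
        rdns.append(frozenset(avas))
    return tuple(rdns)


def check_san(principal_type, ldap_dn, san_names):
    """Return (name_type, value, allowed, reason) for each requested SAN name."""
    expected = parse_dn(ldap_dn)
    verdicts = []
    for name_type, value in san_names:
        if name_type == "directoryName":
            try:
                ok = parse_dn(value) == expected
                why = ("equals the principal's LDAP DN" if ok
                       else "differs from the principal's LDAP DN")
            except ValueError as exc:
                ok, why = False, str(exc)
        elif name_type == "dNSName":
            ok = principal_type in DNS_NAME_PRINCIPALS
            why = ("type permitted; hostname matching is not modelled here" if ok
                   else "dNSName is limited to host and service principals")
        else:
            ok, why = False, "name type not modelled in this example"
        verdicts.append((name_type, value, ok, why))
    return verdicts


# Constructed sample DN; the page only shows `uid=alice,cn=users,...`.
ALICE_DN = "uid=alice,cn=users,cn=accounts,dc=example,dc=test"

if __name__ == "__main__":
    requested = [
        ("directoryName", "UID=Alice, CN=users, CN=accounts, DC=example, DC=test"),
        ("directoryName", "cn=alice,cn=users,cn=accounts,dc=example,dc=test"),
        ("directoryName", "uid=alice\\,cn=users,cn=accounts,dc=example,dc=test"),
        ("dNSName", "alice.example.test"),
    ]
    for verdict in check_san("user", ALICE_DN, requested):
        print(verdict)
```

Comparing parsed RDN sequences rather than raw strings keeps differences in case and spacing from causing false rejections, and keeps an escaped comma from being read as an RDN boundary.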
From: jcholast at redhat.com (Jan Cholasta)
Date: Tue, 29 Nov 2016 09:11:02 +0100
Subject: [Freeipa-devel] NTP in FreeIPA
In-Reply-To: <583C8C43.8070202@redhat.com>
References: <583C8C43.8070202@redhat.com>
Message-ID:

On 28.11.2016 20:57, Rob Crittenden wrote:
> David Kupka wrote:
>> On 22/11/16 23:15, Gabe Alford wrote:
>>> I would say that it is worth keeping in FreeIPA. I know myself and some
>>> customers use its functionality by having the clients sync to the IPA
>>> servers and have the servers sync to the NTP source. This way if the NTP
>>> source ever gets disrupted for long periods of time (which has happened in
>>> my environment) the client time drifts with the authentication source. This
>>> is the way that AD often works and is configured.
>>
>> Hello Gabe,
>> I agree that it's common practice to synchronize all nodes in network
>> with single source in order to have the same time and save bandwidth.
>> Also I understand that it's comfortable to let FreeIPA installer take
>> care of it.
>> But I don't think FreeIPA should do it IMO this is job for Ansible or
>> similar tool. Also the problem is that in some situations FreeIPA
>> installer makes it worse.
>>
>> Example:
>>
>> 1. Install FreeIPA server (ipa1.example.org)
>> 2. Install FreeIPA client on all nodes in network
>> 3. Install replica (ipa2.example.org) of FreeIPA server to increase
>> redundancy
>>
>> Now all the clients have ipa1.example.org as the only server in
>> /etc/ntp.conf. If the first FreeIPA server becomes unreachable all
>> clients will be able to contact KDC on the other server thanks to DNS
>> autodiscovery in libkrb5 but will be unable to synchronize time.
>
> Remember that the goal of IPA was to herd together a bunch of software
> to make hard things easier. This included dealing with the 5-minute
> Kerberos window so ntp was configured on the client and server (which is
> less of an issue now).
>
> When making changes you have to ask yourself who are you making this
> easier for: you or the user.
>
> Yes, getting NTP right is hard, but does it meet the 80/20 rule in terms
> of success? I'd think so. I
>
> If someone wants to configure it using Ansible they can use the
> --no-ntp. If they want to use different time servers they can pass in
> --ntp-server. But by default IMHO it should do something sane to give a
> good experience.

I think to do something sane is exactly the point of this, and the sanest thing we can do is to not touch NTP configuration at all:

* if the NTP configuration obtained via DHCP works, we can't make it any better by touching it, only worse,
* if the default NTP configuration shipped with the distribution works, we again can't make it any better by touching it,
* if we are running inside container, time is synchronized by other means and we should not touch NTP configuration at all,
* if neither the default NTP configuration nor the NTP configuration obtained via DHCP works and we are not running inside container, we may attempt to fix the configuration, but it will not be permanent and will work only for this specific host.

I think the first 3 points cover 99% of real-life deployments, and yet we are optimized towards the remaining 1%, with the potential of breaking the configuration for the 99%. This is far from sane IMHO.

>
> There don't seem to be a ton of NTP tickets and I don't recall a lot of
> users pressing for it to go away (the reverse, many times their
> problems revolve around time not being synced). I wonder if a survey on
> freeipa-users would be in order to see how hot an issue this really is.
>
> rob
>

--
Jan Cholasta

From freeipa-github-notification at redhat.com Tue Nov 29 08:06:17 2016
From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Tue, 29 Nov 2016 09:06:17 +0100
Subject: [Freeipa-devel] [freeipa PR#276][synchronized] replica-conncheck: improve error msg + logging
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/276
Author: tomaskrizek
Title: #276: replica-conncheck: improve error msg + logging
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/276/head:pr276
git checkout pr276

From freeipa-github-notification at redhat.com Tue Nov 29 08:09:38 2016
From: freeipa-github-notification at redhat.com (stlaz)
Date: Tue, 29 Nov 2016 09:09:38 +0100
Subject: [Freeipa-devel] [freeipa PR#266][comment] ipapython: simplify Env object initialization
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/266
Title: #266: ipapython: simplify Env object initialization

stlaz commented:
"""
From offline discussion I got that the PR should actually work in the end. I'll make the review.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/266#issuecomment-263503377

From pspacek at redhat.com Tue Nov 29 08:15:22 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Tue, 29 Nov 2016 09:15:22 +0100
Subject: [Freeipa-devel] NTP in FreeIPA
In-Reply-To:
References: <583C8C43.8070202@redhat.com>
Message-ID: <8cb49a87-bdc4-0db5-504a-d10d6dd6152e@redhat.com>

On 29.11.2016 09:11, Jan Cholasta wrote:
> On 28.11.2016 20:57, Rob Crittenden wrote:
>> David Kupka wrote:
>>> On 22/11/16 23:15, Gabe Alford wrote:
>>>> I would say that it is worth keeping in FreeIPA. I know myself and some
>>>> customers use its functionality by having the clients sync to the IPA
>>>> servers and have the servers sync to the NTP source. This way if the NTP
>>>> source ever gets disrupted for long periods of time (which has
>>>> happened in
>>>> my environment) the client time drifts with the authentication source.
>>>> This
>>>> is the way that AD often works and is configured.
>>>
>>> Hello Gabe,
>>> I agree that it's common practice to synchronize all nodes in network
>>> with single source in order to have the same time and save bandwidth.
>>> Also I understand that it's comfortable to let FreeIPA installer take
>>> care of it.
>>> But I don't think FreeIPA should do it IMO this is job for Ansible or
>>> similar tool. Also the problem is that in some situations FreeIPA
>>> installer makes it worse.
>>>
>>> Example:
>>>
>>> 1. Install FreeIPA server (ipa1.example.org)
>>> 2. Install FreeIPA client on all nodes in network
>>> 3. Install replica (ipa2.example.org) of FreeIPA server to increase
>>> redundancy
>>>
>>> Now all the clients have ipa1.example.org as the only server in
>>> /etc/ntp.conf. If the first FreeIPA server becomes unreachable all
>>> clients will be able to contact KDC on the other server thanks to DNS
>>> autodiscovery in libkrb5 but will be unable to synchronize time.
>>
>> Remember that the goal of IPA was to herd together a bunch of software
>> to make hard things easier. This included dealing with the 5-minute
>> Kerberos window so ntp was configured on the client and server (which is
>> less of any issue now).
>>
>> When making changes you have to ask yourself who are you making this
>> easier for: you or the user.
>>
>> Yes, getting NTP right is hard, but does it meet the 80/20 rule in terms
>> of success? I'd think so. I
>>
>> If someone wants to configure it using Ansible they can use the
>> --no-ntp. If they want to use different time servers they can pass in
>> --ntp-server. But by default IMHO it should do something sane to give a
>> good experience.
>
> I think to do something sane is exactly the point of this, and the sanest
> thing we can do is to not touch NTP configuration at all:
>
> * if the NTP configuration obtained via DHCP works, we can't make it any
> better by touching it, only worse,
> * if the default NTP configuration shipped with the distribution works, we
> again can't make it any better by touching it,
> * if we are running inside container, time is synchronized by other means
> and we should not touch NTP configuration at all,
> * if neither the default NTP configuration nor the NTP configuration
> obtained via DHCP works and we are not running inside container, we may
> attempt to fix the configuration, but it will not be permanent and will work
> only for this specific host.
>
> I think the first 3 points cover 99% of real-life deployments, and yet we are
> optimized towards the remaining 1%, with the potential of breaking the
> configuration for the 99%. This is far from sane IMHO.

+1 for Honza's point.

Current NTP code works only for initial setup and silently breaks synchronization later on. Most importantly it breaks synchronization as soon as admin removes old replicas and replaces them with new ones - there is no mechanism to update the records in the client configuration (and SRV discovery is not supported by clients).

I.e. when admin decommissions replicas which were around at the time of client installation, the NTP on client will silently break. This would not happen if you did not touch it.

(This also implicitly means that IPA-configured NTP is broken on all clients in topologies which were completely migrated from RHEL 6 to RHEL 7.)

Either DHCP or default distro config would solve the problem better.

Petr^2 Spacek

>> There don't seem to be a ton of NTP tickets and I don't recall a lot of
>> users pressing for it to go away (the reverse, many times their
>> problems revolve around time not being synced). I wonder if a survey on
>> freeipa-users would be in order to see how hot an issue this really is.

From freeipa-github-notification at redhat.com Tue Nov 29 08:19:21 2016
From: freeipa-github-notification at redhat.com (apophys)
Date: Tue, 29 Nov 2016 09:19:21 +0100
Subject: [Freeipa-devel] [freeipa PR#225][comment] tests: Added basic tests for certs in idoverrides
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/225
Title: #225: tests: Added basic tests for certs in idoverrides

apophys commented:
"""
Thank you for the change of the order and using the objectclasses module. There are still things I'd like to be changed, though.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/225#issuecomment-263505112

From freeipa-github-notification at redhat.com Tue Nov 29 08:20:04 2016
From: freeipa-github-notification at redhat.com (jcholast)
Date: Tue, 29 Nov 2016 09:20:04 +0100
Subject: [Freeipa-devel] [freeipa PR#266][comment] ipapython: simplify Env object initialization
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/266
Title: #266: ipapython: simplify Env object initialization

jcholast commented:
"""
Yes, my above comment is wrong (sorry).
"""

See the full comment at https://github.com/freeipa/freeipa/pull/266#issuecomment-263505232

From freeipa-github-notification at redhat.com Tue Nov 29 08:20:23 2016
From: freeipa-github-notification at redhat.com (jcholast)
Date: Tue, 29 Nov 2016 09:20:23 +0100
Subject: [Freeipa-devel] [freeipa PR#266][edited] ipapython: simplify Env object initialization
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/266
Author: jcholast
Title: #266: ipapython: simplify Env object initialization
Action: edited

Changed field: body
Original value:
"""
Fully initialize Env objects in Env() instead of having to call their private methods to complete the initialization later. Do not use custom Env instance to determine the debug level to use for the IPA API object - the IPA API object can properly determine the configured debug level on its own. Remove locking and related code from Env as it is never used.
"""

From freeipa-github-notification at redhat.com Tue Nov 29 08:59:41 2016
From: freeipa-github-notification at redhat.com (jcholast)
Date: Tue, 29 Nov 2016 09:59:41 +0100
Subject: [Freeipa-devel] [freeipa PR#280][comment] Set explicit confdir option for global contexts
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/280
Title: #280: Set explicit confdir option for global contexts

jcholast commented:
"""
You missed a few:
```
daemons/dnssec/ipa-dnskeysync-replica:124:ipalib.api.bootstrap(in_server=True, log=None) # no logging to file
daemons/dnssec/ipa-dnskeysyncd:23:api.bootstrap(in_server=True, log=None) # no logging to file
daemons/dnssec/ipa-ods-exporter:618:ipalib.api.bootstrap(in_server=True, log=None) # no logging to file
doc/guide/wsgi.py.txt:9:env._bootstrap(context='server', log=None)
doc/guide/wsgi.py.txt:13:api.bootstrap(context='server', debug=env.debug, log=None) (ref:wsgi-app-bootstrap)
install/restart_scripts/renew_ra_cert:39: api.bootstrap(in_server=True, context='restart')
install/tools/ipa-adtrust-install:269: api.bootstrap(**cfg)
install/tools/ipa-ca-install:262: api.bootstrap(in_server=True, ra_plugin='dogtag')
install/tools/ipa-compat-manage:105: api.bootstrap(context='cli', in_server=True, debug=options.debug)
install/tools/ipa-csreplica-manage:418: api.bootstrap(**api_env)
install/tools/ipa-dns-install:139: api.bootstrap(**cfg)
install/tools/ipa-managed-entries:75: api.bootstrap(context='cli', debug=options.debug)
install/tools/ipa-nis-manage:118: api.bootstrap(context='cli', debug=options.debug, in_server=True)
install/tools/ipa-replica-manage:1512: api.bootstrap(**api_env)
ipapython/dnssec/ldapkeydb.py:417: ipalib.api.bootstrap(in_server=True, log=None) # no logging to file
ipaserver/advise/base.py:238: api.bootstrap(in_server=False, context='cli')
ipaserver/advise/base.py:240: advise_api.bootstrap(in_server=False, context='cli')
ipaserver/install/ipa_cacert_manage.py:99: api.bootstrap(in_server=True)
ipaserver/install/ipa_kra_install.py:80: api.bootstrap(in_server=True)
ipaserver/install/ipa_otptoken_import.py:512: api.bootstrap(in_server=True)
ipaserver/install/ipa_replica_prepare.py:183: api.bootstrap(in_server=True)
ipaserver/install/ipa_server_certinstall.py:102: api.bootstrap(in_server=True)
ipatests/test_ipaserver/test_ldap.py:114: myapi.bootstrap(context='cli', in_server=True)
ipatests/test_ipaserver/test_serverroles.py:472: test_api.bootstrap(in_server=True, ldap_uri=api.env.ldap_uri)
lite-server.py:130: (options, args) = api.bootstrap_with_global_options(parser, context='lite')
```
"""

See the full comment at https://github.com/freeipa/freeipa/pull/280#issuecomment-263513330

From freeipa-github-notification at redhat.com Tue Nov 29 09:17:24 2016
From: freeipa-github-notification at redhat.com (dkupka)
Date: Tue, 29 Nov 2016 10:17:24 +0100
Subject: [Freeipa-devel] [freeipa PR#279][synchronized] installer: Stop adding distro-specific NTP servers into ntp.conf
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/279
Author: dkupka
Title: #279: installer: Stop adding distro-specific NTP servers into ntp.conf
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/279/head:pr279
git checkout pr279

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-279.patch
Type: text/x-diff
Size: 2188 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Tue Nov 29 09:34:14 2016
From: freeipa-github-notification at redhat.com (jcholast) Date: Tue, 29 Nov 2016 10:34:14 +0100 Subject: [Freeipa-devel] [freeipa PR#228][comment] cert-request: allow directoryName in SAN extension In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/228 Title: #228: cert-request: allow directoryName in SAN extension jcholast commented: """ @frasertweedale, if the subject DN need not match the LDAP DN, then DN SANs need not match it as well - both the subject DN and DN SANs are supposed to identify the subject in the directory, and for us the directory is LDAP. There should be no special casing one way or the other, if something is allowed for the subject DN it must be allowed for DN SANs and vice-versa (with the exception of the special handling of the most specific CN in subject DN of server certificates). The fact that we currently require a non-LDAP subject DN in `cert-request` is a different issue. All I'm asking for is consistency. If we first allowed the subject DN to match the LDAP DN I would be perfectly happy with this PR. """ See the full comment at https://github.com/freeipa/freeipa/pull/228#issuecomment-263521018 From freeipa-github-notification at redhat.com Tue Nov 29 09:47:14 2016 From: freeipa-github-notification at redhat.com (frasertweedale) Date: Tue, 29 Nov 2016 10:47:14 +0100 Subject: [Freeipa-devel] [freeipa PR#228][comment] cert-request: allow directoryName in SAN extension In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/228 Title: #228: cert-request: allow directoryName in SAN extension frasertweedale commented: """ @jcholast OK. Let's put this PR on ice for now... I may well take up your suggestion to allow subject DN to match LDAP DN, but I don't have the cycles for it right now. Thanks for your feedback. """ See the full comment at https://github.com/freeipa/freeipa/pull/228#issuecomment-263524060 From freeipa-github-notification at redhat.com Tue Nov 29 10:20:55 2016 
From: freeipa-github-notification at redhat.com (tiran) Date: Tue, 29 Nov 2016 11:20:55 +0100 Subject: [Freeipa-devel] [freeipa PR#280][synchronized] Set explicit confdir option for global contexts In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/280 Author: tiran Title: #280: Set explicit confdir option for global contexts Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/280/head:pr280 git checkout pr280 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-280.patch Type: text/x-diff Size: 24441 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Nov 29 10:23:03 2016 From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 29 Nov 2016 11:23:03 +0100 Subject: [Freeipa-devel] [freeipa PR#266][comment] ipapython: simplify Env object initialization In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/266 Title: #266: ipapython: simplify Env object initialization stlaz commented: """ This PR breaks almost all tests in test_ipalib/test_crud.py with `AttributeError: 'API' object has no attribute 'env'`. This error can be observed in some other tests: http://pastebin.com/8EjE2QVS (please disregard the DNS tests failures). """ See the full comment at https://github.com/freeipa/freeipa/pull/266#issuecomment-263532334 From freeipa-github-notification at redhat.com Tue Nov 29 10:23:27 2016 
From: freeipa-github-notification at redhat.com (tiran) Date: Tue, 29 Nov 2016 11:23:27 +0100 Subject: [Freeipa-devel] [freeipa PR#280][comment] Set explicit confdir option for global contexts In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/280 Title: #280: Set explicit confdir option for global contexts tiran commented: """ I fixed a few. Some scripts deliberately do not have the confdir flag in bootstrap. """ See the full comment at https://github.com/freeipa/freeipa/pull/280#issuecomment-263532412 From freeipa-github-notification at redhat.com Tue Nov 29 10:42:46 2016 From: freeipa-github-notification at redhat.com (tiran) Date: Tue, 29 Nov 2016 11:42:46 +0100 Subject: [Freeipa-devel] [freeipa PR#228][comment] cert-request: allow directoryName in SAN extension In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/228 Title: #228: cert-request: allow directoryName in SAN extension tiran commented: """ @jcholast I'm not familiar with any standard that mandates that a X.509 Subject DN should identify a subject in a directory. Which standard mandates the relationship? RFC 5280 only requires that the Subject DN must be unique for each entity. A CA is allowed to issue multiple certs with the same Subject DN for the same entity. https://tools.ietf.org/html/rfc5280#section-4.1.2.6 """ See the full comment at https://github.com/freeipa/freeipa/pull/228#issuecomment-263536634 From freeipa-github-notification at redhat.com Tue Nov 29 10:53:41 2016 
From: freeipa-github-notification at redhat.com (jcholast) Date: Tue, 29 Nov 2016 11:53:41 +0100 Subject: [Freeipa-devel] [freeipa PR#228][comment] cert-request: allow directoryName in SAN extension In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/228 Title: #228: cert-request: allow directoryName in SAN extension jcholast commented: """ @tiran, could you please stay on topic? I haven't said anything about it being mandatory, and it's not the point anyway (consistency between subject DN and DN SAN validation is). About CA being allowed to issue multiple certs with the same subject DN, thanks for stating the obvious, but again, not the point here. """ See the full comment at https://github.com/freeipa/freeipa/pull/228#issuecomment-263539133 From freeipa-github-notification at redhat.com Tue Nov 29 11:00:54 2016 From: freeipa-github-notification at redhat.com (jcholast) Date: Tue, 29 Nov 2016 12:00:54 +0100 Subject: [Freeipa-devel] [freeipa PR#280][comment] Set explicit confdir option for global contexts In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/280 Title: #280: Set explicit confdir option for global contexts jcholast commented: """ Please explain, all of the affected scripts are server-only and thus not related to the integration effort and most probably won't work correctly with non-server configuration anyway. """ See the full comment at https://github.com/freeipa/freeipa/pull/280#issuecomment-263540749 From freeipa-github-notification at redhat.com Tue Nov 29 11:28:12 2016 
From: freeipa-github-notification at redhat.com (tiran)
Date: Tue, 29 Nov 2016 12:28:12 +0100
Subject: [Freeipa-devel] [freeipa PR#228][comment] cert-request: allow directoryName in SAN extension
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/228
Title: #228: cert-request: allow directoryName in SAN extension

tiran commented:
"""
I'm on topic and I'm trying to understand your point. Why do you see a relationship between the subject DN of a X.509 and the directoryName general name in SAN X.509v3 extension? It doesn't make sense to me. The subject follows different rules, e.g. a disjunct set of RDN attributes. Attributes like DC, UID etc. are not commonly found in a X.509 cert's subject. Furthermore a CA usually imposes some policies and requires the certificate's subject to have fixed C, O, OU etc values. With multiple SubCAs (e.g. for VPN, client cert auth, host certs) we end up with different subject DNs but with the same directoryName GN SAN entry. The directoryName is designed to hold a LDAP DN.

By the way, I was quoting the RFC to give some context. With X.509 there is no such thing as an obvious thing. In fact multiple certs with the same Subject DN is very relevant and important for this topic. A certificate's Subject DN is not really a distinguishing name in the sense of a unique identifier.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/228#issuecomment-263546428

From freeipa-github-notification at redhat.com Tue Nov 29 11:35:52 2016
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 29 Nov 2016 12:35:52 +0100 Subject: [Freeipa-devel] [freeipa PR#255][comment] Adjustments for setup requirements In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/255 Title: #255: Adjustments for setup requirements mbasti-rh commented: """ @tiran You can split patch to useful part and please send unneeded bumping of requires as separate pull request, we can continue with discussion there about bumping versions. It is unrelated part of patch and should be in separated commit anyway. """ See the full comment at https://github.com/freeipa/freeipa/pull/255#issuecomment-263547842 From freeipa-github-notification at redhat.com Tue Nov 29 11:39:47 2016 From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 29 Nov 2016 12:39:47 +0100 Subject: [Freeipa-devel] [freeipa PR#271][comment] Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/271 Title: #271: Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient stlaz commented: """ I checked the rebase again as well as ran the tests. The changes in the PR clean the code nicely aside from doing what's proposed in the given ticket. The issues from CI and QuantifiedCode are only caused by moving the code in between modules. ACK. """ See the full comment at https://github.com/freeipa/freeipa/pull/271#issuecomment-263548530 From freeipa-github-notification at redhat.com Tue Nov 29 11:39:50 2016 
From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 29 Nov 2016 12:39:50 +0100 Subject: [Freeipa-devel] [freeipa PR#271][+ack] Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/271 Title: #271: Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient Label: +ack From freeipa-github-notification at redhat.com Tue Nov 29 11:48:39 2016 From: freeipa-github-notification at redhat.com (tiran) Date: Tue, 29 Nov 2016 12:48:39 +0100 Subject: [Freeipa-devel] [freeipa PR#255][comment] Adjustments for setup requirements In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/255 Title: #255: Adjustments for setup requirements tiran commented: """ @mbasti-rh The bumped version numbers are required. gssapi needs to be bumped because 1.1.x has wrong dependency information for Python 3 (enum34). cryptography 0.9 does not build any more. gssapi 1.2 and cryptography 1.3 are the oldest releases that are actually been tested by QE. """ See the full comment at https://github.com/freeipa/freeipa/pull/255#issuecomment-263550183 From freeipa-github-notification at redhat.com Tue Nov 29 11:50:05 2016 
From: freeipa-github-notification at redhat.com (tiran) Date: Tue, 29 Nov 2016 12:50:05 +0100 Subject: [Freeipa-devel] [freeipa PR#255][comment] Adjustments for setup requirements In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/255 Title: #255: Adjustments for setup requirements tiran commented: """ @mbasti-rh The bumped version numbers are required. gssapi needs to be bumped because 1.1.x has wrong dependency information for Python 3 (enum34). cryptography 0.9 does not build any more. gssapi 1.2 and cryptography 1.3 are the oldest releases that are actually been tested by QE. I did not bother to verify older releases because I consider it a waste of time and resources. In a couple of weeks we have to bump up cryptography to 1.7 anyway. """ See the full comment at https://github.com/freeipa/freeipa/pull/255#issuecomment-263550183 From freeipa-github-notification at redhat.com Tue Nov 29 11:50:45 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 29 Nov 2016 12:50:45 +0100 Subject: [Freeipa-devel] [freeipa PR#174][comment] add log module In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/174 Title: #174: add log module mbasti-rh commented: """ Hello, what I meant was to send fixing of missing translations strings as separated PR and if you identified any parts of code that should be logged too, you can send a PR too. Basically your changes in: `ipalib/plugins/config.py` and at the end of `ipaserver/rpcserver.py` (but the second one need discussion first why is that needed) """ See the full comment at https://github.com/freeipa/freeipa/pull/174#issuecomment-263550567 From freeipa-github-notification at redhat.com Tue Nov 29 11:51:37 2016 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Tue, 29 Nov 2016 12:51:37 +0100 Subject: [Freeipa-devel] [freeipa PR#228][comment] cert-request: allow directoryName in SAN extension In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/228 Title: #228: cert-request: allow directoryName in SAN extension tomaskrizek commented: """ @frasertweedale Oh, I didn't realize the DN in SAN matches the LDAP DN, while the Subject DN does not. In that case, this PR makes sense to me as is. I also don't see the need to validate Subject DN and SAN DN differently, since they use different representation (subject is a more generic identifier, as @tiran pointed out; while SAN DN should be the unique LDAP DN identifier). """ See the full comment at https://github.com/freeipa/freeipa/pull/228#issuecomment-263550747 From freeipa-github-notification at redhat.com Tue Nov 29 11:57:32 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Tue, 29 Nov 2016 12:57:32 +0100 Subject: [Freeipa-devel] [freeipa PR#273][closed] Build: workaround bug while calling parallel make from rpmbuild In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/273 Author: pspacek Title: #273: Build: workaround bug while calling parallel make from rpmbuild Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/273/head:pr273 git checkout pr273 From freeipa-github-notification at redhat.com Tue Nov 29 11:57:34 2016 
From: freeipa-github-notification at redhat.com (martbab) Date: Tue, 29 Nov 2016 12:57:34 +0100 Subject: [Freeipa-devel] [freeipa PR#273][+pushed] Build: workaround bug while calling parallel make from rpmbuild In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/273 Title: #273: Build: workaround bug while calling parallel make from rpmbuild Label: +pushed From freeipa-github-notification at redhat.com Tue Nov 29 11:57:35 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Tue, 29 Nov 2016 12:57:35 +0100 Subject: [Freeipa-devel] [freeipa PR#273][comment] Build: workaround bug while calling parallel make from rpmbuild In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/273 Title: #273: Build: workaround bug while calling parallel make from rpmbuild martbab commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/132b475c2586f3ced68724355e9c45722dccf604 """ See the full comment at https://github.com/freeipa/freeipa/pull/273#issuecomment-263551875 From freeipa-github-notification at redhat.com Tue Nov 29 11:58:28 2016 From: freeipa-github-notification at redhat.com (tiran) Date: Tue, 29 Nov 2016 12:58:28 +0100 Subject: [Freeipa-devel] [freeipa PR#255][comment] Adjustments for setup requirements In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/255 Title: #255: Adjustments for setup requirements tiran commented: """ PS: There is no technical reason to bump the version of python-gssapi in freeipa.spec. The enum34 dependency issues is solely a Python packaging bug. It does not affect RPM packages. Since you insist on syncing PyPI versions with RPM versions, I had to bump both. Have it your way. """ See the full comment at https://github.com/freeipa/freeipa/pull/255#issuecomment-263552051 From freeipa-github-notification at redhat.com Tue Nov 29 11:58:34 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Tue, 29 Nov 2016 12:58:34 +0100
Subject: [Freeipa-devel] [freeipa PR#255][comment] Adjustments for setup requirements
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/255
Title: #255: Adjustments for setup requirements

mbasti-rh commented:
"""
> @mbasti-rh The bumped version numbers are required. gssapi needs to be bumped because 1.1.x has wrong dependency information for Python 3 (enum34).

So, this is broken fedora dependency on fedora side? If yes then this should be fixed by fedora downstream patch. I don't see reason why upstream version should have raised dependency just because fedora is broken.

> cryptography 0.9 does not build any more. gssapi 1.2 and cryptography 1.3 are the oldest releases that are actually been tested by QE. I did not bother to verify older releases because I consider it a waste of time and resources. In a couple of weeks we have to bump up cryptography to 1.7 anyway.

I don't see reason why bumping requires just because we are unable to build on fedora. Fedora is not the only linux distro.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/255#issuecomment-263552072

From freeipa-github-notification at redhat.com Tue Nov 29 12:00:10 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Tue, 29 Nov 2016 13:00:10 +0100
Subject: [Freeipa-devel] [freeipa PR#255][comment] Adjustments for setup requirements
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/255
Title: #255: Adjustments for setup requirements

mbasti-rh commented:
"""
> PS: There is no technical reason to bump the version of python-gssapi in freeipa.spec. The enum34 dependency issues is solely a Python packaging bug. It does not affect RPM packages. Since you insist on syncing PyPI versions with RPM versions, I had to bump both. Have it your way.

So finally we have reason to bump version, which should be documented in git history as separate commit.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/255#issuecomment-263552388

From freeipa-github-notification at redhat.com Tue Nov 29 12:01:54 2016
From: freeipa-github-notification at redhat.com (tiran)
Date: Tue, 29 Nov 2016 13:01:54 +0100
Subject: [Freeipa-devel] [freeipa PR#255][comment] Adjustments for setup requirements
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/255
Title: #255: Adjustments for setup requirements

tiran commented:
"""
You said Fedora, I didn't. The build bug is not related to Fedora at all. Cryptography 0.9 does not build on any distribution or platform with a recent version of OpenSSL.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/255#issuecomment-263552748

From freeipa-github-notification at redhat.com Tue Nov 29 12:03:08 2016
From: freeipa-github-notification at redhat.com (tiran)
Date: Tue, 29 Nov 2016 13:03:08 +0100
Subject: [Freeipa-devel] [freeipa PR#255][comment] Adjustments for setup requirements
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/255
Title: #255: Adjustments for setup requirements

tiran commented:
"""
You said Fedora, I didn't. The build bug is not related to Fedora at all. Cryptography 0.9 does not build on any distribution or platform with a recent version of OpenSSL.

Touché, I said Fedora in the commit message.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/255#issuecomment-263552748

From freeipa-github-notification at redhat.com Tue Nov 29 12:08:11 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Tue, 29 Nov 2016 13:08:11 +0100
Subject: [Freeipa-devel] [freeipa PR#281][comment] Accept server host names resolvable only using /etc/hosts
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/281
Title: #281: Accept server host names resolvable only using /etc/hosts

martbab commented:
"""
So can you imagine some scenario where this behavior may cause issues? Some exotic DNS setup maybe?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/281#issuecomment-263553887

From freeipa-github-notification at redhat.com Tue Nov 29 12:11:30 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Tue, 29 Nov 2016 13:11:30 +0100
Subject: [Freeipa-devel] [freeipa PR#255][comment] Adjustments for setup requirements
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/255
Title: #255: Adjustments for setup requirements

mbasti-rh commented:
"""
So create separate commits:
- fixes ipasetup.py
- bumps python-gssapi for pypi, with proper explanation in commit message and maybe comment in code may be helpful.

And we will be happy because we have reason why it needs to be raised and this reason can be found in git history. I'm still not persuaded with need for bumping cryptography.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/255#issuecomment-263554517

From freeipa-github-notification at redhat.com Tue Nov 29 12:54:34 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Tue, 29 Nov 2016 13:54:34 +0100
Subject: [Freeipa-devel] [freeipa PR#277][synchronized] DNS: URI records: bump python-dns requirements
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/277
Author: mbasti-rh
Title: #277: DNS: URI records: bump python-dns requirements
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/277/head:pr277
git checkout pr277

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-277.patch
Type: text/x-diff
Size: 2271 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Tue Nov 29 12:54:38 2016
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 29 Nov 2016 13:54:38 +0100 Subject: [Freeipa-devel] [freeipa PR#277][comment] DNS: URI records: bump python-dns requirements In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/277 Title: #277: DNS: URI records: bump python-dns requirements mbasti-rh commented: """ Thank you, fixed. """ See the full comment at https://github.com/freeipa/freeipa/pull/277#issuecomment-263562846 From freeipa-github-notification at redhat.com Tue Nov 29 13:05:38 2016 From: freeipa-github-notification at redhat.com (tiran) Date: Tue, 29 Nov 2016 14:05:38 +0100 Subject: [Freeipa-devel] [freeipa PR#277][+ack] DNS: URI records: bump python-dns requirements In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/277 Title: #277: DNS: URI records: bump python-dns requirements Label: +ack From freeipa-github-notification at redhat.com Tue Nov 29 13:07:47 2016 From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 29 Nov 2016 14:07:47 +0100 Subject: [Freeipa-devel] [freeipa PR#282][opened] replicainstall: give correct error message on DL mismatch Message-ID: URL: https://github.com/freeipa/freeipa/pull/282 Author: stlaz Title: #282: replicainstall: give correct error message on DL mismatch Action: opened PR body: """ https://fedorahosted.org/freeipa/ticket/6510 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/282/head:pr282 git checkout pr282 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-282.patch Type: text/x-diff Size: 986 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Nov 29 13:14:03 2016 
From: freeipa-github-notification at redhat.com (ofayans) Date: Tue, 29 Nov 2016 14:14:03 +0100 Subject: [Freeipa-devel] [freeipa PR#225][synchronized] tests: Added basic tests for certs in idoverrides In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/225 Author: ofayans Title: #225: tests: Added basic tests for certs in idoverrides Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/225/head:pr225 git checkout pr225 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-225.patch Type: text/x-diff Size: 9232 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Nov 29 13:21:15 2016 From: freeipa-github-notification at redhat.com (ofayans) Date: Tue, 29 Nov 2016 14:21:15 +0100 Subject: [Freeipa-devel] [freeipa PR#225][synchronized] tests: Added basic tests for certs in idoverrides In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/225 Author: ofayans Title: #225: tests: Added basic tests for certs in idoverrides Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/225/head:pr225 git checkout pr225 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-225.patch Type: text/x-diff Size: 8846 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Nov 29 13:29:19 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 29 Nov 2016 14:29:19 +0100 Subject: [Freeipa-devel] [freeipa PR#277][+pushed] DNS: URI records: bump python-dns requirements In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/277 Title: #277: DNS: URI records: bump python-dns requirements Label: +pushed From freeipa-github-notification at redhat.com Tue Nov 29 13:29:20 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 29 Nov 2016 14:29:20 +0100 Subject: [Freeipa-devel] [freeipa PR#277][comment] DNS: URI records: bump python-dns requirements In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/277 Title: #277: DNS: URI records: bump python-dns requirements mbasti-rh commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/a291c6ded91611ea2bd1a1fdb96314721d73a75f """ See the full comment at https://github.com/freeipa/freeipa/pull/277#issuecomment-263569947 From freeipa-github-notification at redhat.com Tue Nov 29 13:29:21 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 29 Nov 2016 14:29:21 +0100 Subject: [Freeipa-devel] [freeipa PR#277][closed] DNS: URI records: bump python-dns requirements In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/277 Author: mbasti-rh Title: #277: DNS: URI records: bump python-dns requirements Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/277/head:pr277 git checkout pr277 From freeipa-github-notification at redhat.com Tue Nov 29 13:35:54 2016 From: freeipa-github-notification at redhat.com (tiran) Date: Tue, 29 Nov 2016 14:35:54 +0100 Subject: [Freeipa-devel] [freeipa PR#255][comment] Adjustments for setup requirements In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/255 Title: #255: Adjustments for setup requirements tiran commented: """ Would you rather claim to be compatible with a broken, unsupported, and old version? """ See the full comment at https://github.com/freeipa/freeipa/pull/255#issuecomment-263571342 From freeipa-github-notification at redhat.com Tue Nov 29 13:39:19 2016 
From: freeipa-github-notification at redhat.com (tiran) Date: Tue, 29 Nov 2016 14:39:19 +0100 Subject: [Freeipa-devel] [freeipa PR#255][synchronized] Adjustments for setup requirements In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/255 Author: tiran Title: #255: Adjustments for setup requirements Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/255/head:pr255 git checkout pr255 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-255.patch Type: text/x-diff Size: 6483 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Nov 29 13:47:52 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 29 Nov 2016 14:47:52 +0100 Subject: [Freeipa-devel] [freeipa PR#269][comment] Prevent denial of replication updates during CA replica install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/269 Title: #269: Prevent denial of replication updates during CA replica install mbasti-rh commented: """ Patch does not apply to 4.4.3 branch """ See the full comment at https://github.com/freeipa/freeipa/pull/269#issuecomment-263574061 From freeipa-github-notification at redhat.com Tue Nov 29 13:48:40 2016 
From: freeipa-github-notification at redhat.com (jcholast)
Date: Tue, 29 Nov 2016 14:48:40 +0100
Subject: [Freeipa-devel] [freeipa PR#228][comment] cert-request: allow directoryName in SAN extension
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/228
Title: #228: cert-request: allow directoryName in SAN extension

jcholast commented:
"""
Ok,

> Why do you see a relationship between the subject DN of a X.509 and the directoryName general name in SAN X.509v3 extension?

According to RFC 5280 section 4.1.2.6 the subject DN and SANs are equivalent in terms of identifying the subject entity:

> The subject field identifies the entity associated with the public
> key stored in the subject public key field. The subject name MAY be
> carried in the subject field and/or the subjectAltName extension.

Compare how the subject DN is defined in RFC 5280 section 4.1.2.6:

> Where it is non-empty, the subject field MUST contain an X.500
> distinguished name (DN). The DN MUST be unique for each subject
> entity certified by the one CA as defined by the issuer field. A CA
> MAY issue more than one certificate with the same DN to the same
> subject entity.

... with how the DN SAN is defined in RFC 5280 section 4.2.1.6:

> When the subjectAltName extension contains a DN in the directoryName,
> the encoding rules are the same as those specified for the issuer
> field in Section 4.1.2.4. The DN MUST be unique for each subject
> entity certified by the one CA as defined by the issuer field. A CA
> MAY issue more than one certificate with the same DN to the same
> subject entity.

See that there is no mention of any semantical difference between them as means of identifying the subject entity.

Further specifications such as the name constraints extension also treat them equally. RFC 5280 section 4.2.1.10:

> Restrictions of the form directoryName MUST be applied to the subject
> field in the certificate (when the certificate includes a non-empty
> subject field) and to any names of type directoryName in the
> subjectAltName extension.

> The subject follows different rules, e.g. a disjunct set of RDN attributes.

I could not find any mention of this in RFC 5280 nor the X.500 series of standards. I'm assuming it's because it's not there.

> Attributes like DC, UID etc. are not commonly found in a X.509 cert's subject.

Neither RFC 5280 nor the X.500 series of standards impose any restrictions on the attributes used. However, RFC 5280 section 4.1.2.4 says:

> In addition, **implementations of this specification MUST be prepared**
> **to receive the domainComponent attribute**, as defined in [RFC4519].

> With multiple SubCAs (e.g. for VPN, client cert auth, host certs) we end up with different subject DNs but with the same directoryName GN SAN entry.

Currently we in fact end up with the same subject DN. Which is just fine, as they refer to the same subject entity.

> The directoryName is designed to hold a LDAP DN.

I don't think that's true, as there is no mention of this in the directoryName SAN specification (see above).

> A certificate's Subject DN is not really a distinguishing name in the sense of a unique identifier.

Let me quote RFC 5280 section 4.1.2.6 again:

> Where it is non-empty, the subject field MUST contain an X.500
> distinguished name (DN). **The DN MUST be unique for each subject**
> **entity certified by the one CA as defined by the issuer field**. A CA
> MAY issue more than one certificate with the same DN to the same
> subject entity.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/228#issuecomment-263574255

From freeipa-github-notification at redhat.com Tue Nov 29 13:54:20 2016
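The name-constraints rule quoted in the comment above (RFC 5280 section 4.2.1.10), as an added example that is not part of the original message and not FreeIPA code: a permitted directoryName subtree is checked against both the subject DN and every directoryName SAN. The function names, the DNs and the simplified matching (case-insensitive string comparison, permitted subtrees only, no `\XX` hex escapes) are assumptions of this sketch.

```python
# Added illustration (not FreeIPA code). DNs are RFC 4514 strings; all sample
# DNs below are constructed. Matching is simplified to case-insensitive
# comparison of attribute type and value.

def _split(text, sep):
    """Split on `sep`, leaving backslash-escaped characters untouched."""
    parts, cur, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            cur.append(text[i:i + 2])      # keep the escape pair together
            i += 2
            continue
        if text[i] == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(text[i])
        i += 1
    parts.append("".join(cur))
    return parts


def _unescape(value):
    """Drop the backslash of single-character escapes (hex pairs unsupported)."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            i += 1
        out.append(value[i])
        i += 1
    return "".join(out)


def parse_dn(text):
    """Return the DN as a tuple of RDNs, root first; an RDN is a frozenset
    of (type, value) pairs so multi-valued RDNs compare order-independently."""
    rdns = []
    for rdn in _split(text, ","):
        avas = set()
        for ava in _split(rdn, "+"):
            attr, _, value = ava.partition("=")
            avas.add((attr.strip().lower(), _unescape(value.strip()).lower()))
        rdns.append(frozenset(avas))
    return tuple(reversed(rdns))           # RFC 4514 strings put the leaf first


def within_subtree(name, base):
    """True when `base` is an RDN-wise prefix of `name` (both root first)."""
    return len(name) >= len(base) and name[:len(base)] == base


def violations(subject, san_directory_names, permitted_subtrees):
    """List every name that falls outside all permitted directoryName subtrees.
    The subject is checked only when non-empty; directoryName SANs always."""
    bases = [parse_dn(b) for b in permitted_subtrees]
    names = [("directoryName SAN", dn) for dn in san_directory_names]
    if subject:
        names.insert(0, ("subject", subject))
    return [(kind, dn) for kind, dn in names
            if not any(within_subtree(parse_dn(dn), b) for b in bases)]


if __name__ == "__main__":
    permitted = ["O=IPA.TEST"]
    # Subject is inside the subtree, the SAN is not: the certificate still fails.
    print(violations("CN=replica1.ipa.test,O=IPA.TEST",
                     ["UID=host1,DC=other,DC=test"], permitted))
```

A validator that applied the constraint to the subject alone would accept the first certificate, which is why the quoted text treats both name forms the same way.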
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Tue, 29 Nov 2016 14:54:20 +0100
Subject: [Freeipa-devel] [freeipa PR#271][comment] Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/271
Title: #271: Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient

mbasti-rh commented:
"""
Ticket https://fedorahosted.org/freeipa/ticket/6474 is closed as wontfix and doesn't even seem right to me.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/271#issuecomment-263575595

From freeipa-github-notification at redhat.com Tue Nov 29 13:59:27 2016
From: freeipa-github-notification at redhat.com (stlaz)
Date: Tue, 29 Nov 2016 14:59:27 +0100
Subject: [Freeipa-devel] [freeipa PR#271][comment] Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/271
Title: #271: Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient

stlaz commented:
"""
Last I checked the ticket was still open. The ticket was trying to solve the same issue as this PR although its aim shifted (see the link I posted in the comments).
"""

See the full comment at https://github.com/freeipa/freeipa/pull/271#issuecomment-263576832

From freeipa-github-notification at redhat.com Tue Nov 29 14:01:47 2016
From: freeipa-github-notification at redhat.com (ofayans) Date: Tue, 29 Nov 2016 15:01:47 +0100 Subject: [Freeipa-devel] [freeipa PR#225][synchronized] tests: Added basic tests for certs in idoverrides In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/225 Author: ofayans Title: #225: tests: Added basic tests for certs in idoverrides Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/225/head:pr225 git checkout pr225 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-225.patch Type: text/x-diff Size: 8696 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Nov 29 14:04:20 2016 From: freeipa-github-notification at redhat.com (apophys) Date: Tue, 29 Nov 2016 15:04:20 +0100 Subject: [Freeipa-devel] [freeipa PR#200][comment] Test: basic kerberos over http functionality In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/200 Title: #200: Test: basic kerberos over http functionality apophys commented: """ Thank you for rebasing the commits. The test looks good. """ See the full comment at https://github.com/freeipa/freeipa/pull/200#issuecomment-263578009 From freeipa-github-notification at redhat.com Tue Nov 29 14:04:29 2016 From: freeipa-github-notification at redhat.com (apophys) Date: Tue, 29 Nov 2016 15:04:29 +0100 Subject: [Freeipa-devel] [freeipa PR#200][+ack] Test: basic kerberos over http functionality In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/200 Title: #200: Test: basic kerberos over http functionality Label: +ack From freeipa-github-notification at redhat.com Tue Nov 29 14:15:11 2016 
From: freeipa-github-notification at redhat.com (tiran) Date: Tue, 29 Nov 2016 15:15:11 +0100 Subject: [Freeipa-devel] [freeipa PR#280][comment] Set explicit confdir option for global contexts In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/280 Title: #280: Set explicit confdir option for global contexts tiran commented: """ All bootstrap() calls without an explicit confdir argument are fine. If you think otherwise, please list all calls and give me a compelling reason to have them ignore IPA_CONFDIR. """ See the full comment at https://github.com/freeipa/freeipa/pull/280#issuecomment-263580703 From freeipa-github-notification at redhat.com Tue Nov 29 14:19:32 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 29 Nov 2016 15:19:32 +0100 Subject: [Freeipa-devel] [freeipa PR#271][comment] Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/271 Title: #271: Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient mbasti-rh commented: """ Ticket updated. """ See the full comment at https://github.com/freeipa/freeipa/pull/271#issuecomment-263581781 From freeipa-github-notification at redhat.com Tue Nov 29 14:28:46 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 29 Nov 2016 15:28:46 +0100 Subject: [Freeipa-devel] [freeipa PR#268][+pushed] Build system must regenerate file when template changes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/268 Title: #268: Build system must regenerate file when template changes Label: +pushed From freeipa-github-notification at redhat.com Tue Nov 29 14:28:48 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 29 Nov 2016 15:28:48 +0100 Subject: [Freeipa-devel] [freeipa PR#268][comment] Build system must regenerate file when template changes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/268 Title: #268: Build system must regenerate file when template changes mbasti-rh commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/ba6ae666acaf8b930d18f45efc7c9c9faad3526b https://fedorahosted.org/freeipa/changeset/6857de02f3a9c2d7e99e33863be3c65f71fa0d58 https://fedorahosted.org/freeipa/changeset/89739a6c910461a3cac3abc1bf2ff162c7c5bc82 https://fedorahosted.org/freeipa/changeset/6fcfe689f47a02df023de69f62c889d9b4dc26fe https://fedorahosted.org/freeipa/changeset/6aa360775a781bee5a2fdd884cbfa33b545fcbb4 https://fedorahosted.org/freeipa/changeset/a89f63c5a62c4a02fc248a095f539a099a9c28c5 """ See the full comment at https://github.com/freeipa/freeipa/pull/268#issuecomment-263584306 From freeipa-github-notification at redhat.com Tue Nov 29 14:28:49 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 29 Nov 2016 15:28:49 +0100 Subject: [Freeipa-devel] [freeipa PR#268][closed] Build system must regenerate file when template changes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/268 Author: pspacek Title: #268: Build system must regenerate file when template changes Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/268/head:pr268 git checkout pr268 From freeipa-github-notification at redhat.com Tue Nov 29 14:46:35 2016 
From: freeipa-github-notification at redhat.com (pspacek)
Date: Tue, 29 Nov 2016 15:46:35 +0100
Subject: [Freeipa-devel] [freeipa PR#281][comment] Accept server host names resolvable only using /etc/hosts
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/281
Title: #281: Accept server host names resolvable only using /etc/hosts

pspacek commented:
"""
This entirely depends on configuration. Imagine following imaginary company setup:
- public part of DNS tree is `example.com.`
- private part of DNS tree is `corp.`
- resolv.conf contains `corp` in search list

Now an admin is going to install IPA instance for publicly available services at server `srv1.ipa.example.com.`. The name `srv1.ipa.example.com.` is not resolvable as --setup-dns option is used.

Now, the `dns` module invoked by NSS will try to lookup `srv1.ipa.example.com.`. It might (depending on configuration) fall back to `srv1.ipa.example.com.corp.` which may accidentally exist (as an IPA server for company internal purposes).

This is purely hypothetical, I'm just trying to show that the code is subtly broken.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/281#issuecomment-263589129

From freeipa-github-notification at redhat.com Tue Nov 29 14:54:39 2016
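The search-list fallback described in the comment above, as an added example that is not part of the original message and not FreeIPA code: a simplified model of how a stub resolver expands a name using the resolv.conf `search` list and `ndots`, run against a constructed zone. The hypothetical `verify_host_name` check accepts an answer only when it was given for the requested name itself.

```python
# Added illustration (not FreeIPA code). Simplified model of stub-resolver
# name expansion; the zone contents and address below are constructed.

def candidate_names(name, search, ndots=1):
    """Return the fully qualified names that would be queried, in order."""
    if name.endswith("."):
        return [name]                      # absolute name: search list unused
    as_is = name + "."
    expanded = ["%s.%s." % (name, suffix.strip(".")) for suffix in search]
    if name.count(".") >= ndots:
        return [as_is] + expanded          # literal name first, then suffixes
    return expanded + [as_is]              # short name: suffixes first


def resolve(name, search, zone, ndots=1):
    """Return (answering_fqdn, address) for the first candidate in `zone`."""
    for fqdn in candidate_names(name, search, ndots):
        address = zone.get(fqdn.lower())
        if address is not None:
            return fqdn, address
    return None


def verify_host_name(requested, search, zone, ndots=1):
    """Classify a lookup: 'ok' only if the answer is for the requested name."""
    hit = resolve(requested, search, zone, ndots)
    if hit is None:
        return ("unresolvable", None)
    fqdn, _address = hit
    if fqdn.lower() != requested.rstrip(".").lower() + ".":
        return ("answered-for-other-name", fqdn)
    return ("ok", fqdn)


# Constructed setup from the scenario: `corp` is in the search list, the
# public name does not exist yet, the internal look-alike does.
SEARCH = ["corp"]
ZONE = {"srv1.ipa.example.com.corp.": "192.0.2.10"}

if __name__ == "__main__":
    print(candidate_names("srv1.ipa.example.com", SEARCH))
    print(verify_host_name("srv1.ipa.example.com", SEARCH, ZONE))
    # With a trailing dot the name is absolute and no fallback happens.
    print(verify_host_name("srv1.ipa.example.com.", SEARCH, ZONE))
```

A check that only asks "did the lookup return an address?" passes in the first case; comparing the answering name with the requested one, or querying the absolute name with a trailing dot, does not.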
From: freeipa-github-notification at redhat.com (martbab) Date: Tue, 29 Nov 2016 15:54:39 +0100 Subject: [Freeipa-devel] [freeipa PR#283][opened] [ipa-4-4] Prevent denial of replication updates during CA replica install Message-ID: URL: https://github.com/freeipa/freeipa/pull/283 Author: martbab Title: #283: [ipa-4-4] Prevent denial of replication updates during CA replica install Action: opened PR body: """ This is https://github.com/freeipa/freeipa/pull/269 rebased on top of ipa-4-4 branch. https://fedorahosted.org/freeipa/ticket/6508 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/283/head:pr283 git checkout pr283 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-283.patch Type: text/x-diff Size: 2268 bytes Desc: not available URL: From rcritten at redhat.com Tue Nov 29 15:02:23 2016 
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 29 Nov 2016 10:02:23 -0500
Subject: [Freeipa-devel] NTP in FreeIPA
In-Reply-To: <8cb49a87-bdc4-0db5-504a-d10d6dd6152e@redhat.com>
References: <583C8C43.8070202@redhat.com> <8cb49a87-bdc4-0db5-504a-d10d6dd6152e@redhat.com>
Message-ID: <583D987F.9040102@redhat.com>

Petr Spacek wrote:
> On 29.11.2016 09:11, Jan Cholasta wrote:
>> On 28.11.2016 20:57, Rob Crittenden wrote:
>>> David Kupka wrote:
>>>> On 22/11/16 23:15, Gabe Alford wrote:
>>>>> I would say that it is worth keeping in FreeIPA. I know myself and some
>>>>> customers use its functionality by having the clients sync to the IPA
>>>>> servers and have the servers sync to the NTP source. This way if the NTP
>>>>> source ever gets disrupted for long periods of time (which has
>>>>> happened in
>>>>> my environment) the client time drifts with the authentication source.
>>>>> This
>>>>> is the way that AD often works and is configured.
>>>>
>>>> Hello Gabe,
>>>> I agree that it's common practice to synchronize all nodes in network
>>>> with single source in order to have the same time and save bandwidth.
>>>> Also I understand that it's comfortable to let FreeIPA installer take
>>>> care of it.
>>>> But I don't think FreeIPA should do it IMO this is job for Ansible or
>>>> similar tool. Also the problem is that in some situations FreeIPA
>>>> installer makes it worse.
>>>>
>>>> Example:
>>>>
>>>> 1. Install FreeIPA server (ipa1.example.org)
>>>> 2. Install FreeIPA client on all nodes in network
>>>> 3. Install replica (ipa2.example.org) of FreeIPA server to increase
>>>> redundancy
>>>>
>>>> Now all the clients have ipa1.example.org as the only server in
>>>> /etc/ntp.conf. If the first FreeIPA server becomes unreachable all
>>>> clients will be able to contact KDC on the other server thanks to DNS
>>>> autodiscovery in libkrb5 but will be unable to synchronize time.
>>>
>>> Remember that the goal of IPA was to herd together a bunch of software
>>> to make hard things easier. This included dealing with the 5-minute
>>> Kerberos window so ntp was configured on the client and server (which is
>>> less of any issue now).
>>>
>>> When making changes you have to ask yourself who are you making this
>>> easier for: you or the user.
>>>
>>> Yes, getting NTP right is hard, but does it meet the 80/20 rule in terms
>>> of success? I'd think so. I
>>>
>>> If someone wants to configure it using Ansible they can use the
>>> --no-ntp. If they want to use different time servers they can pass in
>>> --ntp-server. But by default IMHO it should do something sane to give a
>>> good experience.
>>
>> I think to do something sane is exactly the point of this, and the sanest
>> thing we can do is to not touch NTP configuration at all:
>>
>> * if the NTP configuration obtained via DHCP works, we can't make it any
>> better by touching it, only worse,
>> * if the default NTP configuration shipped with the distribution works, we
>> again can't make it any better by touching it,
>> * if we are running inside container, time is synchronized by other means
>> and we should not touch NTP configuration at all,
>> * if neither the default NTP configuration nor the NTP configuration
>> obtained via DHCP works and we are not running inside container, we may
>> attempt to fix the configuration, but it will not be permanent and will work
>> only for this specific host.
>>
>> I think the first 3 points cover 99% of real-life deployments, and yet we are
>> optimized towards the remaining 1%, with the potential of breaking the
>> configuration for the 99%. This is far from sane IMHO.
>
> +1 for Honza's point.
>
> Current NTP code is works only for initial setup and silently breaks
> synchronization later on. Most importantly it breaks synchronization as soon
> as admin removes old replicas and replaces them with new ones - there is no
> mechanism to update the records in the client configuration (and SRV discovery
> is not supported by clients).
>
> I.e. when admin decommission replicas which were around at the time of client
> installation, the NTP on client will silently break. This would not happen if
> you did not touch it.
>
> (This also implicitly means that IPA-configured NTP is broken on all clients
> in topologies which were completely migrated from RHEL 6 to RHEL 7.)
>
> Either DHCP or default distro config would solve the problem better.

That's fair but where are the huge pile of bugs, tickets and user e-mails complaining about time? Or has nobody noticed yet?

I'm just wondering whether dropping it altogether is the right choice or if enhancing the time clients to say, support SRV records is a preferable option.

There is a real advantage in having the IPA clients using the same time source as the IPA masters (in this case the masters themselves).

Like Simo I have mixed feelings about this and won't push on it anymore but completely dropping features should be well-considered and a last resort IMHO.

rob

From freeipa-github-notification at redhat.com Tue Nov 29 15:09:24 2016
From: freeipa-github-notification at redhat.com (tiran) Date: Tue, 29 Nov 2016 16:09:24 +0100 Subject: [Freeipa-devel] [freeipa PR#255][synchronized] Adjustments for setup requirements In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/255 Author: tiran Title: #255: Adjustments for setup requirements Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/255/head:pr255 git checkout pr255 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-255.patch Type: text/x-diff Size: 6259 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Nov 29 15:10:24 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 29 Nov 2016 16:10:24 +0100 Subject: [Freeipa-devel] [freeipa PR#269][+pushed] Prevent denial of replication updates during CA replica install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/269 Title: #269: Prevent denial of replication updates during CA replica install Label: +pushed From freeipa-github-notification at redhat.com Tue Nov 29 15:10:26 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 29 Nov 2016 16:10:26 +0100 Subject: [Freeipa-devel] [freeipa PR#269][comment] Prevent denial of replication updates during CA replica install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/269 Title: #269: Prevent denial of replication updates during CA replica install mbasti-rh commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/73d0d03891c8585a925f5b49739990c579999f6e https://fedorahosted.org/freeipa/changeset/266b9d9c6c9b9dec10b8a70382445fa2f800dd69 """ See the full comment at https://github.com/freeipa/freeipa/pull/269#issuecomment-263595900 From freeipa-github-notification at redhat.com Tue Nov 29 15:10:27 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 29 Nov 2016 16:10:27 +0100 Subject: [Freeipa-devel] [freeipa PR#269][closed] Prevent denial of replication updates during CA replica install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/269 Author: martbab Title: #269: Prevent denial of replication updates during CA replica install Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/269/head:pr269 git checkout pr269 From freeipa-github-notification at redhat.com Tue Nov 29 15:10:41 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Tue, 29 Nov 2016 16:10:41 +0100 Subject: [Freeipa-devel] [freeipa PR#281][comment] Accept server host names resolvable only using /etc/hosts In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/281 Title: #281: Accept server host names resolvable only using /etc/hosts martbab commented: """ I see. I guess we can live with the fact that we may break such eccentric DNS topologies. I think we cannot really handle all the corner cases associated with guessing/setting hostname by ourselves anyway (yes I am not a big fan of FreeIPA stepping onto provisioning system's toes). """ See the full comment at https://github.com/freeipa/freeipa/pull/281#issuecomment-263595995 From freeipa-github-notification at redhat.com Tue Nov 29 15:12:13 2016 
From: freeipa-github-notification at redhat.com (tiran) Date: Tue, 29 Nov 2016 16:12:13 +0100 Subject: [Freeipa-devel] [freeipa PR#255][synchronized] Adjustments for setup requirements In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/255 Author: tiran Title: #255: Adjustments for setup requirements Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/255/head:pr255 git checkout pr255 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-255.patch Type: text/x-diff Size: 6433 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Nov 29 15:14:03 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Tue, 29 Nov 2016 16:14:03 +0100 Subject: [Freeipa-devel] [freeipa PR#281][comment] Accept server host names resolvable only using /etc/hosts In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/281 Title: #281: Accept server host names resolvable only using /etc/hosts martbab commented: """ Thinking of this some more, shouldn't be `--no-host-dns` option used and advertised if you want to set unresolvable hostname during install? """ See the full comment at https://github.com/freeipa/freeipa/pull/281#issuecomment-263596975 From pspacek at redhat.com Tue Nov 29 15:40:06 2016 
From: pspacek at redhat.com (Petr Spacek)
Date: Tue, 29 Nov 2016 16:40:06 +0100
Subject: [Freeipa-devel] NTP in FreeIPA
In-Reply-To: <583D987F.9040102@redhat.com>
References: <583C8C43.8070202@redhat.com> <8cb49a87-bdc4-0db5-504a-d10d6dd6152e@redhat.com> <583D987F.9040102@redhat.com>
Message-ID: <8496ee7a-d4d7-cb77-24db-4cb2d4bf24a9@redhat.com>

On 29.11.2016 16:02, Rob Crittenden wrote:
> Petr Spacek wrote:
>> On 29.11.2016 09:11, Jan Cholasta wrote:
>>> On 28.11.2016 20:57, Rob Crittenden wrote:
>>>> David Kupka wrote:
>>>>> On 22/11/16 23:15, Gabe Alford wrote:
>>>>>> I would say that it is worth keeping in FreeIPA. I know myself and some
>>>>>> customers use its functionality by having the clients sync to the IPA
>>>>>> servers and have the servers sync to the NTP source. This way if the NTP
>>>>>> source ever gets disrupted for long periods of time (which has
>>>>>> happened in
>>>>>> my environment) the client time drifts with the authentication source.
>>>>>> This
>>>>>> is the way that AD often works and is configured.
>>>>>
>>>>> Hello Gabe,
>>>>> I agree that it's common practice to synchronize all nodes in network
>>>>> with single source in order to have the same time and save bandwidth.
>>>>> Also I understand that it's comfortable to let FreeIPA installer take
>>>>> care of it.
>>>>> But I don't think FreeIPA should do it IMO this is job for Ansible or
>>>>> similar tool. Also the problem is that in some situations FreeIPA
>>>>> installer makes it worse.
>>>>>
>>>>> Example:
>>>>>
>>>>> 1. Install FreeIPA server (ipa1.example.org)
>>>>> 2. Install FreeIPA client on all nodes in network
>>>>> 3. Install replica (ipa2.example.org) of FreeIPA server to increase
>>>>> redundancy
>>>>>
>>>>> Now all the clients have ipa1.example.org as the only server in
>>>>> /etc/ntp.conf. If the first FreeIPA server becomes unreachable all
>>>>> clients will be able to contact KDC on the other server thanks to DNS
>>>>> autodiscovery in libkrb5 but will be unable to synchronize time.
>>>>
>>>> Remember that the goal of IPA was to herd together a bunch of software
>>>> to make hard things easier. This included dealing with the 5-minute
>>>> Kerberos window so ntp was configured on the client and server (which is
>>>> less of any issue now).
>>>>
>>>> When making changes you have to ask yourself who are you making this
>>>> easier for: you or the user.
>>>>
>>>> Yes, getting NTP right is hard, but does it meet the 80/20 rule in terms
>>>> of success? I'd think so. I
>>>>
>>>> If someone wants to configure it using Ansible they can use the
>>>> --no-ntp. If they want to use different time servers they can pass in
>>>> --ntp-server. But by default IMHO it should do something sane to give a
>>>> good experience.
>>>
>>> I think to do something sane is exactly the point of this, and the sanest
>>> thing we can do is to not touch NTP configuration at all:
>>>
>>> * if the NTP configuration obtained via DHCP works, we can't make it any
>>> better by touching it, only worse,
>>> * if the default NTP configuration shipped with the distribution works, we
>>> again can't make it any better by touching it,
>>> * if we are running inside container, time is synchronized by other means
>>> and we should not touch NTP configuration at all,
>>> * if neither the default NTP configuration nor the NTP configuration
>>> obtained via DHCP works and we are not running inside container, we may
>>> attempt to fix the configuration, but it will not be permanent and will work
>>> only for this specific host.
>>>
>>> I think the first 3 points cover 99% of real-life deployments, and yet we are
>>> optimized towards the remaining 1%, with the potential of breaking the
>>> configuration for the 99%. This is far from sane IMHO.
>>
>> +1 for Honza's point.
>>
>> Current NTP code is works only for initial setup and silently breaks
>> synchronization later on. Most importantly it breaks synchronization as soon
>> as admin removes old replicas and replaces them with new ones - there is no
>> mechanism to update the records in the client configuration (and SRV discovery
>> is not supported by clients).
>>
>> I.e. when admin decommission replicas which were around at the time of client
>> installation, the NTP on client will silently break. This would not happen if
>> you did not touch it.
>>
>> (This also implicitly means that IPA-configured NTP is broken on all clients
>> in topologies which were completely migrated from RHEL 6 to RHEL 7.)
>>
>> Either DHCP or default distro config would solve the problem better.
>
> That's fair but where are the huge pile of bugs, tickets and user
> e-mails complaining about time? Or has nobody noticed yet?

Hard to say. There might be multiple reasons for this. E.g.
- Starting with Fedora 16, there is Chronyd installed by default. IPA client installer does not configure Chronyd by default so there is nothing to break.
- DHCP integration still modifies IPA-generated ntp.conf.
- Users who care might use configuration management tool.

> I'm just wondering whether dropping it altogether is the right choice or
> if enhancing the time clients to say, support SRV records is a
> preferable option.
>
> There is a real advantage in having the IPA clients using the same time
> source as the IPA masters (in this case the masters themselves).
>
> Like Simo I have mixed feelings about this and won't push on it anymore
> but completely dropping features should be well-considered and a last
> resort IMHO.

+1

We should carefully consider the change and document it so we have something to start with in future, when things need to be changed again.

--
Petr^2 Spacek

From freeipa-github-notification at redhat.com Tue Nov 29 15:53:26 2016
From: freeipa-github-notification at redhat.com (pspacek)
Date: Tue, 29 Nov 2016 16:53:26 +0100
Subject: [Freeipa-devel] [freeipa PR#281][comment] Accept server host names resolvable only using /etc/hosts
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/281
Title: #281: Accept server host names resolvable only using /etc/hosts

pspacek commented:
"""
`--no-host-dns` disables all checks (theoretically) so it should be used only in special cases. Given it acts as kind of force switch, we should not advertise it.

In either case the user will have to provide `--ip-address` option. Also, the user is asked for IP address in interactive mode so IMHO we are sufficiently covered.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/281#issuecomment-263609320

From freeipa-github-notification at redhat.com Tue Nov 29 17:01:01 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Tue, 29 Nov 2016 18:01:01 +0100
Subject: [Freeipa-devel] [freeipa PR#275][comment] Enhance __repr__ method of Principal
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/275
Title: #275: Enhance __repr__ method of Principal

martbab commented:
"""
Sorry I somehow botched that, but it worked nevertheless. I have re-worked the PR according to your comments.

```
In [1]: import ipapython.kerberos

In [2]: p = ipapython.kerberos.Principal(u"HTTP/replica1.ipa.test")

In [3]: p
Out[3]: ipapython.kerberos.Principal('HTTP/replica1.ipa.test')

In [5]: r = eval('p')

In [6]: r
Out[6]: ipapython.kerberos.Principal('HTTP/replica1.ipa.test')

In [7]: r == p
Out[7]: True
```
"""

See the full comment at https://github.com/freeipa/freeipa/pull/275#issuecomment-263630652

From abokovoy at redhat.com Tue Nov 29 17:10:12 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 29 Nov 2016 19:10:12 +0200
Subject: [Freeipa-devel] NTP in FreeIPA
In-Reply-To: <8496ee7a-d4d7-cb77-24db-4cb2d4bf24a9@redhat.com>
References: <583C8C43.8070202@redhat.com> <8cb49a87-bdc4-0db5-504a-d10d6dd6152e@redhat.com> <583D987F.9040102@redhat.com> <8496ee7a-d4d7-cb77-24db-4cb2d4bf24a9@redhat.com>
Message-ID: <20161129171012.nsqmaevs4dnlrpzh@redhat.com>

On Tue, 29 Nov 2016, Petr Spacek wrote:
>On 29.11.2016 16:02, Rob Crittenden wrote:
>> Petr Spacek wrote:
>>> On 29.11.2016 09:11, Jan Cholasta wrote:
>>>> On 28.11.2016 20:57, Rob Crittenden wrote:
>>>>> David Kupka wrote:
>>>>>> On 22/11/16 23:15, Gabe Alford wrote:
>>>>>>> I would say that it is worth keeping in FreeIPA. I know myself and some
>>>>>>> customers use its functionality by having the clients sync to the IPA
>>>>>>> servers and have the servers sync to the NTP source. This way if the NTP
>>>>>>> source ever gets disrupted for long periods of time (which has happened in
>>>>>>> my environment) the client time drifts with the authentication source. This
>>>>>>> is the way that AD often works and is configured.
>>>>>>
>>>>>> Hello Gabe,
>>>>>> I agree that it's common practice to synchronize all nodes in network
>>>>>> with single source in order to have the same time and save bandwidth.
>>>>>> Also I understand that it's comfortable to let FreeIPA installer take
>>>>>> care of it.
>>>>>> But I don't think FreeIPA should do it IMO this is job for Ansible or
>>>>>> similar tool. Also the problem is that in some situations FreeIPA
>>>>>> installer makes it worse.
>>>>>>
>>>>>> Example:
>>>>>>
>>>>>> 1. Install FreeIPA server (ipa1.example.org)
>>>>>> 2. Install FreeIPA client on all nodes in network
>>>>>> 3. Install replica (ipa2.example.org) of FreeIPA server to increase
>>>>>> redundancy
>>>>>>
>>>>>> Now all the clients have ipa1.example.org as the only server in
>>>>>> /etc/ntp.conf. If the first FreeIPA server becomes unreachable all
>>>>>> clients will be able to contact KDC on the other server thanks to DNS
>>>>>> autodiscovery in libkrb5 but will be unable to synchronize time.
>>>>>
>>>>> Remember that the goal of IPA was to herd together a bunch of software
>>>>> to make hard things easier. This included dealing with the 5-minute
>>>>> Kerberos window so ntp was configured on the client and server (which is
>>>>> less of any issue now).
>>>>>
>>>>> When making changes you have to ask yourself who are you making this
>>>>> easier for: you or the user.
>>>>>
>>>>> Yes, getting NTP right is hard, but does it meet the 80/20 rule in terms
>>>>> of success? I'd think so. I
>>>>>
>>>>> If someone wants to configure it using Ansible they can use the
>>>>> --no-ntp. If they want to use different time servers they can pass in
>>>>> --ntp-server. But by default IMHO it should do something sane to give a
>>>>> good experience.
>>>>
>>>> I think to do something sane is exactly the point of this, and the sanest
>>>> thing we can do is to not touch NTP configuration at all:
>>>>
>>>> * if the NTP configuration obtained via DHCP works, we can't make it any
>>>> better by touching it, only worse,
>>>> * if the default NTP configuration shipped with the distribution works, we
>>>> again can't make it any better by touching it,
>>>> * if we are running inside container, time is synchronized by other means
>>>> and we should not touch NTP configuration at all,
>>>> * if neither the default NTP configuration nor the NTP configuration
>>>> obtained via DHCP works and we are not running inside container, we may
>>>> attempt to fix the configuration, but it will not be permanent and will work
>>>> only for this specific host.
>>>>
>>>> I think the first 3 points cover 99% of real-life deployments, and yet we are
>>>> optimized towards the remaining 1%, with the potential of breaking the
>>>> configuration for the 99%. This is far from sane IMHO.
>>>
>>> +1 for Honza's point.
>>>
>>> Current NTP code is works only for initial setup and silently breaks
>>> synchronization later on. Most importantly it breaks synchronization as soon
>>> as admin removes old replicas and replaces them with new ones - there is no
>>> mechanism to update the records in the client configuration (and SRV discovery
>>> is not supported by clients).
>>>
>>> I.e. when admin decommission replicas which were around at the time of client
>>> installation, the NTP on client will silently break. This would not happen if
>>> you did not touch it.
>>>
>>> (This also implicitly means that IPA-configured NTP is broken on all clients
>>> in topologies which were completely migrated from RHEL 6 to RHEL 7.)
>>>
>>> Either DHCP or default distro config would solve the problem better.
>>
>> That's fair but where are the huge pile of bugs, tickets and user
>> e-mails complaining about time? Or has nobody noticed yet?
>
>Hard to say. There might be multiple reasons for this. E.g.
>
>- Starting with Fedora 16, there is Chronyd installed by default. IPA client
>installer does not configure Chronyd by default so there is nothing to break.
>
>- DHCP integration still modifies IPA-generated ntp.conf.
>
>- Users who care might use configuration management tool.

Still, bug reports and users' complaints are the only external measure we
have. There is close to nothing in complaints about NTP functionality,
other than requests to support chronyd and a better discovery of existing
NTP setups. I don't think that requires dramatic action like removal of
NTP support at all.

--
/ Alexander Bokovoy

From freeipa-github-notification at redhat.com Tue Nov 29 17:10:31 2016
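The failure mode discussed in this thread (a client whose /etc/ntp.conf still names only the replicas that existed when it was enrolled) can be checked for mechanically. The following is an added example, not code from FreeIPA or from any poster; the function names, the host names and the lists of current and retired servers are constructed assumptions, and in practice those lists would come from the deployment's own inventory.

```python
import ipaddress

# Directives in ntp.conf that name a time source.
DIRECTIVES = ("server", "peer", "pool")

# Constructed sample: a client enrolled when only ipa1 existed.
SAMPLE_NTP_CONF = """\
driftfile /var/lib/ntp/drift
server ipa1.example.org iburst   # written at enrollment
server 127.127.1.0               # local clock
fudge 127.127.1.0 stratum 10
"""


def ntp_sources(conf_text):
    """Return the hosts named by server/peer/pool lines, comments stripped."""
    sources = []
    for raw in conf_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] in DIRECTIVES:
            sources.append(fields[1].rstrip(".").lower())
    return sources


def is_refclock(source):
    """ntpd reference clocks are written as pseudo-addresses 127.127.t.u."""
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:          # a host name, not an address
        return False
    return addr in ipaddress.ip_network("127.127.0.0/16")


def audit_client(conf_text, current, retired):
    """Classify each configured source and give a verdict for the client.

    current -- IPA servers that exist today (assumed input)
    retired -- IPA servers that were decommissioned (assumed input)
    """
    current = {h.lower() for h in current}
    retired = {h.lower() for h in retired}
    report = {"current": [], "retired": [], "other": [], "refclock": []}
    for src in ntp_sources(conf_text):
        if is_refclock(src):
            report["refclock"].append(src)
        elif src in current:
            report["current"].append(src)
        elif src in retired:
            report["retired"].append(src)
        else:
            report["other"].append(src)

    # Replicas added after enrollment never reach the client's file.
    uses_ipa = bool(report["current"] or report["retired"])
    report["missing"] = (
        sorted(current - set(report["current"])) if uses_ipa else [])

    live = report["current"] + report["other"]
    if not live:
        report["verdict"] = "broken"   # only retired replicas / local clock left
    elif report["retired"] or report["missing"]:
        report["verdict"] = "stale"    # still syncing, but one outage from broken
    else:
        report["verdict"] = "ok"
    return report


if __name__ == "__main__":
    # Step 3 of the example in the thread: ipa2 was added, the client was not updated.
    print(audit_client(SAMPLE_NTP_CONF,
                       ["ipa1.example.org", "ipa2.example.org"], []))
    # Later ipa1 is decommissioned: time sync is silently gone.
    print(audit_client(SAMPLE_NTP_CONF,
                       ["ipa2.example.org"], ["ipa1.example.org"]))
```

A client whose file never referenced an IPA server (DHCP-provided or distribution default sources) is reported as "ok", which matches the cases the thread argues should be left alone.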
From: freeipa-github-notification at redhat.com (tiran)
Date: Tue, 29 Nov 2016 18:10:31 +0100
Subject: [Freeipa-devel] [freeipa PR#275][comment] Enhance __repr__ method of Principal
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/275
Title: #275: Enhance __repr__ method of Principal

tiran commented:
"""
Can you please add a test to ```ipatests/test_ipapython/test_kerberos.py``` ```test_principals```? Something along the line ```assert repr(princ) == "ipapython.kerberos.Principal('{}')".format(principal_name)``` should do the trick (untested).
"""

See the full comment at https://github.com/freeipa/freeipa/pull/275#issuecomment-263633526

From freeipa-github-notification at redhat.com Tue Nov 29 17:21:50 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Tue, 29 Nov 2016 18:21:50 +0100
Subject: [Freeipa-devel] [freeipa PR#255][comment] Adjustments for setup requirements
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/255
Title: #255: Adjustments for setup requirements

martbab commented:
"""
Well from our (as upstream) POV 0.9 and later is required for Custodia to work correctly. This requirement was introduced by me in commit aa749957360b85fecaed2f9f8dc286f560b89e0b when I was building 4.3 in Copr for CentOS 7. There was ye olde 0.8 something version and I found empirically that 0.9 or later is required for replica promotion to work (at that time 1.2.1 was the most up-to-date version built in Brew IIRC).

Yes, this version is ancient and vast majority of distros does not support it anymore but then it is their job to provide newer version fulfilling our Required and I see no point in artificially bumping it in upstream unless some of our code depends on functionality of newer version. I mentioned the CentOS story as an example that demonstrates that you never know on what distro your software is being ported.

That said, if you are afraid that it can break the PIP use-case then I am fine with bumping the version but as @mbasti-rh said, please split version bumps into a separate commit with clean explanation of the reasons (already provided in the commit message). This makes it easier for our future selves to review the build/runtime requirements during spec file cleanups and similar work. I remember that @jcholast was very frustrated when he was cleaning up BuildRequires recently and was unable to find any reasonable explanation for many of them in git history.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/255#issuecomment-263636692

From freeipa-github-notification at redhat.com Tue Nov 29 17:25:29 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Tue, 29 Nov 2016 18:25:29 +0100
Subject: [Freeipa-devel] [freeipa PR#275][synchronized] Enhance __repr__ method of Principal
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/275
Author: martbab
Title: #275: Enhance __repr__ method of Principal
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/275/head:pr275
git checkout pr275
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-275.patch
Type: text/x-diff
Size: 1549 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Tue Nov 29 17:26:59 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Tue, 29 Nov 2016 18:26:59 +0100
Subject: [Freeipa-devel] [freeipa PR#275][comment] Enhance __repr__ method of Principal
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/275
Title: #275: Enhance __repr__ method of Principal

martbab commented:
"""
That sounds like a good idea. Added such assert to the unit tests.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/275#issuecomment-263638134

From freeipa-github-notification at redhat.com Tue Nov 29 17:27:55 2016
From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Tue, 29 Nov 2016 18:27:55 +0100
Subject: [Freeipa-devel] [freeipa PR#284][opened] ipautil: check for open ports on all resolved IPs
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/284
Author: tomaskrizek
Title: #284: ipautil: check for open ports on all resolved IPs
Action: opened

PR body:
"""
When a hostname is provided to host_port_open, it should check if
ports are open for ALL IPs that are resolved from the hostname, instead
of checking whether the port is reachable on at least one of the IPs.

https://fedorahosted.org/freeipa/ticket/6522
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/284/head:pr284
git checkout pr284
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-284.patch
Type: text/x-diff
Size: 4171 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Tue Nov 29 17:29:16 2016
From: freeipa-github-notification at redhat.com (apophys)
Date: Tue, 29 Nov 2016 18:29:16 +0100
Subject: [Freeipa-devel] [freeipa PR#225][comment] tests: Added basic tests for certs in idoverrides
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/225
Title: #225: tests: Added basic tests for certs in idoverrides

apophys commented:
"""
Thank you for addressing the issues. The implementation is somehow minimal, however in the future it can be extended as needed.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/225#issuecomment-263638790

From freeipa-github-notification at redhat.com Tue Nov 29 17:29:26 2016
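The difference described in the body of PR #284 above, between a port being reachable on at least one resolved address and on all of them, shown as an added example. This is not the code from the PR or from ipautil; `port_open_on_any`, `port_open_on_all`, the host name and the two-address resolver are hypothetical, and the resolver is injectable only so the demonstration runs offline.

```python
import socket


def resolve_all(host, port, resolver=socket.getaddrinfo):
    """Return every distinct (family, sockaddr) pair the name resolves to."""
    seen, targets = set(), []
    for family, _stype, _proto, _canon, sockaddr in resolver(
            host, port, socket.AF_UNSPEC, socket.SOCK_STREAM):
        if (family, sockaddr) not in seen:
            seen.add((family, sockaddr))
            targets.append((family, sockaddr))
    return targets


def probe(family, sockaddr, timeout=1.0):
    """Attempt one TCP connect; True only if the handshake completes."""
    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect(sockaddr)
        return True
    except OSError:             # refused, unreachable or timed out
        return False
    finally:
        sock.close()


def port_open_on_any(host, port, resolver=socket.getaddrinfo):
    """The weaker check: stops at the first address that answers."""
    return any(probe(f, a) for f, a in resolve_all(host, port, resolver))


def port_open_on_all(host, port, resolver=socket.getaddrinfo):
    """The stricter check: returns (ok, failed_addresses).

    ok is True only if the name resolved to something and every
    resolved address accepted the connection.
    """
    targets = resolve_all(host, port, resolver)
    failed = [addr[0] for fam, addr in targets if not probe(fam, addr)]
    return bool(targets) and not failed, failed


def demo():
    """Listen on 127.0.0.1 only, then check a name with two addresses."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    port = listener.getsockname()[1]

    # Constructed resolver: the name maps to one address that is served
    # and one (127.0.0.2) where nothing listens on this port.
    def two_addresses(host, port, family=0, type=0, proto=0, flags=0):
        return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (ip, port))
                for ip in ("127.0.0.1", "127.0.0.2")]

    try:
        any_ok = port_open_on_any("replica.example.test", port, two_addresses)
        all_ok, failed = port_open_on_all(
            "replica.example.test", port, two_addresses)
    finally:
        listener.close()
    return any_ok, all_ok, failed


if __name__ == "__main__":
    print(demo())
```

With the "any" semantics a multi-homed host passes the check even though a peer that picks the other address would be unable to connect; returning the failing addresses makes the error message actionable.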
From: freeipa-github-notification at redhat.com (apophys)
Date: Tue, 29 Nov 2016 18:29:26 +0100
Subject: [Freeipa-devel] [freeipa PR#225][+ack] tests: Added basic tests for certs in idoverrides
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/225
Title: #225: tests: Added basic tests for certs in idoverrides
Label: +ack

From freeipa-github-notification at redhat.com Tue Nov 29 17:30:31 2016
From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Tue, 29 Nov 2016 18:30:31 +0100
Subject: [Freeipa-devel] [freeipa PR#267][comment] ipa-replica-conncheck: do not close listening ports until required
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/267
Title: #267: ipa-replica-conncheck: do not close listening ports until required

tomaskrizek commented:
"""
I've created a separate [ticket](https://fedorahosted.org/freeipa/ticket/6522) and PR #284 for the change discussed offline, since it seemed out of the scope for this ticket.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/267#issuecomment-263639123

From freeipa-github-notification at redhat.com Tue Nov 29 17:31:09 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Tue, 29 Nov 2016 18:31:09 +0100
Subject: [Freeipa-devel] [freeipa PR#225][comment] tests: Added basic tests for certs in idoverrides
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/225
Title: #225: tests: Added basic tests for certs in idoverrides

martbab commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/ccd3677b50eab2223ddf1e1b6682c20fc695ad24
https://fedorahosted.org/freeipa/changeset/452dc97aba12288a23c20f519f4c1c0d4408b765
ipa-4-4:
https://fedorahosted.org/freeipa/changeset/62061a3a0444c65dc058ee1b9d0ef0096b621be3
https://fedorahosted.org/freeipa/changeset/b5ab5c1cef09555417e912fa767d78e4afa10872
"""

See the full comment at https://github.com/freeipa/freeipa/pull/225#issuecomment-263639311

From freeipa-github-notification at redhat.com Tue Nov 29 17:31:11 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Tue, 29 Nov 2016 18:31:11 +0100
Subject: [Freeipa-devel] [freeipa PR#225][+pushed] tests: Added basic tests for certs in idoverrides
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/225
Title: #225: tests: Added basic tests for certs in idoverrides
Label: +pushed

From freeipa-github-notification at redhat.com Tue Nov 29 17:31:12 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Tue, 29 Nov 2016 18:31:12 +0100
Subject: [Freeipa-devel] [freeipa PR#225][closed] tests: Added basic tests for certs in idoverrides
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/225
Author: ofayans
Title: #225: tests: Added basic tests for certs in idoverrides
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/225/head:pr225
git checkout pr225

From freeipa-github-notification at redhat.com Tue Nov 29 17:34:15 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Tue, 29 Nov 2016 18:34:15 +0100
Subject: [Freeipa-devel] [freeipa PR#281][comment] Accept server host names resolvable only using /etc/hosts
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/281
Title: #281: Accept server host names resolvable only using /etc/hosts

martbab commented:
"""
Ok I am fine with this.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/281#issuecomment-263640183

From freeipa-github-notification at redhat.com Tue Nov 29 17:35:20 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Tue, 29 Nov 2016 18:35:20 +0100
Subject: [Freeipa-devel] [freeipa PR#281][+ack] Accept server host names resolvable only using /etc/hosts
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/281
Title: #281: Accept server host names resolvable only using /etc/hosts
Label: +ack

From freeipa-github-notification at redhat.com Tue Nov 29 17:35:54 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Tue, 29 Nov 2016 18:35:54 +0100
Subject: [Freeipa-devel] [freeipa PR#281][+pushed] Accept server host names resolvable only using /etc/hosts
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/281
Title: #281: Accept server host names resolvable only using /etc/hosts
Label: +pushed

From freeipa-github-notification at redhat.com Tue Nov 29 17:35:56 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Tue, 29 Nov 2016 18:35:56 +0100
Subject: [Freeipa-devel] [freeipa PR#281][comment] Accept server host names resolvable only using /etc/hosts
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/281
Title: #281: Accept server host names resolvable only using /etc/hosts

martbab commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/0e093f938d8126f11fed920b7381ba6e3d07da5b
ipa-4-4:
https://fedorahosted.org/freeipa/changeset/47ee2870d83eeb9b07137c765d3feb41da8b02c7
"""

See the full comment at https://github.com/freeipa/freeipa/pull/281#issuecomment-263640668

From freeipa-github-notification at redhat.com Tue Nov 29 17:35:58 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Tue, 29 Nov 2016 18:35:58 +0100
Subject: [Freeipa-devel] [freeipa PR#281][closed] Accept server host names resolvable only using /etc/hosts
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/281
Author: pspacek
Title: #281: Accept server host names resolvable only using /etc/hosts
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/281/head:pr281
git checkout pr281

From freeipa-github-notification at redhat.com Tue Nov 29 18:47:52 2016
From: freeipa-github-notification at redhat.com (tiran)
Date: Tue, 29 Nov 2016 19:47:52 +0100
Subject: [Freeipa-devel] [freeipa PR#275][+ack] Enhance __repr__ method of Principal
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/275
Title: #275: Enhance __repr__ method of Principal
Label: +ack

From freeipa-github-notification at redhat.com Tue Nov 29 19:06:23 2016
From: freeipa-github-notification at redhat.com (tiran)
Date: Tue, 29 Nov 2016 20:06:23 +0100
Subject: [Freeipa-devel] [freeipa PR#255][comment] Adjustments for setup requirements
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/255
Title: #255: Adjustments for setup requirements

tiran commented:
"""
@martbab Welcome to the party! This discussion has been running for a very long time and in multiple places. Let me bring you up to speed.

First of all the requirements in ```ipasetup.py``` are completely unrelated to distribution packaging (RPM, DEB, whatever). PyPI packaging follows slightly different rules. For example you don't get carefully curated packages, downstream patches for build issues or a known working set of packages. It's a bit more wild west and fast moving. I was against bumping the version in the spec file because the bump is not required for my work. The other insisted on it.

Next up a version information like "cryptography >= 0.9" means that any version equal or greater than 0.9 is known to work. If you follow upstream development of OpenSSL and Cryptography closely then you are aware that any version of cryptography < 1.3 does no longer compile against a recent version of OpenSSL 1.0.2. CFFI bindings are very sensitive to subtle changes in the ABI and C API. OpenSSL tends to break both every now and then.

Finally this discussion is pointless. I will bump the version requirements of cryptography to 1.7.0 in a matter of weeks. BZ for RHEL has been filed. The version 1.7.0 hasn't been released yet. It will contain two important fixes (lock and osrandom) and a new feature for @frasertweedale (multi RDN).

```
$ python3 -m venv /tmp/cryptovenv
$ . /tmp/cryptovenv/bin/activate
(cryptovenv) $ pip install 'cryptography==0.9'
Collecting cryptography==0.9
  Downloading cryptography-0.9.tar.gz (302kB)
    100% |████████████████████████████████| 303kB 122kB/s
Collecting idna (from cryptography==0.9)
  Using cached idna-2.1-py2.py3-none-any.whl
Collecting pyasn1 (from cryptography==0.9)
  Using cached pyasn1-0.1.9-py2.py3-none-any.whl
Collecting six>=1.4.1 (from cryptography==0.9)
  Using cached six-1.10.0-py2.py3-none-any.whl
Requirement already satisfied (use --upgrade to upgrade): setuptools in ./cryptovenv/lib/python3.5/site-packages (from cryptography==0.9)
Collecting cffi>=0.8 (from cryptography==0.9)
  Using cached cffi-1.9.1.tar.gz
Collecting pycparser (from cffi>=0.8->cryptography==0.9)
Installing collected packages: idna, pyasn1, six, pycparser, cffi, cryptography
  Running setup.py install for cffi ... done
  Running setup.py install for cryptography ... error
    Complete output from command /tmp/cryptovenv/bin/python3 -u -c "import setuptools, tokenize;__file__='/tmp/pip-build-_2z81799/cryptography/setup.py';exec(compile(getattr(tokenize, 'open', open)(__file__).read().replace('\r\n', '\n'), __file__, 'exec'))" install --record /tmp/pip-83qpivr4-record/install-record.txt --single-version-externally-managed --compile --install-headers /tmp/cryptovenv/include/site/python3.5/cryptography:
    running install
    running build
    running build_py
    creating build
    creating build/lib.linux-x86_64-3.5
    creating build/lib.linux-x86_64-3.5/cryptography
    ...
    running build_ext
    building '_Cryptography_cffi_1251de2xc302a38b' extension
    creating build/temp.linux-x86_64-3.5
    creating build/temp.linux-x86_64-3.5/src
    creating build/temp.linux-x86_64-3.5/src/cryptography
    creating build/temp.linux-x86_64-3.5/src/cryptography/hazmat
    creating build/temp.linux-x86_64-3.5/src/cryptography/hazmat/bindings
    creating build/temp.linux-x86_64-3.5/src/cryptography/hazmat/bindings/__pycache__
    gcc -pthread -Wno-unused-result -Wsign-compare -DDYNAMIC_ANNOTATIONS_ENABLED=1 -DNDEBUG -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic -D_GNU_SOURCE -fPIC -fwrapv -fPIC -I/tmp/cryptovenv/include -I/usr/include/python3.5m -c src/cryptography/hazmat/bindings/__pycache__/_Cryptography_cffi_1251de2xc302a38b.c -o build/temp.linux-x86_64-3.5/src/cryptography/hazmat/bindings/__pycache__/_Cryptography_cffi_1251de2xc302a38b.o
    src/cryptography/hazmat/bindings/__pycache__/_Cryptography_cffi_1251de2xc302a38b.c:505:6: error: conflicting types for ‘BIO_new_mem_buf’
     BIO *BIO_new_mem_buf(void *, int);
          ^~~~~~~~~~~~~~~
    In file included from /usr/include/openssl/asn1.h:65:0,
                     from src/cryptography/hazmat/bindings/__pycache__/_Cryptography_cffi_1251de2xc302a38b.c:220:
    /usr/include/openssl/bio.h:692:6: note: previous declaration of ‘BIO_new_mem_buf’ was here
     BIO *BIO_new_mem_buf(const void *buf, int len);
          ^~~~~~~~~~~~~~~
    src/cryptography/hazmat/bindings/__pycache__/_Cryptography_cffi_1251de2xc302a38b.c:2019:15: error: ‘SSLv2_method’ redeclared as different kind of symbol
     SSL_METHOD* (*SSLv2_method)(void) = NULL;
                   ^~~~~~~~~~~~
    In file included from src/cryptography/hazmat/bindings/__pycache__/_Cryptography_cffi_1251de2xc302a38b.c:316:0:
    /usr/include/openssl/ssl.h:2287:19: note: previous declaration of ‘SSLv2_method’ was here
     const SSL_METHOD *SSLv2_method(void); /* SSLv2 */
                       ^~~~~~~~~~~~
    src/cryptography/hazmat/bindings/__pycache__/_Cryptography_cffi_1251de2xc302a38b.c:2020:15: error: ‘SSLv2_client_method’ redeclared as different kind of symbol
     SSL_METHOD* (*SSLv2_client_method)(void) = NULL;
                   ^~~~~~~~~~~~~~~~~~~
    In file included from src/cryptography/hazmat/bindings/__pycache__/_Cryptography_cffi_1251de2xc302a38b.c:316:0:
    /usr/include/openssl/ssl.h:2289:19: note: previous declaration of ‘SSLv2_client_method’ was here
     const SSL_METHOD *SSLv2_client_method(void); /* SSLv2 */
                       ^~~~~~~~~~~~~~~~~~~
    src/cryptography/hazmat/bindings/__pycache__/_Cryptography_cffi_1251de2xc302a38b.c:2021:15: error: ‘SSLv2_server_method’ redeclared as different kind of symbol
     SSL_METHOD* (*SSLv2_server_method)(void) = NULL;
                   ^~~~~~~~~~~~~~~~~~~
    In file included from src/cryptography/hazmat/bindings/__pycache__/_Cryptography_cffi_1251de2xc302a38b.c:316:0:
    /usr/include/openssl/ssl.h:2288:19: note: previous declaration of ‘SSLv2_server_method’ was here
     const SSL_METHOD *SSLv2_server_method(void); /* SSLv2 */
                       ^~~~~~~~~~~~~~~~~~~
    src/cryptography/hazmat/bindings/__pycache__/_Cryptography_cffi_1251de2xc302a38b.c: In function ‘_cffi_f_EC_GFp_nistp224_method’:
    src/cryptography/hazmat/bindings/__pycache__/_Cryptography_cffi_1251de2xc302a38b.c:24411:14: warning: implicit declaration of function ‘EC_GFp_nistp224_method’ [-Wimplicit-function-declaration]
       { result = EC_GFp_nistp224_method(); }
                  ^~~~~~~~~~~~~~~~~~~~~~
    src/cryptography/hazmat/bindings/__pycache__/_Cryptography_cffi_1251de2xc302a38b.c:24411:12: warning: assignment makes pointer from integer without a cast [-Wint-conversion]
       { result = EC_GFp_nistp224_method(); }
                ^
    error: command 'gcc' failed with exit status 1

    ----------------------------------------
Command "/tmp/cryptovenv/bin/python3 -u -c "import setuptools, tokenize;__file__='/tmp/pip-build-_2z81799/cryptography/setup.py';exec(compile(getattr(tokenize, 'open', open)(__file__).read().replace('\r\n', '\n'), __file__, 'exec'))" install --record /tmp/pip-83qpivr4-record/install-record.txt --single-version-externally-managed --compile --install-headers /tmp/cryptovenv/include/site/python3.5/cryptography" failed with error code 1 in /tmp/pip-build-_2z81799/cryptography
```

## 1.2

```
$ pip install 'cryptography==1.2'
...
    running build_ext
    generating cffi module 'build/temp.linux-x86_64-3.5/_padding.c'
    creating build/temp.linux-x86_64-3.5
    generating cffi module 'build/temp.linux-x86_64-3.5/_constant_time.c'
    generating cffi module 'build/temp.linux-x86_64-3.5/_openssl.c'
    building '_openssl' extension
    creating build/temp.linux-x86_64-3.5/build
    creating build/temp.linux-x86_64-3.5/build/temp.linux-x86_64-3.5
    gcc -pthread -Wno-unused-result -Wsign-compare -DDYNAMIC_ANNOTATIONS_ENABLED=1 -DNDEBUG -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic -D_GNU_SOURCE -fPIC -fwrapv -fPIC -I/tmp/cryptovenv/include -I/usr/include/python3.5m -c build/temp.linux-x86_64-3.5/_openssl.c -o build/temp.linux-x86_64-3.5/build/temp.linux-x86_64-3.5/_openssl.o
    build/temp.linux-x86_64-3.5/_openssl.c:737:6: error: conflicting types for ‘BIO_new_mem_buf’
     BIO *BIO_new_mem_buf(void *, int);
          ^~~~~~~~~~~~~~~
    In file included from /usr/include/openssl/asn1.h:65:0,
                     from build/temp.linux-x86_64-3.5/_openssl.c:445:
    /usr/include/openssl/bio.h:692:6: note: previous declaration of ‘BIO_new_mem_buf’ was here
     BIO *BIO_new_mem_buf(const void *buf, int len);
          ^~~~~~~~~~~~~~~
    error: command 'gcc' failed with exit status 1

    ----------------------------------------
Command "/tmp/cryptovenv/bin/python3 -u -c "import setuptools, tokenize;__file__='/tmp/pip-build-c4zo1h2l/cryptography/setup.py';exec(compile(getattr(tokenize, 'open', open)(__file__).read().replace('\r\n', '\n'), __file__, 'exec'))" install --record /tmp/pip-xlaxncs5-record/install-record.txt --single-version-externally-managed --compile --install-headers /tmp/cryptovenv/include/site/python3.5/cryptography" failed with error code 1 in /tmp/pip-build-c4zo1h2l/cryptography
```
"""

See the full comment at https://github.com/freeipa/freeipa/pull/255#issuecomment-263666139

From freeipa-github-notification at redhat.com Tue Nov 29 20:57:23 2016
From: freeipa-github-notification at redhat.com (flo-renaud)
Date: Tue, 29 Nov 2016 21:57:23 +0100
Subject: [Freeipa-devel] [freeipa PR#285][opened] Check the result of cert request in replica installer
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/285
Author: flo-renaud
Title: #285: Check the result of cert request in replica installer
Action: opened

PR body:
"""
When running ipa-replica-install in domain-level 1, the installer
requests the LDAP and HTTP certificates using certmonger but does
not check the return code. The installer goes on and fails when
restarting dirsrv.

Fix: when certmonger was not able to request the certificate, raise an
exception and exit from the installer:
    [28/45]: retrieving DS Certificate
    [error] RuntimeError: Certificate issuance failed
    Your system may be partly configured.
    Run /usr/sbin/ipa-server-install --uninstall to clean up.

    ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR Certificate issuance failed
    ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

https://fedorahosted.org/freeipa/ticket/6514
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/285/head:pr285
git checkout pr285
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-285.patch
Type: text/x-diff
Size: 2351 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Wed Nov 30 03:01:16 2016
From: freeipa-github-notification at redhat.com (shanyin) Date: Wed, 30 Nov 2016 04:01:16 +0100 Subject: [Freeipa-devel] [freeipa PR#286][opened] fix miss translation in Chinese Message-ID: URL: https://github.com/freeipa/freeipa/pull/286 Author: shanyin Title: #286: fix miss translation in Chinese Action: opened PR body: """ Fix the missing translation in Chinese. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/286/head:pr286 git checkout pr286 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-286.patch Type: text/x-diff Size: 1929176 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Nov 30 06:32:27 2016 From: freeipa-github-notification at redhat.com (frasertweedale) Date: Wed, 30 Nov 2016 07:32:27 +0100 Subject: [Freeipa-devel] [freeipa PR#245][synchronized] Allow full customisability of IPA CA subject DN In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/245 Author: frasertweedale Title: #245: Allow full customisability of IPA CA subject DN Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/245/head:pr245 git checkout pr245 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-245.patch Type: text/x-diff Size: 62786 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Nov 30 07:22:56 2016 
From: freeipa-github-notification at redhat.com (shanyin) Date: Wed, 30 Nov 2016 08:22:56 +0100 Subject: [Freeipa-devel] [freeipa PR#174][comment] add log module In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/174 Title: #174: add log module shanyin commented: """ Hello, I have sent fixing of missing translations as separated PR in https://github.com/freeipa/freeipa/pull/286. The changes in the ipaserver/rpcserver.py file were used for parsing the apache error.log information to ipa.log that was used for providing the interfaces of Web UI log module. """ See the full comment at https://github.com/freeipa/freeipa/pull/174#issuecomment-263801899 From freeipa-github-notification at redhat.com Wed Nov 30 07:47:05 2016 From: freeipa-github-notification at redhat.com (frasertweedale) Date: Wed, 30 Nov 2016 08:47:05 +0100 Subject: [Freeipa-devel] [freeipa PR#177][synchronized] Add options to write lightweight CA cert or chain to file In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/177 Author: frasertweedale Title: #177: Add options to write lightweight CA cert or chain to file Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/177/head:pr177 git checkout pr177 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-177.patch Type: text/x-diff Size: 20193 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Nov 30 07:49:01 2016 
From: freeipa-github-notification at redhat.com (frasertweedale) Date: Wed, 30 Nov 2016 08:49:01 +0100 Subject: [Freeipa-devel] [freeipa PR#177][comment] Add options to write lightweight CA cert or chain to file In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/177 Title: #177: Add options to write lightweight CA cert or chain to file frasertweedale commented: """ @jcholast thanks for review. PR updated. No longer inheriting `BaseCertObject`. `--chain` now defined server-side and no longer implies `--all`. """ See the full comment at https://github.com/freeipa/freeipa/pull/177#issuecomment-263805812 From freeipa-github-notification at redhat.com Wed Nov 30 07:52:42 2016 From: freeipa-github-notification at redhat.com (frasertweedale) Date: Wed, 30 Nov 2016 08:52:42 +0100 Subject: [Freeipa-devel] [freeipa PR#177][comment] Add options to write lightweight CA cert or chain to file In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/177 Title: #177: Add options to write lightweight CA cert or chain to file frasertweedale commented: """ Never mind... my `--chain` option disappeared... not quite there yet >_< """ See the full comment at https://github.com/freeipa/freeipa/pull/177#issuecomment-263806421 From freeipa-github-notification at redhat.com Wed Nov 30 08:01:02 2016 From: freeipa-github-notification at redhat.com (stlaz) Date: Wed, 30 Nov 2016 09:01:02 +0100 Subject: [Freeipa-devel] [freeipa PR#271][+pushed] Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/271 Title: #271: Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient Label: +pushed From freeipa-github-notification at redhat.com Wed Nov 30 08:02:56 2016 
From: freeipa-github-notification at redhat.com (stlaz) Date: Wed, 30 Nov 2016 09:02:56 +0100 Subject: [Freeipa-devel] [freeipa PR#271][comment] Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/271 Title: #271: Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient stlaz commented: """ The patch's already been pushed, could you, @mbasti-rh, supply the automated message? """ See the full comment at https://github.com/freeipa/freeipa/pull/271#issuecomment-263808153 From freeipa-github-notification at redhat.com Wed Nov 30 08:11:40 2016 From: freeipa-github-notification at redhat.com (frasertweedale) Date: Wed, 30 Nov 2016 09:11:40 +0100 Subject: [Freeipa-devel] [freeipa PR#177][synchronized] Add options to write lightweight CA cert or chain to file In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/177 Author: frasertweedale Title: #177: Add options to write lightweight CA cert or chain to file Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/177/head:pr177 git checkout pr177 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-177.patch Type: text/x-diff Size: 20139 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Nov 30 08:14:03 2016 
From: freeipa-github-notification at redhat.com (frasertweedale) Date: Wed, 30 Nov 2016 09:14:03 +0100 Subject: [Freeipa-devel] [freeipa PR#177][comment] Add options to write lightweight CA cert or chain to file In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/177 Title: #177: Add options to write lightweight CA cert or chain to file frasertweedale commented: """ @jcholast OK there we go. I'd forgotten to remove the `include='cli'` when converting to server-side option. """ See the full comment at https://github.com/freeipa/freeipa/pull/177#issuecomment-263809966 From freeipa-github-notification at redhat.com Wed Nov 30 08:18:09 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 30 Nov 2016 09:18:09 +0100 Subject: [Freeipa-devel] [freeipa PR#271][closed] Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/271 Author: jcholast Title: #271: Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/271/head:pr271 git checkout pr271 From freeipa-github-notification at redhat.com Wed Nov 30 08:18:10 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 30 Nov 2016 09:18:10 +0100 Subject: [Freeipa-devel] [freeipa PR#271][comment] Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/271 Title: #271: Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient mbasti-rh commented: """ master: 9117a5d5a6ae7b3b97407e46f81a06c387974d7f paths: remove DEV_NULL 8e5d2c7014ff6371a3b306e666c301aea1f7a488 custodiainstance: automatic restart on config file update a1f260d021bf5d018e634438fde6b7c81ebbbcef ipapython: move dnssec, p11helper and secrets to ipaserver 26c46a447f82b4cf37a5076b72cf6328857d5f35 ipapython: move certmonger and sysrestore to ipalib.install f919ab4ee0ec26d77ee6978e75de5daba4073402 certdb: use a temporary file to pass password to pk12util d6b755e3fcaf32158f4ee36d45e3344b4a03fbc2 ipautil: remove SHARE_DIR and PLUGIN_SHARE_DIR 7b966e8577fdb56f069cf26a6ab4d6c77b8743b9 ipautil: remove get_domain_name() d911f493482d29829199cce2f91f88a9b53369e1 ipautil: remove the timeout argument of run() 75b70e3f0d52a9c98f443d3fc2f7cef92bdc7b1a ipautil: move is_fips_enabled() to ipaplatform.tasks 7d5c680ace7ccea3b0f7f1471cf8dbc07b3da5a1 ipautil: move kinit functions to ipalib.install 6e50fae9ec6dea35e12a65dbc46228a1e6276e07 ipautil: move file encryption functions to installutils 528012fe8a8976961203021ef36353b7a4c3b8a8 ipapython: remove hard dependency on ipaplatform a2c58889735c794cd1e93331c755b6f9ba273773 ipalib: move certstore to the install subpackage 977050c66bccd7b8cf468c115d73250505a01034 constants: remove CACERT d43b57d2ce8552ed4977dcc33667b4226fe3333b ipalib: remove hard dependency on ipapython 70c3cd7f482bee7d5ad12062daa7ad6181a29094 ipaclient: move install modules to the install subpackage a260fd8058d757b631dd4eb39ee8a58b91cf2efb ipaclient: remove hard dependency on ipaplatform """ See the full comment at 
https://github.com/freeipa/freeipa/pull/271#issuecomment-263810669 From freeipa-github-notification at redhat.com Wed Nov 30 08:31:41 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 30 Nov 2016 09:31:41 +0100 Subject: [Freeipa-devel] [freeipa PR#255][comment] Adjustments for setup requirements In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/255 Title: #255: Adjustments for setup requirements martbab commented: """ As I said, if 0.9 breaks your PyPI work feel free to bump it but please split the version bumps into a separate commit on top of ipasetup fixes. """ See the full comment at https://github.com/freeipa/freeipa/pull/255#issuecomment-263813183 From freeipa-github-notification at redhat.com Wed Nov 30 08:41:08 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 30 Nov 2016 09:41:08 +0100 Subject: [Freeipa-devel] [freeipa PR#275][+pushed] Enhance __repr__ method of Principal In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/275 Title: #275: Enhance __repr__ method of Principal Label: +pushed From freeipa-github-notification at redhat.com Wed Nov 30 08:41:10 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 30 Nov 2016 09:41:10 +0100 Subject: [Freeipa-devel] [freeipa PR#275][comment] Enhance __repr__ method of Principal In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/275 Title: #275: Enhance __repr__ method of Principal martbab commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/38cc40ddb5bf965801500bb4f66fd965b12e3c88 """ See the full comment at https://github.com/freeipa/freeipa/pull/275#issuecomment-263814999 From freeipa-github-notification at redhat.com Wed Nov 30 08:41:11 2016 
From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 30 Nov 2016 09:41:11 +0100 Subject: [Freeipa-devel] [freeipa PR#275][closed] Enhance __repr__ method of Principal In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/275 Author: martbab Title: #275: Enhance __repr__ method of Principal Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/275/head:pr275 git checkout pr275 From freeipa-github-notification at redhat.com Wed Nov 30 08:46:08 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 30 Nov 2016 09:46:08 +0100 Subject: [Freeipa-devel] [freeipa PR#286][comment] fix miss translation in Chinese In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/286 Title: #286: fix miss translation in Chinese mbasti-rh commented: """ We automatically add translations to IPA from zanata before releasing. If it is translated in zanata it will appear in next release. """ See the full comment at https://github.com/freeipa/freeipa/pull/286#issuecomment-263815960 From freeipa-github-notification at redhat.com Wed Nov 30 08:46:10 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 30 Nov 2016 09:46:10 +0100 Subject: [Freeipa-devel] [freeipa PR#286][closed] fix miss translation in Chinese In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/286 Author: shanyin Title: #286: fix miss translation in Chinese Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/286/head:pr286 git checkout pr286 From freeipa-github-notification at redhat.com Wed Nov 30 08:46:11 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 30 Nov 2016 09:46:11 +0100 Subject: [Freeipa-devel] [freeipa PR#286][+rejected] fix miss translation in Chinese In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/286 Title: #286: fix miss translation in Chinese Label: +rejected From freeipa-github-notification at redhat.com Wed Nov 30 08:54:35 2016 From: freeipa-github-notification at redhat.com (shanyin) Date: Wed, 30 Nov 2016 09:54:35 +0100 Subject: [Freeipa-devel] [freeipa PR#286][comment] fix miss translation in Chinese In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/286 Title: #286: fix miss translation in Chinese shanyin commented: """ Ok, it was already translated in zanata. But what do you mean about you said "what I meant was to send fixing of missing translations strings as separated PR" in #174? """ See the full comment at https://github.com/freeipa/freeipa/pull/286#issuecomment-263817736 From freeipa-github-notification at redhat.com Wed Nov 30 09:01:57 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 30 Nov 2016 10:01:57 +0100 Subject: [Freeipa-devel] [freeipa PR#286][comment] fix miss translation in Chinese In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/286 Title: #286: fix miss translation in Chinese mbasti-rh commented: """ This: ``` - label='Group search fields', ? + label=_('Group search fields'), ``` """ See the full comment at https://github.com/freeipa/freeipa/pull/286#issuecomment-263819271 From freeipa-github-notification at redhat.com Wed Nov 30 09:18:28 2016 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 30 Nov 2016 10:18:28 +0100 Subject: [Freeipa-devel] [freeipa PR#276][synchronized] replica-conncheck: improve error msg + logging In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/276 Author: tomaskrizek Title: #276: replica-conncheck: improve error msg + logging Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/276/head:pr276 git checkout pr276 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-276.patch Type: text/x-diff Size: 12555 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Nov 30 09:22:53 2016 From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 30 Nov 2016 10:22:53 +0100 Subject: [Freeipa-devel] [freeipa PR#287][opened] Wheel bundles fixes Message-ID: URL: https://github.com/freeipa/freeipa/pull/287 Author: tiran Title: #287: Wheel bundles fixes Action: opened PR body: """ * make wheel_bundle no longer bundles ipaplatform * ipaclient and ipalib use a consistent extra tag for the install subpackage. `pip install ipalib[ipalib.install]` looks a bit silly. https://fedorahosted.org/freeipa/ticket/6474 Signed-off-by: Christian Heimes """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/287/head:pr287 git checkout pr287 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-287.patch Type: text/x-diff Size: 1870 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Nov 30 09:23:13 2016 
From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 30 Nov 2016 10:23:13 +0100 Subject: [Freeipa-devel] [freeipa PR#287][comment] Wheel bundles fixes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/287 Title: #287: Wheel bundles fixes tiran commented: """ Fixup for #271 """ See the full comment at https://github.com/freeipa/freeipa/pull/287#issuecomment-263823717 From freeipa-github-notification at redhat.com Wed Nov 30 09:28:30 2016 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 30 Nov 2016 10:28:30 +0100 Subject: [Freeipa-devel] [freeipa PR#228][comment] cert-request: allow directoryName in SAN extension In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/228 Title: #228: cert-request: allow directoryName in SAN extension tomaskrizek commented: """ @frasertweedale Oh, I didn't realize the DN in SAN matches the LDAP DN, while the Subject DN does not. In that case, this PR makes sense to me as is. I also don't see the need to validate Subject DN and SAN DN differently, since they use different representation (subject is a more generic identifier, as @tiran pointed out; while SAN DN should be the unique LDAP DN identifier). """ See the full comment at https://github.com/freeipa/freeipa/pull/228#issuecomment-263550747 From freeipa-github-notification at redhat.com Wed Nov 30 09:29:44 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 30 Nov 2016 10:29:44 +0100 Subject: [Freeipa-devel] [freeipa PR#285][comment] Check the result of cert request in replica installer In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/285 Title: #285: Check the result of cert request in replica installer mbasti-rh commented: """ Can we add cert state to error message? `raise RuntimeError("Certificate issuance failed")` is not too much detailed in `request_and_wait_for_cert`. Something like: ``` "Certificate issuance failed (CA_UNREACHABLE)" ``` """ See the full comment at https://github.com/freeipa/freeipa/pull/285#issuecomment-263825114 From freeipa-github-notification at redhat.com Wed Nov 30 09:37:51 2016 From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 30 Nov 2016 10:37:51 +0100 Subject: [Freeipa-devel] [freeipa PR#280][synchronized] Set explicit confdir option for global contexts In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/280 Author: tiran Title: #280: Set explicit confdir option for global contexts Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/280/head:pr280 git checkout pr280 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-280.patch Type: text/x-diff Size: 24209 bytes Desc: not available URL: From dkupka at redhat.com Wed Nov 30 09:52:35 2016 
From: dkupka at redhat.com (David Kupka)
Date: Wed, 30 Nov 2016 10:52:35 +0100
Subject: [Freeipa-devel] NTP in FreeIPA
In-Reply-To: <20161129171012.nsqmaevs4dnlrpzh@redhat.com>
References: <583C8C43.8070202@redhat.com> <8cb49a87-bdc4-0db5-504a-d10d6dd6152e@redhat.com> <583D987F.9040102@redhat.com> <8496ee7a-d4d7-cb77-24db-4cb2d4bf24a9@redhat.com> <20161129171012.nsqmaevs4dnlrpzh@redhat.com>
Message-ID: <292772c2-0ff4-07f4-ead0-5809ad18f682@redhat.com>

On 29/11/16 18:10, Alexander Bokovoy wrote:
> On ti, 29 marras 2016, Petr Spacek wrote:
>> On 29.11.2016 16:02, Rob Crittenden wrote:
>>> Petr Spacek wrote:
>>>> On 29.11.2016 09:11, Jan Cholasta wrote:
>>>>> On 28.11.2016 20:57, Rob Crittenden wrote:
>>>>>> David Kupka wrote:
>>>>>>> On 22/11/16 23:15, Gabe Alford wrote:
>>>>>>>> I would say that it is worth keeping in FreeIPA. I know myself and some customers use its functionality by having the clients sync to the IPA servers and have the servers sync to the NTP source. This way if the NTP source ever gets disrupted for long periods of time (which has happened in my environment) the client time drifts with the authentication source. This is the way that AD often works and is configured.
>>>>>>>
>>>>>>> Hello Gabe,
>>>>>>> I agree that it's common practice to synchronize all nodes in network with single source in order to have the same time and save bandwidth. Also I understand that it's comfortable to let FreeIPA installer take care of it.
>>>>>>> But I don't think FreeIPA should do it IMO this is job for Ansible or similar tool. Also the problem is that in some situations FreeIPA installer makes it worse.
>>>>>>>
>>>>>>> Example:
>>>>>>>
>>>>>>> 1. Install FreeIPA server (ipa1.example.org)
>>>>>>> 2. Install FreeIPA client on all nodes in network
>>>>>>> 3. Install replica (ipa2.example.org) of FreeIPA server to increase redundancy
>>>>>>>
>>>>>>> Now all the clients have ipa1.example.org as the only server in /etc/ntp.conf. If the first FreeIPA server becomes unreachable all clients will be able to contact KDC on the other server thanks to DNS autodiscovery in libkrb5 but will be unable to synchronize time.
>>>>>>
>>>>>> Remember that the goal of IPA was to herd together a bunch of software to make hard things easier. This included dealing with the 5-minute Kerberos window so ntp was configured on the client and server (which is less of any issue now).
>>>>>>
>>>>>> When making changes you have to ask yourself who are you making this easier for: you or the user.
>>>>>>
>>>>>> Yes, getting NTP right is hard, but does it meet the 80/20 rule in terms of success? I'd think so. I
>>>>>>
>>>>>> If someone wants to configure it using Ansible they can use the --no-ntp. If they want to use different time servers they can pass in --ntp-server. But by default IMHO it should do something sane to give a good experience.
>>>>>
>>>>> I think to do something sane is exactly the point of this, and the sanest thing we can do is to not touch NTP configuration at all:
>>>>>
>>>>> * if the NTP configuration obtained via DHCP works, we can't make it any better by touching it, only worse,
>>>>> * if the default NTP configuration shipped with the distribution works, we again can't make it any better by touching it,
>>>>> * if we are running inside container, time is synchronized by other means and we should not touch NTP configuration at all,
>>>>> * if neither the default NTP configuration nor the NTP configuration obtained via DHCP works and we are not running inside container, we may attempt to fix the configuration, but it will not be permanent and will work only for this specific host.
>>>>>
>>>>> I think the first 3 points cover 99% of real-life deployments, and yet we are optimized towards the remaining 1%, with the potential of breaking the configuration for the 99%. This is far from sane IMHO.
>>>>
>>>> +1 for Honza's point.
>>>>
>>>> Current NTP code is works only for initial setup and silently breaks synchronization later on. Most importantly it breaks synchronization as soon as admin removes old replicas and replaces them with new ones - there is no mechanism to update the records in the client configuration (and SRV discovery is not supported by clients).
>>>>
>>>> I.e. when admin decommission replicas which were around at the time of client installation, the NTP on client will silently break. This would not happen if you did not touch it.
>>>>
>>>> (This also implicitly means that IPA-configured NTP is broken on all clients in topologies which were completely migrated from RHEL 6 to RHEL 7.)
>>>>
>>>> Either DHCP or default distro config would solve the problem better.
>>>
>>> That's fair but where are the huge pile of bugs, tickets and user e-mails complaining about time? Or has nobody noticed yet?
>>
>> Hard to say. There might be multiple reasons for this. E.g.
>>
>> - Starting with Fedora 16, there is Chronyd installed by default. IPA client installer does not configure Chronyd by default so there is nothing to break.
>>
>> - DHCP integration still modifies IPA-generated ntp.conf.
>>
>> - Users who care might use configuration management tool.
> Still, bug reports and users' complaints is the only external measure we have. There are close to nothing in complaints about NTP functionality, other than requests to support chronyd and a better discover of existing NTP setups. I don't think that requires dramatic action like removal of NTP support at all.
>

As Petr already pointed out, since Fedora 16 chronyd is enabled by default and ipa-client-install doesn't configure time synchronization when chronyd is enabled. I believe that majority of users haven't used '--force-ntpd' and since it still worked they haven't filed any ticket. IMO in this case no bug reports means no users rather than no bugs or requests. Unfortunately, this is just my guess and AFAIK we don't have any data from users showing how they use FreeIPA.

--
David Kupka

From freeipa-github-notification at redhat.com Wed Nov 30 09:53:36 2016
From: freeipa-github-notification at redhat.com (shanyin) Date: Wed, 30 Nov 2016 10:53:36 +0100 Subject: [Freeipa-devel] [freeipa PR#288][opened] Fix missing translation string Message-ID: URL: https://github.com/freeipa/freeipa/pull/288 Author: shanyin Title: #288: Fix missing translation string Action: opened PR body: """ Fix missing translation string. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/288/head:pr288 git checkout pr288 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-288.patch Type: text/x-diff Size: 1930002 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Nov 30 09:59:15 2016 From: freeipa-github-notification at redhat.com (shanyin) Date: Wed, 30 Nov 2016 10:59:15 +0100 Subject: [Freeipa-devel] [freeipa PR#286][comment] fix miss translation in Chinese In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/286 Title: #286: fix miss translation in Chinese shanyin commented: """ Ok, I have just sent a PR. """ See the full comment at https://github.com/freeipa/freeipa/pull/286#issuecomment-263831788 From freeipa-github-notification at redhat.com Wed Nov 30 10:07:23 2016 
From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 30 Nov 2016 11:07:23 +0100 Subject: [Freeipa-devel] [freeipa PR#289][opened] Require python-gssapi >= 1.2.0 Message-ID: URL: https://github.com/freeipa/freeipa/pull/289 Author: tiran Title: #289: Require python-gssapi >= 1.2.0 Action: opened PR body: """ The PyPI package for python-gssapi 1.1.x has a packaging bug. It depends on enum34 for Python 3 although it is only required for 2.7. 1.2.0 is the oldest version that has been tested at length by QE. It's known to work. Bump up in freeipa.spec is not required for technical reasons. The packaging bug only affects PyPI packages. It's policy to keep requirements in sync. https://fedorahosted.org/freeipa/ticket/6468 Signed-off-by: Christian Heimes """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/289/head:pr289 git checkout pr289 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-289.patch Type: text/x-diff Size: 3352 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Nov 30 10:13:19 2016 From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 30 Nov 2016 11:13:19 +0100 Subject: [Freeipa-devel] [freeipa PR#290][opened] Require python-cryptography >= 1.3.1 Message-ID: URL: https://github.com/freeipa/freeipa/pull/290 Author: tiran Title: #290: Require python-cryptography >= 1.3.1 Action: opened PR body: """ python-cryptography versions < 1.3 no longer compile with recent OpenSSL 1.0.2 versions. In order to build wheels, a more recent version of cryptography is required. 1.3.1 is the oldest well tested version (RHEL 7.3) that is known to work with FreeIPA. Bump up in freeipa.spec is not required for technical reasons. The problem only affects PyPI packages. It's policy to keep requirements in sync. https://fedorahosted.org/freeipa/ticket/6468 
Signed-off-by: Christian Heimes """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/290/head:pr290 git checkout pr290 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-290.patch Type: text/x-diff Size: 3034 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Nov 30 10:16:57 2016 From: freeipa-github-notification at redhat.com (gkaihorodova) Date: Wed, 30 Nov 2016 11:16:57 +0100 Subject: [Freeipa-devel] [freeipa PR#210][synchronized] Tests: Stage User Tracker implementation In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/210 Author: gkaihorodova Title: #210: Tests: Stage User Tracker implementation Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/210/head:pr210 git checkout pr210 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-210.patch Type: text/x-diff Size: 3017 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Nov 30 10:20:12 2016 From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 30 Nov 2016 11:20:12 +0100 Subject: [Freeipa-devel] [freeipa PR#255][synchronized] Adjustments for setup requirements In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/255 Author: tiran Title: #255: Adjustments for setup requirements Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/255/head:pr255 git checkout pr255 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-255.patch Type: text/x-diff Size: 4300 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Nov 30 10:26:44 2016 
From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 30 Nov 2016 11:26:44 +0100 Subject: [Freeipa-devel] [freeipa PR#182][synchronized] Use env var IPA_CONFDIR to get confdir for 'cli' context In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/182 Author: tiran Title: #182: Use env var IPA_CONFDIR to get confdir for 'cli' context Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/182/head:pr182 git checkout pr182 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-182.patch Type: text/x-diff Size: 23320 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Nov 30 10:40:23 2016 From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 30 Nov 2016 11:40:23 +0100 Subject: [Freeipa-devel] [freeipa PR#255][comment] Adjustments for setup requirements In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/255 Title: #255: Adjustments for setup requirements tiran commented: """ I opened PR #289 and #290. """ See the full comment at https://github.com/freeipa/freeipa/pull/255#issuecomment-263840863 From freeipa-github-notification at redhat.com Wed Nov 30 10:40:55 2016 
From: freeipa-github-notification at redhat.com (gkaihorodova) Date: Wed, 30 Nov 2016 11:40:55 +0100 Subject: [Freeipa-devel] [freeipa PR#210][synchronized] Tests: Stage User Tracker implementation In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/210 Author: gkaihorodova Title: #210: Tests: Stage User Tracker implementation Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/210/head:pr210 git checkout pr210 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-210.patch Type: text/x-diff Size: 4675 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Nov 30 10:46:31 2016 From: freeipa-github-notification at redhat.com (frasertweedale) Date: Wed, 30 Nov 2016 11:46:31 +0100 Subject: [Freeipa-devel] [freeipa PR#177][synchronized] Add options to write lightweight CA cert or chain to file In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/177 Author: frasertweedale Title: #177: Add options to write lightweight CA cert or chain to file Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/177/head:pr177 git checkout pr177 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-177.patch Type: text/x-diff Size: 21963 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Nov 30 11:20:43 2016 
From: freeipa-github-notification at redhat.com (gkaihorodova) Date: Wed, 30 Nov 2016 12:20:43 +0100 Subject: [Freeipa-devel] [freeipa PR#181][synchronized] Tests : User Tracker creation of user with minimal values In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/181 Author: gkaihorodova Title: #181: Tests : User Tracker creation of user with minimal values Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/181/head:pr181 git checkout pr181 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-181.patch Type: text/x-diff Size: 2852 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Nov 30 11:39:36 2016 From: freeipa-github-notification at redhat.com (jcholast) Date: Wed, 30 Nov 2016 12:39:36 +0100 Subject: [Freeipa-devel] [freeipa PR#291][opened] replica install: track the RA agent certificate again Message-ID: URL: https://github.com/freeipa/freeipa/pull/291 Author: jcholast Title: #291: replica install: track the RA agent certificate again Action: opened PR body: """ During the rebase of commit 822e1bc82af3a6c1556546c4fbe96eeafad45762 on top of commit 808b1436b4158cb6f926ac2b5bd0979df6ea7e9f, the call to track the RA agent certificate with certmonger was accidentally removed from ipa-replica-install. Put the call back so that the certificate is tracked after replica install. https://fedorahosted.org/freeipa/ticket/6392 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/291/head:pr291 git checkout pr291 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-291.patch Type: text/x-diff Size: 1839 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Nov 30 11:55:34 2016 
From: freeipa-github-notification at redhat.com (martbab)
Date: Wed, 30 Nov 2016 12:55:34 +0100
Subject: [Freeipa-devel] [freeipa PR#255][comment] Adjustments for setup requirements
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/255
Title: #255: Adjustments for setup requirements

martbab commented:
"""
Thank you. It seems that 'bdist_wheel' target is broken in your PR:

```
# make bdist_wheel
mkdir -p ./dist/wheels
for dir in ipaclient ipalib ipaplatform ipapython; do \
make -C ${dir} bdist_wheel || exit 1; \
done
make[1]: Entering directory '/freeipa/ipaclient'
(cd .. && make ipasetup.py)
make[2]: Entering directory '/freeipa'
sed \
-e 's|@VERSION[@]|4.4.90.dev201611301151+git785f924|g' \
ipasetup.py.in > ipasetup.py
make[2]: Leaving directory '/freeipa'
rm -rf ../dist/wheels/ipaclient*.whl
/usr/bin/python "./setup.py" bdist_wheel --dist-dir=../dist/wheels
usage: setup.py [global_opts] cmd1 [cmd1_opts] [cmd2 [cmd2_opts] ...]
or: setup.py --help [cmd1 cmd2 ...]
or: setup.py --help-commands
or: setup.py cmd --help
error: invalid command 'bdist_wheel'
Makefile:586: recipe for target 'bdist_wheel' failed
make[1]: *** [bdist_wheel] Error 1
make[1]: Leaving directory '/freeipa/ipaclient'
Makefile:1172: recipe for target 'bdist_wheel' failed
make: *** [bdist_wheel] Error 1
```

Do I need some of your other pull-requests to build wheels or this is a genuine issue?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/255#issuecomment-263856069

From freeipa-github-notification at redhat.com Wed Nov 30 12:05:04 2016
From: freeipa-github-notification at redhat.com (tiran)
Date: Wed, 30 Nov 2016 13:05:04 +0100
Subject: [Freeipa-devel] [freeipa PR#255][comment] Adjustments for setup requirements
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/255
Title: #255: Adjustments for setup requirements

tiran commented:
"""
The bdist_wheel command requires the Python wheel package installed in the system. Since setup.py no longer contains ```setup_requires=["wheel"]```, the dependency is no longer resolved automatically by setuptools. Does it make sense to include the dependency in freeipa.spec as a build requirement? Technically it's not a build requirement for RPMs.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/255#issuecomment-263857749

From freeipa-github-notification at redhat.com Wed Nov 30 12:10:41 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 30 Nov 2016 13:10:41 +0100
Subject: [Freeipa-devel] [freeipa PR#288][comment] Fix missing translation string
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/288
Title: #288: Fix missing translation string

mbasti-rh commented:
"""
Hello, could you please remove `fix miss translation in Chinese` and `Delete zh_CN.po` from this PR?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/288#issuecomment-263858753

From freeipa-github-notification at redhat.com Wed Nov 30 12:13:15 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 30 Nov 2016 13:13:15 +0100
Subject: [Freeipa-devel] [freeipa PR#286][comment] fix miss translation in Chinese
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/286
Title: #286: fix miss translation in Chinese

mbasti-rh commented:
"""
Thanks
"""

See the full comment at https://github.com/freeipa/freeipa/pull/286#issuecomment-263859193

From freeipa-github-notification at redhat.com Wed Nov 30 12:14:32 2016
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 30 Nov 2016 13:14:32 +0100 Subject: [Freeipa-devel] [freeipa PR#285][comment] Check the result of cert request in replica installer In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/285 Title: #285: Check the result of cert request in replica installer tomaskrizek commented: """ Functional ACK. If it's possible, it would be nice to have a bit more info in the error msg as @mbasti-rh pointed out. """ See the full comment at https://github.com/freeipa/freeipa/pull/285#issuecomment-263859423 From freeipa-github-notification at redhat.com Wed Nov 30 12:23:10 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 30 Nov 2016 13:23:10 +0100 Subject: [Freeipa-devel] [freeipa PR#255][comment] Adjustments for setup requirements In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/255 Title: #255: Adjustments for setup requirements martbab commented: """ Installing python-wheel worked, thanks. I have discovered some other missing dependencies in minimal Docker container. I will investigate them some more and open a ticket. I think there is no need to add python-wheel to BuildRequires now. """ See the full comment at https://github.com/freeipa/freeipa/pull/255#issuecomment-263860989 From freeipa-github-notification at redhat.com Wed Nov 30 12:26:31 2016 
From: freeipa-github-notification at redhat.com (tiran)
Date: Wed, 30 Nov 2016 13:26:31 +0100
Subject: [Freeipa-devel] [freeipa PR#280][comment] Set explicit confdir option for global contexts
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/280
Title: #280: Set explicit confdir option for global contexts

tiran commented:
"""
- [X] ```daemons/dnssec/ipa-dnskeysync-replica:124:ipalib.api.bootstrap(in_server=True, log=None) # no logging to file```
- [X] ```daemons/dnssec/ipa-dnskeysyncd:23:api.bootstrap(in_server=True, log=None) # no logging to file```
- [X] ```daemons/dnssec/ipa-ods-exporter:618:ipalib.api.bootstrap(in_server=True, log=None) # no logging to file```
- [ ] ```doc/guide/wsgi.py.txt:9:env._bootstrap(context='server', log=None)```
- [ ] ```doc/guide/wsgi.py.txt:13:api.bootstrap(context='server', debug=env.debug, log=None) (ref:wsgi-app-bootstrap)```
- [X] ```install/restart_scripts/renew_ra_cert:39: api.bootstrap(in_server=True, context='restart')```
- [X] ```install/tools/ipa-adtrust-install:269: api.bootstrap(**cfg)```
- [X] ```install/tools/ipa-ca-install:262: api.bootstrap(in_server=True, ra_plugin='dogtag')```
- [ ] ```install/tools/ipa-compat-manage:105: api.bootstrap(context='cli', in_server=True, debug=options.debug)```
- [ ] ```install/tools/ipa-csreplica-manage:418: api.bootstrap(**api_env)```
- [X] ```install/tools/ipa-dns-install:139: api.bootstrap(**cfg)```
- [ ] ```install/tools/ipa-managed-entries:75: api.bootstrap(context='cli', debug=options.debug)```
- [X] ```install/tools/ipa-nis-manage:118: api.bootstrap(context='cli', debug=options.debug, in_server=True)```
- [X] ```install/tools/ipa-replica-manage:1512: api.bootstrap(**api_env)```
- [ ] ```ipaserver/dnssec/ldapkeydb.py:417: ipalib.api.bootstrap(in_server=True, log=None) # no logging to file```
- [ ] ```ipaserver/advise/base.py:238: api.bootstrap(in_server=False, context='cli')```
- [ ] ```ipaserver/advise/base.py:240: advise_api.bootstrap(in_server=False, context='cli')```
- [ ] ```ipaserver/install/ipa_cacert_manage.py:99: api.bootstrap(in_server=True)```
- [ ] ```ipaserver/install/ipa_kra_install.py:80: api.bootstrap(in_server=True)```
- [ ] ```ipaserver/install/ipa_otptoken_import.py:512: api.bootstrap(in_server=True)```
- [ ] ```ipaserver/install/ipa_replica_prepare.py:183: api.bootstrap(in_server=True)```
- [ ] ```ipaserver/install/ipa_server_certinstall.py:102: api.bootstrap(in_server=True)```
- [ ] ```ipatests/test_ipaserver/test_ldap.py:114: myapi.bootstrap(context='cli', in_server=True)```
- [ ] ```ipatests/test_ipaserver/test_serverroles.py:472: test_api.bootstrap(in_server=True, ldap_uri=api.env.ldap_uri)```
- [ ] ```lite-server.py:130: (options, args) = api.bootstrap_with_global_options(parser, context='lite')```
"""

See the full comment at https://github.com/freeipa/freeipa/pull/280#issuecomment-263861585

From freeipa-github-notification at redhat.com Wed Nov 30 12:32:06 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Wed, 30 Nov 2016 13:32:06 +0100
Subject: [Freeipa-devel] [freeipa PR#255][+ack] Adjustments for setup requirements
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/255
Title: #255: Adjustments for setup requirements
Label: +ack

From freeipa-github-notification at redhat.com Wed Nov 30 12:32:52 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Wed, 30 Nov 2016 13:32:52 +0100
Subject: [Freeipa-devel] [freeipa PR#255][+pushed] Adjustments for setup requirements
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/255
Title: #255: Adjustments for setup requirements
Label: +pushed

From freeipa-github-notification at redhat.com Wed Nov 30 12:32:53 2016
From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 30 Nov 2016 13:32:53 +0100 Subject: [Freeipa-devel] [freeipa PR#255][comment] Adjustments for setup requirements In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/255 Title: #255: Adjustments for setup requirements martbab commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/ed9645b2ac58fd4664810f05970ea258c7948420 """ See the full comment at https://github.com/freeipa/freeipa/pull/255#issuecomment-263862693 From freeipa-github-notification at redhat.com Wed Nov 30 12:32:55 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 30 Nov 2016 13:32:55 +0100 Subject: [Freeipa-devel] [freeipa PR#255][closed] Adjustments for setup requirements In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/255 Author: tiran Title: #255: Adjustments for setup requirements Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/255/head:pr255 git checkout pr255 From freeipa-github-notification at redhat.com Wed Nov 30 12:36:10 2016 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 30 Nov 2016 13:36:10 +0100 Subject: [Freeipa-devel] [freeipa PR#291][+ack] replica install: track the RA agent certificate again In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/291 Title: #291: replica install: track the RA agent certificate again Label: +ack From freeipa-github-notification at redhat.com Wed Nov 30 12:49:07 2016 
From: freeipa-github-notification at redhat.com (pspacek) Date: Wed, 30 Nov 2016 13:49:07 +0100 Subject: [Freeipa-devel] [freeipa PR#272][synchronized] Build: makerpms.sh generates Python 2 & 3 packages at the same time In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/272 Author: pspacek Title: #272: Build: makerpms.sh generates Python 2 & 3 packages at the same time Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/272/head:pr272 git checkout pr272 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-272.patch Type: text/x-diff Size: 13322 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Nov 30 12:50:16 2016 From: freeipa-github-notification at redhat.com (flo-renaud) Date: Wed, 30 Nov 2016 13:50:16 +0100 Subject: [Freeipa-devel] [freeipa PR#285][synchronized] Check the result of cert request in replica installer In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/285 Author: flo-renaud Title: #285: Check the result of cert request in replica installer Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/285/head:pr285 git checkout pr285 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-285.patch Type: text/x-diff Size: 3121 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Nov 30 12:51:07 2016 
From: freeipa-github-notification at redhat.com (flo-renaud) Date: Wed, 30 Nov 2016 13:51:07 +0100 Subject: [Freeipa-devel] [freeipa PR#285][comment] Check the result of cert request in replica installer In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/285 Title: #285: Check the result of cert request in replica installer flo-renaud commented: """ Thanks for the suggestion. I added certmonger's request status in the exception message. """ See the full comment at https://github.com/freeipa/freeipa/pull/285#issuecomment-263865840 From freeipa-github-notification at redhat.com Wed Nov 30 12:59:29 2016 From: freeipa-github-notification at redhat.com (jcholast) Date: Wed, 30 Nov 2016 13:59:29 +0100 Subject: [Freeipa-devel] [freeipa PR#291][comment] replica install: track the RA agent certificate again In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/291 Title: #291: replica install: track the RA agent certificate again jcholast commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/4221266562778806f02748fee2dfbd814261f2b4 """ See the full comment at https://github.com/freeipa/freeipa/pull/291#issuecomment-263867421 From freeipa-github-notification at redhat.com Wed Nov 30 12:59:31 2016 From: freeipa-github-notification at redhat.com (jcholast) Date: Wed, 30 Nov 2016 13:59:31 +0100 Subject: [Freeipa-devel] [freeipa PR#291][closed] replica install: track the RA agent certificate again In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/291 Author: jcholast Title: #291: replica install: track the RA agent certificate again Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/291/head:pr291 git checkout pr291 From freeipa-github-notification at redhat.com Wed Nov 30 12:59:32 2016 
From: freeipa-github-notification at redhat.com (jcholast) Date: Wed, 30 Nov 2016 13:59:32 +0100 Subject: [Freeipa-devel] [freeipa PR#291][+pushed] replica install: track the RA agent certificate again In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/291 Title: #291: replica install: track the RA agent certificate again Label: +pushed From freeipa-github-notification at redhat.com Wed Nov 30 13:04:39 2016 From: freeipa-github-notification at redhat.com (pspacek) Date: Wed, 30 Nov 2016 14:04:39 +0100 Subject: [Freeipa-devel] [freeipa PR#272][comment] Build: makerpms.sh generates Python 2 & 3 packages at the same time In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/272 Title: #272: Build: makerpms.sh generates Python 2 & 3 packages at the same time pspacek commented: """ Fixed. Now `with_pylint` section contains nested section `with_python3`. """ See the full comment at https://github.com/freeipa/freeipa/pull/272#issuecomment-263868364 From freeipa-github-notification at redhat.com Wed Nov 30 13:07:41 2016 
From: freeipa-github-notification at redhat.com (pspacek) Date: Wed, 30 Nov 2016 14:07:41 +0100 Subject: [Freeipa-devel] [freeipa PR#272][comment] Build: makerpms.sh generates Python 2 & 3 packages at the same time In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/272 Title: #272: Build: makerpms.sh generates Python 2 & 3 packages at the same time pspacek commented: """ @mbasti-rh @jcholast @tiran If you want I can replace the `--with-pytlint` option with `--enable-pylint` option (without parameters) and use cheimes's trick with `$(PYTHON) -m pylint` so the Pylint always follows the Python version you used for particular build. Up to you. (Just keep in mind that build needs to be done under Python 2 till samba-python bindings are ported to Python 3.) """ See the full comment at https://github.com/freeipa/freeipa/pull/272#issuecomment-263868961 From freeipa-github-notification at redhat.com Wed Nov 30 13:16:44 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 30 Nov 2016 14:16:44 +0100 Subject: [Freeipa-devel] [freeipa PR#285][comment] Check the result of cert request in replica installer In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/285 Title: #285: Check the result of cert request in replica installer mbasti-rh commented: """ LGTM """ See the full comment at https://github.com/freeipa/freeipa/pull/285#issuecomment-263870742 From freeipa-github-notification at redhat.com Wed Nov 30 13:38:23 2016 
From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 30 Nov 2016 14:38:23 +0100 Subject: [Freeipa-devel] [freeipa PR#255][comment] Adjustments for setup requirements In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/255 Title: #255: Adjustments for setup requirements tiran commented: """ @martbab The wheel bundle and packages need some documentation. I have started some docs but they are not finished.. """ See the full comment at https://github.com/freeipa/freeipa/pull/255#issuecomment-263875159 From freeipa-github-notification at redhat.com Wed Nov 30 13:42:25 2016 From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 30 Nov 2016 14:42:25 +0100 Subject: [Freeipa-devel] [freeipa PR#263][synchronized] Backwards compatibility with setuptools 0.9.8 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/263 Author: tiran Title: #263: Backwards compatibility with setuptools 0.9.8 Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/263/head:pr263 git checkout pr263 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-263.patch Type: text/x-diff Size: 2727 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Nov 30 13:48:58 2016 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 30 Nov 2016 14:48:58 +0100 Subject: [Freeipa-devel] [freeipa PR#285][+ack] Check the result of cert request in replica installer In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/285 Title: #285: Check the result of cert request in replica installer Label: +ack From freeipa-github-notification at redhat.com Wed Nov 30 14:36:16 2016 
From: freeipa-github-notification at redhat.com (flo-renaud) Date: Wed, 30 Nov 2016 15:36:16 +0100 Subject: [Freeipa-devel] [freeipa PR#283][+ack] [ipa-4-4] Prevent denial of replication updates during CA replica install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/283 Title: #283: [ipa-4-4] Prevent denial of replication updates during CA replica install Label: +ack From freeipa-github-notification at redhat.com Wed Nov 30 14:36:21 2016 From: freeipa-github-notification at redhat.com (flo-renaud) Date: Wed, 30 Nov 2016 15:36:21 +0100 Subject: [Freeipa-devel] [freeipa PR#283][comment] [ipa-4-4] Prevent denial of replication updates during CA replica install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/283 Title: #283: [ipa-4-4] Prevent denial of replication updates during CA replica install flo-renaud commented: """ Hi, the patch works as expected. Thanks! """ See the full comment at https://github.com/freeipa/freeipa/pull/283#issuecomment-263888532 From freeipa-github-notification at redhat.com Wed Nov 30 14:36:34 2016 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 30 Nov 2016 15:36:34 +0100 Subject: [Freeipa-devel] [freeipa PR#284][synchronized] ipautil: check for open ports on all resolved IPs In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/284 Author: tomaskrizek Title: #284: ipautil: check for open ports on all resolved IPs Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/284/head:pr284 git checkout pr284 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-284.patch Type: text/x-diff Size: 4145 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Nov 30 14:43:10 2016 
From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 30 Nov 2016 15:43:10 +0100 Subject: [Freeipa-devel] [freeipa PR#283][+pushed] [ipa-4-4] Prevent denial of replication updates during CA replica install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/283 Title: #283: [ipa-4-4] Prevent denial of replication updates during CA replica install Label: +pushed From freeipa-github-notification at redhat.com Wed Nov 30 14:43:11 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 30 Nov 2016 15:43:11 +0100 Subject: [Freeipa-devel] [freeipa PR#283][closed] [ipa-4-4] Prevent denial of replication updates during CA replica install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/283 Author: martbab Title: #283: [ipa-4-4] Prevent denial of replication updates during CA replica install Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/283/head:pr283 git checkout pr283 From freeipa-github-notification at redhat.com Wed Nov 30 14:43:12 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 30 Nov 2016 15:43:12 +0100 Subject: [Freeipa-devel] [freeipa PR#283][comment] [ipa-4-4] Prevent denial of replication updates during CA replica install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/283 Title: #283: [ipa-4-4] Prevent denial of replication updates during CA replica install martbab commented: """ Fixed upstream ipa-4-4: https://fedorahosted.org/freeipa/changeset/8c6a10ceddb4fce9a3dd4a334e6804800b5c89f9 https://fedorahosted.org/freeipa/changeset/9502ee5fb84edf40422bd0bc38949b03e4171f4d """ See the full comment at https://github.com/freeipa/freeipa/pull/283#issuecomment-263890231 From freeipa-github-notification at redhat.com Wed Nov 30 14:48:58 2016 
From: freeipa-github-notification at redhat.com (pvoborni)
Date: Wed, 30 Nov 2016 15:48:58 +0100
Subject: [Freeipa-devel] [freeipa PR#280][comment] Set explicit confdir option for global contexts
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/280
Title: #280: Set explicit confdir option for global contexts

pvoborni commented:
"""
If I understand Christian right, it is not disagreement about something which needs to be done. But rather a proposal to address rest of the scripts later in other pull request. So that we can push this PR to unblock subsequent reviews. Is it correct? If so, can we proceed with checking if current code is OK and finish the rest in another PR?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/280#issuecomment-263891701

From freeipa-github-notification at redhat.com Wed Nov 30 14:55:27 2016
From: freeipa-github-notification at redhat.com (pvomacka)
Date: Wed, 30 Nov 2016 15:55:27 +0100
Subject: [Freeipa-devel] [freeipa PR#263][+ack] Backwards compatibility with setuptools 0.9.8
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/263
Title: #263: Backwards compatibility with setuptools 0.9.8
Label: +ack

From freeipa-github-notification at redhat.com Wed Nov 30 15:07:12 2016
From: freeipa-github-notification at redhat.com (pspacek)
Date: Wed, 30 Nov 2016 16:07:12 +0100
Subject: [Freeipa-devel] [freeipa PR#267][+ack] ipa-replica-conncheck: do not close listening ports until required
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/267
Title: #267: ipa-replica-conncheck: do not close listening ports until required
Label: +ack

From freeipa-github-notification at redhat.com Wed Nov 30 15:09:28 2016
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 30 Nov 2016 16:09:28 +0100 Subject: [Freeipa-devel] [freeipa PR#287][comment] Wheel bundles fixes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/287 Title: #287: Wheel bundles fixes tomaskrizek commented: """ PR needs a rebase to fix `extra_requires` -> `extras_require` typo. """ See the full comment at https://github.com/freeipa/freeipa/pull/287#issuecomment-263896997 From rcritten at redhat.com Wed Nov 30 15:09:28 2016 
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 30 Nov 2016 10:09:28 -0500
Subject: [Freeipa-devel] NTP in FreeIPA
In-Reply-To: <292772c2-0ff4-07f4-ead0-5809ad18f682@redhat.com>
References: <583C8C43.8070202@redhat.com> <8cb49a87-bdc4-0db5-504a-d10d6dd6152e@redhat.com> <583D987F.9040102@redhat.com> <8496ee7a-d4d7-cb77-24db-4cb2d4bf24a9@redhat.com> <20161129171012.nsqmaevs4dnlrpzh@redhat.com> <292772c2-0ff4-07f4-ead0-5809ad18f682@redhat.com>
Message-ID: <583EEBA8.5010702@redhat.com>

David Kupka wrote:
> On 29/11/16 18:10, Alexander Bokovoy wrote:
>> Still, bug reports and users' complaints is the only external measure we
>> have. There are close to nothing in complaints about NTP functionality,
>> other than requests to support chronyd and a better discover of existing
>> NTP setups. I don't think that requires dramatic action like removal of
>> NTP support at all.
>>
>
> As Petr already pointed out, since Fedora 16 chronyd is enabled by
> default and ipa-client-install doesn't configure time synchronization
> when chronyd is enabled.
>
> I believe that majority of users haven't used '--force-ntpd' and since
> it still worked they haven't filed any ticket.
>
> IMO in this case no bug reports means no users rather than no bugs or
> requests.
>
> Unfortunately, this is just my guess and AFAIK we don't have any data
> from users showing how they use FreeIPA.

For argument's sake, let's say NTP configuration in the client is
dropped and managed by the OS or other administrators.

What implication does this have for configuring NTP server on masters?
Would that be stopped as well? What about existing installs?

I don't believe there is a precedence for removing a service from IPA.

rob

From freeipa-github-notification at redhat.com Wed Nov 30 15:13:03 2016
From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 30 Nov 2016 16:13:03 +0100 Subject: [Freeipa-devel] [freeipa PR#287][synchronized] Wheel bundles fixes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/287 Author: tiran Title: #287: Wheel bundles fixes Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/287/head:pr287 git checkout pr287 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-287.patch Type: text/x-diff Size: 1868 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Nov 30 15:13:22 2016 From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 30 Nov 2016 16:13:22 +0100 Subject: [Freeipa-devel] [freeipa PR#287][comment] Wheel bundles fixes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/287 Title: #287: Wheel bundles fixes tiran commented: """ @tomaskrizek thanks! I rebased the PR. """ See the full comment at https://github.com/freeipa/freeipa/pull/287#issuecomment-263898074 From freeipa-github-notification at redhat.com Wed Nov 30 15:24:30 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 30 Nov 2016 16:24:30 +0100 Subject: [Freeipa-devel] [freeipa PR#289][+ack] Require python-gssapi >= 1.2.0 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/289 Title: #289: Require python-gssapi >= 1.2.0 Label: +ack From freeipa-github-notification at redhat.com Wed Nov 30 15:25:03 2016 
From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 30 Nov 2016 16:25:03 +0100 Subject: [Freeipa-devel] [freeipa PR#289][comment] Require python-gssapi >= 1.2.0 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/289 Title: #289: Require python-gssapi >= 1.2.0 martbab commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/8559791e0d520f4a3503e35d1975ac31448b1390 """ See the full comment at https://github.com/freeipa/freeipa/pull/289#issuecomment-263901279 From freeipa-github-notification at redhat.com Wed Nov 30 15:25:05 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 30 Nov 2016 16:25:05 +0100 Subject: [Freeipa-devel] [freeipa PR#289][+pushed] Require python-gssapi >= 1.2.0 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/289 Title: #289: Require python-gssapi >= 1.2.0 Label: +pushed From freeipa-github-notification at redhat.com Wed Nov 30 15:25:06 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 30 Nov 2016 16:25:06 +0100 Subject: [Freeipa-devel] [freeipa PR#289][closed] Require python-gssapi >= 1.2.0 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/289 Author: tiran Title: #289: Require python-gssapi >= 1.2.0 Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/289/head:pr289 git checkout pr289 From abokovoy at redhat.com Wed Nov 30 15:25:52 2016 
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 30 Nov 2016 17:25:52 +0200
Subject: [Freeipa-devel] NTP in FreeIPA
In-Reply-To: <583EEBA8.5010702@redhat.com>
References: <583C8C43.8070202@redhat.com> <8cb49a87-bdc4-0db5-504a-d10d6dd6152e@redhat.com> <583D987F.9040102@redhat.com> <8496ee7a-d4d7-cb77-24db-4cb2d4bf24a9@redhat.com> <20161129171012.nsqmaevs4dnlrpzh@redhat.com> <292772c2-0ff4-07f4-ead0-5809ad18f682@redhat.com> <583EEBA8.5010702@redhat.com>
Message-ID: <20161130152552.g4twk2hej6tlqvwa@redhat.com>

On Wed, 30 Nov 2016, Rob Crittenden wrote:
>David Kupka wrote:
>> On 29/11/16 18:10, Alexander Bokovoy wrote:
>>> Still, bug reports and users' complaints is the only external measure we
>>> have. There are close to nothing in complaints about NTP functionality,
>>> other than requests to support chronyd and a better discover of existing
>>> NTP setups. I don't think that requires dramatic action like removal of
>>> NTP support at all.
>>>
>>
>> As Petr already pointed out, since Fedora 16 chronyd is enabled by
>> default and ipa-client-install doesn't configure time synchronization
>> when chronyd is enabled.
>>
>> I believe that majority of users haven't used '--force-ntpd' and since
>> it still worked they haven't filed any ticket.
>>
>> IMO in this case no bug reports means no users rather than no bugs or
>> requests.
>>
>> Unfortunately, this is just my guess and AFAIK we don't have any data
>> from users showing how they use FreeIPA.
>
>For argument's sake, let's say NTP configuration in the client is
>dropped and managed by the OS or other administrators.
>
>What implication does this have for configuring NTP server on masters?
>Would that be stopped as well? What about existing installs?

Here is the problem: in Kerberos realm services must have time
synchronized with KDC. The patches from StefW which added ability to
record a time skew between the Kerberos client and KDC do not apply to
Kerberos client - Kerberos service communication.

Given that IPA clients can host Kerberos services (at the very least,
SSH is such a service), this practically means they need to have a time
source that is synchronized with the KDC(s) they are talking to.

To me this means we should not really remove NTP configuration but
instead expand ntpd support to cover chronyd as well.

>I don't believe there is a precedence for removing a service from IPA.

Neither do I.

-- 
/ Alexander Bokovoy

From freeipa-github-notification at redhat.com Wed Nov 30 15:28:58 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Wed, 30 Nov 2016 16:28:58 +0100
Subject: [Freeipa-devel] [freeipa PR#290][comment] Require python-cryptography >= 1.3.1
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/290
Title: #290: Require python-cryptography >= 1.3.1

martbab commented:
"""
Please rebase the PR so we can do clean merge, it should be simple conflict resolution.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/290#issuecomment-263902430

From freeipa-github-notification at redhat.com Wed Nov 30 15:29:49 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 30 Nov 2016 16:29:49 +0100
Subject: [Freeipa-devel] [freeipa PR#200][+pushed] Test: basic kerberos over http functionality
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/200
Title: #200: Test: basic kerberos over http functionality

Label: +pushed

From freeipa-github-notification at redhat.com Wed Nov 30 15:29:51 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 30 Nov 2016 16:29:51 +0100
Subject: [Freeipa-devel] [freeipa PR#200][comment] Test: basic kerberos over http functionality
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/200
Title: #200: Test: basic kerberos over http functionality

mbasti-rh commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/c7fd46e42a9f5b4676415910b800e0340f77dc88
https://fedorahosted.org/freeipa/changeset/503d0929e9265dfc0c6c28ac49146b72a0a7edea
"""

See the full comment at https://github.com/freeipa/freeipa/pull/200#issuecomment-263902720

From freeipa-github-notification at redhat.com Wed Nov 30 15:31:31 2016
From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Wed, 30 Nov 2016 16:31:31 +0100
Subject: [Freeipa-devel] [freeipa PR#287][comment] Wheel bundles fixes
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/287
Title: #287: Wheel bundles fixes

tomaskrizek commented:
"""
I wasn't able to fully test this since there is an issue with building `bdist_wheel`. But since ipaplatform dependency has been removed, it seems to be all right.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/287#issuecomment-263903162

From freeipa-github-notification at redhat.com Wed Nov 30 15:31:35 2016
From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Wed, 30 Nov 2016 16:31:35 +0100
Subject: [Freeipa-devel] [freeipa PR#287][+ack] Wheel bundles fixes
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/287
Title: #287: Wheel bundles fixes

Label: +ack

From freeipa-github-notification at redhat.com Wed Nov 30 15:31:53 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 30 Nov 2016 16:31:53 +0100
Subject: [Freeipa-devel] [freeipa PR#267][comment] ipa-replica-conncheck: do not close listening ports until required
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/267
Title: #267: ipa-replica-conncheck: do not close listening ports until required

mbasti-rh commented:
"""
needs rebase
"""

See the full comment at https://github.com/freeipa/freeipa/pull/267#issuecomment-263903284

From freeipa-github-notification at redhat.com Wed Nov 30 15:32:09 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Wed, 30 Nov 2016 16:32:09 +0100
Subject: [Freeipa-devel] [freeipa PR#263][comment] Backwards compatibility with setuptools 0.9.8
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/263
Title: #263: Backwards compatibility with setuptools 0.9.8

martbab commented:
"""
Please rebase this PR and add ticket to the commit message.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/263#issuecomment-263903379

From freeipa-github-notification at redhat.com Wed Nov 30 15:33:51 2016
From: freeipa-github-notification at redhat.com (tiran)
Date: Wed, 30 Nov 2016 16:33:51 +0100
Subject: [Freeipa-devel] [freeipa PR#263][synchronized] Backwards compatibility with setuptools 0.9.8
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/263
Author: tiran
Title: #263: Backwards compatibility with setuptools 0.9.8
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/263/head:pr263
git checkout pr263
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-263.patch
Type: text/x-diff
Size: 2727 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Wed Nov 30 15:34:16 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 30 Nov 2016 16:34:16 +0100
Subject: [Freeipa-devel] [freeipa PR#285][comment] Check the result of cert request in replica installer
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/285
Title: #285: Check the result of cert request in replica installer

mbasti-rh commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/dbb98765d73519289ee22f3de1a5ccde140f6f5d
"""

See the full comment at https://github.com/freeipa/freeipa/pull/285#issuecomment-263904080

From freeipa-github-notification at redhat.com Wed Nov 30 15:34:18 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 30 Nov 2016 16:34:18 +0100
Subject: [Freeipa-devel] [freeipa PR#285][closed] Check the result of cert request in replica installer
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/285
Author: flo-renaud
Title: #285: Check the result of cert request in replica installer
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/285/head:pr285
git checkout pr285

From freeipa-github-notification at redhat.com Wed Nov 30 15:34:19 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 30 Nov 2016 16:34:19 +0100
Subject: [Freeipa-devel] [freeipa PR#285][+pushed] Check the result of cert request in replica installer
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/285
Title: #285: Check the result of cert request in replica installer

Label: +pushed

From freeipa-github-notification at redhat.com Wed Nov 30 15:40:23 2016
From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Wed, 30 Nov 2016 16:40:23 +0100
Subject: [Freeipa-devel] [freeipa PR#267][synchronized] ipa-replica-conncheck: do not close listening ports until required
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/267
Author: tomaskrizek
Title: #267: ipa-replica-conncheck: do not close listening ports until required
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/267/head:pr267
git checkout pr267
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-267.patch
Type: text/x-diff
Size: 12729 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Wed Nov 30 15:45:12 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 30 Nov 2016 16:45:12 +0100
Subject: [Freeipa-devel] [freeipa PR#287][comment] Wheel bundles fixes
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/287
Title: #287: Wheel bundles fixes

mbasti-rh commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/235f68524767c1eb2e12fb6d1d9f6a520414c583
"""

See the full comment at https://github.com/freeipa/freeipa/pull/287#issuecomment-263907173

From freeipa-github-notification at redhat.com Wed Nov 30 15:45:13 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 30 Nov 2016 16:45:13 +0100
Subject: [Freeipa-devel] [freeipa PR#287][closed] Wheel bundles fixes
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/287
Author: tiran
Title: #287: Wheel bundles fixes
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/287/head:pr287
git checkout pr287

From freeipa-github-notification at redhat.com Wed Nov 30 15:45:14 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 30 Nov 2016 16:45:14 +0100
Subject: [Freeipa-devel] [freeipa PR#287][+pushed] Wheel bundles fixes
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/287
Title: #287: Wheel bundles fixes

Label: +pushed

From freeipa-github-notification at redhat.com Wed Nov 30 15:46:32 2016
From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Wed, 30 Nov 2016 16:46:32 +0100
Subject: [Freeipa-devel] [freeipa PR#284][synchronized] ipautil: check for open ports on all resolved IPs
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/284
Author: tomaskrizek
Title: #284: ipautil: check for open ports on all resolved IPs
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/284/head:pr284
git checkout pr284
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-284.patch
Type: text/x-diff
Size: 4147 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Wed Nov 30 15:52:47 2016
From: freeipa-github-notification at redhat.com (pspacek)
Date: Wed, 30 Nov 2016 16:52:47 +0100
Subject: [Freeipa-devel] [freeipa PR#284][+ack] ipautil: check for open ports on all resolved IPs
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/284
Title: #284: ipautil: check for open ports on all resolved IPs

Label: +ack

From dkupka at redhat.com Wed Nov 30 15:57:35 2016
From: dkupka at redhat.com (David Kupka)
Date: Wed, 30 Nov 2016 16:57:35 +0100
Subject: [Freeipa-devel] NTP in FreeIPA
In-Reply-To: <583EEBA8.5010702@redhat.com>
References: <583C8C43.8070202@redhat.com> <8cb49a87-bdc4-0db5-504a-d10d6dd6152e@redhat.com> <583D987F.9040102@redhat.com> <8496ee7a-d4d7-cb77-24db-4cb2d4bf24a9@redhat.com> <20161129171012.nsqmaevs4dnlrpzh@redhat.com> <292772c2-0ff4-07f4-ead0-5809ad18f682@redhat.com> <583EEBA8.5010702@redhat.com>
Message-ID: <0ed28e6a-7ba1-898c-fcd5-1efdd778ec6d@redhat.com>

On 30/11/16 16:09, Rob Crittenden wrote:
> David Kupka wrote:
>> On 29/11/16 18:10, Alexander Bokovoy wrote:
>>> Still, bug reports and users' complaints is the only external measure we
>>> have. There are close to nothing in complaints about NTP functionality,
>>> other than requests to support chronyd and a better discover of existing
>>> NTP setups. I don't think that requires dramatic action like removal of
>>> NTP support at all.
>>>
>>
>> As Petr already pointed out, since Fedora 16 chronyd is enabled by
>> default and ipa-client-install doesn't configure time synchronization
>> when chronyd is enabled.
>>
>> I believe that majority of users haven't used '--force-ntpd' and since
>> it still worked they haven't filed any ticket.
>>
>> IMO in this case no bug reports means no users rather than no bugs or
>> requests.
>>
>> Unfortunately, this is just my guess and AFAIK we don't have any data
>> from users showing how they use FreeIPA.
>
> For argument's sake, let's say NTP configuration in the client is
> dropped and managed by the OS or other administrators.
>
> What implication does this have for configuring NTP server on masters?
> Would that be stopped as well? What about existing installs?
>
> I don't believe there is a precedence for removing a service from IPA.
>
> rob
>

Well, everything was done for the first time at some point in history.
I would prefer removing it from server too. I imagine it this way:

0. We agree that NTP as FreeIPA service will be dropped in 4.x
1. We add big fat warning to nearest release (currently 4.5) that
   FreeIPA will stop supporting NTP as its service on server and client
   and if NTP was configured by FreeIPA (we can tell from sysrestore)
   upgrade will revert those changes.
2. New installations of 4.x will not configure NTP on server nor client.
   Upgrades to 4.x will revert configuration if done by FreeIPA.

I think it's actually that simple. The only hard part is reaching the
agreement.

While I understand that the value of FreeIPA is entirely in taking care
of non-trivial services and orchestrating them in a way most comfortable
for the administrator I think configuring NTP is:
* reasonably easy (<5 lines on client, <10 lines on server),
* unnecessary in most cases (distributions defaults or
  DHCP+NetworkManager just work)
and so not worth keeping in FreeIPA.

-- 
David Kupka

From freeipa-github-notification at redhat.com Wed Nov 30 16:11:13 2016
From: freeipa-github-notification at redhat.com (tiran)
Date: Wed, 30 Nov 2016 17:11:13 +0100
Subject: [Freeipa-devel] [freeipa PR#290][synchronized] Require python-cryptography >= 1.3.1
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/290
Author: tiran
Title: #290: Require python-cryptography >= 1.3.1
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/290/head:pr290
git checkout pr290
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-290.patch
Type: text/x-diff
Size: 3043 bytes
Desc: not available
URL:

From bind-dyndb-ldap-github-notification at redhat.com Wed Nov 30 16:13:23 2016
From: bind-dyndb-ldap-github-notification at redhat.com (pspacek)
Date: Wed, 30 Nov 2016 17:13:23 +0100
Subject: [Freeipa-devel] [bind-dyndb-ldap PR#1][comment] Port bind-dyndb-ldap to BIND 9.11
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/bind-dyndb-ldap/pull/1
Title: #1: Port bind-dyndb-ldap to BIND 9.11

pspacek commented:
"""
Pushed to master:
2649ef1da1cbfc1203337665c4e589e1fe75f04b BIND 9.11: Remove #if blocks for older BIND versions.
8178f3cf856829c081a663a2e3f4d77ecc2db6b1 BIND 9.11: Add wrapper for new DB API method nodefullname.
da9bc9b157a5ddc9a70147bf8df94e2bebb05c07 BIND 9.11: Port to new dyndb API.
08da3390cfc0985abdc0f791115f0f595e915df6 BIND 9.11: use new public header isc/errno.h instead of private isc/errno2result.h
4424cc349142dc7501eabaf352cf2ce59c34d7cb Fix error handling in syncrepl_update() to avoid hung mctx.
c3bfe1a62ac4f8a73207bf4e80d64a4a3a58d9e4 Remove obsolete options: cache_ttl, psearch, serial_autoincrement, zone_refresh.
e7cb75353d1b8fec6f063e4edaf5ead5b784e10d Use ISC configuration parser for dyndb section.
7c8d8e553932ad1ce05d6fb8b4e845d4fdf7d6c2 Print configuration grammar when a configuration error is detected.
189c1850582bac964877764e7f0828d083a1d384 Migrate README to Markdown syntax: create README.md
"""

See the full comment at https://github.com/freeipa/bind-dyndb-ldap/pull/1#issuecomment-263915947

From bind-dyndb-ldap-github-notification at redhat.com Wed Nov 30 16:13:24 2016
From: bind-dyndb-ldap-github-notification at redhat.com (pspacek)
Date: Wed, 30 Nov 2016 17:13:24 +0100
Subject: [Freeipa-devel] [bind-dyndb-ldap PR#1][closed] Port bind-dyndb-ldap to BIND 9.11
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/bind-dyndb-ldap/pull/1
Author: pspacek
Title: #1: Port bind-dyndb-ldap to BIND 9.11
Action: closed

To pull the PR as Git branch:
git remote add ghbind-dyndb-ldap https://github.com/freeipa/bind-dyndb-ldap
git fetch ghbind-dyndb-ldap pull/1/head:pr1
git checkout pr1

From freeipa-github-notification at redhat.com Wed Nov 30 16:19:00 2016
From: freeipa-github-notification at redhat.com (frozencemetery)
Date: Wed, 30 Nov 2016 17:19:00 +0100
Subject: [Freeipa-devel] [freeipa PR#289][comment] Require python-gssapi >= 1.2.0
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/289
Title: #289: Require python-gssapi >= 1.2.0

frozencemetery commented:
"""
We (the python-gssapi team) do not believe that is correct. This problem with enum34 is fixed in the latest 1.1.z release (1.1.4). We also do have CI that runs on every commit, so every released version should be stable, though 1.2.0 is also a great version.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/289#issuecomment-263917633

From freeipa-github-notification at redhat.com Wed Nov 30 16:33:24 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Wed, 30 Nov 2016 17:33:24 +0100
Subject: [Freeipa-devel] [freeipa PR#290][+ack] Require python-cryptography >= 1.3.1
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/290
Title: #290: Require python-cryptography >= 1.3.1

Label: +ack

From freeipa-github-notification at redhat.com Wed Nov 30 16:33:52 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Wed, 30 Nov 2016 17:33:52 +0100
Subject: [Freeipa-devel] [freeipa PR#290][comment] Require python-cryptography >= 1.3.1
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/290
Title: #290: Require python-cryptography >= 1.3.1

martbab commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/289982e02fa6bef700fe2c1900ddbed864876faa
"""

See the full comment at https://github.com/freeipa/freeipa/pull/290#issuecomment-263922200

From freeipa-github-notification at redhat.com Wed Nov 30 16:33:54 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Wed, 30 Nov 2016 17:33:54 +0100
Subject: [Freeipa-devel] [freeipa PR#290][closed] Require python-cryptography >= 1.3.1
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/290
Author: tiran
Title: #290: Require python-cryptography >= 1.3.1
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/290/head:pr290
git checkout pr290

From freeipa-github-notification at redhat.com Wed Nov 30 16:33:55 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Wed, 30 Nov 2016 17:33:55 +0100
Subject: [Freeipa-devel] [freeipa PR#290][+pushed] Require python-cryptography >= 1.3.1
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/290
Title: #290: Require python-cryptography >= 1.3.1

Label: +pushed

From freeipa-github-notification at redhat.com Wed Nov 30 18:30:36 2016
From: freeipa-github-notification at redhat.com (tiran)
Date: Wed, 30 Nov 2016 19:30:36 +0100
Subject: [Freeipa-devel] [freeipa PR#272][comment] Build: makerpms.sh generates Python 2 & 3 packages at the same time
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/272
Title: #272: Build: makerpms.sh generates Python 2 & 3 packages at the same time

tiran commented:
"""
+1 for my trick

Since I disabled the import warnings for samba bindings in fef6f18aa, pylint is passing under Python 3, too.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/272#issuecomment-263954366

From simo at redhat.com Wed Nov 30 20:44:41 2016
From: simo at redhat.com (Simo Sorce)
Date: Wed, 30 Nov 2016 15:44:41 -0500
Subject: [Freeipa-devel] NTP in FreeIPA
In-Reply-To: <0ed28e6a-7ba1-898c-fcd5-1efdd778ec6d@redhat.com>
References: <583C8C43.8070202@redhat.com> <8cb49a87-bdc4-0db5-504a-d10d6dd6152e@redhat.com> <583D987F.9040102@redhat.com> <8496ee7a-d4d7-cb77-24db-4cb2d4bf24a9@redhat.com> <20161129171012.nsqmaevs4dnlrpzh@redhat.com> <292772c2-0ff4-07f4-ead0-5809ad18f682@redhat.com> <583EEBA8.5010702@redhat.com> <0ed28e6a-7ba1-898c-fcd5-1efdd778ec6d@redhat.com>
Message-ID: <1480538681.4311.80.camel@redhat.com>

On Wed, 2016-11-30 at 16:57 +0100, David Kupka wrote:
> Upgrades to 4.x will revert configuration if done by FreeIPA.

Why would you revert a perfectly valid configuration?
I can understand that you want to stop managing the server, but I do not
see why you should un-configure it.

> I think it's actually that simple. The only hard part is reaching the
> agreement.

I still think we need to offer the NTP option even if not on by default,
so on upgrade we would have to keep maintaining it.

Keep in mind that NTP is extremely important, still, in virtualized
environments and PoC environments where you must assure, with your own
means, that clocks are synchronized.

Testing environments are often very broken, reason why we also offer a
DNS server. And a testing environment generally gives you the first
impression, so if it breaks horribly (as it does when clocks are not in
sync) then people just stop caring and do not move to production.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York