From freeipa-github-notification at redhat.com Sun Apr 2 09:04:44 2017
From: freeipa-github-notification at redhat.com (alex-zel)
Date: Sun, 02 Apr 2017 11:04:44 +0200
Subject: [Freeipa-devel] [freeipa PR#681][opened] Fix ipadiscovery
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/681
Author: alex-zel
Title: #681: Fix ipadiscovery
Action: opened

PR body:
"""
Sort SRV records for LDAP/KRB based on priority.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/681/head:pr681
git checkout pr681
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-681.patch
Type: text/x-diff
Size: 4317 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Mon Apr 3 04:14:16 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Mon, 03 Apr 2017 06:14:16 +0200
Subject: [Freeipa-devel] [freeipa PR#681][comment] Fix ipadiscovery
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/681
Title: #681: Fix ipadiscovery

tiran commented:
"""
You can simplify your code a lot with the operator module and sorted(key) trick:

https://docs.python.org/3/library/operator.html#operator.attrgetter
https://docs.python.org/3/library/functions.html#sorted

```
import operator
```

```
answers = resolver.query(qname, rdatatype.SRV)
answers = sorted(answers, key=operator.attrgetter('priority'))
```

Please squash your changes into one commit.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/681#issuecomment-291045102

From freeipa-github-notification at redhat.com Mon Apr 3 05:24:41 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Mon, 03 Apr 2017 07:24:41 +0200
Subject: [Freeipa-devel] [freeipa PR#671][synchronized] [WIP] Slim down dependencies
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/671
Author: tiran
Title: #671: [WIP] Slim down dependencies
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/671/head:pr671
git checkout pr671
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-671.patch
Type: text/x-diff
Size: 3230 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Mon Apr 3 07:08:56 2017
From: freeipa-github-notification at redhat.com (martbab)
Date: Mon, 03 Apr 2017 09:08:56 +0200
Subject: [Freeipa-devel] [freeipa PR#681][comment] Fix ipadiscovery
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/681
Title: #681: Fix ipadiscovery

martbab commented:
"""
Hi Alex,

a few comments:

1.) please see PEP8 guide for correct Python formatting https://www.python.org/dev/peps/pep-0008/ namely, do not use tabs but 4 spaces for indentation.

2.) I do not see much value in sorting TXT records. We are searching for _kerberos TXT record which should occur only once in DNS domain.

3.) please use a more concise sorting mechanism mentioned by @tiran, your way is very unpythonic and inefficient (list insertions).
"""

See the full comment at https://github.com/freeipa/freeipa/pull/681#issuecomment-291064621

From freeipa-github-notification at redhat.com Mon Apr 3 07:35:34 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Mon, 03 Apr 2017 09:35:34 +0200
Subject: [Freeipa-devel] [freeipa PR#397][comment] Improve wheel building and provide ipaserver wheel for local testing
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/397
Title: #397: Improve wheel building and provide ipaserver wheel for local testing

MartinBasti commented:
"""
@tiran sorry, but then something doesn't work as expected

```
$ dnf builddep -b -D "with_wheels 1" --spec freeipa.spec.in
$ make wheel_bundle IPA_SERVER_WHEELS=1
...
Failed building wheel for dbus-python
$ git grep -in dbus-devel freeipa.spec.in
freeipa.spec.in:149:BuildRequires: dbus-devel
$ rpm -q dbus-devel
package dbus-devel is not installed
```

Probably because `%global with_wheels 0` is defined in the spec file, so it always overrides my CLI settings
"""

See the full comment at https://github.com/freeipa/freeipa/pull/397#issuecomment-291069185

From freeipa-github-notification at redhat.com Mon Apr 3 07:43:55 2017
From: freeipa-github-notification at redhat.com (abbra)
Date: Mon, 03 Apr 2017 09:43:55 +0200
Subject: [Freeipa-devel] [freeipa PR#682][opened] ipserver/dcerpc: unify error processing
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/682
Author: abbra
Title: #682: ipserver/dcerpc: unify error processing
Action: opened

PR body:
"""
Samba error code reporting changes from version to version but we also did not provide proper input into DCE RPC error processing method we have. Unify error processing and add few more fallback entries.

With Samba 4.7 we'll have to change it again because error code processing for Samba Python modules will change with introduction of samba.ntstatus and samba.werror modules.
Note that this commit also changes a message returned for error code -1073741772 (NT_STATUS_OBJECT_NOT_FOUND) because it is more general one.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/682/head:pr682
git checkout pr682
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-682.patch
Type: text/x-diff
Size: 3819 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Mon Apr 3 07:44:44 2017
From: freeipa-github-notification at redhat.com (abbra)
Date: Mon, 03 Apr 2017 09:44:44 +0200
Subject: [Freeipa-devel] [freeipa PR#682][comment] ipserver/dcerpc: unify error processing
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/682
Title: #682: ipserver/dcerpc: unify error processing

abbra commented:
"""
Note: this is WIP, I'm waiting for Sudhir to provide a bug and logs that show the changes he encountered when running existing test suite against Samba 4.6.2.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/682#issuecomment-291070811

From freeipa-github-notification at redhat.com Mon Apr 3 07:45:35 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Mon, 03 Apr 2017 09:45:35 +0200
Subject: [Freeipa-devel] [freeipa PR#542][comment] Implementation independent interface for CSR generation
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/542
Title: #542: Implementation independent interface for CSR generation

HonzaCholasta commented:
"""
@LiptonB, superb, thank you!

Have you made any progress with NSS support? If not, I can add it in a subsequent PR, if you agree.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/542#issuecomment-291070970

From freeipa-github-notification at redhat.com Mon Apr 3 07:46:45 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Mon, 03 Apr 2017 09:46:45 +0200
Subject: [Freeipa-devel] [freeipa PR#542][+ack] Implementation independent interface for CSR generation
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/542
Title: #542: Implementation independent interface for CSR generation

Label: +ack

From freeipa-github-notification at redhat.com Mon Apr 3 07:47:21 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Mon, 03 Apr 2017 09:47:21 +0200
Subject: [Freeipa-devel] [freeipa PR#542][comment] Implementation independent interface for CSR generation
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/542
Title: #542: Implementation independent interface for CSR generation

HonzaCholasta commented:
"""
master:

* 5420e9cfbe7803808b6e26d2dae64f2a6a50149a csrgen: Remove helper abstraction
* 136c6c3e2a4f77a27f435efd4a1cd95c9e089314 csrgen: Change to pure openssl config format (no script)
* e7588ab2dc73e7f66ebc6cdcfb99470540e37731 csrgen: Modify cert_get_requestdata to return a CertificationRequestInfo
* a53e17830c3d4fd59a62248d4447491675c6a80e csrgen: Beginnings of NSS database support
"""

See the full comment at https://github.com/freeipa/freeipa/pull/542#issuecomment-291071297

From freeipa-github-notification at redhat.com Mon Apr 3 07:47:30 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Mon, 03 Apr 2017 09:47:30 +0200
Subject: [Freeipa-devel] [freeipa PR#542][+pushed] Implementation independent interface for CSR generation
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/542
Title: #542: Implementation independent interface for CSR generation

Label: +pushed

From freeipa-github-notification at redhat.com Mon Apr 3 07:47:25 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Mon, 03 Apr 2017 09:47:25 +0200
Subject: [Freeipa-devel] [freeipa PR#542][closed] Implementation independent interface for CSR generation
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/542
Author: LiptonB
Title: #542: Implementation independent interface for CSR generation
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/542/head:pr542
git checkout pr542

From freeipa-github-notification at redhat.com Mon Apr 3 07:48:36 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Mon, 03 Apr 2017 09:48:36 +0200
Subject: [Freeipa-devel] [freeipa PR#397][synchronized] Improve wheel building and provide ipaserver wheel for local testing
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/397
Author: tiran
Title: #397: Improve wheel building and provide ipaserver wheel for local testing
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/397/head:pr397
git checkout pr397
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-397.patch
Type: text/x-diff
Size: 18059 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Mon Apr 3 08:04:13 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Mon, 03 Apr 2017 10:04:13 +0200
Subject: [Freeipa-devel] [freeipa PR#397][synchronized] Improve wheel building and provide ipaserver wheel for local testing
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/397
Author: tiran
Title: #397: Improve wheel building and provide ipaserver wheel for local testing
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/397/head:pr397
git checkout pr397
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-397.patch
Type: text/x-diff
Size: 75038 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Mon Apr 3 08:25:47 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Mon, 03 Apr 2017 10:25:47 +0200
Subject: [Freeipa-devel] [freeipa PR#682][edited] ipserver/dcerpc: unify error processing
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/682
Author: abbra
Title: #682: ipserver/dcerpc: unify error processing
Action: edited

Changed field: title
Original value:
"""
ipserver/dcerpc: unify error processing
"""

From freeipa-github-notification at redhat.com Mon Apr 3 08:28:40 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Mon, 03 Apr 2017 10:28:40 +0200
Subject: [Freeipa-devel] [freeipa PR#397][comment] Improve wheel building and provide ipaserver wheel for local testing
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/397
Title: #397: Improve wheel building and provide ipaserver wheel for local testing

MartinBasti commented:
"""
Missing dependency `dbus-glib-devel` otherwise it works
"""

See the full comment at https://github.com/freeipa/freeipa/pull/397#issuecomment-291079545

From freeipa-github-notification at redhat.com Mon Apr 3 08:31:23 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Mon, 03 Apr 2017 10:31:23 +0200
Subject: [Freeipa-devel] [freeipa PR#650][comment] CA-less installation fix
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/650
Title: #650: CA-less installation fix

HonzaCholasta commented:
"""
@stlaz, please rebase.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/650#issuecomment-291080182

From freeipa-github-notification at redhat.com Mon Apr 3 08:41:09 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Mon, 03 Apr 2017 10:41:09 +0200
Subject: [Freeipa-devel] [freeipa PR#397][synchronized] Improve wheel building and provide ipaserver wheel for local testing
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/397
Author: tiran
Title: #397: Improve wheel building and provide ipaserver wheel for local testing
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/397/head:pr397
git checkout pr397
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-397.patch
Type: text/x-diff
Size: 75048 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Mon Apr 3 08:41:40 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Mon, 03 Apr 2017 10:41:40 +0200
Subject: [Freeipa-devel] [freeipa PR#650][synchronized] CA-less installation fix
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/650
Author: stlaz
Title: #650: CA-less installation fix
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/650/head:pr650
git checkout pr650
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-650.patch
Type: text/x-diff
Size: 3904 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Mon Apr 3 09:23:49 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Mon, 03 Apr 2017 11:23:49 +0200
Subject: [Freeipa-devel] [freeipa PR#397][comment] Improve wheel building and provide ipaserver wheel for local testing
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/397
Title: #397: Improve wheel building and provide ipaserver wheel for local testing

tiran commented:
"""
Sigh, I got it.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/397#issuecomment-291091639

From freeipa-github-notification at redhat.com Mon Apr 3 09:50:01 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Mon, 03 Apr 2017 11:50:01 +0200
Subject: [Freeipa-devel] [freeipa PR#397][comment] Improve wheel building and provide ipaserver wheel for local testing
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/397
Title: #397: Improve wheel building and provide ipaserver wheel for local testing

MartinBasti commented:
"""
Can you rebase please?
I see Ben's commits in this PR
"""

See the full comment at https://github.com/freeipa/freeipa/pull/397#issuecomment-291097531

From freeipa-github-notification at redhat.com Mon Apr 3 09:55:12 2017
From: freeipa-github-notification at redhat.com (tjaalton)
Date: Mon, 03 Apr 2017 11:55:12 +0200
Subject: [Freeipa-devel] [freeipa PR#680][synchronized] ipa-otpd.socket.in: Use a platform specific value for KDC service file
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/680
Author: tjaalton
Title: #680: ipa-otpd.socket.in: Use a platform specific value for KDC service file
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/680/head:pr680
git checkout pr680
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-680.patch
Type: text/x-diff
Size: 1959 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Mon Apr 3 10:13:31 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Mon, 03 Apr 2017 12:13:31 +0200
Subject: [Freeipa-devel] [freeipa PR#650][comment] CA-less installation fix
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/650
Title: #650: CA-less installation fix

HonzaCholasta commented:
"""
I found additional bugs in CA-less (replica) install, but with this PR, `publish_ca_cert` does not fail anymore.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/650#issuecomment-291102436

From freeipa-github-notification at redhat.com Mon Apr 3 10:13:40 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Mon, 03 Apr 2017 12:13:40 +0200
Subject: [Freeipa-devel] [freeipa PR#650][+ack] CA-less installation fix
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/650
Title: #650: CA-less installation fix

Label: +ack

From freeipa-github-notification at redhat.com Mon Apr 3 10:15:12 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Mon, 03 Apr 2017 12:15:12 +0200
Subject: [Freeipa-devel] [freeipa PR#650][-ack] CA-less installation fix
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/650
Title: #650: CA-less installation fix

Label: -ack

From freeipa-github-notification at redhat.com Mon Apr 3 10:15:36 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Mon, 03 Apr 2017 12:15:36 +0200
Subject: [Freeipa-devel] [freeipa PR#650][comment] CA-less installation fix
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/650
Title: #650: CA-less installation fix

HonzaCholasta commented:
"""
Actually, there is a pylint failure introduced by this PR:

```
************* Module ipapython.certdb
ipapython/certdb.py:579: [C0305(trailing-newlines), ] Trailing newlines)
```
"""

See the full comment at https://github.com/freeipa/freeipa/pull/650#issuecomment-291102890

From freeipa-github-notification at redhat.com Mon Apr 3 10:20:23 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Mon, 03 Apr 2017 12:20:23 +0200
Subject: [Freeipa-devel] [freeipa PR#397][synchronized] Improve wheel building and provide ipaserver wheel for local testing
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/397
Author: tiran
Title: #397: Improve wheel building and provide ipaserver wheel for local testing
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/397/head:pr397
git checkout pr397
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-397.patch
Type: text/x-diff
Size: 75048 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Mon Apr 3 10:47:13 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Mon, 03 Apr 2017 12:47:13 +0200
Subject: [Freeipa-devel] [freeipa PR#650][synchronized] CA-less installation fix
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/650
Author: stlaz
Title: #650: CA-less installation fix
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/650/head:pr650
git checkout pr650
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-650.patch
Type: text/x-diff
Size: 3971 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Mon Apr 3 10:47:49 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Mon, 03 Apr 2017 12:47:49 +0200
Subject: [Freeipa-devel] [freeipa PR#650][comment] CA-less installation fix
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/650
Title: #650: CA-less installation fix

stlaz commented:
"""
Sorry, must have screwed up the rebase.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/650#issuecomment-291109172

From freeipa-github-notification at redhat.com Mon Apr 3 11:00:46 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Mon, 03 Apr 2017 13:00:46 +0200
Subject: [Freeipa-devel] [freeipa PR#684][opened] httpinstance: make sure NSS database is backed up
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/684
Author: HonzaCholasta
Title: #684: httpinstance: make sure NSS database is backed up
Action: opened

PR body:
"""
The NSS database at /etc/httpd/alias is not properly initialized and backed up in CA-less replica promotion. This might cause the install to fail after previous install and uninstall.

Make sure the NSS database is initialized and backed up even in CA-less replica promotion to fix the issue.

https://pagure.io/freeipa/issue/4639
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/684/head:pr684
git checkout pr684
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-684.patch
Type: text/x-diff
Size: 1414 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Mon Apr 3 11:04:46 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Mon, 03 Apr 2017 13:04:46 +0200
Subject: [Freeipa-devel] [freeipa PR#397][+ack] Improve wheel building and provide ipaserver wheel for local testing
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/397
Title: #397: Improve wheel building and provide ipaserver wheel for local testing

Label: +ack

From freeipa-github-notification at redhat.com Mon Apr 3 11:09:09 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Mon, 03 Apr 2017 13:09:09 +0200
Subject: [Freeipa-devel] [freeipa PR#397][+pushed] Improve wheel building and provide ipaserver wheel for local testing
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/397
Title: #397: Improve wheel building and provide ipaserver wheel for local testing

Label: +pushed

From freeipa-github-notification at redhat.com Mon Apr 3 11:09:14 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Mon, 03 Apr 2017 13:09:14 +0200
Subject: [Freeipa-devel] [freeipa PR#397][comment] Improve wheel building and provide ipaserver wheel for local testing
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/397
Title: #397: Improve wheel building and provide ipaserver wheel for local testing

MartinBasti commented:
"""
master:

* 3064b890e24a5056c77f19c3951cfb59d49366f8 Conditionally import pyhbac
* 7c9df35d3dd812543cf537c0762c6db728379919 Add extra_requires for additional dependencies
* ae1c2086db3efb51341025ae25f9b39060868ac1 Add an option to build ipaserver wheels
* 40a60675f3feb118af70562582399afefe97214d Don't hard-code with_wheels
"""

See the full comment at https://github.com/freeipa/freeipa/pull/397#issuecomment-291113162

From freeipa-github-notification at redhat.com Mon Apr 3 11:09:19 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Mon, 03 Apr 2017 13:09:19 +0200
Subject: [Freeipa-devel] [freeipa PR#397][closed] Improve wheel building and provide ipaserver wheel for local testing
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/397
Author: tiran
Title: #397: Improve wheel building and provide ipaserver wheel for local testing
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/397/head:pr397
git checkout pr397

From mbasti at redhat.com Mon Apr 3 11:16:12 2017
From: mbasti at redhat.com (Martin Basti)
Date: Mon, 3 Apr 2017 13:16:12 +0200
Subject: [Freeipa-devel] Mirroring from pagure to github is broken
Message-ID: <6bf9bb80-a701-7eec-954a-70305448170e@redhat.com>

https://pagure.io/fedora-infrastructure/issue/5946

Mirroring is broken, please make sure you pushed commits to both pagure and github.

Martin^2

From freeipa-github-notification at redhat.com Mon Apr 3 11:55:36 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Mon, 03 Apr 2017 13:55:36 +0200
Subject: [Freeipa-devel] [freeipa PR#650][+ack] CA-less installation fix
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/650
Title: #650: CA-less installation fix

Label: +ack

From freeipa-github-notification at redhat.com Mon Apr 3 11:58:38 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Mon, 03 Apr 2017 13:58:38 +0200
Subject: [Freeipa-devel] [freeipa PR#683][+ack] certdb: fix `AttributeError` in `verify_ca_cert_validity`
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/683
Title: #683: certdb: fix `AttributeError` in `verify_ca_cert_validity`

Label: +ack

From freeipa-github-notification at redhat.com Mon Apr 3 11:59:03 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Mon, 03 Apr 2017 13:59:03 +0200
Subject: [Freeipa-devel] [freeipa PR#650][comment] CA-less installation fix
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/650
Title: #650: CA-less installation fix

HonzaCholasta commented:
"""
@stlaz, please also provide a version of this PR rebased on ipa-4-5.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/650#issuecomment-291122587

From freeipa-github-notification at redhat.com Mon Apr 3 12:22:10 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Mon, 03 Apr 2017 14:22:10 +0200
Subject: [Freeipa-devel] [freeipa PR#618][synchronized] [WIP] Tox testing support for client wheel packages
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/618
Author: tiran
Title: #618: [WIP] Tox testing support for client wheel packages
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/618/head:pr618
git checkout pr618
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-618.patch
Type: text/x-diff
Size: 5274 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Mon Apr 3 12:26:50 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Mon, 03 Apr 2017 14:26:50 +0200
Subject: [Freeipa-devel] [freeipa PR#685][opened] [4.5] Caless fix
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/685
Author: stlaz
Title: #685: [4.5] Caless fix
Action: opened

PR body:
"""
Get correct CA cert nickname in CA-less

During CA-less installation, we initialize the HTTPD alias database from a pkcs12 file. This means there's going to be different nicknames to the added certificates.
Store the CA certificate nickname in HTTPInstance__setup_ssl() to be able to correctly export it late
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/685/head:pr685
git checkout pr685
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-685.patch
Type: text/x-diff
Size: 3891 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Mon Apr 3 12:27:39 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Mon, 03 Apr 2017 14:27:39 +0200
Subject: [Freeipa-devel] [freeipa PR#686][opened] Stablize make pypi_packages
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/686
Author: tiran
Title: #686: Stablize make pypi_packages
Action: opened

PR body:
"""
Parallel make or flags like IPA_OMIT_INSTALL and IPA_SERVER_WHEELS could lead to bad packages for PyPI. Only build the packages we want with correct flags.

Signed-off-by: Christian Heimes
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/686/head:pr686
git checkout pr686
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-686.patch
Type: text/x-diff
Size: 1645 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Mon Apr 3 12:41:40 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Mon, 03 Apr 2017 14:41:40 +0200
Subject: [Freeipa-devel] [freeipa PR#683][+pushed] certdb: fix `AttributeError` in `verify_ca_cert_validity`
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/683
Title: #683: certdb: fix `AttributeError` in `verify_ca_cert_validity`

Label: +pushed

From freeipa-github-notification at redhat.com Mon Apr 3 12:41:45 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Mon, 03 Apr 2017 14:41:45 +0200
Subject: [Freeipa-devel] [freeipa PR#683][comment] certdb: fix `AttributeError` in `verify_ca_cert_validity`
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/683
Title: #683: certdb: fix `AttributeError` in `verify_ca_cert_validity`

HonzaCholasta commented:
"""
master:

* 720034f1b440135671d03596368ed5e9e5a0f3c3 certdb: fix `AttributeError` in `verify_ca_cert_validity`
"""

See the full comment at https://github.com/freeipa/freeipa/pull/683#issuecomment-291131212

From freeipa-github-notification at redhat.com Mon Apr 3 12:41:50 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Mon, 03 Apr 2017 14:41:50 +0200
Subject: [Freeipa-devel] [freeipa PR#683][closed] certdb: fix `AttributeError` in `verify_ca_cert_validity`
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/683
Author: HonzaCholasta
Title: #683: certdb: fix `AttributeError` in `verify_ca_cert_validity`
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/683/head:pr683
git checkout pr683

From freeipa-github-notification at redhat.com Mon Apr 3 12:42:43 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Mon, 03 Apr 2017 14:42:43 +0200
Subject: [Freeipa-devel] [freeipa PR#650][comment] CA-less installation fix
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/650
Title: #650: CA-less installation fix

stlaz commented:
"""
Done in https://github.com/freeipa/freeipa/pull/685
"""

See the full comment at https://github.com/freeipa/freeipa/pull/650#issuecomment-291131467

From freeipa-github-notification at redhat.com Mon Apr 3 12:54:26 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Mon, 03 Apr 2017 14:54:26 +0200
Subject: [Freeipa-devel] [freeipa PR#685][+ack] [4.5] Caless fix
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/685
Title: #685: [4.5] Caless fix

Label: +ack

From freeipa-github-notification at redhat.com Mon Apr 3 12:55:59 2017
From: freeipa-github-notification at redhat.com (simo5)
Date: Mon, 03 Apr 2017 14:55:59 +0200
Subject: [Freeipa-devel] [freeipa PR#679][synchronized] Make sure remote hosts have our keys
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/679
Author: simo5
Title: #679: Make sure remote hosts have our keys
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/679/head:pr679
git checkout pr679
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-679.patch
Type: text/x-diff
Size: 2869 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Mon Apr 3 13:04:11 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Mon, 03 Apr 2017 15:04:11 +0200
Subject: [Freeipa-devel] [freeipa PR#686][synchronized] Stablize make pypi_packages
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/686
Author: tiran
Title: #686: Stablize make pypi_packages
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/686/head:pr686
git checkout pr686
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-686.patch
Type: text/x-diff
Size: 1646 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Mon Apr 3 13:04:15 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Mon, 03 Apr 2017 15:04:15 +0200
Subject: [Freeipa-devel] [freeipa PR#686][edited] Stablize make pypi_packages
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/686
Author: tiran
Title: #686: Stablize make pypi_packages
Action: edited

Changed field: title
Original value:
"""
Stablize make pypi_packages
"""

From freeipa-github-notification at redhat.com Mon Apr 3 13:04:36 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Mon, 03 Apr 2017 15:04:36 +0200
Subject: [Freeipa-devel] [freeipa PR#618][edited] [WIP] Tox testing support for client wheel packages
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/618
Author: tiran
Title: #618: [WIP] Tox testing support for client wheel packages
Action: edited

Changed field: title
Original value:
"""
[WIP] Tox testing support for client wheel packages
"""

From freeipa-github-notification at redhat.com Mon Apr 3 13:07:09 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Mon, 03 Apr 2017 15:07:09 +0200
Subject: [Freeipa-devel] [freeipa PR#650][+pushed] CA-less installation fix
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/650
Title: #650: CA-less installation fix

Label: +pushed

From freeipa-github-notification at redhat.com Mon Apr 3 13:07:16 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Mon, 03 Apr 2017 15:07:16 +0200
Subject: [Freeipa-devel] [freeipa PR#650][comment] CA-less installation fix
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/650
Title: #650: CA-less installation fix

HonzaCholasta commented:
"""
master:

* 8c87014e199b3dbe885c69d40a01d2723f813c3e Get correct CA cert nickname in CA-less
* aae9a918b68dc4f9a7b4fb9abf1bb4d26673109d Remove publish_ca_cert() method from NSSDatabase
"""

See the full comment at https://github.com/freeipa/freeipa/pull/650#issuecomment-291137152

From freeipa-github-notification at redhat.com Mon Apr 3 13:07:19 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Mon, 03 Apr 2017 15:07:19 +0200
Subject: [Freeipa-devel] [freeipa PR#650][closed] CA-less installation fix
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/650
Author: stlaz
Title: #650: CA-less installation fix
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/650/head:pr650
git checkout pr650

From freeipa-github-notification at redhat.com Mon Apr 3 13:07:37 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Mon, 03 Apr 2017 15:07:37 +0200
Subject: [Freeipa-devel] [freeipa PR#685][+pushed] [4.5] Caless fix
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/685
Title: #685: [4.5] Caless fix

Label: +pushed

From freeipa-github-notification at redhat.com Mon Apr 3 13:07:40 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Mon, 03 Apr 2017 15:07:40 +0200
Subject: [Freeipa-devel] [freeipa PR#685][comment] [4.5] Caless fix In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/685 Title: #685: [4.5] Caless fix HonzaCholasta commented: """ ipa-4-5: * ebf24e783604952e59e557b5537c6d0de6146ce4 Get correct CA cert nickname in CA-less * 99389748beb0158811505efa606c27e1e2e0bc7b Remove publish_ca_cert() method from NSSDatabase """ See the full comment at https://github.com/freeipa/freeipa/pull/685#issuecomment-291137263 From freeipa-github-notification at redhat.com Mon Apr 3 13:07:46 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Mon, 03 Apr 2017 15:07:46 +0200 Subject: [Freeipa-devel] [freeipa PR#685][closed] [4.5] Caless fix In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/685 Author: stlaz Title: #685: [4.5] Caless fix Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/685/head:pr685 git checkout pr685 From freeipa-github-notification at redhat.com Mon Apr 3 14:01:09 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Mon, 03 Apr 2017 16:01:09 +0200 Subject: [Freeipa-devel] [freeipa PR#686][synchronized] Stabilize make pypi_packages In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/686 Author: tiran Title: #686: Stabilize make pypi_packages Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/686/head:pr686 git checkout pr686 -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-pr-686.patch Type: text/x-diff Size: 2379 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Apr 3 14:01:47 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Mon, 03 Apr 2017 16:01:47 +0200 Subject: [Freeipa-devel] [freeipa PR#687][opened] Add pki_pin only when needed Message-ID: URL: https://github.com/freeipa/freeipa/pull/687 Author: stlaz Title: #687: Add pki_pin only when needed Action: opened PR body: """ If both the pki-tomcat NSS database and its password.conf have been created, don't try to override the password.conf file. https://pagure.io/freeipa/issue/6839 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/687/head:pr687 git checkout pr687 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-687.patch Type: text/x-diff Size: 2390 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Apr 3 14:16:17 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Mon, 03 Apr 2017 16:16:17 +0200 Subject: [Freeipa-devel] [freeipa PR#618][synchronized] Tox testing support for client wheel packages In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/618 Author: tiran Title: #618: Tox testing support for client wheel packages Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/618/head:pr618 git checkout pr618 -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-pr-618.patch Type: text/x-diff Size: 10800 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Apr 3 14:17:12 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Mon, 03 Apr 2017 16:17:12 +0200 Subject: [Freeipa-devel] [freeipa PR#618][edited] Tox testing support for client wheel packages In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/618 Author: tiran Title: #618: Tox testing support for client wheel packages Action: edited Changed field: body Original value: """ Depends on PR #613 """ From freeipa-github-notification at redhat.com Mon Apr 3 14:17:27 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Mon, 03 Apr 2017 16:17:27 +0200 Subject: [Freeipa-devel] [freeipa PR#618][synchronized] Tox testing support for client wheel packages In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/618 Author: tiran Title: #618: Tox testing support for client wheel packages Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/618/head:pr618 git checkout pr618 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-618.patch Type: text/x-diff Size: 9622 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Apr 3 15:09:40 2017 From: freeipa-github-notification at redhat.com (LiptonB) Date: Mon, 03 Apr 2017 17:09:40 +0200 Subject: [Freeipa-devel] [freeipa PR#542][comment] Implementation independent interface for CSR generation In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/542 Title: #542: Implementation independent interface for CSR generation LiptonB commented: """ @HonzaCholasta, thanks! I have an attempt at NSS support in progress. It might take me a few more days to get it ready to send out, but I think it's close. 
On Mon, Apr 3, 2017 at 3:45 AM Jan Cholasta wrote:
> @LiptonB, superb, thank you!
>
> Have you made any progress with NSS support? If not, I can add it in a
> subsequent PR, if you agree.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/542#issuecomment-291172628

From bind-dyndb-ldap-github-notification at redhat.com Mon Apr 3 15:23:02 2017
From: bind-dyndb-ldap-github-notification at redhat.com (tomaskrizek)
Date: Mon, 03 Apr 2017 17:23:02 +0200
Subject: [Freeipa-devel] [bind-dyndb-ldap PR#12][synchronized] README.md: fix markdown formatting
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/bind-dyndb-ldap/pull/12
Author: tomaskrizek
Title: #12: README.md: fix markdown formatting
Action: synchronized

To pull the PR as Git branch:
git remote add ghbind-dyndb-ldap https://github.com/freeipa/bind-dyndb-ldap
git fetch ghbind-dyndb-ldap pull/12/head:pr12
git checkout pr12
-------------- next part --------------
A non-text attachment was scrubbed...
Name: bind-dyndb-ldap-pr-12.patch
Type: text/x-diff
Size: 9469 bytes
Desc: not available
URL:

From bind-dyndb-ldap-github-notification at redhat.com Mon Apr 3 15:26:02 2017
From: bind-dyndb-ldap-github-notification at redhat.com (tomaskrizek)
Date: Mon, 03 Apr 2017 17:26:02 +0200
Subject: [Freeipa-devel] [bind-dyndb-ldap PR#11][synchronized] Coverity: fix REVERSE_INULL for pevent->inst
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/bind-dyndb-ldap/pull/11
Author: tomaskrizek
Title: #11: Coverity: fix REVERSE_INULL for pevent->inst
Action: synchronized

To pull the PR as Git branch:
git remote add ghbind-dyndb-ldap https://github.com/freeipa/bind-dyndb-ldap
git fetch ghbind-dyndb-ldap pull/11/head:pr11
git checkout pr11
-------------- next part --------------
A non-text attachment was scrubbed...
Name: bind-dyndb-ldap-pr-11.patch Type: text/x-diff Size: 4070 bytes Desc: not available URL: From bind-dyndb-ldap-github-notification at redhat.com Mon Apr 3 15:26:51 2017 From: bind-dyndb-ldap-github-notification at redhat.com (tomaskrizek) Date: Mon, 03 Apr 2017 17:26:51 +0200 Subject: [Freeipa-devel] [bind-dyndb-ldap PR#11][comment] Coverity: fix REVERSE_INULL for pevent->inst In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/bind-dyndb-ldap/pull/11 Title: #11: Coverity: fix REVERSE_INULL for pevent->inst tomaskrizek commented: """ Thanks for the review, Petr! I added the check to `syncrepl_update` as well. """ See the full comment at https://github.com/freeipa/bind-dyndb-ldap/pull/11#issuecomment-291178049 From bind-dyndb-ldap-github-notification at redhat.com Mon Apr 3 16:57:19 2017 From: bind-dyndb-ldap-github-notification at redhat.com (tomaskrizek) Date: Mon, 03 Apr 2017 18:57:19 +0200 Subject: [Freeipa-devel] [bind-dyndb-ldap PR#13][+ack] releng: remove obsolete Trac scripts In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/bind-dyndb-ldap/pull/13 Title: #13: releng: remove obsolete Trac scripts Label: +ack From bind-dyndb-ldap-github-notification at redhat.com Mon Apr 3 17:03:30 2017 From: bind-dyndb-ldap-github-notification at redhat.com (tomaskrizek) Date: Mon, 03 Apr 2017 19:03:30 +0200 Subject: [Freeipa-devel] [bind-dyndb-ldap PR#13][comment] releng: remove obsolete Trac scripts In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/bind-dyndb-ldap/pull/13 Title: #13: releng: remove obsolete Trac scripts tomaskrizek commented: """ master: - f5d6f5e821b4f714e8534742b450f7fdd577f766 """ See the full comment at https://github.com/freeipa/bind-dyndb-ldap/pull/13#issuecomment-291206704 From bind-dyndb-ldap-github-notification at redhat.com Mon Apr 3 17:03:34 2017 From: bind-dyndb-ldap-github-notification at redhat.com (tomaskrizek) Date: Mon, 03 Apr 2017 19:03:34 +0200 Subject: [Freeipa-devel] 
[bind-dyndb-ldap PR#13][closed] releng: remove obsolete Trac scripts In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/bind-dyndb-ldap/pull/13 Author: tomaskrizek Title: #13: releng: remove obsolete Trac scripts Action: closed To pull the PR as Git branch: git remote add ghbind-dyndb-ldap https://github.com/freeipa/bind-dyndb-ldap git fetch ghbind-dyndb-ldap pull/13/head:pr13 git checkout pr13 From bind-dyndb-ldap-github-notification at redhat.com Mon Apr 3 17:03:37 2017 From: bind-dyndb-ldap-github-notification at redhat.com (tomaskrizek) Date: Mon, 03 Apr 2017 19:03:37 +0200 Subject: [Freeipa-devel] [bind-dyndb-ldap PR#13][+pushed] releng: remove obsolete Trac scripts In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/bind-dyndb-ldap/pull/13 Title: #13: releng: remove obsolete Trac scripts Label: +pushed From freeipa-github-notification at redhat.com Mon Apr 3 18:13:49 2017 From: freeipa-github-notification at redhat.com (flo-renaud) Date: Mon, 03 Apr 2017 20:13:49 +0200 Subject: [Freeipa-devel] [freeipa PR#632][synchronized] ipa-sam: create the gidNumber attribute in the trusted domain entry In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/632 Author: flo-renaud Title: #632: ipa-sam: create the gidNumber attribute in the trusted domain entry Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/632/head:pr632 git checkout pr632 -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-pr-632.patch Type: text/x-diff Size: 8839 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Apr 3 18:16:23 2017 From: freeipa-github-notification at redhat.com (flo-renaud) Date: Mon, 03 Apr 2017 20:16:23 +0200 Subject: [Freeipa-devel] [freeipa PR#632][comment] ipa-sam: create the gidNumber attribute in the trusted domain entry In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/632 Title: #632: ipa-sam: create the gidNumber attribute in the trusted domain entry flo-renaud commented: """ Hi @abbra thank you for the review. PR updated following your comments, and with an upgrade plugin to handle existing trusted domain objects. """ See the full comment at https://github.com/freeipa/freeipa/pull/632#issuecomment-291227659 From freeipa-github-notification at redhat.com Mon Apr 3 18:29:45 2017 From: freeipa-github-notification at redhat.com (Akasurde) Date: Mon, 03 Apr 2017 20:29:45 +0200 Subject: [Freeipa-devel] [freeipa PR#590][synchronized] Validate user input for cert-get-requestdata In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/590 Author: Akasurde Title: #590: Validate user input for cert-get-requestdata Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/590/head:pr590 git checkout pr590 -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-pr-590.patch Type: text/x-diff Size: 1056 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Apr 3 19:12:54 2017 From: freeipa-github-notification at redhat.com (redhatrises) Date: Mon, 03 Apr 2017 21:12:54 +0200 Subject: [Freeipa-devel] [freeipa PR#688][opened] Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches Message-ID: URL: https://github.com/freeipa/freeipa/pull/688 Author: redhatrises Title: #688: Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches Action: opened PR body: """ - Update get_attr_filter in LDAPSearch to handle nsaccountlock by setting nsaccountlock=True if `ipa user-find --disabled=False` is entered in the command line and then search for any case where nsaccountlock != True. This handles the case where nsaccountlock may not exist as an attribute or is False. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/688/head:pr688 git checkout pr688 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-688.patch Type: text/x-diff Size: 2017 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Apr 3 19:32:33 2017 From: freeipa-github-notification at redhat.com (abbra) Date: Mon, 03 Apr 2017 21:32:33 +0200 Subject: [Freeipa-devel] [freeipa PR#632][comment] ipa-sam: create the gidNumber attribute in the trusted domain entry In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/632 Title: #632: ipa-sam: create the gidNumber attribute in the trusted domain entry abbra commented: """ Thanks. I read through the code and it looks good to me. I'm going to test it together with my work on ipasam_update_sam_account() tomorrow. 
""" See the full comment at https://github.com/freeipa/freeipa/pull/632#issuecomment-291249140 From freeipa-github-notification at redhat.com Tue Apr 4 05:46:42 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Tue, 04 Apr 2017 07:46:42 +0200 Subject: [Freeipa-devel] [freeipa PR#686][synchronized] Stabilize make pypi_packages In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/686 Author: tiran Title: #686: Stabilize make pypi_packages Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/686/head:pr686 git checkout pr686 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-686.patch Type: text/x-diff Size: 2398 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Apr 4 05:57:08 2017 From: freeipa-github-notification at redhat.com (alex-zel) Date: Tue, 04 Apr 2017 07:57:08 +0200 Subject: [Freeipa-devel] [freeipa PR#681][synchronized] Fix ipadiscovery In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/681 Author: alex-zel Title: #681: Fix ipadiscovery Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/681/head:pr681 git checkout pr681 -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-pr-681.patch Type: text/x-diff Size: 6667 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Apr 4 06:06:46 2017 From: freeipa-github-notification at redhat.com (alex-zel) Date: Tue, 04 Apr 2017 08:06:46 +0200 Subject: [Freeipa-devel] [freeipa PR#681][synchronized] Fix ipadiscovery In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/681 Author: alex-zel Title: #681: Fix ipadiscovery Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/681/head:pr681 git checkout pr681 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-681.patch Type: text/x-diff Size: 6667 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Apr 4 06:08:13 2017 From: freeipa-github-notification at redhat.com (alex-zel) Date: Tue, 04 Apr 2017 08:08:13 +0200 Subject: [Freeipa-devel] [freeipa PR#681][closed] Fix ipadiscovery In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/681 Author: alex-zel Title: #681: Fix ipadiscovery Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/681/head:pr681 git checkout pr681 From freeipa-github-notification at redhat.com Tue Apr 4 06:55:58 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 04 Apr 2017 08:55:58 +0200 Subject: [Freeipa-devel] [freeipa PR#684][comment] httpinstance: make sure NSS database is backed up In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/684 Title: #684: httpinstance: make sure NSS database is backed up stlaz commented: """ Without this patch, I encountered a different issue but with the same root cause. The patch fixes it, so ACK. 
""" See the full comment at https://github.com/freeipa/freeipa/pull/684#issuecomment-291411099 From freeipa-github-notification at redhat.com Tue Apr 4 06:56:03 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 04 Apr 2017 08:56:03 +0200 Subject: [Freeipa-devel] [freeipa PR#684][+ack] httpinstance: make sure NSS database is backed up In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/684 Title: #684: httpinstance: make sure NSS database is backed up Label: +ack From freeipa-github-notification at redhat.com Tue Apr 4 07:03:44 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 04 Apr 2017 09:03:44 +0200 Subject: [Freeipa-devel] [freeipa PR#687][synchronized] Add pki_pin only when needed In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/687 Author: stlaz Title: #687: Add pki_pin only when needed Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/687/head:pr687 git checkout pr687 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-687.patch Type: text/x-diff Size: 2388 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Apr 4 07:04:25 2017 From: freeipa-github-notification at redhat.com (alex-zel) Date: Tue, 04 Apr 2017 09:04:25 +0200 Subject: [Freeipa-devel] [freeipa PR#689][opened] Sort SRV records by priority Message-ID: URL: https://github.com/freeipa/freeipa/pull/689 Author: alex-zel Title: #689: Sort SRV records by priority Action: opened PR body: """ In some cases where multiple SRV records are present, LDAP and Kerberos records were returned in different order, causing replication issues in a multi master enviorment. 
## Replication:

DNS configuration (using PfSense):

```
srv-host=_kerberos._udp.example.com,server01.example.com,88,0,1
srv-host=_kerberos._tcp.example.com,server01.example.com,88,0,1
srv-host=_kerberos-master._tcp.example.com,server01.example.com,88,0,1
srv-host=_kerberos-master._udp.example.com,server01.example.com,88,0,1
srv-host=_kpasswd._tcp.example.com,server01.example.com,88,0,1
srv-host=_kpasswd._udp.example.com,server01.example.com,88,0,1
srv-host=_ldap._tcp.example.com,server01.example.com,389,0,1
srv-host=_kerberos._udp.example.com,server02.example.com,88,0,2
srv-host=_kerberos._tcp.example.com,server02.example.com,88,0,2
srv-host=_kerberos-master._tcp.example.com,server02.example.com,88,0,2
srv-host=_kerberos-master._udp.example.com,server02.example.com,88,0,2
srv-host=_kpasswd._tcp.example.com,server02.example.com,88,0,2
srv-host=_kpasswd._udp.example.com,server02.example.com,88,0,2
srv-host=_ldap._tcp.example.com,server02.example.com,389,0,2
txt-record=_kerberos.example.com,EXAMPLE.COM
```

Client installation:

Host record is added beforehand from web UI on server01.example.com ONLY.

`/usr/sbin/ipa-client-install --force-join --principal=bind_user --password=bind_pass --hostname=`hostname -f` --unattended`

/var/log/ipaclient-install.log:

> 2017-04-02T10:54:09Z DEBUG [IPA Discovery]
> 2017-04-02T10:54:09Z DEBUG Starting IPA discovery with domain=None, servers=None, hostname=client01.example.com
> 2017-04-02T10:54:09Z DEBUG Start searching for LDAP SRV record in "example.com" (domain of the hostname) and its sub-domains
> 2017-04-02T10:54:09Z DEBUG Search DNS for SRV record of _ldap._tcp.example.com
> 2017-04-02T10:54:09Z DEBUG DNS record found: 0 1 389 server01.example.com.
> 2017-04-02T10:54:09Z DEBUG DNS record found: 0 2 389 server02.example.com.
> 2017-04-02T10:54:09Z DEBUG [Kerberos realm search]
> 2017-04-02T10:54:09Z DEBUG Search DNS for TXT record of _kerberos.example.com
> 2017-04-02T10:54:09Z DEBUG DNS record not found: NoAnswer
> 2017-04-02T10:54:09Z DEBUG Search DNS for SRV record of _kerberos._udp.example.com
> 2017-04-02T10:54:09Z DEBUG DNS record found: 0 2 88 server02.example.com.
> 2017-04-02T10:54:09Z DEBUG DNS record found: 0 1 88 server01.example.com.

Notice the records are not in the same order, ipa-client-install did not return any error and the client machine could see user, groups, netgroups, but users could not authenticate.
Looking at the web UI, server01.example.com shows the client is not enrolled and no kerberos key is present, but server02.example.com shows the client is enrolled and has a key.
In cases where either server01 or server02 were returned first in IPA Discovery the installation and replication went fine.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/689/head:pr689
git checkout pr689
-------------- next part --------------
A non-text attachment was scrubbed...
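
Added example, not part of PR #689 and not FreeIPA code: it parses the SRV lines of the ipaclient-install.log excerpt quoted in the PR body, reports whether LDAP and Kerberos discovery agree on the first server, and compares a priority-only sort key with a fully deterministic one. The function names and the tie-break rule are assumptions of this example; each "DNS record found" line is read as priority, weight, port, target, the standard SRV presentation order.

```python
import re
from collections import namedtuple

# SRV presentation order (RFC 2782): priority weight port target.
SrvRecord = namedtuple("SrvRecord", "priority weight port target")

# SRV-related lines copied from the log excerpt in the PR #689 body.
INSTALL_LOG = """\
2017-04-02T10:54:09Z DEBUG Search DNS for SRV record of _ldap._tcp.example.com
2017-04-02T10:54:09Z DEBUG DNS record found: 0 1 389 server01.example.com.
2017-04-02T10:54:09Z DEBUG DNS record found: 0 2 389 server02.example.com.
2017-04-02T10:54:09Z DEBUG [Kerberos realm search]
2017-04-02T10:54:09Z DEBUG Search DNS for TXT record of _kerberos.example.com
2017-04-02T10:54:09Z DEBUG DNS record not found: NoAnswer
2017-04-02T10:54:09Z DEBUG Search DNS for SRV record of _kerberos._udp.example.com
2017-04-02T10:54:09Z DEBUG DNS record found: 0 2 88 server02.example.com.
2017-04-02T10:54:09Z DEBUG DNS record found: 0 1 88 server01.example.com.
"""

SEARCH_RE = re.compile(r"Search DNS for (\w+) record of (\S+)")
FOUND_RE = re.compile(r"DNS record found: (\d+) (\d+) (\d+) (\S+)")


def srv_answers(log_text):
    """Map each SRV query name to its records, in the order they were logged."""
    answers = {}
    current = None  # query name of the SRV search currently being answered
    for line in log_text.splitlines():
        search = SEARCH_RE.search(line)
        if search:
            rtype, qname = search.groups()
            current = qname if rtype == "SRV" else None
            if current:
                answers.setdefault(current, [])
            continue
        found = FOUND_RE.search(line)
        if found and current:
            prio, weight, port, target = found.groups()
            answers[current].append(
                SrvRecord(int(prio), int(weight), int(port), target.rstrip("."))
            )
    return answers


def by_priority(rec):
    """Sort key using priority only; equal priorities keep resolver order."""
    return rec.priority


def by_priority_deterministic(rec):
    """Sort key with a fixed tie-break (assumption of this example).

    RFC 2782 picks among equal priorities at random in proportion to weight.
    Here higher weight goes first, then the target name, so every service
    yields the same first host regardless of the order the resolver returned.
    """
    return (rec.priority, -rec.weight, rec.target)


def preferred_servers(answers, key=None):
    """Return {query name: first target}; key=None keeps the logged order."""
    preferred = {}
    for qname, records in answers.items():
        ordered = sorted(records, key=key) if key else list(records)
        if ordered:
            preferred[qname] = ordered[0].target
    return preferred


def disagreement(preferred):
    """Return the mapping if services point at different hosts, else {}."""
    return preferred if len(set(preferred.values())) > 1 else {}


if __name__ == "__main__":
    answers = srv_answers(INSTALL_LOG)
    for label, key in (("resolver order", None),
                       ("priority only", by_priority),
                       ("priority, weight, target", by_priority_deterministic)):
        chosen = preferred_servers(answers, key)
        status = "MISMATCH" if disagreement(chosen) else "consistent"
        print(f"{label:26} {status}: {chosen}")
```

Both records in the excerpt carry priority 0, so a stable sort on priority alone leaves them in resolver order; the mismatch only disappears once the key also breaks ties.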
Name: freeipa-pr-689.patch Type: text/x-diff Size: 1479 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Apr 4 08:22:42 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Tue, 04 Apr 2017 10:22:42 +0200 Subject: [Freeipa-devel] [freeipa PR#684][+pushed] httpinstance: make sure NSS database is backed up In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/684 Title: #684: httpinstance: make sure NSS database is backed up Label: +pushed From freeipa-github-notification at redhat.com Tue Apr 4 08:22:46 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Tue, 04 Apr 2017 10:22:46 +0200 Subject: [Freeipa-devel] [freeipa PR#684][comment] httpinstance: make sure NSS database is backed up In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/684 Title: #684: httpinstance: make sure NSS database is backed up HonzaCholasta commented: """ master: * 5f5a3b29dba7cc736ba334aefb55484baeefeb76 httpinstance: make sure NSS database is backed up ipa-4-5: * 471dfcbe1cc3f319da788add3661cb6d63e3c0f0 httpinstance: make sure NSS database is backed up """ See the full comment at https://github.com/freeipa/freeipa/pull/684#issuecomment-291428766 From freeipa-github-notification at redhat.com Tue Apr 4 08:22:50 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Tue, 04 Apr 2017 10:22:50 +0200 Subject: [Freeipa-devel] [freeipa PR#684][closed] httpinstance: make sure NSS database is backed up In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/684 Author: HonzaCholasta Title: #684: httpinstance: make sure NSS database is backed up Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/684/head:pr684 git checkout pr684 From freeipa-github-notification at redhat.com Tue Apr 4 09:30:20 2017 From: freeipa-github-notification at 
redhat.com (stlaz) Date: Tue, 04 Apr 2017 11:30:20 +0200 Subject: [Freeipa-devel] [freeipa PR#690][opened] server-install: remove broken no-pkinit check Message-ID: URL: https://github.com/freeipa/freeipa/pull/690 Author: stlaz Title: #690: server-install: remove broken no-pkinit check Action: opened PR body: """ Don't check for no-pkinit option in case pkinit cert file was provided. Setting no-pkinit is prohibited in this case, so without this fix we have an impossible option-check if we want to provide an own pkinit certificate and private key. https://pagure.io/freeipa/issue/6807 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/690/head:pr690 git checkout pr690 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-690.patch Type: text/x-diff Size: 1349 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Apr 4 11:23:21 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 04 Apr 2017 13:23:21 +0200 Subject: [Freeipa-devel] [freeipa PR#677][comment] cert: defer cert-find result post-processing In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/677 Title: #677: cert: defer cert-find result post-processing stlaz commented: """ What worries me the most is that the tests are green even though this is potentially a serious problem. 
""" See the full comment at https://github.com/freeipa/freeipa/pull/677#issuecomment-291471139 From freeipa-github-notification at redhat.com Tue Apr 4 14:48:47 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 04 Apr 2017 16:48:47 +0200 Subject: [Freeipa-devel] [freeipa PR#667][comment] idrange-mod: properly handle empty --dom-name option In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/667 Title: #667: idrange-mod: properly handle empty --dom-name option stlaz commented: """ LGTM, except you're talking about `idrange-mod` in the commit message but are fixing `idrange-add` (`idrange-mod` does not have the option at all). """ See the full comment at https://github.com/freeipa/freeipa/pull/667#issuecomment-291523802 From freeipa-github-notification at redhat.com Tue Apr 4 15:36:29 2017 From: freeipa-github-notification at redhat.com (flo-renaud) Date: Tue, 04 Apr 2017 17:36:29 +0200 Subject: [Freeipa-devel] [freeipa PR#667][synchronized] idrange-mod: properly handle empty --dom-name option In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/667 Author: flo-renaud Title: #667: idrange-mod: properly handle empty --dom-name option Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/667/head:pr667 git checkout pr667 -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-pr-667.patch Type: text/x-diff Size: 1295 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Apr 4 15:37:44 2017 From: freeipa-github-notification at redhat.com (flo-renaud) Date: Tue, 04 Apr 2017 17:37:44 +0200 Subject: [Freeipa-devel] [freeipa PR#667][edited] idrange-mod: properly handle empty --dom-name option In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/667 Author: flo-renaud Title: #667: idrange-mod: properly handle empty --dom-name option Action: edited Changed field: body Original value: """ When idrange-mod is called with --dom-name=, the CLI exits with ipa: ERROR: an internal error has occurred This happens because the code checks if the option is provided but does not check if the value is None. We need to handle empty dom-name as if the option was not specified. https://pagure.io/freeipa/issue/6404 """ From freeipa-github-notification at redhat.com Tue Apr 4 15:37:50 2017 From: freeipa-github-notification at redhat.com (flo-renaud) Date: Tue, 04 Apr 2017 17:37:50 +0200 Subject: [Freeipa-devel] [freeipa PR#667][edited] idrange-add: properly handle empty --dom-name option In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/667 Author: flo-renaud Title: #667: idrange-add: properly handle empty --dom-name option Action: edited Changed field: title Original value: """ idrange-mod: properly handle empty --dom-name option """ From freeipa-github-notification at redhat.com Tue Apr 4 15:40:25 2017 From: freeipa-github-notification at redhat.com (flo-renaud) Date: Tue, 04 Apr 2017 17:40:25 +0200 Subject: [Freeipa-devel] [freeipa PR#667][comment] idrange-add: properly handle empty --dom-name option In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/667 Title: #667: idrange-add: properly handle empty --dom-name option flo-renaud commented: """ Hi @stlaz I fixed the commit message. 
In contrary to what I told you offline, you need to configure an AD trust with ipa-adtrust-install and ipa trust-add ... in order to reproduce the original issue. My bad... """ See the full comment at https://github.com/freeipa/freeipa/pull/667#issuecomment-291540393 From freeipa-github-notification at redhat.com Tue Apr 4 16:19:51 2017 From: freeipa-github-notification at redhat.com (pvoborni) Date: Tue, 04 Apr 2017 18:19:51 +0200 Subject: [Freeipa-devel] [freeipa PR#679][comment] Make sure remote hosts have our keys In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/679 Title: #679: Make sure remote hosts have our keys pvoborni commented: """ Shouldn't the ticket number be: https://pagure.io/freeipa/issue/6838 ? """ See the full comment at https://github.com/freeipa/freeipa/pull/679#issuecomment-291553067 From freeipa-github-notification at redhat.com Tue Apr 4 16:32:49 2017 From: freeipa-github-notification at redhat.com (simo5) Date: Tue, 04 Apr 2017 18:32:49 +0200 Subject: [Freeipa-devel] [freeipa PR#679][comment] Make sure remote hosts have our keys In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/679 Title: #679: Make sure remote hosts have our keys simo5 commented: """ Seem like both errors are the same problem. Should we mark 6688 a duplicate of 6838 ? """ See the full comment at https://github.com/freeipa/freeipa/pull/679#issuecomment-291556956 From freeipa-github-notification at redhat.com Tue Apr 4 16:34:01 2017 From: freeipa-github-notification at redhat.com (simo5) Date: Tue, 04 Apr 2017 18:34:01 +0200 Subject: [Freeipa-devel] [freeipa PR#679][comment] Make sure remote hosts have our keys In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/679 Title: #679: Make sure remote hosts have our keys simo5 commented: """ Nevermind they are not duplicates. I'll fix the commit message. 
""" See the full comment at https://github.com/freeipa/freeipa/pull/679#issuecomment-291557263 From freeipa-github-notification at redhat.com Tue Apr 4 16:36:32 2017 From: freeipa-github-notification at redhat.com (simo5) Date: Tue, 04 Apr 2017 18:36:32 +0200 Subject: [Freeipa-devel] [freeipa PR#679][synchronized] Make sure remote hosts have our keys In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/679 Author: simo5 Title: #679: Make sure remote hosts have our keys Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/679/head:pr679 git checkout pr679 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-679.patch Type: text/x-diff Size: 2869 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Apr 5 06:48:10 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Wed, 05 Apr 2017 08:48:10 +0200 Subject: [Freeipa-devel] [freeipa PR#667][comment] idrange-add: properly handle empty --dom-name option In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/667 Title: #667: idrange-add: properly handle empty --dom-name option stlaz commented: """ @flo-renaud That's completely OK :) I thought we could probably add an assert to `CIDict.__contains__()` method since I realize the issue was somewhere else than this fixed check, but the current situation fails verbosely enough so that's probably fine. ACK. 
""" See the full comment at https://github.com/freeipa/freeipa/pull/667#issuecomment-291770037 From freeipa-github-notification at redhat.com Wed Apr 5 06:48:15 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Wed, 05 Apr 2017 08:48:15 +0200 Subject: [Freeipa-devel] [freeipa PR#667][+ack] idrange-add: properly handle empty --dom-name option In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/667 Title: #667: idrange-add: properly handle empty --dom-name option Label: +ack From freeipa-github-notification at redhat.com Wed Apr 5 07:29:26 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 05 Apr 2017 09:29:26 +0200 Subject: [Freeipa-devel] [freeipa PR#672][+ack] IPA-KDB: use relative path in ipa-certmap config snippet In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/672 Title: #672: IPA-KDB: use relative path in ipa-certmap config snippet Label: +ack From freeipa-github-notification at redhat.com Wed Apr 5 07:31:35 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 05 Apr 2017 09:31:35 +0200 Subject: [Freeipa-devel] [freeipa PR#672][+pushed] IPA-KDB: use relative path in ipa-certmap config snippet In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/672 Title: #672: IPA-KDB: use relative path in ipa-certmap config snippet Label: +pushed From freeipa-github-notification at redhat.com Wed Apr 5 07:31:38 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 05 Apr 2017 09:31:38 +0200 Subject: [Freeipa-devel] [freeipa PR#672][comment] IPA-KDB: use relative path in ipa-certmap config snippet In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/672 Title: #672: IPA-KDB: use relative path in ipa-certmap config snippet HonzaCholasta commented: """ master: * 6c2772dde52c84024d32533b29e6cbd04c69924a IPA-KDB: use relative path in ipa-certmap config snippet 
ipa-4-5: * fa46a01c37021e7b2b57fd3092383100e39792fb IPA-KDB: use relative path in ipa-certmap config snippet """ See the full comment at https://github.com/freeipa/freeipa/pull/672#issuecomment-291778291 From freeipa-github-notification at redhat.com Wed Apr 5 07:31:42 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 05 Apr 2017 09:31:42 +0200 Subject: [Freeipa-devel] [freeipa PR#672][closed] IPA-KDB: use relative path in ipa-certmap config snippet In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/672 Author: sumit-bose Title: #672: IPA-KDB: use relative path in ipa-certmap config snippet Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/672/head:pr672 git checkout pr672 From freeipa-github-notification at redhat.com Wed Apr 5 07:38:26 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 05 Apr 2017 09:38:26 +0200 Subject: [Freeipa-devel] [freeipa PR#667][comment] idrange-add: properly handle empty --dom-name option In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/667 Title: #667: idrange-add: properly handle empty --dom-name option martbab commented: """ @flo-renaud can you please add a test case for this to `ipatests/test_xmlrpc/test_range_plugin.py` so that we do not regress in the future? 
""" See the full comment at https://github.com/freeipa/freeipa/pull/667#issuecomment-291779673 From freeipa-github-notification at redhat.com Wed Apr 5 07:48:10 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 05 Apr 2017 09:48:10 +0200 Subject: [Freeipa-devel] [freeipa PR#677][synchronized] cert: defer cert-find result post-processing In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/677 Author: HonzaCholasta Title: #677: cert: defer cert-find result post-processing Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/677/head:pr677 git checkout pr677 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-677.patch Type: text/x-diff Size: 8664 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Apr 5 08:09:09 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 05 Apr 2017 10:09:09 +0200 Subject: [Freeipa-devel] [freeipa PR#687][comment] Add pki_pin only when needed In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/687 Title: #687: Add pki_pin only when needed tomaskrizek commented: """ Replica installation with CA and KRA seems to work fine now. 
""" See the full comment at https://github.com/freeipa/freeipa/pull/687#issuecomment-291786444 From freeipa-github-notification at redhat.com Wed Apr 5 08:09:13 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 05 Apr 2017 10:09:13 +0200 Subject: [Freeipa-devel] [freeipa PR#687][+ack] Add pki_pin only when needed In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/687 Title: #687: Add pki_pin only when needed Label: +ack From freeipa-github-notification at redhat.com Wed Apr 5 08:13:32 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 05 Apr 2017 10:13:32 +0200 Subject: [Freeipa-devel] [freeipa PR#687][+pushed] Add pki_pin only when needed In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/687 Title: #687: Add pki_pin only when needed Label: +pushed From freeipa-github-notification at redhat.com Wed Apr 5 08:13:39 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 05 Apr 2017 10:13:39 +0200 Subject: [Freeipa-devel] [freeipa PR#687][comment] Add pki_pin only when needed In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/687 Title: #687: Add pki_pin only when needed tomaskrizek commented: """ master: * 1aa77fe389e957a652c530ec0456ee05467754b3 Add pki_pin only when needed ipa-4-5: * f53c76b1055d4f7b26fc127852a66f942845cbae Add pki_pin only when needed """ See the full comment at https://github.com/freeipa/freeipa/pull/687#issuecomment-291787403 From freeipa-github-notification at redhat.com Wed Apr 5 08:13:43 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 05 Apr 2017 10:13:43 +0200 Subject: [Freeipa-devel] [freeipa PR#687][closed] Add pki_pin only when needed In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/687 Author: stlaz Title: #687: Add pki_pin only when needed Action: closed To pull the PR as Git branch: git remote add 
ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/687/head:pr687 git checkout pr687 From freeipa-github-notification at redhat.com Wed Apr 5 08:14:46 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Wed, 05 Apr 2017 10:14:46 +0200 Subject: [Freeipa-devel] [freeipa PR#691][opened] Add force-join option to replica install Message-ID: URL: https://github.com/freeipa/freeipa/pull/691 Author: stlaz Title: #691: Add force-join option to replica install Action: opened PR body: """ This patchset adds the force-join option to the replica installer. It also tries to improve the developer's experience by narrowing down the scope of originally an all-eating try-except block. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/691/head:pr691 git checkout pr691 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-691.patch Type: text/x-diff Size: 6593 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Apr 5 08:16:36 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 05 Apr 2017 10:16:36 +0200 Subject: [Freeipa-devel] [freeipa PR#667][+pushed] idrange-add: properly handle empty --dom-name option In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/667 Title: #667: idrange-add: properly handle empty --dom-name option Label: +pushed From freeipa-github-notification at redhat.com Wed Apr 5 08:16:40 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 05 Apr 2017 10:16:40 +0200 Subject: [Freeipa-devel] [freeipa PR#667][comment] idrange-add: properly handle empty --dom-name option In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/667 Title: #667: idrange-add: properly handle empty --dom-name option tomaskrizek commented: """ master: * 70743c8c48db54309a09d510b3a5d8ae86c29e58 idrange-add: properly 
handle empty --dom-name option ipa-4-5: * 077a61524d79ac5ab6f0eb46450c82ad5594bd2b idrange-add: properly handle empty --dom-name option """ See the full comment at https://github.com/freeipa/freeipa/pull/667#issuecomment-291788105 From freeipa-github-notification at redhat.com Wed Apr 5 08:16:43 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 05 Apr 2017 10:16:43 +0200 Subject: [Freeipa-devel] [freeipa PR#667][closed] idrange-add: properly handle empty --dom-name option In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/667 Author: flo-renaud Title: #667: idrange-add: properly handle empty --dom-name option Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/667/head:pr667 git checkout pr667 From freeipa-github-notification at redhat.com Wed Apr 5 08:39:41 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Wed, 05 Apr 2017 10:39:41 +0200 Subject: [Freeipa-devel] [freeipa PR#691][synchronized] Add force-join option to replica install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/691 Author: stlaz Title: #691: Add force-join option to replica install Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/691/head:pr691 git checkout pr691 -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-pr-691.patch Type: text/x-diff Size: 6587 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Apr 5 10:39:53 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Wed, 05 Apr 2017 12:39:53 +0200 Subject: [Freeipa-devel] [freeipa PR#691][synchronized] Add force-join option to replica install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/691 Author: stlaz Title: #691: Add force-join option to replica install Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/691/head:pr691 git checkout pr691 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-691.patch Type: text/x-diff Size: 6229 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Apr 5 12:15:50 2017 From: freeipa-github-notification at redhat.com (flo-renaud) Date: Wed, 05 Apr 2017 14:15:50 +0200 Subject: [Freeipa-devel] [freeipa PR#692][opened] tests: add non-reg for idrange-add Message-ID: URL: https://github.com/freeipa/freeipa/pull/692 Author: flo-renaud Title: #692: tests: add non-reg for idrange-add Action: opened PR body: """ Add non regression test for issue 6404: when idrange-add is called with empty dom-name, the command returns ipa: ERROR: an internal error has occurred https://pagure.io/freeipa/issue/6404 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/692/head:pr692 git checkout pr692 -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-pr-692.patch Type: text/x-diff Size: 3375 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Apr 5 12:18:09 2017 From: freeipa-github-notification at redhat.com (flo-renaud) Date: Wed, 05 Apr 2017 14:18:09 +0200 Subject: [Freeipa-devel] [freeipa PR#667][comment] idrange-add: properly handle empty --dom-name option In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/667 Title: #667: idrange-add: properly handle empty --dom-name option flo-renaud commented: """ @martbab thank you for the suggestion. The new test is available in PR #692 """ See the full comment at https://github.com/freeipa/freeipa/pull/667#issuecomment-291843545 From freeipa-github-notification at redhat.com Wed Apr 5 12:54:51 2017 From: freeipa-github-notification at redhat.com (redhatrises) Date: Wed, 05 Apr 2017 14:54:51 +0200 Subject: [Freeipa-devel] [freeipa PR#688][synchronized] Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/688 Author: redhatrises Title: #688: Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/688/head:pr688 git checkout pr688 -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-pr-688.patch Type: text/x-diff Size: 4177 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Apr 5 12:55:38 2017 From: freeipa-github-notification at redhat.com (redhatrises) Date: Wed, 05 Apr 2017 14:55:38 +0200 Subject: [Freeipa-devel] [freeipa PR#688][edited] Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/688 Author: redhatrises Title: #688: Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches Action: edited Changed field: body Original value: """ - Update get_attr_filter in LDAPSearch to handle nsaccountlock by setting nsaccountlock=True if `ipa user-find --disabled=False` is entered in the command line and then search for any case where nsaccountlock != True. This handles the case where nsaccountlock may not exist as an attribute or is False. """ From freeipa-github-notification at redhat.com Wed Apr 5 13:13:04 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 05 Apr 2017 15:13:04 +0200 Subject: [Freeipa-devel] [freeipa PR#693][opened] [tests] collect audit.log for easier selinux investigation Message-ID: URL: https://github.com/freeipa/freeipa/pull/693 Author: MartinBasti Title: #693: [tests] collect audit.log for easier selinux investigation Action: opened PR body: """ Audit log contains useful information about selinux issues """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/693/head:pr693 git checkout pr693 -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-pr-693.patch Type: text/x-diff Size: 1608 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Apr 5 13:26:18 2017 From: freeipa-github-notification at redhat.com (redhatrises) Date: Wed, 05 Apr 2017 15:26:18 +0200 Subject: [Freeipa-devel] [freeipa PR#688][synchronized] Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/688 Author: redhatrises Title: #688: Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/688/head:pr688 git checkout pr688 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-688.patch Type: text/x-diff Size: 5149 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Apr 5 15:05:13 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 05 Apr 2017 17:05:13 +0200 Subject: [Freeipa-devel] [freeipa PR#675][synchronized] [WIP] Fix PKCS11 helper In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/675 Author: MartinBasti Title: #675: [WIP] Fix PKCS11 helper Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/675/head:pr675 git checkout pr675 -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-pr-675.patch Type: text/x-diff Size: 14216 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Apr 5 15:22:47 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 05 Apr 2017 17:22:47 +0200 Subject: [Freeipa-devel] [freeipa PR#694][opened] RFC: implement local PKINIT deployment in server/replica install Message-ID: URL: https://github.com/freeipa/freeipa/pull/694 Author: martbab Title: #694: RFC: implement local PKINIT deployment in server/replica install Action: opened PR body: """ This PR implements a basic local PKINIT functionality for server install with '--no-pkinit' specified, and replica install against older masters or with '--no-pkinit'. These patches unblock WebUI logins/password auths on masters/replicas in the cases proper PKINIT was not configured for whatever reasons. Nevertheless, there are the following things lacking in this PR that I will either push on top of this one or create a new PR: -[ ] removal of anonymous keytab, as it is now useless (and always was) -[ ] upgrade and transitions between PKINIT configurations -[ ] reporting PKINIT state in LDAP -[ ] API for querying the PKINIT status on all masters http://www.freeipa.org/page/V4/Kerberos_PKINIT """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/694/head:pr694 git checkout pr694 -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-pr-694.patch Type: text/x-diff Size: 26869 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Apr 5 15:27:44 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 05 Apr 2017 17:27:44 +0200 Subject: [Freeipa-devel] [freeipa PR#694][edited] RFC: implement local PKINIT deployment in server/replica install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/694 Author: martbab Title: #694: RFC: implement local PKINIT deployment in server/replica install Action: edited Changed field: body Original value: """ This PR implements a basic local PKINIT functionality for server install with '--no-pkinit' specified, and replica install against older masters or with '--no-pkinit'. These patches unblock WebUI logins/password auths on masters/replicas in the cases proper PKINIT was not configured for whatever reasons. Nevertheless, there are the following things lacking in this PR that I will either push on top of this one or create a new PR: -[ ] removal of anonymous keytab, as it is now useless (and always was) -[ ] upgrade and transitions between PKINIT configurations -[ ] reporting PKINIT state in LDAP -[ ] API for querying the PKINIT status on all masters http://www.freeipa.org/page/V4/Kerberos_PKINIT """ From freeipa-github-notification at redhat.com Wed Apr 5 15:56:17 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 05 Apr 2017 17:56:17 +0200 Subject: [Freeipa-devel] [freeipa PR#675][synchronized] [WIP] Fix PKCS11 helper In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/675 Author: MartinBasti Title: #675: [WIP] Fix PKCS11 helper Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/675/head:pr675 git checkout pr675 -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-pr-675.patch Type: text/x-diff Size: 14501 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Apr 5 15:56:53 2017 From: freeipa-github-notification at redhat.com (apophys) Date: Wed, 05 Apr 2017 17:56:53 +0200 Subject: [Freeipa-devel] [freeipa PR#693][+ack] [tests] collect audit.log for easier selinux investigation In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/693 Title: #693: [tests] collect audit.log for easier selinux investigation Label: +ack From freeipa-github-notification at redhat.com Wed Apr 5 16:39:06 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 05 Apr 2017 18:39:06 +0200 Subject: [Freeipa-devel] [freeipa PR#675][edited] [4.5, master] Fix PKCS11 helper In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/675 Author: MartinBasti Title: #675: [4.5, master] Fix PKCS11 helper Action: edited Changed field: title Original value: """ [WIP] Fix PKCS11 helper """ From freeipa-github-notification at redhat.com Wed Apr 5 16:40:48 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 05 Apr 2017 18:40:48 +0200 Subject: [Freeipa-devel] [freeipa PR#675][comment] [4.5, master] Fix PKCS11 helper In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/675 Title: #675: [4.5, master] Fix PKCS11 helper MartinBasti commented: """ In 50% cases DNSSEC works for me :-). Ready for review. 
(The issue was unrelated to PKCS11, I had somehow broken machine probably) """ See the full comment at https://github.com/freeipa/freeipa/pull/675#issuecomment-291921421 From freeipa-github-notification at redhat.com Wed Apr 5 18:52:42 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 05 Apr 2017 20:52:42 +0200 Subject: [Freeipa-devel] [freeipa PR#694][comment] RFC: implement local PKINIT deployment in server/replica install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/694 Title: #694: RFC: implement local PKINIT deployment in server/replica install MartinBasti commented: """ `upgrade and transitions between PKINIT configurations` does this cover: - CA-less to CA-full upgrade? - installed 4.4.4 --- upgraded ---> 4.5.0 --- upgraded ----> 4.5.1 - installed 4.5.0 --- upgraded ---> 4.5.1 ? """ See the full comment at https://github.com/freeipa/freeipa/pull/694#issuecomment-291960041 From freeipa-github-notification at redhat.com Wed Apr 5 19:10:22 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 05 Apr 2017 21:10:22 +0200 Subject: [Freeipa-devel] [freeipa PR#695][opened] Fix PKCS11 helper Message-ID: URL: https://github.com/freeipa/freeipa/pull/695 Author: MartinBasti Title: #695: Fix PKCS11 helper Action: opened PR body: """ Slots in HSM are not assigned statically, we have to choose proper slot from token label. Softhsm i2.2.0 changed this behavior and now slots can change over time (it is allowed by pkcs11 standard). 
Changelog: * created method get_slot() that returns slot number from used label * replaces usage of slot in __init__ method of P11_Helper with label * slot is dynamically detected from token label before session is opened * pkcs11-util --init-token now uses '--free' instead of '--slot' which uses first free slot (we don't care about slot numbers anymore) https://pagure.io/freeipa/issue/6692 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/695/head:pr695 git checkout pr695 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-695.patch Type: text/x-diff Size: 14609 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Apr 5 19:10:32 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 05 Apr 2017 21:10:32 +0200 Subject: [Freeipa-devel] [freeipa PR#695][edited] [4.4] Fix PKCS11 helper In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/695 Author: MartinBasti Title: #695: [4.4] Fix PKCS11 helper Action: edited Changed field: title Original value: """ Fix PKCS11 helper """ From freeipa-github-notification at redhat.com Wed Apr 5 19:16:25 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 05 Apr 2017 21:16:25 +0200 Subject: [Freeipa-devel] [freeipa PR#695][synchronized] [4.4] Fix PKCS11 helper In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/695 Author: MartinBasti Title: #695: [4.4] Fix PKCS11 helper Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/695/head:pr695 git checkout pr695 -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-pr-695.patch Type: text/x-diff Size: 14574 bytes Desc: not available URL: From fbarreto at redhat.com Wed Apr 5 20:10:28 2017 From: fbarreto at redhat.com (Felipe Barreto Volpone) Date: Wed, 5 Apr 2017 16:10:28 -0400 (EDT) Subject: [Freeipa-devel] FreeIPA health check tool PoC In-Reply-To: <1857159671.9261737.1491422700260.JavaMail.zimbra@redhat.com> Message-ID: <235586757.9262738.1491423028220.JavaMail.zimbra@redhat.com> Hi everyone, Some people of our team are working on a simple tool (a PoC actually) for FreeIPA [1]. The idea is to build a tool that can check the state of FreeIPA. In the PoC we are only focusing on certificate related things. What do we have until now? Ideas and a few lines of code. We need more ideas and opinions about the tool. Even though this is just a PoC, do not limit your ideas and proposals because of that. If you have some idea/feature request you can create an issue here: https://github.com/felipevolpone/freeipa-health-checker/issues Also, you can help the project by reviewing the code. Any feedback (and PRs) are welcome. How is this tool different from the Diagnostics Tool [2]? At this point, we have just a PoC and we are testing ideas. A proper IPA health check tool would need a bit of design and research. Now, we are focusing only on the checks themselves. 
[1] https://github.com/felipevolpone/freeipa-health-checker/ [2] http://www.freeipa.org/page/V4/Diagnostics_Tool Best, Felipe Barreto From freeipa-github-notification at redhat.com Thu Apr 6 07:06:39 2017 From: freeipa-github-notification at redhat.com (alex-zel) Date: Thu, 06 Apr 2017 09:06:39 +0200 Subject: [Freeipa-devel] [freeipa PR#689][synchronized] Sort SRV records by priority In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/689 Author: alex-zel Title: #689: Sort SRV records by priority Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/689/head:pr689 git checkout pr689 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-689.patch Type: text/x-diff Size: 2981 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Apr 6 07:48:31 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Thu, 06 Apr 2017 09:48:31 +0200 Subject: [Freeipa-devel] [freeipa PR#694][comment] RFC: implement local PKINIT deployment in server/replica install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/694 Title: #694: RFC: implement local PKINIT deployment in server/replica install martbab commented: """ @MartinBasti I haven't thought about CA-less -> CA-full but in this case you would have local PKINIT and should configure full PKINIT manually All the other scenarios should be covered by the incoming code. Regarding your comment on the certmonger helper/special CA, we (me and @HonzaCholasta ) decided to remove it and use a self-sign CA instead. 
""" See the full comment at https://github.com/freeipa/freeipa/pull/694#issuecomment-292096092 From freeipa-github-notification at redhat.com Thu Apr 6 08:09:20 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 06 Apr 2017 10:09:20 +0200 Subject: [Freeipa-devel] [freeipa PR#693][comment] [tests] collect audit.log for easier selinux investigation In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/693 Title: #693: [tests] collect audit.log for easier selinux investigation MartinBasti commented: """ master: * fd597f83aed53bf3281ce9ec6b94f601868cfc75 collect audit.log for easier selinux investigation """ See the full comment at https://github.com/freeipa/freeipa/pull/693#issuecomment-292100630 From freeipa-github-notification at redhat.com Thu Apr 6 08:09:24 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 06 Apr 2017 10:09:24 +0200 Subject: [Freeipa-devel] [freeipa PR#693][+pushed] [tests] collect audit.log for easier selinux investigation In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/693 Title: #693: [tests] collect audit.log for easier selinux investigation Label: +pushed From freeipa-github-notification at redhat.com Thu Apr 6 08:09:25 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 06 Apr 2017 10:09:25 +0200 Subject: [Freeipa-devel] [freeipa PR#693][closed] [tests] collect audit.log for easier selinux investigation In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/693 Author: MartinBasti Title: #693: [tests] collect audit.log for easier selinux investigation Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/693/head:pr693 git checkout pr693 From freeipa-github-notification at redhat.com Thu Apr 6 08:37:53 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Thu, 06 Apr 2017 10:37:53 +0200 
Subject: [Freeipa-devel] [freeipa PR#671][edited] Slim down dependencies In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/671 Author: tiran Title: #671: Slim down dependencies Action: edited Changed field: title Original value: """ [WIP] Slim down dependencies """ From freeipa-github-notification at redhat.com Thu Apr 6 08:39:41 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Thu, 06 Apr 2017 10:39:41 +0200 Subject: [Freeipa-devel] [freeipa PR#671][synchronized] Slim down dependencies In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/671 Author: tiran Title: #671: Slim down dependencies Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/671/head:pr671 git checkout pr671 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-671.patch Type: text/x-diff Size: 6260 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Apr 6 08:40:21 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Thu, 06 Apr 2017 10:40:21 +0200 Subject: [Freeipa-devel] [freeipa PR#671][edited] Slim down dependencies In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/671 Author: tiran Title: #671: Slim down dependencies Action: edited Changed field: body Original value: """ * Remove unused install requires * Correct dependencies for yubico otptoken * Properly report optional dependency for yubico otptoken * Make jinja2 an optional dependency and csrgen an optional plugin Signed-off-by: Christian Heimes """ From freeipa-github-notification at redhat.com Thu Apr 6 10:54:06 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 06 Apr 2017 12:54:06 +0200 Subject: [Freeipa-devel] [freeipa PR#689][comment] Sort SRV records by priority In-Reply-To: References: Message-ID: URL: 
https://github.com/freeipa/freeipa/pull/689 Title: #689: Sort SRV records by priority MartinBasti commented: """ @alex-zel Please merge your commits into one, thanks. """ See the full comment at https://github.com/freeipa/freeipa/pull/689#issuecomment-292138392 From freeipa-github-notification at redhat.com Thu Apr 6 11:05:01 2017 From: freeipa-github-notification at redhat.com (alex-zel) Date: Thu, 06 Apr 2017 13:05:01 +0200 Subject: [Freeipa-devel] [freeipa PR#689][synchronized] Sort SRV records by priority In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/689 Author: alex-zel Title: #689: Sort SRV records by priority Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/689/head:pr689 git checkout pr689 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-689.patch Type: text/x-diff Size: 4172 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Apr 6 11:05:55 2017 From: freeipa-github-notification at redhat.com (alex-zel) Date: Thu, 06 Apr 2017 13:05:55 +0200 Subject: [Freeipa-devel] [freeipa PR#689][comment] Sort SRV records by priority In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/689 Title: #689: Sort SRV records by priority alex-zel commented: """ Sorry I think I messed up trying to squash the commits """ See the full comment at https://github.com/freeipa/freeipa/pull/689#issuecomment-292140831 From freeipa-github-notification at redhat.com Thu Apr 6 11:13:32 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 06 Apr 2017 13:13:32 +0200 Subject: [Freeipa-devel] [freeipa PR#689][comment] Sort SRV records by priority In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/689 Title: #689: Sort SRV records by priority MartinBasti commented: """ ``` git reset HEAD~3 git add -p git
commit --amend ``` should help """ See the full comment at https://github.com/freeipa/freeipa/pull/689#issuecomment-292142293 From freeipa-github-notification at redhat.com Thu Apr 6 11:14:06 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Thu, 06 Apr 2017 13:14:06 +0200 Subject: [Freeipa-devel] [freeipa PR#677][comment] cert: defer cert-find result post-processing In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/677 Title: #677: cert: defer cert-find result post-processing stlaz commented: """ The patched IPA works better than the current 4.4 and 4.5 branches in terms of options logic, that's good. From the code I am not sure which searches we do miss, could you elaborate on that a bit, please? """ See the full comment at https://github.com/freeipa/freeipa/pull/677#issuecomment-292142416 From freeipa-github-notification at redhat.com Thu Apr 6 13:01:16 2017 From: freeipa-github-notification at redhat.com (abbra) Date: Thu, 06 Apr 2017 15:01:16 +0200 Subject: [Freeipa-devel] [freeipa PR#632][comment] ipa-sam: create the gidNumber attribute in the trusted domain entry In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/632 Title: #632: ipa-sam: create the gidNumber attribute in the trusted domain entry abbra commented: """ LGTM. 
`nltest /sc_verify:ipa.example.test` works thanks to this pull request: ``` C:\Users\Administrator>nltest /sc_query:ipa.example.test Flags: 30 HAS_IP HAS_TIMESERV Trusted DC Name \\master.ipa.example.test Trusted DC Connection Status Status = 0 0x0 NERR_Success The command completed successfully ``` """ See the full comment at https://github.com/freeipa/freeipa/pull/632#issuecomment-292167012 From freeipa-github-notification at redhat.com Thu Apr 6 13:01:39 2017 From: freeipa-github-notification at redhat.com (abbra) Date: Thu, 06 Apr 2017 15:01:39 +0200 Subject: [Freeipa-devel] [freeipa PR#632][+ack] ipa-sam: create the gidNumber attribute in the trusted domain entry In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/632 Title: #632: ipa-sam: create the gidNumber attribute in the trusted domain entry Label: +ack From freeipa-github-notification at redhat.com Thu Apr 6 13:46:15 2017 From: freeipa-github-notification at redhat.com (dkupka) Date: Thu, 06 Apr 2017 15:46:15 +0200 Subject: [Freeipa-devel] [freeipa PR#697][opened] Create system users for FreeIPA services during package installation Message-ID: URL: https://github.com/freeipa/freeipa/pull/697 Author: dkupka Title: #697: Create system users for FreeIPA services during package installation Action: opened PR body: """ Previously system users needed by FreeIPA server services were created during ipa-server-install. This led to a problem when DBus policy was configured during package installation but the user specified in the policy didn't exist yet (and potentially similar ones). Now systemd-sysusers service is used to ensure users freeipa-server package needs exist before any installation or configuration begins. https://pagure.io/freeipa/issue/6743 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/697/head:pr697 git checkout pr697 -------------- next part -------------- A non-text attachment was scrubbed...
Name: freeipa-pr-697.patch Type: text/x-diff Size: 19334 bytes Desc: not available URL: From bind-dyndb-ldap-github-notification at redhat.com Thu Apr 6 15:03:15 2017 From: bind-dyndb-ldap-github-notification at redhat.com (mingzym) Date: Thu, 06 Apr 2017 17:03:15 +0200 Subject: [Freeipa-devel] [bind-dyndb-ldap PR#14][opened] time_t maybe unsigned or long Message-ID: URL: https://github.com/freeipa/bind-dyndb-ldap/pull/14 Author: mingzym Title: #14: time_t maybe unsigned or long Action: opened PR body: """ when compiling with heimdal, the krb5_timestamp is set to long instead of the unsigned in mit-krb5. """ To pull the PR as Git branch: git remote add ghbind-dyndb-ldap https://github.com/freeipa/bind-dyndb-ldap git fetch ghbind-dyndb-ldap pull/14/head:pr14 git checkout pr14 -------------- next part -------------- A non-text attachment was scrubbed... Name: bind-dyndb-ldap-pr-14.patch Type: text/x-diff Size: 881 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Apr 6 15:42:14 2017 From: freeipa-github-notification at redhat.com (tjaalton) Date: Thu, 06 Apr 2017 17:42:14 +0200 Subject: [Freeipa-devel] [freeipa PR#697][comment] Create system users for FreeIPA services during package installation In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/697 Title: #697: Create system users for FreeIPA services during package installation tjaalton commented: """ if I understood the sysusers.d file format correctly, ipa.sysusers.debian.conf would need this line added: m www-data ipaapi as you can see from ipaplatform/debian/constants.py. 
Actually, why not make just one template file ipa.sysusers.conf.in and utilize ipaplatform to substitute values like for most of the conffiles """ See the full comment at https://github.com/freeipa/freeipa/pull/697#issuecomment-292215096 From bind-dyndb-ldap-github-notification at redhat.com Thu Apr 6 15:50:22 2017 From: bind-dyndb-ldap-github-notification at redhat.com (tomaskrizek) Date: Thu, 06 Apr 2017 17:50:22 +0200 Subject: [Freeipa-devel] [bind-dyndb-ldap PR#14][+ack] time_t maybe unsigned or long In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/bind-dyndb-ldap/pull/14 Title: #14: time_t maybe unsigned or long Label: +ack From bind-dyndb-ldap-github-notification at redhat.com Thu Apr 6 15:50:25 2017 From: bind-dyndb-ldap-github-notification at redhat.com (tomaskrizek) Date: Thu, 06 Apr 2017 17:50:25 +0200 Subject: [Freeipa-devel] [bind-dyndb-ldap PR#14][comment] time_t maybe unsigned or long In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/bind-dyndb-ldap/pull/14 Title: #14: time_t maybe unsigned or long tomaskrizek commented: """ Thanks for the contribution! 
""" See the full comment at https://github.com/freeipa/bind-dyndb-ldap/pull/14#issuecomment-292218042 From bind-dyndb-ldap-github-notification at redhat.com Thu Apr 6 15:51:01 2017 From: bind-dyndb-ldap-github-notification at redhat.com (tomaskrizek) Date: Thu, 06 Apr 2017 17:51:01 +0200 Subject: [Freeipa-devel] [bind-dyndb-ldap PR#14][comment] time_t maybe unsigned or long In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/bind-dyndb-ldap/pull/14 Title: #14: time_t maybe unsigned or long tomaskrizek commented: """ master: b81b0a65da908d9c781b1a91a51cad557274d7b9 """ See the full comment at https://github.com/freeipa/bind-dyndb-ldap/pull/14#issuecomment-292218247 From bind-dyndb-ldap-github-notification at redhat.com Thu Apr 6 15:51:04 2017 From: bind-dyndb-ldap-github-notification at redhat.com (tomaskrizek) Date: Thu, 06 Apr 2017 17:51:04 +0200 Subject: [Freeipa-devel] [bind-dyndb-ldap PR#14][closed] time_t maybe unsigned or long In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/bind-dyndb-ldap/pull/14 Author: mingzym Title: #14: time_t maybe unsigned or long Action: closed To pull the PR as Git branch: git remote add ghbind-dyndb-ldap https://github.com/freeipa/bind-dyndb-ldap git fetch ghbind-dyndb-ldap pull/14/head:pr14 git checkout pr14 From bind-dyndb-ldap-github-notification at redhat.com Thu Apr 6 15:51:07 2017 From: bind-dyndb-ldap-github-notification at redhat.com (tomaskrizek) Date: Thu, 06 Apr 2017 17:51:07 +0200 Subject: [Freeipa-devel] [bind-dyndb-ldap PR#14][+pushed] time_t maybe unsigned or long In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/bind-dyndb-ldap/pull/14 Title: #14: time_t maybe unsigned or long Label: +pushed From bind-dyndb-ldap-github-notification at redhat.com Thu Apr 6 15:56:30 2017 From: bind-dyndb-ldap-github-notification at redhat.com (tomaskrizek) Date: Thu, 06 Apr 2017 17:56:30 +0200 Subject: [Freeipa-devel] [bind-dyndb-ldap PR#12][+ack] README.md: fix markdown 
formatting In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/bind-dyndb-ldap/pull/12 Title: #12: README.md: fix markdown formatting Label: +ack From bind-dyndb-ldap-github-notification at redhat.com Thu Apr 6 15:56:50 2017 From: bind-dyndb-ldap-github-notification at redhat.com (tomaskrizek) Date: Thu, 06 Apr 2017 17:56:50 +0200 Subject: [Freeipa-devel] [bind-dyndb-ldap PR#12][comment] README.md: fix markdown formatting In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/bind-dyndb-ldap/pull/12 Title: #12: README.md: fix markdown formatting tomaskrizek commented: """ master: - a9ffcc8eb190d5dc01e018abb9f8bba2013ab5e2 - 55c2ffc2b3aef3e9cf7c9131e40a1057b032527b """ See the full comment at https://github.com/freeipa/bind-dyndb-ldap/pull/12#issuecomment-292220201 From bind-dyndb-ldap-github-notification at redhat.com Thu Apr 6 15:56:53 2017 From: bind-dyndb-ldap-github-notification at redhat.com (tomaskrizek) Date: Thu, 06 Apr 2017 17:56:53 +0200 Subject: [Freeipa-devel] [bind-dyndb-ldap PR#12][closed] README.md: fix markdown formatting In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/bind-dyndb-ldap/pull/12 Author: tomaskrizek Title: #12: README.md: fix markdown formatting Action: closed To pull the PR as Git branch: git remote add ghbind-dyndb-ldap https://github.com/freeipa/bind-dyndb-ldap git fetch ghbind-dyndb-ldap pull/12/head:pr12 git checkout pr12 From bind-dyndb-ldap-github-notification at redhat.com Thu Apr 6 15:56:56 2017 From: bind-dyndb-ldap-github-notification at redhat.com (tomaskrizek) Date: Thu, 06 Apr 2017 17:56:56 +0200 Subject: [Freeipa-devel] [bind-dyndb-ldap PR#12][+pushed] README.md: fix markdown formatting In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/bind-dyndb-ldap/pull/12 Title: #12: README.md: fix markdown formatting Label: +pushed From bind-dyndb-ldap-github-notification at redhat.com Thu Apr 6 15:57:15 2017 From: bind-dyndb-ldap-github-notification at redhat.com 
(tomaskrizek) Date: Thu, 06 Apr 2017 17:57:15 +0200 Subject: [Freeipa-devel] [bind-dyndb-ldap PR#11][+ack] Coverity: fix REVERSE_INULL for pevent->inst In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/bind-dyndb-ldap/pull/11 Title: #11: Coverity: fix REVERSE_INULL for pevent->inst Label: +ack From bind-dyndb-ldap-github-notification at redhat.com Thu Apr 6 16:00:58 2017 From: bind-dyndb-ldap-github-notification at redhat.com (tomaskrizek) Date: Thu, 06 Apr 2017 18:00:58 +0200 Subject: [Freeipa-devel] [bind-dyndb-ldap PR#11][comment] Coverity: fix REVERSE_INULL for pevent->inst In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/bind-dyndb-ldap/pull/11 Title: #11: Coverity: fix REVERSE_INULL for pevent->inst tomaskrizek commented: """ master: - 13b185182aeb48562cf63251b84bcf910b57a0fc """ See the full comment at https://github.com/freeipa/bind-dyndb-ldap/pull/11#issuecomment-292221521 From bind-dyndb-ldap-github-notification at redhat.com Thu Apr 6 16:01:05 2017 From: bind-dyndb-ldap-github-notification at redhat.com (tomaskrizek) Date: Thu, 06 Apr 2017 18:01:05 +0200 Subject: [Freeipa-devel] [bind-dyndb-ldap PR#11][closed] Coverity: fix REVERSE_INULL for pevent->inst In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/bind-dyndb-ldap/pull/11 Author: tomaskrizek Title: #11: Coverity: fix REVERSE_INULL for pevent->inst Action: closed To pull the PR as Git branch: git remote add ghbind-dyndb-ldap https://github.com/freeipa/bind-dyndb-ldap git fetch ghbind-dyndb-ldap pull/11/head:pr11 git checkout pr11 From bind-dyndb-ldap-github-notification at redhat.com Thu Apr 6 16:01:10 2017 From: bind-dyndb-ldap-github-notification at redhat.com (tomaskrizek) Date: Thu, 06 Apr 2017 18:01:10 +0200 Subject: [Freeipa-devel] [bind-dyndb-ldap PR#11][+pushed] Coverity: fix REVERSE_INULL for pevent->inst In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/bind-dyndb-ldap/pull/11 Title: #11: Coverity: fix 
REVERSE_INULL for pevent->inst Label: +pushed From freeipa-github-notification at redhat.com Thu Apr 6 17:47:27 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Thu, 06 Apr 2017 19:47:27 +0200 Subject: [Freeipa-devel] [freeipa PR#694][synchronized] RFC: implement local PKINIT deployment in server/replica install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/694 Author: martbab Title: #694: RFC: implement local PKINIT deployment in server/replica install Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/694/head:pr694 git checkout pr694 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-694.patch Type: text/x-diff Size: 25427 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Apr 6 17:47:37 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Thu, 06 Apr 2017 19:47:37 +0200 Subject: [Freeipa-devel] [freeipa PR#694][edited] RFC: implement local PKINIT deployment in server/replica install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/694 Author: martbab Title: #694: RFC: implement local PKINIT deployment in server/replica install Action: edited Changed field: body Original value: """ This PR implements a basic local PKINIT functionality for server install with '--no-pkinit' specified, and replica install against older masters or with '--no-pkinit'. These patches unblock WebUI logins/password auths on masters/replicas in the cases proper PKINIT was not configured for whatever reasons. 
Nevertheless, there are the following things lacking in this PR that I will either push on top of this one or create a new PR: - [ ] removal of anonymous keytab, as it is now useless (and always was) - [ ] upgrade and transitions between PKINIT configurations - [ ] reporting PKINIT state in LDAP - [ ] API for querying the PKINIT status on all masters http://www.freeipa.org/page/V4/Kerberos_PKINIT """ From freeipa-github-notification at redhat.com Thu Apr 6 17:47:41 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Thu, 06 Apr 2017 19:47:41 +0200 Subject: [Freeipa-devel] [freeipa PR#694][edited] RFC: implement local PKINIT deployment in server/replica install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/694 Author: martbab Title: #694: RFC: implement local PKINIT deployment in server/replica install Action: edited Changed field: body Original value: """ This PR implements a basic local PKINIT functionality for server install with '--no-pkinit' specified, and replica install against older masters or with '--no-pkinit'. These patches unblock WebUI logins/password auths on masters/replicas in the cases proper PKINIT was not configured for whatever reasons.
Nevertheless, there are the following things lacking in this PR that I will either push on top of this one or create a new PR: - [x] removal of anonymous keytab, as it is now useless (and always was) - [ ] upgrade and transitions between PKINIT configurations - [ ] reporting PKINIT state in LDAP - [ ] API for querying the PKINIT status on all masters http://www.freeipa.org/page/V4/Kerberos_PKINIT """ From freeipa-github-notification at redhat.com Thu Apr 6 17:47:45 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Thu, 06 Apr 2017 19:47:45 +0200 Subject: [Freeipa-devel] [freeipa PR#694][edited] RFC: implement local PKINIT deployment in server/replica install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/694 Author: martbab Title: #694: RFC: implement local PKINIT deployment in server/replica install Action: edited Changed field: body Original value: """ This PR implements a basic local PKINIT functionality for server install with '--no-pkinit' specified, and replica install against older masters or with '--no-pkinit'. These patches unblock WebUI logins/password auths on masters/replicas in the cases proper PKINIT was not configured for whatever reasons.
Nevertheless, there are the following things lacking in this PR that I will either push on top of this one or create a new PR: - [x] removal of anonymous keytab, as it is now useless (and always was) - [x] upgrade and transitions between PKINIT configurations - [ ] reporting PKINIT state in LDAP - [ ] API for querying the PKINIT status on all masters http://www.freeipa.org/page/V4/Kerberos_PKINIT """ From freeipa-github-notification at redhat.com Thu Apr 6 17:49:35 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Thu, 06 Apr 2017 19:49:35 +0200 Subject: [Freeipa-devel] [freeipa PR#694][comment] RFC: implement local PKINIT deployment in server/replica install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/694 Title: #694: RFC: implement local PKINIT deployment in server/replica install martbab commented: """ I have re-worked the PR and implemented most of the missing steps (except for API for querying PKINIT status in topology). I have also removed the PKINIT-specific CA and helper. The installer will now call either `IPA` or self-sign CA depending on configuration and passed-in options. The PKINIT state recording was also changed to depend on the KDC certificate tracking status and CA that tracks it. """ See the full comment at https://github.com/freeipa/freeipa/pull/694#issuecomment-292254190 From freeipa-github-notification at redhat.com Thu Apr 6 19:57:08 2017 From: freeipa-github-notification at redhat.com (redhatrises) Date: Thu, 06 Apr 2017 21:57:08 +0200 Subject: [Freeipa-devel] [freeipa PR#688][comment] Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/688 Title: #688: Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches redhatrises commented: """ @HonzaCholasta ready for your review.
""" See the full comment at https://github.com/freeipa/freeipa/pull/688#issuecomment-292297176 From freeipa-github-notification at redhat.com Thu Apr 6 19:58:11 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 06 Apr 2017 21:58:11 +0200 Subject: [Freeipa-devel] [freeipa PR#694][comment] RFC: implement local PKINIT deployment in server/replica install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/694 Title: #694: RFC: implement local PKINIT deployment in server/replica install MartinBasti commented: """ Should be anon keytab removed by upgrade, are there any leftovers in LDAP to be removed during upgrade? """ See the full comment at https://github.com/freeipa/freeipa/pull/694#issuecomment-292297598 From bind-dyndb-ldap-github-notification at redhat.com Fri Apr 7 02:13:33 2017 From: bind-dyndb-ldap-github-notification at redhat.com (mingzym) Date: Fri, 07 Apr 2017 04:13:33 +0200 Subject: [Freeipa-devel] [bind-dyndb-ldap PR#15][opened] ignore what configure and make produced Message-ID: URL: https://github.com/freeipa/bind-dyndb-ldap/pull/15 Author: mingzym Title: #15: ignore what configure and make produced Action: opened PR body: """ let's ignore all the files configure and make created. """ To pull the PR as Git branch: git remote add ghbind-dyndb-ldap https://github.com/freeipa/bind-dyndb-ldap git fetch ghbind-dyndb-ldap pull/15/head:pr15 git checkout pr15 -------------- next part -------------- A non-text attachment was scrubbed... 
Name: bind-dyndb-ldap-pr-15.patch Type: text/x-diff Size: 1203 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Apr 7 07:28:22 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Fri, 07 Apr 2017 09:28:22 +0200 Subject: [Freeipa-devel] [freeipa PR#697][comment] Create system users for FreeIPA services during package installation In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/697 Title: #697: Create system users for FreeIPA services during package installation HonzaCholasta commented: """ Note that systemd-sysusers is not available in RHEL and CentOS. It might be better to use the sssd approach: https://github.com/SSSD/sssd/blob/master/contrib/sssd.spec.in#L1228. """ See the full comment at https://github.com/freeipa/freeipa/pull/697#issuecomment-292462863 From freeipa-github-notification at redhat.com Fri Apr 7 07:28:50 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Fri, 07 Apr 2017 09:28:50 +0200 Subject: [Freeipa-devel] [freeipa PR#618][synchronized] Tox testing support for client wheel packages In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/618 Author: tiran Title: #618: Tox testing support for client wheel packages Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/618/head:pr618 git checkout pr618 -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-pr-618.patch Type: text/x-diff Size: 9613 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Apr 7 07:29:58 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Fri, 07 Apr 2017 09:29:58 +0200 Subject: [Freeipa-devel] [freeipa PR#618][synchronized] Tox testing support for client wheel packages In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/618 Author: tiran Title: #618: Tox testing support for client wheel packages Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/618/head:pr618 git checkout pr618 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-618.patch Type: text/x-diff Size: 9359 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Apr 7 07:36:37 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Fri, 07 Apr 2017 09:36:37 +0200 Subject: [Freeipa-devel] [freeipa PR#697][comment] Create system users for FreeIPA services during package installation In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/697 Title: #697: Create system users for FreeIPA services during package installation tiran commented: """ Originally I used a similar approach for the kdcproxy user based on the snippet https://fedoraproject.org/wiki/Packaging:UsersAndGroups#Soft_static_allocation . You changed it in ticket https://pagure.io/freeipa/issue/5314 because the approach violates packaging guidelines. 
""" See the full comment at https://github.com/freeipa/freeipa/pull/697#issuecomment-292464389 From bind-dyndb-ldap-github-notification at redhat.com Fri Apr 7 07:38:54 2017 From: bind-dyndb-ldap-github-notification at redhat.com (tomaskrizek) Date: Fri, 07 Apr 2017 09:38:54 +0200 Subject: [Freeipa-devel] [bind-dyndb-ldap PR#15][comment] ignore what configure and make produced In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/bind-dyndb-ldap/pull/15 Title: #15: ignore what configure and make produced tomaskrizek commented: """ I think the *.lo part is needlessly verbose, since we can ignore all generated files anyway. Could you please change the `make` part to ignore the entire extension instead of the individual files? ``` *.la *.lo ``` """ See the full comment at https://github.com/freeipa/bind-dyndb-ldap/pull/15#issuecomment-292464848 From freeipa-github-notification at redhat.com Fri Apr 7 07:39:06 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Fri, 07 Apr 2017 09:39:06 +0200 Subject: [Freeipa-devel] [freeipa PR#698][opened] install: request service certs after host keytab is set up Message-ID: URL: https://github.com/freeipa/freeipa/pull/698 Author: HonzaCholasta Title: #698: install: request service certs after host keytab is set up Action: opened PR body: """ **dsinstance: reconnect ldap2 after DS is restarted by certmonger** DS is restarted by certmonger in the restart_dirsrv script after the DS certificate is saved. This breaks the ldap2 backend and makes any operation fail with NetworkError until it is reconnected. Reconnect ldap2 after the DS certificate request is finished to fix the issue. Make sure restart_dirsrv waits for the ldapi socket so that the reconnect does not fail. **httpinstance: avoid httpd restart during certificate request** httpd is restarted by certmonger in the restart_httpd script after the httpd certificate is saved if it was previously running. 
The restart will fail because httpd is not properly configured at this point. Stop httpd at the beginning of httpd install to avoid the restart. **dsinstance, httpinstance: consolidate certificate request code** A different code path is used for DS and httpd certificate requests in replica promotion. This is rather unnecessary and makes the certificate request code not easy to follow. Consolidate the non-promotion and promotion code paths into one. **install: request service certs after host keytab is set up** The certmonger renew agent and restart scripts use host keytab for authentication. When they are executed during a certmonger request before the host keytab is set up, the authentication will fail. Make sure all certmonger requests in the installer are done after the host keytab is set up. **renew agent: revert to host keytab authentication** Fixes an issue where the renew agent uses GSSAPI for LDAP connection but fails because it is not authenticated. This reverts commit 7462adec13c5b25b6868d2863dc38062c97d0ff7. **renew agent, restart scripts: connect to LDAP after kinit** Connect to LDAP after kinit is done, otherwise GSSAPI authentication will fail. https://pagure.io/freeipa/issue/6757 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/698/head:pr698 git checkout pr698 -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-pr-698.patch Type: text/x-diff Size: 27725 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Apr 7 07:50:23 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Fri, 07 Apr 2017 09:50:23 +0200 Subject: [Freeipa-devel] [freeipa PR#697][comment] Create system users for FreeIPA services during package installation In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/697 Title: #697: Create system users for FreeIPA services during package installation HonzaCholasta commented: """ Ah, right, rpmdiff complained about that. Well, that was 2 years ago, and if it works for sssd it must also work for us, so I guess we should ignore rpmdiff. """ See the full comment at https://github.com/freeipa/freeipa/pull/697#issuecomment-292467153 From freeipa-github-notification at redhat.com Fri Apr 7 08:38:03 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Fri, 07 Apr 2017 10:38:03 +0200 Subject: [Freeipa-devel] [freeipa PR#694][comment] RFC: implement local PKINIT deployment in server/replica install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/694 Title: #694: RFC: implement local PKINIT deployment in server/replica install martbab commented: """ @MartinBasti I can add some removal logic to upgrader if required. 
""" See the full comment at https://github.com/freeipa/freeipa/pull/694#issuecomment-292477063 From jhrozek at redhat.com Fri Apr 7 08:38:55 2017 From: jhrozek at redhat.com (Jakub Hrozek) Date: Fri, 7 Apr 2017 10:38:55 +0200 Subject: [Freeipa-devel] [SSSD] [RFC] Matching and Mapping Certificates In-Reply-To: <20161006104930.GC22626@p.Speedport_W_724V_Typ_A_05011603_00_009> References: <20161006104930.GC22626@p.Speedport_W_724V_Typ_A_05011603_00_009> Message-ID: <20170407083855.ut62ev3cj5toq62g@hendrix> On Thu, Oct 06, 2016 at 12:49:30PM +0200, Sumit Bose wrote: > Hi, > > I've started to write a SSSD design page about enhancing the current > mapping of certificates to users and how to select/match a suitable > certificate if multiple certificates are on a Smartcard. > > My currently thoughts and idea and be found at > https://fedorahosted.org/sssd/wiki/DesignDocs/MatchingAndMappingCertificates > and for your convenience below as well. > > Comments and suggestions are welcome. Please let me know about concerns, > alternatives and missing use-cases/user-stories. > > bye, > Sumit I converted the page to pagure markdown: https://docs.pagure.org/SSSD.sssd/design_pages/matching_and_mapping_certificates.html There are no changes to the content except for fixing typos. 
From sbose at redhat.com Fri Apr 7 08:58:30 2017 From: sbose at redhat.com (Sumit Bose) Date: Fri, 7 Apr 2017 10:58:30 +0200 Subject: [Freeipa-devel] [SSSD] [RFC] Matching and Mapping Certificates In-Reply-To: <20170407083855.ut62ev3cj5toq62g@hendrix> References: <20161006104930.GC22626@p.Speedport_W_724V_Typ_A_05011603_00_009> <20170407083855.ut62ev3cj5toq62g@hendrix> Message-ID: <20170407085830.GU3438@p.Speedport_W_724V_Typ_A_05011603_00_011> On Fri, Apr 07, 2017 at 10:38:55AM +0200, Jakub Hrozek wrote: > On Thu, Oct 06, 2016 at 12:49:30PM +0200, Sumit Bose wrote: > > Hi, > > > > I've started to write a SSSD design page about enhancing the current > > mapping of certificates to users and how to select/match a suitable > > certificate if multiple certificates are on a Smartcard. > > > > My current thoughts and ideas can be found at > > https://fedorahosted.org/sssd/wiki/DesignDocs/MatchingAndMappingCertificates > > and for your convenience below as well. > > > > Comments and suggestions are welcome. Please let me know about concerns, > > alternatives and missing use-cases/user-stories. > > > > bye, > > Sumit > > I converted the page to pagure markdown: > https://docs.pagure.org/SSSD.sssd/design_pages/matching_and_mapping_certificates.html > > There are no changes to the content except for fixing typos. Thank you for doing the conversion and fixing the typos. I will now update the page to reflect the current state of the code.
bye, Sumit From freeipa-github-notification at redhat.com Fri Apr 7 09:09:46 2017 From: freeipa-github-notification at redhat.com (adelton) Date: Fri, 07 Apr 2017 11:09:46 +0200 Subject: [Freeipa-devel] [freeipa PR#697][comment] Create system users for FreeIPA services during package installation In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/697 Title: #697: Create system users for FreeIPA services during package installation adelton commented: """ > Previously system users needed by FreeIPA server services were created during > ipa-server-install. Actually, for any such case I found I filed bugzilla or ticket to get them created during rpm installation. > This led to problem when DBus policy was configured during > package installation but the user specified in the policy didn't exist yet (and > potentially similar ones). Now systemd-sysusers service is used to ensure > users freeipa-server package needs exist before any installation or > configuration begins. Please do not use systemd-sysusers, create the group/user entries during rpm installation. """ See the full comment at https://github.com/freeipa/freeipa/pull/697#issuecomment-292483893 From freeipa-github-notification at redhat.com Fri Apr 7 09:28:54 2017 From: freeipa-github-notification at redhat.com (adelton) Date: Fri, 07 Apr 2017 11:28:54 +0200 Subject: [Freeipa-devel] [freeipa PR#697][comment] Create system users for FreeIPA services during package installation In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/697 Title: #697: Create system users for FreeIPA services during package installation adelton commented: """ > I don't think we should do that and rather fail early if the user is missing. 
+1 """ See the full comment at https://github.com/freeipa/freeipa/pull/697#issuecomment-292488251 From freeipa-github-notification at redhat.com Fri Apr 7 09:29:57 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Fri, 07 Apr 2017 11:29:57 +0200 Subject: [Freeipa-devel] [freeipa PR#697][comment] Create system users for FreeIPA services during package installation In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/697 Title: #697: Create system users for FreeIPA services during package installation martbab commented: """ Right, we do not have systemd available during Docker image build so some fallback mechanism directly in spec would be great. Otherwise we would have to work around this in containers and I am not a big fan of that. """ See the full comment at https://github.com/freeipa/freeipa/pull/697#issuecomment-292488467 From bind-dyndb-ldap-github-notification at redhat.com Fri Apr 7 10:20:52 2017 From: bind-dyndb-ldap-github-notification at redhat.com (tomaskrizek) Date: Fri, 07 Apr 2017 12:20:52 +0200 Subject: [Freeipa-devel] [bind-dyndb-ldap PR#16][opened] spec: remove unnecessary bind-pkcs11 dependency Message-ID: URL: https://github.com/freeipa/bind-dyndb-ldap/pull/16 Author: tomaskrizek Title: #16: spec: remove unnecessary bind-pkcs11 dependency Action: opened PR body: """ The bind-pkcs11 dependency was originally introduced in Fedora specfile in 2014 to help with ipa-server-upgrade. This was a temporary workaround. Since Fedora life cycle is 13 months and this change happened more than two years ago, it is safe to remove the workaround. bind-dyndb-ldap does not actually depend on bind-pkcs11, although it is a dependency that is enforced by freeipa. """ To pull the PR as Git branch: git remote add ghbind-dyndb-ldap https://github.com/freeipa/bind-dyndb-ldap git fetch ghbind-dyndb-ldap pull/16/head:pr16 git checkout pr16 -------------- next part -------------- A non-text attachment was scrubbed... 
Name: bind-dyndb-ldap-pr-16.patch Type: text/x-diff Size: 1956 bytes Desc: not available URL: From bind-dyndb-ldap-github-notification at redhat.com Fri Apr 7 10:22:24 2017 From: bind-dyndb-ldap-github-notification at redhat.com (MartinBasti) Date: Fri, 07 Apr 2017 12:22:24 +0200 Subject: [Freeipa-devel] [bind-dyndb-ldap PR#16][comment] spec: remove unnecessary bind-pkcs11 dependency In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/bind-dyndb-ldap/pull/16 Title: #16: spec: remove unnecessary bind-pkcs11 dependency MartinBasti commented: """ LGTM """ See the full comment at https://github.com/freeipa/bind-dyndb-ldap/pull/16#issuecomment-292500650 From bind-dyndb-ldap-github-notification at redhat.com Fri Apr 7 10:24:12 2017 From: bind-dyndb-ldap-github-notification at redhat.com (tomaskrizek) Date: Fri, 07 Apr 2017 12:24:12 +0200 Subject: [Freeipa-devel] [bind-dyndb-ldap PR#16][+ack] spec: remove unnecessary bind-pkcs11 dependency In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/bind-dyndb-ldap/pull/16 Title: #16: spec: remove unnecessary bind-pkcs11 dependency Label: +ack From bind-dyndb-ldap-github-notification at redhat.com Fri Apr 7 10:29:10 2017 From: bind-dyndb-ldap-github-notification at redhat.com (tomaskrizek) Date: Fri, 07 Apr 2017 12:29:10 +0200 Subject: [Freeipa-devel] [bind-dyndb-ldap PR#16][comment] spec: remove unnecessary bind-pkcs11 dependency In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/bind-dyndb-ldap/pull/16 Title: #16: spec: remove unnecessary bind-pkcs11 dependency tomaskrizek commented: """ master: - 4fb51bac7f4f739975a2afb857b686869eff92b6 """ See the full comment at https://github.com/freeipa/bind-dyndb-ldap/pull/16#issuecomment-292502794 From bind-dyndb-ldap-github-notification at redhat.com Fri Apr 7 10:29:14 2017 From: bind-dyndb-ldap-github-notification at redhat.com (tomaskrizek) Date: Fri, 07 Apr 2017 12:29:14 +0200 Subject: [Freeipa-devel] [bind-dyndb-ldap PR#16][closed] 
spec: remove unnecessary bind-pkcs11 dependency In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/bind-dyndb-ldap/pull/16 Author: tomaskrizek Title: #16: spec: remove unnecessary bind-pkcs11 dependency Action: closed To pull the PR as Git branch: git remote add ghbind-dyndb-ldap https://github.com/freeipa/bind-dyndb-ldap git fetch ghbind-dyndb-ldap pull/16/head:pr16 git checkout pr16 From bind-dyndb-ldap-github-notification at redhat.com Fri Apr 7 10:29:18 2017 From: bind-dyndb-ldap-github-notification at redhat.com (tomaskrizek) Date: Fri, 07 Apr 2017 12:29:18 +0200 Subject: [Freeipa-devel] [bind-dyndb-ldap PR#16][+pushed] spec: remove unnecessary bind-pkcs11 dependency In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/bind-dyndb-ldap/pull/16 Title: #16: spec: remove unnecessary bind-pkcs11 dependency Label: +pushed From freeipa-github-notification at redhat.com Fri Apr 7 10:39:05 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 07 Apr 2017 12:39:05 +0200 Subject: [Freeipa-devel] [freeipa PR#632][+pushed] ipa-sam: create the gidNumber attribute in the trusted domain entry In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/632 Title: #632: ipa-sam: create the gidNumber attribute in the trusted domain entry Label: +pushed From freeipa-github-notification at redhat.com Fri Apr 7 10:39:12 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 07 Apr 2017 12:39:12 +0200 Subject: [Freeipa-devel] [freeipa PR#632][comment] ipa-sam: create the gidNumber attribute in the trusted domain entry In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/632 Title: #632: ipa-sam: create the gidNumber attribute in the trusted domain entry MartinBasti commented: """ master: * e052c2dce04f5ce147dc2b6804f44705fa4d69df ipa-sam: create the gidNumber attribute in the trusted domain entry * 5405de5bc15941d71137af10aa66a6cf922d9e6d Upgrade: add 
gidnumber to trusted domain entry ipa-4-5: * 91d36941653476abfff6a54ba7cb5a9f2c12c22d ipa-sam: create the gidNumber attribute in the trusted domain entry * eddd29f1d52d63ea702437b0dd2a2826df52bc26 Upgrade: add gidnumber to trusted domain entry """ See the full comment at https://github.com/freeipa/freeipa/pull/632#issuecomment-292504625 From freeipa-github-notification at redhat.com Fri Apr 7 10:39:14 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 07 Apr 2017 12:39:14 +0200 Subject: [Freeipa-devel] [freeipa PR#632][closed] ipa-sam: create the gidNumber attribute in the trusted domain entry In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/632 Author: flo-renaud Title: #632: ipa-sam: create the gidNumber attribute in the trusted domain entry Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/632/head:pr632 git checkout pr632 From freeipa-github-notification at redhat.com Fri Apr 7 10:45:16 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Fri, 07 Apr 2017 12:45:16 +0200 Subject: [Freeipa-devel] [freeipa PR#692][+ack] tests: add non-reg for idrange-add In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/692 Title: #692: tests: add non-reg for idrange-add Label: +ack From freeipa-github-notification at redhat.com Fri Apr 7 10:46:06 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Fri, 07 Apr 2017 12:46:06 +0200 Subject: [Freeipa-devel] [freeipa PR#692][+pushed] tests: add non-reg for idrange-add In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/692 Title: #692: tests: add non-reg for idrange-add Label: +pushed From freeipa-github-notification at redhat.com Fri Apr 7 10:46:09 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Fri, 07 Apr 2017 12:46:09 +0200 Subject: [Freeipa-devel] [freeipa PR#692][comment] 
tests: add non-reg for idrange-add In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/692 Title: #692: tests: add non-reg for idrange-add martbab commented: """ master: * 342dccea47f6cb14cda63f75789eab51070fb3f6 tests: add non-reg for idrange-add ipa-4-5: * ab2706721db217d55ae549d50a95ace571e65aa6 tests: add non-reg for idrange-add """ See the full comment at https://github.com/freeipa/freeipa/pull/692#issuecomment-292505832 From freeipa-github-notification at redhat.com Fri Apr 7 10:46:12 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Fri, 07 Apr 2017 12:46:12 +0200 Subject: [Freeipa-devel] [freeipa PR#692][closed] tests: add non-reg for idrange-add In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/692 Author: flo-renaud Title: #692: tests: add non-reg for idrange-add Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/692/head:pr692 git checkout pr692 From freeipa-github-notification at redhat.com Fri Apr 7 12:05:11 2017 From: freeipa-github-notification at redhat.com (neffs) Date: Fri, 07 Apr 2017 14:05:11 +0200 Subject: [Freeipa-devel] [freeipa PR#699][opened] Fix libkrb5 filename for macOS Message-ID: URL: https://github.com/freeipa/freeipa/pull/699 Author: neffs Title: #699: Fix libkrb5 filename for macOS Action: opened PR body: """ libkrb5.so.3 is called libkrb5.dylib on macOS """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/699/head:pr699 git checkout pr699 -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-pr-699.patch Type: text/x-diff Size: 860 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Apr 7 12:29:10 2017 From: freeipa-github-notification at redhat.com (abbra) Date: Fri, 07 Apr 2017 14:29:10 +0200 Subject: [Freeipa-devel] [freeipa PR#699][comment] Fix libkrb5 filename for macOS In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/699 Title: #699: Fix libkrb5 filename for macOS abbra commented: """ Thanks. Do you have IPA client code working on Mac OS X? """ See the full comment at https://github.com/freeipa/freeipa/pull/699#issuecomment-292523505 From freeipa-github-notification at redhat.com Fri Apr 7 12:34:05 2017 From: freeipa-github-notification at redhat.com (neffs) Date: Fri, 07 Apr 2017 14:34:05 +0200 Subject: [Freeipa-devel] [freeipa PR#699][comment] Fix libkrb5 filename for macOS In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/699 Title: #699: Fix libkrb5 filename for macOS neffs commented: """ It connects via RPC and user-show works. Didn't check much further. I also created an issue: https://pagure.io/freeipa/issue/6850 """ See the full comment at https://github.com/freeipa/freeipa/pull/699#issuecomment-292524463 
From freeipa-github-notification at redhat.com Fri Apr 7 12:49:51 2017 From: freeipa-github-notification at redhat.com (abbra) Date: Fri, 07 Apr 2017 14:49:51 +0200 Subject: [Freeipa-devel] [freeipa PR#699][comment] Fix libkrb5 filename for macOS In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/699 Title: #699: Fix libkrb5 filename for macOS abbra commented: """ Ok. Let me look at it next week when I'll have time. Could you please add a short step by step instruction how you configured IPA client on Mac OS X? """ See the full comment at https://github.com/freeipa/freeipa/pull/699#issuecomment-292527660 From freeipa-github-notification at redhat.com Fri Apr 7 12:51:25 2017 From: freeipa-github-notification at redhat.com (abbra) Date: Fri, 07 Apr 2017 14:51:25 +0200 Subject: [Freeipa-devel] [freeipa PR#699][comment] Fix libkrb5 filename for macOS In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/699 Title: #699: Fix libkrb5 filename for macOS abbra commented: """ There is a PEP8 error: PEP-8 errors: ./ipapython/session_storage.py:11:21: E225 missing whitespace around operator """ See the full comment at https://github.com/freeipa/freeipa/pull/699#issuecomment-292527976 From freeipa-github-notification at redhat.com Fri Apr 7 13:02:14 2017 From: freeipa-github-notification at redhat.com (neffs) Date: Fri, 07 Apr 2017 15:02:14 +0200 Subject: [Freeipa-devel] [freeipa PR#699][synchronized] Fix libkrb5 filename for macOS In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/699 Author: neffs Title: #699: Fix libkrb5 filename for macOS Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/699/head:pr699 git checkout pr699 -------------- next part 
-------------- A non-text attachment was scrubbed... Name: freeipa-pr-699.patch Type: text/x-diff Size: 1578 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Apr 7 13:10:51 2017 From: freeipa-github-notification at redhat.com (neffs) Date: Fri, 07 Apr 2017 15:10:51 +0200 Subject: [Freeipa-devel] [freeipa PR#699][comment] Fix libkrb5 filename for macOS In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/699 Title: #699: Fix libkrb5 filename for macOS neffs commented: """ I added the steps here: https://pagure.io/freeipa/issue/6850 """ See the full comment at https://github.com/freeipa/freeipa/pull/699#issuecomment-292532086 From freeipa-github-notification at redhat.com Fri Apr 7 13:14:35 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Fri, 07 Apr 2017 15:14:35 +0200 Subject: [Freeipa-devel] [freeipa PR#700][opened] Use entry_points for ipa CLI Message-ID: URL: https://github.com/freeipa/freeipa/pull/700 Author: tiran Title: #700: Use entry_points for ipa CLI Action: opened PR body: """ Fix problem with hard-coded shebang in ipa command line tool by using a proper setuptools entry point for the console script. ipaclient is now an executable Python package, too. ``` $ python -m ipaclient ping ``` is equivalent to ``` $ ipa ping ``` Related: https://pagure.io/freeipa/issue/6653 Closes: https://pagure.io/freeipa/issue/6850 Signed-off-by: Christian Heimes """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/700/head:pr700 git checkout pr700 -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-pr-700.patch Type: text/x-diff Size: 2272 bytes Desc: not available URL: From bind-dyndb-ldap-github-notification at redhat.com Fri Apr 7 13:15:55 2017 From: bind-dyndb-ldap-github-notification at redhat.com (tomaskrizek) Date: Fri, 07 Apr 2017 15:15:55 +0200 Subject: [Freeipa-devel] [bind-dyndb-ldap PR#17][opened] settings: skip unconfigured values Message-ID: URL: https://github.com/freeipa/bind-dyndb-ldap/pull/17 Author: tomaskrizek Title: #17: settings: skip unconfigured values Action: opened PR body: """ When a value is not configured in settings map, it is skipped. If it is the last processed value, the result of ISC_R_NOTFOUND would cause the cleanup section of the function to fail. Since unconfigured values are allowed and expected, override the result to ISC_R_SUCCESS in this case to prevent triggering an error. https://pagure.io/bind-dyndb-ldap/issue/172 --- Also removed obsolete options from the map. """ To pull the PR as Git branch: git remote add ghbind-dyndb-ldap https://github.com/freeipa/bind-dyndb-ldap git fetch ghbind-dyndb-ldap pull/17/head:pr17 git checkout pr17 -------------- next part -------------- A non-text attachment was scrubbed... Name: bind-dyndb-ldap-pr-17.patch Type: text/x-diff Size: 3179 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Apr 7 13:18:24 2017 From: freeipa-github-notification at redhat.com (neffs) Date: Fri, 07 Apr 2017 15:18:24 +0200 Subject: [Freeipa-devel] [freeipa PR#699][synchronized] Fix libkrb5 filename for macOS In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/699 Author: neffs Title: #699: Fix libkrb5 filename for macOS Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/699/head:pr699 git checkout pr699 -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-pr-699.patch Type: text/x-diff Size: 2455 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Apr 7 13:21:59 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Fri, 07 Apr 2017 15:21:59 +0200 Subject: [Freeipa-devel] [freeipa PR#699][comment] Fix libkrb5 filename for macOS In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/699 Title: #699: Fix libkrb5 filename for macOS tiran commented: """ @neffs thanks David. Please squash your commits into a single commit (```git rebase -i @~3``` and use fixup on the 2nd and 3rd commit, then git push --force). """ See the full comment at https://github.com/freeipa/freeipa/pull/699#issuecomment-292534577 From freeipa-github-notification at redhat.com Fri Apr 7 13:23:40 2017 From: freeipa-github-notification at redhat.com (neffs) Date: Fri, 07 Apr 2017 15:23:40 +0200 Subject: [Freeipa-devel] [freeipa PR#699][synchronized] Fix libkrb5 filename for macOS In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/699 Author: neffs Title: #699: Fix libkrb5 filename for macOS Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/699/head:pr699 git checkout pr699 -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-pr-699.patch Type: text/x-diff Size: 905 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Apr 7 13:33:11 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Fri, 07 Apr 2017 15:33:11 +0200 Subject: [Freeipa-devel] [freeipa PR#700][synchronized] Use entry_points for ipa CLI In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/700 Author: tiran Title: #700: Use entry_points for ipa CLI Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/700/head:pr700 git checkout pr700 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-700.patch Type: text/x-diff Size: 2244 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Apr 7 14:03:00 2017 From: freeipa-github-notification at redhat.com (abbra) Date: Fri, 07 Apr 2017 16:03:00 +0200 Subject: [Freeipa-devel] [freeipa PR#682][synchronized] [WIP] ipserver/dcerpc: unify error processing In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/682 Author: abbra Title: #682: [WIP] ipserver/dcerpc: unify error processing Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/682/head:pr682 git checkout pr682 -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-pr-682.patch Type: text/x-diff Size: 7056 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Apr 7 14:05:36 2017 From: freeipa-github-notification at redhat.com (abbra) Date: Fri, 07 Apr 2017 16:05:36 +0200 Subject: [Freeipa-devel] [freeipa PR#682][comment] [WIP] ipserver/dcerpc: unify error processing In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/682 Title: #682: [WIP] ipserver/dcerpc: unify error processing abbra commented: """ Updated patches and descriptions to include bug references. """ See the full comment at https://github.com/freeipa/freeipa/pull/682#issuecomment-292545612 From freeipa-github-notification at redhat.com Fri Apr 7 14:08:25 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Fri, 07 Apr 2017 16:08:25 +0200 Subject: [Freeipa-devel] [freeipa PR#618][synchronized] Tox testing support for client wheel packages In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/618 Author: tiran Title: #618: Tox testing support for client wheel packages Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/618/head:pr618 git checkout pr618 -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-pr-618.patch Type: text/x-diff Size: 9387 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Apr 7 14:10:35 2017 From: freeipa-github-notification at redhat.com (abbra) Date: Fri, 07 Apr 2017 16:10:35 +0200 Subject: [Freeipa-devel] [freeipa PR#682][edited] [WIP] ipserver/dcerpc: unify error processing In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/682 Author: abbra Title: #682: [WIP] ipserver/dcerpc: unify error processing Action: edited Changed field: title Original value: """ [WIP] ipserver/dcerpc: unify error processing """ From freeipa-github-notification at redhat.com Fri Apr 7 14:12:07 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Fri, 07 Apr 2017 16:12:07 +0200 Subject: [Freeipa-devel] [freeipa PR#700][comment] Use entry_points for ipa CLI In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/700 Title: #700: Use entry_points for ipa CLI tomaskrizek commented: """ Looks good, tested with both rpm and wheels. Ack if the tests pass. """ See the full comment at https://github.com/freeipa/freeipa/pull/700#issuecomment-292547332 From freeipa-github-notification at redhat.com Fri Apr 7 14:31:24 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Fri, 07 Apr 2017 16:31:24 +0200 Subject: [Freeipa-devel] [freeipa PR#700][comment] Use entry_points for ipa CLI In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/700 Title: #700: Use entry_points for ipa CLI martbab commented: """ I wish all of our scripts could be autogenerated from entry points. Long road ahead for that effort. However, this is a good start IMHO. 
""" See the full comment at https://github.com/freeipa/freeipa/pull/700#issuecomment-292552603 From freeipa-github-notification at redhat.com Fri Apr 7 15:01:09 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 07 Apr 2017 17:01:09 +0200 Subject: [Freeipa-devel] [freeipa PR#682][comment] ipserver/dcerpc: unify error processing In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/682 Title: #682: ipserver/dcerpc: unify error processing MartinBasti commented: """ Please fix issues found by pylint ``` ************* Module ipaserver.plugins.trust ipaserver/plugins/trust.py:1753: [W0612(unused-variable), trust_fetch_domains.execute] Unused variable 'trust_direction') ipaserver/plugins/trust.py:1754: [W0612(unused-variable), trust_fetch_domains.execute] Unused variable 'is_nontransitive') ``` """ See the full comment at https://github.com/freeipa/freeipa/pull/682#issuecomment-292560905 From freeipa-github-notification at redhat.com Fri Apr 7 16:08:23 2017 From: freeipa-github-notification at redhat.com (neffs) Date: Fri, 07 Apr 2017 18:08:23 +0200 Subject: [Freeipa-devel] [freeipa PR#699][edited] macOS compatibility fixes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/699 Author: neffs Title: #699: macOS compatibility fixes Action: edited Changed field: title Original value: """ Fix libkrb5 filename for macOS """ From freeipa-github-notification at redhat.com Fri Apr 7 16:09:01 2017 From: freeipa-github-notification at redhat.com (neffs) Date: Fri, 07 Apr 2017 18:09:01 +0200 Subject: [Freeipa-devel] [freeipa PR#699][edited] ipaclient/ipapython macOS compatibility fixes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/699 Author: neffs Title: #699: ipaclient/ipapython macOS compatibility fixes Action: edited Changed field: title Original value: """ macOS compatibility fixes """ From freeipa-github-notification at redhat.com Fri Apr 7 16:09:25 2017 
From: freeipa-github-notification at redhat.com (neffs) Date: Fri, 07 Apr 2017 18:09:25 +0200 Subject: [Freeipa-devel] [freeipa PR#699][synchronized] ipaclient/ipapython macOS compatibility fixes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/699 Author: neffs Title: #699: ipaclient/ipapython macOS compatibility fixes Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/699/head:pr699 git checkout pr699 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-699.patch Type: text/x-diff Size: 2404 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Apr 7 16:26:09 2017 From: freeipa-github-notification at redhat.com (neffs) Date: Fri, 07 Apr 2017 18:26:09 +0200 Subject: [Freeipa-devel] [freeipa PR#701][opened] ipa help doesn't always work Message-ID: URL: https://github.com/freeipa/freeipa/pull/701 Author: neffs Title: #701: ipa help doesn't always work Action: opened PR body: """ `ipa help` will not work when calling it when no schema is cached. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/701/head:pr701 git checkout pr701 -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-pr-701.patch Type: text/x-diff Size: 1235 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Apr 7 16:52:45 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Fri, 07 Apr 2017 18:52:45 +0200 Subject: [Freeipa-devel] [freeipa PR#698][+ack] install: request service certs after host keytab is set up In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/698 Title: #698: install: request service certs after host keytab is set up Label: +ack From freeipa-github-notification at redhat.com Fri Apr 7 16:53:56 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Fri, 07 Apr 2017 18:53:56 +0200 Subject: [Freeipa-devel] [freeipa PR#698][+pushed] install: request service certs after host keytab is set up In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/698 Title: #698: install: request service certs after host keytab is set up Label: +pushed From freeipa-github-notification at redhat.com Fri Apr 7 16:54:00 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Fri, 07 Apr 2017 18:54:00 +0200 Subject: [Freeipa-devel] [freeipa PR#698][comment] install: request service certs after host keytab is set up In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/698 Title: #698: install: request service certs after host keytab is set up martbab commented: """ master: * b189be12ecd1ba9efa35daf41e7e04a9362c6a5e dsinstance: reconnect ldap2 after DS is restarted by certmonger * 8a8558637946d7dac1d85642baaf9ba7c1be98f8 httpinstance: avoid httpd restart during certificate request * ec52332229672f35af8db5aaf1ed2827a8dd5467 dsinstance, httpinstance: consolidate certificate request code * 181cb94e744c380a823b94d0d5ca088ab3dcca1c install: request service certs after host keytab is set up * 3884a671cb59c360fae67884755fa5779053107a renew agent: revert to host keytab authentication * 
a6a89e24147d8542fd09cf64e04982599b79e3cc renew agent, restart scripts: connect to LDAP after kinit ipa-4-5: * 3a3cd01161b618dd6836fda7df935dd39adc117b dsinstance: reconnect ldap2 after DS is restarted by certmonger * 029da956be22c9e05a53c7c30e3afcb2c851ad86 httpinstance: avoid httpd restart during certificate request * 3317e172227fd72ad9049f7893d3018043201b3c dsinstance, httpinstance: consolidate certificate request code * cb141b0eb3950bcae1950e6190ba3573f348b1f2 install: request service certs after host keytab is set up * 1a7db624857c46a2c1c091ed4b8d7902a4486596 renew agent: revert to host keytab authentication * e9168e80ddb6066114f9438fa6a7a11b0eaa02cf renew agent, restart scripts: connect to LDAP after kinit """ See the full comment at https://github.com/freeipa/freeipa/pull/698#issuecomment-292591048 From freeipa-github-notification at redhat.com Fri Apr 7 16:54:04 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Fri, 07 Apr 2017 18:54:04 +0200 Subject: [Freeipa-devel] [freeipa PR#698][closed] install: request service certs after host keytab is set up In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/698 Author: HonzaCholasta Title: #698: install: request service certs after host keytab is set up Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/698/head:pr698 git checkout pr698 From bind-dyndb-ldap-github-notification at redhat.com Sat Apr 8 11:11:48 2017 From: bind-dyndb-ldap-github-notification at redhat.com (lslebodn) Date: Sat, 08 Apr 2017 13:11:48 +0200 Subject: [Freeipa-devel] [bind-dyndb-ldap PR#16][comment] spec: remove unnecessary bind-pkcs11 dependency In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/bind-dyndb-ldap/pull/16 Title: #16: spec: remove unnecessary bind-pkcs11 dependency lslebodn commented: """ I am not sure whether change to "requires" is ideal. 
Because after installation of freeipa-dns with this spec file the system will contain packages: `bind` and `bind-pkcs11`. And I doubt both will be running at the same time. rpm 4.13 is in Fedora 24+ and contains boolean dependencies http://rpm.org/user_doc/more_dependencies.html#boolean-dependencies """ See the full comment at https://github.com/freeipa/bind-dyndb-ldap/pull/16#issuecomment-292711267 From bind-dyndb-ldap-github-notification at redhat.com Sat Apr 8 14:48:43 2017 From: bind-dyndb-ldap-github-notification at redhat.com (mingzym) Date: Sat, 08 Apr 2017 16:48:43 +0200 Subject: [Freeipa-devel] [bind-dyndb-ldap PR#15][synchronized] ignore what configure and make produced In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/bind-dyndb-ldap/pull/15 Author: mingzym Title: #15: ignore what configure and make produced Action: synchronized To pull the PR as Git branch: git remote add ghbind-dyndb-ldap https://github.com/freeipa/bind-dyndb-ldap git fetch ghbind-dyndb-ldap pull/15/head:pr15 git checkout pr15 -------------- next part -------------- A non-text attachment was scrubbed... 
Name: bind-dyndb-ldap-pr-15.patch Type: text/x-diff Size: 583 bytes Desc: not available URL: From bind-dyndb-ldap-github-notification at redhat.com Sat Apr 8 14:56:12 2017 From: bind-dyndb-ldap-github-notification at redhat.com (mingzym) Date: Sat, 08 Apr 2017 16:56:12 +0200 Subject: [Freeipa-devel] [bind-dyndb-ldap PR#15][comment] ignore what configure and make produced In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/bind-dyndb-ldap/pull/15 Title: #15: ignore what configure and make produced mingzym commented: """ aha, this is much better now """ See the full comment at https://github.com/freeipa/bind-dyndb-ldap/pull/15#issuecomment-292723135 From bind-dyndb-ldap-github-notification at redhat.com Sat Apr 8 21:02:20 2017 From: bind-dyndb-ldap-github-notification at redhat.com (tomaskrizek) Date: Sat, 08 Apr 2017 23:02:20 +0200 Subject: [Freeipa-devel] [bind-dyndb-ldap PR#16][comment] spec: remove unnecessary bind-pkcs11 dependency In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/bind-dyndb-ldap/pull/16 Title: #16: spec: remove unnecessary bind-pkcs11 dependency tomaskrizek commented: """ @lslebodn The boolean dependencies look interesting. That seems like a better way to handle this `bind` / `bind-pkcs11` issue. I'll take a look at it. 
""" See the full comment at https://github.com/freeipa/bind-dyndb-ldap/pull/16#issuecomment-292745388 From freeipa-github-notification at redhat.com Mon Apr 10 05:34:26 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Mon, 10 Apr 2017 07:34:26 +0200 Subject: [Freeipa-devel] [freeipa PR#699][+ack] ipaclient/ipapython macOS compatibility fixes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/699 Title: #699: ipaclient/ipapython macOS compatibility fixes Label: +ack From freeipa-github-notification at redhat.com Mon Apr 10 06:21:26 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Mon, 10 Apr 2017 08:21:26 +0200 Subject: [Freeipa-devel] [freeipa PR#700][+ack] Use entry_points for ipa CLI In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/700 Title: #700: Use entry_points for ipa CLI Label: +ack From freeipa-github-notification at redhat.com Mon Apr 10 06:42:38 2017 From: freeipa-github-notification at redhat.com (abbra) Date: Mon, 10 Apr 2017 08:42:38 +0200 Subject: [Freeipa-devel] [freeipa PR#699][-ack] ipaclient/ipapython macOS compatibility fixes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/699 Title: #699: ipaclient/ipapython macOS compatibility fixes Label: -ack From freeipa-github-notification at redhat.com Mon Apr 10 06:43:38 2017 From: freeipa-github-notification at redhat.com (abbra) Date: Mon, 10 Apr 2017 08:43:38 +0200 Subject: [Freeipa-devel] [freeipa PR#699][comment] ipaclient/ipapython macOS compatibility fixes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/699 Title: #699: ipaclient/ipapython macOS compatibility fixes abbra commented: """ Please don't set ACK yet, I'm not finished with review. I do not want to replace fdatasync() with fsync(), this is not correct towards other platforms. I haven't yet tested this pull request against Mac OS X, so do not set ACK yet. 
""" See the full comment at https://github.com/freeipa/freeipa/pull/699#issuecomment-292862967 From freeipa-github-notification at redhat.com Mon Apr 10 06:51:01 2017 From: freeipa-github-notification at redhat.com (abbra) Date: Mon, 10 Apr 2017 08:51:01 +0200 Subject: [Freeipa-devel] [freeipa PR#699][comment] ipaclient/ipapython macOS compatibility fixes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/699 Title: #699: ipaclient/ipapython macOS compatibility fixes abbra commented: """ Note that we need something similar to https://github.com/untitaker/python-atomicwrites/commit/2bdd9dae62b7434c7b2383ce45fb515bdf70c3c3 to behave properly on Mac OS X. """ See the full comment at https://github.com/freeipa/freeipa/pull/699#issuecomment-292864166 From freeipa-github-notification at redhat.com Mon Apr 10 06:58:15 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Mon, 10 Apr 2017 08:58:15 +0200 Subject: [Freeipa-devel] [freeipa PR#699][comment] ipaclient/ipapython macOS compatibility fixes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/699 Title: #699: ipaclient/ipapython macOS compatibility fixes tiran commented: """ I wrote that ```fdatasync``` -> ```fsync``` is fine. It's my code after all. Explanation: fdatasync is a slightly optimized version of fsync that does not flush some metadata to disk, https://linux.die.net/man/2/fdatasync > fdatasync() is similar to fsync(), but does not flush modified metadata unless that metadata is needed in order to allow a subsequent data retrieval to be correctly handled. For example, changes to st_atime or st_mtime (respectively, time of last access and time of last modification; see stat(2)) do not require flushing because they are not necessary for a subsequent data read to be handled correctly. On the other hand, a change to the file size (st_size, as made by say ftruncate(2)), would require a metadata flush. 
When I wrote the code, I chose ```fdatasync``` because ```st_mtime``` isn't strictly required for the cache files. ```fdatasync``` is a micro-optimization that fails under macOS. Instead of making the code even more complicated, I have approved the platform-agnostic ```fsync``` syscall. It doesn't hurt to flush all data to disk. The files are rarely written anyway. """ See the full comment at https://github.com/freeipa/freeipa/pull/699#issuecomment-292865333 From freeipa-github-notification at redhat.com Mon Apr 10 07:01:56 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Mon, 10 Apr 2017 09:01:56 +0200 Subject: [Freeipa-devel] [freeipa PR#699][comment] ipaclient/ipapython macOS compatibility fixes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/699 Title: #699: ipaclient/ipapython macOS compatibility fixes tiran commented: """ No, we don't need to sync the directory. These are cache files. It's only important that we don't have half-written cache files on disk. A missing cache file is fine. 
""" See the full comment at https://github.com/freeipa/freeipa/pull/699#issuecomment-292865960 From bind-dyndb-ldap-github-notification at redhat.com Mon Apr 10 07:17:34 2017 From: bind-dyndb-ldap-github-notification at redhat.com (MartinBasti) Date: Mon, 10 Apr 2017 09:17:34 +0200 Subject: [Freeipa-devel] [bind-dyndb-ldap PR#16][comment] spec: remove unnecessary bind-pkcs11 dependency In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/bind-dyndb-ldap/pull/16 Title: #16: spec: remove unnecessary bind-pkcs11 dependency MartinBasti commented: """ @lslebodn `bind-pkcs11` requires `bind` package """ See the full comment at https://github.com/freeipa/bind-dyndb-ldap/pull/16#issuecomment-292868635 From freeipa-github-notification at redhat.com Mon Apr 10 07:54:20 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Mon, 10 Apr 2017 09:54:20 +0200 Subject: [Freeipa-devel] [freeipa PR#618][synchronized] Tox testing support for client wheel packages In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/618 Author: tiran Title: #618: Tox testing support for client wheel packages Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/618/head:pr618 git checkout pr618 -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-pr-618.patch Type: text/x-diff Size: 9425 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Apr 10 08:07:43 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Mon, 10 Apr 2017 10:07:43 +0200 Subject: [Freeipa-devel] [freeipa PR#702][opened] Correct PyPI package dependencies Message-ID: URL: https://github.com/freeipa/freeipa/pull/702 Author: tiran Title: #702: Correct PyPI package dependencies Action: opened PR body: """ * Remove unused install requires * Correct dependencies for yubico otptoken * Add explicit dependency on cffi for csrgen * Python 2 uses python-ldap, Python 3 pyldap Signed-off-by: Christian Heimes Needs backport to 4.5 for 4.5.1 PyPI packaging. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/702/head:pr702 git checkout pr702 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-702.patch Type: text/x-diff Size: 4921 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Apr 10 08:11:01 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Mon, 10 Apr 2017 10:11:01 +0200 Subject: [Freeipa-devel] [freeipa PR#671][synchronized] Slim down dependencies In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/671 Author: tiran Title: #671: Slim down dependencies Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/671/head:pr671 git checkout pr671 -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-pr-671.patch Type: text/x-diff Size: 7554 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Apr 10 08:14:30 2017 From: freeipa-github-notification at redhat.com (abbra) Date: Mon, 10 Apr 2017 10:14:30 +0200 Subject: [Freeipa-devel] [freeipa PR#699][comment] ipaclient/ipapython macOS compatibility fixes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/699 Title: #699: ipaclient/ipapython macOS compatibility fixes abbra commented: """ I still need to test the whole set on Mac OS X myself as we have no way to test that in CI. Thus, this PR will depend on me (or someone else from FreeIPA team) to actually test the code on Mac OS X. """ See the full comment at https://github.com/freeipa/freeipa/pull/699#issuecomment-292880002 From freeipa-github-notification at redhat.com Mon Apr 10 10:26:30 2017 From: freeipa-github-notification at redhat.com (pvoborni) Date: Mon, 10 Apr 2017 12:26:30 +0200 Subject: [Freeipa-devel] [freeipa PR#682][comment] ipserver/dcerpc: unify error processing In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/682 Title: #682: ipserver/dcerpc: unify error processing pvoborni commented: """ A ticket was created for this PR: https://pagure.io/freeipa/issue/6859 """ See the full comment at https://github.com/freeipa/freeipa/pull/682#issuecomment-292910558 From freeipa-github-notification at redhat.com Mon Apr 10 11:10:23 2017 From: freeipa-github-notification at redhat.com (dkupka) Date: Mon, 10 Apr 2017 13:10:23 +0200 Subject: [Freeipa-devel] [freeipa PR#697][synchronized] Create system users for FreeIPA services during package installation In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/697 Author: dkupka Title: #697: Create system users for FreeIPA services during package installation Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch 
ghfreeipa pull/697/head:pr697 git checkout pr697 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-697.patch Type: text/x-diff Size: 15451 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Apr 10 11:40:36 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Mon, 10 Apr 2017 13:40:36 +0200 Subject: [Freeipa-devel] [freeipa PR#703][opened] Remove surplus 'the' in output of ipa-adtrust-install Message-ID: URL: https://github.com/freeipa/freeipa/pull/703 Author: MartinBasti Title: #703: Remove surplus 'the' in output of ipa-adtrust-install Action: opened PR body: """ Fixing the typo """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/703/head:pr703 git checkout pr703 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-703.patch Type: text/x-diff Size: 998 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Apr 10 11:54:55 2017 From: freeipa-github-notification at redhat.com (abbra) Date: Mon, 10 Apr 2017 13:54:55 +0200 Subject: [Freeipa-devel] [freeipa PR#699][comment] ipaclient/ipapython macOS compatibility fixes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/699 Title: #699: ipaclient/ipapython macOS compatibility fixes abbra commented: """ Ok, so far I cannot build a wheel from git repo on Mac OS X as we have a number of limitations ourselves -- we need to fix our configure to allow just generating enough of `ipasetup.py` and make files to run python wheels code. I'll supply a separate PR for this. 
""" See the full comment at https://github.com/freeipa/freeipa/pull/699#issuecomment-292927905 From freeipa-github-notification at redhat.com Mon Apr 10 13:28:18 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Mon, 10 Apr 2017 15:28:18 +0200 Subject: [Freeipa-devel] [freeipa PR#703][+ack] Remove surplus 'the' in output of ipa-adtrust-install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/703 Title: #703: Remove surplus 'the' in output of ipa-adtrust-install Label: +ack From freeipa-github-notification at redhat.com Mon Apr 10 13:41:15 2017 From: freeipa-github-notification at redhat.com (dkupka) Date: Mon, 10 Apr 2017 15:41:15 +0200 Subject: [Freeipa-devel] [freeipa PR#697][synchronized] Create system users for FreeIPA services during package installation In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/697 Author: dkupka Title: #697: Create system users for FreeIPA services during package installation Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/697/head:pr697 git checkout pr697 -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-pr-697.patch Type: text/x-diff Size: 18273 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Apr 10 13:49:02 2017 From: freeipa-github-notification at redhat.com (dkupka) Date: Mon, 10 Apr 2017 15:49:02 +0200 Subject: [Freeipa-devel] [freeipa PR#704][opened] WebUI: cert login: Configure name of parameter used to pass username Message-ID: URL: https://github.com/freeipa/freeipa/pull/704 Author: dkupka Title: #704: WebUI: cert login: Configure name of parameter used to pass username Action: opened PR body: """ Directive LookupUserByCertificateParamName tells mod_lookup_identity module the name of GET parameter that is used to provide username in case certificate is mapped to multiple user accounts. Without this directive login with certificate that's mapped to multiple users doesn't work. https://pagure.io/freeipa/issue/6860 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/704/head:pr704 git checkout pr704 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-704.patch Type: text/x-diff Size: 1055 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Apr 10 14:16:58 2017 From: freeipa-github-notification at redhat.com (redhatrises) Date: Mon, 10 Apr 2017 16:16:58 +0200 Subject: [Freeipa-devel] [freeipa PR#705][opened] ipatests: Add krbpasswordexpiration tests Message-ID: URL: https://github.com/freeipa/freeipa/pull/705 Author: redhatrises Title: #705: ipatests: Add krbpasswordexpiration tests Action: opened PR body: """ """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/705/head:pr705 git checkout pr705 -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-pr-705.patch Type: text/x-diff Size: 1316 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Apr 10 14:37:22 2017 From: freeipa-github-notification at redhat.com (flo-renaud) Date: Mon, 10 Apr 2017 16:37:22 +0200 Subject: [Freeipa-devel] [freeipa PR#704][comment] WebUI: cert login: Configure name of parameter used to pass username In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/704 Title: #704: WebUI: cert login: Configure name of parameter used to pass username flo-renaud commented: """ Hi @dkupka thank you for the patch, everything works as expected with a single certificate mapped to multiple users. """ See the full comment at https://github.com/freeipa/freeipa/pull/704#issuecomment-292969006 From freeipa-github-notification at redhat.com Mon Apr 10 14:37:34 2017 From: freeipa-github-notification at redhat.com (flo-renaud) Date: Mon, 10 Apr 2017 16:37:34 +0200 Subject: [Freeipa-devel] [freeipa PR#704][+ack] WebUI: cert login: Configure name of parameter used to pass username In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/704 Title: #704: WebUI: cert login: Configure name of parameter used to pass username Label: +ack From freeipa-github-notification at redhat.com Mon Apr 10 15:16:47 2017 From: freeipa-github-notification at redhat.com (redhatrises) Date: Mon, 10 Apr 2017 17:16:47 +0200 Subject: [Freeipa-devel] [freeipa PR#705][synchronized] ipatests: Add krbpasswordexpiration tests In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/705 Author: redhatrises Title: #705: ipatests: Add krbpasswordexpiration tests Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/705/head:pr705 git checkout pr705 -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-pr-705.patch Type: text/x-diff Size: 1315 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Apr 10 16:54:44 2017 From: freeipa-github-notification at redhat.com (redhatrises) Date: Mon, 10 Apr 2017 18:54:44 +0200 Subject: [Freeipa-devel] [freeipa PR#705][synchronized] ipatests: Add krbpasswordexpiration tests In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/705 Author: redhatrises Title: #705: ipatests: Add krbpasswordexpiration tests Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/705/head:pr705 git checkout pr705 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-705.patch Type: text/x-diff Size: 1652 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Apr 10 17:30:21 2017 From: freeipa-github-notification at redhat.com (redhatrises) Date: Mon, 10 Apr 2017 19:30:21 +0200 Subject: [Freeipa-devel] [freeipa PR#705][synchronized] ipatests: Add krbpasswordexpiration tests In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/705 Author: redhatrises Title: #705: ipatests: Add krbpasswordexpiration tests Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/705/head:pr705 git checkout pr705 -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-pr-705.patch Type: text/x-diff Size: 1679 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Apr 11 05:16:59 2017 From: freeipa-github-notification at redhat.com (abbra) Date: Tue, 11 Apr 2017 07:16:59 +0200 Subject: [Freeipa-devel] [freeipa PR#682][synchronized] ipserver/dcerpc: unify error processing In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/682 Author: abbra Title: #682: ipserver/dcerpc: unify error processing Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/682/head:pr682 git checkout pr682 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-682.patch Type: text/x-diff Size: 7109 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Apr 11 05:17:39 2017 From: freeipa-github-notification at redhat.com (abbra) Date: Tue, 11 Apr 2017 07:17:39 +0200 Subject: [Freeipa-devel] [freeipa PR#682][synchronized] ipserver/dcerpc: unify error processing In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/682 Author: abbra Title: #682: ipserver/dcerpc: unify error processing Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/682/head:pr682 git checkout pr682 -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-pr-682.patch Type: text/x-diff Size: 7110 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Apr 11 05:17:51 2017 From: freeipa-github-notification at redhat.com (abbra) Date: Tue, 11 Apr 2017 07:17:51 +0200 Subject: [Freeipa-devel] [freeipa PR#682][edited] ipaserver/dcerpc: unify error processing In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/682 Author: abbra Title: #682: ipaserver/dcerpc: unify error processing Action: edited Changed field: title Original value: """ ipserver/dcerpc: unify error processing """ From freeipa-github-notification at redhat.com Tue Apr 11 06:07:56 2017 From: freeipa-github-notification at redhat.com (abbra) Date: Tue, 11 Apr 2017 08:07:56 +0200 Subject: [Freeipa-devel] [freeipa PR#682][synchronized] ipaserver/dcerpc: unify error processing In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/682 Author: abbra Title: #682: ipaserver/dcerpc: unify error processing Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/682/head:pr682 git checkout pr682 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-682.patch Type: text/x-diff Size: 7498 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Apr 11 07:54:19 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 11 Apr 2017 09:54:19 +0200 Subject: [Freeipa-devel] [freeipa PR#675][comment] [4.5, master] Fix PKCS11 helper In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/675 Title: #675: [4.5, master] Fix PKCS11 helper stlaz commented: """ I ran the integration test and the result was fine, ACK. 
""" See the full comment at https://github.com/freeipa/freeipa/pull/675#issuecomment-293180206 From freeipa-github-notification at redhat.com Tue Apr 11 07:54:25 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 11 Apr 2017 09:54:25 +0200 Subject: [Freeipa-devel] [freeipa PR#675][+ack] [4.5, master] Fix PKCS11 helper In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/675 Title: #675: [4.5, master] Fix PKCS11 helper Label: +ack From freeipa-github-notification at redhat.com Tue Apr 11 08:25:26 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 11 Apr 2017 10:25:26 +0200 Subject: [Freeipa-devel] [freeipa PR#706][opened] Fix CA-less to CA-full upgrade Message-ID: URL: https://github.com/freeipa/freeipa/pull/706 Author: stlaz Title: #706: Fix CA-less to CA-full upgrade Action: opened PR body: """ CertDB would have always created a directory on initialization. This behavior changes here by replacing the truncate argument with create which will only create the database when really required. https://pagure.io/freeipa/issue/6853 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/706/head:pr706 git checkout pr706 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-706.patch Type: text/x-diff Size: 4283 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Apr 11 08:28:05 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 11 Apr 2017 10:28:05 +0200 Subject: [Freeipa-devel] [freeipa PR#706][comment] Fix CA-less to CA-full upgrade In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/706 Title: #706: Fix CA-less to CA-full upgrade stlaz commented: """ I am not a big fan of creating directories on object initialization, thus this change. 
Another way of doing this would be of course to check whether the pki-tomcat/alias dir exists in the first place and not create the CertDB there. """ See the full comment at https://github.com/freeipa/freeipa/pull/706#issuecomment-293187666 From freeipa-github-notification at redhat.com Tue Apr 11 08:53:52 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Tue, 11 Apr 2017 10:53:52 +0200 Subject: [Freeipa-devel] [freeipa PR#686][synchronized] Stabilize make pypi_packages In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/686 Author: tiran Title: #686: Stabilize make pypi_packages Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/686/head:pr686 git checkout pr686 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-686.patch Type: text/x-diff Size: 2398 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Apr 11 08:53:56 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Tue, 11 Apr 2017 10:53:56 +0200 Subject: [Freeipa-devel] [freeipa PR#686][edited] Stabilize make pypi_packages In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/686 Author: tiran Title: #686: Stabilize make pypi_packages Action: edited Changed field: body Original value: """ Parallel make or flags like IPA_OMIT_INSTALL and IPA_SERVER_WHEELS could like to bad packages for PyPI. Only build the packages we want with correct flags. 
Signed-off-by: Christian Heimes """ From freeipa-github-notification at redhat.com Tue Apr 11 08:58:22 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Tue, 11 Apr 2017 10:58:22 +0200 Subject: [Freeipa-devel] [freeipa PR#671][comment] Slim down dependencies In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/671 Title: #671: Slim down dependencies tiran commented: """ Now depends on PR #702 """ See the full comment at https://github.com/freeipa/freeipa/pull/671#issuecomment-293195296 From freeipa-github-notification at redhat.com Tue Apr 11 09:20:27 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 11 Apr 2017 11:20:27 +0200 Subject: [Freeipa-devel] [freeipa PR#703][comment] Remove surplus 'the' in output of ipa-adtrust-install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/703 Title: #703: Remove surplus 'the' in output of ipa-adtrust-install stlaz commented: """ We just got an issue opened, you can add it: https://pagure.io/freeipa/issue/6864. """ See the full comment at https://github.com/freeipa/freeipa/pull/703#issuecomment-293200633 From freeipa-github-notification at redhat.com Tue Apr 11 09:27:43 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 11 Apr 2017 11:27:43 +0200 Subject: [Freeipa-devel] [freeipa PR#703][synchronized] Remove surplus 'the' in output of ipa-adtrust-install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/703 Author: MartinBasti Title: #703: Remove surplus 'the' in output of ipa-adtrust-install Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/703/head:pr703 git checkout pr703 -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-pr-703.patch Type: text/x-diff Size: 1036 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Apr 11 09:58:26 2017 From: freeipa-github-notification at redhat.com (dkupka) Date: Tue, 11 Apr 2017 11:58:26 +0200 Subject: [Freeipa-devel] [freeipa PR#697][synchronized] Create system users for FreeIPA services during package installation In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/697 Author: dkupka Title: #697: Create system users for FreeIPA services during package installation Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/697/head:pr697 git checkout pr697 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-697.patch Type: text/x-diff Size: 15464 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Apr 11 10:10:50 2017 From: freeipa-github-notification at redhat.com (Akasurde) Date: Tue, 11 Apr 2017 12:10:50 +0200 Subject: [Freeipa-devel] [freeipa PR#707][opened] Minor typo fixes Message-ID: URL: https://github.com/freeipa/freeipa/pull/707 Author: Akasurde Title: #707: Minor typo fixes Action: opened PR body: """ Fixes https://pagure.io/freeipa/issue/6865 Signed-off-by: Abhijeet Kasurde """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/707/head:pr707 git checkout pr707 -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-pr-707.patch Type: text/x-diff Size: 2927 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Apr 11 10:28:01 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 11 Apr 2017 12:28:01 +0200 Subject: [Freeipa-devel] [freeipa PR#707][+ack] Minor typo fixes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/707 Title: #707: Minor typo fixes Label: +ack From freeipa-github-notification at redhat.com Tue Apr 11 10:32:19 2017 From: freeipa-github-notification at redhat.com (dkupka) Date: Tue, 11 Apr 2017 12:32:19 +0200 Subject: [Freeipa-devel] [freeipa PR#697][synchronized] Create system users for FreeIPA services during package installation In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/697 Author: dkupka Title: #697: Create system users for FreeIPA services during package installation Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/697/head:pr697 git checkout pr697 -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-pr-697.patch Type: text/x-diff Size: 15474 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Apr 11 10:34:27 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 11 Apr 2017 12:34:27 +0200 Subject: [Freeipa-devel] [freeipa PR#707][-ack] Minor typo fixes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/707 Title: #707: Minor typo fixes Label: -ack From freeipa-github-notification at redhat.com Tue Apr 11 10:39:47 2017 From: freeipa-github-notification at redhat.com (Akasurde) Date: Tue, 11 Apr 2017 12:39:47 +0200 Subject: [Freeipa-devel] [freeipa PR#707][synchronized] Minor typo fixes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/707 Author: Akasurde Title: #707: Minor typo fixes Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/707/head:pr707 git checkout pr707 -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-pr-707.patch Type: text/x-diff Size: 2927 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Apr 11 10:45:17 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 11 Apr 2017 12:45:17 +0200 Subject: [Freeipa-devel] [freeipa PR#702][comment] Correct PyPI package dependencies In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/702 Title: #702: Correct PyPI package dependencies MartinBasti commented: """ For backport to 4.5 ticket and agreement on ticket triage must be done """ See the full comment at https://github.com/freeipa/freeipa/pull/702#issuecomment-293220360 From freeipa-github-notification at redhat.com Tue Apr 11 11:07:23 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 11 Apr 2017 13:07:23 +0200 Subject: [Freeipa-devel] [freeipa PR#703][+pushed] Remove surplus 'the' in output of ipa-adtrust-install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/703 Title: #703: Remove surplus 'the' in output of ipa-adtrust-install Label: +pushed From freeipa-github-notification at redhat.com Tue Apr 11 11:07:31 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 11 Apr 2017 13:07:31 +0200 Subject: [Freeipa-devel] [freeipa PR#703][comment] Remove surplus 'the' in output of ipa-adtrust-install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/703 Title: #703: Remove surplus 'the' in output of ipa-adtrust-install MartinBasti commented: """ master: * bad0f608c4f44cb36556f305f1290020d37439c6 Remove surplus 'the' in output of ipa-adtrust-install ipa-4-5: * e85795d4546847969ce8d0a38e6ac97c4366cfc7 Remove surplus 'the' in output of ipa-adtrust-install """ See the full comment at https://github.com/freeipa/freeipa/pull/703#issuecomment-293224623 From freeipa-github-notification at redhat.com Tue Apr 11 11:07:33 2017 From: freeipa-github-notification at redhat.com 
(MartinBasti) Date: Tue, 11 Apr 2017 13:07:33 +0200 Subject: [Freeipa-devel] [freeipa PR#703][closed] Remove surplus 'the' in output of ipa-adtrust-install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/703 Author: MartinBasti Title: #703: Remove surplus 'the' in output of ipa-adtrust-install Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/703/head:pr703 git checkout pr703 From freeipa-github-notification at redhat.com Tue Apr 11 11:07:48 2017 From: freeipa-github-notification at redhat.com (abbra) Date: Tue, 11 Apr 2017 13:07:48 +0200 Subject: [Freeipa-devel] [freeipa PR#682][synchronized] ipaserver/dcerpc: unify error processing In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/682 Author: abbra Title: #682: ipaserver/dcerpc: unify error processing Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/682/head:pr682 git checkout pr682 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-682.patch Type: text/x-diff Size: 7577 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Apr 11 11:13:04 2017 From: freeipa-github-notification at redhat.com (Akasurde) Date: Tue, 11 Apr 2017 13:13:04 +0200 Subject: [Freeipa-devel] [freeipa PR#707][synchronized] Minor typo fixes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/707 Author: Akasurde Title: #707: Minor typo fixes Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/707/head:pr707 git checkout pr707 -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-pr-707.patch Type: text/x-diff Size: 2931 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Apr 11 11:13:20 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 11 Apr 2017 13:13:20 +0200 Subject: [Freeipa-devel] [freeipa PR#707][comment] Minor typo fixes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/707 Title: #707: Minor typo fixes stlaz commented: """ Thanks, ACK. """ See the full comment at https://github.com/freeipa/freeipa/pull/707#issuecomment-293225820 From freeipa-github-notification at redhat.com Tue Apr 11 11:13:25 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 11 Apr 2017 13:13:25 +0200 Subject: [Freeipa-devel] [freeipa PR#707][+ack] Minor typo fixes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/707 Title: #707: Minor typo fixes Label: +ack From freeipa-github-notification at redhat.com Tue Apr 11 11:16:00 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 11 Apr 2017 13:16:00 +0200 Subject: [Freeipa-devel] [freeipa PR#697][comment] Create system users for FreeIPA services during package installation In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/697 Title: #697: Create system users for FreeIPA services during package installation stlaz commented: """ Travis reports wrong usage of the `useradd` command. """ See the full comment at https://github.com/freeipa/freeipa/pull/697#issuecomment-293226318 From pvomacka at redhat.com Tue Apr 11 11:18:07 2017 From: pvomacka at redhat.com (Pavel Vomacka) Date: Tue, 11 Apr 2017 13:18:07 +0200 Subject: [Freeipa-devel] Checking OCSP and CRL during certificate login Message-ID: <4d592ea0-4b26-4d23-8dd9-d171d8097aee@redhat.com> Hello, With the recent addition of certificate mapping and certificate login support into WebUI, we need to handle also revoking of certificates which are used for login. 
There is a ticket which requests this functionality: https://pagure.io/freeipa/issue/6370

We (me, David and Jan) are thinking about how to achieve this and the way we found is the following: We mark the server cert in HTTP NSS DB as trusted peer ('P,,') to avoid chicken and egg problem when we will need to contact the OCSP responder when httpd is starting. And then set the NSSOCSP On directive in /etc/httpd/conf.d/nss.conf . The known downside of OCSP is that when OCSP responder is not reachable, then the certificate cannot be checked and login is not allowed. Should we document it, or is that acceptable behavior? Is it OK to just fail?

Another thing is checking CRL. The main issue here is that we don't have a mechanism which would fetch CRL periodically from the source and therefore the CRL would have to be updated manually. Therefore I would go only with OCSP now.

Do you think that this makes sense? Comments and suggestions are more than welcome.

--
Pavel^3 Vomacka

From freeipa-github-notification at redhat.com Tue Apr 11 11:31:16 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 11 Apr 2017 13:31:16 +0200 Subject: [Freeipa-devel] [freeipa PR#700][+pushed] Use entry_points for ipa CLI In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/700 Title: #700: Use entry_points for ipa CLI Label: +pushed
From freeipa-github-notification at redhat.com Tue Apr 11 11:31:20 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 11 Apr 2017 13:31:20 +0200 Subject: [Freeipa-devel] [freeipa PR#700][comment] Use entry_points for ipa CLI In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/700 Title: #700: Use entry_points for ipa CLI MartinBasti commented: """ master: * bf67974459f093487a1c5a49234769803780ecbe Use entry_points for ipa CLI ipa-4-5: * 1e1e4e8ef2d2486068e17228c8a0f8b1a2b099f5 Use entry_points for ipa CLI """ See the full comment at
https://github.com/freeipa/freeipa/pull/700#issuecomment-293229445 From freeipa-github-notification at redhat.com Tue Apr 11 11:31:23 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 11 Apr 2017 13:31:23 +0200 Subject: [Freeipa-devel] [freeipa PR#700][closed] Use entry_points for ipa CLI In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/700 Author: tiran Title: #700: Use entry_points for ipa CLI Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/700/head:pr700 git checkout pr700 From freeipa-github-notification at redhat.com Tue Apr 11 11:35:29 2017 From: freeipa-github-notification at redhat.com (dkupka) Date: Tue, 11 Apr 2017 13:35:29 +0200 Subject: [Freeipa-devel] [freeipa PR#697][synchronized] Create system users for FreeIPA services during package installation In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/697 Author: dkupka Title: #697: Create system users for FreeIPA services during package installation Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/697/head:pr697 git checkout pr697 -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-pr-697.patch Type: text/x-diff Size: 15474 bytes Desc: not available URL:
From freeipa-github-notification at redhat.com Tue Apr 11 12:08:39 2017 From: freeipa-github-notification at redhat.com (redhatrises) Date: Tue, 11 Apr 2017 14:08:39 +0200 Subject: [Freeipa-devel] [freeipa PR#705][edited] [WIP] ipatests: Add krbpasswordexpiration tests In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/705 Author: redhatrises Title: #705: [WIP] ipatests: Add krbpasswordexpiration tests Action: edited Changed field: title Original value: """ ipatests: Add krbpasswordexpiration tests """
From freeipa-github-notification at redhat.com Tue Apr 11 12:15:22 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 11 Apr 2017 14:15:22 +0200 Subject: [Freeipa-devel] [freeipa PR#682][comment] ipaserver/dcerpc: unify error processing In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/682 Title: #682: ipaserver/dcerpc: unify error processing MartinBasti commented: """ Code LGTM """ See the full comment at https://github.com/freeipa/freeipa/pull/682#issuecomment-293241513
From freeipa-github-notification at redhat.com Tue Apr 11 12:15:27 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 11 Apr 2017 14:15:27 +0200 Subject: [Freeipa-devel] [freeipa PR#682][+ack] ipaserver/dcerpc: unify error processing In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/682 Title: #682: ipaserver/dcerpc: unify error processing Label: +ack
From abokovoy at redhat.com Tue Apr 11 12:16:22 2017 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Tue, 11 Apr 2017 15:16:22 +0300 Subject: [Freeipa-devel] Checking OCSP and CRL during certificate login In-Reply-To: <4d592ea0-4b26-4d23-8dd9-d171d8097aee@redhat.com> References: <4d592ea0-4b26-4d23-8dd9-d171d8097aee@redhat.com> Message-ID: <20170411121622.65y4zjrvob6uymtz@redhat.com>

On Tue, 11 Apr 2017, Pavel Vomacka wrote:
>Hello,
>
>With the recent addition of certificate mapping and certificate login
>support into WebUI, we need to handle also revoking of certificates
>which are used for login. There is a ticket which requests this
>functionality: https://pagure.io/freeipa/issue/6370
>
>We (me, David and Jan) are thinking about how to achieve this and the
>way we found is the following: We mark the server cert in HTTP NSS DB as
>trusted peer ('P,,') to avoid chicken and egg problem when we will
>need to contact the OCSP responder when httpd is starting. And then
>set the NSSOCSP On directive in /etc/httpd/conf.d/nss.conf . The known
>downside of OCSP is that when OCSP responder is not reachable, then
>the certificate cannot be checked and login is not allowed. Should we
>document it, or is that acceptable behavior? Is it OK to just fail?
>
>Another thing is checking CRL. The main issue here is that we don't
>have a mechanism which would fetch CRL periodically from the source and
>therefore the CRL would have to be updated manually. Therefore I would
>go only with OCSP now.
>
>Do you think that this makes sense? Comments and suggestions are more
>than welcome.

Thanks for starting the discussion. Below are a few unsorted thoughts.

I'm fine with the trusted peer mark on the server certificate in HTTP NSS DB. This is the certificate we have the private key of, we already use it for our own operations, so marking it as trusted peer is not going to break the world.

I'm also OK with defaulting to OCSP only.

One issue we need to solve with regards to trust is what to do with third-party certificates provided by and used for login purposes by users. Their CA anchors might not be known to IPA master(s) and in general we were treating them as external material stored in LDAP. For x509 client authentication, however, Apache modules would need to know about the anchors in the same way as we do with our own (or third-party provided) HTTP certificate anchors.
This means such root certificates need to be easily installable to all IPA masters, both for HTTP and PKINIT. Given that a (chain) of trust for them most likely does not end at our own CA, we should be OK with OCSP for them at startup and not marking them as trusted peers. -- / Alexander Bokovoy From freeipa-github-notification at redhat.com Tue Apr 11 12:17:36 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 11 Apr 2017 14:17:36 +0200 Subject: [Freeipa-devel] [freeipa PR#682][+pushed] ipaserver/dcerpc: unify error processing In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/682 Title: #682: ipaserver/dcerpc: unify error processing Label: +pushed From freeipa-github-notification at redhat.com Tue Apr 11 12:17:39 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 11 Apr 2017 14:17:39 +0200 Subject: [Freeipa-devel] [freeipa PR#682][comment] ipaserver/dcerpc: unify error processing In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/682 Title: #682: ipaserver/dcerpc: unify error processing MartinBasti commented: """ master: * aef77b3529540ad12939a2cc54996c341c5d49d3 ipaserver/dcerpc: unify error processing * e560899cce20ca7773a5ce46a1c29db1349e8ec7 trust: always use oddjobd helper for fetching trust information ipa-4-5: * bbb23fc87a51218960d54f9eccc23405c5c5ded6 ipaserver/dcerpc: unify error processing * 45e1998c51e281c8371ae31762016cb1ddec406f trust: always use oddjobd helper for fetching trust information """ See the full comment at https://github.com/freeipa/freeipa/pull/682#issuecomment-293242018 From freeipa-github-notification at redhat.com Tue Apr 11 12:17:41 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 11 Apr 2017 14:17:41 +0200 Subject: [Freeipa-devel] [freeipa PR#682][closed] ipaserver/dcerpc: unify error processing In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/682 Author: 
abbra Title: #682: ipaserver/dcerpc: unify error processing Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/682/head:pr682 git checkout pr682
From freeipa-github-notification at redhat.com Tue Apr 11 12:23:59 2017 From: freeipa-github-notification at redhat.com (Akasurde) Date: Tue, 11 Apr 2017 14:23:59 +0200 Subject: [Freeipa-devel] [freeipa PR#708][opened] Minor typo in details.js Message-ID: URL: https://github.com/freeipa/freeipa/pull/708 Author: Akasurde Title: #708: Minor typo in details.js Action: opened PR body: """ Fixes: https://pagure.io/freeipa/issue/6863 Signed-off-by: Abhijeet Kasurde """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/708/head:pr708 git checkout pr708 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-708.patch Type: text/x-diff Size: 970 bytes Desc: not available URL:
From rcritten at redhat.com Tue Apr 11 13:24:51 2017 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 11 Apr 2017 09:24:51 -0400 Subject: [Freeipa-devel] Checking OCSP and CRL during certificate login In-Reply-To: <4d592ea0-4b26-4d23-8dd9-d171d8097aee@redhat.com> References: <4d592ea0-4b26-4d23-8dd9-d171d8097aee@redhat.com> Message-ID: <839e2449-4713-b997-7266-b88d88f87e03@redhat.com>

Pavel Vomacka wrote:
> Hello,
>
> With the recent addition of certificate mapping and certificate login
> support into WebUI, we need to handle also revoking of certificates
> which are used for login. There is a ticket which requests this
> functionality: https://pagure.io/freeipa/issue/6370
>
> We (me, David and Jan) are thinking about how to achieve this and the
> way we found is the following: We mark the server cert in HTTP NSS DB as
> trusted peer ('P,,') to avoid chicken and egg problem when we will need
> to contact the OCSP responder when httpd is starting. And then set the
> NSSOCSP On directive in /etc/httpd/conf.d/nss.conf . The known downside
> of OCSP is that when OCSP responder is not reachable, then the
> certificate cannot be checked and login is not allowed. Should we
> document it, or is that acceptable behavior? Is it OK to just fail?
>
> Another thing is checking CRL. The main issue here is that we don't have
> a mechanism which would fetch CRL periodically from the source and
> therefore the CRL would have to be updated manually. Therefore I would go
> only with OCSP now.

mod_revocator does exactly what you are looking for.

rob

From freeipa-github-notification at redhat.com Tue Apr 11 13:30:17 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Tue, 11 Apr 2017 15:30:17 +0200 Subject: [Freeipa-devel] [freeipa PR#704][+pushed] WebUI: cert login: Configure name of parameter used to pass username In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/704 Title: #704: WebUI: cert login: Configure name of parameter used to pass username Label: +pushed
From freeipa-github-notification at redhat.com Tue Apr 11 13:30:22 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Tue, 11 Apr 2017 15:30:22 +0200 Subject: [Freeipa-devel] [freeipa PR#704][comment] WebUI: cert login: Configure name of parameter used to pass username In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/704 Title: #704: WebUI: cert login: Configure name of parameter used to pass username pvomacka commented: """ ipa-4-5: * a9721e529e7a02eeb40d29cb7820e69cd86d9337 WebUI: cert login: Configure name of parameter used to pass username master: * 157831a287c64106eed4da4ace5228d7e369ae2f WebUI: cert login: Configure name of parameter used to pass username """ See the full comment at https://github.com/freeipa/freeipa/pull/704#issuecomment-293263171
From freeipa-github-notification at redhat.com Tue Apr 11 13:30:25 2017 From: freeipa-github-notification at redhat.com
(pvomacka) Date: Tue, 11 Apr 2017 15:30:25 +0200 Subject: [Freeipa-devel] [freeipa PR#704][closed] WebUI: cert login: Configure name of parameter used to pass username In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/704 Author: dkupka Title: #704: WebUI: cert login: Configure name of parameter used to pass username Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/704/head:pr704 git checkout pr704 From freeipa-github-notification at redhat.com Tue Apr 11 13:38:57 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 11 Apr 2017 15:38:57 +0200 Subject: [Freeipa-devel] [freeipa PR#708][+ack] Minor typo in details.js In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/708 Title: #708: Minor typo in details.js Label: +ack From freeipa-github-notification at redhat.com Tue Apr 11 14:19:26 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 11 Apr 2017 16:19:26 +0200 Subject: [Freeipa-devel] [freeipa PR#695][+ack] [4.4] Fix PKCS11 helper In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/695 Title: #695: [4.4] Fix PKCS11 helper Label: +ack From freeipa-github-notification at redhat.com Tue Apr 11 15:03:25 2017 From: freeipa-github-notification at redhat.com (dkupka) Date: Tue, 11 Apr 2017 17:03:25 +0200 Subject: [Freeipa-devel] [freeipa PR#697][synchronized] Create system users for FreeIPA services during package installation In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/697 Author: dkupka Title: #697: Create system users for FreeIPA services during package installation Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/697/head:pr697 git checkout pr697 -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-pr-697.patch Type: text/x-diff Size: 15546 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Apr 11 15:34:14 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 11 Apr 2017 17:34:14 +0200 Subject: [Freeipa-devel] [freeipa PR#697][comment] Create system users for FreeIPA services during package installation In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/697 Title: #697: Create system users for FreeIPA services during package installation stlaz commented: """ While I don't like to omit @adelton comments, this is a test blocker for us. I propose going with @dkupka's comment on adding the GID/UID later when we get it or if someone could make a PR making this a bit better, that would be nice too. In the meantime, I have to ACK this. """ See the full comment at https://github.com/freeipa/freeipa/pull/697#issuecomment-293302227 From freeipa-github-notification at redhat.com Tue Apr 11 15:34:21 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 11 Apr 2017 17:34:21 +0200 Subject: [Freeipa-devel] [freeipa PR#697][+ack] Create system users for FreeIPA services during package installation In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/697 Title: #697: Create system users for FreeIPA services during package installation Label: +ack From freeipa-github-notification at redhat.com Tue Apr 11 15:35:33 2017 From: freeipa-github-notification at redhat.com (simo5) Date: Tue, 11 Apr 2017 17:35:33 +0200 Subject: [Freeipa-devel] [freeipa PR#709][opened] Fix s4u2self with adtrust Message-ID: URL: https://github.com/freeipa/freeipa/pull/709 Author: simo5 Title: #709: Fix s4u2self with adtrust Action: opened PR body: """ When ADtrust is installed we add a PAC to all tickets, during protocol transition we need to generate a new PAC for the requested user ticket, not check the existing PAC on the requestor ticket. 
https://pagure.io/freeipa/issue/6862 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/709/head:pr709 git checkout pr709 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-709.patch Type: text/x-diff Size: 2222 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Apr 11 15:55:13 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Tue, 11 Apr 2017 17:55:13 +0200 Subject: [Freeipa-devel] [freeipa PR#697][comment] Create system users for FreeIPA services during package installation In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/697 Title: #697: Create system users for FreeIPA services during package installation pvomacka commented: """ ipa-4-5: * e8a429d9e170955919f2e53e66b580be95e908d9 Create system users for FreeIPA services during package installation master: * a726e98f034347227765d7303a033a0538f5d8a1 Create system users for FreeIPA services during package installation """ See the full comment at https://github.com/freeipa/freeipa/pull/697#issuecomment-293308834 From freeipa-github-notification at redhat.com Tue Apr 11 15:55:34 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Tue, 11 Apr 2017 17:55:34 +0200 Subject: [Freeipa-devel] [freeipa PR#697][+pushed] Create system users for FreeIPA services during package installation In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/697 Title: #697: Create system users for FreeIPA services during package installation Label: +pushed From freeipa-github-notification at redhat.com Tue Apr 11 15:55:43 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Tue, 11 Apr 2017 17:55:43 +0200 Subject: [Freeipa-devel] [freeipa PR#697][-ack] Create system users for FreeIPA services during package installation In-Reply-To: References: Message-ID: URL: 
https://github.com/freeipa/freeipa/pull/697 Title: #697: Create system users for FreeIPA services during package installation Label: -ack From freeipa-github-notification at redhat.com Tue Apr 11 15:55:48 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Tue, 11 Apr 2017 17:55:48 +0200 Subject: [Freeipa-devel] [freeipa PR#697][+ack] Create system users for FreeIPA services during package installation In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/697 Title: #697: Create system users for FreeIPA services during package installation Label: +ack From freeipa-github-notification at redhat.com Tue Apr 11 15:55:51 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Tue, 11 Apr 2017 17:55:51 +0200 Subject: [Freeipa-devel] [freeipa PR#697][closed] Create system users for FreeIPA services during package installation In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/697 Author: dkupka Title: #697: Create system users for FreeIPA services during package installation Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/697/head:pr697 git checkout pr697 From freeipa-github-notification at redhat.com Tue Apr 11 15:57:28 2017 From: freeipa-github-notification at redhat.com (flo-renaud) Date: Tue, 11 Apr 2017 17:57:28 +0200 Subject: [Freeipa-devel] [freeipa PR#709][comment] Fix s4u2self with adtrust In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/709 Title: #709: Fix s4u2self with adtrust flo-renaud commented: """ Hi @simo5, I tested webUI authentication with a IPA user and it is working with this patch. 
""" See the full comment at https://github.com/freeipa/freeipa/pull/709#issuecomment-293309605 From freeipa-github-notification at redhat.com Tue Apr 11 16:23:58 2017 From: freeipa-github-notification at redhat.com (abbra) Date: Tue, 11 Apr 2017 18:23:58 +0200 Subject: [Freeipa-devel] [freeipa PR#709][+ack] Fix s4u2self with adtrust In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/709 Title: #709: Fix s4u2self with adtrust Label: +ack From freeipa-github-notification at redhat.com Wed Apr 12 07:47:27 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Wed, 12 Apr 2017 09:47:27 +0200 Subject: [Freeipa-devel] [freeipa PR#709][+pushed] Fix s4u2self with adtrust In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/709 Title: #709: Fix s4u2self with adtrust Label: +pushed From freeipa-github-notification at redhat.com Wed Apr 12 07:47:32 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Wed, 12 Apr 2017 09:47:32 +0200 Subject: [Freeipa-devel] [freeipa PR#709][comment] Fix s4u2self with adtrust In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/709 Title: #709: Fix s4u2self with adtrust pvomacka commented: """ ipa-4-5: * b5114070ae55bcc7ec1abe57b4c303cee4822930 Fix s4u2self with adtrust master: * e88d5e815ea440bcef4acdc5f8fcb3a29e6eaec9 Fix s4u2self with adtrust """ See the full comment at https://github.com/freeipa/freeipa/pull/709#issuecomment-293500560 From freeipa-github-notification at redhat.com Wed Apr 12 07:47:33 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Wed, 12 Apr 2017 09:47:33 +0200 Subject: [Freeipa-devel] [freeipa PR#709][closed] Fix s4u2self with adtrust In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/709 Author: simo5 Title: #709: Fix s4u2self with adtrust Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git 
fetch ghfreeipa pull/709/head:pr709 git checkout pr709 From freeipa-github-notification at redhat.com Wed Apr 12 07:53:43 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 12 Apr 2017 09:53:43 +0200 Subject: [Freeipa-devel] [freeipa PR#695][+pushed] [4.4] Fix PKCS11 helper In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/695 Title: #695: [4.4] Fix PKCS11 helper Label: +pushed From freeipa-github-notification at redhat.com Wed Apr 12 07:53:46 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 12 Apr 2017 09:53:46 +0200 Subject: [Freeipa-devel] [freeipa PR#695][comment] [4.4] Fix PKCS11 helper In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/695 Title: #695: [4.4] Fix PKCS11 helper MartinBasti commented: """ ipa-4-4: * 07df61b7814db08d81e1ff92f58b24e5d852fdf8 Fix PKCS11 helper """ See the full comment at https://github.com/freeipa/freeipa/pull/695#issuecomment-293501844 From freeipa-github-notification at redhat.com Wed Apr 12 07:53:49 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 12 Apr 2017 09:53:49 +0200 Subject: [Freeipa-devel] [freeipa PR#695][closed] [4.4] Fix PKCS11 helper In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/695 Author: MartinBasti Title: #695: [4.4] Fix PKCS11 helper Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/695/head:pr695 git checkout pr695 From freeipa-github-notification at redhat.com Wed Apr 12 07:54:52 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 12 Apr 2017 09:54:52 +0200 Subject: [Freeipa-devel] [freeipa PR#675][comment] [4.5, master] Fix PKCS11 helper In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/675 Title: #675: [4.5, master] Fix PKCS11 helper MartinBasti commented: """ ipa-4-5: * 
e6b2ed6b68589ff7ee39b95559836af54f39e2de Fix PKCS11 helper
master:
* e8f2a415b3dcba30b0c39cd542acd6b459f46957 Fix PKCS11 helper
"""

See the full comment at https://github.com/freeipa/freeipa/pull/675#issuecomment-293502061

From freeipa-github-notification at redhat.com Wed Apr 12 07:54:56 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Wed, 12 Apr 2017 09:54:56 +0200
Subject: [Freeipa-devel] [freeipa PR#675][+pushed] [4.5, master] Fix PKCS11 helper
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/675
Title: #675: [4.5, master] Fix PKCS11 helper

Label: +pushed

From freeipa-github-notification at redhat.com Wed Apr 12 07:55:00 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Wed, 12 Apr 2017 09:55:00 +0200
Subject: [Freeipa-devel] [freeipa PR#675][closed] [4.5, master] Fix PKCS11 helper
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/675
Author: MartinBasti
Title: #675: [4.5, master] Fix PKCS11 helper
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/675/head:pr675
git checkout pr675

From freeipa-github-notification at redhat.com Wed Apr 12 08:32:34 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Wed, 12 Apr 2017 10:32:34 +0200
Subject: [Freeipa-devel] [freeipa PR#618][comment] Tox testing support for client wheel packages
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/618
Title: #618: Tox testing support for client wheel packages

MartinBasti commented:
"""
I ran `tox` and I received following output:
```
ERROR: py27: could not install deps [ipaclient, ipatests]; v = InvocationError('/tmp/freeipa/.tox-install.sh wheel_bundle /tmp/freeipa/.tox/py27/bin/python /tmp/freeipa/.tox/py27/lib/python2.7/site-packages ipaclient ipatests (see /tmp/freeipa/.tox/py27/log/py27-1.log)', 2)
ERROR: py35: could not install deps [ipaclient, ipatests]; v = InvocationError('/tmp/freeipa/.tox-install.sh wheel_bundle /tmp/freeipa/.tox/py35/bin/python /tmp/freeipa/.tox/py35/lib/python3.5/site-packages ipaclient ipatests (see /tmp/freeipa/.tox/py35/log/py35-1.log)', 2)
ERROR: py36: could not install deps [ipaclient, ipatests]; v = InvocationError('/tmp/freeipa/.tox-install.sh wheel_bundle /tmp/freeipa/.tox/py36/bin/python /tmp/freeipa/.tox/py36/lib/python3.6/site-packages ipaclient ipatests (see /tmp/freeipa/.tox/py36/log/py36-1.log)', 2)
ERROR: pylint2: could not install deps [ipaclient, ipapython[certmonger], pylint]; v = InvocationError('/tmp/freeipa/.tox-install.sh wheel_bundle /tmp/freeipa/.tox/pylint2/bin/python /tmp/freeipa/.tox/pylint2/lib/python2.7/site-packages ipaclient ipapython[certmonger] pylint (see /tmp/freeipa/.tox/pylint2/log/pylint2-1.log)', 2)
ERROR: pylint3: could not install deps [ipaclient, ipapython[certmonger], pylint]; v = InvocationError('/tmp/freeipa/.tox-install.sh wheel_bundle /tmp/freeipa/.tox/pylint3/bin/python /tmp/freeipa/.tox/pylint3/lib/python3.5/site-packages ipaclient ipapython[certmonger] pylint (see /tmp/freeipa/.tox/pylint3/log/pylint3-1.log)', 2)
pypi: commands succeeded
```
Is it expected?

I had applied following patches:
* Correct PyPI package dependencies
* Stabilize make pypi_packages
* Replace hard-coded kdcproxy path with WSGI script
"""

See the full comment at https://github.com/freeipa/freeipa/pull/618#issuecomment-293510308

From freeipa-github-notification at redhat.com Wed Apr 12 08:35:57 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Wed, 12 Apr 2017 10:35:57 +0200
Subject: [Freeipa-devel] [freeipa PR#690][+ack] server-install: remove broken no-pkinit check
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/690
Title: #690: server-install: remove broken no-pkinit check

Label: +ack

From freeipa-github-notification at redhat.com Wed Apr 12 08:53:22 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Wed, 12 Apr 2017 10:53:22 +0200
Subject: [Freeipa-devel] [freeipa PR#674][+ack] Replace hard-coded kdcproxy path with WSGI script
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/674
Title: #674: Replace hard-coded kdcproxy path with WSGI script

Label: +ack

From freeipa-github-notification at redhat.com Wed Apr 12 08:59:52 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Wed, 12 Apr 2017 10:59:52 +0200
Subject: [Freeipa-devel] [freeipa PR#618][comment] Tox testing support for client wheel packages
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/618
Title: #618: Tox testing support for client wheel packages

tiran commented:
"""
Why are you mixing PRs? Don't mix PRs.
""" See the full comment at https://github.com/freeipa/freeipa/pull/618#issuecomment-293516717 From freeipa-github-notification at redhat.com Wed Apr 12 11:03:34 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 12 Apr 2017 13:03:34 +0200 Subject: [Freeipa-devel] [freeipa PR#690][+pushed] server-install: remove broken no-pkinit check In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/690 Title: #690: server-install: remove broken no-pkinit check Label: +pushed From freeipa-github-notification at redhat.com Wed Apr 12 11:03:38 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 12 Apr 2017 13:03:38 +0200 Subject: [Freeipa-devel] [freeipa PR#690][comment] server-install: remove broken no-pkinit check In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/690 Title: #690: server-install: remove broken no-pkinit check MartinBasti commented: """ master: * 1160dc5d8bacea42a7ada45a10bf1019a3af5aca server-install: remove broken no-pkinit check ipa-4-5: * 1eb681ec7d4f6f42e733463f29374f0fecee4e68 server-install: remove broken no-pkinit check """ See the full comment at https://github.com/freeipa/freeipa/pull/690#issuecomment-293544267 From freeipa-github-notification at redhat.com Wed Apr 12 11:03:39 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 12 Apr 2017 13:03:39 +0200 Subject: [Freeipa-devel] [freeipa PR#690][closed] server-install: remove broken no-pkinit check In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/690 Author: stlaz Title: #690: server-install: remove broken no-pkinit check Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/690/head:pr690 git checkout pr690 From freeipa-github-notification at redhat.com Wed Apr 12 11:06:03 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 12 Apr 
2017 13:06:03 +0200 Subject: [Freeipa-devel] [freeipa PR#674][+pushed] Replace hard-coded kdcproxy path with WSGI script In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/674 Title: #674: Replace hard-coded kdcproxy path with WSGI script Label: +pushed From freeipa-github-notification at redhat.com Wed Apr 12 11:06:06 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 12 Apr 2017 13:06:06 +0200 Subject: [Freeipa-devel] [freeipa PR#674][comment] Replace hard-coded kdcproxy path with WSGI script In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/674 Title: #674: Replace hard-coded kdcproxy path with WSGI script MartinBasti commented: """ master: * 2cd6788c3f52a9b87f24b9b3e57d66a864397966 Replace hard-coded kdcproxy path with WSGI script """ See the full comment at https://github.com/freeipa/freeipa/pull/674#issuecomment-293544760 From freeipa-github-notification at redhat.com Wed Apr 12 11:06:12 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 12 Apr 2017 13:06:12 +0200 Subject: [Freeipa-devel] [freeipa PR#674][closed] Replace hard-coded kdcproxy path with WSGI script In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/674 Author: tiran Title: #674: Replace hard-coded kdcproxy path with WSGI script Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/674/head:pr674 git checkout pr674 From freeipa-github-notification at redhat.com Wed Apr 12 11:36:13 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 12 Apr 2017 13:36:13 +0200 Subject: [Freeipa-devel] [freeipa PR#706][+ack] Fix CA-less to CA-full upgrade In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/706 Title: #706: Fix CA-less to CA-full upgrade Label: +ack From bind-dyndb-ldap-github-notification at redhat.com Wed Apr 12 11:46:44 
2017
From: bind-dyndb-ldap-github-notification at redhat.com (tomaskrizek)
Date: Wed, 12 Apr 2017 13:46:44 +0200
Subject: [Freeipa-devel] [bind-dyndb-ldap PR#17][comment] settings: skip unconfigured values
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/bind-dyndb-ldap/pull/17
Title: #17: settings: skip unconfigured values

tomaskrizek commented:
"""
@MartinBasti Would you please test this PR? You can just install IPA with DNS and then remove `server_id` from `named.conf`. With this patch, it should be possible to successfully restart named-pkcs11. Before, it failed.
"""

See the full comment at https://github.com/freeipa/bind-dyndb-ldap/pull/17#issuecomment-293552509

From freeipa-github-notification at redhat.com Wed Apr 12 12:25:30 2017
From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Wed, 12 Apr 2017 14:25:30 +0200
Subject: [Freeipa-devel] [freeipa PR#691][+ack] Add force-join option to replica install
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/691
Title: #691: Add force-join option to replica install

Label: +ack

From freeipa-github-notification at redhat.com Wed Apr 12 12:34:50 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Wed, 12 Apr 2017 14:34:50 +0200
Subject: [Freeipa-devel] [freeipa PR#618][synchronized] Tox testing support for client wheel packages
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/618
Author: tiran
Title: #618: Tox testing support for client wheel packages
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/618/head:pr618
git checkout pr618
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-618.patch
Type: text/x-diff
Size: 9425 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Wed Apr 12 12:35:46 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Wed, 12 Apr 2017 14:35:46 +0200
Subject: [Freeipa-devel] [freeipa PR#618][comment] Tox testing support for client wheel packages
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/618
Title: #618: Tox testing support for client wheel packages

tiran commented:
"""
I've rebased the branch on master, just in case. Tox works for me before and after rebase.

```
$ git clean -xdf
$ tox
...
py27: commands succeeded
py35: commands succeeded
py36: commands succeeded
pylint2: commands succeeded
pylint3: commands succeeded
pypi: commands succeeded
congratulations :)
```
"""

See the full comment at https://github.com/freeipa/freeipa/pull/618#issuecomment-293562432

From freeipa-github-notification at redhat.com Wed Apr 12 12:44:37 2017
From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Wed, 12 Apr 2017 14:44:37 +0200
Subject: [Freeipa-devel] [freeipa PR#680][comment] ipa-otpd.socket.in: Use a platform specific value for KDC service file
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/680
Title: #680: ipa-otpd.socket.in: Use a platform specific value for KDC service file

tomaskrizek commented:
"""
I believe Christian's suggestion in the updated commit. Looks good to me.
""" See the full comment at https://github.com/freeipa/freeipa/pull/680#issuecomment-293564424 From freeipa-github-notification at redhat.com Wed Apr 12 12:44:42 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 12 Apr 2017 14:44:42 +0200 Subject: [Freeipa-devel] [freeipa PR#680][+ack] ipa-otpd.socket.in: Use a platform specific value for KDC service file In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/680 Title: #680: ipa-otpd.socket.in: Use a platform specific value for KDC service file Label: +ack From freeipa-github-notification at redhat.com Wed Apr 12 12:44:59 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 12 Apr 2017 14:44:59 +0200 Subject: [Freeipa-devel] [freeipa PR#680][comment] ipa-otpd.socket.in: Use a platform specific value for KDC service file In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/680 Title: #680: ipa-otpd.socket.in: Use a platform specific value for KDC service file tomaskrizek commented: """ I believe Christian's suggestion was addressed in the updated commit. Looks good to me. """ See the full comment at https://github.com/freeipa/freeipa/pull/680#issuecomment-293564424 From freeipa-github-notification at redhat.com Wed Apr 12 12:59:33 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 12 Apr 2017 14:59:33 +0200 Subject: [Freeipa-devel] [freeipa PR#618][synchronized] Tox testing support for client wheel packages In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/618 Author: tiran Title: #618: Tox testing support for client wheel packages Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/618/head:pr618 git checkout pr618 -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-pr-618.patch
Type: text/x-diff
Size: 9891 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Wed Apr 12 13:01:38 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Wed, 12 Apr 2017 15:01:38 +0200
Subject: [Freeipa-devel] [freeipa PR#618][comment] Tox testing support for client wheel packages
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/618
Title: #618: Tox testing support for client wheel packages

tiran commented:
"""
I added tox to wheel build requirements. Now you can install all dependencies with dnf builddep.

```
$ sudo dnf copr enable @freeipa/freeipa-master
$ sudo dnf install redhat-rpm-config
$ sudo dnf builddep --spec freeipa.spec.in --define "with_wheels 1"
$ tox
```
"""

See the full comment at https://github.com/freeipa/freeipa/pull/618#issuecomment-293568255

From freeipa-github-notification at redhat.com Wed Apr 12 13:03:17 2017
From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Wed, 12 Apr 2017 15:03:17 +0200
Subject: [Freeipa-devel] [freeipa PR#708][+pushed] Minor typo in details.js
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/708
Title: #708: Minor typo in details.js

Label: +pushed

From freeipa-github-notification at redhat.com Wed Apr 12 13:03:20 2017
From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Wed, 12 Apr 2017 15:03:20 +0200
Subject: [Freeipa-devel] [freeipa PR#708][comment] Minor typo in details.js
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/708
Title: #708: Minor typo in details.js

tomaskrizek commented:
"""
master:
* 0f20eca3f58b59ed15a5acd69b3d763bf19f26f1 Minor typo in details.js
"""

See the full comment at https://github.com/freeipa/freeipa/pull/708#issuecomment-293568665

From freeipa-github-notification at redhat.com Wed Apr 12 13:03:24 2017
From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Wed, 12 Apr 2017 15:03:24
+0200 Subject: [Freeipa-devel] [freeipa PR#708][closed] Minor typo in details.js In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/708 Author: Akasurde Title: #708: Minor typo in details.js Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/708/head:pr708 git checkout pr708 From freeipa-github-notification at redhat.com Wed Apr 12 13:29:09 2017 From: freeipa-github-notification at redhat.com (Akasurde) Date: Wed, 12 Apr 2017 15:29:09 +0200 Subject: [Freeipa-devel] [freeipa PR#708][comment] Minor typo in details.js In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/708 Title: #708: Minor typo in details.js Akasurde commented: """ @tomaskrizek @stlaz Thanks. """ See the full comment at https://github.com/freeipa/freeipa/pull/708#issuecomment-293575976 From freeipa-github-notification at redhat.com Wed Apr 12 13:42:59 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 12 Apr 2017 15:42:59 +0200 Subject: [Freeipa-devel] [freeipa PR#707][comment] Minor typo fixes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/707 Title: #707: Minor typo fixes tomaskrizek commented: """ master: * cb869314729022d4c16339bb08b79c5c30fe29df Minor typo fixes """ See the full comment at https://github.com/freeipa/freeipa/pull/707#issuecomment-293580581 From freeipa-github-notification at redhat.com Wed Apr 12 13:43:09 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 12 Apr 2017 15:43:09 +0200 Subject: [Freeipa-devel] [freeipa PR#707][+pushed] Minor typo fixes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/707 Title: #707: Minor typo fixes Label: +pushed From freeipa-github-notification at redhat.com Wed Apr 12 13:43:14 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 12 Apr 2017 15:43:14 +0200 Subject: 
[Freeipa-devel] [freeipa PR#707][closed] Minor typo fixes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/707 Author: Akasurde Title: #707: Minor typo fixes Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/707/head:pr707 git checkout pr707 From freeipa-github-notification at redhat.com Wed Apr 12 13:46:19 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 12 Apr 2017 15:46:19 +0200 Subject: [Freeipa-devel] [freeipa PR#686][+ack] Stabilize make pypi_packages In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/686 Title: #686: Stabilize make pypi_packages Label: +ack From freeipa-github-notification at redhat.com Wed Apr 12 13:47:27 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 12 Apr 2017 15:47:27 +0200 Subject: [Freeipa-devel] [freeipa PR#686][+pushed] Stabilize make pypi_packages In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/686 Title: #686: Stabilize make pypi_packages Label: +pushed From freeipa-github-notification at redhat.com Wed Apr 12 13:47:34 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 12 Apr 2017 15:47:34 +0200 Subject: [Freeipa-devel] [freeipa PR#686][comment] Stabilize make pypi_packages In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/686 Title: #686: Stabilize make pypi_packages MartinBasti commented: """ master: * d0c36b9c2eae1298604ec8ad4597e19e20365e11 Stabilize make pypi_packages """ See the full comment at https://github.com/freeipa/freeipa/pull/686#issuecomment-293581818 From freeipa-github-notification at redhat.com Wed Apr 12 13:47:40 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 12 Apr 2017 15:47:40 +0200 Subject: [Freeipa-devel] [freeipa PR#686][closed] Stabilize make pypi_packages In-Reply-To: References: 
Message-ID: URL: https://github.com/freeipa/freeipa/pull/686 Author: tiran Title: #686: Stabilize make pypi_packages Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/686/head:pr686 git checkout pr686 From freeipa-github-notification at redhat.com Wed Apr 12 13:53:30 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 12 Apr 2017 15:53:30 +0200 Subject: [Freeipa-devel] [freeipa PR#691][comment] Add force-join option to replica install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/691 Title: #691: Add force-join option to replica install tomaskrizek commented: """ master: * 87051f51c695afa3e9ba072da7005cf1a4194668 Add the force-join option to replica install * db84516d23d3a6e53e95881828d494fb80647602 replicainstall: better client install exception handling ipa-4-5: * 72f0ecde783be7d304044eff60c8c85e160d65d8 Add the force-join option to replica install * 534df55ea5ae736db832e0885520a6dfbd09299a replicainstall: better client install exception handling """ See the full comment at https://github.com/freeipa/freeipa/pull/691#issuecomment-293583996 From freeipa-github-notification at redhat.com Wed Apr 12 13:53:35 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 12 Apr 2017 15:53:35 +0200 Subject: [Freeipa-devel] [freeipa PR#691][+pushed] Add force-join option to replica install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/691 Title: #691: Add force-join option to replica install Label: +pushed From freeipa-github-notification at redhat.com Wed Apr 12 13:53:40 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 12 Apr 2017 15:53:40 +0200 Subject: [Freeipa-devel] [freeipa PR#691][closed] Add force-join option to replica install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/691 Author: stlaz Title: #691: Add 
force-join option to replica install Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/691/head:pr691 git checkout pr691 From freeipa-github-notification at redhat.com Wed Apr 12 14:01:39 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 12 Apr 2017 16:01:39 +0200 Subject: [Freeipa-devel] [freeipa PR#618][comment] Tox testing support for client wheel packages In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/618 Title: #618: Tox testing support for client wheel packages MartinBasti commented: """ Thanks, I'll try again, it needs rebase again """ See the full comment at https://github.com/freeipa/freeipa/pull/618#issuecomment-293586483 From freeipa-github-notification at redhat.com Wed Apr 12 14:09:26 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 12 Apr 2017 16:09:26 +0200 Subject: [Freeipa-devel] [freeipa PR#618][synchronized] Tox testing support for client wheel packages In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/618 Author: tiran Title: #618: Tox testing support for client wheel packages Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/618/head:pr618 git checkout pr618 -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-pr-618.patch Type: text/x-diff Size: 8941 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Apr 12 14:18:20 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 12 Apr 2017 16:18:20 +0200 Subject: [Freeipa-devel] [freeipa PR#680][+pushed] ipa-otpd.socket.in: Use a platform specific value for KDC service file In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/680 Title: #680: ipa-otpd.socket.in: Use a platform specific value for KDC service file Label: +pushed From freeipa-github-notification at redhat.com Wed Apr 12 14:18:23 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 12 Apr 2017 16:18:23 +0200 Subject: [Freeipa-devel] [freeipa PR#680][comment] ipa-otpd.socket.in: Use a platform specific value for KDC service file In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/680 Title: #680: ipa-otpd.socket.in: Use a platform specific value for KDC service file tomaskrizek commented: """ master: * 076eb409a032cbd689f1d5e298c1009e80168e34 ipa-otpd.socket.in: Use a platform specific value for KDC service file """ See the full comment at https://github.com/freeipa/freeipa/pull/680#issuecomment-293591604 From freeipa-github-notification at redhat.com Wed Apr 12 14:18:26 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 12 Apr 2017 16:18:26 +0200 Subject: [Freeipa-devel] [freeipa PR#680][closed] ipa-otpd.socket.in: Use a platform specific value for KDC service file In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/680 Author: tjaalton Title: #680: ipa-otpd.socket.in: Use a platform specific value for KDC service file Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/680/head:pr680 git checkout pr680 From freeipa-github-notification at redhat.com Wed Apr 12 14:18:37 2017 From: 
freeipa-github-notification at redhat.com (stlaz) Date: Wed, 12 Apr 2017 16:18:37 +0200 Subject: [Freeipa-devel] [freeipa PR#679][comment] Make sure remote hosts have our keys In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/679 Title: #679: Make sure remote hosts have our keys stlaz commented: """ Fails with ```2017-04-12T14:16:14Z DEBUG The ipa-replica-install command failed, exception: ValueError: Incorrect number of results (0) searching forpublic key for host/vm-225.abc.idm.lab.eng.brq.redhat.com at DOM-096.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM ``` on first replica, every try. """ See the full comment at https://github.com/freeipa/freeipa/pull/679#issuecomment-293591724 From freeipa-github-notification at redhat.com Wed Apr 12 14:18:46 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Wed, 12 Apr 2017 16:18:46 +0200 Subject: [Freeipa-devel] [freeipa PR#679][comment] Make sure remote hosts have our keys In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/679 Title: #679: Make sure remote hosts have our keys stlaz commented: """ Fails with ```2017-04-12T14:16:14Z DEBUG The ipa-replica-install command failed, exception: ValueError: Incorrect number of results (0) searching forpublic key for host/vm-225.abc.idm.lab.eng.brq.redhat.com at DOM-096.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM ``` on first replica, every try. 
""" See the full comment at https://github.com/freeipa/freeipa/pull/679#issuecomment-293591724 From freeipa-github-notification at redhat.com Wed Apr 12 14:22:21 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 12 Apr 2017 16:22:21 +0200 Subject: [Freeipa-devel] [freeipa PR#706][+pushed] Fix CA-less to CA-full upgrade In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/706 Title: #706: Fix CA-less to CA-full upgrade Label: +pushed From freeipa-github-notification at redhat.com Wed Apr 12 14:22:26 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 12 Apr 2017 16:22:26 +0200 Subject: [Freeipa-devel] [freeipa PR#706][comment] Fix CA-less to CA-full upgrade In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/706 Title: #706: Fix CA-less to CA-full upgrade tomaskrizek commented: """ master: * 9ac56e47d78582fbc2911f67a7344bcce321842f Fix CA-less to CA-full upgrade ipa-4-5: * 7a6f78bab8f9f76bf37fb105ec2537676d889cc2 Fix CA-less to CA-full upgrade """ See the full comment at https://github.com/freeipa/freeipa/pull/706#issuecomment-293593075 From freeipa-github-notification at redhat.com Wed Apr 12 14:22:31 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 12 Apr 2017 16:22:31 +0200 Subject: [Freeipa-devel] [freeipa PR#706][closed] Fix CA-less to CA-full upgrade In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/706 Author: stlaz Title: #706: Fix CA-less to CA-full upgrade Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/706/head:pr706 git checkout pr706 From freeipa-github-notification at redhat.com Wed Apr 12 14:42:58 2017 From: freeipa-github-notification at redhat.com (Rezney) Date: Wed, 12 Apr 2017 16:42:58 +0200 Subject: [Freeipa-devel] [freeipa PR#710][opened] [ipatests] - added krb5kdc.log to pytest logging 
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/710
Author: Rezney
Title: #710: [ipatests] - added krb5kdc.log to pytest logging
Action: opened

PR body:
"""
KRB5KDC_LOG = '/var/log/krb5kdc.log' added to paths
host.collect_log(paths.KRB5KDC_LOG) added to tasks.py

Signed-off-by: Michal Reznik
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/710/head:pr710
git checkout pr710
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-710.patch
Type: text/x-diff
Size: 1414 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Wed Apr 12 14:43:10 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Wed, 12 Apr 2017 16:43:10 +0200
Subject: [Freeipa-devel] [freeipa PR#618][comment] Tox testing support for client wheel packages
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/618
Title: #618: Tox testing support for client wheel packages

MartinBasti commented:
"""
Thanks, works for me.
""" See the full comment at https://github.com/freeipa/freeipa/pull/618#issuecomment-293599732 From freeipa-github-notification at redhat.com Wed Apr 12 14:43:16 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 12 Apr 2017 16:43:16 +0200 Subject: [Freeipa-devel] [freeipa PR#618][+ack] Tox testing support for client wheel packages In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/618 Title: #618: Tox testing support for client wheel packages Label: +ack From freeipa-github-notification at redhat.com Wed Apr 12 14:53:55 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 12 Apr 2017 16:53:55 +0200 Subject: [Freeipa-devel] [freeipa PR#618][+pushed] Tox testing support for client wheel packages In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/618 Title: #618: Tox testing support for client wheel packages Label: +pushed From freeipa-github-notification at redhat.com Wed Apr 12 14:54:00 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 12 Apr 2017 16:54:00 +0200 Subject: [Freeipa-devel] [freeipa PR#618][comment] Tox testing support for client wheel packages In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/618 Title: #618: Tox testing support for client wheel packages MartinBasti commented: """ master: * 3a5b3be8b92a509d207d814c9fe294ee7b4e81c4 tox testing support for client wheel packages """ See the full comment at https://github.com/freeipa/freeipa/pull/618#issuecomment-293603161 From freeipa-github-notification at redhat.com Wed Apr 12 14:54:06 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 12 Apr 2017 16:54:06 +0200 Subject: [Freeipa-devel] [freeipa PR#618][closed] Tox testing support for client wheel packages In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/618 Author: tiran Title: #618: Tox testing support for client wheel 
packages Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/618/head:pr618 git checkout pr618 From freeipa-github-notification at redhat.com Wed Apr 12 14:57:10 2017 From: freeipa-github-notification at redhat.com (Rezney) Date: Wed, 12 Apr 2017 16:57:10 +0200 Subject: [Freeipa-devel] [freeipa PR#710][synchronized] [ipatests] - added krb5kdc.log to pytest logging In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/710 Author: Rezney Title: #710: [ipatests] - added krb5kdc.log to pytest logging Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/710/head:pr710 git checkout pr710 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-710.patch Type: text/x-diff Size: 1534 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Apr 12 15:19:57 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 12 Apr 2017 17:19:57 +0200 Subject: [Freeipa-devel] [freeipa PR#710][+ack] [ipatests] - added krb5kdc.log to pytest logging In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/710 Title: #710: [ipatests] - added krb5kdc.log to pytest logging Label: +ack From freeipa-github-notification at redhat.com Wed Apr 12 15:34:58 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 12 Apr 2017 17:34:58 +0200 Subject: [Freeipa-devel] [freeipa PR#710][+pushed] [ipatests] - added krb5kdc.log to pytest logging In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/710 Title: #710: [ipatests] - added krb5kdc.log to pytest logging Label: +pushed From freeipa-github-notification at redhat.com Wed Apr 12 15:35:01 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 12 Apr 2017 17:35:01 +0200 Subject: 
[Freeipa-devel] [freeipa PR#710][comment] [ipatests] - added krb5kdc.log to pytest logging In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/710 Title: #710: [ipatests] - added krb5kdc.log to pytest logging MartinBasti commented: """ master: * 2493f812048f191225eefc07abd91090dee47653 - added krb5kdc.log to pytest logging """ See the full comment at https://github.com/freeipa/freeipa/pull/710#issuecomment-293617444 From freeipa-github-notification at redhat.com Wed Apr 12 15:35:06 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 12 Apr 2017 17:35:06 +0200 Subject: [Freeipa-devel] [freeipa PR#710][closed] [ipatests] - added krb5kdc.log to pytest logging In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/710 Author: Rezney Title: #710: [ipatests] - added krb5kdc.log to pytest logging Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/710/head:pr710 git checkout pr710 From freeipa-github-notification at redhat.com Wed Apr 12 15:40:30 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 12 Apr 2017 17:40:30 +0200 Subject: [Freeipa-devel] [freeipa PR#702][synchronized] Correct PyPI package dependencies In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/702 Author: tiran Title: #702: Correct PyPI package dependencies Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/702/head:pr702 git checkout pr702 -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-pr-702.patch
Type: text/x-diff
Size: 5272 bytes
Desc: not available
URL:

From pvomacka at redhat.com Wed Apr 12 16:33:32 2017
From: pvomacka at redhat.com (Pavel Vomacka)
Date: Wed, 12 Apr 2017 18:33:32 +0200
Subject: [Freeipa-devel] Checking OCSP and CRL during certificate login
In-Reply-To: <20170411121622.65y4zjrvob6uymtz@redhat.com>
References: <4d592ea0-4b26-4d23-8dd9-d171d8097aee@redhat.com> <20170411121622.65y4zjrvob6uymtz@redhat.com>
Message-ID: <98357769-ab65-b53c-eacd-0ee6ec8df832@redhat.com>

On 04/11/2017 02:16 PM, Alexander Bokovoy wrote:
> On ti, 11 huhti 2017, Pavel Vomacka wrote:
>> Hello,
>>
>> With the recent addition of certificate mapping and certificate login
>> support into WebUI, we need to handle also revoking of certificates
>> which are used for login. There is ticket which requests this
>> functionality: https://pagure.io/freeipa/issue/6370
>>
>> We (me, David and Jan) are thinking about how to achieve this and the
>> way we found is following: We mark the server cert in HTTP NSS DB as
>> trusted peer ('P,,') to avoid chicken and egg problem when we will
>> need to contact the OCSP responder when httpd is starting. And then
>> set NSSOCSP On directive in /etc/httpd/conf.d/nss.conf . The known
>> downside of OCSP is that when OCSP responder is not reachable, then
>> the certificate cannot be checked and login is not allowed. Should we
>> document it, or is that acceptable behavior? Is it OK to just fail?
>>
>> Another thing is checking CRL. The main issue here is that we don't
>> have mechanism which would fetch CRL periodically from the source and
>> therefore the CRL would have to be updated manually. Therefore I would
>> go only with OCSP now.
>>
>> Do you think that this makes sense? Comments and suggestions are more
>> than welcome.
> Thanks for starting discussion. Below are few unsorted thoughts.
Thank you for the answer.
>
> I'm fine with the trusted peer mark on the server certificate in HTTP
> NSS DB. This is the certificate we have private key of, we already use
> it for our own operations, so marking it as trusted peer is not going to
> break the world. I'm also OK with defaulting to OCSP only.
Ok, I'll go this way.
>
> One issue we need to solve with regards to trust is what to do with
> third-party certificates provided by and used for login purposes by
> users. Their CA anchors might not be known to IPA master(s) and in
> general we were treating them as external material stored in LDAP.
I think that in this situation when CA anchor is not known then the login should not be possible - or at least I would expect that. Or am I missing something?
>
> For x509 client authentication, however, Apache modules would need to
> know about the anchors in the same way as we do with our own (or
> third-party provided) HTTP certificate anchors. This means such root
> certificates need to be easily installable to all IPA masters, both for
> HTTP and PKINIT. Given that a (chain) of trust for them most likely does
> not end at our own CA, we should be OK with OCSP for them at startup and
> not marking them as trusted peers.
>
Could the installation of certificates be handled by using any of our commands (ipa-cacertmanage)?

--
Pavel^3 Vomacka

From pvomacka at redhat.com Wed Apr 12 16:36:19 2017
From: pvomacka at redhat.com (Pavel Vomacka)
Date: Wed, 12 Apr 2017 18:36:19 +0200
Subject: [Freeipa-devel] Checking OCSP and CRL during certificate login
In-Reply-To: <839e2449-4713-b997-7266-b88d88f87e03@redhat.com>
References: <4d592ea0-4b26-4d23-8dd9-d171d8097aee@redhat.com> <839e2449-4713-b997-7266-b88d88f87e03@redhat.com>
Message-ID:

On 04/11/2017 03:24 PM, Rob Crittenden wrote:
> Pavel Vomacka wrote:
>> Hello,
>>
>> With the recent addition of certificate mapping and certificate login
>> support into WebUI, we need to handle also revoking of certificates
>> which are used for login. There is ticket which requests this
>> functionality: https://pagure.io/freeipa/issue/6370
>>
>> We (me, David and Jan) are thinking about how to achieve this and the
>> way we found is following: We mark the server cert in HTTP NSS DB as
>> trusted peer ('P,,') to avoid chicken and egg problem when we will need
>> to contact the OCSP responder when httpd is starting. And then set
>> NSSOCSP On directive in /etc/httpd/conf.d/nss.conf . The known downside
>> of OCSP is that when OCSP responder is not reachable, then the
>> certificate cannot be checked and login is not allowed. Should we
>> document it, or is that acceptable behavior? Is it OK to just fail?
>>
>> Another thing is checking CRL. The main issue here is that we don't have
>> mechanism which would fetch CRL periodically from the source and
>> therefore the CRL would have to be updated manually. Therefore I would go
>> only with OCSP now.
> mod_revocator does exactly what you are looking for.
>
> rob
Thank you for mentioning mod_revocator.
Is there any other documentation than this one:
https://pagure.io/mod_revocator ?
I found several more pages but they were not available.

--
Pavel^3 Vomacka

From freeipa-github-notification at redhat.com Wed Apr 12 17:06:11 2017
From: freeipa-github-notification at redhat.com (Akasurde)
Date: Wed, 12 Apr 2017 19:06:11 +0200
Subject: [Freeipa-devel] [freeipa PR#707][comment] Minor typo fixes
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/707
Title: #707: Minor typo fixes

Akasurde commented:
"""
@stlaz @tomaskrizek Thanks.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/707#issuecomment-293644671

From rcritten at redhat.com Wed Apr 12 17:24:32 2017
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 12 Apr 2017 13:24:32 -0400
Subject: [Freeipa-devel] Checking OCSP and CRL during certificate login
In-Reply-To:
References: <4d592ea0-4b26-4d23-8dd9-d171d8097aee@redhat.com> <839e2449-4713-b997-7266-b88d88f87e03@redhat.com>
Message-ID: <37a09399-c209-5da3-7d6c-613b7fbada13@redhat.com>

Pavel Vomacka wrote:
>
>
> On 04/11/2017 03:24 PM, Rob Crittenden wrote:
>> Pavel Vomacka wrote:
>>> Hello,
>>>
>>> With the recent addition of certificate mapping and certificate login
>>> support into WebUI, we need to handle also revoking of certificates
>>> which are used for login. There is ticket which requests this
>>> functionality: https://pagure.io/freeipa/issue/6370
>>>
>>> We (me, David and Jan) are thinking about how to achieve this and the
>>> way we found is following: We mark the server cert in HTTP NSS DB as
>>> trusted peer ('P,,') to avoid chicken and egg problem when we will need
>>> to contact the OCSP responder when httpd is starting. And then set
>>> NSSOCSP On directive in /etc/httpd/conf.d/nss.conf . The known downside
>>> of OCSP is that when OCSP responder is not reachable, then the
>>> certificate cannot be checked and login is not allowed. Should we
>>> document it, or is that acceptable behavior? Is it OK to just fail?
>>>
>>> Another thing is checking CRL. The main issue here is that we don't have
>>> mechanism which would fetch CRL periodically from the source and
>>> therefore the CRL would have to be updated manually. Therefore I would go
>>> only with OCSP now.
>> mod_revocator does exactly what you are looking for.
>>
>> rob
> Thank you for mentioning mod_revocator.
> Is there any other documentation than this one:
> https://pagure.io/mod_revocator ?
> I found several more pages but they were not available.
>

No, that's pretty much it. Let me know if you have any questions.

rob

From bind-dyndb-ldap-github-notification at redhat.com Thu Apr 13 08:54:02 2017
From: bind-dyndb-ldap-github-notification at redhat.com (tomaskrizek)
Date: Thu, 13 Apr 2017 10:54:02 +0200
Subject: [Freeipa-devel] [bind-dyndb-ldap PR#15][+ack] ignore what configure and make produced
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/bind-dyndb-ldap/pull/15
Title: #15: ignore what configure and make produced

Label: +ack

From bind-dyndb-ldap-github-notification at redhat.com Thu Apr 13 08:54:21 2017
From: bind-dyndb-ldap-github-notification at redhat.com (tomaskrizek)
Date: Thu, 13 Apr 2017 10:54:21 +0200
Subject: [Freeipa-devel] [bind-dyndb-ldap PR#15][comment] ignore what configure and make produced
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/bind-dyndb-ldap/pull/15
Title: #15: ignore what configure and make produced

tomaskrizek commented:
"""
Thanks!

master:
- aadb92bb90f842e89b0465e3c519dbb0d24fec73
"""

See the full comment at https://github.com/freeipa/bind-dyndb-ldap/pull/15#issuecomment-293832066

From bind-dyndb-ldap-github-notification at redhat.com Thu Apr 13 08:54:22 2017
From: bind-dyndb-ldap-github-notification at redhat.com (tomaskrizek)
Date: Thu, 13 Apr 2017 10:54:22 +0200
Subject: [Freeipa-devel] [bind-dyndb-ldap PR#15][closed] ignore what configure and make produced
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/bind-dyndb-ldap/pull/15
Author: mingzym
Title: #15: ignore what configure and make produced
Action: closed

To pull the PR as Git branch:
git remote add ghbind-dyndb-ldap https://github.com/freeipa/bind-dyndb-ldap
git fetch ghbind-dyndb-ldap pull/15/head:pr15
git checkout pr15

From bind-dyndb-ldap-github-notification at redhat.com Thu Apr 13 08:54:26 2017
From: bind-dyndb-ldap-github-notification at redhat.com (tomaskrizek)
Date: Thu, 13 Apr 2017 10:54:26 +0200
Subject: [Freeipa-devel] [bind-dyndb-ldap PR#15][+pushed] ignore what
configure and make produced In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/bind-dyndb-ldap/pull/15 Title: #15: ignore what configure and make produced Label: +pushed From freeipa-github-notification at redhat.com Thu Apr 13 10:04:01 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Thu, 13 Apr 2017 12:04:01 +0200 Subject: [Freeipa-devel] [freeipa PR#711][opened] Move the compat plugin setup at the end of install Message-ID: URL: https://github.com/freeipa/freeipa/pull/711 Author: stlaz Title: #711: Move the compat plugin setup at the end of install Action: opened PR body: """ The compat plugin was causing deadlocks with the topology plugin. Move its setup at the end of the installation and remove the cn=topology,cn=ipa,cn=etc subtree from its scope. https://pagure.io/freeipa/issue/6821 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/711/head:pr711 git checkout pr711 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-711.patch Type: text/x-diff Size: 20902 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Apr 13 12:43:02 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Thu, 13 Apr 2017 14:43:02 +0200 Subject: [Freeipa-devel] [freeipa PR#712][opened] WebUI: Coverity fixes Message-ID: URL: https://github.com/freeipa/freeipa/pull/712 Author: pvomacka Title: #712: WebUI: Coverity fixes Action: opened PR body: """ Several fixes: - null pointer exception - add explicit object - removes identical branches of if statement """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/712/head:pr712 git checkout pr712 -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-pr-712.patch Type: text/x-diff Size: 6299 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Apr 13 13:47:35 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Thu, 13 Apr 2017 15:47:35 +0200 Subject: [Freeipa-devel] [freeipa PR#702][comment] Correct PyPI package dependencies In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/702 Title: #702: Correct PyPI package dependencies tiran commented: """ With recent changes, 4.5 needs a different patch. Let's merge this one and I'll prepare a new one with a ticket another time. """ See the full comment at https://github.com/freeipa/freeipa/pull/702#issuecomment-293900251 From freeipa-github-notification at redhat.com Thu Apr 13 15:27:17 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Thu, 13 Apr 2017 17:27:17 +0200 Subject: [Freeipa-devel] [freeipa PR#713][opened] WebUI: fix showing required asterisk '*' Message-ID: URL: https://github.com/freeipa/freeipa/pull/713 Author: pvomacka Title: #713: WebUI: fix showing required asterisk '*' Action: opened PR body: """ There was a bug that when user switch between two facets where is required field and in one of them is writable and in second one is not writable, then the asterisk which marks required field is not shown. i.e. admin vs. user details page or global_passwd_policy vs. other_passwd_policy details page. That was caused by incorrect evaluation of required state of field. Evaluation works that way: evaluate old required state, then evaluate current required state and if states has changed then emit change event. The evaluation depends on writable and read_only state of field. Those two states are set before evaluation of required state, but their old values (for evaluating previous required stated) were not stored anywhere. This commit adds two attributes which stores old writable and read_only states. The required asterisk is then shown correctly. 
https://pagure.io/freeipa/issue/6849 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/713/head:pr713 git checkout pr713 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-713.patch Type: text/x-diff Size: 4264 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Sat Apr 15 11:57:20 2017 From: freeipa-github-notification at redhat.com (realsobek) Date: Sat, 15 Apr 2017 13:57:20 +0200 Subject: [Freeipa-devel] [freeipa PR#714][opened] fix minor typo in ipa-adtrust-install.1 Message-ID: URL: https://github.com/freeipa/freeipa/pull/714 Author: realsobek Title: #714: fix minor typo in ipa-adtrust-install.1 Action: opened PR body: """ """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/714/head:pr714 git checkout pr714 -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-pr-714.patch Type: text/x-diff Size: 1051 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Sat Apr 15 12:19:17 2017 From: freeipa-github-notification at redhat.com (realsobek) Date: Sat, 15 Apr 2017 14:19:17 +0200 Subject: [Freeipa-devel] [freeipa PR#714][edited] fix minor typo in ipa-adtrust-install.1 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/714 Author: realsobek Title: #714: fix minor typo in ipa-adtrust-install.1 Action: edited Changed field: body Original value: """ """ From freeipa-github-notification at redhat.com Sat Apr 15 21:13:02 2017 From: freeipa-github-notification at redhat.com (realsobek) Date: Sat, 15 Apr 2017 23:13:02 +0200 Subject: [Freeipa-devel] [freeipa PR#715][opened] use correct option name Message-ID: URL: https://github.com/freeipa/freeipa/pull/715 Author: realsobek Title: #715: use correct option name Action: opened PR body: """ """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/715/head:pr715 git checkout pr715 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-715.patch Type: text/x-diff Size: 3396 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Sat Apr 15 21:15:28 2017 From: freeipa-github-notification at redhat.com (realsobek) Date: Sat, 15 Apr 2017 23:15:28 +0200 Subject: [Freeipa-devel] [freeipa PR#716][opened] Fix minor typos Message-ID: URL: https://github.com/freeipa/freeipa/pull/716 Author: realsobek Title: #716: Fix minor typos Action: opened PR body: """ """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/716/head:pr716 git checkout pr716 -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-pr-716.patch Type: text/x-diff Size: 22333 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Sun Apr 16 13:54:11 2017 From: freeipa-github-notification at redhat.com (realsobek) Date: Sun, 16 Apr 2017 15:54:11 +0200 Subject: [Freeipa-devel] [freeipa PR#716][synchronized] Fix minor typos In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/716 Author: realsobek Title: #716: Fix minor typos Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/716/head:pr716 git checkout pr716 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-716.patch Type: text/x-diff Size: 23033 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Sun Apr 16 15:44:16 2017 From: freeipa-github-notification at redhat.com (realsobek) Date: Sun, 16 Apr 2017 17:44:16 +0200 Subject: [Freeipa-devel] [freeipa PR#716][synchronized] Fix minor typos In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/716 Author: realsobek Title: #716: Fix minor typos Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/716/head:pr716 git checkout pr716 -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-pr-716.patch Type: text/x-diff Size: 23820 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Sun Apr 16 15:45:55 2017 From: freeipa-github-notification at redhat.com (realsobek) Date: Sun, 16 Apr 2017 17:45:55 +0200 Subject: [Freeipa-devel] [freeipa PR#716][synchronized] Fix minor typos In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/716 Author: realsobek Title: #716: Fix minor typos Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/716/head:pr716 git checkout pr716 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-716.patch Type: text/x-diff Size: 24607 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Sun Apr 16 15:46:36 2017 From: freeipa-github-notification at redhat.com (realsobek) Date: Sun, 16 Apr 2017 17:46:36 +0200 Subject: [Freeipa-devel] [freeipa PR#716][synchronized] Fix minor typos In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/716 Author: realsobek Title: #716: Fix minor typos Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/716/head:pr716 git checkout pr716 -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-pr-716.patch Type: text/x-diff Size: 25394 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Sun Apr 16 15:47:25 2017 From: freeipa-github-notification at redhat.com (realsobek) Date: Sun, 16 Apr 2017 17:47:25 +0200 Subject: [Freeipa-devel] [freeipa PR#716][synchronized] Fix minor typos In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/716 Author: realsobek Title: #716: Fix minor typos Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/716/head:pr716 git checkout pr716 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-716.patch Type: text/x-diff Size: 26116 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Sun Apr 16 16:00:50 2017 From: freeipa-github-notification at redhat.com (realsobek) Date: Sun, 16 Apr 2017 18:00:50 +0200 Subject: [Freeipa-devel] [freeipa PR#716][synchronized] Fix minor typos In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/716 Author: realsobek Title: #716: Fix minor typos Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/716/head:pr716 git checkout pr716 -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-pr-716.patch Type: text/x-diff Size: 28180 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Sun Apr 16 16:03:39 2017 From: freeipa-github-notification at redhat.com (realsobek) Date: Sun, 16 Apr 2017 18:03:39 +0200 Subject: [Freeipa-devel] [freeipa PR#716][synchronized] Fix minor typos In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/716 Author: realsobek Title: #716: Fix minor typos Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/716/head:pr716 git checkout pr716 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-716.patch Type: text/x-diff Size: 29124 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Sun Apr 16 16:24:43 2017 From: freeipa-github-notification at redhat.com (realsobek) Date: Sun, 16 Apr 2017 18:24:43 +0200 Subject: [Freeipa-devel] [freeipa PR#715][synchronized] use correct option name In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/715 Author: realsobek Title: #715: use correct option name Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/715/head:pr715 git checkout pr715 -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-pr-715.patch
Type: text/x-diff
Size: 4594 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Sun Apr 16 20:26:04 2017
From: freeipa-github-notification at redhat.com (realsobek)
Date: Sun, 16 Apr 2017 22:26:04 +0200
Subject: [Freeipa-devel] [freeipa PR#716][synchronized] Fix minor typos
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/716
Author: realsobek
Title: #716: Fix minor typos
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/716/head:pr716
git checkout pr716
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-716.patch
Type: text/x-diff
Size: 44588 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Sun Apr 16 20:46:02 2017
From: freeipa-github-notification at redhat.com (realsobek)
Date: Sun, 16 Apr 2017 22:46:02 +0200
Subject: [Freeipa-devel] [freeipa PR#716][comment] Fix minor typos
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/716
Title: #716: Fix minor typos

realsobek commented:
"""
There are 353 occurrences of 'plugable'. 2 in file names. 351 in code. I can make the change in a separate branch. But I cannot evaluate the outcome. Hence I would like to have your opinion before jumping to conclusions. Can I go ahead and make the change?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/716#issuecomment-294373325

From freeipa-github-notification at redhat.com Sun Apr 16 23:02:29 2017
From: freeipa-github-notification at redhat.com (LiptonB)
Date: Mon, 17 Apr 2017 01:02:29 +0200
Subject: [Freeipa-devel] [freeipa PR#717][opened] csrgen: Finish NSS support
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/717
Author: LiptonB
Title: #717: csrgen: Finish NSS support
Action: opened

PR body:
"""
I took the approach of generating a new key for each request, as keys already stored in a database are difficult to name precisely. I also had to add another hook to `CSRLibraryAdaptor` that is called after the cert is returned from the server, so that we could add the cert to the database as desired.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/717/head:pr717
git checkout pr717
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-717.patch
Type: text/x-diff
Size: 9464 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Sun Apr 16 23:49:02 2017
From: freeipa-github-notification at redhat.com (LiptonB)
Date: Mon, 17 Apr 2017 01:49:02 +0200
Subject: [Freeipa-devel] [freeipa PR#433][synchronized] csrgen: Allow some certificate fields to be specified by the user
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/433
Author: LiptonB
Title: #433: csrgen: Allow some certificate fields to be specified by the user
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/433/head:pr433
git checkout pr433
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-433.patch
Type: text/x-diff
Size: 10068 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Mon Apr 17 05:28:28 2017
From: freeipa-github-notification at redhat.com (abbra)
Date: Mon, 17 Apr 2017 07:28:28 +0200
Subject: [Freeipa-devel] [freeipa PR#716][comment] Fix minor typos
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/716
Title: #716: Fix minor typos

abbra commented:
"""
Thanks for this pull request. There are no tickets associated with these changes. The changes themselves are controversial.

Do not change `--forwarder-*` to `--forward-*` because you are dealing with well-known DNS term here, not a simple word.

Please normalize your `From:` line to be from the same email address. We do not accept something like `From: user `

Updates to translations should be done via https://fedora.zanata.org/project/view/freeipa?dswid=2118, see https://fedoraproject.org/wiki/L10N/Translate_on_Zanata for details.

Changes like `plugable` -> `pluggable` may be OK in the text when they are part of a normal sentence. However, do not change the code itself and references in the text to those code names. These constitute part of a released plugin API and should not be changed.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/716#issuecomment-294407938

From freeipa-github-notification at redhat.com Mon Apr 17 20:46:27 2017
From: freeipa-github-notification at redhat.com (realsobek)
Date: Mon, 17 Apr 2017 22:46:27 +0200
Subject: [Freeipa-devel] [freeipa PR#715][synchronized] use correct option name
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/715
Author: realsobek
Title: #715: use correct option name
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/715/head:pr715
git checkout pr715
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-715.patch
Type: text/x-diff
Size: 4573 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Mon Apr 17 21:45:48 2017
From: freeipa-github-notification at redhat.com (realsobek)
Date: Mon, 17 Apr 2017 23:45:48 +0200
Subject: [Freeipa-devel] [freeipa PR#716][comment] Fix minor typos
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/716
Title: #716: Fix minor typos

realsobek commented:
"""
Thank you for guiding me. :)

> There are no tickets associated with these changes.

In the sense of: http://www.freeipa.org/page/Contribute/Code#Update_Trac_ticket I consider my code changes small and omitted the ticket. Shall I create a ticket to associate the changes with?

> Do not change --forwarder-* to --forward-* because you are dealing with well-known DNS term here, not a simple word.

As far as I can see in FreeIPA there is no '--forwarder-policy' option. '--forward-policy' and '--forwarder' options are present.

> Please normalize your From: line to be from the same email address.

That is my fault. It is fixed in my fork now, but the change is not reflected in the pull request. How can I fix this?

What I did to fix the author of the commit on my computer:

$ cd freeipa ; git checkout fix-uk-forwarder-policy
$ git log # output has been shortened manually
commit 2c3db7b6645868d8d41b8bf6039228214f4f6660 realsobek add empty lines to be consistent
commit cb4250afda73a1ad3b3fb1d8a94f04b6dd944c72 user use correct option name
commit 703691c605b39e08ce3aff4623c90edafa0bca53 realsobek fix minor typo in ipa-adtrust-install.1
$ git rebase -i -p 703691c605b39e08ce3aff4623c90edafa0bca53 # change file to: edit cb4250af keep 2c3db7b6
Stopped at cb4250afda73a1ad3b3fb1d8a94f04b6dd944c72...
$ git commit --amend --reset-author
[detached HEAD 23a1023] use correct option name
1 file changed, 4 insertions(+), 4 deletions(-)
$ git rebase --continue
Successfully rebased and updated refs/heads/fix-uk-forwarder-policy.
$ git log # output has been shortened manually
commit 7aa5ce36bd98dd8bafa06fe962ae994cad585c51 realsobek add empty lines to be consistent
commit 23a1023100c969e2d3b2482f991a707349233bd0 realsobek use correct option name
commit 703691c605b39e08ce3aff4623c90edafa0bca53 realsobek fix minor typo in ipa-adtrust-install.1
$ git commit -a
On branch fix-uk-forwarder-policy
Your branch and 'origin/fix-uk-forwarder-policy' have diverged,
and have 2 and 2 different commits each, respectively.
(use "git pull" to merge the remote branch into yours)
nothing to commit, working directory clean
$ git push
To https://github.com/realsobek/freeipa.git
! [rejected] fix-uk-forwarder-policy -> fix-uk-forwarder-policy (non-fast-forward)
error: failed to push some refs to 'https://github.com/realsobek/freeipa.git'
hint: Updates were rejected because the tip of your current branch is behind
hint: its remote counterpart. Integrate the remote changes (e.g.
hint: 'git pull ...') before pushing again.
hint: See the 'Note about fast-forwards' in 'git push --help' for details.
$ git push -f
Counting objects: 8, done.
Delta compression using up to 2 threads.
Compressing objects: 100% (5/5), done.
Writing objects: 100% (8/8), 892 bytes | 0 bytes/s, done.
Total 8 (delta 6), reused 3 (delta 3)
remote: Resolving deltas: 100% (6/6), completed with 3 local objects.
To https://github.com/realsobek/freeipa.git
+ 2c3db7b...7aa5ce3 fix-uk-forwarder-policy -> fix-uk-forwarder-policy (forced update)

> Updates to translations should be done via ...

I will do after the '--forwarder-policy' discussion is resolved.

> Change like plugable -> pluggable ...

No normal sentence, it is all code. Maybe it can be changed in the future with the release of a major new version?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/716#issuecomment-294603758

From freeipa-github-notification at redhat.com Tue Apr 18 08:50:35 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Tue, 18 Apr 2017 10:50:35 +0200
Subject: [Freeipa-devel] [freeipa PR#677][synchronized] cert: defer cert-find result post-processing
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/677
Author: HonzaCholasta
Title: #677: cert: defer cert-find result post-processing
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/677/head:pr677
git checkout pr677
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-677.patch
Type: text/x-diff
Size: 8664 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Tue Apr 18 12:19:09 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Tue, 18 Apr 2017 14:19:09 +0200
Subject: [Freeipa-devel] [freeipa PR#718][opened] configure: fix AC_CHECK_LIB usage
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/718
Author: HonzaCholasta
Title: #718: configure: fix AC_CHECK_LIB usage
Action: opened

PR body:
"""
Replace empty string with a single space in the third argument of `AC_CHECK_LIB` (`action-if-found`) where applicable.

Empty string in the argument causes `AC_CHECK_LIB` to use the default action when a library is found which includes adding the library to `LIBS`, which specifies libraries to be linked in every binary and library in the project.

This fixes libkrad, liblber, libldap_r and libsss_nss_idmap being linked to every binary and library in IPA, even where unused.

https://pagure.io/freeipa/issue/6846
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/718/head:pr718
git checkout pr718
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-718.patch
Type: text/x-diff
Size: 2326 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Tue Apr 18 12:38:49 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Tue, 18 Apr 2017 14:38:49 +0200
Subject: [Freeipa-devel] [freeipa PR#718][comment] configure: fix AC_CHECK_LIB usage
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/718
Title: #718: configure: fix AC_CHECK_LIB usage

tiran commented:
"""
Is this peculiar behavior of ```AC_CHECK_LIB``` documented somewhere?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/718#issuecomment-294823623

From freeipa-github-notification at redhat.com Tue Apr 18 12:44:21 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Tue, 18 Apr 2017 14:44:21 +0200
Subject: [Freeipa-devel] [freeipa PR#718][comment] configure: fix AC_CHECK_LIB usage
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/718
Title: #718: configure: fix AC_CHECK_LIB usage

HonzaCholasta commented:
"""
`info autoconf Libraries` says:

> If ACTION-IF-FOUND is not
> specified, the default action prepends `-lLIBRARY' to `LIBS' and
> defines `HAVE_LIBLIBRARY' (in all capitals).

It does not explicitly say what constitutes an unspecified value though.
""" See the full comment at https://github.com/freeipa/freeipa/pull/718#issuecomment-294825956 From freeipa-github-notification at redhat.com Tue Apr 18 13:28:56 2017 From: freeipa-github-notification at redhat.com (lslebodn) Date: Tue, 18 Apr 2017 15:28:56 +0200 Subject: [Freeipa-devel] [freeipa PR#718][comment] configure: fix AC_CHECK_LIB usage In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/718 Title: #718: configure: fix AC_CHECK_LIB usage lslebodn commented: """ >It does not explicitly say what constitutes an unspecified value though. ```[]``` means default action. BTW it is not peculiar behaviour because most project define custom LIBS using the 3rd argument and not after invocation of macro. e.g. ``` AC_CHECK_HEADER(krad.h, [], [AC_MSG_ERROR([krad.h not found])]) -AC_CHECK_LIB(krad, main, [], [AC_MSG_ERROR([libkrad not found])]) +AC_CHECK_LIB(krad, main, [KRAD_LIBS="-lkrad"], [AC_MSG_ERROR([libkrad not found])]) -KRAD_LIBS="-lkrad" ``` And link to online documentation https://www.gnu.org/software/autoconf/manual/autoconf.html#Libraries """ See the full comment at https://github.com/freeipa/freeipa/pull/718#issuecomment-294844095 From freeipa-github-notification at redhat.com Tue Apr 18 13:30:33 2017 From: freeipa-github-notification at redhat.com (lslebodn) Date: Tue, 18 Apr 2017 15:30:33 +0200 Subject: [Freeipa-devel] [freeipa PR#718][comment] configure: fix AC_CHECK_LIB usage In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/718 Title: #718: configure: fix AC_CHECK_LIB usage lslebodn commented: """ >It does not explicitly say what constitutes an unspecified value though. ```, , ``` or ``` , [] ,``` are considered as unspecified values and therefore default action was used. BTW it is not peculiar behaviour because most project define custom LIBS using the 3rd argument and not after invocation of macro. e.g. 
``` AC_CHECK_HEADER(krad.h, [], [AC_MSG_ERROR([krad.h not found])]) -AC_CHECK_LIB(krad, main, [], [AC_MSG_ERROR([libkrad not found])]) +AC_CHECK_LIB(krad, main, [KRAD_LIBS="-lkrad"], [AC_MSG_ERROR([libkrad not found])]) -KRAD_LIBS="-lkrad" ``` And link to online documentation https://www.gnu.org/software/autoconf/manual/autoconf.html#Libraries """ See the full comment at https://github.com/freeipa/freeipa/pull/718#issuecomment-294844095 From freeipa-github-notification at redhat.com Tue Apr 18 13:34:33 2017 From: freeipa-github-notification at redhat.com (lslebodn) Date: Tue, 18 Apr 2017 15:34:33 +0200 Subject: [Freeipa-devel] [freeipa PR#718][comment] configure: fix AC_CHECK_LIB usage In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/718 Title: #718: configure: fix AC_CHECK_LIB usage lslebodn commented: """ A little bit offtopic. It is interesting that you look for the function `main` in libkrad. Because it does not exist there. I've just noticed it. ``` sh# nm --defined-only --dynamic /usr/lib64/libkrad.so 0000000000000000 A HIDDEN 0000000000000000 A krad_0_MIT 0000000000002540 T krad_attr_name2num 00000000000025d0 T krad_attr_num2name 0000000000002780 T krad_attrset_add 0000000000002850 T krad_attrset_add_number 0000000000002a00 T krad_attrset_copy 00000000000028b0 T krad_attrset_del 00000000000026a0 T krad_attrset_free 0000000000002990 T krad_attrset_get 0000000000002630 T krad_attrset_new 0000000000003310 T krad_client_free 00000000000032a0 T krad_client_new 0000000000003380 T krad_client_send 00000000000036c0 T krad_code_name2num 0000000000003750 T krad_code_num2name 0000000000003940 T krad_packet_bytes_needed 0000000000003f70 T krad_packet_decode_request 0000000000004040 T krad_packet_decode_response 00000000000041a0 T krad_packet_encode 00000000000039c0 T krad_packet_free 0000000000004220 T krad_packet_get_attr 00000000000041e0 T krad_packet_get_code 0000000000003b20 T krad_packet_new_request 0000000000003e10 T 
krad_packet_new_response
```
""" See the full comment at https://github.com/freeipa/freeipa/pull/718#issuecomment-294845871
From freeipa-github-notification at redhat.com Tue Apr 18 14:47:59 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Tue, 18 Apr 2017 16:47:59 +0200 Subject: [Freeipa-devel] [freeipa PR#694][synchronized] RFC: implement local PKINIT deployment in server/replica install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/694 Author: martbab Title: #694: RFC: implement local PKINIT deployment in server/replica install Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/694/head:pr694 git checkout pr694 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-694.patch Type: text/x-diff Size: 26201 bytes Desc: not available URL:
From freeipa-github-notification at redhat.com Tue Apr 18 14:49:24 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Tue, 18 Apr 2017 16:49:24 +0200 Subject: [Freeipa-devel] [freeipa PR#694][comment] RFC: implement local PKINIT deployment in server/replica install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/694 Title: #694: RFC: implement local PKINIT deployment in server/replica install martbab commented: """ I have added comments to the "hidden" PKINIT setup steps. I would also like @simo5 and @abbra to answer further comments regarding this PR. It was on ice for nearly two weeks and we should really have it merged soon.
""" See the full comment at https://github.com/freeipa/freeipa/pull/694#issuecomment-294869009
From freeipa-github-notification at redhat.com Tue Apr 18 15:22:00 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 18 Apr 2017 17:22:00 +0200 Subject: [Freeipa-devel] [freeipa PR#719][opened] External CA fixes Message-ID: URL: https://github.com/freeipa/freeipa/pull/719 Author: stlaz Title: #719: External CA fixes Action: opened PR body: """ External CA installation would have failed for 2 reasons: - Trying to perform Kerberos install twice (for some reason our QA forgot to tell us that) - Rewriting the CA cert file with each consecutive certificate in the certificate chain instead of appending them This patchset fixes that behavior. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/719/head:pr719 git checkout pr719 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-719.patch Type: text/x-diff Size: 3065 bytes Desc: not available URL:
From freeipa-github-notification at redhat.com Tue Apr 18 19:42:19 2017 From: freeipa-github-notification at redhat.com (realsobek) Date: Tue, 18 Apr 2017 21:42:19 +0200 Subject: [Freeipa-devel] [freeipa PR#716][comment] Fix minor typos In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/716 Title: #716: Fix minor typos realsobek commented: """ > There are no tickets associated with these changes. On the other hand, if the ticket is required for giving attribution, I will create it.
""" See the full comment at https://github.com/freeipa/freeipa/pull/716#issuecomment-294957570
From freeipa-github-notification at redhat.com Wed Apr 19 06:16:41 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Wed, 19 Apr 2017 08:16:41 +0200 Subject: [Freeipa-devel] [freeipa PR#719][edited] External CA fixes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/719 Author: stlaz Title: #719: External CA fixes Action: edited Changed field: body Original value: """ External CA installation would have failed for 2 reasons: - Trying to perform Kerberos install twice (for some reason our QA forgot to tell us that) - Rewriting the CA cert file with each consecutive certificate in the certificate chain instead of appending them This patchset fixes that behavior.
""" From freeipa-github-notification at redhat.com Wed Apr 19 07:32:05 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Wed, 19 Apr 2017 09:32:05 +0200 Subject: [Freeipa-devel] [freeipa PR#719][synchronized] External CA fixes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/719 Author: stlaz Title: #719: External CA fixes Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/719/head:pr719 git checkout pr719 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-719.patch Type: text/x-diff Size: 3065 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Apr 19 09:00:22 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 19 Apr 2017 11:00:22 +0200 Subject: [Freeipa-devel] [freeipa PR#720][opened] tox: use pylint 1.6.x for now Message-ID: URL: https://github.com/freeipa/freeipa/pull/720 Author: tiran Title: #720: tox: use pylint 1.6.x for now Action: opened PR body: """ FreeIPA is not yet compatible with pylint 1.7.1+. Enforce pylint 1.6.x until all issues have been addressed. Related: https://pagure.io/freeipa/issue/6874 Signed-off-by: Christian Heimes """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/720/head:pr720 git checkout pr720 -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-pr-720.patch Type: text/x-diff Size: 816 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Apr 19 09:01:03 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 19 Apr 2017 11:01:03 +0200 Subject: [Freeipa-devel] [freeipa PR#720][comment] tox: use pylint 1.6.x for now In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/720 Title: #720: tox: use pylint 1.6.x for now tiran commented: """ Needs rebase to 4.5 **or** 4.5 must be made compatible with pylint 1.7 before 4.5.1 is released. """ See the full comment at https://github.com/freeipa/freeipa/pull/720#issuecomment-295174341 From freeipa-github-notification at redhat.com Wed Apr 19 09:15:49 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 19 Apr 2017 11:15:49 +0200 Subject: [Freeipa-devel] [freeipa PR#702][synchronized] Correct PyPI package dependencies In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/702 Author: tiran Title: #702: Correct PyPI package dependencies Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/702/head:pr702 git checkout pr702 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-702.patch Type: text/x-diff Size: 5496 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Apr 19 09:50:43 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 19 Apr 2017 11:50:43 +0200 Subject: [Freeipa-devel] [freeipa PR#699][comment] ipaclient/ipapython macOS compatibility fixes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/699 Title: #699: ipaclient/ipapython macOS compatibility fixes tiran commented: """ @abbra is there any reason to delay the merge? I like to get the fixes into 4.5 for the upcoming 4.5.1 release. 
This commit may not be sufficient for full macOS support, but it's definitely required for macOS support. There is no harm to commit it now and fix remaining issues later. """ See the full comment at https://github.com/freeipa/freeipa/pull/699#issuecomment-295193893 From freeipa-github-notification at redhat.com Wed Apr 19 09:54:02 2017 From: freeipa-github-notification at redhat.com (abbra) Date: Wed, 19 Apr 2017 11:54:02 +0200 Subject: [Freeipa-devel] [freeipa PR#699][comment] ipaclient/ipapython macOS compatibility fixes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/699 Title: #699: ipaclient/ipapython macOS compatibility fixes abbra commented: """ Well, given that it is not officially supported yet, go ahead. """ See the full comment at https://github.com/freeipa/freeipa/pull/699#issuecomment-295195255 From freeipa-github-notification at redhat.com Wed Apr 19 10:28:24 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Wed, 19 Apr 2017 12:28:24 +0200 Subject: [Freeipa-devel] [freeipa PR#721][opened] Fix RA cert import during DL0 replication Message-ID: URL: https://github.com/freeipa/freeipa/pull/721 Author: stlaz Title: #721: Fix RA cert import during DL0 replication Action: opened PR body: """ Previous versions of FreeIPA add password to the ra.p12 file contained in the password-protected tarball. This was forgotten about in the recent changes and fixed now. https://pagure.io/freeipa/issue/6878 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/721/head:pr721 git checkout pr721 -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-pr-721.patch Type: text/x-diff Size: 2800 bytes Desc: not available URL:
From freeipa-github-notification at redhat.com Wed Apr 19 10:36:46 2017 From: freeipa-github-notification at redhat.com (pvoborni) Date: Wed, 19 Apr 2017 12:36:46 +0200 Subject: [Freeipa-devel] [freeipa PR#699][comment] ipaclient/ipapython macOS compatibility fixes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/699 Title: #699: ipaclient/ipapython macOS compatibility fixes pvoborni commented: """ IMO this can be put to 4.5.1 (ipa-4-5 branch) but in order to do it, according to FreeIPA devel processes, it needs to be attached (have a ticket link in commit message) to opened issue in 4.5.1 milestone. Otherwise it will go only to master branch (future 4.6). If this fixes 6850, then it can be reopened for it. Otherwise please [open a new issue](https://pagure.io/freeipa/new_issue) with reasoning. """ See the full comment at https://github.com/freeipa/freeipa/pull/699#issuecomment-295209903
From freeipa-github-notification at redhat.com Wed Apr 19 10:43:08 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Wed, 19 Apr 2017 12:43:08 +0200 Subject: [Freeipa-devel] [freeipa PR#677][+ack] cert: defer cert-find result post-processing In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/677 Title: #677: cert: defer cert-find result post-processing Label: +ack
From freeipa-github-notification at redhat.com Wed Apr 19 10:44:04 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Wed, 19 Apr 2017 12:44:04 +0200 Subject: [Freeipa-devel] [freeipa PR#677][comment] cert: defer cert-find result post-processing In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/677 Title: #677: cert: defer cert-find result post-processing stlaz commented: """ We may need these changes in 4.5 and 4.4, too since `cert-find` is rather broken there, too.
""" See the full comment at https://github.com/freeipa/freeipa/pull/677#issuecomment-295212663 From freeipa-github-notification at redhat.com Wed Apr 19 11:23:05 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 19 Apr 2017 13:23:05 +0200 Subject: [Freeipa-devel] [freeipa PR#677][comment] cert: defer cert-find result post-processing In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/677 Title: #677: cert: defer cert-find result post-processing HonzaCholasta commented: """ That might require backporting [issue 6564](https://pagure.io/freeipa/issue/6564) as well. """ See the full comment at https://github.com/freeipa/freeipa/pull/677#issuecomment-295226720 From freeipa-github-notification at redhat.com Wed Apr 19 11:29:12 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 19 Apr 2017 13:29:12 +0200 Subject: [Freeipa-devel] [freeipa PR#677][comment] cert: defer cert-find result post-processing In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/677 Title: #677: cert: defer cert-find result post-processing HonzaCholasta commented: """ master: * eb6d4c3037d0cc269a7924745f1cbd8f647e6e1a cert: defer cert-find result post-processing ipa-4-5: * 49f9d799c171c7ae2ac546a33a353c2c40b4719c cert: defer cert-find result post-processing """ See the full comment at https://github.com/freeipa/freeipa/pull/677#issuecomment-295228772 From freeipa-github-notification at redhat.com Wed Apr 19 11:29:16 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 19 Apr 2017 13:29:16 +0200 Subject: [Freeipa-devel] [freeipa PR#677][+pushed] cert: defer cert-find result post-processing In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/677 Title: #677: cert: defer cert-find result post-processing Label: +pushed From freeipa-github-notification at redhat.com Wed Apr 19 11:29:18 2017 From: freeipa-github-notification at 
redhat.com (HonzaCholasta) Date: Wed, 19 Apr 2017 13:29:18 +0200 Subject: [Freeipa-devel] [freeipa PR#677][closed] cert: defer cert-find result post-processing In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/677 Author: HonzaCholasta Title: #677: cert: defer cert-find result post-processing Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/677/head:pr677 git checkout pr677
From freeipa-github-notification at redhat.com Wed Apr 19 11:32:22 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Wed, 19 Apr 2017 13:32:22 +0200 Subject: [Freeipa-devel] [freeipa PR#719][synchronized] External CA fixes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/719 Author: stlaz Title: #719: External CA fixes Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/719/head:pr719 git checkout pr719 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-719.patch Type: text/x-diff Size: 2894 bytes Desc: not available URL:
From freeipa-github-notification at redhat.com Wed Apr 19 11:32:54 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 19 Apr 2017 13:32:54 +0200 Subject: [Freeipa-devel] [freeipa PR#721][comment] Fix RA cert import during DL0 replication In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/721 Title: #721: Fix RA cert import during DL0 replication HonzaCholasta commented:
"""
`ipa-replica-install` fails for me:
```
[2/2]: importing RA certificate from PKCS #12 file
[error] CalledProcessError: Command '/usr/bin/openssl pkcs12 -in /tmp/tmpPLwmXjipa/realm_info/ra.p12 -nocerts -nodes -out /var/lib/ipa/ra-agent.key -passin file:/tmp/tmpuzigru' returned non-zero exit status 1
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR Command '/usr/bin/openssl pkcs12 -in /tmp/tmpPLwmXjipa/realm_info/ra.p12 -nocerts -nodes -out /var/lib/ipa/ra-agent.key -passin file:/tmp/tmpuzigru' returned non-zero exit status 1
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
```
`ipareplica-install.log` says:
```
2017-04-19T11:28:53Z DEBUG [2/2]: importing RA certificate from PKCS #12 file
2017-04-19T11:28:53Z DEBUG Starting external process
2017-04-19T11:28:53Z DEBUG args=/usr/bin/openssl pkcs12 -in /tmp/tmpPLwmXjipa/realm_info/ra.p12 -nocerts -nodes -out /var/lib/ipa/ra-agent.key -passin file:/tmp/tmpuzigru
2017-04-19T11:28:53Z DEBUG Process finished, return code=1
2017-04-19T11:28:53Z DEBUG stdout=
2017-04-19T11:28:53Z DEBUG stderr=Mac verify error: invalid password?
```
??
""" See the full comment at https://github.com/freeipa/freeipa/pull/721#issuecomment-295230168
From freeipa-github-notification at redhat.com Wed Apr 19 11:37:41 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 19 Apr 2017 13:37:41 +0200 Subject: [Freeipa-devel] [freeipa PR#721][comment] Fix RA cert import during DL0 replication In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/721 Title: #721: Fix RA cert import during DL0 replication HonzaCholasta commented: """ ... because you need to apply the same fix to `ReplicaPrepare.export_ra_pkcs12` as well.
""" See the full comment at https://github.com/freeipa/freeipa/pull/721#issuecomment-295231831 From freeipa-github-notification at redhat.com Wed Apr 19 11:57:58 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Wed, 19 Apr 2017 13:57:58 +0200 Subject: [Freeipa-devel] [freeipa PR#721][comment] Fix RA cert import during DL0 replication In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/721 Title: #721: Fix RA cert import during DL0 replication stlaz commented: """ Silly me ? """ See the full comment at https://github.com/freeipa/freeipa/pull/721#issuecomment-295238665 From freeipa-github-notification at redhat.com Wed Apr 19 12:00:47 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 19 Apr 2017 14:00:47 +0200 Subject: [Freeipa-devel] [freeipa PR#719][+ack] External CA fixes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/719 Title: #719: External CA fixes Label: +ack From freeipa-github-notification at redhat.com Wed Apr 19 12:01:19 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 19 Apr 2017 14:01:19 +0200 Subject: [Freeipa-devel] [freeipa PR#719][+pushed] External CA fixes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/719 Title: #719: External CA fixes Label: +pushed From freeipa-github-notification at redhat.com Wed Apr 19 12:01:44 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 19 Apr 2017 14:01:44 +0200 Subject: [Freeipa-devel] [freeipa PR#719][comment] External CA fixes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/719 Title: #719: External CA fixes HonzaCholasta commented: """ master: * 25a33ce8b1c77b0d957772143affd7085757bccb server-install: No double Kerberos install * 7b8503173b253860c1059bd40858f2fdffb4ae33 ext. 
CA: correctly write the cert chain ipa-4-5: * 2144eaf25ef1148c9353dfb2680f8811fd8c21aa server-install: No double Kerberos install * a6af0033a4d0af387eebdd6500eb1e74c5c29ce7 ext. CA: correctly write the cert chain """ See the full comment at https://github.com/freeipa/freeipa/pull/719#issuecomment-295239924 From freeipa-github-notification at redhat.com Wed Apr 19 12:02:15 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 19 Apr 2017 14:02:15 +0200 Subject: [Freeipa-devel] [freeipa PR#719][closed] External CA fixes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/719 Author: stlaz Title: #719: External CA fixes Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/719/head:pr719 git checkout pr719 From freeipa-github-notification at redhat.com Wed Apr 19 12:05:05 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Wed, 19 Apr 2017 14:05:05 +0200 Subject: [Freeipa-devel] [freeipa PR#721][synchronized] Fix RA cert import during DL0 replication In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/721 Author: stlaz Title: #721: Fix RA cert import during DL0 replication Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/721/head:pr721 git checkout pr721 -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-pr-721.patch Type: text/x-diff Size: 4977 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Apr 19 12:36:11 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 19 Apr 2017 14:36:11 +0200 Subject: [Freeipa-devel] [freeipa PR#721][+ack] Fix RA cert import during DL0 replication In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/721 Title: #721: Fix RA cert import during DL0 replication Label: +ack From freeipa-github-notification at redhat.com Wed Apr 19 12:37:19 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 19 Apr 2017 14:37:19 +0200 Subject: [Freeipa-devel] [freeipa PR#721][comment] Fix RA cert import during DL0 replication In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/721 Title: #721: Fix RA cert import during DL0 replication HonzaCholasta commented: """ master: * 6f0a622d83ee22ce712a380d1701cb1f383689e4 Fix RA cert import during DL0 replication ipa-4-5: * 3f70baf2a4811e3eee341aee6da99dfa80c092e6 Fix RA cert import during DL0 replication """ See the full comment at https://github.com/freeipa/freeipa/pull/721#issuecomment-295253863 From freeipa-github-notification at redhat.com Wed Apr 19 12:37:22 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 19 Apr 2017 14:37:22 +0200 Subject: [Freeipa-devel] [freeipa PR#721][+pushed] Fix RA cert import during DL0 replication In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/721 Title: #721: Fix RA cert import during DL0 replication Label: +pushed From freeipa-github-notification at redhat.com Wed Apr 19 12:37:26 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 19 Apr 2017 14:37:26 +0200 Subject: [Freeipa-devel] [freeipa PR#721][closed] Fix RA cert import during DL0 replication In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/721 
Author: stlaz Title: #721: Fix RA cert import during DL0 replication Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/721/head:pr721 git checkout pr721 From freeipa-github-notification at redhat.com Wed Apr 19 13:50:07 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Wed, 19 Apr 2017 15:50:07 +0200 Subject: [Freeipa-devel] [freeipa PR#718][comment] configure: fix AC_CHECK_LIB usage In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/718 Title: #718: configure: fix AC_CHECK_LIB usage stlaz commented: """ This patch seems to have fixed the problem, ACK. """ See the full comment at https://github.com/freeipa/freeipa/pull/718#issuecomment-295276975 From freeipa-github-notification at redhat.com Wed Apr 19 13:50:11 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Wed, 19 Apr 2017 15:50:11 +0200 Subject: [Freeipa-devel] [freeipa PR#718][+ack] configure: fix AC_CHECK_LIB usage In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/718 Title: #718: configure: fix AC_CHECK_LIB usage Label: +ack From freeipa-github-notification at redhat.com Wed Apr 19 13:57:13 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 19 Apr 2017 15:57:13 +0200 Subject: [Freeipa-devel] [freeipa PR#718][comment] configure: fix AC_CHECK_LIB usage In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/718 Title: #718: configure: fix AC_CHECK_LIB usage HonzaCholasta commented: """ master: * 4322b57e313105611df39e99097993ba4161ab42 configure: fix AC_CHECK_LIB usage ipa-4-5: * 207864a61a748a9032e67bf0f1782379e44fb5aa configure: fix AC_CHECK_LIB usage """ See the full comment at https://github.com/freeipa/freeipa/pull/718#issuecomment-295279306 From freeipa-github-notification at redhat.com Wed Apr 19 13:57:17 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) 
Date: Wed, 19 Apr 2017 15:57:17 +0200 Subject: [Freeipa-devel] [freeipa PR#718][+pushed] configure: fix AC_CHECK_LIB usage In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/718 Title: #718: configure: fix AC_CHECK_LIB usage Label: +pushed From freeipa-github-notification at redhat.com Wed Apr 19 13:57:20 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 19 Apr 2017 15:57:20 +0200 Subject: [Freeipa-devel] [freeipa PR#718][closed] configure: fix AC_CHECK_LIB usage In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/718 Author: HonzaCholasta Title: #718: configure: fix AC_CHECK_LIB usage Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/718/head:pr718 git checkout pr718 From freeipa-github-notification at redhat.com Wed Apr 19 16:56:35 2017 From: freeipa-github-notification at redhat.com (Akasurde) Date: Wed, 19 Apr 2017 18:56:35 +0200 Subject: [Freeipa-devel] [freeipa PR#590][comment] Validate user input for cert-get-requestdata In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/590 Title: #590: Validate user input for cert-get-requestdata Akasurde commented: """ Bump for review. """ See the full comment at https://github.com/freeipa/freeipa/pull/590#issuecomment-295343818 From freeipa-github-notification at redhat.com Thu Apr 20 07:21:17 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Thu, 20 Apr 2017 09:21:17 +0200 Subject: [Freeipa-devel] [freeipa PR#715][comment] use correct option name In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/715 Title: #715: use correct option name stlaz commented: """ Since the changes here are part of https://github.com/freeipa/freeipa/pull/716, I am going to close this PR. 
""" See the full comment at https://github.com/freeipa/freeipa/pull/715#issuecomment-295607975 From freeipa-github-notification at redhat.com Thu Apr 20 07:21:26 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Thu, 20 Apr 2017 09:21:26 +0200 Subject: [Freeipa-devel] [freeipa PR#715][+rejected] use correct option name In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/715 Title: #715: use correct option name Label: +rejected From freeipa-github-notification at redhat.com Thu Apr 20 07:21:29 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Thu, 20 Apr 2017 09:21:29 +0200 Subject: [Freeipa-devel] [freeipa PR#715][closed] use correct option name In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/715 Author: realsobek Title: #715: use correct option name Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/715/head:pr715 git checkout pr715 From freeipa-github-notification at redhat.com Thu Apr 20 07:43:58 2017 From: freeipa-github-notification at redhat.com (abbra) Date: Thu, 20 Apr 2017 09:43:58 +0200 Subject: [Freeipa-devel] [freeipa PR#694][comment] RFC: implement local PKINIT deployment in server/replica install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/694 Title: #694: RFC: implement local PKINIT deployment in server/replica install abbra commented: """ I read through the code and I believe it addresses all use cases we have been discussing. LGTM. 
""" See the full comment at https://github.com/freeipa/freeipa/pull/694#issuecomment-295613748 From freeipa-github-notification at redhat.com Thu Apr 20 07:44:44 2017 From: freeipa-github-notification at redhat.com (abbra) Date: Thu, 20 Apr 2017 09:44:44 +0200 Subject: [Freeipa-devel] [freeipa PR#694][+ack] RFC: implement local PKINIT deployment in server/replica install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/694 Title: #694: RFC: implement local PKINIT deployment in server/replica install Label: +ack From freeipa-github-notification at redhat.com Thu Apr 20 08:21:51 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Thu, 20 Apr 2017 10:21:51 +0200 Subject: [Freeipa-devel] [freeipa PR#722][opened] Fix server upgrade Message-ID: URL: https://github.com/freeipa/freeipa/pull/722 Author: stlaz Title: #722: Fix server upgrade Action: opened PR body: """ OpenSSL can't cope with empty files, add a newline after each password https://pagure.io/freeipa/issue/6878 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/722/head:pr722 git checkout pr722 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-722.patch Type: text/x-diff Size: 993 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Apr 20 08:41:08 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 20 Apr 2017 10:41:08 +0200 Subject: [Freeipa-devel] [freeipa PR#723][opened] Store GSSAPI session key in /var/run/httpd Message-ID: URL: https://github.com/freeipa/freeipa/pull/723 Author: MartinBasti Title: #723: Store GSSAPI session key in /var/run/httpd Action: opened PR body: """ Runtime data should be stored in /var/run instead of /etc/httpd/alias. This change is also compatible with selinux policy. 
https://pagure.io/freeipa/issue/6880 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/723/head:pr723 git checkout pr723 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-723.patch Type: text/x-diff Size: 1428 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Apr 20 08:59:50 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Thu, 20 Apr 2017 10:59:50 +0200 Subject: [Freeipa-devel] [freeipa PR#723][comment] Store GSSAPI session key in /var/run/httpd In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/723 Title: #723: Store GSSAPI session key in /var/run/httpd HonzaCholasta commented: """ Could we put the mod_auth_gssapi session key in `/var/run/ipa/session.key`? `/var/run/ipa` is where we store IPA-specific stuff, including mod_auth_gssapi ccaches. """ See the full comment at https://github.com/freeipa/freeipa/pull/723#issuecomment-295641802 From freeipa-github-notification at redhat.com Thu Apr 20 09:04:04 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 20 Apr 2017 11:04:04 +0200 Subject: [Freeipa-devel] [freeipa PR#723][comment] Store GSSAPI session key in /var/run/httpd In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/723 Title: #723: Store GSSAPI session key in /var/run/httpd MartinBasti commented: """ Sure """ See the full comment at https://github.com/freeipa/freeipa/pull/723#issuecomment-295643034 From freeipa-github-notification at redhat.com Thu Apr 20 10:11:30 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 20 Apr 2017 12:11:30 +0200 Subject: [Freeipa-devel] [freeipa PR#723][synchronized] Store GSSAPI session key in /var/run/httpd In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/723 Author: MartinBasti Title: #723: Store GSSAPI session 
key in /var/run/httpd Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/723/head:pr723 git checkout pr723 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-723.patch Type: text/x-diff Size: 1416 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Apr 20 10:20:33 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Thu, 20 Apr 2017 12:20:33 +0200 Subject: [Freeipa-devel] [freeipa PR#722][+ack] Fix server upgrade In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/722 Title: #722: Fix server upgrade Label: +ack From freeipa-github-notification at redhat.com Thu Apr 20 10:21:05 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Thu, 20 Apr 2017 12:21:05 +0200 Subject: [Freeipa-devel] [freeipa PR#722][comment] Fix server upgrade In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/722 Title: #722: Fix server upgrade HonzaCholasta commented: """ master: * b38750eaa82025aad56f8eca849f47775b2cbc75 Fix CAInstance.import_ra_cert for empty passwords ipa-4-5: * e3f2878909c1f92a0d92ed2a8ce00c96135e1346 Fix CAInstance.import_ra_cert for empty passwords """ See the full comment at https://github.com/freeipa/freeipa/pull/722#issuecomment-295669731 From freeipa-github-notification at redhat.com Thu Apr 20 10:21:08 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Thu, 20 Apr 2017 12:21:08 +0200 Subject: [Freeipa-devel] [freeipa PR#722][+pushed] Fix server upgrade In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/722 Title: #722: Fix server upgrade Label: +pushed From freeipa-github-notification at redhat.com Thu Apr 20 10:21:12 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Thu, 20 Apr 2017 12:21:12 +0200 Subject: [Freeipa-devel] 
[freeipa PR#722][closed] Fix server upgrade In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/722 Author: stlaz Title: #722: Fix server upgrade Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/722/head:pr722 git checkout pr722 From freeipa-github-notification at redhat.com Thu Apr 20 11:21:38 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Thu, 20 Apr 2017 13:21:38 +0200 Subject: [Freeipa-devel] [freeipa PR#694][comment] RFC: implement local PKINIT deployment in server/replica install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/694 Title: #694: RFC: implement local PKINIT deployment in server/replica install martbab commented: """ @abbra I received an interactive review from @HonzaCholasta today and he is not very keen on idea of having ternary (absent/local/external/full) PKINIT configuration. He suggests to only have it absent/off (local implementation)/on and thus drop differentiation between PKINIT configured with IPA CA issued or 3rd party certificates. The main concern here is that the 'local' PKINIT configuration is actually an implementation detail we should not leak to clients, they should be only able to tell if it is configured for them or not. If you look into the design page, the two states (full/external) behave the same during replica installation and upgrade so the differentiation does not bring much new information to the users. So a simple on/off switch (something like pkinitStatus: off/on) could be enough and it could simplify the transition and UX. What do you think? 
""" See the full comment at https://github.com/freeipa/freeipa/pull/694#issuecomment-295692167 From freeipa-github-notification at redhat.com Thu Apr 20 11:34:10 2017 From: freeipa-github-notification at redhat.com (abbra) Date: Thu, 20 Apr 2017 13:34:10 +0200 Subject: [Freeipa-devel] [freeipa PR#694][comment] RFC: implement local PKINIT deployment in server/replica install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/694 Title: #694: RFC: implement local PKINIT deployment in server/replica install abbra commented: """ I agree that it is internal detail whether we use local pkinit or not. However, we need to know that it is existing as opposed to not existing at all for older systems where we are going to perform upgrades. However, as you can derive this information by presence or lack of actual KDC certificate file in the file system during upgrade, this can be reduced, indeed. One more detail: we already have pkinit plugin (`ipaserver/plugins/pkinit.py`) which has `ipa pkinit-anonymous enable/disable` command. This command cannot now be used because even for 'local' case we require anonymous PKINIT to be usable and this means we cannot disable the principal. Perhaps, you can remove this command and add instead `ipa pkinit-status` command to show the status? It would show list of KDCs and their status.
""" See the full comment at https://github.com/freeipa/freeipa/pull/694#issuecomment-295696911 From freeipa-github-notification at redhat.com Thu Apr 20 12:17:51 2017 From: freeipa-github-notification at redhat.com (redhatrises) Date: Thu, 20 Apr 2017 14:17:51 +0200 Subject: [Freeipa-devel] [freeipa PR#688][comment] Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/688 Title: #688: Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches redhatrises commented: """ Bump for review """ See the full comment at https://github.com/freeipa/freeipa/pull/688#issuecomment-295713616 From freeipa-github-notification at redhat.com Thu Apr 20 12:18:31 2017 From: freeipa-github-notification at redhat.com (redhatrises) Date: Thu, 20 Apr 2017 14:18:31 +0200 Subject: [Freeipa-devel] [freeipa PR#688][comment] Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/688 Title: #688: Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches redhatrises commented: """ Should this also go into the 4.5 branch? 
""" See the full comment at https://github.com/freeipa/freeipa/pull/688#issuecomment-295713837 From freeipa-github-notification at redhat.com Thu Apr 20 12:54:30 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Thu, 20 Apr 2017 14:54:30 +0200 Subject: [Freeipa-devel] [freeipa PR#694][comment] RFC: implement local PKINIT deployment in server/replica install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/694 Title: #694: RFC: implement local PKINIT deployment in server/replica install martbab commented: """ We can query that PKINIT was not configured at all by a) checking the presence of KDC keypair, b) checking the sysupgrade (no presence of pkinit flag implies no configuration is present), and c) querying LDAP (no presence of ipaConfigString) so we have multiple redundant ways to determine that PKINIT is not configured at all. As for the removal of pkinit status, I intend to replace the existing command by `ipa pkinit-status` as a follow-up PR once this one is merged. I will then update the design page to reflect this discussion and update the implementation in this PR. """ See the full comment at https://github.com/freeipa/freeipa/pull/694#issuecomment-295727092 From freeipa-github-notification at redhat.com Thu Apr 20 13:08:03 2017 From: freeipa-github-notification at redhat.com (abbra) Date: Thu, 20 Apr 2017 15:08:03 +0200 Subject: [Freeipa-devel] [freeipa PR#694][comment] RFC: implement local PKINIT deployment in server/replica install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/694 Title: #694: RFC: implement local PKINIT deployment in server/replica install abbra commented: """ Yep. Then this PR can be merged once you removed distinction external/full. 
""" See the full comment at https://github.com/freeipa/freeipa/pull/694#issuecomment-295731813 From freeipa-github-notification at redhat.com Thu Apr 20 14:12:08 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Thu, 20 Apr 2017 16:12:08 +0200 Subject: [Freeipa-devel] [freeipa PR#679][edited] Make sure remote hosts have our keys In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/679 Author: simo5 Title: #679: Make sure remote hosts have our keys Action: edited Changed field: body Original value: """ In complex replication setups a replica may try to obtain CA keys from a host that is not the master we initially create the keys against. In this case race conditions may happen due to replication. So we need to make sure the server we are contacting to get the CA keys has our keys in LDAP. We do this by waiting to positively fetch our encryption public key (the last one we create) from the target host LDAP server. Fixes: https://pagure.io/freeipa/issue/6688 Signed-off-by: Simo Sorce """ From freeipa-github-notification at redhat.com Thu Apr 20 15:30:11 2017 From: freeipa-github-notification at redhat.com (flo-renaud) Date: Thu, 20 Apr 2017 17:30:11 +0200 Subject: [Freeipa-devel] [freeipa PR#724][opened] upgrade: adtrust update_tdo_gidnumber plugin must check if adtrust is… Message-ID: URL: https://github.com/freeipa/freeipa/pull/724 Author: flo-renaud Title: #724: upgrade: adtrust update_tdo_gidnumber plugin must check if adtrust is… Action: opened PR body: """ … installed During upgrade, the plugin update_tdo_gidnumber is launched in order to add a gidnumber to the Trusted Domain Object. This plugin should not be run when ad trust is not installed, otherwise an error message is displayed.
https://pagure.io/freeipa/issue/6881 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/724/head:pr724 git checkout pr724 From pvoborni at redhat.com Thu Apr 20 16:06:27 2017 From: pvoborni at redhat.com (Petr Vobornik) Date: Thu, 20 Apr 2017 18:06:27 +0200 Subject: [Freeipa-devel] Pagure issue template Message-ID: <2283c9ea-f838-adb3-050e-86a0219af59a@redhat.com> Hi all, I'd like to improve quality of bug reports and RFEs. A possibility I see is to create an issue template [1]. What do you think of the following template? Should we use it? """" ### Request for enhancement As , I want so that . ### Bug #### What doesn't work (what was the goal) #### Steps to Reproduce #### Actual results #### Expected results #### Version/Release/Distribution $ rpm -q freeipa-server ipa-server 389-ds-base pki-ca krb5-server #### Additional info: """" [1] https://docs.pagure.org/pagure/usage/ticket_templates.html -- Petr Vobornik From freeipa-github-notification at redhat.com Thu Apr 20 18:50:45 2017 From: freeipa-github-notification at redhat.com (abbra) Date: Thu, 20 Apr 2017 20:50:45 +0200 Subject: [Freeipa-devel] [freeipa PR#724][comment] upgrade: adtrust update_tdo_gidnumber plugin must check if adtrust is… In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/724 Title: #724: upgrade: adtrust update_tdo_gidnumber plugin must check if adtrust is…
abbra commented: """ LGTM """ See the full comment at https://github.com/freeipa/freeipa/pull/724#issuecomment-295855495 From freeipa-github-notification at redhat.com Thu Apr 20 18:50:55 2017 From: freeipa-github-notification at redhat.com (abbra) Date: Thu, 20 Apr 2017 20:50:55 +0200 Subject: [Freeipa-devel] [freeipa PR#724][+ack] upgrade: adtrust update_tdo_gidnumber plugin must check if adtrust is… In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/724 Title: #724: upgrade: adtrust update_tdo_gidnumber plugin must check if adtrust is… Label: +ack From abokovoy at redhat.com Thu Apr 20 18:52:59 2017 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Thu, 20 Apr 2017 21:52:59 +0300 Subject: [Freeipa-devel] [freeipa PR#724][opened] upgrade: adtrust update_tdo_gidnumber plugin must check if adtrust is… In-Reply-To: References: Message-ID: <20170420185239.vh3mxmkeezb3nkny@redhat.com> On Thu, 20 Apr 2017, flo-renaud wrote: > URL: https://github.com/freeipa/freeipa/pull/724 >Author: flo-renaud > Title: #724: upgrade: adtrust update_tdo_gidnumber plugin must check if adtrust is… >Action: opened > >PR body: >""" >… installed > >During upgrade, the plugin update_tdo_gidnumber is launched in order to >add a gidnumber to the Trusted Domain Object. >This plugin should not be run when ad trust is not installed, otherwise an >error message is displayed. > >https://pagure.io/freeipa/issue/6881 >""" > >To pull the PR as Git branch: >git remote add ghfreeipa https://github.com/freeipa/freeipa >git fetch ghfreeipa pull/724/head:pr724 >git checkout pr724 I acked this PR on github but it looks like email hook is broken. There was no patch attached to this email.
-- / Alexander Bokovoy From freeipa-github-notification at redhat.com Fri Apr 21 04:37:37 2017 From: freeipa-github-notification at redhat.com (Akasurde) Date: Fri, 21 Apr 2017 06:37:37 +0200 Subject: [Freeipa-devel] [freeipa PR#725][opened] Fix certificate_out check in CertRetrieveOverride Message-ID: URL: https://github.com/freeipa/freeipa/pull/725 Author: Akasurde Title: #725: Fix certificate_out check in CertRetrieveOverride Action: opened PR body: """ Fixes: https://pagure.io/freeipa/issue/6885 Signed-off-by: Abhijeet Kasurde """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/725/head:pr725 git checkout pr725 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-725.patch Type: text/x-diff Size: 969 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Apr 21 04:43:16 2017 From: freeipa-github-notification at redhat.com (Akasurde) Date: Fri, 21 Apr 2017 06:43:16 +0200 Subject: [Freeipa-devel] [freeipa PR#726][opened] Add check for directory name Message-ID: URL: https://github.com/freeipa/freeipa/pull/726 Author: Akasurde Title: #726: Add check for directory name Action: opened PR body: """ Fix adds check to verify if user provided input is not a directory when filename is required. Fixes: https://pagure.io/freeipa/issue/6883 Signed-off-by: Abhijeet Kasurde """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/726/head:pr726 git checkout pr726 -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-pr-726.patch Type: text/x-diff Size: 992 bytes Desc: not available URL: From akasurde at redhat.com Fri Apr 21 06:12:33 2017 From: akasurde at redhat.com (Abhijeet Kasurde) Date: Fri, 21 Apr 2017 11:42:33 +0530 Subject: [Freeipa-devel] Pagure issue template In-Reply-To: <2283c9ea-f838-adb3-050e-86a0219af59a@redhat.com> References: <2283c9ea-f838-adb3-050e-86a0219af59a@redhat.com> Message-ID: <38899fa2-21be-0162-5da2-75ca8e81a20b@redhat.com> +1 On 20/04/17 9:36 PM, Petr Vobornik wrote: > Hi all, > > I'd like to improve quality of bug reports and RFEs. > > A possibility I see is to create an issue template [1]. > > What do you think of the following template? Should we use it? > > """" > ### Request for enhancement > As , I want so that . > > ### Bug > #### What doesn't work (what was the goal) > > #### Steps to Reproduce > > #### Actual results > > #### Expected results > > #### Version/Release/Distribution > $ rpm -q freeipa-server ipa-server 389-ds-base pki-ca krb5-server > > #### Additional info: > > """" > 1. Can we add pre-defined set of components in title? For example, [CERT] some_cert_related bug description [installer] some installer related bug description 2. Also, having a bot in place which will enforce or at least suggest reporter to modify bug report. > [1] https://docs.pagure.org/pagure/usage/ticket_templates.html -- Abhijeet Kasurde Red Hat Identity management, RHCSA, Red Hat APAC akasurde at redhat.com www.redhat.com | TRIED. TESTED. TRUSTED.
| redhat.com/trusted From slaznick at redhat.com Fri Apr 21 06:49:04 2017 From: slaznick at redhat.com (Standa Laznicka) Date: Fri, 21 Apr 2017 08:49:04 +0200 Subject: [Freeipa-devel] Pagure issue template In-Reply-To: <38899fa2-21be-0162-5da2-75ca8e81a20b@redhat.com> References: <2283c9ea-f838-adb3-050e-86a0219af59a@redhat.com> <38899fa2-21be-0162-5da2-75ca8e81a20b@redhat.com> Message-ID: <0a29f331-d65b-c688-ea3f-51f2f8e69e11@redhat.com> On 04/21/2017 08:12 AM, Abhijeet Kasurde wrote: > +1 > > On 20/04/17 9:36 PM, Petr Vobornik wrote: >> Hi all, >> >> I'd like to improve quality of bug reports and RFEs. >> >> A possibility I see is to create an issue template [1]. Sounds like a good idea! Please see my comments. >> >> What do you think of the following template? Should we use it? >> >> """" >> ### Request for enhancement >> As , I want so that . This sounds very labored. How about using: "I am a and I want ..." >> >> ### Bug >> #### What doesn't work (what was the goal) "What's not working" proposes the situation will change and sounds better IMO >> >> >> #### Steps to Reproduce >> >> #### Actual results >> >> #### Expected results >> >> #### Version/Release/Distribution >> $ rpm -q freeipa-server ipa-server 389-ds-base pki-ca krb5-server >> >> #### Additional info: >> >> """" >> > > 1. Can we add pre-defined set of components in title? For example, > > [CERT] some_cert_related bug description > [installer] some installer related bug description This is what Pagure has tags for. But you're right we might be missing some, although "CERT" is probably not a good example, installer is. On the other hand, "userstory" is a tag I will myself never use on purpose. > > 2. Also, having a bot in place which will enforce or at least suggest > reporter to modify bug report. > >> [1] https://docs.pagure.org/pagure/usage/ticket_templates.html > My hope is that the issue template should do itself.
For the record, I love the way Atom guides you through their issue creation: https://github.com/atom/atom/issues/new. From mbasti at redhat.com Fri Apr 21 06:49:45 2017 From: mbasti at redhat.com (Martin Bašti) Date: Fri, 21 Apr 2017 08:49:45 +0200 Subject: [Freeipa-devel] [freeipa PR#724][opened] upgrade: adtrust update_tdo_gidnumber plugin must check if adtrust is… In-Reply-To: <20170420185239.vh3mxmkeezb3nkny@redhat.com> References: <20170420185239.vh3mxmkeezb3nkny@redhat.com> Message-ID: On 20.04.2017 20:52, Alexander Bokovoy wrote: > On Thu, 20 Apr 2017, flo-renaud wrote: >> URL: https://github.com/freeipa/freeipa/pull/724 >> Author: flo-renaud >> Title: #724: upgrade: adtrust update_tdo_gidnumber plugin must check >> if adtrust is… >> Action: opened >> >> PR body: >> """ >> … installed >> >> During upgrade, the plugin update_tdo_gidnumber is launched in order to >> add a gidnumber to the Trusted Domain Object. >> This plugin should not be run when ad trust is not installed, >> otherwise an >> error message is displayed. >> >> https://pagure.io/freeipa/issue/6881 >> """ >> >> To pull the PR as Git branch: >> git remote add ghfreeipa https://github.com/freeipa/freeipa >> git fetch ghfreeipa pull/724/head:pr724 >> git checkout pr724 > > I acked this PR on github but it looks like email hook is broken. There > was no patch attached to this email. > Thanks for reporting this, it was just temporal issue, github returned 404 instead of patch, but so far I don't see more errors in logs than this particular one for #724 [freeipagithubconsumer ERROR]: Cannot download patch: https://github.com/freeipa/freeipa/pull/724.patch ...
HTTPError: HTTP Error 404: Not Found -- Martin Bašti Software Engineer Red Hat Czech From freeipa-github-notification at redhat.com Fri Apr 21 07:51:53 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Fri, 21 Apr 2017 09:51:53 +0200 Subject: [Freeipa-devel] [freeipa PR#711][synchronized] Move the compat plugin setup at the end of install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/711 Author: stlaz Title: #711: Move the compat plugin setup at the end of install Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/711/head:pr711 git checkout pr711 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-711.patch Type: text/x-diff Size: 41979 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Apr 21 07:56:41 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Fri, 21 Apr 2017 09:56:41 +0200 Subject: [Freeipa-devel] [freeipa PR#711][edited] Compat-plugin related fixes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/711 Author: stlaz Title: #711: Compat-plugin related fixes Action: edited Changed field: title Original value: """ Move the compat plugin setup at the end of install """ From freeipa-github-notification at redhat.com Fri Apr 21 07:58:19 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Fri, 21 Apr 2017 09:58:19 +0200 Subject: [Freeipa-devel] [freeipa PR#711][comment] Compat-plugin related fixes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/711 Title: #711: Compat-plugin related fixes stlaz commented: """ The latest patchset fixes also problems with ipa-compat-manage which would behave differently for root/other-users (check the commit message), and updates the link to slapi-nis project in the compat plugin update file to the correct one.
""" See the full comment at https://github.com/freeipa/freeipa/pull/711#issuecomment-296116091 From pvoborni at redhat.com Fri Apr 21 08:17:54 2017 From: pvoborni at redhat.com (Petr Vobornik) Date: Fri, 21 Apr 2017 10:17:54 +0200 Subject: [Freeipa-devel] Pagure issue template In-Reply-To: <0a29f331-d65b-c688-ea3f-51f2f8e69e11@redhat.com> References: <2283c9ea-f838-adb3-050e-86a0219af59a@redhat.com> <38899fa2-21be-0162-5da2-75ca8e81a20b@redhat.com> <0a29f331-d65b-c688-ea3f-51f2f8e69e11@redhat.com> Message-ID: <049b5fec-f70f-8fed-72e7-e127ff61dfec@redhat.com> On 04/21/2017 08:49 AM, Standa Laznicka wrote: > On 04/21/2017 08:12 AM, Abhijeet Kasurde wrote: >> +1 >> >> On 20/04/17 9:36 PM, Petr Vobornik wrote: >>> Hi all, >>> >>> I'd like to improve quality of bug reports and RFEs. >>> >>> A possibility I see is to create an issue template [1]. > Sounds like a good idea! Please see my comments. >>> >>> What do you think of the following template? Should we use it? >>> >>> """" >>> ### Request for enhancement >>> As , I want so that . > This sounds very labored. How about using: > "I am a and I want ..." >>> >>> ### Bug >>> #### What doesn't work (what was the goal) > "What's not working" proposes the situation will change and > sounds better IMO >>> I took some inspiration from the Atom template. But tried to keep it shorter. As a bonus I added a link where people can find log files and a link to troubleshooting page. New one: """ ### Request for enhancement As , I want so that . ### Issue [description of the issue] #### Steps to Reproduce 1. 2. 3. #### Actual behavior (what happens) #### Expected behavior (what do you expect to happen) #### Version/Release/Distribution $ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server #### Additional info: Any additional information, configuration, data or log snippets that is needed for reproduction or investigation of the issue.
Log file locations: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/config-files-logs.html Troubleshooting guide: https://www.freeipa.org/page/Troubleshooting """ >>> >> >> 1. Can we add pre-defined set of components in title? For example, I don't know if it is possible. Probably not. >> >> [CERT] some_cert_related bug description >> [installer] some installer related bug description > This is what Pagure has tags for. But you're right we might be missing > some, although "CERT" is probably not a good example, installer is. On > the other hand, "userstory" is a tag I will myself never use on purpose. >> >> 2. Also, having a bot in place which will enforce or at least suggest >> reporter to modify bug report. Could you elaborate? >> >>> [1] https://docs.pagure.org/pagure/usage/ticket_templates.html >> > My hope is that the issue template should do itself. > > For the record, I love the way Atom guides you through their issue > creation: https://github.com/atom/atom/issues/new. > -- Petr Vobornik Associate Manager, Engineering, Identity Management Red Hat From freeipa-github-notification at redhat.com Fri Apr 21 08:34:05 2017 From: freeipa-github-notification at redhat.com (Akasurde) Date: Fri, 21 Apr 2017 10:34:05 +0200 Subject: [Freeipa-devel] [freeipa PR#726][synchronized] Add check for directory name In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/726 Author: Akasurde Title: #726: Add check for directory name Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/726/head:pr726 git checkout pr726 -------------- next part -------------- A non-text attachment was scrubbed...
Name: freeipa-pr-726.patch Type: text/x-diff Size: 1014 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Apr 21 10:33:46 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Fri, 21 Apr 2017 12:33:46 +0200 Subject: [Freeipa-devel] [freeipa PR#711][synchronized] Compat-plugin related fixes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/711 Author: stlaz Title: #711: Compat-plugin related fixes Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/711/head:pr711 git checkout pr711 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-711.patch Type: text/x-diff Size: 42296 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Apr 21 12:06:36 2017 From: freeipa-github-notification at redhat.com (Akasurde) Date: Fri, 21 Apr 2017 14:06:36 +0200 Subject: [Freeipa-devel] [freeipa PR#726][synchronized] Add check for directory name In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/726 Author: Akasurde Title: #726: Add check for directory name Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/726/head:pr726 git checkout pr726 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-726.patch Type: text/x-diff Size: 1015 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Apr 21 12:39:13 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Fri, 21 Apr 2017 14:39:13 +0200 Subject: [Freeipa-devel] [freeipa PR#723][comment] Store GSSAPI session key in /var/run/httpd In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/723 Title: #723: Store GSSAPI session key in /var/run/httpd tomaskrizek commented: """ Functional ACK. 
There was a concern in the ticket's discussion about reboots - are we going to handle them? """ See the full comment at https://github.com/freeipa/freeipa/pull/723#issuecomment-296179626 From freeipa-github-notification at redhat.com Sun Apr 23 18:12:18 2017 From: freeipa-github-notification at redhat.com (realsobek) Date: Sun, 23 Apr 2017 20:12:18 +0200 Subject: [Freeipa-devel] [freeipa PR#714][synchronized] fix minor typo in ipa-adtrust-install.1 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/714 Author: realsobek Title: #714: fix minor typo in ipa-adtrust-install.1 Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/714/head:pr714 git checkout pr714 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-714.patch Type: text/x-diff Size: 2129 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Sun Apr 23 18:47:26 2017 From: freeipa-github-notification at redhat.com (realsobek) Date: Sun, 23 Apr 2017 20:47:26 +0200 Subject: [Freeipa-devel] [freeipa PR#714][comment] fix minor typo in ipa-adtrust-install.1 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/714 Title: #714: fix minor typo in ipa-adtrust-install.1 realsobek commented: """ fix has been added """ See the full comment at https://github.com/freeipa/freeipa/pull/714#issuecomment-296477544 From freeipa-github-notification at redhat.com Sun Apr 23 19:45:52 2017 From: freeipa-github-notification at redhat.com (realsobek) Date: Sun, 23 Apr 2017 21:45:52 +0200 Subject: [Freeipa-devel] [freeipa PR#716][synchronized] Fix minor typos In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/716 Author: realsobek Title: #716: Fix minor typos Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa 
pull/716/head:pr716 git checkout pr716 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-716.patch Type: text/x-diff Size: 51287 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Sun Apr 23 21:34:15 2017 From: freeipa-github-notification at redhat.com (realsobek) Date: Sun, 23 Apr 2017 23:34:15 +0200 Subject: [Freeipa-devel] [freeipa PR#716][synchronized] Fix minor typos In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/716 Author: realsobek Title: #716: Fix minor typos Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/716/head:pr716 git checkout pr716 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-716.patch Type: text/x-diff Size: 54646 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Sun Apr 23 21:51:50 2017 From: freeipa-github-notification at redhat.com (realsobek) Date: Sun, 23 Apr 2017 23:51:50 +0200 Subject: [Freeipa-devel] [freeipa PR#716][comment] Fix minor typos In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/716 Title: #716: Fix minor typos realsobek commented: """ I cannot get rid of commit cb4250a to normalize `From:`. Hence I am going to close this PR soon. Afterwards I will create a new branch in my fork, copy all changes (excluding changes to PO files) to it and open a new PR. 
""" See the full comment at https://github.com/freeipa/freeipa/pull/716#issuecomment-296491394 From freeipa-github-notification at redhat.com Mon Apr 24 05:57:11 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Mon, 24 Apr 2017 07:57:11 +0200 Subject: [Freeipa-devel] [freeipa PR#714][comment] fix minor typo in ipa-adtrust-install.1 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/714 Title: #714: fix minor typo in ipa-adtrust-install.1 stlaz commented: """ Thanks, ACK. """ See the full comment at https://github.com/freeipa/freeipa/pull/714#issuecomment-296531049 From freeipa-github-notification at redhat.com Mon Apr 24 05:57:18 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Mon, 24 Apr 2017 07:57:18 +0200 Subject: [Freeipa-devel] [freeipa PR#714][+ack] fix minor typo in ipa-adtrust-install.1 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/714 Title: #714: fix minor typo in ipa-adtrust-install.1 Label: +ack From freeipa-github-notification at redhat.com Mon Apr 24 06:00:04 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Mon, 24 Apr 2017 08:00:04 +0200 Subject: [Freeipa-devel] [freeipa PR#716][comment] Fix minor typos In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/716 Title: #716: Fix minor typos stlaz commented: """ Please, see what `git rebase -i master` will do for you. """ See the full comment at https://github.com/freeipa/freeipa/pull/716#issuecomment-296531382 From freeipa-github-notification at redhat.com Mon Apr 24 06:00:47 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Mon, 24 Apr 2017 08:00:47 +0200 Subject: [Freeipa-devel] [freeipa PR#716][comment] Fix minor typos In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/716 Title: #716: Fix minor typos stlaz commented: """ Please, see what `git rebase -i master` will do for you. 
""" See the full comment at https://github.com/freeipa/freeipa/pull/716#issuecomment-296531382 From freeipa-github-notification at redhat.com Mon Apr 24 06:05:07 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Mon, 24 Apr 2017 08:05:07 +0200 Subject: [Freeipa-devel] [freeipa PR#716][comment] Fix minor typos In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/716 Title: #716: Fix minor typos stlaz commented: """ Please, see what `git rebase -i master` will do for you, along with `git commit --amend --author="Author Name "`. """ See the full comment at https://github.com/freeipa/freeipa/pull/716#issuecomment-296531382 From freeipa-github-notification at redhat.com Mon Apr 24 06:05:23 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Mon, 24 Apr 2017 08:05:23 +0200 Subject: [Freeipa-devel] [freeipa PR#716][comment] Fix minor typos In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/716 Title: #716: Fix minor typos stlaz commented: """ Please, see what `git rebase -i master` will do for you, along with `git commit --amend --author="Author Name "`. **edit:** I see a lot of confusion in your commits in this PR, some commits appear multiple times, there are revert and merge commits and that makes this PR simply unmergeable.
Please note that you don't have to make a new PR, but you can make a new local branch with the changes you want and simply do `git push newbranch:fix-minor-typos` """ See the full comment at https://github.com/freeipa/freeipa/pull/716#issuecomment-296531382 From freeipa-github-notification at redhat.com Mon Apr 24 06:52:11 2017 From: freeipa-github-notification at redhat.com (alex-zel) Date: Mon, 24 Apr 2017 08:52:11 +0200 Subject: [Freeipa-devel] [freeipa PR#689][synchronized] Sort SRV records by priority In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/689 Author: alex-zel Title: #689: Sort SRV records by priority Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/689/head:pr689 git checkout pr689 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-689.patch Type: text/x-diff Size: 4172 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Apr 24 08:21:04 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Mon, 24 Apr 2017 10:21:04 +0200 Subject: [Freeipa-devel] [freeipa PR#726][comment] Add check for directory name In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/726 Title: #726: Add check for directory name tiran commented: """ What about other types that might cause trouble, e.g. socket, fifo, device files, dangling symlinks?
""" See the full comment at https://github.com/freeipa/freeipa/pull/726#issuecomment-296572324 From freeipa-github-notification at redhat.com Mon Apr 24 08:23:51 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Mon, 24 Apr 2017 10:23:51 +0200 Subject: [Freeipa-devel] [freeipa PR#714][-ack] fix minor typo in ipa-adtrust-install.1 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/714 Title: #714: fix minor typo in ipa-adtrust-install.1 Label: -ack From freeipa-github-notification at redhat.com Mon Apr 24 08:24:46 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Mon, 24 Apr 2017 10:24:46 +0200 Subject: [Freeipa-devel] [freeipa PR#714][comment] fix minor typo in ipa-adtrust-install.1 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/714 Title: #714: fix minor typo in ipa-adtrust-install.1 stlaz commented: """ Ah, I did not notice you made a second commit for this. Please, squash them. """ See the full comment at https://github.com/freeipa/freeipa/pull/714#issuecomment-296573574 From freeipa-github-notification at redhat.com Mon Apr 24 08:43:14 2017 From: freeipa-github-notification at redhat.com (Akasurde) Date: Mon, 24 Apr 2017 10:43:14 +0200 Subject: [Freeipa-devel] [freeipa PR#726][comment] Add check for directory name In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/726 Title: #726: Add check for directory name Akasurde commented: """ @tiran Do you think we should allow only files here?
""" See the full comment at https://github.com/freeipa/freeipa/pull/726#issuecomment-296579941 From freeipa-github-notification at redhat.com Mon Apr 24 08:49:59 2017 From: freeipa-github-notification at redhat.com (Akasurde) Date: Mon, 24 Apr 2017 10:49:59 +0200 Subject: [Freeipa-devel] [freeipa PR#726][synchronized] Add check for directory name In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/726 Author: Akasurde Title: #726: Add check for directory name Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/726/head:pr726 git checkout pr726 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-726.patch Type: text/x-diff Size: 1029 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Apr 24 09:19:57 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Mon, 24 Apr 2017 11:19:57 +0200 Subject: [Freeipa-devel] [freeipa PR#727][opened] Regenerate ASN.1 code with asn1c 0.9.28 Message-ID: URL: https://github.com/freeipa/freeipa/pull/727 Author: tiran Title: #727: Regenerate ASN.1 code with asn1c 0.9.28 Action: opened PR body: """ Regenerate ASN.1 code with asn1c 0.9.28 https://pagure.io/freeipa/issue/6818 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/727/head:pr727 git checkout pr727 -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-pr-727.patch Type: text/x-diff Size: 100757 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Apr 24 09:54:59 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Mon, 24 Apr 2017 11:54:59 +0200 Subject: [Freeipa-devel] [freeipa PR#712][+ack] WebUI: Coverity fixes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/712 Title: #712: WebUI: Coverity fixes Label: +ack From freeipa-github-notification at redhat.com Mon Apr 24 10:27:19 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Mon, 24 Apr 2017 12:27:19 +0200 Subject: [Freeipa-devel] [freeipa PR#694][synchronized] RFC: implement local PKINIT deployment in server/replica install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/694 Author: martbab Title: #694: RFC: implement local PKINIT deployment in server/replica install Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/694/head:pr694 git checkout pr694 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-694.patch Type: text/x-diff Size: 26589 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Apr 24 10:37:27 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Mon, 24 Apr 2017 12:37:27 +0200 Subject: [Freeipa-devel] [freeipa PR#694][comment] RFC: implement local PKINIT deployment in server/replica install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/694 Title: #694: RFC: implement local PKINIT deployment in server/replica install martbab commented: """ I have rewritten the PKINIT state reporting code as agreed with @abbra and also re-factored the installation/upgrade logic. @HonzaCholasta also requested to remove the local PKINIT check completely and have a test suite for that. 
On the one hand I tend to agree, on the other I would keep the check there for now until the password authentication test is implemented. Then remove the checks once we have coverage for it. """ See the full comment at https://github.com/freeipa/freeipa/pull/694#issuecomment-296613316 From bind-dyndb-ldap-github-notification at redhat.com Mon Apr 24 10:48:42 2017 From: bind-dyndb-ldap-github-notification at redhat.com (MartinBasti) Date: Mon, 24 Apr 2017 12:48:42 +0200 Subject: [Freeipa-devel] [bind-dyndb-ldap PR#17][comment] settings: skip unconfigured values In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/bind-dyndb-ldap/pull/17 Title: #17: settings: skip unconfigured values MartinBasti commented: """ LGTM """ See the full comment at https://github.com/freeipa/bind-dyndb-ldap/pull/17#issuecomment-296617030 From freeipa-github-notification at redhat.com Mon Apr 24 10:52:36 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Mon, 24 Apr 2017 12:52:36 +0200 Subject: [Freeipa-devel] [freeipa PR#724][+pushed] upgrade: adtrust update_tdo_gidnumber plugin must check if adtrust is… In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/724 Title: #724: upgrade: adtrust update_tdo_gidnumber plugin must check if adtrust is… Label: +pushed From freeipa-github-notification at redhat.com Mon Apr 24 10:52:39 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Mon, 24 Apr 2017 12:52:39 +0200 Subject: [Freeipa-devel] [freeipa PR#724][comment] upgrade: adtrust update_tdo_gidnumber plugin must check if adtrust is… In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/724 Title: #724: upgrade: adtrust update_tdo_gidnumber plugin must check if adtrust is…
MartinBasti commented: """ master: * 434d9e539d24fe0110c5d6bf4a4342daf40d15d5 upgrade: adtrust update_tdo_gidnumber plugin must check if adtrust is installed ipa-4-5: * c05bd60585fb80e061b8582a648a65204c709f51 upgrade: adtrust update_tdo_gidnumber plugin must check if adtrust is installed """ See the full comment at https://github.com/freeipa/freeipa/pull/724#issuecomment-296617979 From freeipa-github-notification at redhat.com Mon Apr 24 10:52:40 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Mon, 24 Apr 2017 12:52:40 +0200 Subject: [Freeipa-devel] [freeipa PR#724][closed] upgrade: adtrust update_tdo_gidnumber plugin must check if adtrust is… In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/724 Author: flo-renaud Title: #724: upgrade: adtrust update_tdo_gidnumber plugin must check if adtrust is… Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/724/head:pr724 git checkout pr724 From freeipa-github-notification at redhat.com Mon Apr 24 11:19:12 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Mon, 24 Apr 2017 13:19:12 +0200 Subject: [Freeipa-devel] [freeipa PR#720][comment] tox: use pylint 1.6.x for now In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/720 Title: #720: tox: use pylint 1.6.x for now MartinBasti commented: """ pylint and pylint3 targets are failing ``` MAKEFLAGS= /tmp/freeipa/.tox/pylint2/bin/python -m pip wheel \ --disable-pip-version-check \ --constraint .wheelconstraints \ --find-links ./dist/wheels \ --find-links ./dist/bundle \ --wheel-dir ./dist/bundle \ ipaclient ipalib ipapython ipaclient ipapython[certmonger] pylint < 1.7 /bin/sh: 1.7: No such file or directory Makefile:1249: recipe for target 'wheel_bundle' failed make: *** [wheel_bundle] Error 1 make: Leaving directory '/tmp/freeipa' ```
""" See the full comment at https://github.com/freeipa/freeipa/pull/720#issuecomment-296624447 From freeipa-github-notification at redhat.com Mon Apr 24 11:26:30 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Mon, 24 Apr 2017 13:26:30 +0200 Subject: [Freeipa-devel] [freeipa PR#720][synchronized] tox: use pylint 1.6.x for now In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/720 Author: tiran Title: #720: tox: use pylint 1.6.x for now Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/720/head:pr720 git checkout pr720 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-720.patch Type: text/x-diff Size: 764 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Apr 24 14:20:07 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Mon, 24 Apr 2017 16:20:07 +0200 Subject: [Freeipa-devel] [freeipa PR#720][+ack] tox: use pylint 1.6.x for now In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/720 Title: #720: tox: use pylint 1.6.x for now Label: +ack From freeipa-github-notification at redhat.com Mon Apr 24 15:00:54 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Mon, 24 Apr 2017 17:00:54 +0200 Subject: [Freeipa-devel] [freeipa PR#711][+ack] Compat-plugin related fixes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/711 Title: #711: Compat-plugin related fixes Label: +ack From freeipa-github-notification at redhat.com Mon Apr 24 15:07:11 2017 From: freeipa-github-notification at redhat.com (simo5) Date: Mon, 24 Apr 2017 17:07:11 +0200 Subject: [Freeipa-devel] [freeipa PR#727][+ack] Regenerate ASN.1 code with asn1c 0.9.28 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/727 Title: #727: Regenerate ASN.1 code with asn1c 0.9.28 
Label: +ack From freeipa-github-notification at redhat.com Mon Apr 24 15:09:27 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Mon, 24 Apr 2017 17:09:27 +0200 Subject: [Freeipa-devel] [freeipa PR#727][+pushed] Regenerate ASN.1 code with asn1c 0.9.28 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/727 Title: #727: Regenerate ASN.1 code with asn1c 0.9.28 Label: +pushed From freeipa-github-notification at redhat.com Mon Apr 24 15:09:30 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Mon, 24 Apr 2017 17:09:30 +0200 Subject: [Freeipa-devel] [freeipa PR#727][comment] Regenerate ASN.1 code with asn1c 0.9.28 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/727 Title: #727: Regenerate ASN.1 code with asn1c 0.9.28 MartinBasti commented: """ master: * ad0843047779b55848425eaba0385034d6893446 Regenerate ASN.1 code with asn1c 0.9.28 * 9b443b908fe6fb9c11f9b76552bf4fef2c3b2be5 Replace _BSD_SOURCE with _DEFAULT_SOURCE """ See the full comment at https://github.com/freeipa/freeipa/pull/727#issuecomment-296699132 From freeipa-github-notification at redhat.com Mon Apr 24 15:09:32 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Mon, 24 Apr 2017 17:09:32 +0200 Subject: [Freeipa-devel] [freeipa PR#727][closed] Regenerate ASN.1 code with asn1c 0.9.28 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/727 Author: tiran Title: #727: Regenerate ASN.1 code with asn1c 0.9.28 Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/727/head:pr727 git checkout pr727 From freeipa-github-notification at redhat.com Mon Apr 24 15:13:08 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Mon, 24 Apr 2017 17:13:08 +0200 Subject: [Freeipa-devel] [freeipa PR#711][+pushed] Compat-plugin related fixes In-Reply-To: References: Message-ID: URL: 
https://github.com/freeipa/freeipa/pull/711 Title: #711: Compat-plugin related fixes Label: +pushed From freeipa-github-notification at redhat.com Mon Apr 24 15:13:13 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Mon, 24 Apr 2017 17:13:13 +0200 Subject: [Freeipa-devel] [freeipa PR#711][comment] Compat-plugin related fixes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/711 Title: #711: Compat-plugin related fixes MartinBasti commented: """ master: * 0c0af8cf7adf61ef03ba1240ecbdecef7fa15275 compat-manage: behave the same for all users * ddbbb1c58e8a4fec8129e7d1e941c54660af6a69 Move the compat plugin setup at the end of install * 645615958d4b0f9e6dd8a5ff2541952abb588d55 compat: ignore cn=topology,cn=ipa,cn=etc subtree * 68c8ddf1871efe7ef78ce153573d522aefecfdfa compat plugin: Update link to slapi-nis project ipa-4-5: * 4fa7718c6ad03a7cf534313d5c50d78d4863fe6e compat-manage: behave the same for all users * 7364c1360c4e2271667f3a08d8d504b3cd813e2f Move the compat plugin setup at the end of install * e691877c24e722d4fc91fed34cd31cc102879c1a compat: ignore cn=topology,cn=ipa,cn=etc subtree * efe096040aefdeea37afcf2671506982d8522f47 compat plugin: Update link to slapi-nis project """ See the full comment at https://github.com/freeipa/freeipa/pull/711#issuecomment-296700686 From freeipa-github-notification at redhat.com Mon Apr 24 15:13:14 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Mon, 24 Apr 2017 17:13:14 +0200 Subject: [Freeipa-devel] [freeipa PR#711][closed] Compat-plugin related fixes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/711 Author: stlaz Title: #711: Compat-plugin related fixes Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/711/head:pr711 git checkout pr711 From freeipa-github-notification at redhat.com Mon Apr 24 15:39:29 2017 From: 
freeipa-github-notification at redhat.com (HonzaCholasta) Date: Mon, 24 Apr 2017 17:39:29 +0200 Subject: [Freeipa-devel] [freeipa PR#728][opened] ipa-cacert-manage: add --external-ca-type Message-ID: URL: https://github.com/freeipa/freeipa/pull/728 Author: HonzaCholasta Title: #728: ipa-cacert-manage: add --external-ca-type Action: opened PR body: """ **server upgrade: always fix certmonger tracking request** Fix certmonger tracking requests on every run of ipa-server-upgrade rather than only when the tracking configuration has changed and the requests have not yet been updated. This allows fixing broken tracking requests just by re-running ipa-server-upgrade. **cainstance: use correct profile for lightweight CA certificates** Use Dogtag's `caCACert` CA certificate profile rather than the `ipaCACertRenewal` virtual profile for lightweight CA certificates. The `ipaCACertRenewal` virtual profile adds special handling of externally signed CA certificates and LDAP replication of issued certificates on top of `caCACert`, neither of which is relevant for lightweight CA certificates. Remove all of the special casing of lightweight CA certificates from dogtag-ipa-ca-renew-agent-submit. Make sure existing lightweight CA certmonger tracking requests are updated on server upgrade. **renew agent: allow reusing existing certs** Add a switch which makes `dogtag-ipa-ca-renew-agent-submit` reuse the existing certificate rather than request a new one from the CA while maintaining LDAP replication of the certificate. Make this available as a new `dogtag-ipa-ca-renew-agent-reuse` certmonger CA. This allows redoing the LDAP replication and reexecuting pre- and post-save commands of a tracking request without reissuing the certificate. **renew agent: always export CSR on IPA CA certificate renewal** Make sure a CSR is exported for the IPA CA whenever certmonger detects that the CA certificate is about to expire. 
This is a pre-requisite for using the `dogtag-ipa-ca-renew-agent-reuse` CA instead of the `ipaCSRExport` virtual profile to export the CSR. **renew agent: get rid of virtual profiles** Replace all uses of virtual profiles with `dogtag-ipa-ca-renew-agent-reuse` and remove profile from the IPA CA certificate tracking request. This prevents virtual profiles from making their way into CSRs and in turn being rejected by certain CAs. This affected the IPA CA CSR with Microsoft CS in particular. **ipa-cacert-manage: add --external-ca-type** Add the `--external-ca-type`, as known from `ipa-server-install` and `ipa-ca-install`, to `ipa-cacert-manage`. This allows creating IPA CA CSRs suitable for use with Microsoft CS using `ipa-cacert-manage`: ``` ipa-cacert-manage renew --external-ca --external-ca-type=ms-cs ``` https://pagure.io/freeipa/issue/5799 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/728/head:pr728 git checkout pr728 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-728.patch Type: text/x-diff Size: 37531 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Apr 24 20:37:35 2017 From: freeipa-github-notification at redhat.com (realsobek) Date: Mon, 24 Apr 2017 22:37:35 +0200 Subject: [Freeipa-devel] [freeipa PR#714][synchronized] fix minor typo in ipa-adtrust-install.1 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/714 Author: realsobek Title: #714: fix minor typo in ipa-adtrust-install.1 Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/714/head:pr714 git checkout pr714 -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-pr-714.patch Type: text/x-diff Size: 1051 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Apr 24 21:09:38 2017 From: freeipa-github-notification at redhat.com (realsobek) Date: Mon, 24 Apr 2017 23:09:38 +0200 Subject: [Freeipa-devel] [freeipa PR#714][comment] fix minor typo in ipa-adtrust-install.1 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/714 Title: #714: fix minor typo in ipa-adtrust-install.1 realsobek commented: """ It was my fault. I knew how to squash two unpushed commits, but squashing two pushed commits was beyond me. Thanks for your comment in #716 I had a look again and I managed it this time. :) I squashed the last two commits (see `git log`) in my branch with `git rebase --interactive HEAD~2` and pushed the result to my fork with `git push origin master --force` """ See the full comment at https://github.com/freeipa/freeipa/pull/714#issuecomment-296823122 From freeipa-github-notification at redhat.com Tue Apr 25 05:39:18 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Tue, 25 Apr 2017 07:39:18 +0200 Subject: [Freeipa-devel] [freeipa PR#694][comment] RFC: implement local PKINIT deployment in server/replica install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/694 Title: #694: RFC: implement local PKINIT deployment in server/replica install HonzaCholasta commented: """ @martbab, this sounds like a typical instance of a we will do it later = we will do it never situation. IMO we should remove the superfluous check right away, as that would give us more incentive to actually implement the test. 
""" See the full comment at https://github.com/freeipa/freeipa/pull/694#issuecomment-296916627 From freeipa-github-notification at redhat.com Tue Apr 25 05:58:29 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 25 Apr 2017 07:58:29 +0200 Subject: [Freeipa-devel] [freeipa PR#714][comment] fix minor typo in ipa-adtrust-install.1 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/714 Title: #714: fix minor typo in ipa-adtrust-install.1 stlaz commented: """ Thanks, now this is ready to be pushed :) """ See the full comment at https://github.com/freeipa/freeipa/pull/714#issuecomment-296920348 From freeipa-github-notification at redhat.com Tue Apr 25 05:58:34 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 25 Apr 2017 07:58:34 +0200 Subject: [Freeipa-devel] [freeipa PR#714][+ack] fix minor typo in ipa-adtrust-install.1 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/714 Title: #714: fix minor typo in ipa-adtrust-install.1 Label: +ack From freeipa-github-notification at redhat.com Tue Apr 25 06:50:42 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Tue, 25 Apr 2017 08:50:42 +0200 Subject: [Freeipa-devel] [freeipa PR#688][comment] Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/688 Title: #688: Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches HonzaCholasta commented: """ I guess it should. Could you please file a ticket? 
""" See the full comment at https://github.com/freeipa/freeipa/pull/688#issuecomment-296931927 From freeipa-github-notification at redhat.com Tue Apr 25 10:21:10 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 25 Apr 2017 12:21:10 +0200 Subject: [Freeipa-devel] [freeipa PR#714][+pushed] fix minor typo in ipa-adtrust-install.1 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/714 Title: #714: fix minor typo in ipa-adtrust-install.1 Label: +pushed From freeipa-github-notification at redhat.com Tue Apr 25 10:21:13 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 25 Apr 2017 12:21:13 +0200 Subject: [Freeipa-devel] [freeipa PR#714][comment] fix minor typo in ipa-adtrust-install.1 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/714 Title: #714: fix minor typo in ipa-adtrust-install.1 MartinBasti commented: """ master: * 298f725e5b2f820369c337dd1ab4bfd9ad3cd01f fix minor typos in ipa-adtrust-install.1 """ See the full comment at https://github.com/freeipa/freeipa/pull/714#issuecomment-296987097 From freeipa-github-notification at redhat.com Tue Apr 25 10:21:16 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 25 Apr 2017 12:21:16 +0200 Subject: [Freeipa-devel] [freeipa PR#714][closed] fix minor typo in ipa-adtrust-install.1 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/714 Author: realsobek Title: #714: fix minor typo in ipa-adtrust-install.1 Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/714/head:pr714 git checkout pr714 From freeipa-github-notification at redhat.com Tue Apr 25 10:23:37 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 25 Apr 2017 12:23:37 +0200 Subject: [Freeipa-devel] [freeipa PR#712][+pushed] WebUI: Coverity fixes In-Reply-To: References: Message-ID: URL: 
https://github.com/freeipa/freeipa/pull/712 Title: #712: WebUI: Coverity fixes Label: +pushed From freeipa-github-notification at redhat.com Tue Apr 25 10:23:41 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 25 Apr 2017 12:23:41 +0200 Subject: [Freeipa-devel] [freeipa PR#712][comment] WebUI: Coverity fixes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/712 Title: #712: WebUI: Coverity fixes MartinBasti commented: """ master: * b54ceae9616b733c35ce7928309b8ab93527110b WebUI: Coverity - add explicit window object to alert methods * 5ba7957450ebe78c67cf675855f4f4c3a34fab54 WebUI - Coverity: fixed null pointer exception * 01516e58c8fc71985c538136b2286198765da296 WebUI - Coverity: fix identical branches of if statement """ See the full comment at https://github.com/freeipa/freeipa/pull/712#issuecomment-296987672 From freeipa-github-notification at redhat.com Tue Apr 25 10:23:44 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 25 Apr 2017 12:23:44 +0200 Subject: [Freeipa-devel] [freeipa PR#712][closed] WebUI: Coverity fixes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/712 Author: pvomacka Title: #712: WebUI: Coverity fixes Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/712/head:pr712 git checkout pr712 From freeipa-github-notification at redhat.com Tue Apr 25 10:26:06 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 25 Apr 2017 12:26:06 +0200 Subject: [Freeipa-devel] [freeipa PR#720][+pushed] tox: use pylint 1.6.x for now In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/720 Title: #720: tox: use pylint 1.6.x for now Label: +pushed From freeipa-github-notification at redhat.com Tue Apr 25 10:26:11 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 25 Apr 2017 12:26:11 +0200 
Subject: [Freeipa-devel] [freeipa PR#720][comment] tox: use pylint 1.6.x for now In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/720 Title: #720: tox: use pylint 1.6.x for now MartinBasti commented: """ master: * b64ec757883284a765745ef4fbd78fb55bf0e228 tox: use pylint 1.6.x for now """ See the full comment at https://github.com/freeipa/freeipa/pull/720#issuecomment-296988196 From freeipa-github-notification at redhat.com Tue Apr 25 10:26:14 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 25 Apr 2017 12:26:14 +0200 Subject: [Freeipa-devel] [freeipa PR#720][closed] tox: use pylint 1.6.x for now In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/720 Author: tiran Title: #720: tox: use pylint 1.6.x for now Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/720/head:pr720 git checkout pr720 From freeipa-github-notification at redhat.com Tue Apr 25 10:49:11 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 25 Apr 2017 12:49:11 +0200 Subject: [Freeipa-devel] [freeipa PR#702][comment] Correct PyPI package dependencies In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/702 Title: #702: Correct PyPI package dependencies MartinBasti commented: """
Pylint targets are failing with following error
```
Collecting pyusb; extra == "otptoken_yubikey" (from ipaclient==4.5.90.dev201704251040+git0ebdd30->-c /tmp/freeipa/.wheelconstraints (line 5))
Could not find a version that satisfies the requirement pyusb; extra == "otptoken_yubikey" (from ipaclient==4.5.90.dev201704251040+git0ebdd30->-c /tmp/freeipa/.wheelconstraints (line 5)) (from versions: )
No matching distribution found for pyusb; extra == "otptoken_yubikey" (from ipaclient==4.5.90.dev201704251040+git0ebdd30->-c /tmp/freeipa/.wheelconstraints (line 5))
```
""" See the full comment at
https://github.com/freeipa/freeipa/pull/702#issuecomment-296992860 From freeipa-github-notification at redhat.com Tue Apr 25 11:11:18 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Tue, 25 Apr 2017 13:11:18 +0200 Subject: [Freeipa-devel] [freeipa PR#729][opened] Turn on NSSOCSP check in mod_nss conf Message-ID: URL: https://github.com/freeipa/freeipa/pull/729 Author: pvomacka Title: #729: Turn on NSSOCSP check in mod_nss conf Action: opened PR body: """ Turn on NSSOCSP directive during install/replica install/upgrade. That checks whether the certificate which is used for login is revoked or not using OCSP. https://pagure.io/freeipa/issue/6370 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/729/head:pr729 git checkout pr729 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-729.patch Type: text/x-diff Size: 5977 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Apr 25 11:18:13 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Tue, 25 Apr 2017 13:18:13 +0200 Subject: [Freeipa-devel] [freeipa PR#702][synchronized] Correct PyPI package dependencies In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/702 Author: tiran Title: #702: Correct PyPI package dependencies Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/702/head:pr702 git checkout pr702 -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-pr-702.patch Type: text/x-diff Size: 6724 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Apr 25 11:20:16 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Tue, 25 Apr 2017 13:20:16 +0200 Subject: [Freeipa-devel] [freeipa PR#702][comment] Correct PyPI package dependencies In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/702 Title: #702: Correct PyPI package dependencies tiran commented: """ You are running into a pip bug. I've added a band-aid for the issue. To speed up testing, tox caches packages. I guess I never ran into the problem because I had the packages pre-built and cached. """ See the full comment at https://github.com/freeipa/freeipa/pull/702#issuecomment-296999123 From freeipa-github-notification at redhat.com Tue Apr 25 11:24:05 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Tue, 25 Apr 2017 13:24:05 +0200 Subject: [Freeipa-devel] [freeipa PR#694][comment] RFC: implement local PKINIT deployment in server/replica install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/694 Title: #694: RFC: implement local PKINIT deployment in server/replica install martbab commented: """ @HonzaCholasta Then the best course of action is to remove the PKINIT check and raise the priority of the issue for test case. 
""" See the full comment at https://github.com/freeipa/freeipa/pull/694#issuecomment-296999874 From freeipa-github-notification at redhat.com Tue Apr 25 12:17:52 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Tue, 25 Apr 2017 14:17:52 +0200 Subject: [Freeipa-devel] [freeipa PR#730][opened] spec file: bump python-netaddr Requires Message-ID: URL: https://github.com/freeipa/freeipa/pull/730 Author: HonzaCholasta Title: #730: spec file: bump python-netaddr Requires Action: opened PR body: """ Bump python-netaddr Requires to the version which has correct private and reserved IPv4 address ranges. This fixes DNS server install failure when 0.0.0.0 is entered as a forwarder. https://pagure.io/freeipa/issue/6894 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/730/head:pr730 git checkout pr730 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-730.patch Type: text/x-diff Size: 1829 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Apr 25 12:23:14 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Tue, 25 Apr 2017 14:23:14 +0200 Subject: [Freeipa-devel] [freeipa PR#725][comment] Fix certificate_out check in CertRetrieveOverride In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/725 Title: #725: Fix certificate_out check in CertRetrieveOverride HonzaCholasta commented: """ NACK: ``` $ ipa cert-show 1 ipa: ERROR: Filename is empty ``` """ See the full comment at https://github.com/freeipa/freeipa/pull/725#issuecomment-297013050 From freeipa-github-notification at redhat.com Tue Apr 25 12:43:53 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Tue, 25 Apr 2017 14:43:53 +0200 Subject: [Freeipa-devel] [freeipa PR#731][opened] spec file: bump krb5 Requires for certauth fixes Message-ID: URL: 
https://github.com/freeipa/freeipa/pull/731 Author: HonzaCholasta Title: #731: spec file: bump krb5 Requires for certauth fixes Action: opened PR body: """ Bump krb5-* Requires to the version which includes the final version of certauth support. https://pagure.io/freeipa/issue/4905 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/731/head:pr731 git checkout pr731 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-731.patch Type: text/x-diff Size: 2459 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Apr 25 13:02:52 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Tue, 25 Apr 2017 15:02:52 +0200 Subject: [Freeipa-devel] [freeipa PR#729][synchronized] Turn on NSSOCSP check in mod_nss conf In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/729 Author: pvomacka Title: #729: Turn on NSSOCSP check in mod_nss conf Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/729/head:pr729 git checkout pr729 -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-pr-729.patch Type: text/x-diff Size: 6047 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Apr 25 13:05:19 2017 From: freeipa-github-notification at redhat.com (redhatrises) Date: Tue, 25 Apr 2017 15:05:19 +0200 Subject: [Freeipa-devel] [freeipa PR#688][edited] Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/688 Author: redhatrises Title: #688: Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches Action: edited Changed field: body Original value: """ - Update get_attr_filter in LDAPSearch to handle nsaccountlock by setting the default value for nsaccountlock to false as well as update the filter to check for the default value """ From freeipa-github-notification at redhat.com Tue Apr 25 13:05:28 2017 From: freeipa-github-notification at redhat.com (redhatrises) Date: Tue, 25 Apr 2017 15:05:28 +0200 Subject: [Freeipa-devel] [freeipa PR#688][edited] Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/688 Author: redhatrises Title: #688: Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches Action: edited Changed field: body Original value: """ - Update get_attr_filter in LDAPSearch to handle nsaccountlock by setting the default value for nsaccountlock to false as well as update the filter to check for the default value https://pagure.io/freeipa/issue/6896 """ From freeipa-github-notification at redhat.com Tue Apr 25 13:05:44 2017 From: freeipa-github-notification at redhat.com (redhatrises) Date: Tue, 25 Apr 2017 15:05:44 +0200 Subject: [Freeipa-devel] [freeipa PR#688][comment] Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/688 Title: #688: Update 
get_attr_filter in LDAPSearch to handle nsaccountlock user searches redhatrises commented: """ @HonzaCholasta done. https://pagure.io/freeipa/issue/6896 """ See the full comment at https://github.com/freeipa/freeipa/pull/688#issuecomment-297023523 From freeipa-github-notification at redhat.com Tue Apr 25 13:08:19 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Tue, 25 Apr 2017 15:08:19 +0200 Subject: [Freeipa-devel] [freeipa PR#688][comment] Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/688 Title: #688: Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches HonzaCholasta commented: """ Thanks! """ See the full comment at https://github.com/freeipa/freeipa/pull/688#issuecomment-297024230 From freeipa-github-notification at redhat.com Tue Apr 25 13:09:30 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Tue, 25 Apr 2017 15:09:30 +0200 Subject: [Freeipa-devel] [freeipa PR#688][+ack] Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/688 Title: #688: Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches Label: +ack From freeipa-github-notification at redhat.com Tue Apr 25 13:10:54 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Tue, 25 Apr 2017 15:10:54 +0200 Subject: [Freeipa-devel] [freeipa PR#688][-ack] Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/688 Title: #688: Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches Label: -ack From freeipa-github-notification at redhat.com Tue Apr 25 13:12:48 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Tue, 25 Apr 2017 15:12:48 +0200 Subject: 
[Freeipa-devel] [freeipa PR#732][opened] ipa-custodia: use Dogtag's alias/pwdfile.txt Message-ID: URL: https://github.com/freeipa/freeipa/pull/732 Author: tiran Title: #732: ipa-custodia: use Dogtag's alias/pwdfile.txt Action: opened PR body: """ /etc/pki/pki-tomcat/password.conf contains additional passwords like replicadb. ipa-custodia does not need these passwords. /etc/pki/pki-tomcat/alias/pwdfile.txt holds the passphrase for Tomcat's NSSDB. The file also simplifies implementation because it removes another temporary file. pwdfile.txt is created by CAInstance.create_certstore_passwdfile() Related: https://pagure.io/freeipa/issue/6888 Signed-off-by: Christian Heimes """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/732/head:pr732 git checkout pr732 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-732.patch Type: text/x-diff Size: 5708 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Apr 25 13:13:49 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Tue, 25 Apr 2017 15:13:49 +0200 Subject: [Freeipa-devel] [freeipa PR#688][comment] Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/688 Title: #688: Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches HonzaCholasta commented: """ Actually, please remove the change in `VERSION.m4`, as it is not necessary and prevents the patch from applying cleanly on top of ipa-4-5. Also please add the ticket link to commit messages. 
""" See the full comment at https://github.com/freeipa/freeipa/pull/688#issuecomment-297025571 From freeipa-github-notification at redhat.com Tue Apr 25 13:30:58 2017 From: freeipa-github-notification at redhat.com (simo5) Date: Tue, 25 Apr 2017 15:30:58 +0200 Subject: [Freeipa-devel] [freeipa PR#679][synchronized] Make sure remote hosts have our keys In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/679 Author: simo5 Title: #679: Make sure remote hosts have our keys Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/679/head:pr679 git checkout pr679 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-679.patch Type: text/x-diff Size: 3212 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Apr 25 13:53:26 2017 From: freeipa-github-notification at redhat.com (redhatrises) Date: Tue, 25 Apr 2017 15:53:26 +0200 Subject: [Freeipa-devel] [freeipa PR#688][synchronized] Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/688 Author: redhatrises Title: #688: Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/688/head:pr688 git checkout pr688 -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-pr-688.patch Type: text/x-diff Size: 4399 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Apr 25 13:54:33 2017 From: freeipa-github-notification at redhat.com (redhatrises) Date: Tue, 25 Apr 2017 15:54:33 +0200 Subject: [Freeipa-devel] [freeipa PR#688][comment] Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/688 Title: #688: Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches redhatrises commented: """ @HonzaCholasta I removed the change to `VERSION.m4` """ See the full comment at https://github.com/freeipa/freeipa/pull/688#issuecomment-297037487

From mbasti at redhat.com Tue Apr 25 14:57:17 2017
From: mbasti at redhat.com (=?UTF-8?Q?Martin_Ba=c5=a1ti?=)
Date: Tue, 25 Apr 2017 16:57:17 +0200
Subject: [Freeipa-devel] KDC proxy URI records
Message-ID:

Hello all,

I'm going to implement automatic URI records for kdc proxy and I'd like to clarify if following URI records are the right one.

_kerberos-adm.example.com. IN URI 0 "krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy"
_krb5kdc.example.com. IN URI 0 "krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy"
_kpasswd.example.com. IN URI 0 "krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy"

I assume we want to use "kkdcp" and "https", and "M" flag as all IPA servers are masters, please confirm.

Sources:
https://k5wiki.kerberos.org/wiki/Projects/KDC_Discovery
https://tools.ietf.org/id/draft-mccallum-kitten-krb-service-discovery-02.txt

Thank you

--
Martin Bašti
Software Engineer
Red Hat Czech

From freeipa-github-notification at redhat.com Wed Apr 26 06:35:58 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Wed, 26 Apr 2017 08:35:58 +0200 Subject: [Freeipa-devel] [freeipa PR#733][opened] [4.5] Fix CA/server cert validation in FIPS Message-ID: URL: https://github.com/freeipa/freeipa/pull/733 Author: stlaz Title: #733: [4.5] Fix CA/server cert validation in FIPS Action: opened PR body: """ In FIPS, the NSS library needs to be passed passwords to perform certificate validation. Should we not have passed it and the NSS guys have not fixed this yet, we would get SEC_ERROR_BAD_SIGNATURE which is completely different error than one would expect but that's just how things are with NSS right now. https://pagure.io/freeipa/issue/6897 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/733/head:pr733 git checkout pr733 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-733.patch Type: text/x-diff Size: 2787 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Apr 26 07:38:12 2017 From: freeipa-github-notification at redhat.com (pvoborni) Date: Wed, 26 Apr 2017 09:38:12 +0200 Subject: [Freeipa-devel] [freeipa PR#734][opened] kerberos session: use CA cert with full cert chain for obtaining cookie Message-ID: URL: https://github.com/freeipa/freeipa/pull/734 Author: pvoborni Title: #734: kerberos session: use CA cert with full cert chain for obtaining cookie Action: opened PR body: """ Http request performed in finalize_kerberos_acquisition doesn't use CA certificate/certificate store with full certificate chain of IPA server. 
So it might happen that in case that IPA is installed with externally signed CA certificate, the call can fail because of certificate validation and e.g. prevent session acquisition. If it will fail for sure is not known - the use case was not discovered, but it is faster and safer to fix preemptively. https://pagure.io/freeipa/issue/6876 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/734/head:pr734 git checkout pr734 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-734.patch Type: text/x-diff Size: 1549 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Apr 26 10:18:54 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 26 Apr 2017 12:18:54 +0200 Subject: [Freeipa-devel] [freeipa PR#702][+ack] Correct PyPI package dependencies In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/702 Title: #702: Correct PyPI package dependencies Label: +ack From freeipa-github-notification at redhat.com Wed Apr 26 10:20:39 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 26 Apr 2017 12:20:39 +0200 Subject: [Freeipa-devel] [freeipa PR#688][+ack] Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/688 Title: #688: Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches Label: +ack From freeipa-github-notification at redhat.com Wed Apr 26 10:21:19 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 26 Apr 2017 12:21:19 +0200 Subject: [Freeipa-devel] [freeipa PR#688][+pushed] Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/688 Title: #688: Update get_attr_filter in LDAPSearch to handle 
nsaccountlock user searches Label: +pushed From freeipa-github-notification at redhat.com Wed Apr 26 10:21:22 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 26 Apr 2017 12:21:22 +0200 Subject: [Freeipa-devel] [freeipa PR#688][comment] Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/688 Title: #688: Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches HonzaCholasta commented: """ master: * 38276d3473ecf2a4cc5b5e2a107347f046625626 Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches ipa-4-5: * dc4d60c9665408666ab3dfab7023a578c34d65a2 Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches """ See the full comment at https://github.com/freeipa/freeipa/pull/688#issuecomment-297338734 From freeipa-github-notification at redhat.com Wed Apr 26 10:21:23 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 26 Apr 2017 12:21:23 +0200 Subject: [Freeipa-devel] [freeipa PR#688][closed] Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/688 Author: redhatrises Title: #688: Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/688/head:pr688 git checkout pr688 From freeipa-github-notification at redhat.com Wed Apr 26 10:26:44 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 26 Apr 2017 12:26:44 +0200 Subject: [Freeipa-devel] [freeipa PR#730][+ack] spec file: bump python-netaddr Requires In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/730 Title: #730: spec file: bump python-netaddr Requires Label: +ack From freeipa-github-notification at 
redhat.com Wed Apr 26 10:32:03 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 26 Apr 2017 12:32:03 +0200 Subject: [Freeipa-devel] [freeipa PR#702][+pushed] Correct PyPI package dependencies In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/702 Title: #702: Correct PyPI package dependencies Label: +pushed From freeipa-github-notification at redhat.com Wed Apr 26 10:32:07 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 26 Apr 2017 12:32:07 +0200 Subject: [Freeipa-devel] [freeipa PR#702][comment] Correct PyPI package dependencies In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/702 Title: #702: Correct PyPI package dependencies MartinBasti commented: """ master: * 26ab51ddf47f421f3404709052db89f08c05adaa Correct PyPI package dependencies * 994d24d288080e924e039ca0a7b0b0dfc2355ac1 Band-aid for pip dependency bug """ See the full comment at https://github.com/freeipa/freeipa/pull/702#issuecomment-297343667 From freeipa-github-notification at redhat.com Wed Apr 26 10:32:09 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 26 Apr 2017 12:32:09 +0200 Subject: [Freeipa-devel] [freeipa PR#702][closed] Correct PyPI package dependencies In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/702 Author: tiran Title: #702: Correct PyPI package dependencies Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/702/head:pr702 git checkout pr702 From freeipa-github-notification at redhat.com Wed Apr 26 10:36:38 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 26 Apr 2017 12:36:38 +0200 Subject: [Freeipa-devel] [freeipa PR#730][comment] spec file: bump python-netaddr Requires In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/730 Title: #730: spec file: bump 
python-netaddr Requires MartinBasti commented: """ master: * 0784e53f7f8a323acafbbff26a9d1c0276a229b0 spec file: bump python-netaddr Requires """ See the full comment at https://github.com/freeipa/freeipa/pull/730#issuecomment-297345694 From freeipa-github-notification at redhat.com Wed Apr 26 10:36:41 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 26 Apr 2017 12:36:41 +0200 Subject: [Freeipa-devel] [freeipa PR#730][+pushed] spec file: bump python-netaddr Requires In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/730 Title: #730: spec file: bump python-netaddr Requires Label: +pushed From freeipa-github-notification at redhat.com Wed Apr 26 10:36:44 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 26 Apr 2017 12:36:44 +0200 Subject: [Freeipa-devel] [freeipa PR#730][closed] spec file: bump python-netaddr Requires In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/730 Author: HonzaCholasta Title: #730: spec file: bump python-netaddr Requires Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/730/head:pr730 git checkout pr730 From freeipa-github-notification at redhat.com Wed Apr 26 10:39:30 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 26 Apr 2017 12:39:30 +0200 Subject: [Freeipa-devel] [freeipa PR#730][comment] spec file: bump python-netaddr Requires In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/730 Title: #730: spec file: bump python-netaddr Requires MartinBasti commented: """ If this should go into 4.5 please open a new PR """ See the full comment at https://github.com/freeipa/freeipa/pull/730#issuecomment-297346926 From freeipa-github-notification at redhat.com Wed Apr 26 10:52:40 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 26 Apr 2017 12:52:40 +0200 Subject: 
[Freeipa-devel] [freeipa PR#694][synchronized] RFC: implement local PKINIT deployment in server/replica install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/694 Author: martbab Title: #694: RFC: implement local PKINIT deployment in server/replica install Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/694/head:pr694 git checkout pr694 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-694.patch Type: text/x-diff Size: 23092 bytes Desc: not available URL:

From mbasti at redhat.com Wed Apr 26 10:57:10 2017
From: mbasti at redhat.com (=?UTF-8?Q?Martin_Ba=c5=a1ti?=)
Date: Wed, 26 Apr 2017 12:57:10 +0200
Subject: [Freeipa-devel] KDC proxy URI records
In-Reply-To:
References:
Message-ID:

On 25.04.2017 16:57, Martin Bašti wrote:
> Hello all,
>
> I'm going to implement automatic URI records for kdc proxy and I'd
> like to clarify if following URI records are the right one.
>
>
> _kerberos-adm.example.com. IN URI 0
> "krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy"
>
> _krb5kdc.example.com. IN URI 0
> "krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy"
>
> _kpasswd.example.com. IN URI 0
> "krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy"
>
>
> I assume we want to use "kkdcp" and "https", and "M" flag as all IPA
> servers are masters, please confirm.
>
>
> Sources:
>
> https://k5wiki.kerberos.org/wiki/Projects/KDC_Discovery
>
> https://tools.ietf.org/id/draft-mccallum-kitten-krb-service-discovery-02.txt
>
>
>
> Thank you
>

I found out that wiki page differs from the RFC draft and from the source in git
There is "_kerberos.REALM" record instead of "_krb5kdc.REALM"
And I'm not sure if _kerberos-adm should be included as we don't really support kadmin.

--
Martin Bašti
Software Engineer
Red Hat Czech

From bind-dyndb-ldap-github-notification at redhat.com Wed Apr 26 11:17:49 2017 From: bind-dyndb-ldap-github-notification at redhat.com (tomaskrizek) Date: Wed, 26 Apr 2017 13:17:49 +0200 Subject: [Freeipa-devel] [bind-dyndb-ldap PR#17][+ack] settings: skip unconfigured values In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/bind-dyndb-ldap/pull/17 Title: #17: settings: skip unconfigured values Label: +ack From bind-dyndb-ldap-github-notification at redhat.com Wed Apr 26 11:19:13 2017 From: bind-dyndb-ldap-github-notification at redhat.com (tomaskrizek) Date: Wed, 26 Apr 2017 13:19:13 +0200 Subject: [Freeipa-devel] [bind-dyndb-ldap PR#17][comment] settings: skip unconfigured values In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/bind-dyndb-ldap/pull/17 Title: #17: settings: skip unconfigured values tomaskrizek commented: """ master - 41461fc444170ffd9b5459e2f0b2480f3288cc1d - 7a67f77b66a680df1c21429e7c4e2dd001e86046 """ See the full comment at https://github.com/freeipa/bind-dyndb-ldap/pull/17#issuecomment-297364657 From bind-dyndb-ldap-github-notification at redhat.com Wed Apr 26 11:19:16 2017 From: bind-dyndb-ldap-github-notification at redhat.com (tomaskrizek) Date: Wed, 26 Apr 2017 13:19:16 +0200 Subject: [Freeipa-devel] [bind-dyndb-ldap PR#17][closed] settings: skip unconfigured values In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/bind-dyndb-ldap/pull/17 Author: tomaskrizek Title: #17: settings: skip unconfigured values Action: closed To pull the PR as Git branch: git remote add ghbind-dyndb-ldap https://github.com/freeipa/bind-dyndb-ldap git fetch ghbind-dyndb-ldap pull/17/head:pr17 git checkout pr17 From bind-dyndb-ldap-github-notification at redhat.com Wed Apr 26 11:19:19 2017 From: bind-dyndb-ldap-github-notification at redhat.com (tomaskrizek) Date: Wed, 26 Apr 2017 13:19:19 +0200 Subject: [Freeipa-devel] [bind-dyndb-ldap PR#17][+pushed] 
settings: skip unconfigured values In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/bind-dyndb-ldap/pull/17 Title: #17: settings: skip unconfigured values Label: +pushed From freeipa-github-notification at redhat.com Wed Apr 26 13:34:22 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 26 Apr 2017 15:34:22 +0200 Subject: [Freeipa-devel] [freeipa PR#731][synchronized] spec file: bump krb5 Requires for certauth fixes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/731 Author: HonzaCholasta Title: #731: spec file: bump krb5 Requires for certauth fixes Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/731/head:pr731 git checkout pr731 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-731.patch Type: text/x-diff Size: 2555 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Apr 26 13:47:04 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 26 Apr 2017 15:47:04 +0200 Subject: [Freeipa-devel] [freeipa PR#731][synchronized] spec file: bump krb5 Requires for certauth fixes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/731 Author: HonzaCholasta Title: #731: spec file: bump krb5 Requires for certauth fixes Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/731/head:pr731 git checkout pr731 -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-pr-731.patch Type: text/x-diff Size: 2477 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Apr 26 13:50:17 2017 From: freeipa-github-notification at redhat.com (pvoborni) Date: Wed, 26 Apr 2017 15:50:17 +0200 Subject: [Freeipa-devel] [freeipa PR#735][opened] automount install: do not wait for sssd restart on uninstallation Message-ID: URL: https://github.com/freeipa/freeipa/pull/735 Author: pvoborni Title: #735: automount install: do not wait for sssd restart on uninstallation Action: opened PR body: """ Change in 2d4d1a9dc0ef2bbe86751768d6e6b009a52c0dc9 no longer initializes api in `ipa-client-automount --uninstallation` Which caused error in wait_for_sssd which gets realm from initialized API. In my opinion, there is no reason to check working sssd after uninstallation by running id command. If anything depends on running sssd then it should do the check. Also fix call of xxx_service_class_factory which requires api as param. https://pagure.io/freeipa/issue/6861 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/735/head:pr735 git checkout pr735 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-735.patch Type: text/x-diff Size: 1894 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Apr 26 14:09:28 2017 From: freeipa-github-notification at redhat.com (rcritten) Date: Wed, 26 Apr 2017 16:09:28 +0200 Subject: [Freeipa-devel] [freeipa PR#735][comment] automount install: do not wait for sssd restart on uninstallation In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/735 Title: #735: automount install: do not wait for sssd restart on uninstallation rcritten commented: """ I guess I have more issues with the commit message than the patch content. What would you suggest ensure that sssd is up? 
A typical user wouldn't notice until an nss lookup failed which likely means a login was rejected. The wait for restart was there to ensure, in interactive sessions at least, that unconfiguring automount didn't hose the system. To me this is another example of how wrong it is to require a ticket to initialize an API. """ See the full comment at https://github.com/freeipa/freeipa/pull/735#issuecomment-297420281 From freeipa-github-notification at redhat.com Wed Apr 26 14:12:02 2017 From: freeipa-github-notification at redhat.com (felipevolpone) Date: Wed, 26 Apr 2017 16:12:02 +0200 Subject: [Freeipa-devel] [freeipa PR#736][opened] Fixing the cert-request command comparing whole email address case-sensitively. Message-ID: URL: https://github.com/freeipa/freeipa/pull/736 Author: felipevolpone Title: #736: Fixing the cert-request command comparing whole email address case-sensitively. Action: opened PR body: """ Now, the cert-request command compares the domain part of the email case-insensitively. Fixes: [https://pagure.io/freeipa/issue/5919](https://pagure.io/freeipa/issue/5919) """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/736/head:pr736 git checkout pr736 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-736.patch Type: text/x-diff Size: 3528 bytes Desc: not available URL: From pvoborni at redhat.com Wed Apr 26 14:56:36 2017 From: pvoborni at redhat.com (Petr Vobornik) Date: Wed, 26 Apr 2017 16:56:36 +0200 Subject: [Freeipa-devel] [HEADSUP] 389-ds-base-1.3.6.4-1.fc26. and 389-ds-base-1.3.5.17-1.fc25 breaks server installation Message-ID: <00039d7f-2c67-208a-01a3-a62ce0bf92f8@redhat.com> New builds of 389 on F25 and F26 break server installation. Or at least I think it's 389 issue on f26. 
f25 https://bodhi.fedoraproject.org/updates/FEDORA-2017-8bb5a83e04 f26: https://bodhi.fedoraproject.org/updates/FEDORA-2017-7f0a10c808 https://bugzilla.redhat.com/show_bug.cgi?id=1445776 -- Petr Vobornik From freeipa-github-notification at redhat.com Wed Apr 26 15:00:47 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 26 Apr 2017 17:00:47 +0200 Subject: [Freeipa-devel] [freeipa PR#694][synchronized] RFC: implement local PKINIT deployment in server/replica install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/694 Author: martbab Title: #694: RFC: implement local PKINIT deployment in server/replica install Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/694/head:pr694 git checkout pr694 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-694.patch Type: text/x-diff Size: 23092 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Apr 26 15:48:18 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 26 Apr 2017 17:48:18 +0200 Subject: [Freeipa-devel] [freeipa PR#731][+ack] spec file: bump krb5 Requires for certauth fixes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/731 Title: #731: spec file: bump krb5 Requires for certauth fixes Label: +ack From freeipa-github-notification at redhat.com Wed Apr 26 15:50:20 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 26 Apr 2017 17:50:20 +0200 Subject: [Freeipa-devel] [freeipa PR#731][comment] spec file: bump krb5 Requires for certauth fixes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/731 Title: #731: spec file: bump krb5 Requires for certauth fixes martbab commented: """ We will need a separate PR for ipa-4-5 branch. 
""" See the full comment at https://github.com/freeipa/freeipa/pull/731#issuecomment-297455136 From freeipa-github-notification at redhat.com Wed Apr 26 16:00:45 2017 From: freeipa-github-notification at redhat.com (pvoborni) Date: Wed, 26 Apr 2017 18:00:45 +0200 Subject: [Freeipa-devel] [freeipa PR#735][synchronized] automount install: do not wait for sssd restart on uninstallation In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/735 Author: pvoborni Title: #735: automount install: do not wait for sssd restart on uninstallation Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/735/head:pr735 git checkout pr735 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-735.patch Type: text/x-diff Size: 2923 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Apr 26 16:01:37 2017 From: freeipa-github-notification at redhat.com (pvoborni) Date: Wed, 26 Apr 2017 18:01:37 +0200 Subject: [Freeipa-devel] [freeipa PR#735][comment] automount install: do not wait for sssd restart on uninstallation In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/735 Title: #735: automount install: do not wait for sssd restart on uninstallation pvoborni commented: """ Thanks Rob, this reason for the wait didn't occurred to me. 
New patch changes api initialization so that it works for both install and uninstall even without user's Kerberos credentials and with cleared cache, """ See the full comment at https://github.com/freeipa/freeipa/pull/735#issuecomment-297458891 From freeipa-github-notification at redhat.com Wed Apr 26 16:03:58 2017 From: freeipa-github-notification at redhat.com (pvoborni) Date: Wed, 26 Apr 2017 18:03:58 +0200 Subject: [Freeipa-devel] [freeipa PR#735][synchronized] automount install: do not wait for sssd restart on uninstallation In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/735 Author: pvoborni Title: #735: automount install: do not wait for sssd restart on uninstallation Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/735/head:pr735 git checkout pr735 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-735.patch Type: text/x-diff Size: 2925 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Apr 26 16:19:49 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 26 Apr 2017 18:19:49 +0200 Subject: [Freeipa-devel] [freeipa PR#737][opened] Vault: Explicitly default to 3DES CBC Message-ID: URL: https://github.com/freeipa/freeipa/pull/737 Author: tiran Title: #737: Vault: Explicitly default to 3DES CBC Action: opened PR body: """ The server-side plugin for IPA Vault relied on the fact that the default oid for encryption algorithm is 3DES in CBC mode (DES-EDE3-CBC). Dogtag 10.4 has changed the default from 3DES to AES. Pass the correct algorithm OID to KeyClient.archive_encrypted_data(). 
Closes: https://pagure.io/freeipa/issue/6899 Signed-off-by: Christian Heimes """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/737/head:pr737 git checkout pr737 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-737.patch Type: text/x-diff Size: 1562 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Apr 26 16:19:59 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Wed, 26 Apr 2017 18:19:59 +0200 Subject: [Freeipa-devel] [freeipa PR#729][synchronized] Turn on NSSOCSP check in mod_nss conf In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/729 Author: pvomacka Title: #729: Turn on NSSOCSP check in mod_nss conf Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/729/head:pr729 git checkout pr729 -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-pr-729.patch Type: text/x-diff Size: 5993 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Apr 26 16:22:10 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 26 Apr 2017 18:22:10 +0200 Subject: [Freeipa-devel] [freeipa PR#737][comment] Vault: Explicitly default to 3DES CBC In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/737 Title: #737: Vault: Explicitly default to 3DES CBC tiran commented: """ * I haven't verified that the patch actually solves the problem * Needs backport to at least 4.5 * Either needs backport to 4.4 or 4.4 must require Dogtag < 10.4 """ See the full comment at https://github.com/freeipa/freeipa/pull/737#issuecomment-297465052 From freeipa-github-notification at redhat.com Wed Apr 26 16:35:04 2017 From: freeipa-github-notification at redhat.com (pvoborni) Date: Wed, 26 Apr 2017 18:35:04 +0200 Subject: [Freeipa-devel] [freeipa PR#737][comment] Vault: Explicitly default to 3DES CBC In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/737 Title: #737: Vault: Explicitly default to 3DES CBC pvoborni commented: """ Should go to 4.4.5 unless pki-core-10.4.0-1 is removed from f25. Blocking new Dogtag update in 4.4 doesn't seem right to me. 
""" See the full comment at https://github.com/freeipa/freeipa/pull/737#issuecomment-297468723 From freeipa-github-notification at redhat.com Wed Apr 26 17:08:03 2017 From: freeipa-github-notification at redhat.com (pvoborni) Date: Wed, 26 Apr 2017 19:08:03 +0200 Subject: [Freeipa-devel] [freeipa PR#738][opened] restore: restart gssproxy after restore Message-ID: URL: https://github.com/freeipa/freeipa/pull/738 Author: pvoborni Title: #738: restore: restart gssproxy after restore Action: opened PR body: """ So that gssproxy picks up new configuration and therefore related usages like authentication of CLI against server works https://pagure.io/freeipa/issue/6902 @simo5 btw, what is the proper name of gssproxy? Is it GSSAPI proxy, gss-proxy or gssproxy? Note: if this patch is wrong, feel free to take over and abolish this PR. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/738/head:pr738 git checkout pr738 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-738.patch Type: text/x-diff Size: 1101 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Apr 26 17:31:56 2017 From: freeipa-github-notification at redhat.com (simo5) Date: Wed, 26 Apr 2017 19:31:56 +0200 Subject: [Freeipa-devel] [freeipa PR#738][comment] restore: restart gssproxy after restore In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/738 Title: #738: restore: restart gssproxy after restore simo5 commented: """ The name of the project is GSS-Proxy, the package name is gssproxy. 
""" See the full comment at https://github.com/freeipa/freeipa/pull/738#issuecomment-297484796 From simo at redhat.com Wed Apr 26 18:41:47 2017 From: simo at redhat.com (Simo Sorce) Date: Wed, 26 Apr 2017 14:41:47 -0400 Subject: [Freeipa-devel] KDC proxy URI records In-Reply-To: References: Message-ID: <1493232107.18022.22.camel@redhat.com> On Wed, 2017-04-26 at 12:57 +0200, Martin Ba?ti wrote: > > On 25.04.2017 16:57, Martin Ba?ti wrote: > > Hello all, > > > > I'm going to implement automatic URI records for kdc proxy and I'd > > like to clarify if following URI records are the right one. > > > > > > _kerberos-adm.example.com. IN URI 0 > > "krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy" > > > > _krb5kdc.example.com. IN URI 0 > > "krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy" > > > > _kpasswd.example.com. IN URI 0 > > "krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy" > > > > > > I assume we want to use "kkdcp" and "https", and "M" flag as all IPA > > servers are masters, please confirm. > > > > > > Sources: > > > > https://k5wiki.kerberos.org/wiki/Projects/KDC_Discovery > > > > https://tools.ietf.org/id/draft-mccallum-kitten-krb-service-discovery-02.txt > > > > > > > > Thank you > > > > I found out that wiki page differs from the RFC draft and from the > source in git > > There is "_kerberos.REALM" record instead of "_krb5kdc.REALM" > > > And I'm not sure if _kerberos-adm should be included as we don't really > support kadmin. We shouldn't. Simo. -- Simo Sorce Sr. 
Principal Software Engineer Red Hat, Inc From simo at redhat.com Wed Apr 26 18:41:51 2017 From: simo at redhat.com (Simo Sorce) Date: Wed, 26 Apr 2017 14:41:51 -0400 Subject: [Freeipa-devel] Pagure issue template In-Reply-To: <049b5fec-f70f-8fed-72e7-e127ff61dfec@redhat.com> References: <2283c9ea-f838-adb3-050e-86a0219af59a@redhat.com> <38899fa2-21be-0162-5da2-75ca8e81a20b@redhat.com> <0a29f331-d65b-c688-ea3f-51f2f8e69e11@redhat.com> <049b5fec-f70f-8fed-72e7-e127ff61dfec@redhat.com> Message-ID: <1493232111.18022.23.camel@redhat.com> On Fri, 2017-04-21 at 10:17 +0200, Petr Vobornik wrote: > On 04/21/2017 08:49 AM, Standa Laznicka wrote: > > On 04/21/2017 08:12 AM, Abhijeet Kasurde wrote: > >> +1 > >> > >> On 20/04/17 9:36 PM, Petr Vobornik wrote: > >>> Hi all, > >>> > >>> I'd like to improve quality of bug reports and RFEs. > >>> > >>> A possibility I see is to create an issue template [1]. > > Sounds like a good idea! Please see my comments. > >>> > >>> What do you think of the following template? Should we use it? > >>> > >>> """" > >>> ### Request for enhancement > >>> As , I want so that . > > This sounds very labored. How about using: > > "I am a and I want ..." > >>> > >>> ### Bug > >>> #### What doesn't work (what was the goal) > > "What's not working" proposes the situation will change and > > sounds better IMO > >>> > > I took some inspiration from the Atom template. But tried to keep it > shorter. As a bonus I added a link where people can find log files and a > link to troubleshooting page. > > New one: > """ > ### Request for enhancement > As , I want so that . > > ### Issue > [description of the issue] > > #### Steps to Reproduce > 1. > 2. > 3. 
> > #### Actual behavior > (what happens) > > #### Expected behavior > (what do you expect to happen) > > #### Version/Release/Distribution > $ rpm -q freeipa-server freeipa-client ipa-server ipa-client > 389-ds-base pki-ca krb5-server > > #### Additional info: > Any additional information, configuration, data or log snippets that is > needed for reproduction or investigation of the issue. > > Log file locations: > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/config-files-logs.html > Troubleshooting guide: https://www.freeipa.org/page/Troubleshooting > """ +1 > > >>> > >> > >> 1. Can we add pre-defined set of components in title ? for example, > > I don't know if it is possible. Probably not. > > >> > >> [CERT] some_cert_related bug description > >> [installer] some installer related bug description > > This is what Pagure has tags for. But you're right we might be missing > > some, although "CERT" is probably not a good example, installer is. On > > the other hand, "userstory" is a tag I will myself never use on purpose. > >> > >> 2. Also, Having a bot in place which will enforce or atleast suggest > >> reporter to modify bug report. > > Could you elaborate? > > >> > >>> [1] https://docs.pagure.org/pagure/usage/ticket_templates.html > >> > > My hope is that the issue template should do itself. > > > > For the record, I love the way Atom guides you through their issue > > creation: https://github.com/atom/atom/issues/new. > > > > -- > Petr Vobornik > > Associate Manager, Engineering, Identity Management > Red Hat > -- Simo Sorce Sr. 
Principal Software Engineer Red Hat, Inc From freeipa-github-notification at redhat.com Wed Apr 26 21:15:33 2017 From: freeipa-github-notification at redhat.com (simo5) Date: Wed, 26 Apr 2017 23:15:33 +0200 Subject: [Freeipa-devel] [freeipa PR#738][comment] restore: restart gssproxy after restore In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/738 Title: #738: restore: restart gssproxy after restore simo5 commented: """ will a "systemctl reload gssproxy" do the right thing @frozencemetery ? """ See the full comment at https://github.com/freeipa/freeipa/pull/738#issuecomment-297543414 From freeipa-github-notification at redhat.com Thu Apr 27 00:49:19 2017 From: freeipa-github-notification at redhat.com (frozencemetery) Date: Thu, 27 Apr 2017 02:49:19 +0200 Subject: [Freeipa-devel] [freeipa PR#738][comment] restore: restart gssproxy after restore In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/738 Title: #738: restore: restart gssproxy after restore frozencemetery commented: """ The systemd-portable way to do this, as I understand it, is `systemctl try-reload-or-restart gssproxy` (unless you want to start it if it's not running, at which point you'd do `systemctl reload-or-restart gssproxy`). Then you're not dependent on how the distro maintainer decides to handle it (which varies between distros here due to reasons). That is something of an orthogonal consideration though - digging further into the code, it doesn't look like there's a `reload`-style verb of any kind in the services abstraction layer? (I see `is_running()` and `restart()`, but no `reload()` in services.py.) I don't know how you want to address this; whether it makes sense to extend the abstraction, or whether since no one else uses it gssproxy can just be `restart`ed. 
""" See the full comment at https://github.com/freeipa/freeipa/pull/738#issuecomment-297580677 From freeipa-github-notification at redhat.com Thu Apr 27 05:23:19 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Thu, 27 Apr 2017 07:23:19 +0200 Subject: [Freeipa-devel] [freeipa PR#739][opened] [4.5] spec file: bump krb5 Requires for certauth fixes Message-ID: URL: https://github.com/freeipa/freeipa/pull/739 Author: HonzaCholasta Title: #739: [4.5] spec file: bump krb5 Requires for certauth fixes Action: opened PR body: """ Bump krb5-* Requires to the version which includes the final version of certauth support. https://pagure.io/freeipa/issue/4905 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/739/head:pr739 git checkout pr739 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-739.patch Type: text/x-diff Size: 2381 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Apr 27 05:23:32 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Thu, 27 Apr 2017 07:23:32 +0200 Subject: [Freeipa-devel] [freeipa PR#731][comment] spec file: bump krb5 Requires for certauth fixes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/731 Title: #731: spec file: bump krb5 Requires for certauth fixes HonzaCholasta commented: """ @martbab, #739. 
""" See the full comment at https://github.com/freeipa/freeipa/pull/731#issuecomment-297614960 From freeipa-github-notification at redhat.com Thu Apr 27 06:17:22 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Thu, 27 Apr 2017 08:17:22 +0200 Subject: [Freeipa-devel] [freeipa PR#739][+ack] [4.5] spec file: bump krb5 Requires for certauth fixes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/739 Title: #739: [4.5] spec file: bump krb5 Requires for certauth fixes Label: +ack From freeipa-github-notification at redhat.com Thu Apr 27 07:18:18 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Thu, 27 Apr 2017 09:18:18 +0200 Subject: [Freeipa-devel] [freeipa PR#731][comment] spec file: bump krb5 Requires for certauth fixes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/731 Title: #731: spec file: bump krb5 Requires for certauth fixes martbab commented: """ master: * 0f42670afa935801c25bc66f733a8d1b90ea5a0b spec file: bump krb5 Requires for certauth fixes """ See the full comment at https://github.com/freeipa/freeipa/pull/731#issuecomment-297632322 From freeipa-github-notification at redhat.com Thu Apr 27 07:18:26 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Thu, 27 Apr 2017 09:18:26 +0200 Subject: [Freeipa-devel] [freeipa PR#731][closed] spec file: bump krb5 Requires for certauth fixes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/731 Author: HonzaCholasta Title: #731: spec file: bump krb5 Requires for certauth fixes Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/731/head:pr731 git checkout pr731 From freeipa-github-notification at redhat.com Thu Apr 27 07:18:29 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Thu, 27 Apr 2017 09:18:29 +0200 Subject: [Freeipa-devel] [freeipa PR#731][+pushed] spec file: bump 
krb5 Requires for certauth fixes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/731 Title: #731: spec file: bump krb5 Requires for certauth fixes Label: +pushed From freeipa-github-notification at redhat.com Thu Apr 27 07:19:13 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Thu, 27 Apr 2017 09:19:13 +0200 Subject: [Freeipa-devel] [freeipa PR#739][+pushed] [4.5] spec file: bump krb5 Requires for certauth fixes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/739 Title: #739: [4.5] spec file: bump krb5 Requires for certauth fixes Label: +pushed From freeipa-github-notification at redhat.com Thu Apr 27 07:19:19 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Thu, 27 Apr 2017 09:19:19 +0200 Subject: [Freeipa-devel] [freeipa PR#739][comment] [4.5] spec file: bump krb5 Requires for certauth fixes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/739 Title: #739: [4.5] spec file: bump krb5 Requires for certauth fixes martbab commented: """ ipa-4-5: * ec3a2a6063beb4ec96796b66abb82476a5c7bd0f spec file: bump krb5 Requires for certauth fixes """ See the full comment at https://github.com/freeipa/freeipa/pull/739#issuecomment-297632489 From freeipa-github-notification at redhat.com Thu Apr 27 07:19:23 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Thu, 27 Apr 2017 09:19:23 +0200 Subject: [Freeipa-devel] [freeipa PR#739][closed] [4.5] spec file: bump krb5 Requires for certauth fixes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/739 Author: HonzaCholasta Title: #739: [4.5] spec file: bump krb5 Requires for certauth fixes Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/739/head:pr739 git checkout pr739 From freeipa-github-notification at redhat.com Thu Apr 27 07:22:45 2017 From: 
freeipa-github-notification at redhat.com (pvoborni) Date: Thu, 27 Apr 2017 09:22:45 +0200 Subject: [Freeipa-devel] [freeipa PR#735][synchronized] automount install: do not wait for sssd restart on uninstallation In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/735 Author: pvoborni Title: #735: automount install: do not wait for sssd restart on uninstallation Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/735/head:pr735 git checkout pr735 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-735.patch Type: text/x-diff Size: 2792 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Apr 27 07:24:49 2017 From: freeipa-github-notification at redhat.com (pvoborni) Date: Thu, 27 Apr 2017 09:24:49 +0200 Subject: [Freeipa-devel] [freeipa PR#735][comment] automount install: do not wait for sssd restart on uninstallation In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/735 Title: #735: automount install: do not wait for sssd restart on uninstallation pvoborni commented: """ The error message was reverted to original (I was fixing the comment below and wondered why it was not fixed, now I know). 
""" See the full comment at https://github.com/freeipa/freeipa/pull/735#issuecomment-297633491 From freeipa-github-notification at redhat.com Thu Apr 27 07:56:23 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Thu, 27 Apr 2017 09:56:23 +0200 Subject: [Freeipa-devel] [freeipa PR#694][synchronized] RFC: implement local PKINIT deployment in server/replica install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/694 Author: martbab Title: #694: RFC: implement local PKINIT deployment in server/replica install Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/694/head:pr694 git checkout pr694 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-694.patch Type: text/x-diff Size: 31450 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Apr 27 08:14:40 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Thu, 27 Apr 2017 10:14:40 +0200 Subject: [Freeipa-devel] [freeipa PR#694][comment] RFC: implement local PKINIT deployment in server/replica install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/694 Title: #694: RFC: implement local PKINIT deployment in server/replica install HonzaCholasta commented: """ LGTM. 
""" See the full comment at https://github.com/freeipa/freeipa/pull/694#issuecomment-297645225 From freeipa-github-notification at redhat.com Thu Apr 27 08:42:27 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 27 Apr 2017 10:42:27 +0200 Subject: [Freeipa-devel] [freeipa PR#723][+ack] Store GSSAPI session key in /var/run/httpd In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/723 Title: #723: Store GSSAPI session key in /var/run/httpd Label: +ack From freeipa-github-notification at redhat.com Thu Apr 27 08:42:43 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 27 Apr 2017 10:42:43 +0200 Subject: [Freeipa-devel] [freeipa PR#723][comment] Store GSSAPI session key in /var/run/httpd In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/723 Title: #723: Store GSSAPI session key in /var/run/httpd MartinBasti commented: """ This approach was agreed on devel meeting """ See the full comment at https://github.com/freeipa/freeipa/pull/723#issuecomment-297651621 From freeipa-github-notification at redhat.com Thu Apr 27 10:33:24 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Thu, 27 Apr 2017 12:33:24 +0200 Subject: [Freeipa-devel] [freeipa PR#694][comment] RFC: implement local PKINIT deployment in server/replica install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/694 Title: #694: RFC: implement local PKINIT deployment in server/replica install martbab commented: """ Any volunteer to do a functional review? 
""" See the full comment at https://github.com/freeipa/freeipa/pull/694#issuecomment-297677004 From freeipa-github-notification at redhat.com Thu Apr 27 10:33:48 2017 From: freeipa-github-notification at redhat.com (Akasurde) Date: Thu, 27 Apr 2017 12:33:48 +0200 Subject: [Freeipa-devel] [freeipa PR#733][+ack] [4.5] Fix CA/server cert validation in FIPS In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/733 Title: #733: [4.5] Fix CA/server cert validation in FIPS Label: +ack From freeipa-github-notification at redhat.com Thu Apr 27 10:36:11 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Thu, 27 Apr 2017 12:36:11 +0200 Subject: [Freeipa-devel] [freeipa PR#723][comment] Store GSSAPI session key in /var/run/httpd In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/723 Title: #723: Store GSSAPI session key in /var/run/httpd martbab commented: """ master: * 2bab2d4963daa99742875f3633a99966bc56f5a3 Store GSSAPI session key in /var/run/ipa ipa-4-5: * b2aa3ed0bc9f5385ab6e8b1720d9f1d33136e5dc Store GSSAPI session key in /var/run/ipa """ See the full comment at https://github.com/freeipa/freeipa/pull/723#issuecomment-297677527 From freeipa-github-notification at redhat.com Thu Apr 27 10:36:19 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Thu, 27 Apr 2017 12:36:19 +0200 Subject: [Freeipa-devel] [freeipa PR#723][+pushed] Store GSSAPI session key in /var/run/httpd In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/723 Title: #723: Store GSSAPI session key in /var/run/httpd Label: +pushed From freeipa-github-notification at redhat.com Thu Apr 27 10:36:22 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Thu, 27 Apr 2017 12:36:22 +0200 Subject: [Freeipa-devel] [freeipa PR#723][closed] Store GSSAPI session key in /var/run/httpd In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/723 Author: 
MartinBasti Title: #723: Store GSSAPI session key in /var/run/httpd Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/723/head:pr723 git checkout pr723 From freeipa-github-notification at redhat.com Thu Apr 27 10:40:21 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Thu, 27 Apr 2017 12:40:21 +0200 Subject: [Freeipa-devel] [freeipa PR#733][synchronized] [4.5] Fix CA/server cert validation in FIPS In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/733 Author: stlaz Title: #733: [4.5] Fix CA/server cert validation in FIPS Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/733/head:pr733 git checkout pr733 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-733.patch Type: text/x-diff Size: 2769 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Apr 27 10:42:10 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Thu, 27 Apr 2017 12:42:10 +0200 Subject: [Freeipa-devel] [freeipa PR#733][comment] [4.5] Fix CA/server cert validation in FIPS In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/733 Title: #733: [4.5] Fix CA/server cert validation in FIPS stlaz commented: """ Made a quickfix according to @tiran, the ACK can stay. Thanks, I was being paranoid. 
""" See the full comment at https://github.com/freeipa/freeipa/pull/733#issuecomment-297678732 From freeipa-github-notification at redhat.com Thu Apr 27 10:56:10 2017 From: freeipa-github-notification at redhat.com (Akasurde) Date: Thu, 27 Apr 2017 12:56:10 +0200 Subject: [Freeipa-devel] [freeipa PR#740][opened] [4.5]Hide PKI Client database password in log file Message-ID: URL: https://github.com/freeipa/freeipa/pull/740 Author: Akasurde Title: #740: [4.5]Hide PKI Client database password in log file Action: opened PR body: """ This fix masks PKI client database password from showing in CA/KRA installer log file Fixes https://pagure.io/freeipa/issue/6904 Signed-off-by: Abhijeet Kasurde """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/740/head:pr740 git checkout pr740 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-740.patch Type: text/x-diff Size: 2688 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Apr 27 11:04:14 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Thu, 27 Apr 2017 13:04:14 +0200 Subject: [Freeipa-devel] [freeipa PR#741][opened] Migration Message-ID: URL: https://github.com/freeipa/freeipa/pull/741 Author: stlaz Title: #741: Migration Action: opened PR body: """ **Allow rewriting of cached properties** Cached property should not be treated anyway special from a normal property. If we need to rewrite/remove it, we should be able to do just so. **Refresh Dogtag RestClient.ca_host property** Refresh the ca_host property of the Dogtag's RestClient class when it's requested as a context manager. This solves the problem which would occur on DL0 when installing CA against an old master which does not have port 8443 accessible. The setup tries to update the cert profiles via this port but fail. This operation should be performed against the local instance anyway. 
https://pagure.io/freeipa/issue/6878 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/741/head:pr741 git checkout pr741 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-741.patch Type: text/x-diff Size: 2826 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Apr 27 11:04:38 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Thu, 27 Apr 2017 13:04:38 +0200 Subject: [Freeipa-devel] [freeipa PR#741][edited] Migration In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/741 Author: stlaz Title: #741: Migration Action: edited Changed field: title Original value: """ Migration """ From freeipa-github-notification at redhat.com Thu Apr 27 11:17:51 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Thu, 27 Apr 2017 13:17:51 +0200 Subject: [Freeipa-devel] [freeipa PR#741][synchronized] 6.9 -> 7.4 migration fixes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/741 Author: stlaz Title: #741: 6.9 -> 7.4 migration fixes Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/741/head:pr741 git checkout pr741 -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-pr-741.patch Type: text/x-diff Size: 2359 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Apr 27 11:19:56 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Thu, 27 Apr 2017 13:19:56 +0200 Subject: [Freeipa-devel] [freeipa PR#740][+ack] [4.5]Hide PKI Client database password in log file In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/740 Title: #740: [4.5]Hide PKI Client database password in log file Label: +ack From freeipa-github-notification at redhat.com Thu Apr 27 11:30:37 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Thu, 27 Apr 2017 13:30:37 +0200 Subject: [Freeipa-devel] [freeipa PR#740][comment] [4.5]Hide PKI Client database password in log file In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/740 Title: #740: [4.5]Hide PKI Client database password in log file martbab commented: """ ipa-4-5: * 1d911fc2186da1c6566648f94a6819c4e7a2a72b Hide PKI Client database password in log file """ See the full comment at https://github.com/freeipa/freeipa/pull/740#issuecomment-297688104 From freeipa-github-notification at redhat.com Thu Apr 27 11:30:40 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Thu, 27 Apr 2017 13:30:40 +0200 Subject: [Freeipa-devel] [freeipa PR#740][+pushed] [4.5]Hide PKI Client database password in log file In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/740 Title: #740: [4.5]Hide PKI Client database password in log file Label: +pushed From freeipa-github-notification at redhat.com Thu Apr 27 11:30:43 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Thu, 27 Apr 2017 13:30:43 +0200 Subject: [Freeipa-devel] [freeipa PR#740][closed] [4.5]Hide PKI Client database password in log file In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/740 Author: Akasurde Title: #740: [4.5]Hide PKI Client database 
password in log file
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/740/head:pr740
git checkout pr740

From mbasti at redhat.com Thu Apr 27 12:00:35 2017
From: mbasti at redhat.com (Martin Bašti)
Date: Thu, 27 Apr 2017 14:00:35 +0200
Subject: [Freeipa-devel] KDC proxy URI records
In-Reply-To: <1493232107.18022.22.camel@redhat.com>
References: <1493232107.18022.22.camel@redhat.com>
Message-ID: <38da11c5-a7f9-3c35-b402-f33f10e0032e@redhat.com>

On 26.04.2017 20:41, Simo Sorce wrote:
> On Wed, 2017-04-26 at 12:57 +0200, Martin Bašti wrote:
>> On 25.04.2017 16:57, Martin Bašti wrote:
>>> Hello all,
>>>
>>> I'm going to implement automatic URI records for kdc proxy and I'd
>>> like to clarify if following URI records are the right one.
>>>
>>>
>>> _kerberos-adm.example.com. IN URI 0
>>> "krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy"
>>>
>>> _krb5kdc.example.com. IN URI 0
>>> "krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy"
>>>
>>> _kpasswd.example.com. IN URI 0
>>> "krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy"
>>>
>>>
>>> I assume we want to use "kkdcp" and "https", and "M" flag as all IPA
>>> servers are masters, please confirm.
>>>
>>>
>>> Sources:
>>>
>>> https://k5wiki.kerberos.org/wiki/Projects/KDC_Discovery
>>>
>>> https://tools.ietf.org/id/draft-mccallum-kitten-krb-service-discovery-02.txt
>>>
>>>
>>>
>>> Thank you
>>>
>> I found out that wiki page differs from the RFC draft and from the
>> source in git
>>
>> There is "_kerberos.REALM" record instead of "_krb5kdc.REALM"
>>
>>
>> And I'm not sure if _kerberos-adm should be included as we don't really
>> support kadmin.
> We shouldn't.
>
> Simo.
>

I would like to discuss consequences of adding kdc URI records:

1. basically all ipa clients enrolled using autodiscovery will use kdcproxy instead of KDC on port 88, because URI takes precedence over SRV in KRB5 client implementation.
Are we ok with such a big change?

2. probably client installer must be updated because currently with CA-full installation it is not working.

ipa-client-install (with autodiscovery) failed on kinit, see KRB5_TRACE below that it refuses self signed certificate

....
Realm: IPA.TEST
DNS Domain: ipa.test
IPA Server: master.ipa.test
BaseDN: dc=ipa,dc=test

Continue to configure the system with these values? [no]: y
Skipping synchronizing time with NTP server.
User authorized to enroll computers: admin
Password for admin at IPA.TEST:
Successfully retrieved CA cert
    Subject: CN=Certificate Authority,O=IPA.TEST
    Issuer: CN=Certificate Authority,O=IPA.TEST
    Valid From: 2017-04-27 11:02:28
    Valid Until: 2037-04-27 11:02:28

Enrolled in IPA realm IPA.TEST
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm IPA.TEST
trying https://master.ipa.test/ipa/json
Forwarding 'schema' to json server 'https://master.ipa.test/ipa/json'
Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639068): Cannot contact any KDC for realm 'IPA.TEST'
The ipa-client-install command failed.
See /var/log/ipaclient-install.log for more information

[root at client1 ~]# KRB5_TRACE=/dev/stderr kinit admin
[25690] 1493293387.746616: Getting initial credentials for admin at IPA.TEST
[25690] 1493293387.750307: Sending request (164 bytes) to IPA.TEST
[25690] 1493293387.751468: Resolving hostname master.ipa.test
[25690] 1493293387.765261: TLS certificate error at 1 (O=IPA.TEST, CN=Certificate Authority): 19 (self signed certificate in certificate chain)
[25690] 1493293387.765680: TLS error: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
[25690] 1493293387.765807: HTTPS error sending to https 192.168.138.101:443
[25690] 1493293387.766873: Terminating TCP connection to https 192.168.138.101:443
kinit: Cannot contact any KDC for realm 'IPA.TEST' while getting initial credentials

IMHO we have to update krb5.conf or add IPA CA cert to trusted certificates, I'm afraid that URI records may break already installed clients (when updated to krb5-workstation), I have to test it.

-- 
Martin Bašti
Software Engineer
Red Hat Czech

From cheimes at redhat.com Thu Apr 27 12:19:03 2017
From: cheimes at redhat.com (Christian Heimes)
Date: Thu, 27 Apr 2017 14:19:03 +0200
Subject: [Freeipa-devel] KDC proxy URI records
In-Reply-To: <38da11c5-a7f9-3c35-b402-f33f10e0032e@redhat.com>
References: <1493232107.18022.22.camel@redhat.com> <38da11c5-a7f9-3c35-b402-f33f10e0032e@redhat.com>
Message-ID: <90d08477-0018-a556-1030-449319be2caf@redhat.com>

On 2017-04-27 14:00, Martin Bašti wrote:
> I would like to discuss consequences of adding kdc URI records:
>
> 1. basically all ipa clients enrolled using autodiscovery will use
> kdcproxy instead of KDC on port 88, because URI takes precedence over
> SRV in KRB5 client implementation. Are we ok with such a big change?

Does the client also prefer KKDCP if you give the Kerberos 88/UDP and 88/TCP URIs a higher priority than the KKDCP HTTPS URIs?

> 2.
probably client installer must be updated because currently with
> CA-full installation it is not working.
>
> ipa-client-install (with autodiscovery) failed on kinit, see KRB5_TRACE
> below that it refuses self signed certificate

Actually it is not a self-signed EE certificate. The validation message is bogus because FreeIPA TLS configuration is slightly buggy. We send the trust anchor (root CA) although a server should not include its trust anchor in its ServerHello message. OpenSSL detects an untrusted root CA in the ServerHello peer chain and emits the message.

If I read the 600 lines (!) function ipaclient.install.client._install correctly, then ipa-client-install first attempts to negotiate a TGT and then installs the trust anchor in the global trust store. It should be enough to reverse the order and inject the trust anchor first.

Christian

-- 
Christian Heimes
Senior Software Engineer, Identity Management and Platform Security
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn, Commercial register: Amtsgericht Muenchen, HRB 153243, Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: OpenPGP digital signature
URL:

From simo at redhat.com Thu Apr 27 12:28:39 2017
From: simo at redhat.com (Simo Sorce)
Date: Thu, 27 Apr 2017 08:28:39 -0400
Subject: [Freeipa-devel] [freeipa PR#723][+ack] Store GSSAPI session key in /var/run/httpd
In-Reply-To:
References:
Message-ID: <1493296119.8926.9.camel@redhat.com>

On Thu, 2017-04-27 at 10:42 +0200, MartinBasti wrote:
> URL: https://github.com/freeipa/freeipa/pull/723
> Title: #723: Store GSSAPI session key in /var/run/httpd
>
> Label: +ack

Guys I explained in the bug[1] that this is wrong, why was this acked and pushed ?

Besides how does this even work ?
/var/run/ipa is owned by root and apache has no rights to create files there and the patch does not address any permission problem. I assume what happens is that now mod_auth_gssapi is running with an ephemeral in-process key, which means any reload or restart of apache will change the key.

Please revert!

Simo.

[1] https://pagure.io/freeipa/issue/6880#comment-437767

From freeipa-github-notification at redhat.com Thu Apr 27 12:30:21 2017
From: freeipa-github-notification at redhat.com (simo5)
Date: Thu, 27 Apr 2017 14:30:21 +0200
Subject: [Freeipa-devel] [freeipa PR#723][comment] Store GSSAPI session key in /var/run/httpd
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/723
Title: #723: Store GSSAPI session key in /var/run/httpd

simo5 commented:
"""
This patch is wrong please revert
"""

See the full comment at https://github.com/freeipa/freeipa/pull/723#issuecomment-297699615

From freeipa-github-notification at redhat.com Thu Apr 27 12:30:28 2017
From: freeipa-github-notification at redhat.com (simo5)
Date: Thu, 27 Apr 2017 14:30:28 +0200
Subject: [Freeipa-devel] [freeipa PR#723][reopened] Store GSSAPI session key in /var/run/httpd
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/723
Author: MartinBasti
Title: #723: Store GSSAPI session key in /var/run/httpd
Action: reopened

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/723/head:pr723
git checkout pr723

From freeipa-github-notification at redhat.com Thu Apr 27 12:37:23 2017
From: freeipa-github-notification at redhat.com (martbab)
Date: Thu, 27 Apr 2017 14:37:23 +0200
Subject: [Freeipa-devel] [freeipa PR#742][opened] Revert "Store GSSAPI session key in /var/run/ipa"
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/742
Author: martbab
Title: #742: Revert "Store GSSAPI session key in /var/run/ipa"
Action: opened

PR body:
"""
This reverts commit
2bab2d4963daa99742875f3633a99966bc56f5a3.

It was pointed out that apache has no access to /var/lib/ipa directory breaking the session handling.

https://pagure.io/freeipa/issue/6880
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/742/head:pr742
git checkout pr742

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-742.patch
Type: text/x-diff
Size: 1470 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Thu Apr 27 12:38:04 2017
From: freeipa-github-notification at redhat.com (simo5)
Date: Thu, 27 Apr 2017 14:38:04 +0200
Subject: [Freeipa-devel] [freeipa PR#723][comment] Store GSSAPI session key in /var/run/httpd
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/723
Title: #723: Store GSSAPI session key in /var/run/httpd

simo5 commented:
"""
As I noted in the ticket:
"At most you may want to store it in /var/lib/ipa/somewhere, but we do not want to break sessions (there are people using APIs from non-interactive scripts) just because you needed to restart a service/server quickly. These keys are considered long term keys, and should not be thrown away at each reboot."

Let me also add that:
1. the directory needs to be writable by the apache user as the key is created the first time the server is started
2.
only the apache user must be able to read this key
"""

See the full comment at https://github.com/freeipa/freeipa/pull/723#issuecomment-297701218

From freeipa-github-notification at redhat.com Thu Apr 27 12:39:02 2017
From: freeipa-github-notification at redhat.com (simo5)
Date: Thu, 27 Apr 2017 14:39:02 +0200
Subject: [Freeipa-devel] [freeipa PR#723][comment] Store GSSAPI session key in /var/run/httpd
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/723
Title: #723: Store GSSAPI session key in /var/run/httpd

simo5 commented:
"""
The current patch moved the key in a place where apache cannot write, resulting in an ephemeral key that is thrown away each time apache is restarted/reloaded.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/723#issuecomment-297701456

From freeipa-github-notification at redhat.com Thu Apr 27 12:39:13 2017
From: freeipa-github-notification at redhat.com (martbab)
Date: Thu, 27 Apr 2017 14:39:13 +0200
Subject: [Freeipa-devel] [freeipa PR#743][opened] [ipa-4-5] Revert "Store GSSAPI session key in /var/run/ipa"
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/743
Author: martbab
Title: #743: [ipa-4-5] Revert "Store GSSAPI session key in /var/run/ipa"
Action: opened

PR body:
"""
This reverts commit 2bab2d4.

It was pointed out that apache has no access to /var/lib/ipa directory breaking the session handling.

https://pagure.io/freeipa/issue/6880
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/743/head:pr743
git checkout pr743

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-743.patch Type: text/x-diff Size: 1447 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Apr 27 12:40:25 2017 From: freeipa-github-notification at redhat.com (simo5) Date: Thu, 27 Apr 2017 14:40:25 +0200 Subject: [Freeipa-devel] [freeipa PR#742][+ack] Revert "Store GSSAPI session key in /var/run/ipa" In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/742 Title: #742: Revert "Store GSSAPI session key in /var/run/ipa" Label: +ack From freeipa-github-notification at redhat.com Thu Apr 27 12:40:59 2017 From: freeipa-github-notification at redhat.com (simo5) Date: Thu, 27 Apr 2017 14:40:59 +0200 Subject: [Freeipa-devel] [freeipa PR#742][-ack] Revert "Store GSSAPI session key in /var/run/ipa" In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/742 Title: #742: Revert "Store GSSAPI session key in /var/run/ipa" Label: -ack From freeipa-github-notification at redhat.com Thu Apr 27 12:41:32 2017 From: freeipa-github-notification at redhat.com (simo5) Date: Thu, 27 Apr 2017 14:41:32 +0200 Subject: [Freeipa-devel] [freeipa PR#743][+ack] [ipa-4-5] Revert "Store GSSAPI session key in /var/run/ipa" In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/743 Title: #743: [ipa-4-5] Revert "Store GSSAPI session key in /var/run/ipa" Label: +ack From freeipa-github-notification at redhat.com Thu Apr 27 12:41:52 2017 From: freeipa-github-notification at redhat.com (simo5) Date: Thu, 27 Apr 2017 14:41:52 +0200 Subject: [Freeipa-devel] [freeipa PR#742][+ack] Revert "Store GSSAPI session key in /var/run/ipa" In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/742 Title: #742: Revert "Store GSSAPI session key in /var/run/ipa" Label: +ack From freeipa-github-notification at redhat.com Thu Apr 27 12:51:35 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Thu, 27 Apr 2017 14:51:35 +0200 Subject: [Freeipa-devel] 
[freeipa PR#743][synchronized] [ipa-4-5] Revert "Store GSSAPI session key in /var/run/ipa" In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/743 Author: martbab Title: #743: [ipa-4-5] Revert "Store GSSAPI session key in /var/run/ipa" Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/743/head:pr743 git checkout pr743 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-743.patch Type: text/x-diff Size: 1448 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Apr 27 12:52:12 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Thu, 27 Apr 2017 14:52:12 +0200 Subject: [Freeipa-devel] [freeipa PR#742][synchronized] Revert "Store GSSAPI session key in /var/run/ipa" In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/742 Author: martbab Title: #742: Revert "Store GSSAPI session key in /var/run/ipa" Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/742/head:pr742 git checkout pr742 -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-pr-742.patch Type: text/x-diff Size: 1471 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Apr 27 13:04:10 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Thu, 27 Apr 2017 15:04:10 +0200 Subject: [Freeipa-devel] [freeipa PR#744][opened] [4.5] Correct PyPI package dependencies Message-ID: URL: https://github.com/freeipa/freeipa/pull/744 Author: tiran Title: #744: [4.5] Correct PyPI package dependencies Action: opened PR body: """ * Remove unused install requires from ipapython * Add missing requirements to ipaserver * Correct dependencies for yubico otptoken * Python 2 uses python-ldap, Python 3 pyldap https://pagure.io/freeipa/issue/6875 Signed-off-by: Christian Heimes """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/744/head:pr744 git checkout pr744 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-744.patch Type: text/x-diff Size: 5514 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Apr 27 13:18:58 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Thu, 27 Apr 2017 15:18:58 +0200 Subject: [Freeipa-devel] [freeipa PR#671][synchronized] Slim down dependencies In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/671 Author: tiran Title: #671: Slim down dependencies Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/671/head:pr671 git checkout pr671 -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-pr-671.patch Type: text/x-diff Size: 2641 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Apr 27 13:19:34 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Thu, 27 Apr 2017 15:19:34 +0200 Subject: [Freeipa-devel] [freeipa PR#671][synchronized] Slim down dependencies In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/671 Author: tiran Title: #671: Slim down dependencies Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/671/head:pr671 git checkout pr671 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-671.patch Type: text/x-diff Size: 2639 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Apr 27 13:19:49 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Thu, 27 Apr 2017 15:19:49 +0200 Subject: [Freeipa-devel] [freeipa PR#671][edited] Slim down dependencies In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/671 Author: tiran Title: #671: Slim down dependencies Action: edited Changed field: body Original value: """ * Remove unused install requires * Correct dependencies for yubico otptoken * Properly report optional dependency for yubico otptoken * Make jinja2 an optional dependency and csrgen an optional plugin * Add explicit dependency on cffi for csrgen * Python 2 uses python-ldap, Python 3 pyldap Signed-off-by: Christian Heimes """ From freeipa-github-notification at redhat.com Thu Apr 27 13:37:18 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Thu, 27 Apr 2017 15:37:18 +0200 Subject: [Freeipa-devel] [freeipa PR#743][+pushed] [ipa-4-5] Revert "Store GSSAPI session key in /var/run/ipa" In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/743 Title: #743: [ipa-4-5] Revert "Store GSSAPI session key in /var/run/ipa" 
Label: +pushed From freeipa-github-notification at redhat.com Thu Apr 27 13:37:23 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Thu, 27 Apr 2017 15:37:23 +0200 Subject: [Freeipa-devel] [freeipa PR#743][comment] [ipa-4-5] Revert "Store GSSAPI session key in /var/run/ipa" In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/743 Title: #743: [ipa-4-5] Revert "Store GSSAPI session key in /var/run/ipa" martbab commented: """ ipa-4-5: * a4e1ab6c893182b8b3610c0b45120194be4a0376 Revert "Store GSSAPI session key in /var/run/ipa" """ See the full comment at https://github.com/freeipa/freeipa/pull/743#issuecomment-297715320 From freeipa-github-notification at redhat.com Thu Apr 27 13:37:24 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Thu, 27 Apr 2017 15:37:24 +0200 Subject: [Freeipa-devel] [freeipa PR#743][closed] [ipa-4-5] Revert "Store GSSAPI session key in /var/run/ipa" In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/743 Author: martbab Title: #743: [ipa-4-5] Revert "Store GSSAPI session key in /var/run/ipa" Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/743/head:pr743 git checkout pr743 From freeipa-github-notification at redhat.com Thu Apr 27 13:40:17 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Thu, 27 Apr 2017 15:40:17 +0200 Subject: [Freeipa-devel] [freeipa PR#742][comment] Revert "Store GSSAPI session key in /var/run/ipa" In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/742 Title: #742: Revert "Store GSSAPI session key in /var/run/ipa" martbab commented: """ master: * 50f6883662e258b0335c8b3cb69946d6dcbf206c Revert "Store GSSAPI session key in /var/run/ipa" """ See the full comment at https://github.com/freeipa/freeipa/pull/742#issuecomment-297716105 From freeipa-github-notification at redhat.com Thu Apr 27 13:40:20 2017 
From: freeipa-github-notification at redhat.com (martbab) Date: Thu, 27 Apr 2017 15:40:20 +0200 Subject: [Freeipa-devel] [freeipa PR#742][+pushed] Revert "Store GSSAPI session key in /var/run/ipa" In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/742 Title: #742: Revert "Store GSSAPI session key in /var/run/ipa" Label: +pushed From freeipa-github-notification at redhat.com Thu Apr 27 13:40:23 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Thu, 27 Apr 2017 15:40:23 +0200 Subject: [Freeipa-devel] [freeipa PR#742][closed] Revert "Store GSSAPI session key in /var/run/ipa" In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/742 Author: martbab Title: #742: Revert "Store GSSAPI session key in /var/run/ipa" Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/742/head:pr742 git checkout pr742 From freeipa-github-notification at redhat.com Thu Apr 27 13:53:46 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Thu, 27 Apr 2017 15:53:46 +0200 Subject: [Freeipa-devel] [freeipa PR#729][synchronized] Turn on NSSOCSP check in mod_nss conf In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/729 Author: pvomacka Title: #729: Turn on NSSOCSP check in mod_nss conf Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/729/head:pr729 git checkout pr729 -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-pr-729.patch
Type: text/x-diff
Size: 6441 bytes
Desc: not available
URL:

From pvoborni at redhat.com Thu Apr 27 13:56:40 2017
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 27 Apr 2017 15:56:40 +0200
Subject: [Freeipa-devel] KDC proxy URI records
In-Reply-To: <90d08477-0018-a556-1030-449319be2caf@redhat.com>
References: <1493232107.18022.22.camel@redhat.com> <38da11c5-a7f9-3c35-b402-f33f10e0032e@redhat.com> <90d08477-0018-a556-1030-449319be2caf@redhat.com>
Message-ID: <8873b3bb-c6a5-bb03-324c-5626da168ed8@redhat.com>

On 04/27/2017 02:19 PM, Christian Heimes wrote:
> On 2017-04-27 14:00, Martin Bašti wrote:
>> I would like to discuss consequences of adding kdc URI records:
>>
>> 1. basically all ipa clients enrolled using autodiscovery will use
>> kdcproxy instead of KDC on port 88, because URI takes precedence over
>> SRV in KRB5 client implementation. Are we ok with such a big change?
>
> Does the client also prefer KKDCP if you give the Kerberos 88/UDP and
> 88/TCP URIs a higher priority than the KKDCP HTTPS URIs?
>
>> 2. probably client installer must be updated because currently with
>> CA-full installation it is not working.
>>
>> ipa-client-install (with autodiscovery) failed on kinit, see KRB5_TRACE
>> below that it refuses self signed certificate
>
> Actually it is not a self-signed EE certificate. The validation message
> is bogus because FreeIPA TLS configuration is slightly buggy. We send
> the trust anchor (root CA) although a server should not include its
> trust anchor in its ServerHello message. OpenSSL detects an untrusted
> root CA in the ServerHello peer chain and emits the message.
>
> If I read the 600 lines (!) function ipaclient.install.client._install
> correctly, then ipa-client-install first attempts to negotiate a TGT and
> then installs the trust anchor in the global trust store. It should be
> enough to reverse the order and inject the trust anchor first.
>
> Christian
>

By reading this, even if we do the change in client install, I'd rather not generate the DNS records in 4.5.1 release and rather make sure that everything works during 4.6 development.

The reason is that there might also be something else not working and it is better to time test it + the fix would not fix older clients.

If anybody wants to use/try it, then the records can be created manually.

-- 
Petr Vobornik

From mbasti at redhat.com Thu Apr 27 14:16:07 2017
From: mbasti at redhat.com (Martin Bašti)
Date: Thu, 27 Apr 2017 16:16:07 +0200
Subject: [Freeipa-devel] KDC proxy URI records
In-Reply-To: <90d08477-0018-a556-1030-449319be2caf@redhat.com>
References: <1493232107.18022.22.camel@redhat.com> <38da11c5-a7f9-3c35-b402-f33f10e0032e@redhat.com> <90d08477-0018-a556-1030-449319be2caf@redhat.com>
Message-ID: <98dfb3c4-7995-206b-aad9-585c33f40998@redhat.com>

On 27.04.2017 14:19, Christian Heimes wrote:
> On 2017-04-27 14:00, Martin Bašti wrote:
>> I would like to discuss consequences of adding kdc URI records:
>>
>> 1. basically all ipa clients enrolled using autodiscovery will use
>> kdcproxy instead of KDC on port 88, because URI takes precedence over
>> SRV in KRB5 client implementation. Are we ok with such a big change?
> Does the client also prefer KKDCP if you give the Kerberos 88/UDP and
> 88/TCP URIs a higher priority than the KKDCP HTTPS URIs?

It should use 88/TCP, 88/UDP then, it can be a way how to avoid issues with clients.

>
>> 2. probably client installer must be updated because currently with
>> CA-full installation it is not working.
>>
>> ipa-client-install (with autodiscovery) failed on kinit, see KRB5_TRACE
>> below that it refuses self signed certificate
> Actually it is not a self-signed EE certificate. The validation message
> is bogus because FreeIPA TLS configuration is slightly buggy. We send
> the trust anchor (root CA) although a server should not include its
> trust anchor in its ServerHello message.
OpenSSL detects an untrusted > root CA in the ServerHello peer chain and emits the message. > > If I read the 600 lines (!) function ipaclient.install.client._install > correctly, then ipa-client-install first attempts to negotiate a TGT and > then installs the trust anchor in the global trust store. It should be > enough to reverse the order and inject the trust anchor first. Most likely, I haven't checked deeper > > Christian > > -- Martin Bašti Software Engineer Red Hat Czech From simo at redhat.com Thu Apr 27 14:16:23 2017 From: simo at redhat.com (Simo Sorce) Date: Thu, 27 Apr 2017 10:16:23 -0400 Subject: [Freeipa-devel] KDC proxy URI records In-Reply-To: <8873b3bb-c6a5-bb03-324c-5626da168ed8@redhat.com> References: <1493232107.18022.22.camel@redhat.com> <38da11c5-a7f9-3c35-b402-f33f10e0032e@redhat.com> <90d08477-0018-a556-1030-449319be2caf@redhat.com> <8873b3bb-c6a5-bb03-324c-5626da168ed8@redhat.com> Message-ID: <1493302583.8926.10.camel@redhat.com> On Thu, 2017-04-27 at 15:56 +0200, Petr Vobornik wrote: > On 04/27/2017 02:19 PM, Christian Heimes wrote: > > On 2017-04-27 14:00, Martin Bašti wrote: > > > I would like to discuss consequences of adding kdc URI records: > > > > > > 1. basically all ipa clients enrolled using autodiscovery will > > > use > > > kdcproxy instead of KDC on port 88, because URI takes precedence > > > over > > > SRV in KRB5 client implementation. Are we ok with such a big > > > change? > > > > Does the client also prefer KKDCP if you give the Kerberos 88/UDP > > and > > 88/TCP URIs a higher priority than the KKDCP HTTPS URIs? > > > > > 2. probably client installer must be updated because currently > > > with > > > CA-full installation it is not working. > > > > > > ipa-client-install (with autodiscovery) failed on kinit, see > > > KRB5_TRACE > > > below that it refuses self signed certificate > > > > Actually it is not a self-signed EE certificate.
The validation > > message > > is bogus because FreeIPA TLS configuration is slightly buggy. We > > send > > the trust anchor (root CA) although a server should not include its > > trust anchor in its ServerHello message. OpenSSL detects an > > untrusted > > root CA in the ServerHello peer chain and emits the message. > > > > If I read the 600 lines (!) function > > ipaclient.install.client._install > > correctly, then ipa-client-install first attempts to negotiate a > > TGT and > > then installs the trust anchor in the global trust store. It should > > be > > enough to reverse the order and inject the trust anchor first. > > > > Christian > > > > By reading this, even if we do the change in client install, I'd > rather > not generate the DNS records in 4.5.1 release and rather make sure > that > everything works during 4.6 development. > > The reason is that there might also be something else not working and > it > is better to time test it + the fix would not fix older clients. > > If anybody wants to use/try it, then the records can be created > manually. We need to fix clients regardless, or someone enabling it will find the same issues. Simo. From cheimes at redhat.com Thu Apr 27 15:12:25 2017 From: cheimes at redhat.com (Christian Heimes) Date: Thu, 27 Apr 2017 17:12:25 +0200 Subject: [Freeipa-devel] KDC proxy URI records In-Reply-To: <98dfb3c4-7995-206b-aad9-585c33f40998@redhat.com> References: <1493232107.18022.22.camel@redhat.com> <38da11c5-a7f9-3c35-b402-f33f10e0032e@redhat.com> <90d08477-0018-a556-1030-449319be2caf@redhat.com> <98dfb3c4-7995-206b-aad9-585c33f40998@redhat.com> Message-ID: On 2017-04-27 16:16, Martin Bašti wrote: > > > On 27.04.2017 14:19, Christian Heimes wrote: >> On 2017-04-27 14:00, Martin Bašti wrote: >>> I would like to discuss consequences of adding kdc URI records: >>> >>> 1.
basically all ipa clients enrolled using autodiscovery will use >>> kdcproxy instead of KDC on port 88, because URI takes precedence over >>> SRV in KRB5 client implementation. Are we ok with such a big change? >> Does the client also prefer KKDCP if you give the Kerberos 88/UDP and >> 88/TCP URIs a higher priority than the KKDCP HTTPS URIs? > > It should use 88/TCP, 88/UDP then, it can be a way how to avoid issues > with clients. Small correction: Kerberos should prefer UDP over TCP. Christian -- Christian Heimes Senior Software Engineer, Identity Management and Platform Security Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn, Commercial register: Amtsgericht Muenchen, HRB 153243, Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander From freeipa-github-notification at redhat.com Thu Apr 27 15:29:12 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Thu, 27 Apr 2017 17:29:12 +0200 Subject: [Freeipa-devel] [freeipa PR#737][comment] Vault: Explicitly default to 3DES CBC In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/737 Title: #737: Vault: Explicitly default to 3DES CBC tiran commented: """ I talked to Matt. Dogtag 10.4 will not be pushed to F25 and F26, only rawhide/F27. Additionally, Ade will also address the bug in Dogtag. The next 10.4 release will have a fix, too.
""" See the full comment at https://github.com/freeipa/freeipa/pull/737#issuecomment-297749374 From freeipa-github-notification at redhat.com Thu Apr 27 15:50:50 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 27 Apr 2017 17:50:50 +0200 Subject: [Freeipa-devel] [freeipa PR#745][opened] tests: add missing dependency iptables Message-ID: URL: https://github.com/freeipa/freeipa/pull/745 Author: MartinBasti Title: #745: tests: add missing dependency iptables Action: opened PR body: """ KDC proxy tests are using iptables, but this is optional package in at least Fedora cloud image, thus we must have it in dependencies """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/745/head:pr745 git checkout pr745 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-745.patch Type: text/x-diff Size: 1043 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Apr 27 16:11:57 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 27 Apr 2017 18:11:57 +0200 Subject: [Freeipa-devel] [freeipa PR#746][opened] KDC proxy URI records Message-ID: URL: https://github.com/freeipa/freeipa/pull/746 Author: MartinBasti Title: #746: KDC proxy URI records Action: opened PR body: """ Automatic creation of KDC proxy URI records Enables creation of following KDC proxy URL records per each replica: _kerberos.example.com. IN URI krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy" _kpasswd.example.com. IN URI "krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy" Records are created for each replica in topology as KDC proxy is enabled by default. (If KDC proxy is manually disabled this record will be created anyway) URI records for kadmin discovery are not created because FreeIPA doesn't support kadmin. 
See: https://k5wiki.kerberos.org/wiki/Projects/KDC_Discovery https://pagure.io/freeipa/issue/6337 ### TODO [ ] Add URI records for 88/UDP, 88/TCP with higher priority to keep client ask directly KDC first [ ] Add URI records for HTTPS only when kdc proxy is enabled on server (requires to update server roles with role attribute KDC proxy) [ ] Fix https://pagure.io/freeipa/issue/6906 to allow enroll FreeIPA clients using HTTPS KDC proxy """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/746/head:pr746 git checkout pr746 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-746.patch Type: text/x-diff Size: 10568 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Apr 27 16:12:01 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 27 Apr 2017 18:12:01 +0200 Subject: [Freeipa-devel] [freeipa PR#746][+postponed] KDC proxy URI records In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/746 Title: #746: KDC proxy URI records Label: +postponed From freeipa-github-notification at redhat.com Thu Apr 27 16:14:45 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 27 Apr 2017 18:14:45 +0200 Subject: [Freeipa-devel] [freeipa PR#746][edited] KDC proxy URI records In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/746 Author: MartinBasti Title: #746: KDC proxy URI records Action: edited Changed field: body Original value: """ Automatic creation of KDC proxy URI records Enables creation of following KDC proxy URL records per each replica: _kerberos.example.com. IN URI krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy" _kpasswd.example.com. IN URI "krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy" Records are created for each replica in topology as KDC proxy is enabled by default. 
(If KDC proxy is manually disabled this record will be created anyway) URI records for kadmin discovery are not created because FreeIPA doesn't support kadmin. See: https://k5wiki.kerberos.org/wiki/Projects/KDC_Discovery https://pagure.io/freeipa/issue/6337 ### TODO [ ] Add URI records for 88/UDP, 88/TCP with higher priority to keep client ask directly KDC first [ ] Add URI records for HTTPS only when kdc proxy is enabled on server (requires to update server roles with role attribute KDC proxy) [ ] Fix https://pagure.io/freeipa/issue/6906 to allow enroll FreeIPA clients using HTTPS KDC proxy """ From freeipa-github-notification at redhat.com Thu Apr 27 17:26:26 2017 From: freeipa-github-notification at redhat.com (flo-renaud) Date: Thu, 27 Apr 2017 19:26:26 +0200 Subject: [Freeipa-devel] [freeipa PR#747][opened] vault: piped input for ipa vault-add fails Message-ID: URL: https://github.com/freeipa/freeipa/pull/747 Author: flo-renaud Title: #747: vault: piped input for ipa vault-add fails Action: opened PR body: """ An exception is raised when using echo "Secret123\n" | ipa vault-add myvault This happens because the code is using (string).decode(sys.stdin.encoding) and sys.stdin.encoding is None when the input is read from a pipe. The fix is using the prompt_password method defined by Backend.textui, which gracefully handles this issue. https://bugzilla.redhat.com/show_bug.cgi?id=1445358 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/747/head:pr747 git checkout pr747 -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-pr-747.patch Type: text/x-diff Size: 3276 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Apr 27 19:35:57 2017 From: freeipa-github-notification at redhat.com (pvoborni) Date: Thu, 27 Apr 2017 21:35:57 +0200 Subject: [Freeipa-devel] [freeipa PR#737][+blocker] Vault: Explicitly default to 3DES CBC In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/737 Title: #737: Vault: Explicitly default to 3DES CBC Label: +blocker From freeipa-github-notification at redhat.com Fri Apr 28 01:56:39 2017 From: freeipa-github-notification at redhat.com (frasertweedale) Date: Fri, 28 Apr 2017 03:56:39 +0200 Subject: [Freeipa-devel] [freeipa PR#737][+ack] Vault: Explicitly default to 3DES CBC In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/737 Title: #737: Vault: Explicitly default to 3DES CBC Label: +ack From freeipa-github-notification at redhat.com Fri Apr 28 01:57:42 2017 From: freeipa-github-notification at redhat.com (frasertweedale) Date: Fri, 28 Apr 2017 03:57:42 +0200 Subject: [Freeipa-devel] [freeipa PR#737][comment] Vault: Explicitly default to 3DES CBC In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/737 Title: #737: Vault: Explicitly default to 3DES CBC frasertweedale commented: """ Tested; fix makes it work again against Dogtag (where Dogtag does not contain Ade's fix). ACK. 
""" See the full comment at https://github.com/freeipa/freeipa/pull/737#issuecomment-297886621 From freeipa-github-notification at redhat.com Fri Apr 28 05:52:35 2017 From: freeipa-github-notification at redhat.com (Akasurde) Date: Fri, 28 Apr 2017 07:52:35 +0200 Subject: [Freeipa-devel] [freeipa PR#747][+ack] vault: piped input for ipa vault-add fails In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/747 Title: #747: vault: piped input for ipa vault-add fails Label: +ack From freeipa-github-notification at redhat.com Fri Apr 28 06:25:54 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 28 Apr 2017 08:25:54 +0200 Subject: [Freeipa-devel] [freeipa PR#737][comment] Vault: Explicitly default to 3DES CBC In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/737 Title: #737: Vault: Explicitly default to 3DES CBC MartinBasti commented: """ master: * 5197422ef65e7239fc56c562ab87d99388a38a8d Vault: Explicitly default to 3DES CBC ipa-4-5: * e94a1d18653fe2e9558ac0b70bdf2ddd1f78d150 Vault: Explicitly default to 3DES CBC """ See the full comment at https://github.com/freeipa/freeipa/pull/737#issuecomment-297917887 From freeipa-github-notification at redhat.com Fri Apr 28 06:25:59 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 28 Apr 2017 08:25:59 +0200 Subject: [Freeipa-devel] [freeipa PR#737][+pushed] Vault: Explicitly default to 3DES CBC In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/737 Title: #737: Vault: Explicitly default to 3DES CBC Label: +pushed From freeipa-github-notification at redhat.com Fri Apr 28 06:26:02 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 28 Apr 2017 08:26:02 +0200 Subject: [Freeipa-devel] [freeipa PR#737][closed] Vault: Explicitly default to 3DES CBC In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/737 Author: tiran Title: #737: 
Vault: Explicitly default to 3DES CBC Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/737/head:pr737 git checkout pr737 From freeipa-github-notification at redhat.com Fri Apr 28 06:27:53 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Fri, 28 Apr 2017 08:27:53 +0200 Subject: [Freeipa-devel] [freeipa PR#729][comment] Turn on NSSOCSP check in mod_nss conf In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/729 Title: #729: Turn on NSSOCSP check in mod_nss conf HonzaCholasta commented: """ @pvomacka, CI fails because you forgot to include python-augeas in lint BuildRequires. """ See the full comment at https://github.com/freeipa/freeipa/pull/729#issuecomment-297918182
From mkosek at redhat.com Fri Apr 28 07:32:20 2017 From: mkosek at redhat.com (Martin Kosek) Date: Fri, 28 Apr 2017 09:32:20 +0200 Subject: [Freeipa-devel] KDC proxy URI records In-Reply-To: <1493302583.8926.10.camel@redhat.com> References: <1493232107.18022.22.camel@redhat.com> <38da11c5-a7f9-3c35-b402-f33f10e0032e@redhat.com> <90d08477-0018-a556-1030-449319be2caf@redhat.com> <8873b3bb-c6a5-bb03-324c-5626da168ed8@redhat.com> <1493302583.8926.10.camel@redhat.com> Message-ID: <1c44e805-5f43-12c8-e1b2-56aac2bd1d16@redhat.com> On 04/27/2017 04:16 PM, Simo Sorce wrote: > On Thu, 2017-04-27 at 15:56 +0200, Petr Vobornik wrote: >> On 04/27/2017 02:19 PM, Christian Heimes wrote: >>> On 2017-04-27 14:00, Martin Bašti wrote: >>>> I would like to discuss consequences of adding kdc URI records: >>>> >>>> 1. basically all ipa clients enrolled using autodiscovery will >>>> use >>>> kdcproxy instead of KDC on port 88, because URI takes precedence >>>> over >>>> SRV in KRB5 client implementation. Are we ok with such a big >>>> change? >>> >>> Does the client also prefer KKDCP if you give the Kerberos 88/UDP >>> and >>> 88/TCP URIs a higher priority than the KKDCP HTTPS URIs? >>> >>>> 2. probably client installer must be updated because currently >>>> with >>>> CA-full installation it is not working. >>>> >>>> ipa-client-install (with autodiscovery) failed on kinit, see >>>> KRB5_TRACE >>>> below that it refuses self signed certificate >>> >>> Actually it is not a self-signed EE certificate. The validation >>> message >>> is bogus because FreeIPA TLS configuration is slightly buggy. We >>> send >>> the trust anchor (root CA) although a server should not include its >>> trust anchor in its ServerHello message. OpenSSL detects an >>> untrusted >>> root CA in the ServerHello peer chain and emits the message. >>> >>> If I read the 600 lines (!)
function >>> ipaclient.install.client._install >>> correctly, then ipa-client-install first attempts to negotiate a >>> TGT and >>> then installs the trust anchor in the global trust store. It should >>> be >>> enough to reverse the order and inject the trust anchor first. >>> >>> Christian >>> >> >> By reading this, even if we do the change in client install, I'd >> rather >> not generate the DNS records in 4.5.1 release and rather make sure >> that >> everything works during 4.6 development. I agree. My original assumption why I suggested this RFE was that it would be a very contained change and only used by clients that do not have classic Kerberos ports available. Given how much it influences rest of the framework, we indeed should not push on it in a bugfix release. >> The reason is that there might also be something else not working and >> it >> is better to time test it + the fix would not fix older clients. >> >> If anybody wants to use/try it, then the records can be created >> manually. > > > > We need to fix clients regardless, or someone enabling it will find the > same issues. Right. Can someone please file the ticket so that it can be triaged later?
Thanks, Martin From mbasti at redhat.com Fri Apr 28 07:34:25 2017 From: mbasti at redhat.com (Martin Bašti) Date: Fri, 28 Apr 2017 09:34:25 +0200 Subject: [Freeipa-devel] KDC proxy URI records In-Reply-To: <1c44e805-5f43-12c8-e1b2-56aac2bd1d16@redhat.com> References: <1493232107.18022.22.camel@redhat.com> <38da11c5-a7f9-3c35-b402-f33f10e0032e@redhat.com> <90d08477-0018-a556-1030-449319be2caf@redhat.com> <8873b3bb-c6a5-bb03-324c-5626da168ed8@redhat.com> <1493302583.8926.10.camel@redhat.com> <1c44e805-5f43-12c8-e1b2-56aac2bd1d16@redhat.com> Message-ID: On 28.04.2017 09:32, Martin Kosek wrote: > On 04/27/2017 04:16 PM, Simo Sorce wrote: >> On Thu, 2017-04-27 at 15:56 +0200, Petr Vobornik wrote: >>> On 04/27/2017 02:19 PM, Christian Heimes wrote: >>>> On 2017-04-27 14:00, Martin Bašti wrote: >>>>> I would like to discuss consequences of adding kdc URI records: >>>>> >>>>> 1. basically all ipa clients enrolled using autodiscovery will >>>>> use >>>>> kdcproxy instead of KDC on port 88, because URI takes precedence >>>>> over >>>>> SRV in KRB5 client implementation. Are we ok with such a big >>>>> change? >>>> Does the client also prefer KKDCP if you give the Kerberos 88/UDP >>>> and >>>> 88/TCP URIs a higher priority than the KKDCP HTTPS URIs? >>>> >>>>> 2. probably client installer must be updated because currently >>>>> with >>>>> CA-full installation it is not working. >>>>> >>>>> ipa-client-install (with autodiscovery) failed on kinit, see >>>>> KRB5_TRACE >>>>> below that it refuses self signed certificate >>>> Actually it is not a self-signed EE certificate. The validation >>>> message >>>> is bogus because FreeIPA TLS configuration is slightly buggy. We >>>> send >>>> the trust anchor (root CA) although a server should not include its >>>> trust anchor in its ServerHello message. OpenSSL detects an >>>> untrusted >>>> root CA in the ServerHello peer chain and emits the message. >>>> >>>> If I read the 600 lines (!)
function >>>> ipaclient.install.client._install >>>> correctly, then ipa-client-install first attempts to negotiate a >>>> TGT and >>>> then installs the trust anchor in the global trust store. It should >>>> be >>>> enough to reverse the order and inject the trust anchor first. >>>> >>>> Christian >>>> >>> By reading this, even if we do the change in client install, I'd >>> rather >>> not generate the DNS records in 4.5.1 release and rather make sure >>> that >>> everything works during 4.6 development. > I agree. My original assumption why I suggested this RFE was that it would be > a very contained change and only used by clients that do not have classic > Kerberos ports available. Given how much it influences rest of the framework, > we indeed should not push on it in a bugfix release. > >>> The reason is that there might also be something else not working and >>> it >>> is better to time test it + the fix would not fix older clients. >>> >>> If anybody wants to use/try it, then the records can be created >>> manually. >> >> >> We need to fix clients regardless, or someone enabling it will find the >> same issues. > Right. Can someone please file the ticket so that it can be triaged later? ticket is here https://pagure.io/freeipa/issue/6906 > > Thanks, > Martin -- Martin Bašti Software Engineer Red Hat Czech From freeipa-github-notification at redhat.com Fri Apr 28 07:39:48 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Fri, 28 Apr 2017 09:39:48 +0200 Subject: [Freeipa-devel] [freeipa PR#741][synchronized] 6.9 -> 7.4 migration fixes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/741 Author: stlaz Title: #741: 6.9 -> 7.4 migration fixes Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/741/head:pr741 git checkout pr741 -------------- next part -------------- A non-text attachment was scrubbed...
Name: freeipa-pr-741.patch Type: text/x-diff Size: 5054 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Apr 28 07:53:57 2017 From: freeipa-github-notification at redhat.com (pvoborni) Date: Fri, 28 Apr 2017 09:53:57 +0200 Subject: [Freeipa-devel] [freeipa PR#694][+blocker] RFC: implement local PKINIT deployment in server/replica install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/694 Title: #694: RFC: implement local PKINIT deployment in server/replica install Label: +blocker From freeipa-github-notification at redhat.com Fri Apr 28 07:54:01 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Fri, 28 Apr 2017 09:54:01 +0200 Subject: [Freeipa-devel] [freeipa PR#747][-ack] vault: piped input for ipa vault-add fails In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/747 Title: #747: vault: piped input for ipa vault-add fails Label: -ack From freeipa-github-notification at redhat.com Fri Apr 28 07:54:35 2017 From: freeipa-github-notification at redhat.com (pvoborni) Date: Fri, 28 Apr 2017 09:54:35 +0200 Subject: [Freeipa-devel] [freeipa PR#741][+blocker] 6.9 -> 7.4 migration fixes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/741 Title: #741: 6.9 -> 7.4 migration fixes Label: +blocker From freeipa-github-notification at redhat.com Fri Apr 28 07:55:01 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Fri, 28 Apr 2017 09:55:01 +0200 Subject: [Freeipa-devel] [freeipa PR#747][comment] vault: piped input for ipa vault-add fails In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/747 Title: #747: vault: piped input for ipa vault-add fails stlaz commented: """ @Akasurde: Don't add ACK label when the PR is not OK! @flo-renaud: You will need to specify a ticket for this PR. 
""" See the full comment at https://github.com/freeipa/freeipa/pull/747#issuecomment-297933288 From freeipa-github-notification at redhat.com Fri Apr 28 08:02:59 2017 From: freeipa-github-notification at redhat.com (flo-renaud) Date: Fri, 28 Apr 2017 10:02:59 +0200 Subject: [Freeipa-devel] [freeipa PR#747][synchronized] vault: piped input for ipa vault-add fails In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/747 Author: flo-renaud Title: #747: vault: piped input for ipa vault-add fails Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/747/head:pr747 git checkout pr747 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-747.patch Type: text/x-diff Size: 3261 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Apr 28 08:04:32 2017 From: freeipa-github-notification at redhat.com (flo-renaud) Date: Fri, 28 Apr 2017 10:04:32 +0200 Subject: [Freeipa-devel] [freeipa PR#747][comment] vault: piped input for ipa vault-add fails In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/747 Title: #747: vault: piped input for ipa vault-add fails flo-renaud commented: """ @stlaz Thank you for the reminder. Commit msg updated with issue 6907 """ See the full comment at https://github.com/freeipa/freeipa/pull/747#issuecomment-297935155 From freeipa-github-notification at redhat.com Fri Apr 28 08:05:51 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Fri, 28 Apr 2017 10:05:51 +0200 Subject: [Freeipa-devel] [freeipa PR#747][comment] vault: piped input for ipa vault-add fails In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/747 Title: #747: vault: piped input for ipa vault-add fails stlaz commented: """ Thank you for the brief action taken. Re-adding the ACK label. 
""" See the full comment at https://github.com/freeipa/freeipa/pull/747#issuecomment-297935390 From freeipa-github-notification at redhat.com Fri Apr 28 08:05:59 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Fri, 28 Apr 2017 10:05:59 +0200 Subject: [Freeipa-devel] [freeipa PR#747][+ack] vault: piped input for ipa vault-add fails In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/747 Title: #747: vault: piped input for ipa vault-add fails Label: +ack From freeipa-github-notification at redhat.com Fri Apr 28 08:11:09 2017 From: freeipa-github-notification at redhat.com (pvoborni) Date: Fri, 28 Apr 2017 10:11:09 +0200 Subject: [Freeipa-devel] [freeipa PR#723][-ack] Store GSSAPI session key in /var/run/httpd In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/723 Title: #723: Store GSSAPI session key in /var/run/httpd Label: -ack From freeipa-github-notification at redhat.com Fri Apr 28 08:11:17 2017 From: freeipa-github-notification at redhat.com (pvoborni) Date: Fri, 28 Apr 2017 10:11:17 +0200 Subject: [Freeipa-devel] [freeipa PR#723][-pushed] Store GSSAPI session key in /var/run/httpd In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/723 Title: #723: Store GSSAPI session key in /var/run/httpd Label: -pushed From pvoborni at redhat.com Fri Apr 28 08:15:53 2017 From: pvoborni at redhat.com (Petr Vobornik) Date: Fri, 28 Apr 2017 10:15:53 +0200 Subject: [Freeipa-devel] "blocker" tag for pull request Message-ID: <3344f815-4060-790f-5028-830bf3373d4c@redhat.com> Hi all, I created "blocker" tag for FreeIPA Git Hub PRs. It is should be used to mark PRs which solves test blocker or other functional blockers - e.g. blocks creation of demo. I.e. should be used rather rarely. I don't like the tag name, but I couldn't find better. Note: blocker priority in pagure doesn't imply blocker tag in PR. But testblocker tag in pagure does. 
Actually I'm thinking about changing Pagure priority names to: "highest, high, medium, low, patchwelcome" -- Petr Vobornik From freeipa-github-notification at redhat.com Fri Apr 28 08:33:44 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Fri, 28 Apr 2017 10:33:44 +0200 Subject: [Freeipa-devel] [freeipa PR#694][comment] RFC: implement local PKINIT deployment in server/replica install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/694 Title: #694: RFC: implement local PKINIT deployment in server/replica install HonzaCholasta commented: """ Works for me, ACK. """ See the full comment at https://github.com/freeipa/freeipa/pull/694#issuecomment-297940885 From cheimes at redhat.com Fri Apr 28 08:34:27 2017 From: cheimes at redhat.com (Christian Heimes) Date: Fri, 28 Apr 2017 10:34:27 +0200 Subject: [Freeipa-devel] KDC proxy URI records In-Reply-To: <38da11c5-a7f9-3c35-b402-f33f10e0032e@redhat.com> References: <1493232107.18022.22.camel@redhat.com> <38da11c5-a7f9-3c35-b402-f33f10e0032e@redhat.com> Message-ID: On 2017-04-27 14:00, Martin Bašti wrote: > > > On 26.04.2017 20:41, Simo Sorce wrote: >> On Wed, 2017-04-26 at 12:57 +0200, Martin Bašti wrote: >>> On 25.04.2017 16:57, Martin Bašti wrote: >>>> Hello all, >>>> >>>> I'm going to implement automatic URI records for kdc proxy and I'd >>>> like to clarify if following URI records are the right one. >>>> >>>> >>>> _kerberos-adm.example.com. IN URI 0 >>>> "krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy" >>>> >>>> _krb5kdc.example.com. IN URI 0 >>>> "krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy" >>>> >>>> _kpasswd.example.com. IN URI 0 >>>> "krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy" >>>> >>>> >>>> I assume we want to use "kkdcp" and "https", and "M" flag as all IPA >>>> servers are masters, please confirm.
>>>> >>>> >>>> Sources: >>>> >>>> https://k5wiki.kerberos.org/wiki/Projects/KDC_Discovery >>>> >>>> https://tools.ietf.org/id/draft-mccallum-kitten-krb-service-discovery-02.txt >>>> >>>> >>>> >>>> >>>> Thank you >>>> >>> I found out that wiki page differs from the RFC draft and from the >>> source in git >>> >>> There is "_kerberos.REALM" record instead of "_krb5kdc.REALM" >>> >>> >>> And I'm not sure if _kerberos-adm should be included as we don't really >>> support kadmin. >> We shouldn't. >> >> Simo. >> > > I would like to discuss consequences of adding kdc URI records: > > 1. basically all ipa clients enrolled using autodiscovery will use > kdcproxy instead of KDC on port 88, because URI takes precedence over > SRV in KRB5 client implementation. Are we ok with such a big change? Update: It's correct that URI records have a higher priority than SRV records. A client with URI discovery support will never check SRV records when it is able to retrieve URI records. For newer clients we have to include TCP and UDP URI records, too. I did some testing. MIT KRB5 prefers UDP/TCP over MSKKDP for records with same priority. That fact is not stated in the RFC. I'm writing a mail to Nathaniel and Simo to discuss the matter. Christian -- Christian Heimes Senior Software Engineer, Identity Management and Platform Security Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn, Commercial register: Amtsgericht Muenchen, HRB 153243, Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander
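The discovery behaviour discussed in the thread above, as an added example that is not part of any message and is not FreeIPA or MIT krb5 code: it parses `krb5srv:<flags>:<transport>:<residual>` URI targets and shows which endpoints a URI-aware client would try, first with only the kkdcp record and then with 88/UDP and 88/TCP URI records at a higher priority. The function names, the sample records, the equal-priority tie-break (taken from the test result reported in the thread), the ignoring of record weight and the HTTPS-only check are assumptions of this example.

```python
from typing import List, NamedTuple, Optional, Sequence, Tuple

# Tie-break for records of equal priority. The thread reports that MIT krb5
# tried UDP/TCP before the HTTPS proxy in testing; modelled here as an assumption.
TRANSPORT_RANK = {"udp": 0, "tcp": 1, "kkdcp": 2}


class Endpoint(NamedTuple):
    priority: int    # lower value is tried first, as with SRV
    transport: str   # "udp", "tcp" or "kkdcp"
    target: str      # "host:port" for udp/tcp, HTTPS URL for kkdcp
    master: bool     # "M" flag present
    source: str      # "URI" or "SRV"


def parse_krb5srv(priority: int, value: str, default_port: int = 88) -> Optional[Endpoint]:
    """Parse a URI record target of the form krb5srv:<flags>:<transport>:<residual>.

    Returns None for anything malformed, so a bad record is skipped
    instead of being turned into a connection attempt.
    """
    # maxsplit=3 keeps the colons inside "https://host/KdcProxy" intact.
    parts = value.strip().strip('"').split(":", 3)
    if len(parts) != 4 or parts[0].lower() != "krb5srv":
        return None
    _, flags, transport, residual = parts
    transport = transport.lower()
    if transport not in TRANSPORT_RANK or not residual:
        return None
    if transport == "kkdcp":
        # Policy of this example: a proxy learned from DNS must be HTTPS.
        if not residual.lower().startswith("https://"):
            return None
        target = residual
    else:
        host, sep, port = residual.rpartition(":")
        if sep:
            if not host or not port.isdigit():
                return None
            target = f"{host}:{int(port)}"
        else:
            target = f"{residual}:{default_port}"
    return Endpoint(priority, transport, target, "m" in flags.lower(), "URI")


def discover(uri_records: Sequence[Tuple[int, str]],
             srv_records: Sequence[Tuple[int, str, str, int]]) -> List[Endpoint]:
    """Return endpoints in the order a URI-aware client would try them.

    SRV records are consulted only when no usable URI record exists,
    which is the precedence described in the thread.
    """
    uri = [e for e in (parse_krb5srv(p, v) for p, v in uri_records) if e is not None]
    if uri:
        chosen = uri
    else:
        chosen = [Endpoint(p, proto, f"{host}:{port}", False, "SRV")
                  for p, proto, host, port in srv_records]
    return sorted(chosen, key=lambda e: (e.priority, TRANSPORT_RANK[e.transport]))


# Constructed sample data, using the host name from the records quoted in the thread.
SRV_RECORDS = [(0, "udp", "ipaserver.example.com", 88),
               (0, "tcp", "ipaserver.example.com", 88)]
# Only the HTTPS proxy is published as a URI record.
URI_AS_OPENED = [(0, '"krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy"')]
# Direct 88/UDP and 88/TCP URI records ahead of the proxy (priority 0 vs 10).
URI_WITH_DIRECT = [(10, "krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy"),
                   (0, "krb5srv:M:tcp:ipaserver.example.com"),
                   (0, "krb5srv:M:udp:ipaserver.example.com")]

if __name__ == "__main__":
    for label, uri in (("kkdcp URI only", URI_AS_OPENED),
                       ("with direct URIs", URI_WITH_DIRECT),
                       ("no URI records", [])):
        print(label)
        for ep in discover(uri, SRV_RECORDS):
            print(f"  {ep.priority:>2} {ep.source} {ep.transport:<5} {ep.target}")
```

With only the kkdcp record published, the port 88 SRV records are never reached; with the direct records added at priority 0, the proxy becomes the last resort.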
From freeipa-github-notification at redhat.com Fri Apr 28 08:38:17 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Fri, 28 Apr 2017 10:38:17 +0200 Subject: [Freeipa-devel] [freeipa PR#694][+ack] RFC: implement local PKINIT deployment in server/replica install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/694 Title: #694: RFC: implement local PKINIT deployment in server/replica install Label: +ack From freeipa-github-notification at redhat.com Fri Apr 28 08:39:05 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Fri, 28 Apr 2017 10:39:05 +0200 Subject: [Freeipa-devel] [freeipa PR#694][+pushed] RFC: implement local PKINIT deployment in server/replica install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/694 Title: #694: RFC: implement local PKINIT deployment in server/replica install Label: +pushed From freeipa-github-notification at redhat.com Fri Apr 28 08:39:11 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Fri, 28 Apr 2017 10:39:11 +0200 Subject: [Freeipa-devel] [freeipa PR#694][comment] RFC: implement local PKINIT deployment in server/replica install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/694 Title: #694: RFC: implement local PKINIT deployment in server/replica install HonzaCholasta commented: """ master: * b1a1e104391c84cb9af7b0a7c8748c8652442ddb separate function to set ipaConfigString values on service entry * fb52f7a1f328b126626525179d5250692daca2cd Allow for configuration of all three PKINIT variants when deploying KDC * 86972299d937960bcb713fc73b447cddb4ea44bd API for retrieval of master's PKINIT status and publishing it in LDAP * 3adb9ca875f8eb99e99a29e17a471a2b6f408a4a Use only anonymous PKINIT to fetch armor ccache * 68c6a4d4e1340ce01bdc7ec5dd394604a3da7688
Stop requesting anonymous keytab and purge all references of it * 2374b648d0dfd08ec4cfbcc35f7987fa8b8a6ffa Use local anchor when armoring password requests * a194055c92c7ca4eba29323f990ec3b92026221b Upgrade: configure local/full PKINIT depending on the master status * 960e361f68a3d7acd9bcf16ec6fe8f6d5376c4ae Do not test anonymous PKINIT after install/upgrade ipa-4-5: * 31a24436592304db6e84270e4a95df34d1e0af46 separate function to set ipaConfigString values on service entry * b49e075c90a7ab43e82f422aa11dc7540e2fb2c0 Allow for configuration of all three PKINIT variants when deploying KDC * a0e2a09292ffa2adbf97c2e7e4facc9693dbc311 API for retrieval of master's PKINIT status and publishing it in LDAP * fca378c9a65f582ac3dcda4b6201e8847ed9e512 Use only anonymous PKINIT to fetch armor ccache * 9fcc794dac6ffb1f1cc6c92a588ea0911be5ba14 Stop requesting anonymous keytab and purge all references of it * 5031929b6d710336f6308d7f46779c9e8e98103a Use local anchor when armoring password requests * 2452e6e5f3a7e7a25eadf5243a28da75a47f9d2c Upgrade: configure local/full PKINIT depending on the master status * d497c4589cc7506ef9a88b691b8b1d97ad1f1009 Do not test anonymous PKINIT after install/upgrade """ See the full comment at https://github.com/freeipa/freeipa/pull/694#issuecomment-297941980 From freeipa-github-notification at redhat.com Fri Apr 28 08:39:13 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Fri, 28 Apr 2017 10:39:13 +0200 Subject: [Freeipa-devel] [freeipa PR#694][closed] RFC: implement local PKINIT deployment in server/replica install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/694 Author: martbab Title: #694: RFC: implement local PKINIT deployment in server/replica install Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/694/head:pr694 git checkout pr694 From freeipa-github-notification at redhat.com Fri Apr 28 10:14:16 
2017 From: freeipa-github-notification at redhat.com (pvoborni) Date: Fri, 28 Apr 2017 12:14:16 +0200 Subject: [Freeipa-devel] [freeipa PR#748][opened] restore: restart/reload gssproxy after restore Message-ID: URL: https://github.com/freeipa/freeipa/pull/748 Author: pvoborni Title: #748: restore: restart/reload gssproxy after restore Action: opened PR body: """ So that gssproxy picks up new configuration and therefore related usages like authentication of CLI against server works https://pagure.io/freeipa/issue/6902 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/748/head:pr748 git checkout pr748 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-748.patch Type: text/x-diff Size: 2987 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Apr 28 10:14:46 2017 From: freeipa-github-notification at redhat.com (pvoborni) Date: Fri, 28 Apr 2017 12:14:46 +0200 Subject: [Freeipa-devel] [freeipa PR#748][comment] restore: restart/reload gssproxy after restore In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/748 Title: #748: restore: restart/reload gssproxy after restore pvoborni commented: """ Obsoletes PR #738 """ See the full comment at https://github.com/freeipa/freeipa/pull/748#issuecomment-297962322 From freeipa-github-notification at redhat.com Fri Apr 28 10:16:22 2017 From: freeipa-github-notification at redhat.com (pvoborni) Date: Fri, 28 Apr 2017 12:16:22 +0200 Subject: [Freeipa-devel] [freeipa PR#738][comment] restore: restart gssproxy after restore In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/738 Title: #738: restore: restart gssproxy after restore pvoborni commented: """ PR #748 obsoletes this one - this PR was created badly and so I cannot force update it. 
New one uses reload-or-restart """ See the full comment at https://github.com/freeipa/freeipa/pull/738#issuecomment-297962651 From freeipa-github-notification at redhat.com Fri Apr 28 10:16:26 2017 From: freeipa-github-notification at redhat.com (pvoborni) Date: Fri, 28 Apr 2017 12:16:26 +0200 Subject: [Freeipa-devel] [freeipa PR#738][closed] restore: restart gssproxy after restore In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/738 Author: pvoborni Title: #738: restore: restart gssproxy after restore Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/738/head:pr738 git checkout pr738 From freeipa-github-notification at redhat.com Fri Apr 28 10:16:38 2017 From: freeipa-github-notification at redhat.com (pvoborni) Date: Fri, 28 Apr 2017 12:16:38 +0200 Subject: [Freeipa-devel] [freeipa PR#738][+rejected] restore: restart gssproxy after restore In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/738 Title: #738: restore: restart gssproxy after restore Label: +rejected From freeipa-github-notification at redhat.com Fri Apr 28 10:42:26 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Fri, 28 Apr 2017 12:42:26 +0200 Subject: [Freeipa-devel] [freeipa PR#729][synchronized] Turn on NSSOCSP check in mod_nss conf In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/729 Author: pvomacka Title: #729: Turn on NSSOCSP check in mod_nss conf Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/729/head:pr729 git checkout pr729 -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-pr-729.patch
Type: text/x-diff
Size: 8613 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Fri Apr 28 10:59:17 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Fri, 28 Apr 2017 12:59:17 +0200
Subject: [Freeipa-devel] [freeipa PR#741][comment] 6.9 -> 7.4 migration fixes
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/741
Title: #741: 6.9 -> 7.4 migration fixes

stlaz commented:
"""
For the record - the tests are passing on my machine, something is not right here.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/741#issuecomment-297969953

From freeipa-github-notification at redhat.com Fri Apr 28 11:20:58 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Fri, 28 Apr 2017 13:20:58 +0200
Subject: [Freeipa-devel] [freeipa PR#747][comment] vault: piped input for ipa vault-add fails
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/747
Title: #747: vault: piped input for ipa vault-add fails

MartinBasti commented:
"""
master:

* d5c41ed4ad370c7d74296a830993a5bd3fd32e5f vault: piped input for ipa vault-add fails

ipa-4-5:

* c8ca0f89a68b5d57c56344fdeb12fd436976c726 vault: piped input for ipa vault-add fails
"""

See the full comment at https://github.com/freeipa/freeipa/pull/747#issuecomment-297973494

From freeipa-github-notification at redhat.com Fri Apr 28 11:21:02 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Fri, 28 Apr 2017 13:21:02 +0200
Subject: [Freeipa-devel] [freeipa PR#747][+pushed] vault: piped input for ipa vault-add fails
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/747
Title: #747: vault: piped input for ipa vault-add fails

Label: +pushed

From freeipa-github-notification at redhat.com Fri Apr 28 11:21:05 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Fri, 28 Apr 2017 13:21:05 +0200
Subject: [Freeipa-devel] [freeipa
PR#747][closed] vault: piped input for ipa vault-add fails In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/747 Author: flo-renaud Title: #747: vault: piped input for ipa vault-add fails Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/747/head:pr747 git checkout pr747 From freeipa-github-notification at redhat.com Fri Apr 28 11:21:59 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Fri, 28 Apr 2017 13:21:59 +0200 Subject: [Freeipa-devel] [freeipa PR#735][+ack] automount install: do not wait for sssd restart on uninstallation In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/735 Title: #735: automount install: do not wait for sssd restart on uninstallation Label: +ack From freeipa-github-notification at redhat.com Fri Apr 28 11:30:39 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Fri, 28 Apr 2017 13:30:39 +0200 Subject: [Freeipa-devel] [freeipa PR#733][synchronized] [4.5] Fix CA/server cert validation in FIPS In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/733 Author: stlaz Title: #733: [4.5] Fix CA/server cert validation in FIPS Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/733/head:pr733 git checkout pr733 -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-pr-733.patch Type: text/x-diff Size: 2769 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Apr 28 11:42:47 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 28 Apr 2017 13:42:47 +0200 Subject: [Freeipa-devel] [freeipa PR#735][comment] automount install: do not wait for sssd restart on uninstallation In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/735 Title: #735: automount install: do not wait for sssd restart on uninstallation MartinBasti commented: """ master: * b4e447fa6fc7d659ae6a3b6285d4ddda0baa0be4 automount install: fix checking of SSSD functionality on uninstall ipa-4-5: * ff513d6b20ee0a2ca90b06b8c114386f1e5751d9 automount install: fix checking of SSSD functionality on uninstall """ See the full comment at https://github.com/freeipa/freeipa/pull/735#issuecomment-297977040 From freeipa-github-notification at redhat.com Fri Apr 28 11:42:51 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 28 Apr 2017 13:42:51 +0200 Subject: [Freeipa-devel] [freeipa PR#735][closed] automount install: do not wait for sssd restart on uninstallation In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/735 Author: pvoborni Title: #735: automount install: do not wait for sssd restart on uninstallation Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/735/head:pr735 git checkout pr735 From freeipa-github-notification at redhat.com Fri Apr 28 11:42:54 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 28 Apr 2017 13:42:54 +0200 Subject: [Freeipa-devel] [freeipa PR#735][+pushed] automount install: do not wait for sssd restart on uninstallation In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/735 Title: #735: automount install: do not wait for sssd restart on uninstallation Label: 
+pushed From freeipa-github-notification at redhat.com Fri Apr 28 12:01:36 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Fri, 28 Apr 2017 14:01:36 +0200 Subject: [Freeipa-devel] [freeipa PR#748][comment] restore: restart/reload gssproxy after restore In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/748 Title: #748: restore: restart/reload gssproxy after restore tomaskrizek commented: """ How is this patch going to work for Debian? Shouldn't we also implement `reload_or_restart` for `DebianSysvService`? """ See the full comment at https://github.com/freeipa/freeipa/pull/748#issuecomment-297980381 From freeipa-github-notification at redhat.com Fri Apr 28 12:11:30 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 28 Apr 2017 14:11:30 +0200 Subject: [Freeipa-devel] [freeipa PR#733][+pushed] [4.5] Fix CA/server cert validation in FIPS In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/733 Title: #733: [4.5] Fix CA/server cert validation in FIPS Label: +pushed From freeipa-github-notification at redhat.com Fri Apr 28 12:11:35 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 28 Apr 2017 14:11:35 +0200 Subject: [Freeipa-devel] [freeipa PR#733][comment] [4.5] Fix CA/server cert validation in FIPS In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/733 Title: #733: [4.5] Fix CA/server cert validation in FIPS MartinBasti commented: """ ipa-4-5: * 651d132b701b773b2bbeb41496d6c5ddbf6d19b3 Fix CA/server cert validation in FIPS """ See the full comment at https://github.com/freeipa/freeipa/pull/733#issuecomment-297982146 From freeipa-github-notification at redhat.com Fri Apr 28 12:11:39 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 28 Apr 2017 14:11:39 +0200 Subject: [Freeipa-devel] [freeipa PR#733][closed] [4.5] Fix CA/server cert validation in FIPS In-Reply-To: 
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/733
Author: stlaz
Title: #733: [4.5] Fix CA/server cert validation in FIPS
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/733/head:pr733
git checkout pr733

From tkrizek at redhat.com Fri Apr 28 12:17:37 2017
From: tkrizek at redhat.com (Tomas Krizek)
Date: Fri, 28 Apr 2017 14:17:37 +0200
Subject: [Freeipa-devel] "blocker" tag for pull request
In-Reply-To: <3344f815-4060-790f-5028-830bf3373d4c@redhat.com>
References: <3344f815-4060-790f-5028-830bf3373d4c@redhat.com>
Message-ID: <385c9b72-e29c-7ecd-6ce9-e72ff61c54b1@redhat.com>

On 04/28/2017 10:15 AM, Petr Vobornik wrote:
> Hi all,
>
> I created "blocker" tag for FreeIPA Git Hub PRs.
>
> It should be used to mark PRs which solves test blocker or other
> functional blockers - e.g. blocks creation of demo. I.e. should be
> used rather rarely.
>
> I don't like the tag name, but I couldn't find better.

I think we could use the name "high-priority". It could have other uses besides marking a blocker, e.g. requesting prompt execution of tests in PR CI.

>
> Note: blocker priority in pagure doesn't imply blocker tag in PR. But
> testblocker tag in pagure does. Actually I'm thinking about changing
> Pagure priority names to: "highest, high, medium, low, patchwelcome"
>

+1, but I'd prefer "critical" instead of "highest"

--
Tomas Krizek

PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: OpenPGP digital signature
URL:

From freeipa-github-notification at redhat.com Fri Apr 28 12:34:39 2017
From: freeipa-github-notification at redhat.com (pvomacka)
Date: Fri, 28 Apr 2017 14:34:39 +0200
Subject: [Freeipa-devel] [freeipa PR#729][synchronized] Turn on NSSOCSP check in mod_nss conf
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/729
Author: pvomacka
Title: #729: Turn on NSSOCSP check in mod_nss conf
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/729/head:pr729
git checkout pr729
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-729.patch
Type: text/x-diff
Size: 6961 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Fri Apr 28 12:39:41 2017
From: freeipa-github-notification at redhat.com (pvoborni)
Date: Fri, 28 Apr 2017 14:39:41 +0200
Subject: [Freeipa-devel] [freeipa PR#748][comment] restore: restart/reload gssproxy after restore
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/748
Title: #748: restore: restart/reload gssproxy after restore

pvoborni commented:
"""
Should work:
```
def debian_service_class_factory(name, api=None):
    if name == 'dirsrv':
        return redhat_services.RedHatDirectoryService(name, api)
    if name == 'domainname':
        return DebianNoService(name, api)
    if name == 'ipa':
        return redhat_services.RedHatIPAService(name, api)
    if name == 'messagebus':
        return DebianNoService(name, api)
    if name == 'ntpd':
        return DebianSysvService("ntp", api)
    return DebianService(name, api)
```
so it's `DebianService`
```
class DebianService(redhat_services.RedHatService):
    system_units = debian_system_units
```
then
```
class RedHatService(base_services.SystemdService):
```

I.e. it is not `DebianSysvService`
"""

See the full comment at https://github.com/freeipa/freeipa/pull/748#issuecomment-297987349

From mbasti at redhat.com Fri Apr 28 12:41:04 2017
From: mbasti at redhat.com (Martin Bašti)
Date: Fri, 28 Apr 2017 14:41:04 +0200
Subject: [Freeipa-devel] "blocker" tag for pull request
In-Reply-To: <385c9b72-e29c-7ecd-6ce9-e72ff61c54b1@redhat.com>
References: <3344f815-4060-790f-5028-830bf3373d4c@redhat.com> <385c9b72-e29c-7ecd-6ce9-e72ff61c54b1@redhat.com>
Message-ID:

On 28.04.2017 14:17, Tomas Krizek wrote:
> On 04/28/2017 10:15 AM, Petr Vobornik wrote:
>> Hi all,
>>
>> I created "blocker" tag for FreeIPA Git Hub PRs.
>>
>> It should be used to mark PRs which solves test blocker or other
>> functional blockers - e.g. blocks creation of demo. I.e. should be
>> used rather rarely.
>>
>> I don't like the tag name, but I couldn't find better.
> I think we could use the name "high-priority". It could have other uses
> besides marking a blocker, e.g. requesting prompt execution of tests in
> PR CI.

Sounds good or maybe "prioritized", IMHO "blocker" word is overused.

>> Note: blocker priority in pagure doesn't imply blocker tag in PR. But
>> testblocker tag in pagure does. Actually I'm thinking about changing
>> Pagure priority names to: "highest, high, medium, low, patchwelcome"
>>
> +1, but I'd prefer "critical" instead of "highest"
>
>

+1 for critical

pyldap uses "help wanted" instead "patchwelcome", it sounds better to me. I'd use it as separate tag instead of priority. Even high prioritized issues can be made by contributors in early phase of development if they are easy enough.

Martin^2

--
Martin Bašti
Software Engineer
Red Hat Czech
-------------- next part --------------
An HTML attachment was scrubbed...
URL: From freeipa-github-notification at redhat.com Fri Apr 28 12:46:45 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 28 Apr 2017 14:46:45 +0200 Subject: [Freeipa-devel] [freeipa PR#732][+postponed] ipa-custodia: use Dogtag's alias/pwdfile.txt In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/732 Title: #732: ipa-custodia: use Dogtag's alias/pwdfile.txt Label: +postponed From freeipa-github-notification at redhat.com Fri Apr 28 12:47:09 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 28 Apr 2017 14:47:09 +0200 Subject: [Freeipa-devel] [freeipa PR#732][comment] ipa-custodia: use Dogtag's alias/pwdfile.txt In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/732 Title: #732: ipa-custodia: use Dogtag's alias/pwdfile.txt MartinBasti commented: """ Postponing, ticket milestone is 4.7 """ See the full comment at https://github.com/freeipa/freeipa/pull/732#issuecomment-297988800 From freeipa-github-notification at redhat.com Fri Apr 28 12:49:29 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 28 Apr 2017 14:49:29 +0200 Subject: [Freeipa-devel] [freeipa PR#744][+ack] [4.5] Correct PyPI package dependencies In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/744 Title: #744: [4.5] Correct PyPI package dependencies Label: +ack From freeipa-github-notification at redhat.com Fri Apr 28 12:53:40 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Fri, 28 Apr 2017 14:53:40 +0200 Subject: [Freeipa-devel] [freeipa PR#748][comment] restore: restart/reload gssproxy after restore In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/748 Title: #748: restore: restart/reload gssproxy after restore tomaskrizek commented: """ Ok, everything looks good then. 
""" See the full comment at https://github.com/freeipa/freeipa/pull/748#issuecomment-297990127 From freeipa-github-notification at redhat.com Fri Apr 28 12:53:46 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Fri, 28 Apr 2017 14:53:46 +0200 Subject: [Freeipa-devel] [freeipa PR#748][+ack] restore: restart/reload gssproxy after restore In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/748 Title: #748: restore: restart/reload gssproxy after restore Label: +ack From freeipa-github-notification at redhat.com Fri Apr 28 12:56:49 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Fri, 28 Apr 2017 14:56:49 +0200 Subject: [Freeipa-devel] [freeipa PR#748][+pushed] restore: restart/reload gssproxy after restore In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/748 Title: #748: restore: restart/reload gssproxy after restore Label: +pushed From freeipa-github-notification at redhat.com Fri Apr 28 12:56:52 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Fri, 28 Apr 2017 14:56:52 +0200 Subject: [Freeipa-devel] [freeipa PR#748][comment] restore: restart/reload gssproxy after restore In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/748 Title: #748: restore: restart/reload gssproxy after restore tomaskrizek commented: """ master: * 3a4c8e39c3e38ec651cfcbb3cac59e0e92e04fe0 restore: restart/reload gssproxy after restore ipa-4-5: * 04ed1fa3acdf002ecc37dde4f5d226c0fbe5aa30 restore: restart/reload gssproxy after restore """ See the full comment at https://github.com/freeipa/freeipa/pull/748#issuecomment-297990747 From freeipa-github-notification at redhat.com Fri Apr 28 12:56:54 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Fri, 28 Apr 2017 14:56:54 +0200 Subject: [Freeipa-devel] [freeipa PR#748][closed] restore: restart/reload gssproxy after restore In-Reply-To: References: Message-ID: URL: 
https://github.com/freeipa/freeipa/pull/748 Author: pvoborni Title: #748: restore: restart/reload gssproxy after restore Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/748/head:pr748 git checkout pr748 From freeipa-github-notification at redhat.com Fri Apr 28 12:59:50 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Fri, 28 Apr 2017 14:59:50 +0200 Subject: [Freeipa-devel] [freeipa PR#744][+pushed] [4.5] Correct PyPI package dependencies In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/744 Title: #744: [4.5] Correct PyPI package dependencies Label: +pushed From freeipa-github-notification at redhat.com Fri Apr 28 12:59:54 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Fri, 28 Apr 2017 14:59:54 +0200 Subject: [Freeipa-devel] [freeipa PR#744][comment] [4.5] Correct PyPI package dependencies In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/744 Title: #744: [4.5] Correct PyPI package dependencies tomaskrizek commented: """ ipa-4-5: * b91ee1294bb3139f3d9df62c75dd429a5821bf40 Correct PyPI package dependencies """ See the full comment at https://github.com/freeipa/freeipa/pull/744#issuecomment-297991379 From freeipa-github-notification at redhat.com Fri Apr 28 12:59:55 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Fri, 28 Apr 2017 14:59:55 +0200 Subject: [Freeipa-devel] [freeipa PR#744][closed] [4.5] Correct PyPI package dependencies In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/744 Author: tiran Title: #744: [4.5] Correct PyPI package dependencies Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/744/head:pr744 git checkout pr744 From freeipa-github-notification at redhat.com Fri Apr 28 14:23:17 2017 From: freeipa-github-notification at 
redhat.com (olivergs)
Date: Fri, 28 Apr 2017 16:23:17 +0200
Subject: [Freeipa-devel] [freeipa PR#749][opened] Added plugins directory to python2-ipaclient subpackage
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/749
Author: olivergs
Title: #749: Added plugins directory to python2-ipaclient subpackage
Action: opened

PR body:
"""
Subpackage does not own that directory and could create conflicts if a plugin creates it on its own
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/749/head:pr749
git checkout pr749
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-749.patch
Type: text/x-diff
Size: 790 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Fri Apr 28 14:43:38 2017
From: freeipa-github-notification at redhat.com (tscherf)
Date: Fri, 28 Apr 2017 16:43:38 +0200
Subject: [Freeipa-devel] [freeipa PR#750][opened] Fixed typo in ipa-client-install help output
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/750
Author: tscherf
Title: #750: Fixed typo in ipa-client-install help output
Action: opened

PR body:
"""
Fixed typo in option "--all-ip-addresses" from "ipa-client-install".
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/750/head:pr750
git checkout pr750
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-750.patch Type: text/x-diff Size: 821 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Apr 28 14:46:54 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 28 Apr 2017 16:46:54 +0200 Subject: [Freeipa-devel] [freeipa PR#750][+ack] Fixed typo in ipa-client-install help output In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/750 Title: #750: Fixed typo in ipa-client-install help output Label: +ack From freeipa-github-notification at redhat.com Fri Apr 28 15:09:33 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 28 Apr 2017 17:09:33 +0200 Subject: [Freeipa-devel] [freeipa PR#746][synchronized] KDC proxy URI records In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/746 Author: MartinBasti Title: #746: KDC proxy URI records Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/746/head:pr746 git checkout pr746 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-746.patch Type: text/x-diff Size: 10206 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Apr 28 15:19:25 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 28 Apr 2017 17:19:25 +0200 Subject: [Freeipa-devel] [freeipa PR#746][synchronized] KDC proxy URI records In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/746 Author: MartinBasti Title: #746: KDC proxy URI records Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/746/head:pr746 git checkout pr746 -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-pr-746.patch
Type: text/x-diff
Size: 10206 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Fri Apr 28 15:23:33 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Fri, 28 Apr 2017 17:23:33 +0200
Subject: [Freeipa-devel] [freeipa PR#746][edited] KDC proxy URI records
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/746
Author: MartinBasti
Title: #746: KDC proxy URI records
Action: edited

Changed field: body
Original value:
"""
Automatic creation of KDC proxy URI records

Enables creation of following KDC proxy URL records per each replica:
```
_kerberos.example.com. IN URI "krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy"
_kpasswd.example.com. IN URI "krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy"
```

Records are created for each replica in topology as KDC proxy is enabled by default. (If KDC proxy is manually disabled this record will be created anyway)

URI records for kadmin discovery are not created because FreeIPA doesn't support kadmin.

See: https://k5wiki.kerberos.org/wiki/Projects/KDC_Discovery

https://pagure.io/freeipa/issue/6337

### TODO
- [ ] Add URI records for 88/UDP, 88/TCP with higher priority to keep client asking directly KDC first
- [ ] Add URI records for HTTPS only when kdc proxy is enabled on server (requires to update server roles with role attribute KDC proxy)
- [ ] Fix https://pagure.io/freeipa/issue/6906 to allow enroll FreeIPA clients using HTTPS KDC proxy
"""

From freeipa-github-notification at redhat.com Fri Apr 28 15:42:36 2017
From: freeipa-github-notification at redhat.com (simo5)
Date: Fri, 28 Apr 2017 17:42:36 +0200
Subject: [Freeipa-devel] [freeipa PR#746][comment] KDC proxy URI records
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/746
Title: #746: KDC proxy URI records

simo5 commented:
"""
I am not entirely sure we want to care for the case where an admin disables KDC Proxy in an automatic fashion; otherwise we would also need to check if TCP or UDP are disabled and change that too.

FreeIPA as a product enables TCP/UDP and proxy and an admin that wants to change this by manually changing configurations should also take care of manually changing the URI records in DNS I think. Just like they would need to change records in DNS if either TCP or UDP protocols were disabled.

However if it is overly simple to detect and update records based on enabled protocols I am not against doing so.
""" See the full comment at https://github.com/freeipa/freeipa/pull/746#issuecomment-298032999 From freeipa-github-notification at redhat.com Fri Apr 28 15:46:19 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 28 Apr 2017 17:46:19 +0200 Subject: [Freeipa-devel] [freeipa PR#746][comment] KDC proxy URI records In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/746 Title: #746: KDC proxy URI records MartinBasti commented: """ @simo5 we don't support manual changes of IPA system records, it is regenerated automatically, so any manual changes are overwritten when: new replica is added/replica is removed/user executes manually `ipa dns-update-system-records` """ See the full comment at https://github.com/freeipa/freeipa/pull/746#issuecomment-298034002 From freeipa-github-notification at redhat.com Fri Apr 28 16:00:10 2017 From: freeipa-github-notification at redhat.com (simo5) Date: Fri, 28 Apr 2017 18:00:10 +0200 Subject: [Freeipa-devel] [freeipa PR#746][comment] KDC proxy URI records In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/746 Title: #746: KDC proxy URI records simo5 commented: """ @MartinBasti In this case we need a way to tell the system what are the priorities and which protocols are enabled, priorities are important too, admins need to be able to change them as they see fit. 
"""

See the full comment at https://github.com/freeipa/freeipa/pull/746#issuecomment-298037434

From freeipa-github-notification at redhat.com Fri Apr 28 16:06:46 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Fri, 28 Apr 2017 18:06:46 +0200
Subject: [Freeipa-devel] [freeipa PR#746][comment] KDC proxy URI records
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/746
Title: #746: KDC proxy URI records

MartinBasti commented:
"""
@simo5 not really a 4.5 material then
"""

See the full comment at https://github.com/freeipa/freeipa/pull/746#issuecomment-298039065

From freeipa-github-notification at redhat.com Fri Apr 28 16:14:16 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Fri, 28 Apr 2017 18:14:16 +0200
Subject: [Freeipa-devel] [freeipa PR#746][synchronized] KDC proxy URI records
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/746
Author: MartinBasti
Title: #746: KDC proxy URI records
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/746/head:pr746
git checkout pr746
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-746.patch
Type: text/x-diff
Size: 10339 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Fri Apr 28 16:15:26 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Fri, 28 Apr 2017 18:15:26 +0200
Subject: [Freeipa-devel] [freeipa PR#746][edited] KDC proxy URI records
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/746
Author: MartinBasti
Title: #746: KDC proxy URI records
Action: edited

Changed field: body
Original value:
"""
Automatic creation of KDC proxy URI records

Enables creation of following KDC proxy URL records per each replica:
```
_kerberos.example.com. IN URI "krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy"
_kpasswd.example.com. IN URI "krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy"
```

Records are created for each replica in topology as KDC proxy is enabled by default. (If KDC proxy is manually disabled this record will be created anyway)

URI records for kadmin discovery are not created because FreeIPA doesn't support kadmin.

See: https://k5wiki.kerberos.org/wiki/Projects/KDC_Discovery

https://pagure.io/freeipa/issue/6337

### TODO
- [x] Add URI records for 88/UDP, 88/TCP with higher priority to keep client asking directly KDC first
- [ ] Add URI records for HTTPS only when kdc proxy is enabled on server (requires to update server roles with role attribute KDC proxy)
- [ ] Update release notes
- `Postponed`: Fix https://pagure.io/freeipa/issue/6906 to allow enroll FreeIPA clients using HTTPS KDC proxy
"""

From freeipa-github-notification at redhat.com Fri Apr 28 19:34:16 2017
From: freeipa-github-notification at redhat.com (simo5)
Date: Fri, 28 Apr 2017 21:34:16 +0200
Subject: [Freeipa-devel] [freeipa PR#746][comment] KDC proxy URI records
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/746
Title: #746: KDC proxy URI records

simo5 commented:
"""
We can probably defer.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/746#issuecomment-298087667

From abokovoy at redhat.com Fri Apr 28 20:46:16 2017
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 28 Apr 2017 23:46:16 +0300
Subject: [Freeipa-devel] Blog post: Debugging FreeIPA 4.5 privilege separation code
Message-ID: <20170428204616.rwrattuiuwcsfvzm@redhat.com>

Hi,

Simo and I wrote an article on how to debug FreeIPA 4.5 privilege separation code. It is not about debugging, in fact, but on where to look for various types of logs and how to interpret them. The article also provides a high level explanation of how privilege separation in FreeIPA works and what it allows us to achieve.
You can read the article here: https://vda.li/en/docs/freeipa-debug-privsep/

--
/ Alexander Bokovoy

From awilliam at redhat.com Sat Apr 29 00:07:45 2017
From: awilliam at redhat.com (Adam Williamson)
Date: Fri, 28 Apr 2017 17:07:45 -0700
Subject: [Freeipa-devel] Automated Fedora update testing
Message-ID: <1493424465.2859.29.camel@redhat.com>

Hi folks! I thought this might be of interest to the FreeIPA community, so I thought I'd write it up here in case anyone missed it elsewhere.

I work on the Fedora QA team, and we have been using the openQA automated test system (developed by our friends at SUSE) to run various functional tests on Fedora composes for the last couple of years. As FreeIPA is considered a critical part of Fedora Server, we run a few tests that exercise FreeIPA. The tests set up a FreeIPA server, run some basic checks on it, and also enrol two systems as clients of the domain, one using the 'realm join' command directly, one using Cockpit. The client tests do some basic client functionality testing (getent, logging in as a domain user, changing passwords, etc.) and also test the web UI to some extent.

Until recently we ran these tests only on Fedora's nightly development release distribution composes. Recently, though, we deployed some enhancements to our openQA setup that let us run tests on Fedora distribution updates as well, and have the results made visible through the Fedora update system (Bodhi). The tests are automatically run on any critical path package, and as of today, they are also run on any update containing any of a manually-tended list of FreeIPA-related packages:

389-ds
389-ds-base
bind
bind-dyndb-ldap
certmonger
ding-libs
freeipa
krb5-server
pki-core
sssd
tomcat
cockpit

This means that for any Fedora update containing one of these or any critical path package, Fedora's openQA FreeIPA tests should run, and you should see the results in the Fedora update system (Bodhi).
You can see the results in Bodhi by clicking the Automated Updates tab for any update. For instance, here's a recent 389-ds-base update for Fedora 26:

https://bodhi.fedoraproject.org/updates/FEDORA-2017-15e2a038b2

If you look at the Automated Tests tab, you can see passes for:

update.server_role_deploy_domain_controller
update.realmd_join_cockpit
update.realmd_join_sssd

indicating that this update didn't cause any problems for FreeIPA. Clicking on any test result will take you to the openQA page for the test, where you can diagnose failures and so on (explaining how to do this is a bit beyond the scope of this mail, please do ask me if you're interested!)

I hope this stuff will help us avoid shipping updates that break FreeIPA (and other key components). If you have any questions, concerns, comments, or suggestions, please do ask!

To anticipate one question: you can cause *all* the tests for an update to be re-run by editing the update in any way (you don't have to change the package loadout, just changing a single character in the description or something will do). If you think just one test result is bogus and want it re-run, currently, you'll have to ask someone with the necessary power - either me or Jan Sedlak (garretraziel on IRC). I'm in North America and he's in Europe, so we should have most timezones covered between us. We're hoping to set up a better mechanism for this in future.

Note, if you're interested in the results for the nightly Fedora distribution composes, an email summary of the results for those is sent each time they're run to the Fedora test@ and devel@ lists, look for mails with "compose check report" in the subject. Any time any of the FreeIPA tests fails, the failure will be listed in the mail (passed tests are not specifically listed, just a count of them). I usually keep an eye on those results and analyze failures and file bugs, though.
--
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | XMPP: adamw AT happyassassin . net
http://www.happyassassin.net

From freeipa-github-notification at redhat.com Sat Apr 29 18:31:14 2017
From: freeipa-github-notification at redhat.com (realsobek)
Date: Sat, 29 Apr 2017 20:31:14 +0200
Subject: [Freeipa-devel] [freeipa PR#716][synchronized] Fix minor typos
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/716
Author: realsobek
Title: #716: Fix minor typos
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/716/head:pr716
git checkout pr716
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-716.patch
Type: text/x-diff
Size: 33994 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Sat Apr 29 20:36:02 2017
From: freeipa-github-notification at redhat.com (realsobek)
Date: Sat, 29 Apr 2017 22:36:02 +0200
Subject: [Freeipa-devel] [freeipa PR#716][synchronized] Fix minor typos
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/716
Author: realsobek
Title: #716: Fix minor typos
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/716/head:pr716
git checkout pr716
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-716.patch
Type: text/x-diff
Size: 33981 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Sat Apr 29 20:59:47 2017
From: freeipa-github-notification at redhat.com (realsobek)
Date: Sat, 29 Apr 2017 22:59:47 +0200
Subject: [Freeipa-devel] [freeipa PR#716][comment] Fix minor typos
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/716
Title: #716: Fix minor typos

realsobek commented:
"""
For some commits the titles were the same, but the contents were different. That was due to my working habit. The messy `git log` output was due to my attempts to fix the problems. `git rebase -i HEAD~27` worked wonders to beautify the commits. I can squash the two remaining commits, if required. `git push newbranch:fix-minor-typos` worked fine too.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/716#issuecomment-298194339
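
Added example, not part of any message in this archive and not FreeIPA's code: the `krb5srv:` URI targets quoted in the PR #746 description above, parsed and checked so that direct 88/UDP and 88/TCP entries sort ahead of the `kkdcp` proxy entry and the proxy target is an https URL. The function names and the priority and weight values are assumptions made for the illustration; the `flags:transport:residual` layout follows the MIT KDC Discovery page linked in that PR.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass(frozen=True)
class KdcUri:
    priority: int      # lower value is tried first, as with SRV records
    weight: int
    master: bool       # 'm' flag; matched case-insensitively here (assumption)
    transport: str     # udp, tcp or kkdcp
    residual: str      # host[:port] for udp/tcp, https URL for kkdcp

def parse_krb5_uri(priority, weight, target):
    """Parse one URI RDATA triple whose target is krb5srv:flags:transport:residual."""
    parts = target.split(":", 3)
    if len(parts) != 4 or parts[0].lower() != "krb5srv":
        raise ValueError("not a krb5srv URI: %r" % target)
    flags, transport, residual = parts[1], parts[2].lower(), parts[3]
    if transport == "kkdcp":
        url = urlsplit(residual)
        if url.scheme != "https" or not url.hostname:
            raise ValueError("kkdcp residual must be an https URL: %r" % residual)
    elif transport not in ("udp", "tcp") or not residual:
        raise ValueError("bad transport or host in %r" % target)
    return KdcUri(int(priority), int(weight), "m" in flags.lower(), transport, residual)

def order_for_client(records):
    """Order by priority only; weighted selection inside one priority is left out."""
    return sorted(records, key=lambda r: r.priority)

def direct_kdc_first(records):
    """True when every udp/tcp record has a lower priority value than every kkdcp one."""
    direct = [r.priority for r in records if r.transport != "kkdcp"]
    proxy = [r.priority for r in records if r.transport == "kkdcp"]
    return all(d < p for d in direct for p in proxy)

# Constructed sample: priorities and weights are illustrative, not taken from the PR.
SAMPLE = [
    (50, 100, "krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy"),
    (0, 100, "krb5srv:M:tcp:ipaserver.example.com"),
    (0, 100, "krb5srv:M:udp:ipaserver.example.com"),
]

if __name__ == "__main__":
    parsed = [parse_krb5_uri(*row) for row in SAMPLE]
    for rec in order_for_client(parsed):
        print(rec.priority, rec.transport, rec.residual)
    print("direct KDC first:", direct_kdc_first(parsed))
```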