From lslebodn at redhat.com Mon May 1 08:58:53 2017 From: lslebodn at redhat.com (Lukas Slebodnik) Date: Mon, 1 May 2017 10:58:53 +0200 Subject: [Freeipa-devel] Automated Fedora update testing In-Reply-To: <1493424465.2859.29.camel@redhat.com> References: <1493424465.2859.29.camel@redhat.com> Message-ID: <20170501085841.GA22762@10.4.128.1> On (28/04/17 17:07), Adam Williamson wrote: >Hi folks! I thought this might be of interest to the FreeIPA community, >so I thought I'd write it up here in case anyone missed it elsewhere. > >I work on the Fedora QA team, and we have been using the openQA >automated test system (developed by our friends at SUSE) to run various >functional tests on Fedora composes for the last couple of years. > >As FreeIPA is considered a critical part of Fedora Server, we run a few >tests that exercise FreeIPA. The tests set up a FreeIPA server, run >some basic checks on it, and also enrol two systems as clients of the >domain, one using the 'realm join' command directly, one using Cockpit. >The client tests do some basic client functionality testing (getent, >logging in as a domain user, changing passwords, etc.) and also test >the web UI to some extent. > >Until recently we ran these tests only on Fedora's nightly development >release distribution composes. Recently, though, we deployed some >enhancements to our openQA setup that let us run tests on Fedora >distribution updates as well, and have the results made visible through >the Fedora update system (Bodhi). The tests are automatically run on >any critical path package, and as of today, they are also run on any >update containing any of a manually-tended list of FreeIPA-related >packages: > >389-ds >389-ds-base >bind >bind-dyndb-ldap >certmonger >ding-libs >freeipa >krb5-server >pki-core >sssd >tomcat >cockpit > >This means that for any Fedora update containing one of these or any >critical path package, Fedora's openQA FreeIPA tests should run, and >you should see the results in the Fedora update system (Bodhi). You can >see the results in Bodhi by clicking the Automated Updates tab for any >update. For instance, here's a recent 389-ds-base update for Fedora 26: > >https://bodhi.fedoraproject.org/updates/FEDORA-2017-15e2a038b2 > >If you look at the Automated Tests tab, you can see passes for: > >update.server_role_deploy_domain_controller >update.realmd_join_cockpit >update.realmd_join_sssd > >indicating that this update didn't cause any problems for FreeIPA. >Clicking on any test result will take you to the openQA page for the >test, where you can diagnose failures and so on (explaining how to do >this is a bit beyond the scope of this mail, please do ask me if you're >interested!) > >I hope this stuff will help us avoid shipping updates that break >FreeIPA (and other key components). If you have any questions, >concerns, comments, or suggestions, please do ask! > >To anticipate one question: you can cause *all* the tests for an update >to be re-run by editing the update in any way (you don't have to change >the package loadout, just changing a single character in the >description or something will do). If you think just one test result is >bogus and want it re-run, currently, you'll have to ask someone with >the necessary power - either me or Jan Sedlak (garretraziel on IRC). >I'm in North America and he's in Europe, so we should have most >timezones covered between us. We're hoping to set up a better mechanism >for this in future. > >Note, if you're interested in the results for the nightly Fedora >distribution composes, an email summary of the results for those is >sent each time they're run to the Fedora test@ and devel@ lists, look >for mails with "compose check report" in the subject. Any time any of >the FreeIPA tests fails, the failure will be listed in the mail (passed >tests are not specifically listed, just a count of them). I usually >keep an eye on those results and analyze failures and file bugs, >though. Tested with sssd and it passed as well. https://bodhi.fedoraproject.org/updates/FEDORA-2017-8addfc0188 freeIPA has also upstream integration tests packaged in python{2,3}-ipatests. They use pytest + python-pytest-multihost. Will it be possible to run some of them in openQA? e.g. test_installation.py ( LS From simo at redhat.com Mon May 1 15:32:06 2017 From: simo at redhat.com (Simo Sorce) Date: Mon, 01 May 2017 11:32:06 -0400 Subject: [Freeipa-devel] Automated Fedora update testing In-Reply-To: <1493424465.2859.29.camel@redhat.com> References: <1493424465.2859.29.camel@redhat.com> Message-ID: <1493652726.8926.41.camel@redhat.com> Top posting FTW! (sorry) Excellent news Adam, this is awesome! Simo. On Fri, 2017-04-28 at 17:07 -0700, Adam Williamson wrote: > Hi folks! I thought this might be of interest to the FreeIPA > community, > so I thought I'd write it up here in case anyone missed it elsewhere. > > I work on the Fedora QA team, and we have been using the openQA > automated test system (developed by our friends at SUSE) to run > various > functional tests on Fedora composes for the last couple of years. > > As FreeIPA is considered a critical part of Fedora Server, we run a > few > tests that exercise FreeIPA. The tests set up a FreeIPA server, run > some basic checks on it, and also enrol two systems as clients of the > domain, one using the 'realm join' command directly, one using > Cockpit. > The client tests do some basic client functionality testing (getent, > logging in as a domain user, changing passwords, etc.) and also test > the web UI to some extent. > > Until recently we ran these tests only on Fedora's nightly > development > release distribution composes. Recently, though, we deployed some > enhancements to our openQA setup that let us run tests on Fedora > distribution updates as well, and have the results made visible > through > the Fedora update system (Bodhi). The tests are automatically run on > any critical path package, and as of today, they are also run on any > update containing any of a manually-tended list of FreeIPA-related > packages: > > 389-ds > 389-ds-base > bind > bind-dyndb-ldap > certmonger > ding-libs > freeipa > krb5-server > pki-core > sssd > tomcat > cockpit > > This means that for any Fedora update containing one of these or any > critical path package, Fedora's openQA FreeIPA tests should run, and > you should see the results in the Fedora update system (Bodhi). You > can > see the results in Bodhi by clicking the Automated Updates tab for > any > update. For instance, here's a recent 389-ds-base update for Fedora > 26: > > https://bodhi.fedoraproject.org/updates/FEDORA-2017-15e2a038b2 > > If you look at the Automated Tests tab, you can see passes for: > > update.server_role_deploy_domain_controller > update.realmd_join_cockpit > update.realmd_join_sssd > > indicating that this update didn't cause any problems for FreeIPA. > Clicking on any test result will take you to the openQA page for the > test, where you can diagnose failures and so on (explaining how to do > this is a bit beyond the scope of this mail, please do ask me if > you're > interested!) > > I hope this stuff will help us avoid shipping updates that break > FreeIPA (and other key components). If you have any questions, > concerns, comments, or suggestions, please do ask! > > To anticipate one question: you can cause *all* the tests for an > update > to be re-run by editing the update in any way (you don't have to > change > the package loadout, just changing a single character in the > description or something will do). If you think just one test result > is > bogus and want it re-run, currently, you'll have to ask someone with > the necessary power - either me or Jan Sedlak (garretraziel on IRC). > I'm in North America and he's in Europe, so we should have most > timezones covered between us. We're hoping to set up a better > mechanism > for this in future. > > Note, if you're interested in the results for the nightly Fedora > distribution composes, an email summary of the results for those is > sent each time they're run to the Fedora test@ and devel@ lists, look > for mails with "compose check report" in the subject. Any time any of > the FreeIPA tests fails, the failure will be listed in the mail > (passed > tests are not specifically listed, just a count of them). I usually > keep an eye on those results and analyze failures and file bugs, > though. > --? > Adam Williamson > Fedora QA Community Monkey > IRC: adamw | Twitter: AdamW_Fedora | XMPP: adamw AT happyassassin . > net > http://www.happyassassin.net > From awilliam at redhat.com Mon May 1 16:26:13 2017 From: awilliam at redhat.com (Adam Williamson) Date: Mon, 01 May 2017 09:26:13 -0700 Subject: [Freeipa-devel] Automated Fedora update testing In-Reply-To: <20170501085841.GA22762@10.4.128.1> References: <1493424465.2859.29.camel@redhat.com> <20170501085841.GA22762@10.4.128.1> Message-ID: <1493655973.2859.41.camel@redhat.com> On Mon, 2017-05-01 at 10:58 +0200, Lukas Slebodnik wrote: > > Tested with sssd and it passed as well. > https://bodhi.fedoraproject.org/updates/FEDORA-2017-8addfc0188 > > freeIPA has also upstream integration tests packaged in > python{2,3}-ipatests. They use pytest + python-pytest-multihost. > > Will it be possible to run some of them in openQA? > e.g. test_installation.py ( I'd have to look into how they work in more detail (I haven't used pytest-multihost before). There is always a question of whether it's more appropriate to run something in openQA or Taskotron, and openQA has some capacity limitations. How long do these tests take? -- Adam Williamson Fedora QA Community Monkey IRC: adamw | Twitter: AdamW_Fedora | XMPP: adamw AT happyassassin . net http://www.happyassassin.net From freeipa-github-notification at redhat.com Tue May 2 07:30:39 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Tue, 02 May 2017 09:30:39 +0200 Subject: [Freeipa-devel] [freeipa PR#729][synchronized] Turn on NSSOCSP check in mod_nss conf In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/729 Author: pvomacka Title: #729: Turn on NSSOCSP check in mod_nss conf Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/729/head:pr729 git checkout pr729 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-729.patch Type: text/x-diff Size: 6957 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue May 2 07:40:59 2017 From: freeipa-github-notification at redhat.com (pvoborni) Date: Tue, 02 May 2017 09:40:59 +0200 Subject: [Freeipa-devel] [freeipa PR#679][comment] Make sure remote hosts have our keys In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/679 Title: #679: Make sure remote hosts have our keys pvoborni commented: """ What is this PR waiting for? """ See the full comment at https://github.com/freeipa/freeipa/pull/679#issuecomment-298530908 From freeipa-github-notification at redhat.com Tue May 2 07:49:25 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 02 May 2017 09:49:25 +0200 Subject: [Freeipa-devel] [freeipa PR#679][comment] Make sure remote hosts have our keys In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/679 Title: #679: Make sure remote hosts have our keys stlaz commented: """ I was expecting some action about my previous comment: > Fails with > 2017-04-12T14:16:14Z DEBUG The ipa-replica-install command failed, exception: ValueError: Incorrect number of results (0) searching forpublic key for host/vm-225.abc.idm.lab.eng.brq.redhat.com at DOM-096.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM > on first replica, every try. I did not see any change in code to fix this but I can try again. """ See the full comment at https://github.com/freeipa/freeipa/pull/679#issuecomment-298534740 From freeipa-github-notification at redhat.com Tue May 2 08:29:22 2017 From: freeipa-github-notification at redhat.com (flo-renaud) Date: Tue, 02 May 2017 10:29:22 +0200 Subject: [Freeipa-devel] [freeipa PR#751][opened] ipa-client-install: remove extra space in pkinit_anchors definition Message-ID: URL: https://github.com/freeipa/freeipa/pull/751 Author: flo-renaud Title: #751: ipa-client-install: remove extra space in pkinit_anchors definition Action: opened PR body: """ ipa-client-install modifies /etc/krb5.conf and defines the following line: pkinit_anchors = FILE: /etc/ipa/ca.crt The extra space between FILE: and /etc/ipa/ca.crt break pkinit. https://pagure.io/freeipa/issue/6916 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/751/head:pr751 git checkout pr751 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-751.patch Type: text/x-diff Size: 1085 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue May 2 09:26:48 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 02 May 2017 11:26:48 +0200 Subject: [Freeipa-devel] [freeipa PR#741][synchronized] 6.9 -> 7.4 migration fixes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/741 Author: stlaz Title: #741: 6.9 -> 7.4 migration fixes Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/741/head:pr741 git checkout pr741 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-741.patch Type: text/x-diff Size: 4987 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue May 2 09:36:51 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 02 May 2017 11:36:51 +0200 Subject: [Freeipa-devel] [freeipa PR#741][synchronized] 6.9 -> 7.4 migration fixes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/741 Author: stlaz Title: #741: 6.9 -> 7.4 migration fixes Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/741/head:pr741 git checkout pr741 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-741.patch Type: text/x-diff Size: 5075 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue May 2 09:48:43 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Tue, 02 May 2017 11:48:43 +0200 Subject: [Freeipa-devel] [freeipa PR#729][synchronized] Turn on NSSOCSP check in mod_nss conf In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/729 Author: pvomacka Title: #729: Turn on NSSOCSP check in mod_nss conf Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/729/head:pr729 git checkout pr729 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-729.patch Type: text/x-diff Size: 6955 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue May 2 10:01:14 2017 From: freeipa-github-notification at redhat.com (abbra) Date: Tue, 02 May 2017 12:01:14 +0200 Subject: [Freeipa-devel] [freeipa PR#751][comment] ipa-client-install: remove extra space in pkinit_anchors definition In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/751 Title: #751: ipa-client-install: remove extra space in pkinit_anchors definition abbra commented: """ LGTM. For the record, this is broken since cf1c4e84e74ea15fe5cf7219872cf131bd53281e which is in 4.5.0 release. So we need to backport this to 4.5 branch. """ See the full comment at https://github.com/freeipa/freeipa/pull/751#issuecomment-298587034 From freeipa-github-notification at redhat.com Tue May 2 10:01:32 2017 From: freeipa-github-notification at redhat.com (abbra) Date: Tue, 02 May 2017 12:01:32 +0200 Subject: [Freeipa-devel] [freeipa PR#751][+ack] ipa-client-install: remove extra space in pkinit_anchors definition In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/751 Title: #751: ipa-client-install: remove extra space in pkinit_anchors definition Label: +ack From freeipa-github-notification at redhat.com Tue May 2 10:10:18 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Tue, 02 May 2017 12:10:18 +0200 Subject: [Freeipa-devel] [freeipa PR#729][synchronized] Turn on NSSOCSP check in mod_nss conf In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/729 Author: pvomacka Title: #729: Turn on NSSOCSP check in mod_nss conf Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/729/head:pr729 git checkout pr729 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-729.patch Type: text/x-diff Size: 6955 bytes Desc: not available URL: From slaznick at redhat.com Tue May 2 10:57:39 2017 From: slaznick at redhat.com (Standa Laznicka) Date: Tue, 2 May 2017 12:57:39 +0200 Subject: [Freeipa-devel] "blocker" tag for pull request In-Reply-To: References: <3344f815-4060-790f-5028-830bf3373d4c@redhat.com> <385c9b72-e29c-7ecd-6ce9-e72ff61c54b1@redhat.com> Message-ID: <83d6d9af-fde7-6776-5448-cb207b6e8a98@redhat.com> On 04/28/2017 02:41 PM, Martin Ba?ti wrote: > > > > On 28.04.2017 14:17, Tomas Krizek wrote: >> On 04/28/2017 10:15 AM, Petr Vobornik wrote: >>> Hi all, >>> >>> I created "blocker" tag for FreeIPA Git Hub PRs. >>> >>> It is should be used to mark PRs which solves test blocker or other >>> functional blockers - e.g. blocks creation of demo. I.e. should be >>> used rather rarely. >>> >>> I don't like the tag name, but I couldn't find better. >> I think we could use the name "high-priority". It could have other uses >> besides marking a blocker, e.g. requesting prompt execution of tests in >> PR CI. > Sounds good or maybe "prioritized", IMHO "blocker" word is overused. > >>> Note: blocker priority in pagure doesn't imply blocker tag in PR. But >>> testblocker tag in pagure does. Actually I'm thinking about changing >>> Pagure priority names to: "highest, high, medium, low, patchwelcome" >>> >> +1, but I'd prefer "critical" instead of "highest" >> >> >> > +1 for critical > > pyldap uses "help wanted" instead "patchwelcome", it sounds better to > me. I'd use it as separate tag instead of priority. Even high > prioritized issues can be made by contributors in early phase of > development if they are easy enough. > > Martin^2 > -- > Martin Ba?ti > Software Engineer > Red Hat Czech > > +1 for critical; +1 for "help wanted", reasons: - "patchwelcome" sounds strange, and strange is an understatement here (also, are you afraid of 2 word tags?) - "help wanted" is much more humble, "patches welcome" is a common cry when you just don't care enough to fix it yourself, and I don't believe that's the message we want to be sending outside -------------- next part -------------- An HTML attachment was scrubbed... URL: From freeipa-github-notification at redhat.com Tue May 2 11:28:53 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 02 May 2017 13:28:53 +0200 Subject: [Freeipa-devel] [freeipa PR#741][comment] 6.9 -> 7.4 migration fixes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/741 Title: #741: 6.9 -> 7.4 migration fixes MartinBasti commented: """ It failed to me ``` [20/28]: Configure HTTP to proxy connections [21/28]: restarting certificate server [22/28]: migrating certificate profiles to LDAP [error] NetworkError: cannot connect to 'https://vm-058-166.abc.idm.lab.eng.brq.redhat.com:8443/ca/rest/account/login': [Errno 111] Connection refused Your system may be partly configured. ``` """ See the full comment at https://github.com/freeipa/freeipa/pull/741#issuecomment-298609873 From freeipa-github-notification at redhat.com Tue May 2 11:31:31 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 02 May 2017 13:31:31 +0200 Subject: [Freeipa-devel] [freeipa PR#741][comment] 6.9 -> 7.4 migration fixes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/741 Title: #741: 6.9 -> 7.4 migration fixes stlaz commented: """ This was supposed to be fixed by the patch and worked for me, it seems that I may need to investigate it further. """ See the full comment at https://github.com/freeipa/freeipa/pull/741#issuecomment-298610326 From freeipa-github-notification at redhat.com Tue May 2 11:40:36 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 02 May 2017 13:40:36 +0200 Subject: [Freeipa-devel] [freeipa PR#734][+ack] kerberos session: use CA cert with full cert chain for obtaining cookie In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/734 Title: #734: kerberos session: use CA cert with full cert chain for obtaining cookie Label: +ack From freeipa-github-notification at redhat.com Tue May 2 11:41:45 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 02 May 2017 13:41:45 +0200 Subject: [Freeipa-devel] [freeipa PR#750][+pushed] Fixed typo in ipa-client-install help output In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/750 Title: #750: Fixed typo in ipa-client-install help output Label: +pushed From freeipa-github-notification at redhat.com Tue May 2 11:41:48 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 02 May 2017 13:41:48 +0200 Subject: [Freeipa-devel] [freeipa PR#750][comment] Fixed typo in ipa-client-install help output In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/750 Title: #750: Fixed typo in ipa-client-install help output MartinBasti commented: """ master: * e3f849d541e8d054b0932d8ec1bd4c836e53c6f0 Fixed typo in ipa-client-install output """ See the full comment at https://github.com/freeipa/freeipa/pull/750#issuecomment-298612165 From freeipa-github-notification at redhat.com Tue May 2 11:41:52 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 02 May 2017 13:41:52 +0200 Subject: [Freeipa-devel] [freeipa PR#750][closed] Fixed typo in ipa-client-install help output In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/750 Author: tscherf Title: #750: Fixed typo in ipa-client-install help output Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/750/head:pr750 git checkout pr750 From freeipa-github-notification at redhat.com Tue May 2 11:43:34 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 02 May 2017 13:43:34 +0200 Subject: [Freeipa-devel] [freeipa PR#734][+pushed] kerberos session: use CA cert with full cert chain for obtaining cookie In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/734 Title: #734: kerberos session: use CA cert with full cert chain for obtaining cookie Label: +pushed From freeipa-github-notification at redhat.com Tue May 2 11:43:37 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 02 May 2017 13:43:37 +0200 Subject: [Freeipa-devel] [freeipa PR#734][comment] kerberos session: use CA cert with full cert chain for obtaining cookie In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/734 Title: #734: kerberos session: use CA cert with full cert chain for obtaining cookie MartinBasti commented: """ master: * c19196a0d3fc0a38c4c83cb8a7fde56e6bc310af kerberos session: use CA cert with full cert chain for obtaining cookie ipa-4-5: * 82679c11f1fc0701d753433d1f2d14c3ee0279af kerberos session: use CA cert with full cert chain for obtaining cookie """ See the full comment at https://github.com/freeipa/freeipa/pull/734#issuecomment-298612483 From freeipa-github-notification at redhat.com Tue May 2 11:43:40 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 02 May 2017 13:43:40 +0200 Subject: [Freeipa-devel] [freeipa PR#734][closed] kerberos session: use CA cert with full cert chain for obtaining cookie In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/734 Author: pvoborni Title: #734: kerberos session: use CA cert with full cert chain for obtaining cookie Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/734/head:pr734 git checkout pr734 From freeipa-github-notification at redhat.com Tue May 2 11:47:34 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 02 May 2017 13:47:34 +0200 Subject: [Freeipa-devel] [freeipa PR#751][+pushed] ipa-client-install: remove extra space in pkinit_anchors definition In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/751 Title: #751: ipa-client-install: remove extra space in pkinit_anchors definition Label: +pushed From freeipa-github-notification at redhat.com Tue May 2 11:47:38 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 02 May 2017 13:47:38 +0200 Subject: [Freeipa-devel] [freeipa PR#751][comment] ipa-client-install: remove extra space in pkinit_anchors definition In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/751 Title: #751: ipa-client-install: remove extra space in pkinit_anchors definition MartinBasti commented: """ master: * 26dbab1fd4384b8f3999b153c2d94220cf541ad2 ipa-client-install: remove extra space in pkinit_anchors definition ipa-4-5: * a3c4e70650dbcd5dd3f00a7b2fecc051afeebec0 ipa-client-install: remove extra space in pkinit_anchors definition """ See the full comment at https://github.com/freeipa/freeipa/pull/751#issuecomment-298613205 From freeipa-github-notification at redhat.com Tue May 2 11:47:41 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 02 May 2017 13:47:41 +0200 Subject: [Freeipa-devel] [freeipa PR#751][closed] ipa-client-install: remove extra space in pkinit_anchors definition In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/751 Author: flo-renaud Title: #751: ipa-client-install: remove extra space in pkinit_anchors definition Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/751/head:pr751 git checkout pr751 From freeipa-github-notification at redhat.com Tue May 2 12:24:36 2017 From: freeipa-github-notification at redhat.com (flo-renaud) Date: Tue, 02 May 2017 14:24:36 +0200 Subject: [Freeipa-devel] [freeipa PR#729][comment] Turn on NSSOCSP check in mod_nss conf In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/729 Title: #729: Turn on NSSOCSP check in mod_nss conf flo-renaud commented: """ Hi @pvomacka I tested your last update with a new install and with an upgraded instance, and both are functionally OK. Revoked certs do not allow to access IPA Web UI. """ See the full comment at https://github.com/freeipa/freeipa/pull/729#issuecomment-298620370 From freeipa-github-notification at redhat.com Tue May 2 12:56:10 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 02 May 2017 14:56:10 +0200 Subject: [Freeipa-devel] [freeipa PR#723][+rejected] Store GSSAPI session key in /var/run/httpd In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/723 Title: #723: Store GSSAPI session key in /var/run/httpd Label: +rejected From freeipa-github-notification at redhat.com Tue May 2 12:56:32 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 02 May 2017 14:56:32 +0200 Subject: [Freeipa-devel] [freeipa PR#723][comment] Store GSSAPI session key in /var/run/httpd In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/723 Title: #723: Store GSSAPI session key in /var/run/httpd MartinBasti commented: """ The issue will be fixed on the SELinux side """ See the full comment at https://github.com/freeipa/freeipa/pull/723#issuecomment-298627474 From freeipa-github-notification at redhat.com Tue May 2 12:56:38 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 02 May 2017 14:56:38 +0200 Subject: [Freeipa-devel] [freeipa PR#723][closed] Store GSSAPI session key in /var/run/httpd In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/723 Author: MartinBasti Title: #723: Store GSSAPI session key in /var/run/httpd Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/723/head:pr723 git checkout pr723 From freeipa-github-notification at redhat.com Tue May 2 13:13:39 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 02 May 2017 15:13:39 +0200 Subject: [Freeipa-devel] [freeipa PR#741][synchronized] 6.9 -> 7.4 migration fixes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/741 Author: stlaz Title: #741: 6.9 -> 7.4 migration fixes Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/741/head:pr741 git checkout pr741 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-741.patch Type: text/x-diff Size: 6542 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue May 2 13:14:19 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 02 May 2017 15:14:19 +0200 Subject: [Freeipa-devel] [freeipa PR#741][comment] 6.9 -> 7.4 migration fixes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/741 Title: #741: 6.9 -> 7.4 migration fixes stlaz commented: """ Turns out I forgot to reorder the CA installation steps a bit. """ See the full comment at https://github.com/freeipa/freeipa/pull/741#issuecomment-298631763 From freeipa-github-notification at redhat.com Tue May 2 15:13:13 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 02 May 2017 17:13:13 +0200 Subject: [Freeipa-devel] [freeipa PR#729][comment] Turn on NSSOCSP check in mod_nss conf In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/729 Title: #729: Turn on NSSOCSP check in mod_nss conf MartinBasti commented: """ augeas should be dependency of python2-ipaserver and python3-ipaserver (python3-augeas) packages ``` ************* Module ipaserver.install.httpinstance ipaserver/install/httpinstance.py:32: [E0401(import-error), ] Unable to import 'augeas') ``` """ See the full comment at https://github.com/freeipa/freeipa/pull/729#issuecomment-298665396 From freeipa-github-notification at redhat.com Tue May 2 15:25:14 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Tue, 02 May 2017 17:25:14 +0200 Subject: [Freeipa-devel] [freeipa PR#729][synchronized] Turn on NSSOCSP check in mod_nss conf In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/729 Author: pvomacka Title: #729: Turn on NSSOCSP check in mod_nss conf Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/729/head:pr729 git checkout pr729 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-729.patch Type: text/x-diff Size: 7160 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue May 2 15:25:22 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Tue, 02 May 2017 17:25:22 +0200 Subject: [Freeipa-devel] [freeipa PR#729][comment] Turn on NSSOCSP check in mod_nss conf In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/729 Title: #729: Turn on NSSOCSP check in mod_nss conf pvomacka commented: """ Hello @flo-renaud, thank you for testing this. Hello @MartinBasti, thank you for review. I just fixed that. """ See the full comment at https://github.com/freeipa/freeipa/pull/729#issuecomment-298668970 From freeipa-github-notification at redhat.com Tue May 2 15:30:34 2017 From: freeipa-github-notification at redhat.com (felipevolpone) Date: Tue, 02 May 2017 17:30:34 +0200 Subject: [Freeipa-devel] [freeipa PR#736][synchronized] Fixing the cert-request command comparing whole email address case-sensitively. In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/736 Author: felipevolpone Title: #736: Fixing the cert-request command comparing whole email address case-sensitively. Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/736/head:pr736 git checkout pr736 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-736.patch Type: text/x-diff Size: 8600 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue May 2 15:33:00 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 02 May 2017 17:33:00 +0200 Subject: [Freeipa-devel] [freeipa PR#741][+ack] 6.9 -> 7.4 migration fixes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/741 Title: #741: 6.9 -> 7.4 migration fixes Label: +ack From freeipa-github-notification at redhat.com Tue May 2 15:35:16 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 02 May 2017 17:35:16 +0200 Subject: [Freeipa-devel] [freeipa PR#741][+pushed] 6.9 -> 7.4 migration fixes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/741 Title: #741: 6.9 -> 7.4 migration fixes Label: +pushed From freeipa-github-notification at redhat.com Tue May 2 15:35:24 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 02 May 2017 17:35:24 +0200 Subject: [Freeipa-devel] [freeipa PR#741][comment] 6.9 -> 7.4 migration fixes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/741 Title: #741: 6.9 -> 7.4 migration fixes MartinBasti commented: """ master: * 0d406fcb784924bfe685729f3156efb8c902b947 Refresh Dogtag RestClient.ca_host property * 92313c9e9d37733feb79d1b1c825178f48d6c69c Remove the cachedproperty class ipa-4-5: * 32981a0f9d0ff699e3d16da8f5a37c112871ba3a Refresh Dogtag RestClient.ca_host property * 9de343987e6d76d2edeba372c73c1060657aef59 Remove the cachedproperty class """ See the full comment at https://github.com/freeipa/freeipa/pull/741#issuecomment-298671871 From freeipa-github-notification at redhat.com Tue May 2 15:35:31 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 02 May 2017 17:35:31 +0200 Subject: [Freeipa-devel] [freeipa PR#741][closed] 6.9 -> 7.4 migration fixes In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/741 Author: stlaz Title: #741: 6.9 -> 7.4 migration fixes Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/741/head:pr741 git checkout pr741 From freeipa-github-notification at redhat.com Tue May 2 15:42:20 2017 From: freeipa-github-notification at redhat.com (felipevolpone) Date: Tue, 02 May 2017 17:42:20 +0200 Subject: [Freeipa-devel] [freeipa PR#736][comment] Fixing the cert-request command comparing whole email address case-sensitively. In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/736 Title: #736: Fixing the cert-request command comparing whole email address case-sensitively. felipevolpone commented: """ @frasertweedale I did the check in SAN extension. However, I'm not sure if these are valid situations: Case 1) The principal email is A at email.com The email in the certificate is B at email.com The emails in the SAN extensions are: A at email.com, C at email.com or this: Case 2) The principal email is A at email.com The email in the certificate is B at email.com, A at email.com The email in the SAN extensions is: C at email.com If the case 1 is valid, the check in line 799 (below) is not right, because it expects that all emails in SAN extension are in the principal. ```python elif isinstance(gn, cryptography.x509.general_name.RFC822Name): if principal_type == USER: if principal_obj and gn.value not in principal_obj.get( 'mail', []): raise errors.ValidationError( name='csr', error=_( "RFC822Name does not match " "any of user's email addresses") ) else: raise errors.ValidationError( name='csr', error=_( "subject alt name type %s is forbidden " "for non-user principals") % "RFC822Name" ``` """ See the full comment at https://github.com/freeipa/freeipa/pull/736#issuecomment-298673966 From freeipa-github-notification at redhat.com Tue May 2 15:45:07 2017 From: freeipa-github-notification at redhat.com (felipevolpone) Date: Tue, 02 May 2017 17:45:07 +0200 Subject: [Freeipa-devel] [freeipa PR#736][synchronized] Fixing the cert-request command comparing whole email address case-sensitively. In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/736 Author: felipevolpone Title: #736: Fixing the cert-request command comparing whole email address case-sensitively. Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/736/head:pr736 git checkout pr736 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-736.patch Type: text/x-diff Size: 10176 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue May 2 15:46:04 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 02 May 2017 17:46:04 +0200 Subject: [Freeipa-devel] [freeipa PR#671][comment] Slim down dependencies In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/671 Title: #671: Slim down dependencies MartinBasti commented: """ Due missing jinja, tox tests failed ``` ERROR: py27: commands failed ERROR: py35: commands failed ERROR: py36: commands failed ERROR: pylint2: commands failed ERROR: pylint3: commands failed ``` Tests ``` ImportError while importing test module '/tmp/freeipa/.tox/py36/lib/python3.6/site-packages/ipatests/test_ipaclient/test_csrgen.py'. Hint: make sure your test modules/packages have valid Python names. Traceback: test_ipaclient/test_csrgen.py:8: in from ipaclient import csrgen ../ipaclient/csrgen.py:23: in import jinja2 E ModuleNotFoundError: No module named 'jinja2' ``` pylint ``` ************* Module ipaclient.csrgen lib/python3.5/site-packages/ipaclient/csrgen.py:23: [E0401(import-error), ] Unable to import 'jinja2') lib/python3.5/site-packages/ipaclient/csrgen.py:24: [E0401(import-error), ] Unable to import 'jinja2.ext') lib/python3.5/site-packages/ipaclient/csrgen.py:25: [E0401(import-error), ] Unable to import 'jinja2.sandbox') ``` """ See the full comment at https://github.com/freeipa/freeipa/pull/671#issuecomment-298675008 From freeipa-github-notification at redhat.com Tue May 2 16:08:38 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 02 May 2017 18:08:38 +0200 Subject: [Freeipa-devel] [freeipa PR#679][comment] Make sure remote hosts have our keys In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/679 Title: #679: Make sure remote hosts have our keys stlaz commented: """ Still fails. """ See the full comment at https://github.com/freeipa/freeipa/pull/679#issuecomment-298681896 From freeipa-github-notification at redhat.com Tue May 2 16:38:47 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 02 May 2017 18:38:47 +0200 Subject: [Freeipa-devel] [freeipa PR#729][comment] Turn on NSSOCSP check in mod_nss conf In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/729 Title: #729: Turn on NSSOCSP check in mod_nss conf MartinBasti commented: """ And you also need python[3]-augeas as Pylint BuildDependency to pass pylint :), sorry I forgot about it. """ See the full comment at https://github.com/freeipa/freeipa/pull/729#issuecomment-298690276 From freeipa-github-notification at redhat.com Tue May 2 16:41:34 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 02 May 2017 18:41:34 +0200 Subject: [Freeipa-devel] [freeipa PR#729][comment] Turn on NSSOCSP check in mod_nss conf In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/729 Title: #729: Turn on NSSOCSP check in mod_nss conf MartinBasti commented: """ And you also need to add it in `ipaserver/setup.py` as dependency for our PyPI packages """ See the full comment at https://github.com/freeipa/freeipa/pull/729#issuecomment-298691022 From freeipa-github-notification at redhat.com Tue May 2 17:34:53 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Tue, 02 May 2017 19:34:53 +0200 Subject: [Freeipa-devel] [freeipa PR#752][opened] upgrade: add missing DN suffix when enabling KDC proxy Message-ID: URL: https://github.com/freeipa/freeipa/pull/752 Author: tomaskrizek Title: #752: upgrade: add missing DN suffix when enabling KDC proxy Action: opened PR body: """ This issue prevented from upgrading from IPA 4.1. I also discovered a missing python dependency when I was running the ipa-server-upgrade manually. For packagers: the Python version that has the required symbols in CentOS is 2.7.5-24 https://pagure.io/freeipa/issue/6920 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/752/head:pr752 git checkout pr752 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-752.patch Type: text/x-diff Size: 2902 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue May 2 18:31:33 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 02 May 2017 20:31:33 +0200 Subject: [Freeipa-devel] [freeipa PR#753][opened] Check CA status: add HTTP timeout Message-ID: URL: https://github.com/freeipa/freeipa/pull/753 Author: MartinBasti Title: #753: Check CA status: add HTTP timeout Action: opened PR body: """ https://pagure.io/freeipa/issue/6766 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/753/head:pr753 git checkout pr753 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-753.patch Type: text/x-diff Size: 4466 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue May 2 19:20:04 2017 From: freeipa-github-notification at redhat.com (simo5) Date: Tue, 02 May 2017 21:20:04 +0200 Subject: [Freeipa-devel] [freeipa PR#679][comment] Make sure remote hosts have our keys In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/679 Title: #679: Make sure remote hosts have our keys simo5 commented: """ Can you please attach more of the logs before the failure ? """ See the full comment at https://github.com/freeipa/freeipa/pull/679#issuecomment-298734189 From freeipa-github-notification at redhat.com Tue May 2 20:19:01 2017 From: freeipa-github-notification at redhat.com (simo5) Date: Tue, 02 May 2017 22:19:01 +0200 Subject: [Freeipa-devel] [freeipa PR#679][comment] Make sure remote hosts have our keys In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/679 Title: #679: Make sure remote hosts have our keys simo5 commented: """ @stlaz just FYI, I am sking this info because I cannot reproduce locally with a single replica. """ See the full comment at https://github.com/freeipa/freeipa/pull/679#issuecomment-298748943 From freeipa-github-notification at redhat.com Tue May 2 20:23:21 2017 From: freeipa-github-notification at redhat.com (simo5) Date: Tue, 02 May 2017 22:23:21 +0200 Subject: [Freeipa-devel] [freeipa PR#679][comment] Make sure remote hosts have our keys In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/679 Title: #679: Make sure remote hosts have our keys simo5 commented: """ Nevermind I finally reproduced """ See the full comment at https://github.com/freeipa/freeipa/pull/679#issuecomment-298750030 From freeipa-github-notification at redhat.com Tue May 2 21:28:55 2017 From: freeipa-github-notification at redhat.com (simo5) Date: Tue, 02 May 2017 23:28:55 +0200 Subject: [Freeipa-devel] [freeipa PR#679][synchronized] Make sure remote hosts have our keys In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/679 Author: simo5 Title: #679: Make sure remote hosts have our keys Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/679/head:pr679 git checkout pr679 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-679.patch Type: text/x-diff Size: 4272 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue May 2 21:30:50 2017 From: freeipa-github-notification at redhat.com (simo5) Date: Tue, 02 May 2017 23:30:50 +0200 Subject: [Freeipa-devel] [freeipa PR#679][comment] Make sure remote hosts have our keys In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/679 Title: #679: Make sure remote hosts have our keys simo5 commented: """ Turned out my master had some more relaxed permissions I added when developing the feature. I now have added a new function to just check for the host keys without asking for data that cannot be read with the identity we have available. This has been tested and seems to work correctly. Please check @stlaz """ See the full comment at https://github.com/freeipa/freeipa/pull/679#issuecomment-298767350 From freeipa-github-notification at redhat.com Wed May 3 06:06:57 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Wed, 03 May 2017 08:06:57 +0200 Subject: [Freeipa-devel] [freeipa PR#679][comment] Make sure remote hosts have our keys In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/679 Title: #679: Make sure remote hosts have our keys stlaz commented: """ @simo5 will check, sorry for not replying yesterday, I was no more at my machine. """ See the full comment at https://github.com/freeipa/freeipa/pull/679#issuecomment-298829885 From pvoborni at redhat.com Wed May 3 07:26:57 2017 From: pvoborni at redhat.com (Petr Vobornik) Date: Wed, 3 May 2017 09:26:57 +0200 Subject: [Freeipa-devel] Automated Fedora update testing In-Reply-To: <1493424465.2859.29.camel@redhat.com> References: <1493424465.2859.29.camel@redhat.com> Message-ID: <7ce89967-8954-28ef-78fc-088bbf478661@redhat.com> On 04/29/2017 02:07 AM, Adam Williamson wrote: > Hi folks! I thought this might be of interest to the FreeIPA community, > so I thought I'd write it up here in case anyone missed it elsewhere. > > > Until recently we ran these tests only on Fedora's nightly development > release distribution composes. Recently, though, we deployed some > enhancements to our openQA setup that let us run tests on Fedora > distribution updates as well, and have the results made visible through > the Fedora update system (Bodhi). The tests are automatically run on > any critical path package, and as of today, they are also run on any > update containing any of a manually-tended list of FreeIPA-related > packages: > > 389-ds > 389-ds-base > bind > bind-dyndb-ldap > certmonger > ding-libs > freeipa > krb5-server > pki-core > sssd > tomcat > cockpit > > This means that for any Fedora update containing one of these or any > critical path package, Fedora's openQA FreeIPA tests should run, and > you should see the results in the Fedora update system (Bodhi). You can > see the results in Bodhi by clicking the Automated Updates tab for any > update. For instance, here's a recent 389-ds-base update for Fedora 26: > > https://bodhi.fedoraproject.org/updates/FEDORA-2017-15e2a038b2 > > If you look at the Automated Tests tab, you can see passes for: > > update.server_role_deploy_domain_controller > update.realmd_join_cockpit > update.realmd_join_sssd > > indicating that this update didn't cause any problems for FreeIPA. > Clicking on any test result will take you to the openQA page for the > test, where you can diagnose failures and so on (explaining how to do > this is a bit beyond the scope of this mail, please do ask me if you're > interested!) This is really great. > > I hope this stuff will help us avoid shipping updates that break > FreeIPA (and other key components). If you have any questions, > concerns, comments, or suggestions, please do ask! > . > > Note, if you're interested in the results for the nightly Fedora > distribution composes, an email summary of the results for those is > sent each time they're run to the Fedora test@ and devel@ lists, look > for mails with "compose check report" in the subject. Any time any of > the FreeIPA tests fails, the failure will be listed in the mail (passed > tests are not specifically listed, just a count of them). I usually > keep an eye on those results and analyze failures and file bugs, > though. > Is there a way now to check current state of current Fedoras automatically using a script - e.g. avoid parsing mailing list or going through runs in OpenQA? -- Petr Vobornik From freeipa-github-notification at redhat.com Wed May 3 07:49:28 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Wed, 03 May 2017 09:49:28 +0200 Subject: [Freeipa-devel] [freeipa PR#679][comment] Make sure remote hosts have our keys In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/679 Title: #679: Make sure remote hosts have our keys stlaz commented: """ Seems to work fine against current master, but fails with ``` Configuring ipa-custodia [1/4]: Generating ipa-custodia config file [2/4]: Generating ipa-custodia keys [3/4]: starting ipa-custodia [4/4]: configuring ipa-custodia to start on boot Done configuring ipa-custodia. Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up. ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR 503 Server Error: Service Unavailable for url: https://vm-096.abc.idm.lab.eng.brq.redhat.com/ipa/keys/ca/caSigningCert%20cert-pki-ca?type=kem&value=eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZDQkMtSFM1MTIiLCJraWQiOm51bGx9.k6y2jmI8oxRIsieU93_RzG5mZU_u_DPW2XL2jjLukYPZ3oZOkLkufof0fBeH6LAR66aL9m5C9j26GmhlTqNsm2FUQT7Xql975rYR3veooDwLQlPx6k4X1J4CTEeSsf7RVj8KfLE5e4K-nW1hTyepsbm7RDAA_-tbLvWzEqCQ0I3bfpPEDmlML08FA9T_yuPb1FkT0-lSCLV5PHya4tOB3R2q5CHC2b6BpwZQtbVW8eohshEmJMTO2NMAyPlfJscgSHYmhi6oliToV_Dh90Ej1UH_S0UOkHLsvIV5IoW4EGeaGdeHwHo4GsSGHGN3exVxWk9GShhJ_WJ-dlXSGQ_9CA.SfWWO_VrqzKKX3EYSh3E1Q.n4GtjcFZOQSZmAG9MShIQVtfRv_N3jEQMS46rLGUU6xIS-BYBL0Xq1UWP6VFrZW-g96Iqe2PIBhv4m1FsuAzP_gzac1lCr2ghcVuj3rAUg81G5s8vPuYNl_Ur5UVlQ2LtWzGLc26s1z_43MF7qCl8iayvXqnweK8_kj54F1RUJ-Awp0--Z4mnK_FFrPU4BBW2_EjZ1tOR8dV7NnxnN2Gd2tiDFl6Kkbj91rf6Bo2f8telN5RJsX52PsNW2z-l78TOIAKY4qfHhSVz31RO3xgUbyu3yQ79sGIxD66hzmVisB_LnbpNHbIjCP1wKEXXSo-IPrDtXk7ZWZrEITtItzynbzBKddVLjcNMjoqGz-lhLWVNg8R8rdHEdUzhlkdM-kFfW6Fz57wSyOZnt4KvQ-lZxY62TLQB1gqJ7vhzUPUs1g7C9rsy4gTQPjuRxXnLRvqXSb3arQPkrUl_hLqRuAm8FL-ClYY9G38KVns81QTygKvkDC8E5LQBJfyzkg93AyTXNBcrdCxP8AGgaxLBlGyEX-ya0g3mVX5fz_Uj6gyKjtOS_x1AUHOMkAMRmVEzvixrz-krCMWYOQDmJi19OlNeNjb7-NUVDxPRryr7e6Po2OqSbSjP6kUSw_QbMZf8BCrqV4TUFOwndTmZ68n1TOrCqie-UO71TJnherD_3m60_t3-Li1uy6_WWX66BBEMCCtsZBJWP7OYj7c9CzWGuzUEI7g75i4TZwoM1z0SjuyoPE.ZbRawj1B943OeF6AD_W0Z3pfk13fs14rbj_Ab8n-ZXI ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information ``` against 4.4.4 master. """ See the full comment at https://github.com/freeipa/freeipa/pull/679#issuecomment-298844054 From freeipa-github-notification at redhat.com Wed May 3 07:53:05 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 03 May 2017 09:53:05 +0200 Subject: [Freeipa-devel] [freeipa PR#728][synchronized] ipa-cacert-manage: add --external-ca-type In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/728 Author: HonzaCholasta Title: #728: ipa-cacert-manage: add --external-ca-type Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/728/head:pr728 git checkout pr728 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-728.patch Type: text/x-diff Size: 38404 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed May 3 08:12:03 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 03 May 2017 10:12:03 +0200 Subject: [Freeipa-devel] [freeipa PR#749][comment] Added plugins directory to python2-ipaclient subpackage In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/749 Title: #749: Added plugins directory to python2-ipaclient subpackage MartinBasti commented: """ Hello, could you please also add it for python3-ipaclient too? """ See the full comment at https://github.com/freeipa/freeipa/pull/749#issuecomment-298847918 From freeipa-github-notification at redhat.com Wed May 3 08:37:27 2017 From: freeipa-github-notification at redhat.com (flo-renaud) Date: Wed, 03 May 2017 10:37:27 +0200 Subject: [Freeipa-devel] [freeipa PR#754][opened] ipa-server-install with external CA: fix pkinit cert issuance Message-ID: URL: https://github.com/freeipa/freeipa/pull/754 Author: flo-renaud Title: #754: ipa-server-install with external CA: fix pkinit cert issuance Action: opened PR body: """ ipa-server-install with external CA fails to issue pkinit certs. This happens because the installer calls krb = krbinstance.KrbInstance(fstore) then krb.enable_ssl() and in this code path self.config_pkinit is set to None, leading to a wrong code path. The fix initializes the required fields of the krbinstance before calling krb.enable_ssl. https://pagure.io/freeipa/issue/6921 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/754/head:pr754 git checkout pr754 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-754.patch Type: text/x-diff Size: 2241 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed May 3 08:38:46 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Wed, 03 May 2017 10:38:46 +0200 Subject: [Freeipa-devel] [freeipa PR#729][synchronized] Turn on NSSOCSP check in mod_nss conf In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/729 Author: pvomacka Title: #729: Turn on NSSOCSP check in mod_nss conf Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/729/head:pr729 git checkout pr729 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-729.patch Type: text/x-diff Size: 8011 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed May 3 08:39:07 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Wed, 03 May 2017 10:39:07 +0200 Subject: [Freeipa-devel] [freeipa PR#729][comment] Turn on NSSOCSP check in mod_nss conf In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/729 Title: #729: Turn on NSSOCSP check in mod_nss conf pvomacka commented: """ @MartinBasti thank you for comments, fixed. """ See the full comment at https://github.com/freeipa/freeipa/pull/729#issuecomment-298853135 From freeipa-github-notification at redhat.com Wed May 3 08:43:24 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Wed, 03 May 2017 10:43:24 +0200 Subject: [Freeipa-devel] [freeipa PR#754][comment] ipa-server-install with external CA: fix pkinit cert issuance In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/754 Title: #754: ipa-server-install with external CA: fix pkinit cert issuance stlaz commented: """ LGTM, will test it. """ See the full comment at https://github.com/freeipa/freeipa/pull/754#issuecomment-298853939 From freeipa-github-notification at redhat.com Wed May 3 10:50:32 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Wed, 03 May 2017 12:50:32 +0200 Subject: [Freeipa-devel] [freeipa PR#754][+ack] ipa-server-install with external CA: fix pkinit cert issuance In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/754 Title: #754: ipa-server-install with external CA: fix pkinit cert issuance Label: +ack From freeipa-github-notification at redhat.com Wed May 3 10:53:21 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Wed, 03 May 2017 12:53:21 +0200 Subject: [Freeipa-devel] [freeipa PR#679][comment] Make sure remote hosts have our keys In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/679 Title: #679: Make sure remote hosts have our keys stlaz commented: """ Seems to work fine against current master, but fails with ``` Configuring ipa-custodia [1/4]: Generating ipa-custodia config file [2/4]: Generating ipa-custodia keys [3/4]: starting ipa-custodia [4/4]: configuring ipa-custodia to start on boot Done configuring ipa-custodia. Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up. ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR 503 Server Error: Service Unavailable for url: https://vm-096.abc.idm.lab.eng.brq.redhat.com/ipa/keys/ca/caSigningCert%20cert-pki-ca?type=kem&value=eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZDQkMtSFM1MTIiLCJraWQiOm51bGx9.k6y2jmI8oxRIsieU93_RzG5mZU_u_DPW2XL2jjLukYPZ3oZOkLkufof0fBeH6LAR66aL9m5C9j26GmhlTqNsm2FUQT7Xql975rYR3veooDwLQlPx6k4X1J4CTEeSsf7RVj8KfLE5e4K-nW1hTyepsbm7RDAA_-tbLvWzEqCQ0I3bfpPEDmlML08FA9T_yuPb1FkT0-lSCLV5PHya4tOB3R2q5CHC2b6BpwZQtbVW8eohshEmJMTO2NMAyPlfJscgSHYmhi6oliToV_Dh90Ej1UH_S0UOkHLsvIV5IoW4EGeaGdeHwHo4GsSGHGN3exVxWk9GShhJ_WJ-dlXSGQ_9CA.SfWWO_VrqzKKX3EYSh3E1Q.n4GtjcFZOQSZmAG9MShIQVtfRv_N3jEQMS46rLGUU6xIS-BYBL0Xq1UWP6VFrZW-g96Iqe2PIBhv4m1FsuAzP_gzac1lCr2ghcVuj3rAUg81G5s8vPuYNl_Ur5UVlQ2LtWzGLc26s1z_43MF7qCl8iayvXqnweK8_kj54F1RUJ-Awp0--Z4mnK_FFrPU4BBW2_EjZ1tOR8dV7NnxnN2Gd2tiDFl6Kkbj91rf6Bo2f8telN5RJsX52PsNW2z-l78TOIAKY4qfHhSVz31RO3xgUbyu3yQ79sGIxD66hzmVisB_LnbpNHbIjCP1wKEXXSo-IPrDtXk7ZWZrEITtItzynbzBKddVLjcNMjoqGz-lhLWVNg8R8rdHEdUzhlkdM-kFfW6Fz57wSyOZnt4KvQ-lZxY62TLQB1gqJ7vhzUPUs1g7C9rsy4gTQPjuRxXnLRvqXSb3arQPkrUl_hLqRuAm8FL-ClYY9G38KVns81QTygKvkDC8E5LQBJfyzkg93AyTXNBcrdCxP8AGgaxLBlGyEX-ya0g3mVX5fz_Uj6gyKjtOS_x1AUHOMkAMRmVEzvixrz-krCMWYOQDmJi19OlNeNjb7-NUVDxPRryr7e6Po2OqSbSjP6kUSw_QbMZf8BCrqV4TUFOwndTmZ68n1TOrCqie-UO71TJnherD_3m60_t3-Li1uy6_WWX66BBEMCCtsZBJWP7OYj7c9CzWGuzUEI7g75i4TZwoM1z0SjuyoPE.ZbRawj1B943OeF6AD_W0Z3pfk13fs14rbj_Ab8n-ZXI ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information ``` against 4.4.4 master. """ See the full comment at https://github.com/freeipa/freeipa/pull/679#issuecomment-298844054 From freeipa-github-notification at redhat.com Wed May 3 11:01:06 2017 From: freeipa-github-notification at redhat.com (olivergs) Date: Wed, 03 May 2017 13:01:06 +0200 Subject: [Freeipa-devel] [freeipa PR#749][synchronized] Added plugins directory to python2-ipaclient subpackage In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/749 Author: olivergs Title: #749: Added plugins directory to python2-ipaclient subpackage Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/749/head:pr749 git checkout pr749 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-749.patch Type: text/x-diff Size: 1489 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed May 3 11:01:43 2017 From: freeipa-github-notification at redhat.com (olivergs) Date: Wed, 03 May 2017 13:01:43 +0200 Subject: [Freeipa-devel] [freeipa PR#749][comment] Added plugins directory to python2-ipaclient subpackage In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/749 Title: #749: Added plugins directory to python2-ipaclient subpackage olivergs commented: """ Added :) """ See the full comment at https://github.com/freeipa/freeipa/pull/749#issuecomment-298880927 From freeipa-github-notification at redhat.com Wed May 3 11:34:45 2017 From: freeipa-github-notification at redhat.com (simo5) Date: Wed, 03 May 2017 13:34:45 +0200 Subject: [Freeipa-devel] [freeipa PR#679][comment] Make sure remote hosts have our keys In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/679 Title: #679: Make sure remote hosts have our keys simo5 commented: """ I've seen this once but thought it was a fluke due to my "unclean" master, as the following times it did not happen. Can you reproduce the error against 4.4.4 consistently ? """ See the full comment at https://github.com/freeipa/freeipa/pull/679#issuecomment-298886632 From freeipa-github-notification at redhat.com Wed May 3 11:45:53 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Wed, 03 May 2017 13:45:53 +0200 Subject: [Freeipa-devel] [freeipa PR#679][comment] Make sure remote hosts have our keys In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/679 Title: #679: Make sure remote hosts have our keys stlaz commented: """ I was able to do it two times in a row with the same master, I can try to reinstall both the master and replica if you want. What do you mean "unclean"? It's a clean 4.4.4 master, no code changes, `/etc/httpd/alias` and `/etc/pki/pki-tomcat/alias` NSS databases seem fine, too. """ See the full comment at https://github.com/freeipa/freeipa/pull/679#issuecomment-298888556 From freeipa-github-notification at redhat.com Wed May 3 11:50:06 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Wed, 03 May 2017 13:50:06 +0200 Subject: [Freeipa-devel] [freeipa PR#679][comment] Make sure remote hosts have our keys In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/679 Title: #679: Make sure remote hosts have our keys stlaz commented: """ I was able to do it two times in a row with the same master, I can try to reinstall both the master and replica if you want. What do you mean "unclean"? It's a clean 4.4.4 master, no code changes, `/etc/httpd/alias` and `/etc/pki/pki-tomcat/alias` NSS databases seem fine, too. """ See the full comment at https://github.com/freeipa/freeipa/pull/679#issuecomment-298888556 From freeipa-github-notification at redhat.com Wed May 3 11:54:02 2017 From: freeipa-github-notification at redhat.com (simo5) Date: Wed, 03 May 2017 13:54:02 +0200 Subject: [Freeipa-devel] [freeipa PR#679][comment] Make sure remote hosts have our keys In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/679 Title: #679: Make sure remote hosts have our keys simo5 commented: """ I meant my setup was unclean. I will try to reproduce here. Does master w/o this patch work properly against 4.4.4 ? """ See the full comment at https://github.com/freeipa/freeipa/pull/679#issuecomment-298889962 From freeipa-github-notification at redhat.com Wed May 3 11:55:17 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 03 May 2017 13:55:17 +0200 Subject: [Freeipa-devel] [freeipa PR#755][opened] Use proper SELinux context with http.keytab Message-ID: URL: https://github.com/freeipa/freeipa/pull/755 Author: MartinBasti Title: #755: Use proper SELinux context with http.keytab Action: opened PR body: """ During upgrade keytab is moved to a new location using "move" operation. This commit replaces move operation with "copy" and "remove" that ensures a proper selinux context. https://pagure.io/freeipa/issue/6924 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/755/head:pr755 git checkout pr755 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-755.patch Type: text/x-diff Size: 1408 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed May 3 11:58:29 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 03 May 2017 13:58:29 +0200 Subject: [Freeipa-devel] [freeipa PR#749][comment] Added plugins directory to python2-ipaclient subpackage In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/749 Title: #749: Added plugins directory to python2-ipaclient subpackage MartinBasti commented: """ Thanks, could you please merge into one patch? """ See the full comment at https://github.com/freeipa/freeipa/pull/749#issuecomment-298890770 From freeipa-github-notification at redhat.com Wed May 3 11:58:42 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Wed, 03 May 2017 13:58:42 +0200 Subject: [Freeipa-devel] [freeipa PR#679][comment] Make sure remote hosts have our keys In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/679 Title: #679: Make sure remote hosts have our keys stlaz commented: """ Not sure, I will try that. """ See the full comment at https://github.com/freeipa/freeipa/pull/679#issuecomment-298890816 From freeipa-github-notification at redhat.com Wed May 3 12:04:45 2017 From: freeipa-github-notification at redhat.com (olivergs) Date: Wed, 03 May 2017 14:04:45 +0200 Subject: [Freeipa-devel] [freeipa PR#749][closed] Added plugins directory to python2-ipaclient subpackage In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/749 Author: olivergs Title: #749: Added plugins directory to python2-ipaclient subpackage Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/749/head:pr749 git checkout pr749 From freeipa-github-notification at redhat.com Wed May 3 12:06:39 2017 From: freeipa-github-notification at redhat.com (olivergs) Date: Wed, 03 May 2017 14:06:39 +0200 Subject: [Freeipa-devel] [freeipa PR#756][opened] Added plugins directory to paclient subpackages Message-ID: URL: https://github.com/freeipa/freeipa/pull/756 Author: olivergs Title: #756: Added plugins directory to paclient subpackages Action: opened PR body: """ """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/756/head:pr756 git checkout pr756 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-756.patch Type: text/x-diff Size: 958 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed May 3 12:06:51 2017 From: freeipa-github-notification at redhat.com (olivergs) Date: Wed, 03 May 2017 14:06:51 +0200 Subject: [Freeipa-devel] [freeipa PR#749][comment] Added plugins directory to python2-ipaclient subpackage In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/749 Title: #749: Added plugins directory to python2-ipaclient subpackage olivergs commented: """ Created new PR #756 """ See the full comment at https://github.com/freeipa/freeipa/pull/749#issuecomment-298892370 From freeipa-github-notification at redhat.com Wed May 3 12:07:01 2017 From: freeipa-github-notification at redhat.com (olivergs) Date: Wed, 03 May 2017 14:07:01 +0200 Subject: [Freeipa-devel] [freeipa PR#756][comment] Added plugins directory to paclient subpackages In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/756 Title: #756: Added plugins directory to paclient subpackages olivergs commented: """ Continuation of PR #749 """ See the full comment at https://github.com/freeipa/freeipa/pull/756#issuecomment-298892402 From freeipa-github-notification at redhat.com Wed May 3 12:09:56 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Wed, 03 May 2017 14:09:56 +0200 Subject: [Freeipa-devel] [freeipa PR#679][comment] Make sure remote hosts have our keys In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/679 Title: #679: Make sure remote hosts have our keys stlaz commented: """ It seems that replica install fails even without this patch so it's OK to go with it? """ See the full comment at https://github.com/freeipa/freeipa/pull/679#issuecomment-298892918 From freeipa-github-notification at redhat.com Wed May 3 12:33:57 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 03 May 2017 14:33:57 +0200 Subject: [Freeipa-devel] [freeipa PR#757][opened] ca, kra install: validate DM password Message-ID: URL: https://github.com/freeipa/freeipa/pull/757 Author: tomaskrizek Title: #757: ca, kra install: validate DM password Action: opened PR body: """ Prevent CA and KRA installation from proceeding if provided DM password is invalid to avoid broken installations with no possibility to uninstall CA or KRA. https://pagure.io/freeipa/issue/6892 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/757/head:pr757 git checkout pr757 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-757.patch Type: text/x-diff Size: 6654 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed May 3 12:36:23 2017 From: freeipa-github-notification at redhat.com (simo5) Date: Wed, 03 May 2017 14:36:23 +0200 Subject: [Freeipa-devel] [freeipa PR#679][comment] Make sure remote hosts have our keys In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/679 Title: #679: Make sure remote hosts have our keys simo5 commented: """ We need to find why it breaks though, but yeah I think we can go forward with this patch of others agree. Can you open a separate bug for the failure you got ? """ See the full comment at https://github.com/freeipa/freeipa/pull/679#issuecomment-298898148 From freeipa-github-notification at redhat.com Wed May 3 12:41:10 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 03 May 2017 14:41:10 +0200 Subject: [Freeipa-devel] [freeipa PR#755][synchronized] Use proper SELinux context with http.keytab In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/755 Author: MartinBasti Title: #755: Use proper SELinux context with http.keytab Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/755/head:pr755 git checkout pr755 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-755.patch Type: text/x-diff Size: 1464 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed May 3 13:26:31 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 03 May 2017 15:26:31 +0200 Subject: [Freeipa-devel] [freeipa PR#758][opened] install: fix CA-less PKINIT Message-ID: URL: https://github.com/freeipa/freeipa/pull/758 Author: HonzaCholasta Title: #758: install: fix CA-less PKINIT Action: opened PR body: """ **certdb: add named trust flag constants** Add named constants for common trust flag combinations. Use the named constants instead of trust flags strings in the code. **certdb, certs: make trust flags argument mandatory** Make the trust flags argument mandatory in all functions in `certdb` and `certs`. **certdb: use custom object for trust flags** Replace trust flag strings with `TrustFlags` objects. The `TrustFlags` class encapsulates `certstore` key policy and has an additional flag indicating the presence of a private key. **install: trust IPA CA for PKINIT** Trust IPA CA to issue PKINIT KDC and client authentication certificates in the IPA certificate store. **client install: fix client PKINIT configuration** Set `pkinit_anchors` in `krb5.conf` to a CA certificate bundle of CAs trusted to issue KDC certificates rather than `/etc/ipa/ca.crt`. Set `pkinit_pool` in `krb5.conf` to a CA certificate bundle of all CAs known to IPA. Make sure both bundles are exported in all installation code paths. **server install: fix KDC PKINIT configuration** Make sure `cacert.pem` contains only certificates of CAs trusted to issue PKINIT client certificates and is exported in all installation code paths. Set `pkinit_pool` in `kdc.conf` to a CA certificate bundle of all CAs known to IPA. Use the KDC certificate itself as a PKINIT anchor in `login_password`. **certs: do not export CA certs in install_pem_from_p12** This fixes `kdc.crt` containing the full chain rather than just the KDC certificate in CA-less server install. **server install: fix KDC certificate validation in CA-less** Verify that the provided certificate has the extended key usage and subject alternative name required for KDC. **cacert manage: support PKINIT** Allow installing 3rd party CA certificates trusted to issue PKINIT KDC and/or client certificates. **server certinstall: support PKINIT** Allow replacing the KDC certificate. https://pagure.io/freeipa/issue/6831 https://pagure.io/freeipa/issue/6869 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/758/head:pr758 git checkout pr758 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-758.patch Type: text/x-diff Size: 83337 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed May 3 13:32:59 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 03 May 2017 15:32:59 +0200 Subject: [Freeipa-devel] [freeipa PR#759][opened] kra install: update installation failure message Message-ID: URL: https://github.com/freeipa/freeipa/pull/759 Author: tomaskrizek Title: #759: kra install: update installation failure message Action: opened PR body: """ When installation fails, do not advise the user to use the obsoleted --uninstall option. Signed-off-by: Tomas Krizek Fixes https://pagure.io/freeipa/issue/6923 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/759/head:pr759 git checkout pr759 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-759.patch Type: text/x-diff Size: 1019 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed May 3 13:37:24 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 03 May 2017 15:37:24 +0200 Subject: [Freeipa-devel] [freeipa PR#759][+ack] kra install: update installation failure message In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/759 Title: #759: kra install: update installation failure message Label: +ack From freeipa-github-notification at redhat.com Wed May 3 13:40:05 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 03 May 2017 15:40:05 +0200 Subject: [Freeipa-devel] [freeipa PR#757][synchronized] ca, kra install: validate DM password In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/757 Author: tomaskrizek Title: #757: ca, kra install: validate DM password Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/757/head:pr757 git checkout pr757 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-757.patch Type: text/x-diff Size: 7696 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed May 3 13:40:30 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Wed, 03 May 2017 15:40:30 +0200 Subject: [Freeipa-devel] [freeipa PR#679][comment] Make sure remote hosts have our keys In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/679 Title: #679: Make sure remote hosts have our keys stlaz commented: """ Will do, ACKing this in the meantime. """ See the full comment at https://github.com/freeipa/freeipa/pull/679#issuecomment-298913680 From freeipa-github-notification at redhat.com Wed May 3 13:40:37 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Wed, 03 May 2017 15:40:37 +0200 Subject: [Freeipa-devel] [freeipa PR#679][+ack] Make sure remote hosts have our keys In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/679 Title: #679: Make sure remote hosts have our keys Label: +ack From freeipa-github-notification at redhat.com Wed May 3 13:49:18 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Wed, 03 May 2017 15:49:18 +0200 Subject: [Freeipa-devel] [freeipa PR#679][-ack] Make sure remote hosts have our keys In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/679 Title: #679: Make sure remote hosts have our keys Label: -ack From freeipa-github-notification at redhat.com Wed May 3 13:49:37 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Wed, 03 May 2017 15:49:37 +0200 Subject: [Freeipa-devel] [freeipa PR#679][comment] Make sure remote hosts have our keys In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/679 Title: #679: Make sure remote hosts have our keys stlaz commented: """ Removing the ACK to retest on 4.4.4 with Fedora custodia version. """ See the full comment at https://github.com/freeipa/freeipa/pull/679#issuecomment-298916263 From freeipa-github-notification at redhat.com Wed May 3 14:28:29 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Wed, 03 May 2017 16:28:29 +0200 Subject: [Freeipa-devel] [freeipa PR#679][+ack] Make sure remote hosts have our keys In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/679 Title: #679: Make sure remote hosts have our keys Label: +ack From freeipa-github-notification at redhat.com Wed May 3 14:29:54 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 03 May 2017 16:29:54 +0200 Subject: [Freeipa-devel] [freeipa PR#754][+pushed] ipa-server-install with external CA: fix pkinit cert issuance In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/754 Title: #754: ipa-server-install with external CA: fix pkinit cert issuance Label: +pushed From freeipa-github-notification at redhat.com Wed May 3 14:29:58 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 03 May 2017 16:29:58 +0200 Subject: [Freeipa-devel] [freeipa PR#754][comment] ipa-server-install with external CA: fix pkinit cert issuance In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/754 Title: #754: ipa-server-install with external CA: fix pkinit cert issuance tomaskrizek commented: """ ipa-4-5: * 8107125e177ac9f378d149d7b0fa1d3774c9be3a ipa-server-install with external CA: fix pkinit cert issuance master: * a24923066dd95a88ded329f1a558d46fbb9d8f81 ipa-server-install with external CA: fix pkinit cert issuance """ See the full comment at https://github.com/freeipa/freeipa/pull/754#issuecomment-298927858 From freeipa-github-notification at redhat.com Wed May 3 14:30:03 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 03 May 2017 16:30:03 +0200 Subject: [Freeipa-devel] [freeipa PR#754][closed] ipa-server-install with external CA: fix pkinit cert issuance In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/754 Author: flo-renaud Title: #754: ipa-server-install with external CA: fix pkinit cert issuance Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/754/head:pr754 git checkout pr754 From freeipa-github-notification at redhat.com Wed May 3 14:33:20 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 03 May 2017 16:33:20 +0200 Subject: [Freeipa-devel] [freeipa PR#759][+pushed] kra install: update installation failure message In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/759 Title: #759: kra install: update installation failure message Label: +pushed From freeipa-github-notification at redhat.com Wed May 3 14:33:25 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 03 May 2017 16:33:25 +0200 Subject: [Freeipa-devel] [freeipa PR#759][comment] kra install: update installation failure message In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/759 Title: #759: kra install: update installation failure message tomaskrizek commented: """ ipa-4-5: * a4410b41f8dc58b81f02ccc42483dcfe63ddede9 kra install: update installation failure message master: * 0fa6c4d96ef2a55f853eedf3fb89433863e29ddf kra install: update installation failure message """ See the full comment at https://github.com/freeipa/freeipa/pull/759#issuecomment-298928906 From freeipa-github-notification at redhat.com Wed May 3 14:33:30 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 03 May 2017 16:33:30 +0200 Subject: [Freeipa-devel] [freeipa PR#759][closed] kra install: update installation failure message In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/759 Author: tomaskrizek Title: #759: kra install: update installation failure message Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/759/head:pr759 git checkout pr759 From freeipa-github-notification at redhat.com Wed May 3 14:37:52 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 03 May 2017 16:37:52 +0200 Subject: [Freeipa-devel] [freeipa PR#679][+pushed] Make sure remote hosts have our keys In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/679 Title: #679: Make sure remote hosts have our keys Label: +pushed From freeipa-github-notification at redhat.com Wed May 3 14:38:00 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 03 May 2017 16:38:00 +0200 Subject: [Freeipa-devel] [freeipa PR#753][synchronized] Check CA status: add HTTP timeout In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/753 Author: MartinBasti Title: #753: Check CA status: add HTTP timeout Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/753/head:pr753 git checkout pr753 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-753.patch Type: text/x-diff Size: 4335 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed May 3 14:38:04 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 03 May 2017 16:38:04 +0200 Subject: [Freeipa-devel] [freeipa PR#679][closed] Make sure remote hosts have our keys In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/679 Author: simo5 Title: #679: Make sure remote hosts have our keys Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/679/head:pr679 git checkout pr679 From freeipa-github-notification at redhat.com Wed May 3 14:38:05 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 03 May 2017 16:38:05 +0200 Subject: [Freeipa-devel] [freeipa PR#679][comment] Make sure remote hosts have our keys In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/679 Title: #679: Make sure remote hosts have our keys tomaskrizek commented: """ ipa-4-5: * 5f8d1119fe38807e86930af50d3680e28efe68eb Make sure remote hosts have our keys master: * 1f9f84a66d6cf9391b91ee4a13ac0f1119212578 Make sure remote hosts have our keys """ See the full comment at https://github.com/freeipa/freeipa/pull/679#issuecomment-298930285 From freeipa-github-notification at redhat.com Wed May 3 14:43:58 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 03 May 2017 16:43:58 +0200 Subject: [Freeipa-devel] [freeipa PR#760][opened] Run ipa-custodia under Python 2 Message-ID: URL: https://github.com/freeipa/freeipa/pull/760 Author: tiran Title: #760: Run ipa-custodia under Python 2 Action: opened PR body: """ Closes: https://pagure.io/freeipa/issue/6926 Signed-off-by: Christian Heimes """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/760/head:pr760 git checkout pr760 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-760.patch Type: text/x-diff Size: 3292 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed May 3 15:07:15 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 03 May 2017 17:07:15 +0200 Subject: [Freeipa-devel] [freeipa PR#755][synchronized] Use proper SELinux context with http.keytab In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/755 Author: MartinBasti Title: #755: Use proper SELinux context with http.keytab Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/755/head:pr755 git checkout pr755 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-755.patch Type: text/x-diff Size: 1468 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed May 3 15:39:15 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 03 May 2017 17:39:15 +0200 Subject: [Freeipa-devel] [freeipa PR#755][+ack] Use proper SELinux context with http.keytab In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/755 Title: #755: Use proper SELinux context with http.keytab Label: +ack From freeipa-github-notification at redhat.com Wed May 3 15:40:35 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 03 May 2017 17:40:35 +0200 Subject: [Freeipa-devel] [freeipa PR#756][+ack] Added plugins directory to paclient subpackages In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/756 Title: #756: Added plugins directory to paclient subpackages Label: +ack From freeipa-github-notification at redhat.com Wed May 3 15:41:26 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 03 May 2017 17:41:26 +0200 Subject: [Freeipa-devel] [freeipa PR#756][comment] Added plugins directory to paclient subpackages In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/756 Title: #756: Added plugins directory to paclient subpackages MartinBasti commented: """ Thank you! Just for the record, you could use `git push --force` and keep the original PR opened :-) """ See the full comment at https://github.com/freeipa/freeipa/pull/756#issuecomment-298950141 From freeipa-github-notification at redhat.com Wed May 3 15:42:34 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 03 May 2017 17:42:34 +0200 Subject: [Freeipa-devel] [freeipa PR#756][+pushed] Added plugins directory to paclient subpackages In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/756 Title: #756: Added plugins directory to paclient subpackages Label: +pushed From freeipa-github-notification at redhat.com Wed May 3 15:42:53 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 03 May 2017 17:42:53 +0200 Subject: [Freeipa-devel] [freeipa PR#756][comment] Added plugins directory to paclient subpackages In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/756 Title: #756: Added plugins directory to paclient subpackages MartinBasti commented: """ master: * 548014f03eeababfd1b49e4bc9ac608633cb9b98 Added plugins directory to paclient subpackages """ See the full comment at https://github.com/freeipa/freeipa/pull/756#issuecomment-298950498 From freeipa-github-notification at redhat.com Wed May 3 15:43:00 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 03 May 2017 17:43:00 +0200 Subject: [Freeipa-devel] [freeipa PR#756][closed] Added plugins directory to paclient subpackages In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/756 Author: olivergs Title: #756: Added plugins directory to paclient subpackages Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/756/head:pr756 git checkout pr756 From freeipa-github-notification at redhat.com Wed May 3 15:43:16 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 03 May 2017 17:43:16 +0200 Subject: [Freeipa-devel] [freeipa PR#755][+pushed] Use proper SELinux context with http.keytab In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/755 Title: #755: Use proper SELinux context with http.keytab Label: +pushed From freeipa-github-notification at redhat.com Wed May 3 15:43:31 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 03 May 2017 17:43:31 +0200 Subject: [Freeipa-devel] [freeipa PR#755][comment] Use proper SELinux context with http.keytab In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/755 Title: #755: Use proper SELinux context with http.keytab martbab commented: """ master: * 7f4c2fbd975d09c01e6898a4eb70d7dfea1171b4 Use proper SELinux context with http.keytab ipa-4-5: * bda733db9ede3307595963a8c086e1b700c41e25 Use proper SELinux context with http.keytab """ See the full comment at https://github.com/freeipa/freeipa/pull/755#issuecomment-298950728 From freeipa-github-notification at redhat.com Wed May 3 15:43:38 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 03 May 2017 17:43:38 +0200 Subject: [Freeipa-devel] [freeipa PR#755][closed] Use proper SELinux context with http.keytab In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/755 Author: MartinBasti Title: #755: Use proper SELinux context with http.keytab Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/755/head:pr755 git checkout pr755 From awilliam at redhat.com Wed May 3 16:08:14 2017 From: awilliam at redhat.com (Adam Williamson) Date: Wed, 03 May 2017 09:08:14 -0700 Subject: [Freeipa-devel] Automated Fedora update testing In-Reply-To: <7ce89967-8954-28ef-78fc-088bbf478661@redhat.com> References: <1493424465.2859.29.camel@redhat.com> <7ce89967-8954-28ef-78fc-088bbf478661@redhat.com> Message-ID: <1493827694.2859.76.camel@redhat.com> On Wed, 2017-05-03 at 09:26 +0200, Petr Vobornik wrote: > > Is there a way now to check current state of current Fedoras > automatically using a script - e.g. avoid parsing mailing list or going > through runs in OpenQA? The script that generates the mails is called check-compose: https://pagure.io/fedora-qa/check-compose You can just check that out of git and run it locally. You'll need the python2-openqa_client package installed. You pass it the location of a compose, e.g.: ./check-compose?https://kojipkgs.fedoraproject.org/compose/branched/Fedora-26-20170502.n.0/compose/ Does that help? -- Adam Williamson Fedora QA Community Monkey IRC: adamw | Twitter: AdamW_Fedora | XMPP: adamw AT happyassassin . net http://www.happyassassin.net From freeipa-github-notification at redhat.com Wed May 3 17:27:22 2017 From: freeipa-github-notification at redhat.com (felipevolpone) Date: Wed, 03 May 2017 19:27:22 +0200 Subject: [Freeipa-devel] [freeipa PR#761][opened] Fixing adding authenticator indicators to host Message-ID: URL: https://github.com/freeipa/freeipa/pull/761 Author: felipevolpone Title: #761: Fixing adding authenticator indicators to host Action: opened PR body: """ The check for krbprincipalaux in the entries is now made case-insensitively. https://pagure.io/freeipa/issue/6911 https://bugzilla.redhat.com/show_bug.cgi?id=1441593#c2 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/761/head:pr761 git checkout pr761 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-761.patch Type: text/x-diff Size: 1191 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed May 3 17:28:50 2017 From: freeipa-github-notification at redhat.com (felipevolpone) Date: Wed, 03 May 2017 19:28:50 +0200 Subject: [Freeipa-devel] [freeipa PR#736][synchronized] Fixing the cert-request command comparing whole email address case-sensitively. In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/736 Author: felipevolpone Title: #736: Fixing the cert-request command comparing whole email address case-sensitively. Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/736/head:pr736 git checkout pr736 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-736.patch Type: text/x-diff Size: 12158 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed May 3 19:30:36 2017 From: freeipa-github-notification at redhat.com (felipevolpone) Date: Wed, 03 May 2017 21:30:36 +0200 Subject: [Freeipa-devel] [freeipa PR#736][synchronized] Fixing the cert-request command comparing whole email address case-sensitively. In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/736 Author: felipevolpone Title: #736: Fixing the cert-request command comparing whole email address case-sensitively. Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/736/head:pr736 git checkout pr736 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-736.patch Type: text/x-diff Size: 9163 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed May 3 20:08:18 2017 From: freeipa-github-notification at redhat.com (felipevolpone) Date: Wed, 03 May 2017 22:08:18 +0200 Subject: [Freeipa-devel] [freeipa PR#736][synchronized] Fixing the cert-request command comparing whole email address case-sensitively. In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/736 Author: felipevolpone Title: #736: Fixing the cert-request command comparing whole email address case-sensitively. Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/736/head:pr736 git checkout pr736 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-736.patch Type: text/x-diff Size: 10431 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu May 4 03:25:50 2017 From: freeipa-github-notification at redhat.com (abbra) Date: Thu, 04 May 2017 05:25:50 +0200 Subject: [Freeipa-devel] [freeipa PR#756][comment] Added plugins directory to paclient subpackages In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/756 Title: #756: Added plugins directory to paclient subpackages abbra commented: """ Note that we want this fix in 4.4 branch as well -- it affects F25. """ See the full comment at https://github.com/freeipa/freeipa/pull/756#issuecomment-299089291 From freeipa-github-notification at redhat.com Thu May 4 06:15:02 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Thu, 04 May 2017 08:15:02 +0200 Subject: [Freeipa-devel] [freeipa PR#761][comment] Fixing adding authenticator indicators to host In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/761 Title: #761: Fixing adding authenticator indicators to host stlaz commented: """ ``` ************* Module ipaserver.plugins.host ipaserver/plugins/host.py:887: [C0303(trailing-whitespace), ] Trailing whitespace) ``` \+ wrong author in the commit """ See the full comment at https://github.com/freeipa/freeipa/pull/761#issuecomment-299104113 From freeipa-github-notification at redhat.com Thu May 4 07:04:14 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Thu, 04 May 2017 09:04:14 +0200 Subject: [Freeipa-devel] [freeipa PR#757][comment] ca, kra install: validate DM password In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/757 Title: #757: ca, kra install: validate DM password stlaz commented: """ There will be no more sys.exits. This patchset shall not be ACKed until all have been removed. """ See the full comment at https://github.com/freeipa/freeipa/pull/757#issuecomment-299111113 From freeipa-github-notification at redhat.com Thu May 4 07:10:35 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Thu, 04 May 2017 09:10:35 +0200 Subject: [Freeipa-devel] [freeipa PR#726][comment] Add check for directory name In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/726 Title: #726: Add check for directory name stlaz commented: """ Obviously we can't push this until the tests pass. """ See the full comment at https://github.com/freeipa/freeipa/pull/726#issuecomment-299112001 From freeipa-github-notification at redhat.com Thu May 4 07:40:03 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 04 May 2017 09:40:03 +0200 Subject: [Freeipa-devel] [freeipa PR#756][comment] Added plugins directory to paclient subpackages In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/756 Title: #756: Added plugins directory to paclient subpackages MartinBasti commented: """ Opened issue: https://pagure.io/freeipa/issue/6927 """ See the full comment at https://github.com/freeipa/freeipa/pull/756#issuecomment-299116620 From freeipa-github-notification at redhat.com Thu May 4 07:45:13 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Thu, 04 May 2017 09:45:13 +0200 Subject: [Freeipa-devel] [freeipa PR#762][opened] fix managed-entries printing IPA not installed Message-ID: URL: https://github.com/freeipa/freeipa/pull/762 Author: stlaz Title: #762: fix managed-entries printing IPA not installed Action: opened PR body: """ ipa-managed-entries would print "IPA is not configured on this system." even though this is not true if run as a normal user. Add check for root running the script. https://pagure.io/freeipa/issue/6928 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/762/head:pr762 git checkout pr762 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-762.patch Type: text/x-diff Size: 1094 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu May 4 08:12:28 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Thu, 04 May 2017 10:12:28 +0200 Subject: [Freeipa-devel] [freeipa PR#716][comment] Fix minor typos In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/716 Title: #716: Fix minor typos stlaz commented: """ Except for the one change I pointed out, this is all OK with me. The only thing I am not sure is whether we can go changing the doc texts in `ipaclient/remote_plugins/2_*/*.py` since these are kept for backward compatibility but I hope someone can clear this out for me. If you could possibly remove the change at the line I noted, I will ACK this as soon as we can be sure about those changes in the `remote_plugins/` directory. """ See the full comment at https://github.com/freeipa/freeipa/pull/716#issuecomment-299122208 From freeipa-github-notification at redhat.com Thu May 4 10:15:36 2017 From: freeipa-github-notification at redhat.com (olivergs) Date: Thu, 04 May 2017 12:15:36 +0200 Subject: [Freeipa-devel] [freeipa PR#756][comment] Added plugins directory to paclient subpackages In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/756 Title: #756: Added plugins directory to paclient subpackages olivergs commented: """ I also opened this https://bugzilla.redhat.com/show_bug.cgi?id=1446744 """ See the full comment at https://github.com/freeipa/freeipa/pull/756#issuecomment-299146326 From freeipa-github-notification at redhat.com Thu May 4 11:10:11 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Thu, 04 May 2017 13:10:11 +0200 Subject: [Freeipa-devel] [freeipa PR#671][synchronized] Slim down dependencies In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/671 Author: tiran Title: #671: Slim down dependencies Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/671/head:pr671 git checkout pr671 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-671.patch Type: text/x-diff Size: 3144 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu May 4 11:48:51 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Thu, 04 May 2017 13:48:51 +0200 Subject: [Freeipa-devel] [freeipa PR#753][+ack] Check CA status: add HTTP timeout In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/753 Title: #753: Check CA status: add HTTP timeout Label: +ack From freeipa-github-notification at redhat.com Thu May 4 12:10:43 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 04 May 2017 14:10:43 +0200 Subject: [Freeipa-devel] [freeipa PR#753][+pushed] Check CA status: add HTTP timeout In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/753 Title: #753: Check CA status: add HTTP timeout Label: +pushed From freeipa-github-notification at redhat.com Thu May 4 12:10:47 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 04 May 2017 14:10:47 +0200 Subject: [Freeipa-devel] [freeipa PR#753][comment] Check CA status: add HTTP timeout In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/753 Title: #753: Check CA status: add HTTP timeout MartinBasti commented: """ master: * 20f7689079328aeef42b62a359b303f531db5666 http_request: add timeout option * 05984f171b0b41681254c95380a0598e4208a201 ca_status: add HTTP timeout 30 seconds ipa-4-5: * 48bb3cb69c000cea3f28bd5b44072d0fe9caa7a2 http_request: add timeout option * 68ce9aa2addb6048333e723f771132f5da7dd38f ca_status: add HTTP timeout 30 seconds """ See the full comment at https://github.com/freeipa/freeipa/pull/753#issuecomment-299167248 From freeipa-github-notification at redhat.com Thu May 4 12:10:48 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 04 May 2017 14:10:48 +0200 Subject: [Freeipa-devel] [freeipa PR#753][closed] Check CA status: add HTTP timeout In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/753 Author: MartinBasti Title: #753: Check CA status: add HTTP timeout Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/753/head:pr753 git checkout pr753 From freeipa-github-notification at redhat.com Thu May 4 12:35:09 2017 From: freeipa-github-notification at redhat.com (pvoborni) Date: Thu, 04 May 2017 14:35:09 +0200 Subject: [Freeipa-devel] [freeipa PR#761][comment] Fixing adding authenticator indicators to host In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/761 Title: #761: Fixing adding authenticator indicators to host pvoborni commented: """ I'd fix it on all places in host-mod: ``` 885 raise errors.ACIError(info=msg) 886 obj_classes = entry_attrs_old['objectclass'] 887: if 'krbprincipalaux' not in obj_classes: 888 obj_classes.append('krbprincipalaux') 889 entry_attrs['objectclass'] = obj_classes ... 921 _entry_attrs = ldap.get_entry(dn, ['objectclass']) 922 obj_classes = _entry_attrs['objectclass'] 923: if 'ieee802device' not in obj_classes: 924 obj_classes.append('ieee802device') 925 entry_attrs['objectclass'] = obj_classes ... 941 _entry_attrs = ldap.get_entry(dn, ['objectclass']) 942 obj_classes = entry_attrs['objectclass'] = _entry_attrs['objectclass'] 943: if 'ipasshhost' not in obj_classes: 944 obj_classes.append('ipasshhost') ``` so that the plugin would be consistent. Rest of framework can be fixed other time. """ See the full comment at https://github.com/freeipa/freeipa/pull/761#issuecomment-299172235 From freeipa-github-notification at redhat.com Thu May 4 12:51:36 2017 From: freeipa-github-notification at redhat.com (felipevolpone) Date: Thu, 04 May 2017 14:51:36 +0200 Subject: [Freeipa-devel] [freeipa PR#761][synchronized] Fixing adding authenticator indicators to host In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/761 Author: felipevolpone Title: #761: Fixing adding authenticator indicators to host Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/761/head:pr761 git checkout pr761 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-761.patch Type: text/x-diff Size: 2783 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu May 4 13:25:50 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Thu, 04 May 2017 15:25:50 +0200 Subject: [Freeipa-devel] [freeipa PR#763][opened] Dogtag fail Message-ID: URL: https://github.com/freeipa/freeipa/pull/763 Author: stlaz Title: #763: Dogtag fail Action: opened PR body: """ **Make CA/KRA fail when they don't start** Since all the services throw exceptions when we're unable to start/restart them, CA/KRA should not be an exception to it. **Fix wrong message on Dogtag instances stop** https://pagure.io/freeipa/issue/6766 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/763/head:pr763 git checkout pr763 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-763.patch Type: text/x-diff Size: 2465 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu May 4 14:05:00 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Thu, 04 May 2017 16:05:00 +0200 Subject: [Freeipa-devel] [freeipa PR#763][edited] Dogtag fail In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/763 Author: stlaz Title: #763: Dogtag fail Action: edited Changed field: title Original value: """ Dogtag fail """ From freeipa-github-notification at redhat.com Thu May 4 14:06:27 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Thu, 04 May 2017 16:06:27 +0200 Subject: [Freeipa-devel] [freeipa PR#760][edited] Run ipa-custodia under Python 2 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/760 Author: tiran Title: #760: Run ipa-custodia under Python 2 Action: edited Changed field: title Original value: """ Run ipa-custodia under Python 2 """ From freeipa-github-notification at redhat.com Thu May 4 20:04:31 2017 From: freeipa-github-notification at redhat.com (rcritten) Date: Thu, 04 May 2017 22:04:31 +0200 Subject: [Freeipa-devel] [freeipa PR#764][opened] Basic uninstaller for the CA Message-ID: URL: https://github.com/freeipa/freeipa/pull/764 Author: rcritten Title: #764: Basic uninstaller for the CA Action: opened PR body: """ This in response to watching users flounder with repeated failed replica installations and ipa-ca-install attempts that require a complete uninstall. Review it with whatever priority you desire. This is meant ONLY to be able to re-try an installation if the CA cloning fails for some reason. It is not intended to be used to remove the CA as a service on a given master. This is to avoid having to stand up a whole new master just because the CA installation failed. https://pagure.io/freeipa/issue/6595 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/764/head:pr764 git checkout pr764 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-764.patch Type: text/x-diff Size: 6081 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu May 4 20:12:02 2017 From: freeipa-github-notification at redhat.com (felipevolpone) Date: Thu, 04 May 2017 22:12:02 +0200 Subject: [Freeipa-devel] [freeipa PR#736][synchronized] Fixing the cert-request command comparing whole email address case-sensitively. In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/736 Author: felipevolpone Title: #736: Fixing the cert-request command comparing whole email address case-sensitively. Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/736/head:pr736 git checkout pr736 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-736.patch Type: text/x-diff Size: 4974 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu May 4 20:17:23 2017 From: freeipa-github-notification at redhat.com (felipevolpone) Date: Thu, 04 May 2017 22:17:23 +0200 Subject: [Freeipa-devel] [freeipa PR#736][comment] Fixing the cert-request command comparing whole email address case-sensitively. In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/736 Title: #736: Fixing the cert-request command comparing whole email address case-sensitively. felipevolpone commented: """ I hope it's fine now """ See the full comment at https://github.com/freeipa/freeipa/pull/736#issuecomment-299296983 From freeipa-github-notification at redhat.com Fri May 5 13:49:17 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Fri, 05 May 2017 15:49:17 +0200 Subject: [Freeipa-devel] [freeipa PR#757][synchronized] ca, kra install: validate DM password In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/757 Author: tomaskrizek Title: #757: ca, kra install: validate DM password Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/757/head:pr757 git checkout pr757 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-757.patch Type: text/x-diff Size: 7212 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri May 5 13:50:19 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Fri, 05 May 2017 15:50:19 +0200 Subject: [Freeipa-devel] [freeipa PR#757][comment] ca, kra install: validate DM password In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/757 Title: #757: ca, kra install: validate DM password tomaskrizek commented: """ Thanks for the feedback, hopefully I addressed all the issues. """ See the full comment at https://github.com/freeipa/freeipa/pull/757#issuecomment-299469642 From freeipa-github-notification at redhat.com Fri May 5 13:52:18 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 05 May 2017 15:52:18 +0200 Subject: [Freeipa-devel] [freeipa PR#763][+ack] Dogtag: fail if instance cannot be (re)started In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/763 Title: #763: Dogtag: fail if instance cannot be (re)started Label: +ack From freeipa-github-notification at redhat.com Fri May 5 13:55:26 2017 From: freeipa-github-notification at redhat.com (felipevolpone) Date: Fri, 05 May 2017 15:55:26 +0200 Subject: [Freeipa-devel] [freeipa PR#736][synchronized] Fixing the cert-request command comparing whole email address case-sensitively. In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/736 Author: felipevolpone Title: #736: Fixing the cert-request command comparing whole email address case-sensitively. Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/736/head:pr736 git checkout pr736 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-736.patch Type: text/x-diff Size: 4219 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri May 5 14:25:30 2017 From: freeipa-github-notification at redhat.com (felipevolpone) Date: Fri, 05 May 2017 16:25:30 +0200 Subject: [Freeipa-devel] [freeipa PR#736][synchronized] Fixing the cert-request command comparing whole email address case-sensitively. In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/736 Author: felipevolpone Title: #736: Fixing the cert-request command comparing whole email address case-sensitively. Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/736/head:pr736 git checkout pr736 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-736.patch Type: text/x-diff Size: 4217 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri May 5 15:17:36 2017 From: freeipa-github-notification at redhat.com (felipevolpone) Date: Fri, 05 May 2017 17:17:36 +0200 Subject: [Freeipa-devel] [freeipa PR#736][synchronized] Fixing the cert-request command comparing whole email address case-sensitively. In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/736 Author: felipevolpone Title: #736: Fixing the cert-request command comparing whole email address case-sensitively. Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/736/head:pr736 git checkout pr736 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-736.patch Type: text/x-diff Size: 5637 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri May 5 16:21:45 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 05 May 2017 18:21:45 +0200 Subject: [Freeipa-devel] [freeipa PR#765][opened] [4.5 backport] spec file: bump python-netaddr Requires Message-ID: URL: https://github.com/freeipa/freeipa/pull/765 Author: MartinBasti Title: #765: [4.5 backport] spec file: bump python-netaddr Requires Action: opened PR body: """ Bump python-netaddr Requires to the version which has correct private and reserved IPv4 address ranges. This fixes DNS server install failure when 0.0.0.0 is entered as a forwarder. Backport from: 0784e53f7f8a323acafbbff26a9d1c0276a229b0 https://pagure.io/freeipa/issue/6894 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/765/head:pr765 git checkout pr765 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-765.patch Type: text/x-diff Size: 2085 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri May 5 16:27:56 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Fri, 05 May 2017 18:27:56 +0200 Subject: [Freeipa-devel] [freeipa PR#752][comment] upgrade: add missing DN suffix when enabling KDC proxy In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/752 Title: #752: upgrade: add missing DN suffix when enabling KDC proxy martbab commented: """ This makes me wonder why don't we just use `self.api.env.basedn` in the ldap_enable/enable_kdcproxy/enable_pkinit methods but instead rely on 3 ways how to construct the root DN. LGTM as a quick fix, but we need to overhaul this part service installers in the future. """ See the full comment at https://github.com/freeipa/freeipa/pull/752#issuecomment-299511559 From freeipa-github-notification at redhat.com Fri May 5 16:29:33 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 05 May 2017 18:29:33 +0200 Subject: [Freeipa-devel] [freeipa PR#752][comment] upgrade: add missing DN suffix when enabling KDC proxy In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/752 Title: #752: upgrade: add missing DN suffix when enabling KDC proxy MartinBasti commented: """ Works for me """ See the full comment at https://github.com/freeipa/freeipa/pull/752#issuecomment-299511962 From freeipa-github-notification at redhat.com Fri May 5 16:29:39 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 05 May 2017 18:29:39 +0200 Subject: [Freeipa-devel] [freeipa PR#752][+ack] upgrade: add missing DN suffix when enabling KDC proxy In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/752 Title: #752: upgrade: add missing DN suffix when enabling KDC proxy Label: +ack From freeipa-github-notification at redhat.com Fri May 5 16:34:23 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Fri, 05 May 2017 18:34:23 +0200 Subject: [Freeipa-devel] [freeipa PR#764][comment] Basic uninstaller for the CA In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/764 Title: #764: Basic uninstaller for the CA martbab commented: """ I would avoid having half-effective CA uninstaller given that other components like Samba, DNS(Sec), and now also KRA (given the amount of bugs the uninstaller caused) do not support their uninstallation. Either we have to design some unified framework for proper optional component uninstallation, or we can go in vein of AD trust and DNS installers which are idempotent to a degree. I have an impression that this PR will cause users more problems than it aims to solve. """ See the full comment at https://github.com/freeipa/freeipa/pull/764#issuecomment-299513197 From freeipa-github-notification at redhat.com Fri May 5 16:40:22 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Fri, 05 May 2017 18:40:22 +0200 Subject: [Freeipa-devel] [freeipa PR#752][comment] upgrade: add missing DN suffix when enabling KDC proxy In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/752 Title: #752: upgrade: add missing DN suffix when enabling KDC proxy martbab commented: """ A separate PR will be needed for ipa-4-5 branch. """ See the full comment at https://github.com/freeipa/freeipa/pull/752#issuecomment-299514588 From freeipa-github-notification at redhat.com Fri May 5 16:52:21 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 05 May 2017 18:52:21 +0200 Subject: [Freeipa-devel] [freeipa PR#763][+pushed] Dogtag: fail if instance cannot be (re)started In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/763 Title: #763: Dogtag: fail if instance cannot be (re)started Label: +pushed From freeipa-github-notification at redhat.com Fri May 5 16:52:25 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 05 May 2017 18:52:25 +0200 Subject: [Freeipa-devel] [freeipa PR#763][comment] Dogtag: fail if instance cannot be (re)started In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/763 Title: #763: Dogtag: fail if instance cannot be (re)started MartinBasti commented: """ master: * 1a7a1f955e327bf1a06faa53c517bdbffff22eba Make CA/KRA fail when they don't start * aba384ddb535e81f81a518fa468a8ed095250ca1 Fix wrong message on Dogtag instances stop ipa-4-5: * 81f97cb89e17e63b3dcb8925a373970ac61764c2 Make CA/KRA fail when they don't start * 1b44c4caa1e7a1f90b3b3537de9cc1529f0891e8 Fix wrong message on Dogtag instances stop """ See the full comment at https://github.com/freeipa/freeipa/pull/763#issuecomment-299517511 From freeipa-github-notification at redhat.com Fri May 5 16:52:29 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 05 May 2017 18:52:29 +0200 Subject: [Freeipa-devel] [freeipa PR#763][closed] Dogtag: fail if instance cannot be (re)started In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/763 Author: stlaz Title: #763: Dogtag: fail if instance cannot be (re)started Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/763/head:pr763 git checkout pr763 From freeipa-github-notification at redhat.com Fri May 5 16:56:56 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 05 May 2017 18:56:56 +0200 Subject: [Freeipa-devel] [freeipa PR#752][+pushed] upgrade: add missing DN suffix when enabling KDC proxy In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/752 Title: #752: upgrade: add missing DN suffix when enabling KDC proxy Label: +pushed From freeipa-github-notification at redhat.com Fri May 5 16:56:59 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 05 May 2017 18:56:59 +0200 Subject: [Freeipa-devel] [freeipa PR#752][comment] upgrade: add missing DN suffix when enabling KDC proxy In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/752 Title: #752: upgrade: add missing DN suffix when enabling KDC proxy MartinBasti commented: """ master: * 999706fcdfa7fd4206a2399aa578fb00753d9978 python2-ipalib: add missing python dependency * 4b8ab77dd4800bd9c6b822502462ee649c88c663 installer service: fix typo in service entry * ebefb281775d5bd5f32459ac597af78781d7dbf5 upgrade: add missing suffix to http instance """ See the full comment at https://github.com/freeipa/freeipa/pull/752#issuecomment-299518616 From freeipa-github-notification at redhat.com Fri May 5 16:57:02 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 05 May 2017 18:57:02 +0200 Subject: [Freeipa-devel] [freeipa PR#752][closed] upgrade: add missing DN suffix when enabling KDC proxy In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/752 Author: tomaskrizek Title: #752: upgrade: add missing DN suffix when enabling KDC proxy Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/752/head:pr752 git checkout pr752 From freeipa-github-notification at redhat.com Fri May 5 17:19:57 2017 From: freeipa-github-notification at redhat.com (rcritten) Date: Fri, 05 May 2017 19:19:57 +0200 Subject: [Freeipa-devel] [freeipa PR#764][comment] Basic uninstaller for the CA In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/764 Title: #764: Basic uninstaller for the CA rcritten commented: """ What do you mean half-effective? Did you try it? There already IS a unified framework for component uninstallation: each service provides it. There are edge cases when trying to uninstall one particular piece but that is relatively straightforward to handle and as outlined in the PR this is not intended or expected to clean up every last element, just enough to be able to cleanly attempt the installation again. Forcing users to uninstall an entire master just to (try to) re-install the CA is a major pain point. Other services not having uninstall options is not relevant to this case IMHO. """ See the full comment at https://github.com/freeipa/freeipa/pull/764#issuecomment-299524085 From freeipa-github-notification at redhat.com Fri May 5 19:45:22 2017 From: freeipa-github-notification at redhat.com (flo-renaud) Date: Fri, 05 May 2017 21:45:22 +0200 Subject: [Freeipa-devel] [freeipa PR#766][opened] ipa-kra-install: fix check_host_keys Message-ID: URL: https://github.com/freeipa/freeipa/pull/766 Author: flo-renaud Title: #766: ipa-kra-install: fix check_host_keys Action: opened PR body: """ ipa-kra-install on a replica checks that the keys are available before going further to avoid race condition due to replication. The issue is that the check_host_keys method expects to find exactly one key for cn=env/host but 2 may exist: one below cn=custodia and one below cn=dogtag,cn=custodia. The fix is to check that at least one key exist (not exactly one key). https://pagure.io/freeipa/issue/6934 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/766/head:pr766 git checkout pr766 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-766.patch Type: text/x-diff Size: 1895 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue May 9 06:12:56 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Tue, 09 May 2017 08:12:56 +0200 Subject: [Freeipa-devel] [freeipa PR#728][synchronized] ipa-cacert-manage: add --external-ca-type In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/728 Author: HonzaCholasta Title: #728: ipa-cacert-manage: add --external-ca-type Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/728/head:pr728 git checkout pr728 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-728.patch Type: text/x-diff Size: 40781 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue May 9 06:19:32 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Tue, 09 May 2017 08:19:32 +0200 Subject: [Freeipa-devel] [freeipa PR#767][opened] [4.5] upgrade: add missing DN suffix when enabling KDC proxy Message-ID: URL: https://github.com/freeipa/freeipa/pull/767 Author: tomaskrizek Title: #767: [4.5] upgrade: add missing DN suffix when enabling KDC proxy Action: opened PR body: """ Original PR: #752 --- This issue prevented from upgrading from IPA 4.1. I also discovered a missing python dependency when I was running the ipa-server-upgrade manually. For packagers: the Python version that has the required symbols in CentOS is 2.7.5-24 https://pagure.io/freeipa/issue/6920 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/767/head:pr767 git checkout pr767 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-767.patch Type: text/x-diff Size: 2873 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue May 9 08:00:28 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Tue, 09 May 2017 10:00:28 +0200 Subject: [Freeipa-devel] [freeipa PR#764][comment] Basic uninstaller for the CA In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/764 Title: #764: Basic uninstaller for the CA martbab commented: """ @rcritten If it is expected to not clean up properly after a fai;ed installation then I would rather not advertise it as an uninstaller, otherwise users will start to get ideas like "I do not want to use built-in CA anymore, let's just uninstall it and use 3rd party certs everywhere" and will run into problems with leftover certificates and such. I would rather provide some rollback after failed install but again, I think there should be a more extensive discussion about a generic solution applicable to all service installers. Also I would not claim that we actually do not have a service uninstaller framework since every service installer has a copy-pasted code in an ad-hoc coded uninstall method repeated ad nauseam. From what I have glimpsed from `ipa-4-5` branch, `Service` class does not even provide `uninstall` abstract method to override, only `SimpleServiceInstance` does that. """ See the full comment at https://github.com/freeipa/freeipa/pull/764#issuecomment-300090846 From freeipa-github-notification at redhat.com Tue May 9 08:21:41 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Tue, 09 May 2017 10:21:41 +0200 Subject: [Freeipa-devel] [freeipa PR#767][+ack] [4.5] upgrade: add missing DN suffix when enabling KDC proxy In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/767 Title: #767: [4.5] upgrade: add missing DN suffix when enabling KDC proxy Label: +ack From freeipa-github-notification at redhat.com Tue May 9 08:28:43 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 09 May 2017 10:28:43 +0200 Subject: [Freeipa-devel] [freeipa PR#758][comment] install: fix CA-less PKINIT In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/758 Title: #758: install: fix CA-less PKINIT stlaz commented: """ External CA (rebased on current master to be able to install): ``` $ kinit -n kinit: Invalid certificate while getting initial credentials $ /usr/bin/kinit -n -c /var/run/ipa/ccaches/armor_9588 -X X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X X509_anchors=FILE:/var/kerberos/krb5kdc/cacert.pem kinit: Invalid certificate while getting initial credentials ``` and on replica: ``` $ kinit -n kinit: Preauthentication failed while getting initial credentials ``` => this breaks WebUI on external CA installations. ================================= CA-less with `--no-pkinit`: ``` $ kinit -n kinit: Preauthentication failed while getting initial credentials ``` but I guess that's expected, WebUI works since the following does work as well: ``` $ /usr/bin/kinit -n -X X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X X509_anchors=FILE:/var/kerberos/krb5kdc/cacert.pem ``` ================================= In CA-less with PKINIT options, `kinit -n` works fine, although replica installation will produce: ``` Configuring Kerberos KDC (krb5kdc) [1/1]: installing X509 Certificate for PKINIT ipa : ERROR PKINIT certificate request failed: Certificate issuance failed (CA_UNREACHABLE) ipa : ERROR Failed to configure PKINIT Done configuring Kerberos KDC (krb5kdc). ``` when run with own PKINIT certificate from `--pkinit-cert-file` option. I don't think it should be asking any CA for a certificate if we already have the certificate. """ See the full comment at https://github.com/freeipa/freeipa/pull/758#issuecomment-300097018 From freeipa-github-notification at redhat.com Tue May 9 08:31:26 2017 From: freeipa-github-notification at redhat.com (pvoborni) Date: Tue, 09 May 2017 10:31:26 +0200 Subject: [Freeipa-devel] [freeipa PR#764][comment] Basic uninstaller for the CA In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/764 Title: #764: Basic uninstaller for the CA pvoborni commented: """ Let's first clarify the problem to solve. If I understand @rcritten right, the problem is that if ipa-ca-install fail then one must reinstall the whole replica because the failed installation left a garbage and subsequent installer is not able to handle the garbage. Uninstallation of successful CA installation is not the intend, right? If so then it seems to me that both of you are in agreement. And I would add that I completely agree with CA uninstall not being a goal because it would add just another use case to support with a benefit I don't see. So if goal is repeatable ipa-ca-install then let's not talk about creating a CA uninstaller but rather about CA cleanup and let's hide/remove the `--uninstall` option and figure out how it should behave - i.e. let it be internal. """ See the full comment at https://github.com/freeipa/freeipa/pull/764#issuecomment-300097665 From freeipa-github-notification at redhat.com Tue May 9 08:33:21 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Tue, 09 May 2017 10:33:21 +0200 Subject: [Freeipa-devel] [freeipa PR#767][+pushed] [4.5] upgrade: add missing DN suffix when enabling KDC proxy In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/767 Title: #767: [4.5] upgrade: add missing DN suffix when enabling KDC proxy Label: +pushed From freeipa-github-notification at redhat.com Tue May 9 08:33:25 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Tue, 09 May 2017 10:33:25 +0200 Subject: [Freeipa-devel] [freeipa PR#767][comment] [4.5] upgrade: add missing DN suffix when enabling KDC proxy In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/767 Title: #767: [4.5] upgrade: add missing DN suffix when enabling KDC proxy martbab commented: """ ipa-4-5: * cdefa3030fba0f9a79f65f91aec84a44795c17f5 python2-ipalib: add missing python dependency * 1662b0ef2fff6ee002afd99f86b9075a603b6027 installer service: fix typo in service entry * d10d5066aa60288703f2cf4b1a8dd7ed0aab8842 upgrade: add missing suffix to http instance """ See the full comment at https://github.com/freeipa/freeipa/pull/767#issuecomment-300098076 From freeipa-github-notification at redhat.com Tue May 9 08:33:28 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Tue, 09 May 2017 10:33:28 +0200 Subject: [Freeipa-devel] [freeipa PR#767][closed] [4.5] upgrade: add missing DN suffix when enabling KDC proxy In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/767 Author: tomaskrizek Title: #767: [4.5] upgrade: add missing DN suffix when enabling KDC proxy Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/767/head:pr767 git checkout pr767 From freeipa-github-notification at redhat.com Tue May 9 08:34:37 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Tue, 09 May 2017 10:34:37 +0200 Subject: [Freeipa-devel] [freeipa PR#760][synchronized] [4.4] Run ipa-custodia under Python 2 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/760 Author: tiran Title: #760: [4.4] Run ipa-custodia under Python 2 Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/760/head:pr760 git checkout pr760 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-760.patch Type: text/x-diff Size: 3292 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue May 9 08:37:01 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Tue, 09 May 2017 10:37:01 +0200 Subject: [Freeipa-devel] [freeipa PR#764][comment] Basic uninstaller for the CA In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/764 Title: #764: Basic uninstaller for the CA martbab commented: """ @pvoborni We can try to move the uninstaller logic to the beginning of the install, or make the affected steps idempotent. But still I would be hesitant to merge this PR without some design in place. """ See the full comment at https://github.com/freeipa/freeipa/pull/764#issuecomment-300098837 From freeipa-github-notification at redhat.com Tue May 9 08:48:11 2017 From: freeipa-github-notification at redhat.com (flo-renaud) Date: Tue, 09 May 2017 10:48:11 +0200 Subject: [Freeipa-devel] [freeipa PR#766][synchronized] ipa-kra-install: fix check_host_keys In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/766 Author: flo-renaud Title: #766: ipa-kra-install: fix check_host_keys Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/766/head:pr766 git checkout pr766 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-766.patch Type: text/x-diff Size: 1924 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue May 9 08:49:06 2017 From: freeipa-github-notification at redhat.com (flo-renaud) Date: Tue, 09 May 2017 10:49:06 +0200 Subject: [Freeipa-devel] [freeipa PR#766][comment] ipa-kra-install: fix check_host_keys In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/766 Title: #766: ipa-kra-install: fix check_host_keys flo-renaud commented: """ Hi @MartinBasti @martbab thank you for the comment. PR updated with your suggestion. """ See the full comment at https://github.com/freeipa/freeipa/pull/766#issuecomment-300101597 From freeipa-github-notification at redhat.com Tue May 9 09:24:07 2017 From: freeipa-github-notification at redhat.com (Akasurde) Date: Tue, 09 May 2017 11:24:07 +0200 Subject: [Freeipa-devel] [freeipa PR#725][closed] Fix certificate_out check in CertRetrieveOverride In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/725 Author: Akasurde Title: #725: Fix certificate_out check in CertRetrieveOverride Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/725/head:pr725 git checkout pr725 From freeipa-github-notification at redhat.com Tue May 9 09:24:45 2017 From: freeipa-github-notification at redhat.com (Akasurde) Date: Tue, 09 May 2017 11:24:45 +0200 Subject: [Freeipa-devel] [freeipa PR#726][closed] Add check for directory name In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/726 Author: Akasurde Title: #726: Add check for directory name Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/726/head:pr726 git checkout pr726 From freeipa-github-notification at redhat.com Tue May 9 09:52:09 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Tue, 09 May 2017 11:52:09 +0200 Subject: [Freeipa-devel] [freeipa PR#762][+ack] fix managed-entries printing IPA not installed In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/762 Title: #762: fix managed-entries printing IPA not installed Label: +ack From freeipa-github-notification at redhat.com Tue May 9 10:09:16 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 09 May 2017 12:09:16 +0200 Subject: [Freeipa-devel] [freeipa PR#764][comment] Basic uninstaller for the CA In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/764 Title: #764: Basic uninstaller for the CA stlaz commented: """ @pvoborni @rcritten @martbab This discussion at this PR makes no sense. Clearly we can see that the impact is much higher and should be discussed on designated channels, meaning either **freeipa-devel** mailing list or in our issue tracking system (the former would be preferable with having the result in the latter). I believe that the guys from the Dogtag project could also have a great insight on this. Here's questions which should answer why I want this to be discussed there: - how to handle users so they don't use `ipa-ca-install --uninstall` any time? - at which point is the installation recoverable and when it's not? - describe what happens in each and every step, mention which files and entries are created - on master - on replica - describe what has to be done in case a step fails for each and every step - on master - on replica - describe how `ipa-ca-install` rollback should behave when installing first CA in a CA-less setup These problems are just from the top of my head and I am a CA installation noob. I would however be very cautious not knowing an answer to either of those. @rcritten if you do know the answers, please, share them with us (or maybe just me because I sure don't know them), it would help a lot with deciding on where to go from here. """ See the full comment at https://github.com/freeipa/freeipa/pull/764#issuecomment-300120774 From freeipa-github-notification at redhat.com Tue May 9 11:53:11 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 09 May 2017 13:53:11 +0200 Subject: [Freeipa-devel] [freeipa PR#760][comment] [4.4] Run ipa-custodia under Python 2 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/760 Title: #760: [4.4] Run ipa-custodia under Python 2 stlaz commented: """ Works for me. However, I do not see the reason to do `custodia > 0.2`, please, either provide some or remove it. """ See the full comment at https://github.com/freeipa/freeipa/pull/760#issuecomment-300140520 From freeipa-github-notification at redhat.com Tue May 9 12:07:13 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Tue, 09 May 2017 14:07:13 +0200 Subject: [Freeipa-devel] [freeipa PR#760][comment] [4.4] Run ipa-custodia under Python 2 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/760 Title: #760: [4.4] Run ipa-custodia under Python 2 tiran commented: """ The patch doesn't work with custodia 0.1. It needs at least 0.2.0-1. """ See the full comment at https://github.com/freeipa/freeipa/pull/760#issuecomment-300143282 From freeipa-github-notification at redhat.com Tue May 9 12:07:20 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Tue, 09 May 2017 14:07:20 +0200 Subject: [Freeipa-devel] [freeipa PR#760][synchronized] [4.4] Run ipa-custodia under Python 2 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/760 Author: tiran Title: #760: [4.4] Run ipa-custodia under Python 2 Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/760/head:pr760 git checkout pr760 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-760.patch Type: text/x-diff Size: 3351 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue May 9 12:21:54 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 09 May 2017 14:21:54 +0200 Subject: [Freeipa-devel] [freeipa PR#760][comment] [4.4] Run ipa-custodia under Python 2 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/760 Title: #760: [4.4] Run ipa-custodia under Python 2 stlaz commented: """ Alright, thanks. ACK. """ See the full comment at https://github.com/freeipa/freeipa/pull/760#issuecomment-300146298 From freeipa-github-notification at redhat.com Tue May 9 12:21:59 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 09 May 2017 14:21:59 +0200 Subject: [Freeipa-devel] [freeipa PR#760][+ack] [4.4] Run ipa-custodia under Python 2 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/760 Title: #760: [4.4] Run ipa-custodia under Python 2 Label: +ack From freeipa-github-notification at redhat.com Tue May 9 12:23:15 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 09 May 2017 14:23:15 +0200 Subject: [Freeipa-devel] [freeipa PR#766][+ack] ipa-kra-install: fix check_host_keys In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/766 Title: #766: ipa-kra-install: fix check_host_keys Label: +ack From freeipa-github-notification at redhat.com Tue May 9 12:30:33 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 09 May 2017 14:30:33 +0200 Subject: [Freeipa-devel] [freeipa PR#766][+pushed] ipa-kra-install: fix check_host_keys In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/766 Title: #766: ipa-kra-install: fix check_host_keys Label: +pushed From freeipa-github-notification at redhat.com Tue May 9 12:30:41 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 09 May 2017 14:30:41 +0200 Subject: [Freeipa-devel] [freeipa PR#766][comment] ipa-kra-install: fix check_host_keys In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/766 Title: #766: ipa-kra-install: fix check_host_keys MartinBasti commented: """ master: * 8983ce53e3fdee98926f81f3012146e33bb92d30 ipa-kra-install: fix check_host_keys ipa-4-5: * b90dce88e227174aa33270beee9b3d6ff51cce59 ipa-kra-install: fix check_host_keys """ See the full comment at https://github.com/freeipa/freeipa/pull/766#issuecomment-300148119 From freeipa-github-notification at redhat.com Tue May 9 12:30:42 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 09 May 2017 14:30:42 +0200 Subject: [Freeipa-devel] [freeipa PR#766][closed] ipa-kra-install: fix check_host_keys In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/766 Author: flo-renaud Title: #766: ipa-kra-install: fix check_host_keys Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/766/head:pr766 git checkout pr766 From freeipa-github-notification at redhat.com Tue May 9 13:30:06 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Tue, 09 May 2017 15:30:06 +0200 Subject: [Freeipa-devel] [freeipa PR#760][comment] [4.4] Run ipa-custodia under Python 2 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/760 Title: #760: [4.4] Run ipa-custodia under Python 2 tomaskrizek commented: """ @tiran Once this PR is merged, do you plan to remove the conflict with `freeipa-server-common < 4.5` from custodia or do we need to address something else as well? """ See the full comment at https://github.com/freeipa/freeipa/pull/760#issuecomment-300163978 From freeipa-github-notification at redhat.com Tue May 9 14:01:36 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Tue, 09 May 2017 16:01:36 +0200 Subject: [Freeipa-devel] [freeipa PR#760][comment] [4.4] Run ipa-custodia under Python 2 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/760 Title: #760: [4.4] Run ipa-custodia under Python 2 tiran commented: """ @tomaskrizek yes, custodia 0.5 will no longer have the restriction. """ See the full comment at https://github.com/freeipa/freeipa/pull/760#issuecomment-300173956 From freeipa-github-notification at redhat.com Tue May 9 14:29:01 2017 From: freeipa-github-notification at redhat.com (flo-renaud) Date: Tue, 09 May 2017 16:29:01 +0200 Subject: [Freeipa-devel] [freeipa PR#729][+ack] Turn on NSSOCSP check in mod_nss conf In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/729 Title: #729: Turn on NSSOCSP check in mod_nss conf Label: +ack From mkosek at redhat.com Tue May 9 14:29:25 2017 From: mkosek at redhat.com (Martin Kosek) Date: Tue, 9 May 2017 16:29:25 +0200 Subject: [Freeipa-devel] Moving our wiki back to password login Message-ID: <0ccf4e27-2333-5e98-c325-8ffc24fd6309@redhat.com> Hello all, As some of you noticed, FreeIPA wiki authentication via OpenID was broken in the last days. I suspect (but did get reply from Patrick who running the Fedora infra yet) that it was caused by Fedora moving to mode modern authentication protocol, i.e. from OpenID to OpenID Connect (OIDC): https://fedoraproject.org/wiki/Infrastructure/Authentication Unfortunately, I cannot make the OIDC login for our current FreeIPA instance available, given that our wiki runs on OpenShift v2 which uses PHP 5.3.3 cartridge, which can get us only as far as to Mediawiki 1.26. OIDC mediawiki authentication plugin is supported from 1.27 forward. So the wiki needs to be either: - migrated to newer PHP cartridge on current Red Hat OpenShift v2 instance - migrated to OpenShift v3 (preferred) to unblock us from this situation and get to proper OIDC authentication. However, this will need more time and preparation (which I do not even have right now). For now, I simply disabled OpenID authentication in our wiki and enabled password logins again! Anonymous account creation is disabled to avoid spammers. However, given that we now enforce people to be in a special group (editors) to fight the spammers, there is actually no big functionality lost in this, except having to use yet another password. To summarize, if you want to access the wiki again, please use the password you may have had before we migrated to Fedora OpenID. If you do not have the password yet, you should be able to simply reset it before logging in and you should get an email (the mail part did not work for martbab this afternoon, though). In the worst case, I can reset the password for you, just shoot me an email. Thanks! -- Martin Kosek Manager, Software Engineering - Identity Management Team Red Hat, Inc. From freeipa-github-notification at redhat.com Tue May 9 14:43:20 2017 From: freeipa-github-notification at redhat.com (Rezney) Date: Tue, 09 May 2017 16:43:20 +0200 Subject: [Freeipa-devel] [freeipa PR#768][opened] Ticket#6854 caless Message-ID: URL: https://github.com/freeipa/freeipa/pull/768 Author: Rezney Title: #768: Ticket#6854 caless Action: opened PR body: """ What was done? ~~~~~~~~~~~~~~ 1.) caless-create-pki The script was kind of merged with https://github.com/freeipa/freeipa-tools/blob/master/makepki.sh. Standa took care of PKINIT certificates generation so that write_chain() function was introduced which handles cert chain in the pkcs12 files and also reverse chanin order for openssl command. Then gen_pkinit_extensions() and gen_pkinit_cert() are handling the PKINIT certificate generation. See https://web.mit.edu/kerberos/krb5-1.13/doc/admin/pkinit.html for details. 2.) test_caless.py As the tests are currently failing due to the pkinit option not provided "pkinit_pin, pkinit_pkcs12_exists and pkinit_pkcs12" parameters were added to both install_server() and prepare_replica methods and particular options are added to installator. Then copy_pkinit() is handling pkinit certs transfer. TestPKINIT class contains test_server_replica_install_pkinit() test which checks both server and replica install with pkinit for a starter. Eventually added "raiseonerr=False" to ipa_certs_cleanup() cause tests were failing there but that whole workaround for ticket 4639 will be removed in different commit. What can be improved? (at least what I am aware of) ~~~~~~~~~~~~~~~~~~~~~ Currently pkinit certificates are not inside nss db so we copy it separately (we could also move it to certdir and copy as whole). Tried to put it there with pk12util but the certs were getting nicknames from openssl friendly names (I guess). Added -name parameter to "openssl pkcs12 -export" command and the nicknames were fine (e.g. "ca1/pkinit-server" after certuril -L) however after the "caless-create-pki" script was done all pkinit cert nicknames were just prefixed with "ca1/" (instead of ca1/ ca2/ etc.). Issues found: ~~~~~~~~~~~~~ Replica install with pkinit is not failing anymore with "Certificate issuance failed (CA_UNREACHABLE)", however the ERROR message is still presented: [ipa.ipatests.pytest_plugins.integration.host.Host.vm-021.cmd26] [1/1]: installing X509 Certificate for PKINIT [ipa.ipatests.pytest_plugins.integration.host.Host.vm-021.cmd26] ipa : ERROR PKINIT certificate request failed: Certificate issuance failed (CA_UNREACHABLE) [ipa.ipatests.pytest_plugins.integration.host.Host.vm-021.cmd26] ipa : ERROR Failed to configure PKINIT [ipa.ipatests.pytest_plugins.integration.host.Host.vm-021.cmd26] Done configuring Kerberos KDC (krb5kdc). [ipa.ipatests.pytest_plugins.integration.host.Host.vm-021.cmd26] Applying LDAP updates [ipa.ipatests.pytest_plugins.integration.host.Host.vm-021.cmd26] Upgrading IPA:. Estimated time: 1 minute 30 seconds [ipa.ipatests.pytest_plugins.integration.host.Host.vm-021.cmd26] [1/9]: stopping directory server """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/768/head:pr768 git checkout pr768 From freeipa-github-notification at redhat.com Tue May 9 14:46:57 2017 From: freeipa-github-notification at redhat.com (felipevolpone) Date: Tue, 09 May 2017 16:46:57 +0200 Subject: [Freeipa-devel] [freeipa PR#761][synchronized] Fixing adding authenticator indicators to host In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/761 Author: felipevolpone Title: #761: Fixing adding authenticator indicators to host Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/761/head:pr761 git checkout pr761 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-761.patch Type: text/x-diff Size: 2783 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue May 9 14:52:11 2017 From: freeipa-github-notification at redhat.com (Rezney) Date: Tue, 09 May 2017 16:52:11 +0200 Subject: [Freeipa-devel] [freeipa PR#768][edited] Ticket#6854 caless In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/768 Author: Rezney Title: #768: Ticket#6854 caless Action: edited Changed field: body Original value: """ What was done? ~~~~~~~~~~~~~~ 1.) caless-create-pki The script was kind of merged with https://github.com/freeipa/freeipa-tools/blob/master/makepki.sh. Standa took care of PKINIT certificates generation so that write_chain() function was introduced which handles cert chain in the pkcs12 files and also reverse chanin order for openssl command. Then gen_pkinit_extensions() and gen_pkinit_cert() are handling the PKINIT certificate generation. See https://web.mit.edu/kerberos/krb5-1.13/doc/admin/pkinit.html for details. 2.) test_caless.py As the tests are currently failing due to the pkinit option not provided "pkinit_pin, pkinit_pkcs12_exists and pkinit_pkcs12" parameters were added to both install_server() and prepare_replica methods and particular options are added to installator. Then copy_pkinit() is handling pkinit certs transfer. TestPKINIT class contains test_server_replica_install_pkinit() test which checks both server and replica install with pkinit for a starter. Eventually added "raiseonerr=False" to ipa_certs_cleanup() cause tests were failing there but that whole workaround for ticket 4639 will be removed in different commit. What can be improved? (at least what I am aware of) ~~~~~~~~~~~~~~~~~~~~~ Currently pkinit certificates are not inside nss db so we copy it separately (we could also move it to certdir and copy as whole). Tried to put it there with pk12util but the certs were getting nicknames from openssl friendly names (I guess). Added -name parameter to "openssl pkcs12 -export" command and the nicknames were fine (e.g. "ca1/pkinit-server" after certuril -L) however after the "caless-create-pki" script was done all pkinit cert nicknames were just prefixed with "ca1/" (instead of ca1/ ca2/ etc.). Issues found: ~~~~~~~~~~~~~ Replica install with pkinit is not failing anymore with "Certificate issuance failed (CA_UNREACHABLE)", however the ERROR message is still presented: [ipa.ipatests.pytest_plugins.integration.host.Host.vm-021.cmd26] [1/1]: installing X509 Certificate for PKINIT [ipa.ipatests.pytest_plugins.integration.host.Host.vm-021.cmd26] ipa : ERROR PKINIT certificate request failed: Certificate issuance failed (CA_UNREACHABLE) [ipa.ipatests.pytest_plugins.integration.host.Host.vm-021.cmd26] ipa : ERROR Failed to configure PKINIT [ipa.ipatests.pytest_plugins.integration.host.Host.vm-021.cmd26] Done configuring Kerberos KDC (krb5kdc). [ipa.ipatests.pytest_plugins.integration.host.Host.vm-021.cmd26] Applying LDAP updates [ipa.ipatests.pytest_plugins.integration.host.Host.vm-021.cmd26] Upgrading IPA:. Estimated time: 1 minute 30 seconds [ipa.ipatests.pytest_plugins.integration.host.Host.vm-021.cmd26] [1/9]: stopping directory server """ From freeipa-github-notification at redhat.com Tue May 9 14:53:38 2017 From: freeipa-github-notification at redhat.com (Rezney) Date: Tue, 09 May 2017 16:53:38 +0200 Subject: [Freeipa-devel] [freeipa PR#768][closed] Ticket#6854 caless In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/768 Author: Rezney Title: #768: Ticket#6854 caless Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/768/head:pr768 git checkout pr768 From freeipa-github-notification at redhat.com Tue May 9 15:02:13 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 09 May 2017 17:02:13 +0200 Subject: [Freeipa-devel] [freeipa PR#671][+ack] Slim down dependencies In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/671 Title: #671: Slim down dependencies Label: +ack From freeipa-github-notification at redhat.com Tue May 9 15:17:52 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 09 May 2017 17:17:52 +0200 Subject: [Freeipa-devel] [freeipa PR#671][+pushed] Slim down dependencies In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/671 Title: #671: Slim down dependencies Label: +pushed From freeipa-github-notification at redhat.com Tue May 9 15:17:57 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 09 May 2017 17:17:57 +0200 Subject: [Freeipa-devel] [freeipa PR#671][comment] Slim down dependencies In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/671 Title: #671: Slim down dependencies MartinBasti commented: """ master: * bd5a5012d24820b54cdca2955f5405b84de1178c Slim down dependencies """ See the full comment at https://github.com/freeipa/freeipa/pull/671#issuecomment-300198093 From freeipa-github-notification at redhat.com Tue May 9 15:18:00 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 09 May 2017 17:18:00 +0200 Subject: [Freeipa-devel] [freeipa PR#671][closed] Slim down dependencies In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/671 Author: tiran Title: #671: Slim down dependencies Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/671/head:pr671 git checkout pr671 From freeipa-github-notification at redhat.com Tue May 9 15:33:37 2017 From: freeipa-github-notification at redhat.com (abbra) Date: Tue, 09 May 2017 17:33:37 +0200 Subject: [Freeipa-devel] [freeipa PR#768][comment] Ticket#6854 caless In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/768 Title: #768: Ticket#6854 caless abbra commented: """ PKINIT certificates are using by `krb5kdc` which uses OpenSSL. It means they cannot be placed in an NSSDB. """ See the full comment at https://github.com/freeipa/freeipa/pull/768#issuecomment-300203017 From freeipa-github-notification at redhat.com Tue May 9 15:40:41 2017 From: freeipa-github-notification at redhat.com (Rezney) Date: Tue, 09 May 2017 17:40:41 +0200 Subject: [Freeipa-devel] [freeipa PR#769][opened] test_caless: add pkinit option and test it Message-ID: URL: https://github.com/freeipa/freeipa/pull/769 Author: Rezney Title: #769: test_caless: add pkinit option and test it Action: opened PR body: """ What was done? ~~~ 1.) caless-create-pki The script was kind of merged with https://github.com/freeipa/freeipa-tools/blob/master/makepki.sh. Standa took care of PKINIT certificates generation so that write_chain() function was introduced which handles cert chain in the pkcs12 files and also reverse chanin order for openssl command. Then gen_pkinit_extensions() and gen_pkinit_cert() are handling the PKINIT certificate generation. See https://web.mit.edu/kerberos/krb5-1.13/doc/admin/pkinit.html for details. 2.) test_caless.py As the tests are currently failing due to the pkinit option not provided "pkinit_pin, pkinit_pkcs12_exists and pkinit_pkcs12" parameters were added to both install_server() and prepare_replica methods and particular options are added to installator. Then copy_pkinit() is handling pkinit certs transfer. TestPKINIT class contains test_server_replica_install_pkinit() test which checks both server and replica install with pkinit for a starter. Eventually added "raiseonerr=False" to ipa_certs_cleanup() cause tests were failing there but that whole workaround for ticket 4639 will be removed in different commit. ~~~ What can be improved? (at least what I am aware of) ~~~ Currently pkinit certificates are not inside nss db so we copy it separately (we could also move it to certdir and copy as whole). Tried to put it there with pk12util but the certs were getting nicknames from openssl friendly names (I guess). Added -name parameter to "openssl pkcs12 -export" command and the nicknames were fine (e.g. "ca1/pkinit-server" after certuril -L) however after the "caless-create-pki" script was done all pkinit cert nicknames were just prefixed with "ca1/" (instead of ca1/ ca2/ etc.). ~~~ Issues found: ~~~ Replica install with pkinit is not failing anymore with "Certificate issuance failed (CA_UNREACHABLE)", however the ERROR message is still presented: [ipa.ipatests.pytest_plugins.integration.host.Host.vm-021.cmd26] [1/1]: installing X509 Certificate for PKINIT [ipa.ipatests.pytest_plugins.integration.host.Host.vm-021.cmd26] ipa : ERROR PKINIT certificate request failed: Certificate issuance failed (CA_UNREACHABLE) [ipa.ipatests.pytest_plugins.integration.host.Host.vm-021.cmd26] ipa : ERROR Failed to configure PKINIT [ipa.ipatests.pytest_plugins.integration.host.Host.vm-021.cmd26] Done configuring Kerberos KDC (krb5kdc). [ipa.ipatests.pytest_plugins.integration.host.Host.vm-021.cmd26] Applying LDAP updates [ipa.ipatests.pytest_plugins.integration.host.Host.vm-021.cmd26] Upgrading IPA:. Estimated time: 1 minute 30 seconds [ipa.ipatests.pytest_plugins.integration.host.Host.vm-021.cmd26] [1/9]: stopping directory server ~~~ """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/769/head:pr769 git checkout pr769 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-769.patch Type: text/x-diff Size: 13472 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue May 9 15:52:18 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 09 May 2017 17:52:18 +0200 Subject: [Freeipa-devel] [freeipa PR#770][opened] cert-show: writable files does not mean dirs Message-ID: URL: https://github.com/freeipa/freeipa/pull/770 Author: stlaz Title: #770: cert-show: writable files does not mean dirs Action: opened PR body: """ ipalib.util.check_writable_file didn't check whether the argument is an actual file which is now fixed. https://pagure.io/freeipa/issue/6883 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/770/head:pr770 git checkout pr770 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-770.patch Type: text/x-diff Size: 950 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue May 9 15:54:18 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 09 May 2017 17:54:18 +0200 Subject: [Freeipa-devel] [freeipa PR#771][opened] cert-show: check if certificate_out is in options Message-ID: URL: https://github.com/freeipa/freeipa/pull/771 Author: stlaz Title: #771: cert-show: check if certificate_out is in options Action: opened PR body: """ If --certificate-out was specified on the command line, it will appear among the options. If it was empty, it will be None, though. https://pagure.io/freeipa/issue/6885 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/771/head:pr771 git checkout pr771 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-771.patch Type: text/x-diff Size: 1346 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue May 9 16:38:34 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Tue, 09 May 2017 18:38:34 +0200 Subject: [Freeipa-devel] [freeipa PR#772][opened] Travis CI: explicitly update pip before running the builds Message-ID: URL: https://github.com/freeipa/freeipa/pull/772 Author: martbab Title: #772: Travis CI: explicitly update pip before running the builds Action: opened PR body: """ This is to workaround around https://github.com/travis-ci/travis-ci/issues/7733 and issues with implicit requirement of python-requests on newer pip. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/772/head:pr772 git checkout pr772 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-772.patch Type: text/x-diff Size: 725 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue May 9 16:46:40 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Tue, 09 May 2017 18:46:40 +0200 Subject: [Freeipa-devel] [freeipa PR#772][synchronized] Travis CI: explicitly update pip before running the builds In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/772 Author: martbab Title: #772: Travis CI: explicitly update pip before running the builds Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/772/head:pr772 git checkout pr772 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-772.patch Type: text/x-diff Size: 761 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue May 9 17:49:06 2017 From: freeipa-github-notification at redhat.com (rcritten) Date: Tue, 09 May 2017 19:49:06 +0200 Subject: [Freeipa-devel] [freeipa PR#764][comment] Basic uninstaller for the CA In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/764 Title: #764: Basic uninstaller for the CA rcritten commented: """ As far as I can tell it is always recoverable using this. I wasn't able to force a failure of replication, that could be a potential show-stopper. The PR doesn't touch the replication agreements at all except to allow them to already be there, so if things were in some sort of halfway state I couldn't say for sure what would happen. The code is there for examination to determine what steps are done, but in short: - call the existing CA uninstaller which mostly just calls pki-destroy (it also does some state cleanup, removes the CRLs and untracks the CA certs via certmonger) - A side-effect of the uninstaller is to shutdown certmonger. I start that back up - The service is removed from cn=masters - The cached services list is removed so ipactl won't fail starting a non-existent tomcat instance To be idempotent would require changes in dogtag, it is that which blows up on a re-install attempt. I would not be in favor of automatically uninstalling dogtag on another ipa-ca-install call. ipa-ca-install would/should never be run on the original master. It already prints a big fat warning. I'd be ok making it fatter and requiring (no joke) multiple "Are you sure" prompts. There is no CA install for CAless so not a case I'm interested in. If you want to rename options I'm ok with that as well, maybe --try-again or something of that nature (in which case I WOULD be in favor of doing the uninstall automatically). """ See the full comment at https://github.com/freeipa/freeipa/pull/764#issuecomment-300247543 From freeipa-github-notification at redhat.com Tue May 9 18:14:42 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Tue, 09 May 2017 20:14:42 +0200 Subject: [Freeipa-devel] [freeipa PR#772][+ack] Travis CI: explicitly update pip before running the builds In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/772 Title: #772: Travis CI: explicitly update pip before running the builds Label: +ack From freeipa-github-notification at redhat.com Tue May 9 18:14:46 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Tue, 09 May 2017 20:14:46 +0200 Subject: [Freeipa-devel] [freeipa PR#772][+blocker] Travis CI: explicitly update pip before running the builds In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/772 Title: #772: Travis CI: explicitly update pip before running the builds Label: +blocker From freeipa-github-notification at redhat.com Tue May 9 18:15:19 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Tue, 09 May 2017 20:15:19 +0200 Subject: [Freeipa-devel] [freeipa PR#772][comment] Travis CI: explicitly update pip before running the builds In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/772 Title: #772: Travis CI: explicitly update pip before running the builds tiran commented: """ Needs to be merged into 4.5. """ See the full comment at https://github.com/freeipa/freeipa/pull/772#issuecomment-300255483 From freeipa-github-notification at redhat.com Tue May 9 18:54:05 2017 From: freeipa-github-notification at redhat.com (felipevolpone) Date: Tue, 09 May 2017 20:54:05 +0200 Subject: [Freeipa-devel] [freeipa PR#761][comment] Fixing adding authenticator indicators to host In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/761 Title: #761: Fixing adding authenticator indicators to host felipevolpone commented: """ Done """ See the full comment at https://github.com/freeipa/freeipa/pull/761#issuecomment-300266711 From freeipa-github-notification at redhat.com Tue May 9 20:10:31 2017 From: freeipa-github-notification at redhat.com (felipevolpone) Date: Tue, 09 May 2017 22:10:31 +0200 Subject: [Freeipa-devel] [freeipa PR#773][opened] [WIP] Warn in cert-request if CSR doesn't contain SAN Message-ID: URL: https://github.com/freeipa/freeipa/pull/773 Author: felipevolpone Title: #773: [WIP] Warn in cert-request if CSR doesn't contain SAN Action: opened PR body: """ The code is obviously is not the final version, however, I would like to know if I'm on the right path. AFAIK we should check if the SAN extension is provided and if it has DNSName info. Fix: https://pagure.io/freeipa/issue/6663 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/773/head:pr773 git checkout pr773 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-773.patch Type: text/x-diff Size: 1275 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue May 9 20:14:25 2017 From: freeipa-github-notification at redhat.com (felipevolpone) Date: Tue, 09 May 2017 22:14:25 +0200 Subject: [Freeipa-devel] [freeipa PR#773][edited] [WIP] Warn in cert-request if CSR doesn't contain SAN In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/773 Author: felipevolpone Title: #773: [WIP] Warn in cert-request if CSR doesn't contain SAN Action: edited Changed field: body Original value: """ The code is obviously is not the final version, however, I would like to know if I'm on the right path. AFAIK we should check if the SAN extension is provided and if it has DNSName info. Fix: https://pagure.io/freeipa/issue/6663 """ From freeipa-github-notification at redhat.com Wed May 10 01:51:58 2017 From: freeipa-github-notification at redhat.com (frasertweedale) Date: Wed, 10 May 2017 03:51:58 +0200 Subject: [Freeipa-devel] [freeipa PR#773][comment] [WIP] Warn in cert-request if CSR doesn't contain SAN In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/773 Title: #773: [WIP] Warn in cert-request if CSR doesn't contain SAN frasertweedale commented: """ Was there agreement that this should be implemented? (I am personally against it, because the next release should update the default profile to use the new CommonNameToSanExtDefault profile component). If we do implement this, IMO it should be a per-profile configuration, because there may be legitimate use cases where SAN is not needed. If we do pursue the current approach, we should further check not only that SAN is present, but that it contains a DNSName. Put another way, with the current patch, SAN can be present, but it might contain only KRB5PrincipalName and no DNSName, and therefore the warning will not show, but it probably should have warned. """ See the full comment at https://github.com/freeipa/freeipa/pull/773#issuecomment-300351130 From freeipa-github-notification at redhat.com Wed May 10 04:53:13 2017 From: freeipa-github-notification at redhat.com (Rezney) Date: Wed, 10 May 2017 06:53:13 +0200 Subject: [Freeipa-devel] [freeipa PR#769][synchronized] test_caless: add pkinit option and test it In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/769 Author: Rezney Title: #769: test_caless: add pkinit option and test it Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/769/head:pr769 git checkout pr769 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-769.patch Type: text/x-diff Size: 14361 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed May 10 05:10:23 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 10 May 2017 07:10:23 +0200 Subject: [Freeipa-devel] [freeipa PR#773][comment] [WIP] Warn in cert-request if CSR doesn't contain SAN In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/773 Title: #773: [WIP] Warn in cert-request if CSR doesn't contain SAN HonzaCholasta commented: """ @frasertweedale, I'm not aware of any agreement and I'm against this as well. """ See the full comment at https://github.com/freeipa/freeipa/pull/773#issuecomment-300375495 From freeipa-github-notification at redhat.com Wed May 10 06:07:12 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 10 May 2017 08:07:12 +0200 Subject: [Freeipa-devel] [freeipa PR#379][synchronized] Packaging: Add IPA commands package In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/379 Author: tiran Title: #379: Packaging: Add IPA commands package Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/379/head:pr379 git checkout pr379 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-379.patch Type: text/x-diff Size: 12028 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed May 10 06:10:50 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 10 May 2017 08:10:50 +0200 Subject: [Freeipa-devel] [freeipa PR#732][synchronized] ipa-custodia: use Dogtag's alias/pwdfile.txt In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/732 Author: tiran Title: #732: ipa-custodia: use Dogtag's alias/pwdfile.txt Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/732/head:pr732 git checkout pr732 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-732.patch Type: text/x-diff Size: 5708 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed May 10 06:44:27 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Wed, 10 May 2017 08:44:27 +0200 Subject: [Freeipa-devel] [freeipa PR#771][synchronized] cert-show: check if certificate_out is in options In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/771 Author: stlaz Title: #771: cert-show: check if certificate_out is in options Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/771/head:pr771 git checkout pr771 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-771.patch Type: text/x-diff Size: 2552 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed May 10 06:54:47 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 10 May 2017 08:54:47 +0200 Subject: [Freeipa-devel] [freeipa PR#772][+pushed] Travis CI: explicitly update pip before running the builds In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/772 Title: #772: Travis CI: explicitly update pip before running the builds Label: +pushed From freeipa-github-notification at redhat.com Wed May 10 06:54:51 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 10 May 2017 08:54:51 +0200 Subject: [Freeipa-devel] [freeipa PR#772][closed] Travis CI: explicitly update pip before running the builds In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/772 Author: martbab Title: #772: Travis CI: explicitly update pip before running the builds Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/772/head:pr772 git checkout pr772 From freeipa-github-notification at redhat.com Wed May 10 06:54:54 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 10 May 2017 08:54:54 +0200 Subject: [Freeipa-devel] [freeipa PR#772][comment] Travis CI: explicitly update pip before running the builds In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/772 Title: #772: Travis CI: explicitly update pip before running the builds tomaskrizek commented: """ master: * afe85c37981d2846c26010f22f652c60d9cd0941 Travis CI: explicitly update pip before running the builds ipa-4-5: * f2b58854bb8df46b7e0ac0a35bf473bc9d8ad607 Travis CI: explicitly update pip before running the builds """ See the full comment at https://github.com/freeipa/freeipa/pull/772#issuecomment-300392613 From freeipa-github-notification at redhat.com Wed May 10 06:57:55 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 10 May 2017 08:57:55 +0200 Subject: [Freeipa-devel] [freeipa PR#762][comment] fix managed-entries printing IPA not installed In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/762 Title: #762: fix managed-entries printing IPA not installed tomaskrizek commented: """ master: * 6522c4a8378a22ffe82e8e845698ab104f611888 fix managed-entries printing IPA not installed """ See the full comment at https://github.com/freeipa/freeipa/pull/762#issuecomment-300393202 From freeipa-github-notification at redhat.com Wed May 10 06:57:58 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 10 May 2017 08:57:58 +0200 Subject: [Freeipa-devel] [freeipa PR#762][+pushed] fix managed-entries printing IPA not installed In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/762 Title: #762: fix managed-entries printing IPA not installed Label: +pushed From freeipa-github-notification at redhat.com Wed May 10 06:58:01 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 10 May 2017 08:58:01 +0200 Subject: [Freeipa-devel] [freeipa PR#762][closed] fix managed-entries printing IPA not installed In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/762 Author: stlaz Title: #762: fix managed-entries printing IPA not installed Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/762/head:pr762 git checkout pr762 From freeipa-github-notification at redhat.com Wed May 10 07:02:26 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 10 May 2017 09:02:26 +0200 Subject: [Freeipa-devel] [freeipa PR#760][comment] [4.4] Run ipa-custodia under Python 2 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/760 Title: #760: [4.4] Run ipa-custodia under Python 2 tomaskrizek commented: """ Needs re-base for 4.4 and 4.5. """ See the full comment at https://github.com/freeipa/freeipa/pull/760#issuecomment-300394053 From freeipa-github-notification at redhat.com Wed May 10 07:04:06 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 10 May 2017 09:04:06 +0200 Subject: [Freeipa-devel] [freeipa PR#760][+pushed] [4.4] Run ipa-custodia under Python 2 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/760 Title: #760: [4.4] Run ipa-custodia under Python 2 Label: +pushed From freeipa-github-notification at redhat.com Wed May 10 07:04:09 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 10 May 2017 09:04:09 +0200 Subject: [Freeipa-devel] [freeipa PR#760][comment] [4.4] Run ipa-custodia under Python 2 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/760 Title: #760: [4.4] Run ipa-custodia under Python 2 tomaskrizek commented: """ ipa-4-4: * 307c4bd62609c9ac58633e3ccc61d85e2caacbcc Run ipa-custodia under Python 2 """ See the full comment at https://github.com/freeipa/freeipa/pull/760#issuecomment-300394311 From freeipa-github-notification at redhat.com Wed May 10 07:04:12 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 10 May 2017 09:04:12 +0200 Subject: [Freeipa-devel] [freeipa PR#760][closed] [4.4] Run ipa-custodia under Python 2 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/760 Author: tiran Title: #760: [4.4] Run ipa-custodia under Python 2 Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/760/head:pr760 git checkout pr760 From freeipa-github-notification at redhat.com Wed May 10 07:04:16 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 10 May 2017 09:04:16 +0200 Subject: [Freeipa-devel] [freeipa PR#760][comment] [4.4] Run ipa-custodia under Python 2 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/760 Title: #760: [4.4] Run ipa-custodia under Python 2 tomaskrizek commented: """ Needs re-base for 4.4 and 4.5. """ See the full comment at https://github.com/freeipa/freeipa/pull/760#issuecomment-300394053 From freeipa-github-notification at redhat.com Wed May 10 07:05:25 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 10 May 2017 09:05:25 +0200 Subject: [Freeipa-devel] [freeipa PR#760][comment] [4.4] Run ipa-custodia under Python 2 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/760 Title: #760: [4.4] Run ipa-custodia under Python 2 tomaskrizek commented: """ Needs re-base for 4.4 and 4.5. correction: for 4.5 and master. """ See the full comment at https://github.com/freeipa/freeipa/pull/760#issuecomment-300394053 From freeipa-github-notification at redhat.com Wed May 10 07:09:45 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 10 May 2017 09:09:45 +0200 Subject: [Freeipa-devel] [freeipa PR#729][comment] Turn on NSSOCSP check in mod_nss conf In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/729 Title: #729: Turn on NSSOCSP check in mod_nss conf tomaskrizek commented: """ master: * e0b32dac5462164869ab19c3d56c36e80cde4b7b Turn on NSSOCSP check in mod_nss conf ipa-4-5: * 4aa7e70fcd1851394f943da669d6af4e11b60940 Turn on NSSOCSP check in mod_nss conf """ See the full comment at https://github.com/freeipa/freeipa/pull/729#issuecomment-300395391 From freeipa-github-notification at redhat.com Wed May 10 07:09:49 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 10 May 2017 09:09:49 +0200 Subject: [Freeipa-devel] [freeipa PR#729][+pushed] Turn on NSSOCSP check in mod_nss conf In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/729 Title: #729: Turn on NSSOCSP check in mod_nss conf Label: +pushed From freeipa-github-notification at redhat.com Wed May 10 07:09:52 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 10 May 2017 09:09:52 +0200 Subject: [Freeipa-devel] [freeipa PR#729][closed] Turn on NSSOCSP check in mod_nss conf In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/729 Author: pvomacka Title: #729: Turn on NSSOCSP check in mod_nss conf Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/729/head:pr729 git checkout pr729 From freeipa-github-notification at redhat.com Wed May 10 07:19:00 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 10 May 2017 09:19:00 +0200 Subject: [Freeipa-devel] [freeipa PR#765][comment] [4.5 backport] spec file: bump python-netaddr Requires In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/765 Title: #765: [4.5 backport] spec file: bump python-netaddr Requires tomaskrizek commented: """ Upstream version looks fine, but I wasn't able to verify it is fixed in 0.7.5-8 in rhel. @jcholast Is the package version for rhel correct? """ See the full comment at https://github.com/freeipa/freeipa/pull/765#issuecomment-300397137 From freeipa-github-notification at redhat.com Wed May 10 07:20:52 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 10 May 2017 09:20:52 +0200 Subject: [Freeipa-devel] [freeipa PR#745][+ack] tests: add missing dependency iptables In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/745 Title: #745: tests: add missing dependency iptables Label: +ack From freeipa-github-notification at redhat.com Wed May 10 07:23:39 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 10 May 2017 09:23:39 +0200 Subject: [Freeipa-devel] [freeipa PR#745][comment] tests: add missing dependency iptables In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/745 Title: #745: tests: add missing dependency iptables tomaskrizek commented: """ master: * 6c061b6836c13bf63553c6143b19e89658937e7e tests: add missing dependency iptables """ See the full comment at https://github.com/freeipa/freeipa/pull/745#issuecomment-300398099 From freeipa-github-notification at redhat.com Wed May 10 07:23:43 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 10 May 2017 09:23:43 +0200 Subject: [Freeipa-devel] [freeipa PR#745][+pushed] tests: add missing dependency iptables In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/745 Title: #745: tests: add missing dependency iptables Label: +pushed From freeipa-github-notification at redhat.com Wed May 10 07:23:46 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 10 May 2017 09:23:46 +0200 Subject: [Freeipa-devel] [freeipa PR#745][closed] tests: add missing dependency iptables In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/745 Author: MartinBasti Title: #745: tests: add missing dependency iptables Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/745/head:pr745 git checkout pr745 From freeipa-github-notification at redhat.com Wed May 10 07:30:15 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Wed, 10 May 2017 09:30:15 +0200 Subject: [Freeipa-devel] [freeipa PR#770][+ack] cert-show: writable files does not mean dirs In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/770 Title: #770: cert-show: writable files does not mean dirs Label: +ack From freeipa-github-notification at redhat.com Wed May 10 07:33:13 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 10 May 2017 09:33:13 +0200 Subject: [Freeipa-devel] [freeipa PR#765][comment] [4.5 backport] spec file: bump python-netaddr Requires In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/765 Title: #765: [4.5 backport] spec file: bump python-netaddr Requires tomaskrizek commented: """ Upstream version looks fine, but I wasn't able to verify it is fixed in 0.7.5-8 in rhel. @jcholast Is the package version for rhel correct? """ See the full comment at https://github.com/freeipa/freeipa/pull/765#issuecomment-300397137 From freeipa-github-notification at redhat.com Wed May 10 07:38:26 2017 From: freeipa-github-notification at redhat.com (pvoborni) Date: Wed, 10 May 2017 09:38:26 +0200 Subject: [Freeipa-devel] [freeipa PR#773][comment] [WIP] Warn in cert-request if CSR doesn't contain SAN In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/773 Title: #773: [WIP] Warn in cert-request if CSR doesn't contain SAN pvoborni commented: """ AFAIK, there was not an agreement not implementing this, otherwise the ticket would be closed. The ticket #6663 was created to warn until the change in profiles is implemented(#4970). It was mentioned yesterday on IPA meeting that we want to warn - when discussing: https://bugzilla.redhat.com/show_bug.cgi?id=1445345 and https://bugzilla.redhat.com/show_bug.cgi?id=1445927 """ See the full comment at https://github.com/freeipa/freeipa/pull/773#issuecomment-300401288 From freeipa-github-notification at redhat.com Wed May 10 07:39:54 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 10 May 2017 09:39:54 +0200 Subject: [Freeipa-devel] [freeipa PR#765][comment] [4.5 backport] spec file: bump python-netaddr Requires In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/765 Title: #765: [4.5 backport] spec file: bump python-netaddr Requires HonzaCholasta commented: """ @tomaskrizek, yes. """ See the full comment at https://github.com/freeipa/freeipa/pull/765#issuecomment-300401586 From freeipa-github-notification at redhat.com Wed May 10 08:45:02 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 10 May 2017 10:45:02 +0200 Subject: [Freeipa-devel] [freeipa PR#765][+ack] [4.5 backport] spec file: bump python-netaddr Requires In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/765 Title: #765: [4.5 backport] spec file: bump python-netaddr Requires Label: +ack From freeipa-github-notification at redhat.com Wed May 10 09:01:12 2017 From: freeipa-github-notification at redhat.com (Rezney) Date: Wed, 10 May 2017 11:01:12 +0200 Subject: [Freeipa-devel] [freeipa PR#768][comment] Ticket#6854 caless In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/768 Title: #768: Ticket#6854 caless Rezney commented: """ Ah, sorry I was not descriptive enough. I meant a temporary nssdb which is created by the script on the controller which is running the integration tests. However thanks for your input. Good to know this. """ See the full comment at https://github.com/freeipa/freeipa/pull/768#issuecomment-300420449 From freeipa-github-notification at redhat.com Wed May 10 10:09:04 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 10 May 2017 12:09:04 +0200 Subject: [Freeipa-devel] [freeipa PR#768][comment] Ticket#6854 caless In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/768 Title: #768: Ticket#6854 caless MartinBasti commented: """ This PR is obsoleted by #769 """ See the full comment at https://github.com/freeipa/freeipa/pull/768#issuecomment-300437510 From freeipa-github-notification at redhat.com Wed May 10 11:16:54 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 10 May 2017 13:16:54 +0200 Subject: [Freeipa-devel] [freeipa PR#770][comment] cert-show: writable files does not mean dirs In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/770 Title: #770: cert-show: writable files does not mean dirs tomaskrizek commented: """ master: * 33b3d7ad7ada45edbd178fe99f1257c40f39dcaa cert-show: writable files does not mean dirs ipa-4-5: * 2410023ce6ef3255ddbaaf8939a928e733297d62 cert-show: writable files does not mean dirs """ See the full comment at https://github.com/freeipa/freeipa/pull/770#issuecomment-300451638 From freeipa-github-notification at redhat.com Wed May 10 11:17:04 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 10 May 2017 13:17:04 +0200 Subject: [Freeipa-devel] [freeipa PR#770][+pushed] cert-show: writable files does not mean dirs In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/770 Title: #770: cert-show: writable files does not mean dirs Label: +pushed From freeipa-github-notification at redhat.com Wed May 10 11:17:08 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 10 May 2017 13:17:08 +0200 Subject: [Freeipa-devel] [freeipa PR#770][closed] cert-show: writable files does not mean dirs In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/770 Author: stlaz Title: #770: cert-show: writable files does not mean dirs Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/770/head:pr770 git checkout pr770 From freeipa-github-notification at redhat.com Wed May 10 11:21:17 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 10 May 2017 13:21:17 +0200 Subject: [Freeipa-devel] [freeipa PR#765][comment] [4.5 backport] spec file: bump python-netaddr Requires In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/765 Title: #765: [4.5 backport] spec file: bump python-netaddr Requires tomaskrizek commented: """ Please rebase for current master. """ See the full comment at https://github.com/freeipa/freeipa/pull/765#issuecomment-300452468 From freeipa-github-notification at redhat.com Wed May 10 11:35:36 2017 From: freeipa-github-notification at redhat.com (apophys) Date: Wed, 10 May 2017 13:35:36 +0200 Subject: [Freeipa-devel] [freeipa PR#745][comment] tests: add missing dependency iptables In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/745 Title: #745: tests: add missing dependency iptables apophys commented: """ The kdc proxy test requiring the package is also in ipa-4-5 branch. Should it not go there as well? """ See the full comment at https://github.com/freeipa/freeipa/pull/745#issuecomment-300455303 From freeipa-github-notification at redhat.com Wed May 10 12:24:05 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 10 May 2017 14:24:05 +0200 Subject: [Freeipa-devel] [freeipa PR#765][comment] [4.5 backport] spec file: bump python-netaddr Requires In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/765 Title: #765: [4.5 backport] spec file: bump python-netaddr Requires HonzaCholasta commented: """ @tomaskrizek, this PR is for ipa-4-5, the change is already present in master. """ See the full comment at https://github.com/freeipa/freeipa/pull/765#issuecomment-300465628 From freeipa-github-notification at redhat.com Wed May 10 13:08:21 2017 From: freeipa-github-notification at redhat.com (felipevolpone) Date: Wed, 10 May 2017 15:08:21 +0200 Subject: [Freeipa-devel] [freeipa PR#761][synchronized] Fixing adding authenticator indicators to host In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/761 Author: felipevolpone Title: #761: Fixing adding authenticator indicators to host Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/761/head:pr761 git checkout pr761 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-761.patch Type: text/x-diff Size: 4952 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed May 10 13:21:35 2017 From: freeipa-github-notification at redhat.com (felipevolpone) Date: Wed, 10 May 2017 15:21:35 +0200 Subject: [Freeipa-devel] [freeipa PR#736][synchronized] Fixing the cert-request command comparing whole email address case-sensitively. In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/736 Author: felipevolpone Title: #736: Fixing the cert-request command comparing whole email address case-sensitively. Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/736/head:pr736 git checkout pr736 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-736.patch Type: text/x-diff Size: 7447 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed May 10 13:24:58 2017 From: freeipa-github-notification at redhat.com (felipevolpone) Date: Wed, 10 May 2017 15:24:58 +0200 Subject: [Freeipa-devel] [freeipa PR#736][synchronized] Fixing the cert-request command comparing whole email address case-sensitively. In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/736 Author: felipevolpone Title: #736: Fixing the cert-request command comparing whole email address case-sensitively. Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/736/head:pr736 git checkout pr736 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-736.patch Type: text/x-diff Size: 8503 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed May 10 13:34:02 2017 From: freeipa-github-notification at redhat.com (felipevolpone) Date: Wed, 10 May 2017 15:34:02 +0200 Subject: [Freeipa-devel] [freeipa PR#736][synchronized] Fixing the cert-request command comparing whole email address case-sensitively. In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/736 Author: felipevolpone Title: #736: Fixing the cert-request command comparing whole email address case-sensitively. Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/736/head:pr736 git checkout pr736 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-736.patch Type: text/x-diff Size: 7502 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed May 10 13:58:24 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Wed, 10 May 2017 15:58:24 +0200 Subject: [Freeipa-devel] [freeipa PR#774][opened] Deprecate pkinit-anonymous command Message-ID: URL: https://github.com/freeipa/freeipa/pull/774 Author: stlaz Title: #774: Deprecate pkinit-anonymous command Action: opened PR body: """ Ever since from v4.5, FreeIPA expects at least some kind of anonymous PKINIT to work. Deprecate the command which is capable of turning this feature off. https://pagure.io/freeipa/issue/6936 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/774/head:pr774 git checkout pr774 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-774.patch Type: text/x-diff Size: 3693 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed May 10 14:01:39 2017 From: freeipa-github-notification at redhat.com (pvoborni) Date: Wed, 10 May 2017 16:01:39 +0200 Subject: [Freeipa-devel] [freeipa PR#773][comment] [WIP] Warn in cert-request if CSR doesn't contain SAN In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/773 Title: #773: [WIP] Warn in cert-request if CSR doesn't contain SAN pvoborni commented: """ I don't think it makes sense to spend time on configuration of warning - that is larger change (ldap attr, schema, api...) and as such out of scope of 4.5. Simple warning is IMO good, but it should be worded in a sense that SAN is not always needed. Probably mention in what general use cases it is needed e.g. web services/pages. """ See the full comment at https://github.com/freeipa/freeipa/pull/773#issuecomment-300491247 From freeipa-github-notification at redhat.com Wed May 10 14:07:49 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Wed, 10 May 2017 16:07:49 +0200 Subject: [Freeipa-devel] [freeipa PR#761][comment] Fixing adding authenticator indicators to host In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/761 Title: #761: Fixing adding authenticator indicators to host stlaz commented: """ Yes, that seems to have fixed that. Please do squash them now, I guess we can ACK this ;) """ See the full comment at https://github.com/freeipa/freeipa/pull/761#issuecomment-300493147 From freeipa-github-notification at redhat.com Wed May 10 14:42:54 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Wed, 10 May 2017 16:42:54 +0200 Subject: [Freeipa-devel] [freeipa PR#774][synchronized] Deprecate pkinit-anonymous command In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/774 Author: stlaz Title: #774: Deprecate pkinit-anonymous command Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/774/head:pr774 git checkout pr774 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-774.patch Type: text/x-diff Size: 4702 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed May 10 14:49:46 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Wed, 10 May 2017 16:49:46 +0200 Subject: [Freeipa-devel] [freeipa PR#774][synchronized] Deprecate pkinit-anonymous command In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/774 Author: stlaz Title: #774: Deprecate pkinit-anonymous command Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/774/head:pr774 git checkout pr774 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-774.patch Type: text/x-diff Size: 4715 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed May 10 15:01:39 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 10 May 2017 17:01:39 +0200 Subject: [Freeipa-devel] [freeipa PR#757][synchronized] ca, kra install: validate DM password In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/757 Author: tomaskrizek Title: #757: ca, kra install: validate DM password Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/757/head:pr757 git checkout pr757 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-757.patch Type: text/x-diff Size: 13452 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed May 10 15:04:16 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 10 May 2017 17:04:16 +0200 Subject: [Freeipa-devel] [freeipa PR#757][synchronized] ca, kra install: validate DM password In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/757 Author: tomaskrizek Title: #757: ca, kra install: validate DM password Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/757/head:pr757 git checkout pr757 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-757.patch Type: text/x-diff Size: 9606 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed May 10 15:12:50 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 10 May 2017 17:12:50 +0200 Subject: [Freeipa-devel] [freeipa PR#757][comment] ca, kra install: validate DM password In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/757 Title: #757: ca, kra install: validate DM password tomaskrizek commented: """ Implementing the tests shouldn't block us from pushing this fix. I opened a ticket for it: https://pagure.io/freeipa/issue/6941 """ See the full comment at https://github.com/freeipa/freeipa/pull/757#issuecomment-300514130 From freeipa-github-notification at redhat.com Wed May 10 15:15:00 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 10 May 2017 17:15:00 +0200 Subject: [Freeipa-devel] [freeipa PR#765][comment] [4.5 backport] spec file: bump python-netaddr Requires In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/765 Title: #765: [4.5 backport] spec file: bump python-netaddr Requires tomaskrizek commented: """ Sorry, I meant current ipa-4-5. Other PR changed the spec file as well. """ See the full comment at https://github.com/freeipa/freeipa/pull/765#issuecomment-300514924 From freeipa-github-notification at redhat.com Wed May 10 15:56:56 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 10 May 2017 17:56:56 +0200 Subject: [Freeipa-devel] [freeipa PR#775][opened] Added plugins directory to ipaclient subpackages Message-ID: URL: https://github.com/freeipa/freeipa/pull/775 Author: MartinBasti Title: #775: Added plugins directory to ipaclient subpackages Action: opened PR body: """ https://pagure.io/freeipa/issue/6927 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/775/head:pr775 git checkout pr775 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-775.patch Type: text/x-diff Size: 996 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed May 10 15:57:08 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 10 May 2017 17:57:08 +0200 Subject: [Freeipa-devel] [freeipa PR#775][edited] Added plugins directory to ipaclient subpackages In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/775 Author: MartinBasti Title: #775: Added plugins directory to ipaclient subpackages Action: edited Changed field: title Original value: """ Added plugins directory to ipaclient subpackages """ From freeipa-github-notification at redhat.com Wed May 10 15:59:17 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 10 May 2017 17:59:17 +0200 Subject: [Freeipa-devel] [freeipa PR#775][synchronized] [4.4 backport] Added plugins directory to ipaclient subpackages In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/775 Author: MartinBasti Title: #775: [4.4 backport] Added plugins directory to ipaclient subpackages Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/775/head:pr775 git checkout pr775 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-775.patch Type: text/x-diff Size: 997 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed May 10 15:59:49 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 10 May 2017 17:59:49 +0200 Subject: [Freeipa-devel] [freeipa PR#776][opened] [4.5 backport] Added plugins directory to ipaclient subpackages Message-ID: URL: https://github.com/freeipa/freeipa/pull/776 Author: MartinBasti Title: #776: [4.5 backport] Added plugins directory to ipaclient subpackages Action: opened PR body: """ https://pagure.io/freeipa/issue/6927 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/776/head:pr776 git checkout pr776 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-776.patch Type: text/x-diff Size: 996 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed May 10 16:13:09 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 10 May 2017 18:13:09 +0200 Subject: [Freeipa-devel] [freeipa PR#765][synchronized] [4.5 backport] spec file: bump python-netaddr Requires In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/765 Author: MartinBasti Title: #765: [4.5 backport] spec file: bump python-netaddr Requires Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/765/head:pr765 git checkout pr765 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-765.patch Type: text/x-diff Size: 2092 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed May 10 16:18:25 2017 From: freeipa-github-notification at redhat.com (flo-renaud) Date: Wed, 10 May 2017 18:18:25 +0200 Subject: [Freeipa-devel] [freeipa PR#777][opened] ipa-kra-install manpage: document domain-level 1 Message-ID: URL: https://github.com/freeipa/freeipa/pull/777 Author: flo-renaud Title: #777: ipa-kra-install manpage: document domain-level 1 Action: opened PR body: """ ipa-kra-install man page was missing a specific section for domain level 1. This commits also fixes a wrong option short name (for --log-file) and indents the text corresponding to -p DM_PASSWORD https://pagure.io/freeipa/issue/6922 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/777/head:pr777 git checkout pr777 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-777.patch Type: text/x-diff Size: 3152 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed May 10 16:41:47 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 10 May 2017 18:41:47 +0200 Subject: [Freeipa-devel] [freeipa PR#778][opened] ipaclient: fix missing RPM ownership Message-ID: URL: https://github.com/freeipa/freeipa/pull/778 Author: MartinBasti Title: #778: ipaclient: fix missing RPM ownership Action: opened PR body: """ FreeIPA package should own all subdirectories to work properly with 3rd party packages/plugins. https://pagure.io/freeipa/issue/6927 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/778/head:pr778 git checkout pr778 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-778.patch Type: text/x-diff Size: 2649 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu May 11 08:45:40 2017 From: freeipa-github-notification at redhat.com (dkupka) Date: Thu, 11 May 2017 10:45:40 +0200 Subject: [Freeipa-devel] [freeipa PR#779][opened] [master, 4.5] Bump version of ipa.conf file Message-ID: URL: https://github.com/freeipa/freeipa/pull/779 Author: dkupka Title: #779: [master, 4.5] Bump version of ipa.conf file Action: opened PR body: """ In commit 157831a287c64106eed4 the version bump was forgotten and therefore the ipa.conf file is not replaced during upgrade and login using certificate when single certificate is mapped to multiple users doesn't work. https://pagure.io/freeipa/issue/6944 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/779/head:pr779 git checkout pr779 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-779.patch Type: text/x-diff Size: 829 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu May 11 09:48:48 2017 From: freeipa-github-notification at redhat.com (flo-renaud) Date: Thu, 11 May 2017 11:48:48 +0200 Subject: [Freeipa-devel] [freeipa PR#780][opened] server-del: update defaultServerList in cn=default, ou=profile, $BASE Message-ID: URL: https://github.com/freeipa/freeipa/pull/780 Author: flo-renaud Title: #780: server-del: update defaultServerList in cn=default,ou=profile,$BASE Action: opened PR body: """ ipa server-del should remove the server from the entry cn=default,ou=profile,$BASE The entry contains an attribute defaultServerList: srv1.domain.com srv2.domain.com srv3.domain.com The code calls srvlist = ret.single_value.get('defaultServerList') which means that srvlist contains a single value (string) containing all the servers separated by a space, and not a list of attribute values. Because of that, srvlist[0] corresponds to the first character of the value. The fix splits srvlist and not srvlist[0]. https://pagure.io/freeipa/issue/6943 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/780/head:pr780 git checkout pr780 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-780.patch Type: text/x-diff Size: 1839 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu May 11 11:39:36 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 11 May 2017 13:39:36 +0200 Subject: [Freeipa-devel] [freeipa PR#779][comment] [master, 4.5] Bump version of ipa.conf file In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/779 Title: #779: [master, 4.5] Bump version of ipa.conf file MartinBasti commented: """ Please use ticket https://pagure.io/freeipa/issue/6860 in commit message """ See the full comment at https://github.com/freeipa/freeipa/pull/779#issuecomment-300763946 From freeipa-github-notification at redhat.com Thu May 11 11:54:06 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 11 May 2017 13:54:06 +0200 Subject: [Freeipa-devel] [freeipa PR#745][comment] tests: add missing dependency iptables In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/745 Title: #745: tests: add missing dependency iptables MartinBasti commented: """ AFAIK nobody complains about this issue except me, and I'm fine with master only """ See the full comment at https://github.com/freeipa/freeipa/pull/745#issuecomment-300766961 From freeipa-github-notification at redhat.com Thu May 11 11:56:15 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Thu, 11 May 2017 13:56:15 +0200 Subject: [Freeipa-devel] [freeipa PR#758][synchronized] install: fix CA-less PKINIT In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/758 Author: HonzaCholasta Title: #758: install: fix CA-less PKINIT Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/758/head:pr758 git checkout pr758 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-758.patch Type: text/x-diff Size: 91925 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu May 11 11:56:23 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Thu, 11 May 2017 13:56:23 +0200 Subject: [Freeipa-devel] [freeipa PR#758][comment] install: fix CA-less PKINIT In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/758 Title: #758: install: fix CA-less PKINIT HonzaCholasta commented: """ @stlaz, FTFY. Also fixed wrong permissions on the CA-less KDC key file (props to @dkupka). The "preauthentication failed" with `--no-pkinit` is expected indeed. """ See the full comment at https://github.com/freeipa/freeipa/pull/758#issuecomment-300767441 From mkosek at redhat.com Thu May 11 12:11:59 2017 From: mkosek at redhat.com (Martin Kosek) Date: Thu, 11 May 2017 14:11:59 +0200 Subject: [Freeipa-devel] Moving our wiki back to password login In-Reply-To: <0ccf4e27-2333-5e98-c325-8ffc24fd6309@redhat.com> References: <0ccf4e27-2333-5e98-c325-8ffc24fd6309@redhat.com> Message-ID: <179b4974-2c16-9bba-df39-edf281e3d2f5@redhat.com> On 05/09/2017 04:29 PM, Martin Kosek wrote: > Hello all, > > As some of you noticed, FreeIPA wiki authentication via OpenID was > broken in the last days. I suspect (but did get reply from Patrick who > running the Fedora infra yet) that it was caused by Fedora moving to > mode modern authentication protocol, i.e. from OpenID to OpenID Connect > (OIDC): > https://fedoraproject.org/wiki/Infrastructure/Authentication > > Unfortunately, I cannot make the OIDC login for our current FreeIPA > instance available, given that our wiki runs on OpenShift v2 which uses > PHP 5.3.3 cartridge, which can get us only as far as to Mediawiki 1.26. > OIDC mediawiki authentication plugin is supported from 1.27 forward. > > So the wiki needs to be either: > - migrated to newer PHP cartridge on current Red Hat OpenShift v2 instance > - migrated to OpenShift v3 (preferred) > to unblock us from this situation and get to proper OIDC authentication. > > However, this will need more time and preparation (which I do not even > have right now). For now, I simply disabled OpenID authentication in our > wiki and enabled password logins again! Anonymous account creation is > disabled to avoid spammers. However, given that we now enforce people to > be in a special group (editors) to fight the spammers, there is actually > no big functionality lost in this, except having to use yet another > password. > > To summarize, if you want to access the wiki again, please use the > password you may have had before we migrated to Fedora OpenID. If you do > not have the password yet, you should be able to simply reset it before > logging in and you should get an email (the mail part did not work for > martbab this afternoon, though). In the worst case, I can reset the > password for you, just shoot me an email. After finally reaching Patrick, I found out that Fedora still supports plain OpenID and it was likely just some interim error. I thus reverted the patch for simple password login and re-enabled OpenID logins again. Still, current situation with FreeIPA.org mediawiki version stays, we will be unable to upgrade the wiki or most of it's plugins until we move to a newer OpenShift instance. Martin From freeipa-github-notification at redhat.com Thu May 11 13:20:53 2017 From: freeipa-github-notification at redhat.com (felipevolpone) Date: Thu, 11 May 2017 15:20:53 +0200 Subject: [Freeipa-devel] [freeipa PR#736][synchronized] Fixing the cert-request command comparing whole email address case-sensitively. In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/736 Author: felipevolpone Title: #736: Fixing the cert-request command comparing whole email address case-sensitively. Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/736/head:pr736 git checkout pr736 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-736.patch Type: text/x-diff Size: 4210 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu May 11 13:26:40 2017 From: freeipa-github-notification at redhat.com (felipevolpone) Date: Thu, 11 May 2017 15:26:40 +0200 Subject: [Freeipa-devel] [freeipa PR#761][synchronized] Fixing adding authenticator indicators to host In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/761 Author: felipevolpone Title: #761: Fixing adding authenticator indicators to host Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/761/head:pr761 git checkout pr761 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-761.patch Type: text/x-diff Size: 3356 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu May 11 13:27:13 2017 From: freeipa-github-notification at redhat.com (felipevolpone) Date: Thu, 11 May 2017 15:27:13 +0200 Subject: [Freeipa-devel] [freeipa PR#761][comment] Fixing adding authenticator indicators to host In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/761 Title: #761: Fixing adding authenticator indicators to host felipevolpone commented: """ Cool :)) thanks! """ See the full comment at https://github.com/freeipa/freeipa/pull/761#issuecomment-300788709 From freeipa-github-notification at redhat.com Thu May 11 13:28:43 2017 From: freeipa-github-notification at redhat.com (felipevolpone) Date: Thu, 11 May 2017 15:28:43 +0200 Subject: [Freeipa-devel] [freeipa PR#736][comment] Fixing the cert-request command comparing whole email address case-sensitively. In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/736 Title: #736: Fixing the cert-request command comparing whole email address case-sensitively. felipevolpone commented: """ Done! Thank you Fraser :)) :+1: """ See the full comment at https://github.com/freeipa/freeipa/pull/736#issuecomment-300789100 From freeipa-github-notification at redhat.com Thu May 11 13:52:12 2017 From: freeipa-github-notification at redhat.com (dkupka) Date: Thu, 11 May 2017 15:52:12 +0200 Subject: [Freeipa-devel] [freeipa PR#779][synchronized] [master, 4.5] Bump version of ipa.conf file In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/779 Author: dkupka Title: #779: [master, 4.5] Bump version of ipa.conf file Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/779/head:pr779 git checkout pr779 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-779.patch Type: text/x-diff Size: 829 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu May 11 14:44:37 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 11 May 2017 16:44:37 +0200 Subject: [Freeipa-devel] [freeipa PR#757][comment] ca, kra install: validate DM password In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/757 Title: #757: ca, kra install: validate DM password MartinBasti commented: """ We have to use `sys.exit()` in this case, because I forgot that CA still uses old style installer. Without `sys.exit()` ti will always suggest user to uninstall server: ``` Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up. ``` We don't want to uninstall server due typo in password """ See the full comment at https://github.com/freeipa/freeipa/pull/757#issuecomment-300811680 From freeipa-github-notification at redhat.com Thu May 11 14:48:50 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Thu, 11 May 2017 16:48:50 +0200 Subject: [Freeipa-devel] [freeipa PR#757][synchronized] ca, kra install: validate DM password In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/757 Author: tomaskrizek Title: #757: ca, kra install: validate DM password Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/757/head:pr757 git checkout pr757 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-757.patch Type: text/x-diff Size: 7610 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu May 11 14:50:39 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Thu, 11 May 2017 16:50:39 +0200 Subject: [Freeipa-devel] [freeipa PR#757][synchronized] ca, kra install: validate DM password In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/757 Author: tomaskrizek Title: #757: ca, kra install: validate DM password Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/757/head:pr757 git checkout pr757 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-757.patch Type: text/x-diff Size: 7671 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu May 11 14:55:34 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 11 May 2017 16:55:34 +0200 Subject: [Freeipa-devel] [freeipa PR#779][+ack] [master, 4.5] Bump version of ipa.conf file In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/779 Title: #779: [master, 4.5] Bump version of ipa.conf file Label: +ack From freeipa-github-notification at redhat.com Thu May 11 14:56:30 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Thu, 11 May 2017 16:56:30 +0200 Subject: [Freeipa-devel] [freeipa PR#777][+ack] ipa-kra-install manpage: document domain-level 1 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/777 Title: #777: ipa-kra-install manpage: document domain-level 1 Label: +ack From freeipa-github-notification at redhat.com Thu May 11 14:58:07 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 11 May 2017 16:58:07 +0200 Subject: [Freeipa-devel] [freeipa PR#765][+pushed] [4.5 backport] spec file: bump python-netaddr Requires In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/765 Title: #765: [4.5 backport] spec file: bump python-netaddr Requires Label: +pushed From freeipa-github-notification at redhat.com Thu May 11 14:58:10 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 11 May 2017 16:58:10 +0200 Subject: [Freeipa-devel] [freeipa PR#765][comment] [4.5 backport] spec file: bump python-netaddr Requires In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/765 Title: #765: [4.5 backport] spec file: bump python-netaddr Requires MartinBasti commented: """ ipa-4-5: * ecccd6cb843c44093449cc45a7d94bb14fa65513 spec file: bump python-netaddr Requires """ See the full comment at https://github.com/freeipa/freeipa/pull/765#issuecomment-300815982 From freeipa-github-notification at redhat.com Thu May 11 14:58:14 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 11 May 2017 16:58:14 +0200 Subject: [Freeipa-devel] [freeipa PR#765][closed] [4.5 backport] spec file: bump python-netaddr Requires In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/765 Author: MartinBasti Title: #765: [4.5 backport] spec file: bump python-netaddr Requires Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/765/head:pr765 git checkout pr765 From freeipa-github-notification at redhat.com Thu May 11 15:01:13 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 11 May 2017 17:01:13 +0200 Subject: [Freeipa-devel] [freeipa PR#779][+pushed] [master, 4.5] Bump version of ipa.conf file In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/779 Title: #779: [master, 4.5] Bump version of ipa.conf file Label: +pushed From freeipa-github-notification at redhat.com Thu May 11 15:01:17 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 11 May 2017 17:01:17 +0200 Subject: [Freeipa-devel] [freeipa PR#779][comment] [master, 4.5] Bump version of ipa.conf file In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/779 Title: #779: [master, 4.5] Bump version of ipa.conf file MartinBasti commented: """ master: * 9d32e61ba548e7e940f165c0ec8df0b4bfd210bd Bump version of ipa.conf file ipa-4-5: * 76e5ac59579f36f28bb247bf3173e95e57ee4af4 Bump version of ipa.conf file """ See the full comment at https://github.com/freeipa/freeipa/pull/779#issuecomment-300816972 From freeipa-github-notification at redhat.com Thu May 11 15:01:20 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 11 May 2017 17:01:20 +0200 Subject: [Freeipa-devel] [freeipa PR#779][closed] [master, 4.5] Bump version of ipa.conf file In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/779 Author: dkupka Title: #779: [master, 4.5] Bump version of ipa.conf file Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/779/head:pr779 git checkout pr779 From freeipa-github-notification at redhat.com Thu May 11 15:05:35 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 11 May 2017 17:05:35 +0200 Subject: [Freeipa-devel] [freeipa PR#777][+pushed] ipa-kra-install manpage: document domain-level 1 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/777 Title: #777: ipa-kra-install manpage: document domain-level 1 Label: +pushed From freeipa-github-notification at redhat.com Thu May 11 15:05:39 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 11 May 2017 17:05:39 +0200 Subject: [Freeipa-devel] [freeipa PR#777][comment] ipa-kra-install manpage: document domain-level 1 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/777 Title: #777: ipa-kra-install manpage: document domain-level 1 MartinBasti commented: """ master: * f3e1efdcf5db5da2c3c42d3d58be172943f20bce ipa-kra-install manpage: document domain-level 1 ipa-4-5: * 72d2e9e4c312576e1a62e210b4e5d9696bc70609 ipa-kra-install manpage: document domain-level 1 """ See the full comment at https://github.com/freeipa/freeipa/pull/777#issuecomment-300818344 From freeipa-github-notification at redhat.com Thu May 11 15:05:42 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 11 May 2017 17:05:42 +0200 Subject: [Freeipa-devel] [freeipa PR#777][closed] ipa-kra-install manpage: document domain-level 1 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/777 Author: flo-renaud Title: #777: ipa-kra-install manpage: document domain-level 1 Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/777/head:pr777 git checkout pr777 From freeipa-github-notification at redhat.com Thu May 11 22:54:50 2017 From: freeipa-github-notification at redhat.com (felipevolpone) Date: Fri, 12 May 2017 00:54:50 +0200 Subject: [Freeipa-devel] [freeipa PR#773][synchronized] [WIP] Warn in cert-request if CSR doesn't contain SAN In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/773 Author: felipevolpone Title: #773: [WIP] Warn in cert-request if CSR doesn't contain SAN Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/773/head:pr773 git checkout pr773 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-773.patch Type: text/x-diff Size: 3112 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu May 11 22:58:19 2017 From: freeipa-github-notification at redhat.com (felipevolpone) Date: Fri, 12 May 2017 00:58:19 +0200 Subject: [Freeipa-devel] [freeipa PR#773][closed] [WIP] Warn in cert-request if CSR doesn't contain SAN In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/773 Author: felipevolpone Title: #773: [WIP] Warn in cert-request if CSR doesn't contain SAN Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/773/head:pr773 git checkout pr773 From freeipa-github-notification at redhat.com Thu May 11 23:30:24 2017 From: freeipa-github-notification at redhat.com (felipevolpone) Date: Fri, 12 May 2017 01:30:24 +0200 Subject: [Freeipa-devel] [freeipa PR#781][opened] [WIP] Warn in cert-request if CSR doesn't contain SAN Message-ID: URL: https://github.com/freeipa/freeipa/pull/781 Author: felipevolpone Title: #781: [WIP] Warn in cert-request if CSR doesn't contain SAN Action: opened PR body: """ The code is not "production-ready", however, I would like to know if I'm on the right path. AFAIK we should check if the SAN extension is provided and if it has DNSName info. Fix: https://pagure.io/freeipa/issue/6663 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/781/head:pr781 git checkout pr781 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-781.patch Type: text/x-diff Size: 1273 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu May 11 23:33:02 2017 From: freeipa-github-notification at redhat.com (felipevolpone) Date: Fri, 12 May 2017 01:33:02 +0200 Subject: [Freeipa-devel] [freeipa PR#781][comment] [WIP] Warn in cert-request if CSR doesn't contain SAN In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/781 Title: #781: [WIP] Warn in cert-request if CSR doesn't contain SAN felipevolpone commented: """ Hi everyone, after a long long day, I did a great job deleting the branch from PR #773, then Github closed it. If someone knows how to reopen it, great. Otherwise, I create a new branch and this new PR. Sorry about that :( Notifying people that were following that thread: @stlaz @MartinBasti @frasertweedale @HonzaCholasta @pvoborni """ See the full comment at https://github.com/freeipa/freeipa/pull/781#issuecomment-300944178 From freeipa-github-notification at redhat.com Thu May 11 23:42:12 2017 From: freeipa-github-notification at redhat.com (felipevolpone) Date: Fri, 12 May 2017 01:42:12 +0200 Subject: [Freeipa-devel] [freeipa PR#782][opened] [WIP] Improving GUI text in "Add DNS Zones" popup Message-ID: URL: https://github.com/freeipa/freeipa/pull/782 Author: felipevolpone Title: #782: [WIP] Improving GUI text in "Add DNS Zones" popup Action: opened PR body: """ Improving usability of the "Add DNS Zones" popup in Web UI. Ticket: https://pagure.io/freeipa/issue/6687 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/782/head:pr782 git checkout pr782 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-782.patch Type: text/x-diff Size: 1828 bytes Desc: not available URL: From slaznick at redhat.com Fri May 12 06:36:34 2017 From: slaznick at redhat.com (Standa Laznicka) Date: Fri, 12 May 2017 08:36:34 +0200 Subject: [Freeipa-devel] Don't work with Pagure right now Message-ID: <7012847d-1efc-1264-cb72-5ff5fb832111@redhat.com> Hello, This morning I found out that "https://pagure.io/freeipa/" resolves to a different project, originally https://pagure.io/freeIPA/. I pointed the problem to the developer of the system, we'll see what he can do about it, but for now, we're missing about 200 issues. Please, don't open any new issues, as that's just pointless and would only cause us problems as these would need to be merged back to our project (should it be recoverable, which I hope it should). Luckily enough, `git clone https://git at pagure.io/freeipa.git` seemed to have resolved to the correct repo so our git repos should hopefully not be affected. Sorry for inconvenience, Standa From mbasti at redhat.com Fri May 12 08:42:09 2017 From: mbasti at redhat.com (=?UTF-8?Q?Martin_Ba=c5=a1ti?=) Date: Fri, 12 May 2017 10:42:09 +0200 Subject: [Freeipa-devel] [WIKI DRAFT] Files to be attached to bug reports Message-ID: Hello all, I created a wiki page that should help people to provide right logs for investigation depending on a issue. https://www.freeipa.org/page/Files_to_be_attached_to_bug_report Feel free to fix errors, update sections, add new sections or provide feedback. Once this page is polished I will link it to wiki on right places. Martin^2 -- Martin Ba?ti Software Engineer Red Hat Czech From freeipa-github-notification at redhat.com Fri May 12 08:49:26 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Fri, 12 May 2017 10:49:26 +0200 Subject: [Freeipa-devel] [freeipa PR#783][opened] Provide useful messages during cert verification Message-ID: URL: https://github.com/freeipa/freeipa/pull/783 Author: stlaz Title: #783: Provide useful messages during cert verification Action: opened PR body: """ When the certificate verification was replaced, some error messages were omitted (like "Peer's certificate expired."). Bring these back. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/783/head:pr783 git checkout pr783 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-783.patch Type: text/x-diff Size: 6391 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri May 12 10:36:48 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Fri, 12 May 2017 12:36:48 +0200 Subject: [Freeipa-devel] [freeipa PR#728][comment] ipa-cacert-manage: add --external-ca-type In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/728 Title: #728: ipa-cacert-manage: add --external-ca-type stlaz commented: """ LGTM """ See the full comment at https://github.com/freeipa/freeipa/pull/728#issuecomment-301043646 From freeipa-github-notification at redhat.com Fri May 12 10:53:58 2017 From: freeipa-github-notification at redhat.com (dkupka) Date: Fri, 12 May 2017 12:53:58 +0200 Subject: [Freeipa-devel] [freeipa PR#728][comment] ipa-cacert-manage: add --external-ca-type In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/728 Title: #728: ipa-cacert-manage: add --external-ca-type dkupka commented: """ Work for me. """ See the full comment at https://github.com/freeipa/freeipa/pull/728#issuecomment-301046744 From freeipa-github-notification at redhat.com Fri May 12 10:54:07 2017 From: freeipa-github-notification at redhat.com (dkupka) Date: Fri, 12 May 2017 12:54:07 +0200 Subject: [Freeipa-devel] [freeipa PR#728][+ack] ipa-cacert-manage: add --external-ca-type In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/728 Title: #728: ipa-cacert-manage: add --external-ca-type Label: +ack From slaznick at redhat.com Fri May 12 11:34:02 2017 From: slaznick at redhat.com (Standa Laznicka) Date: Fri, 12 May 2017 13:34:02 +0200 Subject: [Freeipa-devel] Don't work with Pagure right now In-Reply-To: <7012847d-1efc-1264-cb72-5ff5fb832111@redhat.com> References: <7012847d-1efc-1264-cb72-5ff5fb832111@redhat.com> Message-ID: On 05/12/2017 08:36 AM, Standa Laznicka wrote: > Hello, > > This morning I found out that "https://pagure.io/freeipa/" resolves to > a different project, originally https://pagure.io/freeIPA/. I pointed > the problem to the developer of the system, we'll see what he can do > about it, but for now, we're missing about 200 issues. > > Please, don't open any new issues, as that's just pointless and would > only cause us problems as these would need to be merged back to our > project (should it be recoverable, which I hope it should). > > Luckily enough, `git clone https://git at pagure.io/freeipa.git` seemed > to have resolved to the correct repo so our git repos should hopefully > not be affected. > > Sorry for inconvenience, > Standa > Hopefully everything is back on track now. From freeipa-github-notification at redhat.com Fri May 12 12:00:20 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Fri, 12 May 2017 14:00:20 +0200 Subject: [Freeipa-devel] [freeipa PR#757][comment] ca, kra install: validate DM password In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/757 Title: #757: ca, kra install: validate DM password stlaz commented: """ You forgot an import in ipa-ca-install: ``` ************* Module ipa-ca-install install/tools/ipa-ca-install:37: [W0611(unused-import), ] Unused ScriptError imported from ipapython.admintool) ``` """ See the full comment at https://github.com/freeipa/freeipa/pull/757#issuecomment-301058163 From freeipa-github-notification at redhat.com Fri May 12 12:10:42 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Fri, 12 May 2017 14:10:42 +0200 Subject: [Freeipa-devel] [freeipa PR#783][synchronized] Provide useful messages during cert verification In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/783 Author: stlaz Title: #783: Provide useful messages during cert verification Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/783/head:pr783 git checkout pr783 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-783.patch Type: text/x-diff Size: 6429 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri May 12 13:00:28 2017 From: freeipa-github-notification at redhat.com (flo-renaud) Date: Fri, 12 May 2017 15:00:28 +0200 Subject: [Freeipa-devel] [freeipa PR#784][opened] ipa-replica-manage del (dl 0): remove server from defaultServerList Message-ID: URL: https://github.com/freeipa/freeipa/pull/784 Author: flo-renaud Title: #784: ipa-replica-manage del (dl 0): remove server from defaultServerList Action: opened PR body: """ ipa-replica-manage del should remove the server from the entry cn=default,ou=profile,$BASE The entry contains an attribute defaultServerList: srv1.domain.com srv2.domain.com srv3.domain.com The code calls srvlist = ret.single_value.get('defaultServerList') which means that srvlist contains a single value (string) containing all the servers separated by a space, and not a list of attribute values. Because of that, srvlist[0] corresponds to the first character of the value. The fix splits srvlist and not srvlist[0]. https://pagure.io/freeipa/issue/6946 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/784/head:pr784 git checkout pr784 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-784.patch Type: text/x-diff Size: 1853 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri May 12 13:15:08 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Fri, 12 May 2017 15:15:08 +0200 Subject: [Freeipa-devel] [freeipa PR#778][+ack] ipaclient: fix missing RPM ownership In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/778 Title: #778: ipaclient: fix missing RPM ownership Label: +ack From freeipa-github-notification at redhat.com Fri May 12 13:49:02 2017 From: freeipa-github-notification at redhat.com (pvoborni) Date: Fri, 12 May 2017 15:49:02 +0200 Subject: [Freeipa-devel] [freeipa PR#782][comment] [WIP] Improving GUI text in "Add DNS Zones" popup In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/782 Title: #782: [WIP] Improving GUI text in "Add DNS Zones" popup pvoborni commented: """ I'm not completely sure that the approach suggested in bug report is correct. That is why I suggested alternative in https://bugzilla.redhat.com/show_bug.cgi?id=1419834#c2 So before implementing it a small conversation could have happen to agree on the approach. """ See the full comment at https://github.com/freeipa/freeipa/pull/782#issuecomment-301081271 From freeipa-github-notification at redhat.com Fri May 12 13:58:13 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Fri, 12 May 2017 15:58:13 +0200 Subject: [Freeipa-devel] [freeipa PR#783][synchronized] Provide useful messages during cert verification In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/783 Author: stlaz Title: #783: Provide useful messages during cert verification Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/783/head:pr783 git checkout pr783 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-783.patch Type: text/x-diff Size: 6425 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri May 12 13:58:19 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Fri, 12 May 2017 15:58:19 +0200 Subject: [Freeipa-devel] [freeipa PR#783][edited] Provide useful messages during cert verification In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/783 Author: stlaz Title: #783: Provide useful messages during cert verification Action: edited Changed field: title Original value: """ Provide useful messages during cert verification """ From freeipa-github-notification at redhat.com Fri May 12 13:58:28 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Fri, 12 May 2017 15:58:28 +0200 Subject: [Freeipa-devel] [freeipa PR#783][edited] Provide useful messages during cert validation In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/783 Author: stlaz Title: #783: Provide useful messages during cert validation Action: edited Changed field: body Original value: """ When the certificate verification was replaced, some error messages were omitted (like "Peer's certificate expired."). Bring these back. """ From freeipa-github-notification at redhat.com Fri May 12 14:22:22 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Fri, 12 May 2017 16:22:22 +0200 Subject: [Freeipa-devel] [freeipa PR#757][synchronized] ca, kra install: validate DM password In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/757 Author: tomaskrizek Title: #757: ca, kra install: validate DM password Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/757/head:pr757 git checkout pr757 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-757.patch Type: text/x-diff Size: 7299 bytes Desc: not available URL: From tkrizek at redhat.com Fri May 12 14:42:17 2017 From: tkrizek at redhat.com (Tomas Krizek) Date: Fri, 12 May 2017 16:42:17 +0200 Subject: [Freeipa-devel] [WIKI DRAFT] Files to be attached to bug reports In-Reply-To: References: Message-ID: <37d36f64-216f-1017-580d-a435a5af4817@redhat.com> On 05/12/2017 10:42 AM, Martin Ba?ti wrote: > Hello all, > > I created a wiki page that should help people to provide right logs > for investigation depending on a issue. > > https://www.freeipa.org/page/Files_to_be_attached_to_bug_report > > Feel free to fix errors, update sections, add new sections or provide > feedback. Once this page is polished I will link it to wiki on right > places. > > > Martin^2 > Thanks for the page, it's a great idea! I suggest we use '-r' option for all journalctl logs. On a running server, the journal can be quite long and someone might post an old/unrelated error by accident. Using '-r' will ensure the user will see the most recent and relevant log output. -- Tomas Krizek PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 473 bytes Desc: OpenPGP digital signature URL: From freeipa-github-notification at redhat.com Fri May 12 15:31:55 2017 From: freeipa-github-notification at redhat.com (dkupka) Date: Fri, 12 May 2017 17:31:55 +0200 Subject: [Freeipa-devel] [freeipa PR#785][opened] otptoken-add-yubikey: When --digits not provided use default value Message-ID: URL: https://github.com/freeipa/freeipa/pull/785 Author: dkupka Title: #785: otptoken-add-yubikey: When --digits not provided use default value Action: opened PR body: """ Since Thin client was introduced default values for options are not populated in client side plugins. When option has default value and is needed in client plugin it must be handled by explicitly. https://pagure.io/freeipa/issue/6900 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/785/head:pr785 git checkout pr785 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-785.patch Type: text/x-diff Size: 1214 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri May 12 15:46:09 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Fri, 12 May 2017 17:46:09 +0200 Subject: [Freeipa-devel] [freeipa PR#782][comment] [WIP] Improving GUI text in "Add DNS Zones" popup In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/782 Title: #782: [WIP] Improving GUI text in "Add DNS Zones" popup pvomacka commented: """ Hello @felipevolpone , Thank you for your patch. For adding arbitrary text into a dialog or details page is probably the most suitable IPA.html_widget (but it has a big disadvantage - described below in section A). You can put it into the section you created. It might look like this: ``` { name: 'dnszone_title', show_header: false, fields: [ { field: false, $type: 'html', name: 'info', html: "Select the required zone type." } ], layout: { $factory: IPA.fluid_layout, widget_cls: "col-sm-12 controls", label_cls: "hide" } }, ``` Layout attribute of the section might not be needed, but I would say that here it good to add it. It hides label of field and set width of the field to 100% of the dialog. (Simpler solutions below - B and C) A) The html attribute contains text which will be displayed. Text there should be taken from translatable strings. It can be done by using `text.get('i18n:path.to.the.string')` and writing the string into ipaserver/internal.py. The main challenge here might be to find a place where the string has to be loaded. It has to be done before building the whole dialog and its sections. You will probably need to override `dialog_build_properites` attribute of entity specification and there change `$post_ops` operation which where is the function which builds adder dialog for entity (add there loading of translate string). B) (not tested) Another solution would be to set text field instead of html one and turn off the field in the same way as above and then set it non-writable and read_only. Then hide the label and there the `text.get()` should work directly in field definition. (should not be needed to change behavior of building entity's adder dialog). C) Another solution will be to create new widget, which will work in the same way as `IPA.html_widget` but it will support translatable strings. If you have any question feel free to ask. :) """ See the full comment at https://github.com/freeipa/freeipa/pull/782#issuecomment-301113031 From freeipa-github-notification at redhat.com Fri May 12 16:03:19 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Fri, 12 May 2017 18:03:19 +0200 Subject: [Freeipa-devel] [freeipa PR#782][comment] [WIP] Improving GUI text in "Add DNS Zones" popup In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/782 Title: #782: [WIP] Improving GUI text in "Add DNS Zones" popup pvomacka commented: """ Sorry I haven't refresh the page so I didn't see @pvoborni comment before I sent mine. The suggestion which Petr wrote into Bugzilla should be discussed with @MartinBasti and if I recall correctly he did not recommend it from point of view of DNS. """ See the full comment at https://github.com/freeipa/freeipa/pull/782#issuecomment-301117428 From freeipa-github-notification at redhat.com Mon May 15 00:20:30 2017 From: freeipa-github-notification at redhat.com (frasertweedale) Date: Mon, 15 May 2017 02:20:30 +0200 Subject: [Freeipa-devel] [freeipa PR#736][+ack] Fixing the cert-request command comparing whole email address case-sensitively. In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/736 Title: #736: Fixing the cert-request command comparing whole email address case-sensitively. Label: +ack From freeipa-github-notification at redhat.com Mon May 15 06:21:57 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Mon, 15 May 2017 08:21:57 +0200 Subject: [Freeipa-devel] [freeipa PR#783][edited] Provide useful messages during cert validation In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/783 Author: stlaz Title: #783: Provide useful messages during cert validation Action: edited Changed field: body Original value: """ When the certificate validation was replaced, some error messages were omitted (like "Peer's certificate expired."). Bring these back. """ From freeipa-github-notification at redhat.com Mon May 15 08:19:29 2017 From: freeipa-github-notification at redhat.com (pvoborni) Date: Mon, 15 May 2017 10:19:29 +0200 Subject: [Freeipa-devel] [freeipa PR#782][comment] [WIP] Improving GUI text in "Add DNS Zones" popup In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/782 Title: #782: [WIP] Improving GUI text in "Add DNS Zones" popup pvoborni commented: """ Ok, when one field is not usuable because IP address or network address are also valid DNS zones, then the proper way is to follow patternfly design for this kind of workflows: http://www.patternfly.org/pattern-library/forms-and-controls/progressive-disclosure/ """ See the full comment at https://github.com/freeipa/freeipa/pull/782#issuecomment-301408101 From freeipa-github-notification at redhat.com Mon May 15 08:37:18 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Mon, 15 May 2017 10:37:18 +0200 Subject: [Freeipa-devel] [freeipa PR#758][comment] install: fix CA-less PKINIT In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/758 Title: #758: install: fix CA-less PKINIT stlaz commented: """ `kinit -n` still fails with my setup. I found out the reason is that I have a self-sign certificate in the trust chain: ``` [36993] 1494834859.113259: PKINIT client could not verify DH reply [36993] 1494834859.113276: Preauth module pkinit (17) (real) returned: -1765328313/Failed to verify received certificate (depth 2): self signed certificate in certificate chain kinit: Invalid certificate while getting initial credentials ``` This does not happen without this patchset so the question is whether it is OK that this is happening or not. If so, we should add a check which would prevent this + probably warn our QA team because I guess this is just the way they are testing this, """ See the full comment at https://github.com/freeipa/freeipa/pull/758#issuecomment-301411948 From freeipa-github-notification at redhat.com Mon May 15 08:37:28 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Mon, 15 May 2017 10:37:28 +0200 Subject: [Freeipa-devel] [freeipa PR#758][comment] install: fix CA-less PKINIT In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/758 Title: #758: install: fix CA-less PKINIT stlaz commented: """ `kinit -n` still fails with my setup. I found out the reason is that I have a self-sign certificate in the trust chain: ``` [36993] 1494834859.113259: PKINIT client could not verify DH reply [36993] 1494834859.113276: Preauth module pkinit (17) (real) returned: -1765328313/Failed to verify received certificate (depth 2): self signed certificate in certificate chain kinit: Invalid certificate while getting initial credentials ``` This does not happen without this patchset so the question is whether it is OK that this is happening or not. If so, we should add a check which would prevent this + probably warn our QA team because I guess this is just the way they are testing this, """ See the full comment at https://github.com/freeipa/freeipa/pull/758#issuecomment-301411948 From freeipa-github-notification at redhat.com Mon May 15 08:38:55 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Mon, 15 May 2017 10:38:55 +0200 Subject: [Freeipa-devel] [freeipa PR#758][comment] install: fix CA-less PKINIT In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/758 Title: #758: install: fix CA-less PKINIT stlaz commented: """ `kinit -n` still fails with my external CA setup. I found out the reason is that I have a self-sign certificate in the trust chain: ``` [36993] 1494834859.113259: PKINIT client could not verify DH reply [36993] 1494834859.113276: Preauth module pkinit (17) (real) returned: -1765328313/Failed to verify received certificate (depth 2): self signed certificate in certificate chain kinit: Invalid certificate while getting initial credentials ``` This does not happen without this patchset so the question is whether it is OK that this is happening or not. If so, we should add a check which would prevent this + probably warn our QA team because I guess this is just the way they are testing this, """ See the full comment at https://github.com/freeipa/freeipa/pull/758#issuecomment-301411948 From freeipa-github-notification at redhat.com Mon May 15 10:20:57 2017 From: freeipa-github-notification at redhat.com (dkupka) Date: Mon, 15 May 2017 12:20:57 +0200 Subject: [Freeipa-devel] [freeipa PR#728][+pushed] ipa-cacert-manage: add --external-ca-type In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/728 Title: #728: ipa-cacert-manage: add --external-ca-type Label: +pushed From freeipa-github-notification at redhat.com Mon May 15 10:21:00 2017 From: freeipa-github-notification at redhat.com (dkupka) Date: Mon, 15 May 2017 12:21:00 +0200 Subject: [Freeipa-devel] [freeipa PR#728][comment] ipa-cacert-manage: add --external-ca-type In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/728 Title: #728: ipa-cacert-manage: add --external-ca-type dkupka commented: """ master: * ce9eefe53b398b73f956df420ea8694b90e24f76 renew agent: respect CA renewal master setting * 5abd9bb99680df45b6cd87de3b08466d612344bb server upgrade: always fix certmonger tracking request * 09a49ad45846e3c2e76c5a035a27d0fa95b347b9 cainstance: use correct profile for lightweight CA certificates * 25aeeaf46dd92e06f14de83459ab9be8ab846922 renew agent: allow reusing existing certs * 0bf41e804e89937fc72502cfbe1363dd7591675e renew agent: always export CSR on IPA CA certificate renewal * 21f4cbf8da8091b898fc8032fff65e821223d042 renew agent: get rid of virtual profiles * b03ede87963bc5933691c9e3f88768e1bf92736f ipa-cacert-manage: add --external-ca-type ipa-4-5: * 36fc44b90ceb9e98abd93a3abb1e5b8d18df6ff0 renew agent: respect CA renewal master setting * b55dd9cee5c2161002f56c63d7e0ae86e792fbbd server upgrade: always fix certmonger tracking request * 4a01114f1e49fd73e88e2d9f1512a11cbab0176e cainstance: use correct profile for lightweight CA certificates * 920d56a8f0321c4b092da6c173961c82aa1d6bd3 renew agent: allow reusing existing certs * 25b0a9cf6c60c709cacb74ad188cd6e91d4b60ea renew agent: always export CSR on IPA CA certificate renewal * bb952827b84d7b47ffd77549b3a7c9da2fe537ae renew agent: get rid of virtual profiles * c56d12aeaccb455a193271a31362b7412b2d2e60 ipa-cacert-manage: add --external-ca-type """ See the full comment at https://github.com/freeipa/freeipa/pull/728#issuecomment-301435675 From freeipa-github-notification at redhat.com Mon May 15 10:21:03 2017 From: freeipa-github-notification at redhat.com (dkupka) Date: Mon, 15 May 2017 12:21:03 +0200 Subject: [Freeipa-devel] [freeipa PR#728][closed] ipa-cacert-manage: add --external-ca-type In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/728 Author: HonzaCholasta Title: #728: ipa-cacert-manage: add --external-ca-type Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/728/head:pr728 git checkout pr728 From freeipa-github-notification at redhat.com Mon May 15 11:37:41 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Mon, 15 May 2017 13:37:41 +0200 Subject: [Freeipa-devel] [freeipa PR#782][comment] [WIP] Improving GUI text in "Add DNS Zones" popup In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/782 Title: #782: [WIP] Improving GUI text in "Add DNS Zones" popup pvomacka commented: """ Yes, this pattern should be used. We already have a widget for this (without hiding not-selected area) and it is used i.e. in certmapdata adder dialog which could be opened from user's details page. Try to look for `multiple_choice_section`. """ See the full comment at https://github.com/freeipa/freeipa/pull/782#issuecomment-301450276 From freeipa-github-notification at redhat.com Mon May 15 13:48:47 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Mon, 15 May 2017 15:48:47 +0200 Subject: [Freeipa-devel] [freeipa PR#689][synchronized] Sort SRV records by priority In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/689 Author: alex-zel Title: #689: Sort SRV records by priority Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/689/head:pr689 git checkout pr689 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-689.patch Type: text/x-diff Size: 1186 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon May 15 13:49:54 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Mon, 15 May 2017 15:49:54 +0200 Subject: [Freeipa-devel] [freeipa PR#689][comment] Sort SRV records by priority In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/689 Title: #689: Sort SRV records by priority MartinBasti commented: """ I squashed your commits, please check """ See the full comment at https://github.com/freeipa/freeipa/pull/689#issuecomment-301480548 From freeipa-github-notification at redhat.com Mon May 15 14:28:09 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Mon, 15 May 2017 16:28:09 +0200 Subject: [Freeipa-devel] [freeipa PR#716][comment] Fix minor typos In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/716 Title: #716: Fix minor typos stlaz commented: """ I asked today at a meeting and the `ipaclient/remote_plugins/2_*/*.py` changes are fine. If you could possibly change the one small issue, we will finally be able tu push this :) """ See the full comment at https://github.com/freeipa/freeipa/pull/716#issuecomment-301492072 From freeipa-github-notification at redhat.com Mon May 15 15:18:39 2017 From: freeipa-github-notification at redhat.com (flo-renaud) Date: Mon, 15 May 2017 17:18:39 +0200 Subject: [Freeipa-devel] [freeipa PR#786][opened] ipa-server-install: fix uninstall Message-ID: URL: https://github.com/freeipa/freeipa/pull/786 Author: flo-renaud Title: #786: ipa-server-install: fix uninstall Action: opened PR body: """ ipa-server-install --uninstall fails to stop tracking the certificates because it assigns a tuple to the variable nicknames, then tries to call nicknames.append(). This is a regression introduced by 92a08266. Assignment should be done using nicknames = list(self.tracking_reqs) instead. https://pagure.io/freeipa/issue/6950 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/786/head:pr786 git checkout pr786 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-786.patch Type: text/x-diff Size: 1175 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon May 15 16:56:05 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Mon, 15 May 2017 18:56:05 +0200 Subject: [Freeipa-devel] [freeipa PR#787][opened] ipasetup: fix dependencies handling based on python version Message-ID: URL: https://github.com/freeipa/freeipa/pull/787 Author: MartinBasti Title: #787: ipasetup: fix dependencies handling based on python version Action: opened PR body: """ On RHEL system ipasetup is failing: ``` ValueError: (":python_version>='3'", ['pyldap']) ``` Our RHEL re-implementation of setuptools logic should ignore python3 packages when python3 is not available. https://pagure.io/freeipa/issue/6875 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/787/head:pr787 git checkout pr787 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-787.patch Type: text/x-diff Size: 1442 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue May 16 05:35:31 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Tue, 16 May 2017 07:35:31 +0200 Subject: [Freeipa-devel] [freeipa PR#758][comment] install: fix CA-less PKINIT In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/758 Title: #758: install: fix CA-less PKINIT HonzaCholasta commented: """ @stlaz, this seems to be a bug in kinit. When you have a certificate chain root CA -> intermediate CA -> KDC and want to trust the intermediate CA, but not the root CA, the validation will always fail. This is the case in external CA setup (the external CA is the root CA, IPA CA is the intermediate CA), but I haven't confirmed it without IPA yet. Without this patchset, both the CA certificates are trusted, which is a bug, but makes kinit work. """ See the full comment at https://github.com/freeipa/freeipa/pull/758#issuecomment-301680152 From freeipa-github-notification at redhat.com Tue May 16 05:44:08 2017 From: freeipa-github-notification at redhat.com (alex-zel) Date: Tue, 16 May 2017 07:44:08 +0200 Subject: [Freeipa-devel] [freeipa PR#689][comment] Sort SRV records by priority In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/689 Title: #689: Sort SRV records by priority alex-zel commented: """ Thanks, sorry I didn't get to it. """ See the full comment at https://github.com/freeipa/freeipa/pull/689#issuecomment-301681362 From freeipa-github-notification at redhat.com Tue May 16 06:51:41 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Tue, 16 May 2017 08:51:41 +0200 Subject: [Freeipa-devel] [freeipa PR#776][+ack] [4.5 backport] Added plugins directory to ipaclient subpackages In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/776 Title: #776: [4.5 backport] Added plugins directory to ipaclient subpackages Label: +ack From freeipa-github-notification at redhat.com Tue May 16 06:52:02 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Tue, 16 May 2017 08:52:02 +0200 Subject: [Freeipa-devel] [freeipa PR#775][+ack] [4.4 backport] Added plugins directory to ipaclient subpackages In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/775 Title: #775: [4.4 backport] Added plugins directory to ipaclient subpackages Label: +ack From tkrizek at redhat.com Tue May 16 07:06:59 2017 From: tkrizek at redhat.com (Tomas Krizek) Date: Tue, 16 May 2017 09:06:59 +0200 Subject: [Freeipa-devel] "blocker" tag for pull request In-Reply-To: <83d6d9af-fde7-6776-5448-cb207b6e8a98@redhat.com> References: <3344f815-4060-790f-5028-830bf3373d4c@redhat.com> <385c9b72-e29c-7ecd-6ce9-e72ff61c54b1@redhat.com> <83d6d9af-fde7-6776-5448-cb207b6e8a98@redhat.com> Message-ID: <4585529b-62f0-5b7c-280d-7b1b177f19c8@redhat.com> On 05/02/2017 12:57 PM, Standa Laznicka wrote: > On 04/28/2017 02:41 PM, Martin Ba?ti wrote: >> >> On 28.04.2017 14:17, Tomas Krizek wrote: >>> On 04/28/2017 10:15 AM, Petr Vobornik wrote: >>>> Hi all, >>>> >>>> I created "blocker" tag for FreeIPA Git Hub PRs. >>>> >>>> It is should be used to mark PRs which solves test blocker or other >>>> functional blockers - e.g. blocks creation of demo. I.e. should be >>>> used rather rarely. >>>> >>>> I don't like the tag name, but I couldn't find better. >>> I think we could use the name "high-priority". It could have other uses >>> besides marking a blocker, e.g. requesting prompt execution of tests in >>> PR CI. >> Sounds good or maybe "prioritized", IMHO "blocker" word is overused. Bump, can we please change the "blocker" tag to "high-priority" and tag the high priority PR? Currently #757, #758. >> >>>> Note: blocker priority in pagure doesn't imply blocker tag in PR. But >>>> testblocker tag in pagure does. Actually I'm thinking about changing >>>> Pagure priority names to: "highest, high, medium, low, patchwelcome" >>>> >>> +1, but I'd prefer "critical" instead of "highest" >>> >>> >>> >> +1 for critical >> >> pyldap uses "help wanted" instead "patchwelcome", it sounds better to >> me. I'd use it as separate tag instead of priority. Even high >> prioritized issues can be made by contributors in early phase of >> development if they are easy enough. >> >> Martin^2 >> -- >> Martin Ba?ti >> Software Engineer >> Red Hat Czech >> >> > +1 for critical; > > +1 for "help wanted", reasons: > > - "patchwelcome" sounds strange, and strange is an understatement here > (also, are you afraid of 2 word tags?) > > - "help wanted" is much more humble, "patches welcome" is a common cry > when you just don't care enough to fix it yourself, and I don't > believe that's the message we want to be sending outside > > > I believe there's also an agreement to change the priority names as mentioned above. Does anything prevent us from doing so? -- Tomas Krizek PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869 -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 473 bytes Desc: OpenPGP digital signature URL: From freeipa-github-notification at redhat.com Tue May 16 07:29:31 2017 From: freeipa-github-notification at redhat.com (flo-renaud) Date: Tue, 16 May 2017 09:29:31 +0200 Subject: [Freeipa-devel] [freeipa PR#788][opened] ipa-kra-install: fix pkispawn setting for pki_security_domain_hostname Message-ID: URL: https://github.com/freeipa/freeipa/pull/788 Author: flo-renaud Title: #788: ipa-kra-install: fix pkispawn setting for pki_security_domain_hostname Action: opened PR body: """ During ipa-kra-install, the installer prepares a configuration file provided to pkispawn. This configuration file defines pki_security_domain_hostname=(first master) but when we are installing a clone, it should be set to the local hostname instead, see man page pki_default.cfg: pki_security_domain_hostname, pki_security_domain_https_port Location of the security domain. Required for KRA, OCSP, TKS, and TPS subsystems and for CA subsystems joining a security domain. Defaults to the location of the CA subsystem within the same instance. When pki_security_domain_hostname points to the 1st master, and this first master is decommissioned, ipa-kra-install fails on new replicas because pkispawn tries to connect to this (non-existing) host. https://pagure.io/freeipa/issue/6895 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/788/head:pr788 git checkout pr788 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-788.patch Type: text/x-diff Size: 1907 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue May 16 07:37:48 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 16 May 2017 09:37:48 +0200 Subject: [Freeipa-devel] [freeipa PR#689][+ack] Sort SRV records by priority In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/689 Title: #689: Sort SRV records by priority Label: +ack From freeipa-github-notification at redhat.com Tue May 16 07:44:25 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 16 May 2017 09:44:25 +0200 Subject: [Freeipa-devel] [freeipa PR#689][+pushed] Sort SRV records by priority In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/689 Title: #689: Sort SRV records by priority Label: +pushed From freeipa-github-notification at redhat.com Tue May 16 07:44:29 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 16 May 2017 09:44:29 +0200 Subject: [Freeipa-devel] [freeipa PR#689][comment] Sort SRV records by priority In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/689 Title: #689: Sort SRV records by priority MartinBasti commented: """ master: * 8ec8e24015df29bae97fa58d1a7ae12d28639d25 Sort SRV records by priority """ See the full comment at https://github.com/freeipa/freeipa/pull/689#issuecomment-301702375 From freeipa-github-notification at redhat.com Tue May 16 07:44:33 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 16 May 2017 09:44:33 +0200 Subject: [Freeipa-devel] [freeipa PR#689][closed] Sort SRV records by priority In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/689 Author: alex-zel Title: #689: Sort SRV records by priority Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/689/head:pr689 git checkout pr689 From freeipa-github-notification at redhat.com Tue May 16 08:11:30 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 16 May 2017 10:11:30 +0200 Subject: [Freeipa-devel] [freeipa PR#785][comment] otptoken-add-yubikey: When --digits not provided use default value In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/785 Title: #785: otptoken-add-yubikey: When --digits not provided use default value stlaz commented: """ Works for me. """ See the full comment at https://github.com/freeipa/freeipa/pull/785#issuecomment-301708499 From freeipa-github-notification at redhat.com Tue May 16 08:11:34 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 16 May 2017 10:11:34 +0200 Subject: [Freeipa-devel] [freeipa PR#785][+ack] otptoken-add-yubikey: When --digits not provided use default value In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/785 Title: #785: otptoken-add-yubikey: When --digits not provided use default value Label: +ack From freeipa-github-notification at redhat.com Tue May 16 08:14:57 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 16 May 2017 10:14:57 +0200 Subject: [Freeipa-devel] [freeipa PR#736][+pushed] Fixing the cert-request command comparing whole email address case-sensitively. In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/736 Title: #736: Fixing the cert-request command comparing whole email address case-sensitively. Label: +pushed From freeipa-github-notification at redhat.com Tue May 16 08:15:02 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 16 May 2017 10:15:02 +0200 Subject: [Freeipa-devel] [freeipa PR#736][comment] Fixing the cert-request command comparing whole email address case-sensitively. In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/736 Title: #736: Fixing the cert-request command comparing whole email address case-sensitively. MartinBasti commented: """ master: * d973168e89c7fb5e8c36919b3adb685371e1a3ab Fixing the cert-request comparing whole email address case-sensitively. """ See the full comment at https://github.com/freeipa/freeipa/pull/736#issuecomment-301709267 From freeipa-github-notification at redhat.com Tue May 16 08:15:08 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 16 May 2017 10:15:08 +0200 Subject: [Freeipa-devel] [freeipa PR#736][closed] Fixing the cert-request command comparing whole email address case-sensitively. In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/736 Author: felipevolpone Title: #736: Fixing the cert-request command comparing whole email address case-sensitively. Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/736/head:pr736 git checkout pr736 From freeipa-github-notification at redhat.com Tue May 16 08:18:49 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Tue, 16 May 2017 10:18:49 +0200 Subject: [Freeipa-devel] [freeipa PR#787][+ack] ipasetup: fix dependencies handling based on python version In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/787 Title: #787: ipasetup: fix dependencies handling based on python version Label: +ack From freeipa-github-notification at redhat.com Tue May 16 08:33:06 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Tue, 16 May 2017 10:33:06 +0200 Subject: [Freeipa-devel] [freeipa PR#787][comment] ipasetup: fix dependencies handling based on python version In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/787 Title: #787: ipasetup: fix dependencies handling based on python version pvomacka commented: """ Works for me. """ See the full comment at https://github.com/freeipa/freeipa/pull/787#issuecomment-301713360 From freeipa-github-notification at redhat.com Tue May 16 08:34:15 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 16 May 2017 10:34:15 +0200 Subject: [Freeipa-devel] [freeipa PR#761][+pushed] Fixing adding authenticator indicators to host In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/761 Title: #761: Fixing adding authenticator indicators to host Label: +pushed From freeipa-github-notification at redhat.com Tue May 16 08:34:26 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 16 May 2017 10:34:26 +0200 Subject: [Freeipa-devel] [freeipa PR#761][comment] Fixing adding authenticator indicators to host In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/761 Title: #761: Fixing adding authenticator indicators to host MartinBasti commented: """ master: * d51af28bdbef8386b6d3bde683be2fc5f73b904e Fixing adding authenticator indicators to host ipa-4-5: * 81ae5f4d655bb052c6c0961760dba34e70dcd3c3 Fixing adding authenticator indicators to host """ See the full comment at https://github.com/freeipa/freeipa/pull/761#issuecomment-301713644 From freeipa-github-notification at redhat.com Tue May 16 08:34:37 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 16 May 2017 10:34:37 +0200 Subject: [Freeipa-devel] [freeipa PR#761][closed] Fixing adding authenticator indicators to host In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/761 Author: felipevolpone Title: #761: Fixing adding authenticator indicators to host Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/761/head:pr761 git checkout pr761 From freeipa-github-notification at redhat.com Tue May 16 08:40:54 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 16 May 2017 10:40:54 +0200 Subject: [Freeipa-devel] [freeipa PR#776][+pushed] [4.5 backport] Added plugins directory to ipaclient subpackages In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/776 Title: #776: [4.5 backport] Added plugins directory to ipaclient subpackages Label: +pushed From freeipa-github-notification at redhat.com Tue May 16 08:40:57 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 16 May 2017 10:40:57 +0200 Subject: [Freeipa-devel] [freeipa PR#776][comment] [4.5 backport] Added plugins directory to ipaclient subpackages In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/776 Title: #776: [4.5 backport] Added plugins directory to ipaclient subpackages MartinBasti commented: """ ipa-4-5: * 3605f8ba9a2545680cd46ff02c282d03f84bb366 Added plugins directory to ipaclient subpackages """ See the full comment at https://github.com/freeipa/freeipa/pull/776#issuecomment-301715202 From freeipa-github-notification at redhat.com Tue May 16 08:41:02 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 16 May 2017 10:41:02 +0200 Subject: [Freeipa-devel] [freeipa PR#776][closed] [4.5 backport] Added plugins directory to ipaclient subpackages In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/776 Author: MartinBasti Title: #776: [4.5 backport] Added plugins directory to ipaclient subpackages Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/776/head:pr776 git checkout pr776 From freeipa-github-notification at redhat.com Tue May 16 08:46:35 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 16 May 2017 10:46:35 +0200 Subject: [Freeipa-devel] [freeipa PR#775][closed] [4.4 backport] Added plugins directory to ipaclient subpackages In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/775 Author: MartinBasti Title: #775: [4.4 backport] Added plugins directory to ipaclient subpackages Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/775/head:pr775 git checkout pr775 From freeipa-github-notification at redhat.com Tue May 16 08:46:39 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 16 May 2017 10:46:39 +0200 Subject: [Freeipa-devel] [freeipa PR#775][+pushed] [4.4 backport] Added plugins directory to ipaclient subpackages In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/775 Title: #775: [4.4 backport] Added plugins directory to ipaclient subpackages Label: +pushed From freeipa-github-notification at redhat.com Tue May 16 08:46:43 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 16 May 2017 10:46:43 +0200 Subject: [Freeipa-devel] [freeipa PR#775][comment] [4.4 backport] Added plugins directory to ipaclient subpackages In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/775 Title: #775: [4.4 backport] Added plugins directory to ipaclient subpackages MartinBasti commented: """ ipa-4-4: * d22ac59828cc4339d509804ddb3e2e1da9cfaa20 Added plugins directory to ipaclient subpackages """ See the full comment at https://github.com/freeipa/freeipa/pull/775#issuecomment-301716584 From freeipa-github-notification at redhat.com Tue May 16 09:12:01 2017 From: freeipa-github-notification at redhat.com (flo-renaud) Date: Tue, 16 May 2017 11:12:01 +0200 Subject: [Freeipa-devel] [freeipa PR#783][comment] Provide useful messages during cert validation In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/783 Title: #783: Provide useful messages during cert validation flo-renaud commented: """ Hi @stlaz Thank you for the patch. LGTM. """ See the full comment at https://github.com/freeipa/freeipa/pull/783#issuecomment-301722760 From freeipa-github-notification at redhat.com Tue May 16 09:12:08 2017 From: freeipa-github-notification at redhat.com (flo-renaud) Date: Tue, 16 May 2017 11:12:08 +0200 Subject: [Freeipa-devel] [freeipa PR#783][+ack] Provide useful messages during cert validation In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/783 Title: #783: Provide useful messages during cert validation Label: +ack From freeipa-github-notification at redhat.com Tue May 16 09:30:43 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 16 May 2017 11:30:43 +0200 Subject: [Freeipa-devel] [freeipa PR#778][comment] ipaclient: fix missing RPM ownership In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/778 Title: #778: ipaclient: fix missing RPM ownership MartinBasti commented: """ master: * 374a58fa49adc715d50996571631af37ae16bd64 ipaclient: fix missing RPM ownership ipa-4-5: * 5d0975319daa34a16d4163669474af89e987457e ipaclient: fix missing RPM ownership """ See the full comment at https://github.com/freeipa/freeipa/pull/778#issuecomment-301727407 From freeipa-github-notification at redhat.com Tue May 16 09:30:34 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 16 May 2017 11:30:34 +0200 Subject: [Freeipa-devel] [freeipa PR#778][+pushed] ipaclient: fix missing RPM ownership In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/778 Title: #778: ipaclient: fix missing RPM ownership Label: +pushed From freeipa-github-notification at redhat.com Tue May 16 09:30:45 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 16 May 2017 11:30:45 +0200 Subject: [Freeipa-devel] [freeipa PR#778][closed] ipaclient: fix missing RPM ownership In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/778 Author: MartinBasti Title: #778: ipaclient: fix missing RPM ownership Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/778/head:pr778 git checkout pr778 From freeipa-github-notification at redhat.com Tue May 16 09:35:37 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 16 May 2017 11:35:37 +0200 Subject: [Freeipa-devel] [freeipa PR#789][opened] ipaclient: fix missing RPM ownership Message-ID: URL: https://github.com/freeipa/freeipa/pull/789 Author: MartinBasti Title: #789: ipaclient: fix missing RPM ownership Action: opened PR body: """ FreeIPA package should own all subdirectories to work properly with 3rd party packages/plugins. https://pagure.io/freeipa/issue/6927 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/789/head:pr789 git checkout pr789 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-789.patch Type: text/x-diff Size: 1598 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue May 16 09:35:51 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 16 May 2017 11:35:51 +0200 Subject: [Freeipa-devel] [freeipa PR#789][edited] ipaclient: fix missing RPM ownership In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/789 Author: MartinBasti Title: #789: ipaclient: fix missing RPM ownership Action: edited Changed field: title Original value: """ ipaclient: fix missing RPM ownership """ From freeipa-github-notification at redhat.com Tue May 16 09:52:07 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 16 May 2017 11:52:07 +0200 Subject: [Freeipa-devel] [freeipa PR#785][comment] otptoken-add-yubikey: When --digits not provided use default value In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/785 Title: #785: otptoken-add-yubikey: When --digits not provided use default value MartinBasti commented: """ ipa-4-5: * 749fc90d1fde0d012acb05ba64309f4a6ed63124 otptoken-add-yubikey: When --digits not provided use default value master: * e415da22f350fbda5b8b341bf2dc5f969cecb84a otptoken-add-yubikey: When --digits not provided use default value """ See the full comment at https://github.com/freeipa/freeipa/pull/785#issuecomment-301732673 From freeipa-github-notification at redhat.com Tue May 16 09:52:12 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 16 May 2017 11:52:12 +0200 Subject: [Freeipa-devel] [freeipa PR#785][+pushed] otptoken-add-yubikey: When --digits not provided use default value In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/785 Title: #785: otptoken-add-yubikey: When --digits not provided use default value Label: +pushed From freeipa-github-notification at redhat.com Tue May 16 09:52:15 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 16 May 2017 11:52:15 +0200 Subject: [Freeipa-devel] [freeipa PR#785][closed] otptoken-add-yubikey: When --digits not provided use default value In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/785 Author: dkupka Title: #785: otptoken-add-yubikey: When --digits not provided use default value Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/785/head:pr785 git checkout pr785 From freeipa-github-notification at redhat.com Tue May 16 09:54:12 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 16 May 2017 11:54:12 +0200 Subject: [Freeipa-devel] [freeipa PR#787][+pushed] ipasetup: fix dependencies handling based on python version In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/787 Title: #787: ipasetup: fix dependencies handling based on python version Label: +pushed From freeipa-github-notification at redhat.com Tue May 16 09:54:16 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 16 May 2017 11:54:16 +0200 Subject: [Freeipa-devel] [freeipa PR#787][comment] ipasetup: fix dependencies handling based on python version In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/787 Title: #787: ipasetup: fix dependencies handling based on python version MartinBasti commented: """ master: * bea7236b9c5a82db5d945a88103c0524a793a8a2 ipasetup: fix dependencies handling based on python version ipa-4-5: * c49e146a69a66cda894687f39f3d77ff3ad9c33b ipasetup: fix dependencies handling based on python version """ See the full comment at https://github.com/freeipa/freeipa/pull/787#issuecomment-301733213 From freeipa-github-notification at redhat.com Tue May 16 09:54:19 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 16 May 2017 11:54:19 +0200 Subject: [Freeipa-devel] [freeipa PR#787][closed] ipasetup: fix dependencies handling based on python version In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/787 Author: MartinBasti Title: #787: ipasetup: fix dependencies handling based on python version Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/787/head:pr787 git checkout pr787 From freeipa-github-notification at redhat.com Tue May 16 10:00:14 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Tue, 16 May 2017 12:00:14 +0200 Subject: [Freeipa-devel] [freeipa PR#789][+ack] [4.4] ipaclient: fix missing RPM ownership In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/789 Title: #789: [4.4] ipaclient: fix missing RPM ownership Label: +ack From freeipa-github-notification at redhat.com Tue May 16 10:05:23 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 16 May 2017 12:05:23 +0200 Subject: [Freeipa-devel] [freeipa PR#789][+pushed] [4.4] ipaclient: fix missing RPM ownership In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/789 Title: #789: [4.4] ipaclient: fix missing RPM ownership Label: +pushed From freeipa-github-notification at redhat.com Tue May 16 10:05:27 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 16 May 2017 12:05:27 +0200 Subject: [Freeipa-devel] [freeipa PR#789][comment] [4.4] ipaclient: fix missing RPM ownership In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/789 Title: #789: [4.4] ipaclient: fix missing RPM ownership MartinBasti commented: """ ipa-4-4: * 62cf83808d77ea456e608486c5a9bd28edb3350d ipaclient: fix missing RPM ownership """ See the full comment at https://github.com/freeipa/freeipa/pull/789#issuecomment-301735963 From freeipa-github-notification at redhat.com Tue May 16 10:05:30 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 16 May 2017 12:05:30 +0200 Subject: [Freeipa-devel] [freeipa PR#789][closed] [4.4] ipaclient: fix missing RPM ownership In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/789 Author: MartinBasti Title: #789: [4.4] ipaclient: fix missing RPM ownership Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/789/head:pr789 git checkout pr789 From freeipa-github-notification at redhat.com Tue May 16 11:02:48 2017 From: freeipa-github-notification at redhat.com (flo-renaud) Date: Tue, 16 May 2017 13:02:48 +0200 Subject: [Freeipa-devel] [freeipa PR#786][edited] ipa-server-install: fix uninstall In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/786 Author: flo-renaud Title: #786: ipa-server-install: fix uninstall Action: edited Changed field: body Original value: """ ipa-server-install --uninstall fails to stop tracking the certificates because it assigns a tuple to the variable nicknames, then tries to call nicknames.append(). This is a regression introduced by 92a08266. Assignment should be done using nicknames = list(self.tracking_reqs) instead. https://pagure.io/freeipa/issue/6950 """ From freeipa-github-notification at redhat.com Tue May 16 11:03:29 2017 From: freeipa-github-notification at redhat.com (flo-renaud) Date: Tue, 16 May 2017 13:03:29 +0200 Subject: [Freeipa-devel] [freeipa PR#786][synchronized] ipa-server-install: fix uninstall In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/786 Author: flo-renaud Title: #786: ipa-server-install: fix uninstall Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/786/head:pr786 git checkout pr786 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-786.patch Type: text/x-diff Size: 1175 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue May 16 11:16:39 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Tue, 16 May 2017 13:16:39 +0200 Subject: [Freeipa-devel] [freeipa PR#790][opened] RFC: API for reporting PKINIT status Message-ID: URL: https://github.com/freeipa/freeipa/pull/790 Author: martbab Title: #790: RFC: API for reporting PKINIT status Action: opened PR body: """ This PR implements easily-consumable API that reports PKINIT status on masters based on the presence of pkinitEnabled value in KDC entry's ipaConfigString attribute. https://pagure.io/freeipa/issue/6937 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/790/head:pr790 git checkout pr790 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-790.patch Type: text/x-diff Size: 27903 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue May 16 11:33:23 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Tue, 16 May 2017 13:33:23 +0200 Subject: [Freeipa-devel] [freeipa PR#786][+ack] ipa-server-install: fix uninstall In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/786 Title: #786: ipa-server-install: fix uninstall Label: +ack From freeipa-github-notification at redhat.com Tue May 16 11:40:59 2017 From: freeipa-github-notification at redhat.com (pvoborni) Date: Tue, 16 May 2017 13:40:59 +0200 Subject: [Freeipa-devel] [freeipa PR#764][comment] Basic uninstaller for the CA In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/764 Title: #764: Basic uninstaller for the CA pvoborni commented: """ We need to develop something like this, but right now it is not the best time for it. First we need to stabilize 4.5.1 (seems that's almost done). Then focus on testing - current test coverage + on pull request CI. When this is ready we can focus on python3 porting and existing PRs including this one. The reason is that I'm hesitant implementing this to not introduce other regressions because it touches more areas than it seems. For the parts above: - +1 for denying uninstall on successful install - there is actually a path from CA less to CA so we need to think about it as well """ See the full comment at https://github.com/freeipa/freeipa/pull/764#issuecomment-301756039 From freeipa-github-notification at redhat.com Tue May 16 11:41:08 2017 From: freeipa-github-notification at redhat.com (pvoborni) Date: Tue, 16 May 2017 13:41:08 +0200 Subject: [Freeipa-devel] [freeipa PR#764][+postponed] Basic uninstaller for the CA In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/764 Title: #764: Basic uninstaller for the CA Label: +postponed From freeipa-github-notification at redhat.com Tue May 16 11:44:38 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Tue, 16 May 2017 13:44:38 +0200 Subject: [Freeipa-devel] [freeipa PR#786][+pushed] ipa-server-install: fix uninstall In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/786 Title: #786: ipa-server-install: fix uninstall Label: +pushed From freeipa-github-notification at redhat.com Tue May 16 11:44:41 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Tue, 16 May 2017 13:44:41 +0200 Subject: [Freeipa-devel] [freeipa PR#786][comment] ipa-server-install: fix uninstall In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/786 Title: #786: ipa-server-install: fix uninstall HonzaCholasta commented: """ master: * d9ed2573fd5b4dcdc8ea865f16d81325707e0f9d ipa-server-install: fix uninstall ipa-4-5: * 752e167497eca87632261dec7bbb352cd0e599c8 ipa-server-install: fix uninstall """ See the full comment at https://github.com/freeipa/freeipa/pull/786#issuecomment-301756756 From freeipa-github-notification at redhat.com Tue May 16 11:44:46 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Tue, 16 May 2017 13:44:46 +0200 Subject: [Freeipa-devel] [freeipa PR#786][closed] ipa-server-install: fix uninstall In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/786 Author: flo-renaud Title: #786: ipa-server-install: fix uninstall Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/786/head:pr786 git checkout pr786 From mbasti at redhat.com Tue May 16 13:42:49 2017 From: mbasti at redhat.com (=?UTF-8?Q?Martin_Ba=c5=a1ti?=) Date: Tue, 16 May 2017 15:42:49 +0200 Subject: [Freeipa-devel] IMPORTANT: Migration of FreeIPA-devel list to lists.fedorahosted.org Message-ID: Dear FreeIPA-devel subscribers, due to various issues with the current mailing lists, the FreeIPA-devel list is being migrated to a new provider, lists.fedorahosted.org. Information about the new list: E-mail address: freeipa-devel at lists.fedorahosted.org Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel at lists.fedorahosted.org/ List-Id: Discussion of the development of FreeIPA All subscribers will be automatically subscribed to the new mailing list, please update your email filters in advance. The mass subscription will be done in 24 hours. This mailing list will be set to read-only mode in a week, please finish any current discussions here and please start new discussions on the new mailing list. Sorry for inconvenience, Your FreeIPA developers -- Martin Ba?ti Software Engineer Red Hat Czech