On 9.12.2015 16:39, Jan Cholasta wrote:
On 7.12.2015 08:14, Jan Cholasta wrote:
On 6.12.2015 21:32, Martin Basti wrote:


On 04.12.2015 16:58, Simo Sorce wrote:
On Fri, 2015-12-04 at 15:39 +0100, Jan Cholasta wrote:
On 4.12.2015 15:16, Jan Cholasta wrote:
On 4.12.2015 15:12, Jan Cholasta wrote:
On 4.12.2015 11:15, Petr Vobornik wrote:
On 12/03/2015 03:11 PM, Martin Basti wrote:

On 01.12.2015 12:19, Jan Cholasta wrote:
On 23.11.2015 15:47, Simo Sorce wrote:
On Mon, 2015-11-23 at 15:37 +0100, Jan Cholasta wrote:
An alternative is to add the host to ipaservers before the checks are done and remove it again if any of them fail.
Too error prone, I am ok with the current way in your patches
until/unless I can think of a fail safe way. :-)
Updated patches attached. Note that 520 should be applied between 509 and 510.



Functional ACK

Simo, do you want to review the ACIs or other things in the patches? Or can the patches be pushed?
There were no changes in the ACIs since last time.
Actually, memberPrincipal was removed from the "IPA server hosts can
manage own Custodia secrets" ACI, as per Simo's request.

Rebased patches attached.
Note that 520 should still be applied between 509 and 510.

LGTM

ACK

Thanks.

Pushed to master: 01ddf51df76f3298499973355c5461727e46ab5b

Martin Babinsky found out that ipaservers is not created early enough
when installing a replica of a 4.2 or older server which causes a crash.

The attached patch fixes that.

Actually I don't like how I fixed that, here's an updated patch.

Also, I noticed that replica promotion fails too late in domain level 0. Fixed as well.

--
Jan Cholasta
From 00db51a7a3c3b38fc8e2680bbb0304d74ebabcfa Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Wed, 9 Dec 2015 15:56:24 +0100
Subject: [PATCH] replica install: add ipaservers if it does not exist

This prevents crash when adding the host entry to ipaservers when
installing replica of a 4.2 or older server.

https://fedorahosted.org/freeipa/ticket/3416
---
 ipaserver/install/krbinstance.py | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index f928e50..cd803b0 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -41,6 +41,7 @@ from ipapython.dn import DN
 
 from ipaserver.install import replication
 from ipaserver.install import dsinstance
+from ipaserver.install import ldapupdate
 
 import pyasn1.codec.ber.decoder
 import struct
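
Review bot: only `ldapupdate` is imported here, but the code added in the next hunk also calls `os.path.join` and reads `paths.UPDATES_DIR`, and neither `os` nor `paths` appears in the import context shown. Confirm both are already imported in krbinstance.py, or add them in this hunk, since a NameError would only surface when this code path runs.
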
@@ -118,11 +119,9 @@ class KrbInstance(service.Service):
         self.admin_conn.add_entry(host_entry)
 
         # Add the host to the ipaserver host group
-        hostgroup_dn = DN(('cn', 'ipaservers'), ('cn', 'hostgroups'),
-                          ('cn', 'accounts'), self.suffix)
-        hostgroup_entry = self.admin_conn.get_entry(hostgroup_dn, ['member'])
-        hostgroup_entry.setdefault('member', []).append(host_dn)
-        self.admin_conn.update_entry(hostgroup_entry)
+        ld = ldapupdate.LDAPUpdate(ldapi=True)
+        ld.update([os.path.join(paths.UPDATES_DIR,
+                                '20-ipaservers_hostgroup.update')])
 
     def __common_setup(self, realm_name, host_name, domain_name, admin_password):
         self.fqdn = host_name
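
Review bot: the replacement for the removed `get_entry`/`update_entry` block no longer references `host_dn`, so whether this host ends up as a `member` of ipaservers now depends entirely on the contents of `20-ipaservers_hostgroup.update`, which is not part of this patch. The comment above still reads "Add the host to the ipaserver host group"; it should state what the update file is expected to do (create the group when it is missing and add the host). The result of `ld.update(...)` is also discarded; consider checking or logging it, because ipaservers membership is what the authorization check in replica promotion looks up.
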
-- 
2.4.3

From cba6aa7404fb9475f34d189f7ed97ca63c7a2c0e Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Thu, 10 Dec 2015 07:23:18 +0100
Subject: [PATCH] replica promotion: check domain level before ipaservers
 membership

Check domain level before checking ipaservers membership to prevent
"not found" error when attempting replica promotion in domain level 0.

https://fedorahosted.org/freeipa/ticket/5401
---
 ipaserver/install/server/replicainstall.py | 28 ++++++++++++++--------------
 1 file changed, 14 insertions(+), 14 deletions(-)

diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index a42ed7e..d10dfd3 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -973,6 +973,20 @@ def promote_check(installer):
         replman = ReplicationManager(config.realm_name,
                                      config.master_host_name, None)
 
+        # Detect the current domain level
+        try:
+            current = remote_api.Command['domainlevel_get']()['result']
+        except errors.NotFound:
+            # If we're joining an older master, domain entry is not
+            # available
+            current = constants.DOMAIN_LEVEL_0
+
+        if current == constants.DOMAIN_LEVEL_0:
+            raise RuntimeError(
+                "You must provide a file generated by ipa-replica-prepare to "
+                "create a replica when the domain is at level 0."
+            )
+
         # Check authorization
         result = remote_api.Command['hostgroup_find'](
             cn=u'ipaservers',
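
Review bot: the moved block carries no comment explaining why it must now come before `# Check authorization`. Add one line saying that the `hostgroup_find` lookup for ipaservers below must not run at domain level 0, so a later refactor does not move the check back. Note also that `except errors.NotFound` maps any NotFound from `domainlevel_get` to `DOMAIN_LEVEL_0`, which then raises immediately; if that is intended for older masters only, say so in the comment.
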
@@ -1027,20 +1041,6 @@ def promote_check(installer):
                   config.host_name)
             sys.exit(3)
 
-        # Detect the current domain level
-        try:
-            current = remote_api.Command['domainlevel_get']()['result']
-        except errors.NotFound:
-            # If we're joining an older master, domain entry is not
-            # available
-            current = constants.DOMAIN_LEVEL_0
-
-        if current == constants.DOMAIN_LEVEL_0:
-            raise RuntimeError(
-                "You must provide a file generated by ipa-replica-prepare to "
-                "create a replica when the domain is at level 0."
-            )
-
         # Detect if current level is out of supported range
         # for this IPA version
         under_lower_bound = current < constants.MIN_DOMAIN_LEVEL
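
Review bot: the context kept above the removed block ends the authorization failure with `sys.exit(3)`, while the level-0 check that was moved earlier raises `RuntimeError`. Pick one failure style within `promote_check` so that both refusals are reported to the user in the same way.
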
-- 
2.4.3
