[Freeipa-devel] [freeipa PR#792][comment] named.conf template: add modification warning
URL: https://github.com/freeipa/freeipa/pull/792 Title: #792: named.conf template: add modification warning stlaz commented: """ The IdM documentation does not list allowed operations on the file, only a note of what the file is most commonly used for. """ See the full comment at https://github.com/freeipa/freeipa/pull/792#issuecomment-30330 ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#804][comment] krb5: make sure KDC certificate is readable
URL: https://github.com/freeipa/freeipa/pull/804 Title: #804: krb5: make sure KDC certificate is readable abbra commented: """ I removed chmod call now. Sorry for not noticing it yesterday. ;) """ See the full comment at https://github.com/freeipa/freeipa/pull/804#issuecomment-303303949 ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#804][synchronized] krb5: make sure KDC certificate is readable
URL: https://github.com/freeipa/freeipa/pull/804 Author: abbra Title: #804: krb5: make sure KDC certificate is readable Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/804/head:pr804 git checkout pr804 From d23d3eeade2cf436beb96f4d61a34655374c9e04 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Mon, 22 May 2017 22:36:18 +0300 Subject: [PATCH] krb5: make sure KDC certificate is readable When requesting certificate for KDC profile, make sure its public part is actually readable to others. Fixes https://pagure.io/freeipa/issue/6973 --- install/restart_scripts/renew_kdc_cert | 2 -- ipalib/install/certmonger.py | 12 +--- ipaserver/install/krbinstance.py | 3 ++- 3 files changed, 11 insertions(+), 6 deletions(-) diff --git a/install/restart_scripts/renew_kdc_cert b/install/restart_scripts/renew_kdc_cert index 9247920874..559ae26555 100755 --- a/install/restart_scripts/renew_kdc_cert +++ b/install/restart_scripts/renew_kdc_cert @@ -14,8 +14,6 @@ from ipaserver.install import certs def main(): with certs.renewal_lock: -os.chmod(paths.KDC_CERT, 0o644) - try: if services.knownservices.krb5kdc.is_running(): syslog.syslog(syslog.LOG_NOTICE, 'restarting krb5kdc') diff --git a/ipalib/install/certmonger.py b/ipalib/install/certmonger.py index 5709853ffe..ad031a738f 100644 --- a/ipalib/install/certmonger.py +++ b/ipalib/install/certmonger.py @@ -302,7 +302,7 @@ def add_subject(request_id, subject): def request_and_wait_for_cert( certpath, subject, principal, nickname=None, passwd_fname=None, dns=None, ca='IPA', profile=None, -pre_command=None, post_command=None, storage='NSSDB'): +pre_command=None, post_command=None, storage='NSSDB', perms=None): """ Execute certmonger to request a server certificate. 
@@ -310,7 +310,7 @@ def request_and_wait_for_cert( """ reqId = request_cert(certpath, subject, principal, nickname, passwd_fname, dns, ca, profile, - pre_command, post_command, storage) + pre_command, post_command, storage, perms) state = wait_for_request(reqId, api.env.startup_timeout) ca_error = get_request_value(reqId, 'ca-error') if state != 'MONITORING' or ca_error: @@ -321,12 +321,14 @@ def request_and_wait_for_cert( def request_cert( certpath, subject, principal, nickname=None, passwd_fname=None, dns=None, ca='IPA', profile=None, -pre_command=None, post_command=None, storage='NSSDB'): +pre_command=None, post_command=None, storage='NSSDB', perms=None): """ Execute certmonger to request a server certificate. ``dns`` A sequence of DNS names to appear in SAN request extension. +``perms`` +A tuple of (cert, key) permissions in e.g., (0644,0660) """ if storage == 'FILE': certfile, keyfile = certpath @@ -367,6 +369,10 @@ def request_cert( post_command = certmonger_cmd_template % (post_command) request_parameters['cert-postsave-command'] = post_command +if perms: +request_parameters['key-perms'] = perms[0] +request_parameters['cert-perms'] = perms[1] + result = cm.obj_if.add_request(request_parameters) try: if result[0]: diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py index 1692e0b2ba..a1053d55cc 100644 --- a/ipaserver/install/krbinstance.py +++ b/ipaserver/install/krbinstance.py @@ -432,7 +432,8 @@ def _call_certmonger(self, certmonger_ca='IPA'): dns=self.fqdn, storage='FILE', profile=KDC_PROFILE, -post_command='renew_kdc_cert') +post_command='renew_kdc_cert', +perms=(0o644, 0o600)) except dbus.DBusException as e: # if the certificate is already tracked, ignore the error name = e.get_dbus_name() ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
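Review bot: The `perms` tuple is unpacked in the opposite order from how it is documented and used: the docstring says `(cert, key)` and krbinstance.py passes `perms=(0o644, 0o600)`, yet the new lines set `request_parameters['key-perms'] = perms[0]` and `request_parameters['cert-perms'] = perms[1]`, so as written the KDC private key would be tracked with mode 0644 (world-readable) and the certificate with 0600 — the inverse of what the PR intends and an exposure of the PKINIT key to every local user. Swap the indices, `request_parameters['cert-perms'] = perms[0]` / `request_parameters['key-perms'] = perms[1]`, or make the order self-evident with `cert_perms, key_perms = perms`. This assumes certmonger honours the `cert-perms`/`key-perms` request properties as file modes, which cannot be confirmed from the diff; worth checking the resulting file modes after a fresh install and after a renewal now that the chmod in `renew_kdc_cert` is gone. `request_cert` continues outside the hunk.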
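Review bot: The example in the new `perms` docstring, `(0644,0660)`, is Python 2 octal syntax that is a SyntaxError if copied into Python 3 code, and its key mode 0660 disagrees with the only caller in this PR, which passes `(0o644, 0o600)`. Rewrite it as `A tuple of (cert, key) file modes, e.g. (0o644, 0o600).` and, since the properties appear to be added to the request regardless of `storage`, state that they only have meaning when `storage='FILE'` and `certpath` names the cert and key files.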
[Freeipa-devel] [freeipa PR#623][comment] client install: do not assume /etc/krb5.conf.d exists
URL: https://github.com/freeipa/freeipa/pull/623 Title: #623: client install: do not assume /etc/krb5.conf.d exists HonzaCholasta commented: """ @frozencemetery, this is *not* for the sake of Debian. We will still have to worry about this for operating systems which are not Fedora- or Debian-based. """ See the full comment at https://github.com/freeipa/freeipa/pull/623#issuecomment-303298156 ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#804][comment] krb5: make sure KDC certificate is readable
URL: https://github.com/freeipa/freeipa/pull/804 Title: #804: krb5: make sure KDC certificate is readable HonzaCholasta commented: """ I have already "solved" this by changing the permissions of the cert file in the `renew_kdc_cert` restart script. Your solution is definitely better, please remove the chmod call from `renew_kdc_cert`. """ See the full comment at https://github.com/freeipa/freeipa/pull/804#issuecomment-303295791 ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#804][comment] krb5: make sure KDC certificate is readable
URL: https://github.com/freeipa/freeipa/pull/804 Title: #804: krb5: make sure KDC certificate is readable HonzaCholasta commented: """ I have already "solved" this by changing the permissions of the cert file in the `renew_kdc_cert`. Your solution is definitely better, please remove the chmod call from `renew_kdc_cert`. """ See the full comment at https://github.com/freeipa/freeipa/pull/804#issuecomment-303295791 ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#804][-ack] krb5: make sure KDC certificate is readable
URL: https://github.com/freeipa/freeipa/pull/804 Title: #804: krb5: make sure KDC certificate is readable Label: -ack ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#805][+ack] Fix rare race condition with missing ccache file
URL: https://github.com/freeipa/freeipa/pull/805 Title: #805: Fix rare race condition with missing ccache file Label: +ack ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#805][comment] Fix rare race condition with missing ccache file
URL: https://github.com/freeipa/freeipa/pull/805 Title: #805: Fix rare race condition with missing ccache file abbra commented: """ LGTM """ See the full comment at https://github.com/freeipa/freeipa/pull/805#issuecomment-303289438 ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#805][opened] Fix rare race condition with missing ccache file
URL: https://github.com/freeipa/freeipa/pull/805 Author: simo5 Title: #805: Fix rare race condition with missing ccache file Action: opened PR body: """ In some circumstances the ccache file may disappear while mod_auth_gssapi still has a valid cookie and the client is performing a json server call. This may lead to credentials getting sourced from the keytab. Make sure we enforce what GSS NAME we want to resolve so HTTP creds are never mistakenly sourced. Ticket: #6972 Signed-off-by: Simo Sorce """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/805/head:pr805 git checkout pr805 From 4c92d47012bf6a24b2e0fb64e1c2374463bc79a6 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Mon, 22 May 2017 10:56:41 -0400 Subject: [PATCH] Fix rare race condition with missing ccache file In some circumstances the ccache file may disappear while mod_auth_gssapi still has a valid cookie and the client is performing a json server call. This may lead to credentials getting sourced from the keytab. Make sure we enforce what GSS NAME we want to resolve so HTTP creds are never mistakenly sourced. Ticket: #6972 Signed-off-by: Simo Sorce --- ipaserver/rpcserver.py | 11 ++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py index 4cde2815a0..89f8e9d286 100644 --- a/ipaserver/rpcserver.py +++ b/ipaserver/rpcserver.py 
@@ -777,8 +777,17 @@ def __call__(self, environ, start_response): self.debug('no ccache, need login') return self.need_login(start_response) +# If we have a ccache, make sure we have a GSS_NAME and use +# it to resolve the ccache name (Issue: ) +principal = environ.get('GSS_NAME') +if principal is None: +self.debug('no GSS Name, need login') +return self.need_login(start_response) +gss_name = gssapi.Name(principal, gssapi.NameType.kerberos_principal) + # Redirect to login if Kerberos credentials are expired -creds = get_credentials_if_valid(ccache_name=ccache_name) +creds = get_credentials_if_valid(name=gss_name, + ccache_name=ccache_name) if not creds: self.debug('ccache expired, deleting session, need login') # The request is finished with the ccache, destroy it. ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
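Review bot: The new comment `# it to resolve the ccache name (Issue: )` has an empty issue reference; fill it in from the commit message, `# it to resolve the ccache name (Issue: https://pagure.io/freeipa/issue/6972)`, since the reason for pinning the name — a vanished ccache must not let GSSAPI fall back to the HTTP keytab — is exactly what a later reader needs. `gssapi.Name(principal, gssapi.NameType.kerberos_principal)` is constructed with no exception guard; GSS_NAME is set by mod_auth_gssapi rather than taken from a client header, so a malformed value is unlikely, but if name import raises a `gssapi.exceptions.GSSError` it would surface as a server error instead of the `need_login` redirect the surrounding branches return, so consider handling it the same way. The diff touches only rpcserver.py, so `get_credentials_if_valid` presumably already accepts `name=`. `__call__` starts and continues outside the hunk.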
[Freeipa-devel] [freeipa PR#804][+ack] krb5: make sure KDC certificate is readable
URL: https://github.com/freeipa/freeipa/pull/804 Title: #804: krb5: make sure KDC certificate is readable Label: +ack ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#804][synchronized] krb5: make sure KDC certificate is readable
URL: https://github.com/freeipa/freeipa/pull/804 Author: abbra Title: #804: krb5: make sure KDC certificate is readable Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/804/head:pr804 git checkout pr804 From 674b9440b72f950c2512c891a01c26892a7eb23a Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Mon, 22 May 2017 22:36:18 +0300 Subject: [PATCH] krb5: make sure KDC certificate is readable When requesting certificate for KDC profile, make sure its public part is actually readable to others. Fixes https://pagure.io/freeipa/issue/6973 --- ipalib/install/certmonger.py | 12 +--- ipaserver/install/krbinstance.py | 3 ++- 2 files changed, 11 insertions(+), 4 deletions(-) diff --git a/ipalib/install/certmonger.py b/ipalib/install/certmonger.py index 5709853ffe..ad031a738f 100644 --- a/ipalib/install/certmonger.py +++ b/ipalib/install/certmonger.py @@ -302,7 +302,7 @@ def add_subject(request_id, subject): def request_and_wait_for_cert( certpath, subject, principal, nickname=None, passwd_fname=None, dns=None, ca='IPA', profile=None, -pre_command=None, post_command=None, storage='NSSDB'): +pre_command=None, post_command=None, storage='NSSDB', perms=None): """ Execute certmonger to request a server certificate. @@ -310,7 +310,7 @@ def request_and_wait_for_cert( """ reqId = request_cert(certpath, subject, principal, nickname, passwd_fname, dns, ca, profile, - pre_command, post_command, storage) + pre_command, post_command, storage, perms) state = wait_for_request(reqId, api.env.startup_timeout) ca_error = get_request_value(reqId, 'ca-error') if state != 'MONITORING' or ca_error: 
@@ -321,12 +321,14 @@ def request_and_wait_for_cert( def request_cert( certpath, subject, principal, nickname=None, passwd_fname=None, dns=None, ca='IPA', profile=None, -pre_command=None, post_command=None, storage='NSSDB'): +pre_command=None, post_command=None, storage='NSSDB', perms=None): """ Execute certmonger to request a server certificate. ``dns`` A sequence of DNS names to appear in SAN request extension. +``perms`` +A tuple of (cert, key) permissions in e.g., (0644,0660) """ if storage == 'FILE': certfile, keyfile = certpath @@ -367,6 +369,10 @@ def request_cert( post_command = certmonger_cmd_template % (post_command) request_parameters['cert-postsave-command'] = post_command +if perms: +request_parameters['key-perms'] = perms[0] +request_parameters['cert-perms'] = perms[1] + result = cm.obj_if.add_request(request_parameters) try: if result[0]: diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py index 1692e0b2ba..a1053d55cc 100644 --- a/ipaserver/install/krbinstance.py +++ b/ipaserver/install/krbinstance.py @@ -432,7 +432,8 @@ def _call_certmonger(self, certmonger_ca='IPA'): dns=self.fqdn, storage='FILE', profile=KDC_PROFILE, -post_command='renew_kdc_cert') +post_command='renew_kdc_cert', +perms=(0o644, 0o600)) except dbus.DBusException as e: # if the certificate is already tracked, ignore the error name = e.get_dbus_name() ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#804][synchronized] krb5: make sure KDC certificate is readable
URL: https://github.com/freeipa/freeipa/pull/804 Author: abbra Title: #804: krb5: make sure KDC certificate is readable Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/804/head:pr804 git checkout pr804 From 1eb6639ad94cfa674bf59b893929fdf902344733 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Mon, 22 May 2017 22:36:18 +0300 Subject: [PATCH] krb5: make sure KDC certificate is readable When requesting certificate for KDC profile, make sure its public part is actually readable to others. Fixes https://pagure.io/freeipa/issue/6973 --- ipalib/install/certmonger.py | 12 +--- ipaserver/install/krbinstance.py | 3 ++- 2 files changed, 11 insertions(+), 4 deletions(-) diff --git a/ipalib/install/certmonger.py b/ipalib/install/certmonger.py index 5709853ffe..ad031a738f 100644 --- a/ipalib/install/certmonger.py +++ b/ipalib/install/certmonger.py @@ -302,7 +302,7 @@ def add_subject(request_id, subject): def request_and_wait_for_cert( certpath, subject, principal, nickname=None, passwd_fname=None, dns=None, ca='IPA', profile=None, -pre_command=None, post_command=None, storage='NSSDB'): +pre_command=None, post_command=None, storage='NSSDB', perms=None): """ Execute certmonger to request a server certificate. @@ -310,7 +310,7 @@ def request_and_wait_for_cert( """ reqId = request_cert(certpath, subject, principal, nickname, passwd_fname, dns, ca, profile, - pre_command, post_command, storage) + pre_command, post_command, storage, perms) state = wait_for_request(reqId, api.env.startup_timeout) ca_error = get_request_value(reqId, 'ca-error') if state != 'MONITORING' or ca_error: 
@@ -321,12 +321,14 @@ def request_and_wait_for_cert( def request_cert( certpath, subject, principal, nickname=None, passwd_fname=None, dns=None, ca='IPA', profile=None, -pre_command=None, post_command=None, storage='NSSDB'): +pre_command=None, post_command=None, storage='NSSDB', perms=None): """ Execute certmonger to request a server certificate. ``dns`` A sequence of DNS names to appear in SAN request extension. +``perms`` +A tuple of (cert, key) permissions in e.g., (0644,0660) """ if storage == 'FILE': certfile, keyfile = certpath @@ -367,6 +369,10 @@ def request_cert( post_command = certmonger_cmd_template % (post_command) request_parameters['cert-postsave-command'] = post_command +if perms: +request_parameters['key-perms'] = perms[0] +request_parameters['cert-perms'] = perms[1] + result = cm.obj_if.add_request(request_parameters) try: if result[0]: diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py index 1692e0b2ba..8f734d5709 100644 --- a/ipaserver/install/krbinstance.py +++ b/ipaserver/install/krbinstance.py @@ -432,7 +432,8 @@ def _call_certmonger(self, certmonger_ca='IPA'): dns=self.fqdn, storage='FILE', profile=KDC_PROFILE, -post_command='renew_kdc_cert') +post_command='renew_kdc_cert', +perms=(0644, 0600)) except dbus.DBusException as e: # if the certificate is already tracked, ignore the error name = e.get_dbus_name() ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#804][synchronized] krb5: make sure KDC certificate is readable
URL: https://github.com/freeipa/freeipa/pull/804 Author: abbra Title: #804: krb5: make sure KDC certificate is readable Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/804/head:pr804 git checkout pr804 From fa696f4419441a5851ffed8327847aaa848576a1 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Mon, 22 May 2017 22:36:18 +0300 Subject: [PATCH] krb5: make sure KDC certificate is readable When requesting certificate for KDC profile, make sure its public part is actually readable to others. Fixes https://pagure.io/freeipa/issue/6973 --- ipalib/install/certmonger.py | 12 +--- ipaserver/install/krbinstance.py | 3 ++- 2 files changed, 11 insertions(+), 4 deletions(-) diff --git a/ipalib/install/certmonger.py b/ipalib/install/certmonger.py index 5709853ffe..ad031a738f 100644 --- a/ipalib/install/certmonger.py +++ b/ipalib/install/certmonger.py @@ -302,7 +302,7 @@ def add_subject(request_id, subject): def request_and_wait_for_cert( certpath, subject, principal, nickname=None, passwd_fname=None, dns=None, ca='IPA', profile=None, -pre_command=None, post_command=None, storage='NSSDB'): +pre_command=None, post_command=None, storage='NSSDB', perms=None): """ Execute certmonger to request a server certificate. @@ -310,7 +310,7 @@ def request_and_wait_for_cert( """ reqId = request_cert(certpath, subject, principal, nickname, passwd_fname, dns, ca, profile, - pre_command, post_command, storage) + pre_command, post_command, storage, perms) state = wait_for_request(reqId, api.env.startup_timeout) ca_error = get_request_value(reqId, 'ca-error') if state != 'MONITORING' or ca_error: 
@@ -321,12 +321,14 @@ def request_and_wait_for_cert( def request_cert( certpath, subject, principal, nickname=None, passwd_fname=None, dns=None, ca='IPA', profile=None, -pre_command=None, post_command=None, storage='NSSDB'): +pre_command=None, post_command=None, storage='NSSDB', perms=None): """ Execute certmonger to request a server certificate. ``dns`` A sequence of DNS names to appear in SAN request extension. +``perms`` +A tuple of (cert, key) permissions in e.g., (0644,0660) """ if storage == 'FILE': certfile, keyfile = certpath @@ -367,6 +369,10 @@ def request_cert( post_command = certmonger_cmd_template % (post_command) request_parameters['cert-postsave-command'] = post_command +if perms: +request_parameters['key-perms'] = perms[0] +request_parameters['cert-perms'] = perms[1] + result = cm.obj_if.add_request(request_parameters) try: if result[0]: diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py index 1692e0b2ba..35fc72f7ac 100644 --- a/ipaserver/install/krbinstance.py +++ b/ipaserver/install/krbinstance.py @@ -432,7 +432,8 @@ def _call_certmonger(self, certmonger_ca='IPA'): dns=self.fqdn, storage='FILE', profile=KDC_PROFILE, -post_command='renew_kdc_cert') +post_command='renew_kdc_cert', +perms=(0644,0600)) except dbus.DBusException as e: # if the certificate is already tracked, ignore the error name = e.get_dbus_name() ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#804][opened] krb5: make sure KDC certificate is readable
URL: https://github.com/freeipa/freeipa/pull/804 Author: abbra Title: #804: krb5: make sure KDC certificate is readable Action: opened PR body: """ When requesting certificate for KDC profile, make sure its public part is actually readable to others. Fixes https://pagure.io/freeipa/issue/6973 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/804/head:pr804 git checkout pr804 From 7582ef230e5e0514f75f871ce93d2e9566cd756c Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Mon, 22 May 2017 22:36:18 +0300 Subject: [PATCH] krb5: make sure KDC certificate is readable When requesting certificate for KDC profile, make sure its public part is actually readable to others. Fixes https://pagure.io/freeipa/issue/6973 --- ipalib/install/certmonger.py | 12 +--- ipaserver/install/krbinstance.py | 3 ++- 2 files changed, 11 insertions(+), 4 deletions(-) diff --git a/ipalib/install/certmonger.py b/ipalib/install/certmonger.py index 5709853ffe..ad031a738f 100644 --- a/ipalib/install/certmonger.py +++ b/ipalib/install/certmonger.py @@ -302,7 +302,7 @@ def add_subject(request_id, subject): def request_and_wait_for_cert( certpath, subject, principal, nickname=None, passwd_fname=None, dns=None, ca='IPA', profile=None, -pre_command=None, post_command=None, storage='NSSDB'): +pre_command=None, post_command=None, storage='NSSDB', perms=None): """ Execute certmonger to request a server certificate. @@ -310,7 +310,7 @@ def request_and_wait_for_cert( """ reqId = request_cert(certpath, subject, principal, nickname, passwd_fname, dns, ca, profile, - pre_command, post_command, storage) + pre_command, post_command, storage, perms) state = wait_for_request(reqId, api.env.startup_timeout) ca_error = get_request_value(reqId, 'ca-error') if state != 'MONITORING' or ca_error: 
@@ -321,12 +321,14 @@ def request_and_wait_for_cert( def request_cert( certpath, subject, principal, nickname=None, passwd_fname=None, dns=None, ca='IPA', profile=None, -pre_command=None, post_command=None, storage='NSSDB'): +pre_command=None, post_command=None, storage='NSSDB', perms=None): """ Execute certmonger to request a server certificate. ``dns`` A sequence of DNS names to appear in SAN request extension. +``perms`` +A tuple of (cert, key) permissions in e.g., (0644,0660) """ if storage == 'FILE': certfile, keyfile = certpath @@ -367,6 +369,10 @@ def request_cert( post_command = certmonger_cmd_template % (post_command) request_parameters['cert-postsave-command'] = post_command +if perms: +request_parameters['key-perms'] = perms[0] +request_parameters['cert-perms'] = perms[1] + result = cm.obj_if.add_request(request_parameters) try: if result[0]: diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py index 2f14ff5920..b8d3aae38c 100644 --- a/ipaserver/install/krbinstance.py +++ b/ipaserver/install/krbinstance.py @@ -428,7 +428,8 @@ def _call_certmonger(self, certmonger_ca='IPA'): ca=certmonger_ca, dns=self.fqdn, storage='FILE', -profile=KDC_PROFILE) +profile=KDC_PROFILE, +perms=(0644,0600)) except dbus.DBusException as e: # if the certificate is already tracked, ignore the error name = e.get_dbus_name() ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#803][opened] ipatests: add systemd journal collection for multihost tests
URL: https://github.com/freeipa/freeipa/pull/803 Author: tomaskrizek Title: #803: ipatests: add systemd journal collection for multihost tests Action: opened PR body: """ Some messages are only logged in journal. Collection of journal makes debugging failed tests from logs easier. Fixes: https://pagure.io/freeipa/issue/6971 Signed-off-by: Tomas Krizek """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/803/head:pr803 git checkout pr803 From 477fa691bf8f297102953d1c6eb324c256f92881 Mon Sep 17 00:00:00 2001 From: Tomas Krizek Date: Mon, 22 May 2017 18:27:44 +0200 Subject: [PATCH 1/2] ipatests: change logdir naming pattern for multihost tests Remove brackets from the paths in naming pattern of directories for multihost logs. Brackets in filenames require special handling in markdown URLs, bash paths etc. Related: https://pagure.io/freeipa/issue/6971 Signed-off-by: Tomas Krizek --- ipatests/pytest_plugins/integration/__init__.py | 11 ++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/ipatests/pytest_plugins/integration/__init__.py b/ipatests/pytest_plugins/integration/__init__.py index 8fb10422e5..86a335605a 100644 --- a/ipatests/pytest_plugins/integration/__init__.py +++ b/ipatests/pytest_plugins/integration/__init__.py @@ -24,6 +24,7 @@ import os import tempfile import shutil +import re import pytest from pytest_multihost import make_multihost_fixture @@ -45,6 +46,14 @@ def pytest_addoption(parser): help="Directory to store integration test logs in.") +def _get_logname_from_node(node): +name = node.nodeid +name = re.sub('\(\)/', '', name) # remove ()/ +name = re.sub('[()]', '', name) # and standalone brackets +name = re.sub('(/|::)', '-', name) +return name + + def collect_test_logs(node, logs_dict, test_config): """Collect logs from a test 
@@ -55,7 +64,7 @@ def collect_test_logs(node, logs_dict, test_config): :param test_config: Pytest configuration """ collect_logs( -name=node.nodeid.replace('/', '-').replace('::', '-'), +name=_get_logname_from_node(node), logs_dict=logs_dict, logfile_dir=test_config.getoption('logfile_dir'), beakerlib_plugin=test_config.pluginmanager.getplugin('BeakerLibPlugin'), From eeeb9e12f10482abf6c880f9f0d0bb5dbb1b8248 Mon Sep 17 00:00:00 2001 From: Tomas Krizek Date: Mon, 22 May 2017 18:33:49 +0200 Subject: [PATCH 2/2] ipatests: add systemd journal collection for multihost tests Some messages are only logged in journal. Collection of journal makes debugging failed tests from logs easier. Fixes: https://pagure.io/freeipa/issue/6971 Signed-off-by: Tomas Krizek --- ipatests/pytest_plugins/integration/__init__.py | 32 + ipatests/test_integration/test_testconfig.py| 1 + 2 files changed, 33 insertions(+) diff --git a/ipatests/pytest_plugins/integration/__init__.py b/ipatests/pytest_plugins/integration/__init__.py index 86a335605a..0105513627 100644 --- a/ipatests/pytest_plugins/integration/__init__.py +++ b/ipatests/pytest_plugins/integration/__init__.py 
@@ -71,6 +71,36 @@ def collect_test_logs(node, logs_dict, test_config): ) +def collect_systemd_journal(node, hosts, test_config): +"""Collect systemd journal from remote hosts + +:param node: The pytest collection node (request.node) +:param hosts: List of hosts from which to collect journal +:param test_config: Pytest configuration +""" +name = _get_logname_from_node(node) +logfile_dir = test_config.getoption('logfile_dir') + +for host in hosts: +log.info("Collecting journal from: %s", host.hostname) + +topdirname = os.path.join(logfile_dir, name, host.hostname) +if not os.path.exists(topdirname): +os.makedirs(topdirname) + +# Get journal content +cmd = host.run_command( +['journalctl', '--since', '-1h'], +log_stdout=False, raiseonerr=False) +if cmd.returncode: +log.error('An error occurred while collecting journal') +continue + +# Write journal to file +with open(os.path.join(topdirname, "journal"), 'w') as f: +f.write(cmd.stdout_text) + + def collect_logs(name, logs_dict, logfile_dir=None, beakerlib_plugin=None): """Collect logs from remote hosts @@ -157,7 +187,9 @@ def integration_logs(class_integration_logs, request): """Provides access to test integration logs, and collects after each test """ yield class_integration_logs +hosts = class_integration_logs.keys() collect_test_logs(request.node, class_integration_logs, request.config) +collect_systemd_journal(request.node, hosts, request.config) @pytest.yield_fixture(scope='class') diff --git a/ipatests/test_integration/test_testconfig.py b/ipatests/test_integration/test_testconfig.py index c66be8c33d..6ded5f7702
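Review bot: `collect_systemd_journal` passes `test_config.getoption('logfile_dir')` straight into `os.path.join`, and no default for that option is visible in the diff, so a run without `--logfile-dir` would presumably raise `TypeError` from `os.path.join(None, ...)` during fixture teardown — the existing `collect_logs` takes `logfile_dir=None`, which suggests the unset case is expected; add `if logfile_dir is None: return` before the loop (and document that in the docstring). The journal file is opened with `open(..., 'w')` and the platform default encoding while `cmd.stdout_text` is decoded text, so non-ASCII journal output would fail under a C locale; pass `encoding='utf-8'`. The function is fully inside the hunk.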
[Freeipa-devel] [freeipa PR#792][comment] named.conf template: add modification warning
URL: https://github.com/freeipa/freeipa/pull/792 Title: #792: named.conf template: add modification warning tomaskrizek commented: """ - fixed the broken comment - mentioned any changes should be documented in FreeIPA or Red Hat IdM documentation I don't think going into more detail is necessary. """ See the full comment at https://github.com/freeipa/freeipa/pull/792#issuecomment-303156828 ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#792][synchronized] named.conf template: add modification warning
URL: https://github.com/freeipa/freeipa/pull/792 Author: tomaskrizek Title: #792: named.conf template: add modification warning Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/792/head:pr792 git checkout pr792 From 6de24603adc38224d20b361351ec007bbe0cef26 Mon Sep 17 00:00:00 2001 From: Tomas Krizek Date: Tue, 16 May 2017 15:04:41 +0200 Subject: [PATCH] named.conf template: add modification warning Warn the user some modifications may break IPA setup or upgrade. All changes the user makes should be explicitly supported and mentioned in the documentation. Undocumented and unsupported changes, such as renaming dyndb part from "ipa" will break IPA. Signed-off-by: Tomas Krizek --- install/share/bind.named.conf.template | 6 ++ 1 file changed, 6 insertions(+) diff --git a/install/share/bind.named.conf.template b/install/share/bind.named.conf.template index b7c3a0b78e..b3a454a61d 100644 --- a/install/share/bind.named.conf.template +++ b/install/share/bind.named.conf.template @@ -43,6 +43,11 @@ zone "." IN { include "$RFC1912_ZONES"; include "$ROOT_KEY"; +/* WARNING: This part of the config file is IPA-managed. + * Before making any modifications, please make sure they are supported by + * consulting the FreeIPA or Red Hat IdM documentation. + * Unsupported modifications may break IPA setup or upgrades. + */ dyndb "ipa" "$BIND_LDAP_SO" { uri "ldapi://%2fvar%2frun%2fslapd-$SERVER_ID.socket"; base "cn=dns, $SUFFIX"; @@ -51,3 +56,4 @@ dyndb "ipa" "$BIND_LDAP_SO" { sasl_mech "GSSAPI"; sasl_user "DNS/$FQDN"; }; +/* End of IPA-managed part. */ ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#760][comment] [4.4] Run ipa-custodia under Python 2
URL: https://github.com/freeipa/freeipa/pull/760 Title: #760: [4.4] Run ipa-custodia under Python 2 lslebodn commented: """ @tiran Do you plan to release custodia-0.2 in fedora 25? Because this patch broke building of ipa-4.4 on fedora 25. If you do not plan to upgrade custodia in f25 then this patch should be (partially) reverted """ See the full comment at https://github.com/freeipa/freeipa/pull/760#issuecomment-303130820 ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#802][opened] Improve cert messages some more + do that for KDC certs as well
URL: https://github.com/freeipa/freeipa/pull/802 Author: stlaz Title: #802: Improve cert messages some more + do that for KDC certs as well Action: opened PR body: """ Some of the previous error message handling would not work in a locale different from English so we just output the error message we get from `certutil`. Also, since this was previously done, there is now kdc cert validation that is different from the others so make the error messages more verbose there. OpenSSL prints quite verbose messages so you may want to grab only a part of it, let me know what your opinion is. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/802/head:pr802 git checkout pr802 From ce3c7b090868ad5ade9852af1b64a90bef3aafd2 Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka Date: Mon, 22 May 2017 14:36:43 +0200 Subject: [PATCH 1/2] cert-validate: keep all messages in cert validation Previous attempt to improve error messages during certificate validation would only work in English locale so we're keeping the NSS messages for all cases. TODO: fix CA-less tests https://pagure.io/freeipa/issue/6945 --- ipapython/certdb.py | 6 -- 1 file changed, 6 deletions(-) diff --git a/ipapython/certdb.py b/ipapython/certdb.py index fa6995d3d7..ee0e837469 100644 --- a/ipapython/certdb.py +++ b/ipapython/certdb.py @@ -55,8 +55,6 @@ NSS_FILES = ("cert8.db", "key3.db", "secmod.db", "pwdfile.txt") -BAD_USAGE_ERR = 'Certificate key usage inadequate for attempted operation.' - TrustFlags = collections.namedtuple('TrustFlags', 'has_key trusted ca usages') EMPTY_TRUST_FLAGS = TrustFlags(False, None, None, None) @@ -691,8 +689,6 @@ def verify_server_cert_validity(self, nickname, hostname): # certutil output in case of error is # 'certutil: certificate is invalid: \n' msg = e.output.split(': ')[2].strip() -if msg == BAD_USAGE_ERR: -msg = 'invalid for a SSL server.' raise ValueError(msg) try: 
@@ -723,8 +719,6 @@ def verify_ca_cert_validity(self, nickname): # certutil output in case of error is # 'certutil: certificate is invalid: \n' msg = e.output.split(': ')[2].strip() -if msg == BAD_USAGE_ERR: -msg = 'invalid for a CA.' raise ValueError(msg) def verify_kdc_cert_validity(self, nickname, realm): From 55a2fb6d219887ae6ef846aea78efcccebb84fb4 Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka Date: Mon, 22 May 2017 17:08:00 +0200 Subject: [PATCH 2/2] More verbose error message on kdc cert validation KDC cert validation was added but provides rather non-descriptive error should there be something wrong with a certificate. Pass the error message from the `openssl` tool in such cases. https://pagure.io/freeipa/issue/6945 --- ipapython/certdb.py | 7 ++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/ipapython/certdb.py b/ipapython/certdb.py index ee0e837469..caecfca0a0 100644 --- a/ipapython/certdb.py +++ b/ipapython/certdb.py @@ -192,7 +192,12 @@ def verify_kdc_cert_validity(kdc_cert, ca_certs, realm): try: ipautil.run( -[OPENSSL, 'verify', '-CAfile', ca_file.name, kdc_file.name]) +[OPENSSL, 'verify', '-CAfile', ca_file.name, kdc_file.name], +capture_output=True) +except ipautil.CalledProcessError as e: +raise ValueError(e.output) + +try: eku = kdc_cert.extensions.get_extension_for_class( cryptography.x509.ExtendedKeyUsage) list(eku.value).index( ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
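Review bot: `raise ValueError(e.output)` forwards only what ipautil.run stored as the process output; if the installed `openssl verify` reports the failure reason on stderr rather than stdout, the ValueError carries an empty or partial message, which is the non-descriptive error this commit sets out to fix. Please exercise this path with a known-bad certificate and, if the detail is missing, include the captured stderr text as well (confirm which attribute ipautil's CalledProcessError exposes for it). verify_kdc_cert_validity starts before the hunk and the `except` belonging to the second `try:` is outside it.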
[Freeipa-devel] [freeipa PR#623][comment] client install: do not assume /etc/krb5.conf.d exists
URL: https://github.com/freeipa/freeipa/pull/623 Title: #623: client install: do not assume /etc/krb5.conf.d exists frozencemetery commented: """ Adding on to my previous comment: I've talked with the Debian maintainers, and they plan to add the same `includedir` after the Stretch release. So, eventually (for some values of eventually) we won't have to worry about this. """ See the full comment at https://github.com/freeipa/freeipa/pull/623#issuecomment-303124429 ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#800][comment] Change python-cryptography to python2-cryptography
URL: https://github.com/freeipa/freeipa/pull/800 Title: #800: Change python-cryptography to python2-cryptography martbab commented: """ @pvoborni thank you for explanation I am OK with this change then. """ See the full comment at https://github.com/freeipa/freeipa/pull/800#issuecomment-303103024 ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#800][comment] Change python-cryptography to python2-cryptography
URL: https://github.com/freeipa/freeipa/pull/800 Title: #800: Change python-cryptography to python2-cryptography MartinBasti commented: """ Voting for explicit `python2-*` prefix """ See the full comment at https://github.com/freeipa/freeipa/pull/800#issuecomment-303077114 ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#771][comment] cert-show: check if certificate_out is in options
URL: https://github.com/freeipa/freeipa/pull/771 Title: #771: cert-show: check if certificate_out is in options martbab commented: """ @frasertweedale @HonzaCholasta can you please continue review of this PR? """ See the full comment at https://github.com/freeipa/freeipa/pull/771#issuecomment-303075665 ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#797][comment] ipa-replica-conncheck: handle ssh not installed
URL: https://github.com/freeipa/freeipa/pull/797 Title: #797: ipa-replica-conncheck: handle ssh not installed flo-renaud commented: """ Hi @martbab I initially thought that the code never worked and always triggered an exception, but you are right, it used to skip the check when ssh client is not installed. I updated the PR to revert to the original behavior. """ See the full comment at https://github.com/freeipa/freeipa/pull/797#issuecomment-303075145 ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#797][synchronized] ipa-replica-conncheck: handle ssh not installed
URL: https://github.com/freeipa/freeipa/pull/797 Author: flo-renaud Title: #797: ipa-replica-conncheck: handle ssh not installed Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/797/head:pr797 git checkout pr797 From a545478cf058ce6d25c7586c40aa7bcc3532e9c2 Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud Date: Thu, 18 May 2017 17:01:19 +0200 Subject: [PATCH] ipa-replica-conncheck: handle ssh not installed When ipa-replica-conncheck is run but ssh is not installed, the tool exits with a stack trace. Properly handle the error by raising an Exception in the SshExec constructor, and catch the exception in order to ignore the error and skip ssh test. The tool will exit with the following output: [...] Check RPC connection to remote master trying https://master.domain.com/ipa/session/json Forwarding 'schema' to json server 'https://master.domain.com/ipa/session/json' Retrying using SSH... WARNING: ssh not installed, skipping ssh test https://pagure.io/freeipa/issue/6935 --- install/tools/ipa-replica-conncheck | 13 - 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck index fdbd4f32d9..87bed5f4ee 100755 --- a/install/tools/ipa-replica-conncheck +++ b/install/tools/ipa-replica-conncheck @@ -59,12 +59,11 @@ class SshExec(object): self.user = user self.addr = addr self.cmd = distutils.spawn.find_executable('ssh') - -def __call__(self, command, verbose=False): # Bail if ssh is not installed if self.cmd is None: -root_logger.warning("WARNING: ssh not installed, skipping ssh test") -return ('', '', 0) +raise RuntimeError("ssh not installed") + +def __call__(self, command, verbose=False): tmpf = tempfile.NamedTemporaryFile() cmd = [ 
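Review bot: `raise RuntimeError("ssh not installed")` in `__init__` uses the most generic built-in exception for a specific, expected condition, and the caller in the `@@ -594,7 +593,11 @@ main()` hunk has to catch bare `RuntimeError` to recognize it, so any other RuntimeError escaping the constructor would also be reported as "ssh not installed" and skipped. A dedicated class makes the contract explicit: `class SshNotInstalledError(RuntimeError): pass` at module level, `raise SshNotInstalledError("ssh not installed")` here, and `except SshNotInstalledError as e:` in main. Deriving from RuntimeError keeps the catch added in main working unchanged while it is migrated. The SshExec class continues outside the hunk.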
@@ -594,7 +593,11 @@ def main(): # Ticket 5812 Always qualify requests for admin user = principal -ssh = SshExec(user, options.master) +try: +ssh = SshExec(user, options.master) +except RuntimeError as e: +root_logger.warning("WARNING: %s, skipping ssh test" % e) +return root_logger.info("Check SSH connection to remote master") result = ssh('echo OK', verbose=True) ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
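Review bot: The added `return` leaves `main()` right after the warning, so besides skipping the SSH test it also skips anything main does after `result = ssh('echo OK', verbose=True)`, and the tool exits successfully although one of its connectivity checks never ran; whether that matches the pre-patch flow, where `ssh()` returned `('', '', 0)` and execution continued, is not visible here and is worth confirming. If further steps exist, a flag such as `ssh_ok = False` with the remainder of the SSH-dependent code guarded on it keeps the other checks running. Separately, `root_logger.warning("WARNING: %s, skipping ssh test" % e)` can let the logger do the formatting: `root_logger.warning("WARNING: %s, skipping ssh test", e)`. main() starts before the hunk and continues after it.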
[Freeipa-devel] [freeipa PR#794][+pushed] ipa-ca-install: append CA cert chain into /etc/ipa/ca.crt
URL: https://github.com/freeipa/freeipa/pull/794 Title: #794: ipa-ca-install: append CA cert chain into /etc/ipa/ca.crt Label: +pushed ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#794][closed] ipa-ca-install: append CA cert chain into /etc/ipa/ca.crt
URL: https://github.com/freeipa/freeipa/pull/794 Author: flo-renaud Title: #794: ipa-ca-install: append CA cert chain into /etc/ipa/ca.crt Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/794/head:pr794 git checkout pr794 ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#794][comment] ipa-ca-install: append CA cert chain into /etc/ipa/ca.crt
URL: https://github.com/freeipa/freeipa/pull/794 Title: #794: ipa-ca-install: append CA cert chain into /etc/ipa/ca.crt martbab commented: """ master: * d93264247563937d6d8e3f030a2bffac10572612 ipa-ca-install: append CA cert chain into /etc/ipa/ca.crt ipa-4-5: * 653d2f412012bcef04599b512938f06084d267b1 ipa-ca-install: append CA cert chain into /etc/ipa/ca.crt """ See the full comment at https://github.com/freeipa/freeipa/pull/794#issuecomment-303074268 ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#623][synchronized] client install: do not assume /etc/krb5.conf.d exists
URL: https://github.com/freeipa/freeipa/pull/623 Author: HonzaCholasta Title: #623: client install: do not assume /etc/krb5.conf.d exists Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/623/head:pr623 git checkout pr623 From 188c3bb5d7da9f0a60ed4b2f66aca5ee56d2a876 Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Mon, 20 Mar 2017 06:56:53 + Subject: [PATCH] install: do not assume /etc/krb5.conf.d exists Add `includedir /etc/krb5.conf.d` to /etc/krb5.conf only if /etc/krb5.conf.d exists. Do not rely on /etc/krb5.conf.d to enable the certauth plugin. This fixes install on platforms which do not have /etc/krb5.conf.d. https://pagure.io/freeipa/issue/6589 --- .gitignore | 1 - daemons/ipa-kdb/Makefile.am | 6 -- daemons/ipa-kdb/ipa-certauth| 5 - freeipa.spec.in | 1 - install/share/krb5.conf.template| 7 ++- ipaclient/install/client.py | 16 ++-- ipaserver/install/krbinstance.py| 8 +++- ipaserver/install/server/upgrade.py | 33 + 8 files changed, 56 insertions(+), 21 deletions(-) delete mode 100644 daemons/ipa-kdb/ipa-certauth diff --git a/.gitignore b/.gitignore index 8b57dbcddf..8f4c2aa7a9 100644 --- a/.gitignore +++ b/.gitignore @@ -77,7 +77,6 @@ freeipa2-dev-doc /daemons/dnssec/ipa-ods-exporter.socket /daemons/ipa-kdb/ipa_kdb_tests /daemons/ipa-kdb/tests/.dirstamp -/daemons/ipa-kdb/ipa-certauth /daemons/ipa-otpd/ipa-otpd /daemons/ipa-otpd/ipa-otpd.socket /daemons/ipa-otpd/ipa-otpd@.service diff --git a/daemons/ipa-kdb/Makefile.am b/daemons/ipa-kdb/Makefile.am index 259bc3b20f..5669349af2 100644 --- a/daemons/ipa-kdb/Makefile.am +++ b/daemons/ipa-kdb/Makefile.am @@ -44,12 +44,6 @@ dist_noinst_DATA = ipa_kdb.exports if BUILD_IPA_CERTAUTH_PLUGIN ipadb_la_SOURCES += ipa_kdb_certauth.c - - -krb5confdir = $(sysconfdir)/krb5.conf.d -krb5conf_DATA = ipa-certauth -else -dist_noinst_DATA += ipa-certauth endif ipadb_la_LDFLAGS = \ 
diff --git a/daemons/ipa-kdb/ipa-certauth b/daemons/ipa-kdb/ipa-certauth deleted file mode 100644 index 6fde08284d..00 --- a/daemons/ipa-kdb/ipa-certauth +++ /dev/null @@ -1,5 +0,0 @@ -[plugins] - certauth = { - module = ipakdb:kdb/ipadb.so - enable_only = ipakdb - } diff --git a/freeipa.spec.in b/freeipa.spec.in index beb11bc12a..1093617f91 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -1202,7 +1202,6 @@ fi %attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.conncheck %config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freeipa.server.conf %config(noreplace) %{_sysconfdir}/oddjobd.conf.d/ipa-server.conf -%config(noreplace) %{_sysconfdir}/krb5.conf.d/ipa-certauth %dir %{_libexecdir}/ipa/certmonger %attr(755,root,root) %{_libexecdir}/ipa/certmonger/* # NOTE: systemd specific section diff --git a/install/share/krb5.conf.template b/install/share/krb5.conf.template index 1f18ff90d3..e3420e5376 100644 --- a/install/share/krb5.conf.template +++ b/install/share/krb5.conf.template @@ -1,4 +1,4 @@ -includedir /etc/krb5.conf.d/ +$INCLUDES includedir /var/lib/sss/pubconf/krb5.include.d/ [logging] @@ -35,3 +35,8 @@ $OTHER_DOMAIN_REALM_MAPS db_library = ipadb.so } +[plugins] + certauth = { + module = ipakdb:kdb/ipadb.so + enable_only = ipakdb + } diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py index 1aa50372a4..c0c6cdd7de 100644 --- a/ipaclient/install/client.py +++ b/ipaclient/install/client.py @@ -641,14 +641,18 @@ def configure_krb5_conf( 'value': 'File modified by ipa-client-install' }, krbconf.emptyLine(), -{ -'name': 'includedir', -'type': 'option', -'value': paths.COMMON_KRB5_CONF_DIR, -'delim': ' ' -} ] +if os.path.exists(paths.COMMON_KRB5_CONF_DIR): +opts.extend([ +{ +'name': 'includedir', +'type': 'option', +'value': paths.COMMON_KRB5_CONF_DIR, +'delim': ' ' +} +]) + # SSSD include dir if configure_sssd: opts.extend([ 
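Review bot: The `[plugins] certauth` block added to krb5.conf.template is unconditional, while daemons/ipa-kdb/Makefile.am in this same patch compiles `ipa_kdb_certauth.c` only under `BUILD_IPA_CERTAUTH_PLUGIN`, and the `ipa-certauth` snippet it replaces was previously installed only in that build configuration. On a build without the plugin the KDC is told to load a certauth module from `ipakdb:kdb/ipadb.so` that does not provide one; whether krb5kdc tolerates that or refuses to start is not visible here and should be tested on such a build. If it is not tolerated, the section needs the same conditional treatment as `$INCLUDES` (a template variable filled in by the installer according to the build configuration), or the build flag should be retired. The template's other substitutions are outside the hunk.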
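Review bot: `if os.path.exists(paths.COMMON_KRB5_CONF_DIR):` accepts any filesystem object at that path, but `includedir` is only meaningful for a directory; `if os.path.isdir(paths.COMMON_KRB5_CONF_DIR):` expresses the actual requirement and avoids emitting a directive libkrb5 would reject if a stray file sits there. The same check appears in the `ipaserver/install/krbinstance.py` `__setup_sub_dict` hunk of this patch and would benefit from the same change. Note also that the decision is taken once at install time, so a krb5.conf.d created later by another package is not picked up until the file is regenerated; a comment such as `# includedir only if the directory exists at install time; upgrade must re-evaluate this` would record the assumption next to the check. configure_krb5_conf starts before the hunk.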
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py index 1692e0b2ba..fdd5e3c2c7 100644 --- a/ipaserver/install/krbinstance.py +++ b/ipaserver/install/krbinstance.py @@ -249,6 +249,11 @@ def __start_instance(self): root_logger.critical("krb5kdc service failed to start") def __setup_sub_dict(self): +if os.path.exists(paths.COMMON_KRB5_CONF_DIR): +includes = 'includedir {}'.format(paths.COMMON_KRB5_CONF_DIR) +else: +includes = '' + self.sub_dict = dict(FQDN=self.fqdn, IP=self.ip, PASSWORD=self.kdc_password, @@ -264,7 +269,8 @@ def __setup_sub_dict(self):
[Freeipa-devel] [freeipa PR#794][comment] ipa-ca-install: append CA cert chain into /etc/ipa/ca.crt
URL: https://github.com/freeipa/freeipa/pull/794 Title: #794: ipa-ca-install: append CA cert chain into /etc/ipa/ca.crt flo-renaud commented: """ Hi @MartinBasti , Thanks for the heads-up, I just rebased the PR. """ See the full comment at https://github.com/freeipa/freeipa/pull/794#issuecomment-303038076 ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#794][synchronized] ipa-ca-install: append CA cert chain into /etc/ipa/ca.crt
URL: https://github.com/freeipa/freeipa/pull/794 Author: flo-renaud Title: #794: ipa-ca-install: append CA cert chain into /etc/ipa/ca.crt Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/794/head:pr794 git checkout pr794 From 74b2d19975472746d5dc0a8c0f6552d5440adfd5 Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud Date: Tue, 16 May 2017 17:24:09 +0200 Subject: [PATCH] ipa-ca-install: append CA cert chain into /etc/ipa/ca.crt ipa-ca-install currently overwrites /etc/ipa/ca.crt with the CA chain retrieved from Dogtag. It should instead append the new certs, otherwise the CA that signed dirsrv and httpd certificates is removed and ipa tools fail. A consequence is that ipa-kra-install fails. This is a regression introduced by 5ab85b36. https://pagure.io/freeipa/issue/6925 --- ipaserver/install/cainstance.py | 8 1 file changed, 8 insertions(+) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index b8c8cc4fc4..b0e9e8757e 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -793,6 +793,14 @@ def __export_ca_chain(self): # Get list of PEM certificates certlist = x509.pkcs7_to_pems(data, x509.DER) +# We need to append the certs to the existing file, so start by +# reading the file +if ipautil.file_exists(paths.IPA_CA_CRT): +ca_certs = x509.load_certificate_list_from_file(paths.IPA_CA_CRT) +ca_certs = [cert.public_bytes(serialization.Encoding.PEM) +for cert in ca_certs] +certlist.extend(ca_certs) + # We have all the certificates in certlist, write them to a PEM file for path in [paths.IPA_CA_CRT, paths.KDC_CA_BUNDLE_PEM, ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
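Review bot: The appended block re-reads `paths.IPA_CA_CRT` and extends `certlist` with every certificate already in it without checking for duplicates, so each run where Dogtag's chain overlaps the file's current content makes the file (and the other paths written in the `for path in [...]` loop) grow by the overlapping certificates, and a CA that should no longer be trusted can never drop out of the bundle through this path. A membership check keeps the fix while avoiding the accumulation: `certlist.extend(c for c in ca_certs if c not in certlist)` in place of `certlist.extend(ca_certs)`; this relies on `pkcs7_to_pems` and `public_bytes(serialization.Encoding.PEM)` yielding the same type (str vs bytes) and formatting — confirm before relying on the comparison. __export_ca_chain starts before the hunk and the write loop continues after it.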
[Freeipa-devel] [freeipa PR#801][opened] httpinstance: wait until the service entry is replicated
URL: https://github.com/freeipa/freeipa/pull/801 Author: HonzaCholasta Title: #801: httpinstance: wait until the service entry is replicated Action: opened PR body: """ Wait until the local HTTP service entry is replicated to the remote master before requesting the server certificate. This prevents a replication conflict between the service entry added locally and service entry added remotely when requesting the certificate. https://pagure.io/freeipa/issue/6867 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/801/head:pr801 git checkout pr801 From 40bcbd3e3589fdc0c0c021e1055c1fc8e5e2d0b9 Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Mon, 22 May 2017 08:15:14 + Subject: [PATCH] httpinstance: wait until the service entry is replicated Wait until the local HTTP service entry is replicated to the remote master before requesting the server certificate. This prevents a replication conflict between the service entry added locally and service entry added remotely when requesting the certificate. https://pagure.io/freeipa/issue/6867 --- ipaserver/install/httpinstance.py | 20 +++- ipaserver/install/server/replicainstall.py | 2 +- 2 files changed, 20 insertions(+), 2 deletions(-) diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index c76a1a4e48..9c72db97c3 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py @@ -32,9 +32,11 @@ from augeas import Augeas from ipalib.install import certmonger +from ipapython import ipaldap from ipapython.certdb import (IPA_CA_TRUST_FLAGS, EXTERNAL_CA_TRUST_FLAGS, TRUSTED_PEER_TRUST_FLAGS) +from ipaserver.install import replication from ipaserver.install import service from ipaserver.install import certs from ipaserver.install import installutils 
@@ -129,7 +131,8 @@ def __init__(self, fstore=None, cert_nickname='Server-Cert', def create_instance(self, realm, fqdn, domain_name, pkcs12_info=None, subject_base=None, auto_redirect=True, ca_file=None, -ca_is_configured=None, promote=False): +ca_is_configured=None, promote=False, +master_fqdn=None): self.fqdn = fqdn self.realm = realm self.domain = domain_name @@ -148,6 +151,7 @@ def create_instance(self, realm, fqdn, domain_name, pkcs12_info=None, if ca_is_configured is not None: self.ca_is_configured = ca_is_configured self.promote = promote +self.master_fqdn = master_fqdn self.step("stopping httpd", self.__stop) self.step("setting mod_nss port to 443", self.__set_mod_nss_port) @@ -577,3 +581,17 @@ def start_tracking_certificates(self): db = certs.CertDB(self.realm, nssdir=paths.HTTPD_ALIAS_DIR) db.track_server_cert(self.cert_nickname, self.principal, db.passwd_fname, 'restart_httpd') + +def request_service_keytab(self): +super(HTTPInstance, self).request_service_keytab() + +if self.master_fqdn is not None: +service_dn = DN(('krbprincipalname', self.principal), +('cn', 'services'), +('cn', 'accounts'), +self.suffix) + +ldap_uri = ipaldap.get_ldap_uri(self.master_fqdn) +with ipaldap.LDAPClient(ldap_uri) as remote_ldap: +remote_ldap.gssapi_bind() +replication.wait_for_entry(remote_ldap, service_dn, timeout=60) diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py index b30133ffa2..8e4152f2ef 100644 --- a/ipaserver/install/server/replicainstall.py +++ b/ipaserver/install/server/replicainstall.py 
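Review bot: `replication.wait_for_entry(remote_ldap, service_dn, timeout=60)` is the only thing in `request_service_keytab` that prevents the conflict the commit describes, yet what happens when the 60 seconds run out is not visible from this hunk: if wait_for_entry merely logs and returns, the certificate request proceeds and the original race is back; if it raises, the installer aborts and the error should name the replication wait. Please confirm its timeout behaviour and document the intent on the method, e.g. a docstring `"""Request the HTTP keytab, then block until the service entry has replicated to master_fqdn so the certificate request there does not create a conflicting entry."""`. The literal 60 also deserves a module-level constant with a comment on why that bound was chosen. The HTTPInstance class continues outside the hunk.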
@@ -165,7 +165,7 @@ def install_http(config, auto_redirect, ca_is_configured, ca_file, config.realm_name, config.host_name, config.domain_name, pkcs12_info, auto_redirect=auto_redirect, ca_file=ca_file, ca_is_configured=ca_is_configured, promote=promote, -subject_base=config.subject_base) +subject_base=config.subject_base, master_fqdn=config.master_host_name) return http ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org