[Freeipa-devel] [freeipa PR#874][comment] Changing cert-find to go through the proxy instead of using the port 8080
URL: https://github.com/freeipa/freeipa/pull/874
Title: #874: Changing cert-find to go through the proxy instead of using the port 8080
frasertweedale commented:
"""
All good. Nice work @felipevolpone :+1:
"""
See the full comment at https://github.com/freeipa/freeipa/pull/874#issuecomment-308935908
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#874][+ack] Changing cert-find to go through the proxy instead of using the port 8080
URL: https://github.com/freeipa/freeipa/pull/874
Title: #874: Changing cert-find to go through the proxy instead of using the port 8080
Label: +ack
[Freeipa-devel] [freeipa PR#871][comment] Add --force-join into ipa-replica-install manpage
URL: https://github.com/freeipa/freeipa/pull/871
Title: #871: Add --force-join into ipa-replica-install manpage
MartinBasti commented:
"""
master:
* 7fd2102a78f2e008f2cd5fe68e9be58ead914b35 Add --force-join into ipa-replica-install manpage
"""
See the full comment at https://github.com/freeipa/freeipa/pull/871#issuecomment-308709569
[Freeipa-devel] [freeipa PR#871][+pushed] Add --force-join into ipa-replica-install manpage
URL: https://github.com/freeipa/freeipa/pull/871
Title: #871: Add --force-join into ipa-replica-install manpage
Label: +pushed
[Freeipa-devel] [freeipa PR#866][comment] Add a README to certificate profile templates directory
URL: https://github.com/freeipa/freeipa/pull/866
Title: #866: Add a README to certificate profile templates directory
MartinBasti commented:
"""
master:
* d7e1ab8438b02db9250b0985be29ac3325c2d2dc Add a README to certificate profile templates directory
"""
See the full comment at https://github.com/freeipa/freeipa/pull/866#issuecomment-308709300
[Freeipa-devel] [freeipa PR#866][+pushed] Add a README to certificate profile templates directory
URL: https://github.com/freeipa/freeipa/pull/866
Title: #866: Add a README to certificate profile templates directory
Label: +pushed
[Freeipa-devel] [freeipa PR#866][closed] Add a README to certificate profile templates directory
URL: https://github.com/freeipa/freeipa/pull/866
Author: frasertweedale
Title: #866: Add a README to certificate profile templates directory
Action: closed
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/866/head:pr866
git checkout pr866
[Freeipa-devel] [freeipa PR#865][comment] ipatests: do not collect systemd journal when logfile_dir is missing
URL: https://github.com/freeipa/freeipa/pull/865
Title: #865: ipatests: do not collect systemd journal when logfile_dir is missing
MartinBasti commented:
"""
master:
* 44e3496bd1a3004bc7a6497cbd212bba7910b2e3 ipatests: do not collect systemd journal when logfile_dir is missing
"""
See the full comment at https://github.com/freeipa/freeipa/pull/865#issuecomment-308708834
[Freeipa-devel] [freeipa PR#865][+pushed] ipatests: do not collect systemd journal when logfile_dir is missing
URL: https://github.com/freeipa/freeipa/pull/865
Title: #865: ipatests: do not collect systemd journal when logfile_dir is missing
Label: +pushed
[Freeipa-devel] [freeipa PR#862][comment] dnsserver.py: dnsserver-find no longer returns internal server error
URL: https://github.com/freeipa/freeipa/pull/862
Title: #862: dnsserver.py: dnsserver-find no longer returns internal server error
MartinBasti commented:
"""
master:
* 74d36a8af69a2946007ebd4d57c7bf0891d561db dnsserver.py: dnsserver-find no longer returns internal server error
"""
See the full comment at https://github.com/freeipa/freeipa/pull/862#issuecomment-308708624
[Freeipa-devel] [freeipa PR#862][+pushed] dnsserver.py: dnsserver-find no longer returns internal server error
URL: https://github.com/freeipa/freeipa/pull/862
Title: #862: dnsserver.py: dnsserver-find no longer returns internal server error
Label: +pushed
[Freeipa-devel] [freeipa PR#860][comment] adtrustinstance: fix ID range comparison
URL: https://github.com/freeipa/freeipa/pull/860
Title: #860: adtrustinstance: fix ID range comparison
MartinBasti commented:
"""
master:
* 440c61dc40353833cad3a5fc509821ce1f23757f adtrustinstance: fix ID range comparison
"""
See the full comment at https://github.com/freeipa/freeipa/pull/860#issuecomment-308708256
[Freeipa-devel] [freeipa PR#860][+pushed] adtrustinstance: fix ID range comparison
URL: https://github.com/freeipa/freeipa/pull/860
Title: #860: adtrustinstance: fix ID range comparison
Label: +pushed
[Freeipa-devel] [freeipa PR#860][+ack] adtrustinstance: fix ID range comparison
URL: https://github.com/freeipa/freeipa/pull/860
Title: #860: adtrustinstance: fix ID range comparison
Label: +ack
[Freeipa-devel] [freeipa PR#865][+ack] ipatests: do not collect systemd journal when logfile_dir is missing
URL: https://github.com/freeipa/freeipa/pull/865
Title: #865: ipatests: do not collect systemd journal when logfile_dir is missing
Label: +ack
[Freeipa-devel] [freeipa PR#862][+ack] dnsserver.py: dnsserver-find no longer returns internal server error
URL: https://github.com/freeipa/freeipa/pull/862
Title: #862: dnsserver.py: dnsserver-find no longer returns internal server error
Label: +ack
[Freeipa-devel] [freeipa PR#871][+ack] Add --force-join into ipa-replica-install manpage
URL: https://github.com/freeipa/freeipa/pull/871
Title: #871: Add --force-join into ipa-replica-install manpage
Label: +ack
[Freeipa-devel] [freeipa PR#871][comment] Add --force-join into ipa-replica-install manpage
URL: https://github.com/freeipa/freeipa/pull/871
Title: #871: Add --force-join into ipa-replica-install manpage
flo-renaud commented:
"""
Hi @Tiboris thank you for the patch. Works as expected.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/871#issuecomment-308687145
[Freeipa-devel] [freeipa PR#875][opened] Fix ip address checks
URL: https://github.com/freeipa/freeipa/pull/875 Author: MartinBasti Title: #875: Fix ip address checks Action: opened PR body: """ Fix various checks of IP address in installers, removal of some unneeded checks that are not working correctly, and mainly causes only false positive errors. This PR also fixes regressions caused by bf9886a84393d1d1546db7e49b102e08a16a83e7 https://pagure.io/freeipa/issue/4317 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/875/head:pr875 git checkout pr875 From f342625aa0da367792cfbd5c4f1a164bf878ee8c Mon Sep 17 00:00:00 2001 From: Martin BastiDate: Tue, 13 Jun 2017 17:03:30 +0200 Subject: [PATCH 1/7] Fix local IP address validation Previously bf9886a84393d1d1546db7e49b102e08a16a83e7 match_local has undesirable side effect that CheckedIPAddress object has set self._net from local interface. However with the recent changes, match_local is usually set to False, thus this side effect stops happening and default mask per address class is used. This causes validation error because mask on interface and mask used for provided IP addresses differ (reporducible only with classless masks). FreeIPA should compare only IP addresses with local addresses without masks https://pagure.io/freeipa/issue/4317 --- ipapython/ipautil.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py index a277ed8747..647ee833ae 100644 --- a/ipapython/ipautil.py +++ b/ipapython/ipautil.py @@ -216,10 +216,10 @@ def get_matching_interface(self): addr=ifaddr, netmask=ifdata['netmask'] )) -if ifnet == self._net or ( -self._net is None and ifnet.ip == self): -self._net = ifnet + +if ifnet.ip == self: iface = interface +self._net = ifnet break return iface From 446d8fbfa0a912f993191c1447fb4f8002ea065d Mon Sep 17 00:00:00 2001 
From: Martin Basti Date: Wed, 14 Jun 2017 14:45:03 +0200 Subject: [PATCH 2/7] ipa-dns-install: remove check for local ip address This check was forgotten and will be removed now. https://pagure.io/freeipa/issue/4317 --- install/tools/ipa-dns-install | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/install/tools/ipa-dns-install b/install/tools/ipa-dns-install index 5bd0ba6d77..cb6c5d887f 100755 --- a/install/tools/ipa-dns-install +++ b/install/tools/ipa-dns-install @@ -47,7 +47,9 @@ def parse_options(): default=False, help="print debugging information") parser.add_option("--ip-address", dest="ip_addresses", metavar="IP_ADDRESS", default=[], action="append", - type="ip", ip_local=True, help="Master Server IP Address. This option can be used multiple times") + type="ip", + help="Master Server IP Address. This option can be used " + "multiple times") parser.add_option("--forwarder", dest="forwarders", action="append", type="ip", help="Add a DNS forwarder. This option can be used multiple times") parser.add_option("--no-forwarders", dest="no_forwarders", action="store_true", From 082ff655fd44b82e26b675f1a20fc4be5a3abc05 Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Wed, 14 Jun 2017 14:47:23 +0200 Subject: [PATCH 3/7] refactor CheckedIPAddress class Make methods without side effects (setting mask) https://pagure.io/freeipa/issue/4317 --- ipapython/ipautil.py | 29 ++--- 1 file changed, 22 insertions(+), 7 deletions(-) diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py index 647ee833ae..2c020e3ecb 100644 --- a/ipapython/ipautil.py +++ b/ipapython/ipautil.py @@ -62,6 +62,12 @@ socket.SOCK_DGRAM: 'udp' } +InterfaceDetails = collections.namedtuple( +'InterfaceDetails', [ +'name', # interface name +'ifnet' # network details of interface +]) + class UnsafeIPAddress(netaddr.IPAddress): """Any valid IP address with or without netmask.""" 
@@ -161,9 +167,12 @@ def __init__(self, addr, match_local=False, parse_netmask=True, raise ValueError("cannot use multicast IP address {}".format(addr)) if match_local: -if not self.get_matching_interface(): +intf_details = self.get_matching_interface() +if not intf_details: raise ValueError('no network interface matches the IP address ' 'and netmask {}'.format(addr)) +else: +self.set_ip_net(intf_details.ifnet) if self._net is None: if self.version == 4: @@ -193,7 +202,8 @@ def is_broadcast_addr(self): def
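Review bot: in the PATCH 1/7 hunk of ipapython/ipautil.py the commit message says local addresses should be compared without masks, yet the new branch still assigns `self._net = ifnet` as a side effect of the lookup, which is exactly what PATCH 3/7 of this series then takes out again ("Make methods without side effects"); consider squashing the two so no intermediate revision carries the side effect. Also, with the `ifnet == self._net` comparison gone, a user-supplied netmask that differs from the interface's is silently replaced by the interface's mask on a match; a debug-level log line recording that substitution would make later mask-related errors much easier to trace.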
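Review bot: in the PATCH 2/7 hunk of install/tools/ipa-dns-install, removing `ip_local=True` from `--ip-address` means the option parser no longer rejects an address that is not configured on any local interface, and the commit message only says the check "was forgotten". Since this value is the address published for the master in DNS, the message should state what check replaces it, or why accepting a non-local value at parse time is intended. The re-wrap of the help string is fine.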
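Review bot: in the PATCH 3/7 `__init__` hunk of ipapython/ipautil.py the `else:` after `raise ValueError(...)` is redundant; `self.set_ip_net(intf_details.ifnet)` can follow the `if not intf_details:` block at the same indentation. The new `InterfaceDetails` namedtuple depends on `collections` being imported in ipautil.py, which the hunk does not show. The hunk is cut off at `def` in this message, so `set_ip_net` and the new return value of `get_matching_interface` are not visible; please make sure `get_matching_interface` returns `None` (not an `InterfaceDetails` with empty fields) when nothing matches, because the `if not intf_details:` check relies on that.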
[Freeipa-devel] [freeipa PR#872][synchronized] Add IPA-specific bind unit file
URL: https://github.com/freeipa/freeipa/pull/872 Author: stlaz Title: #872: Add IPA-specific bind unit file Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/872/head:pr872 git checkout pr872 From c8f0060ce4ac27db4db1771a65b9319fb6557cdc Mon Sep 17 00:00:00 2001 From: Stanislav LaznickaDate: Wed, 14 Jun 2017 07:46:16 +0200 Subject: [PATCH] Add IPA-specific bind unit file During upgrade of Fedora 25 to 26, when FreeIPA is installed with DNS, bind attempts to start before KDC which leads to a failed start because it requires a ticket to connect to LDAP. Add an own unit file with a dependency which sets bind to start after the KDC service. https://pagure.io/freeipa/issue/7018 --- freeipa.spec.in | 1 + init/systemd/Makefile.am | 2 + init/systemd/ipa-named-pkcs11.service.in | 27 ipaplatform/redhat/services.py | 3 +- ipaserver/install/bindinstance.py| 66 ipaserver/install/server/upgrade.py | 45 +-- ipatests/pytest_plugins/integration/tasks.py | 4 +- ipatests/test_xmlrpc/test_location_plugin.py | 4 +- 8 files changed, 114 insertions(+), 38 deletions(-) create mode 100644 init/systemd/ipa-named-pkcs11.service.in diff --git a/freeipa.spec.in b/freeipa.spec.in index 1446dfbb7c..00b2bb8ae1 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -1220,6 +1220,7 @@ fi %attr(644,root,root) %{_unitdir}/ipa-dnskeysyncd.service %attr(644,root,root) %{_unitdir}/ipa-ods-exporter.socket %attr(644,root,root) %{_unitdir}/ipa-ods-exporter.service +%attr(644,root,root) %{_unitdir}/ipa-named-pkcs11.service # END %attr(755,root,root) %{plugin_dir}/libipa_pwd_extop.so %attr(755,root,root) %{plugin_dir}/libipa_enrollment_extop.so diff --git a/init/systemd/Makefile.am b/init/systemd/Makefile.am index 945f6ac22a..c417caac87 100644 --- a/init/systemd/Makefile.am +++ b/init/systemd/Makefile.am 
@@ -3,10 +3,12 @@ AUTOMAKE_OPTIONS = 1.7 dist_noinst_DATA = \ + ipa-named-pkcs11.service.in \ ipa-custodia.service.in \ ipa.service.in systemdsystemunit_DATA = \ + ipa-named-pkcs11.service \ ipa-custodia.service \ ipa.service diff --git a/init/systemd/ipa-named-pkcs11.service.in b/init/systemd/ipa-named-pkcs11.service.in new file mode 100644 index 00..d89d9976e5 --- /dev/null +++ b/init/systemd/ipa-named-pkcs11.service.in @@ -0,0 +1,27 @@ +[Unit] +Description=Berkeley Internet Name Domain (DNS) with native PKCS#11 +Wants=nss-lookup.target +Wants=named-setup-rndc.service +Before=nss-lookup.target +After=network.target +After=named-setup-rndc.service +# we need to wait for KDC so that named may connect to LDAP via GSSAPI +After=krb5kdc.service + +[Service] +Type=forking +EnvironmentFile=-/etc/sysconfig/named +Environment=KRB5_KTNAME=/etc/named.keytab +PIDFile=/run/named/named.pid + +ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z /etc/named.conf; else echo "Checking of zone files is disabled"; fi' +ExecStart=/usr/sbin/named-pkcs11 -u named $OPTIONS + +ExecReload=/bin/sh -c '/usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID' + +ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID' + +PrivateTmp=true + +[Install] +WantedBy=multi-user.target diff --git a/ipaplatform/redhat/services.py b/ipaplatform/redhat/services.py index 8fae1f3cc5..ee5060e28f 100644 --- a/ipaplatform/redhat/services.py +++ b/ipaplatform/redhat/services.py 
@@ -62,7 +62,8 @@ redhat_system_units['ipa-otpd'] = 'ipa-otpd.socket' redhat_system_units['ipa-dnskeysyncd'] = 'ipa-dnskeysyncd.service' redhat_system_units['named-regular'] = 'named.service' -redhat_system_units['named-pkcs11'] = 'named-pkcs11.service' +redhat_system_units['named-pkcs11-regular'] = 'named-pkcs11.service' +redhat_system_units['named-pkcs11'] = 'ipa-named-pkcs11.service' redhat_system_units['named'] = redhat_system_units['named-pkcs11'] redhat_system_units['ods-enforcerd'] = 'ods-enforcerd.service' redhat_system_units['ods_enforcerd'] = redhat_system_units['ods-enforcerd'] diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py index 03dce56aa0..dbc014303e 100644 --- a/ipaserver/install/bindinstance.py +++ b/ipaserver/install/bindinstance.py @@ -619,7 +619,11 @@ def __init__(self, fstore=None, api=api): self.forwarders = None self.sub_dict = None self.reverse_zones = [] -self.named_regular = services.service('named-regular', api) +# these DNS services should be disabled prior to setting up our own +self.regular_dns_services = { +'named': services.service('named-regular', api), +'named-pkcs11': services.service('named-pkcs11-regular', api) +} suffix =
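Review bot: in the init/systemd/ipa-named-pkcs11.service.in hunk, `After=krb5kdc.service` only orders the two units and does not pull the KDC in, so if krb5kdc.service is not part of the same start-up transaction the DNS server still starts without it and the GSSAPI bind to LDAP fails exactly as the commit message describes. If ipa.service is expected to schedule both, say so in a comment; otherwise add `Wants=krb5kdc.service` next to the `After=`. Minor: `ExecStartPre` uses bash's `==` inside `[ ]`, which works because the line is run by /bin/bash, but `=` is the portable form.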
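Review bot: in the ipaplatform/redhat/services.py hunk, remapping the `named-pkcs11` key to `ipa-named-pkcs11.service` changes what every existing caller of `services.service('named-pkcs11', ...)` (and of `named`, which aliases it) stops, starts, enables or masks. Code that used that key to disable the stock `named-pkcs11.service` on upgrade now acts on the IPA unit and leaves the stock unit untouched; the diffstat lists changes to ipaserver/install/server/upgrade.py but they are not in this message, so please confirm the stock unit is handled there through the new `named-pkcs11-regular` key.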
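Review bot: in the ipaserver/install/bindinstance.py hunk, the comment on `regular_dns_services` says these units "should be disabled prior to setting up our own", but disabling is not enough: the stock units and the new IPA unit all use `/etc/named.conf` and `PIDFile=/run/named/named.pid` (see the unit file hunk), so a stock unit that is re-enabled by a later package update or started by hand would collide with the IPA one. Stop and mask them rather than only disable. The hunk ends at `suffix =` here, so the code that consumes the dict is not visible.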
[Freeipa-devel] [freeipa PR#872][comment] Add IPA-specific bind unit file
URL: https://github.com/freeipa/freeipa/pull/872
Title: #872: Add IPA-specific bind unit file
stlaz commented:
"""
The last update should sort the masking of the named-pkcs11 service along the previously handled named. I will update the release notes once we settle on the form of the patch.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/872#issuecomment-308668223
[Freeipa-devel] [freeipa PR#842][closed] Changed ownership of ldiffile to DS_USER
URL: https://github.com/freeipa/freeipa/pull/842
Author: tscherf
Title: #842: Changed ownership of ldiffile to DS_USER
Action: closed
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/842/head:pr842
git checkout pr842
[Freeipa-devel] [freeipa PR#842][+pushed] Changed ownership of ldiffile to DS_USER
URL: https://github.com/freeipa/freeipa/pull/842
Title: #842: Changed ownership of ldiffile to DS_USER
Label: +pushed
[Freeipa-devel] [freeipa PR#872][synchronized] Add IPA-specific bind unit file
URL: https://github.com/freeipa/freeipa/pull/872 Author: stlaz Title: #872: Add IPA-specific bind unit file Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/872/head:pr872 git checkout pr872 From 37f46e4f72622a3458e43d1b960ea03cdf47a99a Mon Sep 17 00:00:00 2001 From: Stanislav LaznickaDate: Wed, 14 Jun 2017 07:46:16 +0200 Subject: [PATCH] Add IPA-specific bind unit file During upgrade of Fedora 25 to 26, when FreeIPA is installed with DNS, bind attempts to start before KDC which leads to a failed start because it requires a ticket to connect to LDAP. Add an own unit file with a dependency which sets bind to start after the KDC service. https://pagure.io/freeipa/issue/7018 --- freeipa.spec.in | 1 + init/systemd/Makefile.am | 2 + init/systemd/ipa-named-pkcs11.service.in | 27 ipaplatform/redhat/services.py | 3 +- ipaserver/install/bindinstance.py| 66 ipaserver/install/server/upgrade.py | 45 +-- ipatests/pytest_plugins/integration/tasks.py | 4 +- ipatests/test_xmlrpc/test_location_plugin.py | 4 +- 8 files changed, 114 insertions(+), 38 deletions(-) create mode 100644 init/systemd/ipa-named-pkcs11.service.in diff --git a/freeipa.spec.in b/freeipa.spec.in index 1446dfbb7c..00b2bb8ae1 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -1220,6 +1220,7 @@ fi %attr(644,root,root) %{_unitdir}/ipa-dnskeysyncd.service %attr(644,root,root) %{_unitdir}/ipa-ods-exporter.socket %attr(644,root,root) %{_unitdir}/ipa-ods-exporter.service +%attr(644,root,root) %{_unitdir}/ipa-named-pkcs11.service # END %attr(755,root,root) %{plugin_dir}/libipa_pwd_extop.so %attr(755,root,root) %{plugin_dir}/libipa_enrollment_extop.so diff --git a/init/systemd/Makefile.am b/init/systemd/Makefile.am index 945f6ac22a..c417caac87 100644 --- a/init/systemd/Makefile.am +++ b/init/systemd/Makefile.am 
@@ -3,10 +3,12 @@ AUTOMAKE_OPTIONS = 1.7 dist_noinst_DATA = \ + ipa-named-pkcs11.service.in \ ipa-custodia.service.in \ ipa.service.in systemdsystemunit_DATA = \ + ipa-named-pkcs11.service \ ipa-custodia.service \ ipa.service diff --git a/init/systemd/ipa-named-pkcs11.service.in b/init/systemd/ipa-named-pkcs11.service.in new file mode 100644 index 00..d89d9976e5 --- /dev/null +++ b/init/systemd/ipa-named-pkcs11.service.in @@ -0,0 +1,27 @@ +[Unit] +Description=Berkeley Internet Name Domain (DNS) with native PKCS#11 +Wants=nss-lookup.target +Wants=named-setup-rndc.service +Before=nss-lookup.target +After=network.target +After=named-setup-rndc.service +# we need to wait for KDC so that named may connect to LDAP via GSSAPI +After=krb5kdc.service + +[Service] +Type=forking +EnvironmentFile=-/etc/sysconfig/named +Environment=KRB5_KTNAME=/etc/named.keytab +PIDFile=/run/named/named.pid + +ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z /etc/named.conf; else echo "Checking of zone files is disabled"; fi' +ExecStart=/usr/sbin/named-pkcs11 -u named $OPTIONS + +ExecReload=/bin/sh -c '/usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID' + +ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID' + +PrivateTmp=true + +[Install] +WantedBy=multi-user.target diff --git a/ipaplatform/redhat/services.py b/ipaplatform/redhat/services.py index 8fae1f3cc5..ee5060e28f 100644 --- a/ipaplatform/redhat/services.py +++ b/ipaplatform/redhat/services.py 
@@ -62,7 +62,8 @@ redhat_system_units['ipa-otpd'] = 'ipa-otpd.socket' redhat_system_units['ipa-dnskeysyncd'] = 'ipa-dnskeysyncd.service' redhat_system_units['named-regular'] = 'named.service' -redhat_system_units['named-pkcs11'] = 'named-pkcs11.service' +redhat_system_units['named-pkcs11-regular'] = 'named-pkcs11.service' +redhat_system_units['named-pkcs11'] = 'ipa-named-pkcs11.service' redhat_system_units['named'] = redhat_system_units['named-pkcs11'] redhat_system_units['ods-enforcerd'] = 'ods-enforcerd.service' redhat_system_units['ods_enforcerd'] = redhat_system_units['ods-enforcerd'] diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py index 03dce56aa0..27f67fa83a 100644 --- a/ipaserver/install/bindinstance.py +++ b/ipaserver/install/bindinstance.py @@ -619,7 +619,11 @@ def __init__(self, fstore=None, api=api): self.forwarders = None self.sub_dict = None self.reverse_zones = [] -self.named_regular = services.service('named-regular', api) +# these DNS services should be disabled prior to setting up our own +self.regular_dns_services = { +'named': services.service('named-regular', api), +'named-pkcs11': services.service('named-pkcs11-regular', api) +} suffix =
[Freeipa-devel] [freeipa PR#873][comment] kra: promote: Get ticket before attempting to get KRA keys with custodia
URL: https://github.com/freeipa/freeipa/pull/873
Title: #873: kra: promote: Get ticket before attempting to get KRA keys with custodia
martbab commented:
"""
master:
* 342f72140f9bd8b8db19f469ae4c56cac7492901 kra: promote: Get ticket before calling custodia
ipa-4-5:
* 15076a1c2b0fb31dce3903e5f50cab9edf68ad07 kra: promote: Get ticket before calling custodia
"""
See the full comment at https://github.com/freeipa/freeipa/pull/873#issuecomment-308661144
[Freeipa-devel] [freeipa PR#873][+ack] kra: promote: Get ticket before attempting to get KRA keys with custodia
URL: https://github.com/freeipa/freeipa/pull/873
Title: #873: kra: promote: Get ticket before attempting to get KRA keys with custodia
Label: +ack
[Freeipa-devel] [freeipa PR#701][+pushed] ipa help doesn't always work
URL: https://github.com/freeipa/freeipa/pull/701
Title: #701: ipa help doesn't always work
Label: +pushed
[Freeipa-devel] [freeipa PR#873][synchronized] kra: promote: Get ticket before attempting to get KRA keys with custodia
URL: https://github.com/freeipa/freeipa/pull/873 Author: dkupka Title: #873: kra: promote: Get ticket before attempting to get KRA keys with custodia Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/873/head:pr873 git checkout pr873 From 3a653419ded76b16cd7df150e6fc37c2d1651389 Mon Sep 17 00:00:00 2001 From: David KupkaDate: Wed, 14 Jun 2017 15:39:58 +0200 Subject: [PATCH] kra: promote: Get ticket before calling custodia When installing second (or consequent) KRA instance keys are retrieved using custodia. Custodia checks that the keys are synchronized in master's directory server and the check uses GSSAPI and therefore fails if there's no ticket in ccache. https://pagure.io/freeipa/issue/7020 --- ipaserver/install/kra.py | 21 ++--- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/ipaserver/install/kra.py b/ipaserver/install/kra.py index f345406128..3545b301a9 100644 --- a/ipaserver/install/kra.py +++ b/ipaserver/install/kra.py @@ -10,6 +10,7 @@ import shutil from ipalib import api +from ipalib.install.kinit import kinit_keytab from ipaplatform import services from ipaplatform.paths import paths from ipapython import certdb 
@@ -84,13 +85,19 @@ def install(api, replica_config, options): return krafile = os.path.join(replica_config.dir, 'kracert.p12') if options.promote: -custodia = custodiainstance.CustodiaInstance( -replica_config.host_name, -replica_config.realm_name) -custodia.get_kra_keys( -replica_config.kra_host_name, -krafile, -replica_config.dirman_password) +with ipautil.private_ccache(): +ccache = os.environ['KRB5CCNAME'] +kinit_keytab( +'host/{env.host}@{env.realm}'.format(env=api.env), +paths.KRB5_KEYTAB, +ccache) +custodia = custodiainstance.CustodiaInstance( +replica_config.host_name, +replica_config.realm_name) +custodia.get_kra_keys( +replica_config.kra_host_name, +krafile, +replica_config.dirman_password) else: cafile = os.path.join(replica_config.dir, 'cacert.p12') if not ipautil.file_exists(cafile):
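Review bot: in the `install()` hunk of ipaserver/install/kra.py, obtaining the host ticket inside `ipautil.private_ccache()` and passing that ccache to `kinit_keytab` is the right shape, since it keeps the host credential out of whatever ccache the installer's caller already has. Two points: `replica_config.dirman_password` is still handed to `get_kra_keys` even though the commit message says the custodia sync check now authenticates via GSSAPI, so either the password is still needed for another step (add a comment saying which) or it can be dropped; and a failure of `kinit_keytab` (missing or stale `paths.KRB5_KEYTAB`) will surface as a raw Kerberos exception in the middle of promotion, so catch it and report that the host keytab could not be used to obtain a ticket.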