[Freeipa-devel] [freeipa PR#874][comment] Changing cert-find to go through the proxy instead of using the port 8080

2017-06-15 Thread frasertweedale via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/874
Title: #874: Changing cert-find to go through the proxy instead of using the 
port 8080

frasertweedale commented:
"""
All good.  Nice work @felipevolpone :+1:
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/874#issuecomment-308935908
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org


[Freeipa-devel] [freeipa PR#874][+ack] Changing cert-find to go through the proxy instead of using the port 8080

2017-06-15 Thread frasertweedale via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/874
Title: #874: Changing cert-find to go through the proxy instead of using the 
port 8080

Label: +ack


[Freeipa-devel] [freeipa PR#871][comment] Add --force-join into ipa-replica-install manpage

2017-06-15 Thread MartinBasti via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/871
Title: #871: Add --force-join into ipa-replica-install manpage

MartinBasti commented:
"""
master:

* 7fd2102a78f2e008f2cd5fe68e9be58ead914b35 Add --force-join into 
ipa-replica-install manpage


"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/871#issuecomment-308709569


[Freeipa-devel] [freeipa PR#871][+pushed] Add --force-join into ipa-replica-install manpage

2017-06-15 Thread MartinBasti via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/871
Title: #871: Add --force-join into ipa-replica-install manpage

Label: +pushed


[Freeipa-devel] [freeipa PR#866][comment] Add a README to certificate profile templates directory

2017-06-15 Thread MartinBasti via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/866
Title: #866: Add a README to certificate profile templates directory

MartinBasti commented:
"""
master:

* d7e1ab8438b02db9250b0985be29ac3325c2d2dc Add a README to certificate profile 
templates directory


"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/866#issuecomment-308709300


[Freeipa-devel] [freeipa PR#866][+pushed] Add a README to certificate profile templates directory

2017-06-15 Thread MartinBasti via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/866
Title: #866: Add a README to certificate profile templates directory

Label: +pushed


[Freeipa-devel] [freeipa PR#866][closed] Add a README to certificate profile templates directory

2017-06-15 Thread MartinBasti via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/866
Author: frasertweedale
 Title: #866: Add a README to certificate profile templates directory
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/866/head:pr866
git checkout pr866


[Freeipa-devel] [freeipa PR#865][comment] ipatests: do not collect systemd journal when logfile_dir is missing

2017-06-15 Thread MartinBasti via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/865
Title: #865: ipatests: do not collect systemd journal when logfile_dir is 
missing

MartinBasti commented:
"""
master:

* 44e3496bd1a3004bc7a6497cbd212bba7910b2e3 ipatests: do not collect systemd 
journal when logfile_dir is missing


"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/865#issuecomment-308708834


[Freeipa-devel] [freeipa PR#865][+pushed] ipatests: do not collect systemd journal when logfile_dir is missing

2017-06-15 Thread MartinBasti via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/865
Title: #865: ipatests: do not collect systemd journal when logfile_dir is 
missing

Label: +pushed


[Freeipa-devel] [freeipa PR#862][comment] dnsserver.py: dnsserver-find no longer returns internal server error

2017-06-15 Thread MartinBasti via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/862
Title: #862: dnsserver.py: dnsserver-find no longer returns internal server 
error

MartinBasti commented:
"""
master:

* 74d36a8af69a2946007ebd4d57c7bf0891d561db dnsserver.py: dnsserver-find no 
longer returns internal server error


"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/862#issuecomment-308708624


[Freeipa-devel] [freeipa PR#862][+pushed] dnsserver.py: dnsserver-find no longer returns internal server error

2017-06-15 Thread MartinBasti via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/862
Title: #862: dnsserver.py: dnsserver-find no longer returns internal server 
error

Label: +pushed


[Freeipa-devel] [freeipa PR#860][comment] adtrustinstance: fix ID range comparison

2017-06-15 Thread MartinBasti via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/860
Title: #860: adtrustinstance: fix ID range comparison

MartinBasti commented:
"""
master:

* 440c61dc40353833cad3a5fc509821ce1f23757f adtrustinstance: fix ID range 
comparison


"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/860#issuecomment-308708256


[Freeipa-devel] [freeipa PR#860][+pushed] adtrustinstance: fix ID range comparison

2017-06-15 Thread MartinBasti via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/860
Title: #860: adtrustinstance: fix ID range comparison

Label: +pushed


[Freeipa-devel] [freeipa PR#860][+ack] adtrustinstance: fix ID range comparison

2017-06-15 Thread MartinBasti via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/860
Title: #860: adtrustinstance: fix ID range comparison

Label: +ack


[Freeipa-devel] [freeipa PR#865][+ack] ipatests: do not collect systemd journal when logfile_dir is missing

2017-06-15 Thread MartinBasti via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/865
Title: #865: ipatests: do not collect systemd journal when logfile_dir is 
missing

Label: +ack


[Freeipa-devel] [freeipa PR#862][+ack] dnsserver.py: dnsserver-find no longer returns internal server error

2017-06-15 Thread MartinBasti via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/862
Title: #862: dnsserver.py: dnsserver-find no longer returns internal server 
error

Label: +ack


[Freeipa-devel] [freeipa PR#871][+ack] Add --force-join into ipa-replica-install manpage

2017-06-15 Thread flo-renaud via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/871
Title: #871: Add --force-join into ipa-replica-install manpage

Label: +ack


[Freeipa-devel] [freeipa PR#871][comment] Add --force-join into ipa-replica-install manpage

2017-06-15 Thread flo-renaud via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/871
Title: #871: Add --force-join into ipa-replica-install manpage

flo-renaud commented:
"""
Hi @Tiboris 
thank you for the patch. Works as expected.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/871#issuecomment-308687145


[Freeipa-devel] [freeipa PR#875][opened] Fix ip address checks

2017-06-15 Thread MartinBasti via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/875
Author: MartinBasti
 Title: #875: Fix ip address checks
Action: opened

PR body:
"""
Fix various checks of IP addresses in installers, and remove some unneeded 
checks that are not working correctly and mainly cause only false positive errors.

This PR also fixes regressions caused by 
bf9886a84393d1d1546db7e49b102e08a16a83e7

https://pagure.io/freeipa/issue/4317
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/875/head:pr875
git checkout pr875
From f342625aa0da367792cfbd5c4f1a164bf878ee8c Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Tue, 13 Jun 2017 17:03:30 +0200
Subject: [PATCH 1/7] Fix local IP address validation

Previously bf9886a84393d1d1546db7e49b102e08a16a83e7 match_local had the
undesirable side effect that the CheckedIPAddress object got self._net set
from the local interface.

However, with the recent changes, match_local is usually set to False,
thus this side effect stops happening and the default mask per address class
is used. This causes a validation error because the mask on the interface and
the mask used for provided IP addresses differ (reproducible only with
classless masks).

FreeIPA should compare only IP addresses with local addresses, without masks.

https://pagure.io/freeipa/issue/4317
---
 ipapython/ipautil.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index a277ed8747..647ee833ae 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -216,10 +216,10 @@ def get_matching_interface(self):
 addr=ifaddr,
 netmask=ifdata['netmask']
 ))
-if ifnet == self._net or (
-self._net is None and ifnet.ip == self):
-self._net = ifnet
+
+if ifnet.ip == self:
 iface = interface
+self._net = ifnet
 break
 
 return iface
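Review bot: the side effect the commit message complains about is still present in this hunk: `+self._net = ifnet` now runs on every match, so a netmask the caller passed in is silently replaced by the interface's mask. If that overwrite is intended for match_local, say so in the message; otherwise drop the assignment here (the later commit in this series, "Make methods without side effects", suggests it is going away anyway). The comparison itself, `if ifnet.ip == self:`, does what the message asks: addresses are matched without masks.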

From 446d8fbfa0a912f993191c1447fb4f8002ea065d Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 14 Jun 2017 14:45:03 +0200
Subject: [PATCH 2/7] ipa-dns-install: remove check for local ip address

This check was forgotten and will be removed now.

https://pagure.io/freeipa/issue/4317
---
 install/tools/ipa-dns-install | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/install/tools/ipa-dns-install b/install/tools/ipa-dns-install
index 5bd0ba6d77..cb6c5d887f 100755
--- a/install/tools/ipa-dns-install
+++ b/install/tools/ipa-dns-install
@@ -47,7 +47,9 @@ def parse_options():
   default=False, help="print debugging information")
 parser.add_option("--ip-address", dest="ip_addresses", metavar="IP_ADDRESS",
   default=[], action="append",
-  type="ip", ip_local=True, help="Master Server IP Address. This option can be used multiple times")
+  type="ip",
+  help="Master Server IP Address. This option can be used "
+   "multiple times")
 parser.add_option("--forwarder", dest="forwarders", action="append",
   type="ip", help="Add a DNS forwarder. This option can be used multiple times")
 parser.add_option("--no-forwarders", dest="no_forwarders", action="store_true",
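Review bot: dropping `ip_local=True` means `--ip-address` now accepts any syntactically valid address at option-parsing time, but the commit message ("This check was forgotten and will be removed now") does not say where, if anywhere, the local-address check happens instead. Please state in the message whether ipa-dns-install validates the address later or deliberately accepts non-local addresses, so the behaviour change is documented rather than implied.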

From 082ff655fd44b82e26b675f1a20fc4be5a3abc05 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 14 Jun 2017 14:47:23 +0200
Subject: [PATCH 3/7] refactor CheckedIPAddress class

Make methods without side effects (setting mask)

https://pagure.io/freeipa/issue/4317
---
 ipapython/ipautil.py | 29 ++---
 1 file changed, 22 insertions(+), 7 deletions(-)

diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index 647ee833ae..2c020e3ecb 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -62,6 +62,12 @@
 socket.SOCK_DGRAM: 'udp'
 }
 
+InterfaceDetails = collections.namedtuple(
+'InterfaceDetails', [
+'name',  # interface name
+'ifnet'  # network details of interface
+])
+
 
 class UnsafeIPAddress(netaddr.IPAddress):
 """Any valid IP address with or without netmask."""
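Review bot: `InterfaceDetails = collections.namedtuple(...)` relies on `collections` being imported, and this hunk adds no import; if ipautil.py does not already import it, the module fails to import with a NameError. Also consider a docstring on the tuple, or a comment saying what type `ifnet` holds (an IPNetwork, judging by the `ifnet.ip` comparisons in patch 1/7), so callers know what `.ifnet` is.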
@@ -161,9 +167,12 @@ def __init__(self, addr, match_local=False, parse_netmask=True,
 raise ValueError("cannot use multicast IP address {}".format(addr))
 
 if match_local:
-if not self.get_matching_interface():
+intf_details = self.get_matching_interface()
+if not intf_details:
 raise ValueError('no network interface matches the IP address '
  'and netmask {}'.format(addr))
+else:
+self.set_ip_net(intf_details.ifnet)
 
 if self._net is None:
 if self.version == 4:
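Review bot: the `else:` after a `raise` is redundant; `self.set_ip_net(intf_details.ifnet)` can follow the `if` block unindented. More importantly, this hunk uses `intf_details.ifnet` and `self.set_ip_net(...)`, but neither `set_ip_net` nor a `get_matching_interface` that returns an `InterfaceDetails` (the patch 1/7 version returns the bare `iface` name) is visible in the excerpt; those changes must be in the truncated `@@ -193,7 +202,8 @@` hunk, so please make sure they land in this same commit to keep it bisectable.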
@@ -193,7 +202,8 @@ def is_broadcast_addr(self):
 
 def 

[Freeipa-devel] [freeipa PR#872][synchronized] Add IPA-specific bind unit file

2017-06-15 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/872
Author: stlaz
 Title: #872: Add IPA-specific bind unit file
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/872/head:pr872
git checkout pr872
From c8f0060ce4ac27db4db1771a65b9319fb6557cdc Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Wed, 14 Jun 2017 07:46:16 +0200
Subject: [PATCH] Add IPA-specific bind unit file

During upgrade of Fedora 25 to 26, when FreeIPA is installed with
DNS, bind attempts to start before KDC which leads to a failed
start because it requires a ticket to connect to LDAP.

Add our own unit file with a dependency which sets bind to start
after the KDC service.

https://pagure.io/freeipa/issue/7018
---
 freeipa.spec.in  |  1 +
 init/systemd/Makefile.am |  2 +
 init/systemd/ipa-named-pkcs11.service.in | 27 
 ipaplatform/redhat/services.py   |  3 +-
 ipaserver/install/bindinstance.py| 66 
 ipaserver/install/server/upgrade.py  | 45 +--
 ipatests/pytest_plugins/integration/tasks.py |  4 +-
 ipatests/test_xmlrpc/test_location_plugin.py |  4 +-
 8 files changed, 114 insertions(+), 38 deletions(-)
 create mode 100644 init/systemd/ipa-named-pkcs11.service.in

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 1446dfbb7c..00b2bb8ae1 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -1220,6 +1220,7 @@ fi
 %attr(644,root,root) %{_unitdir}/ipa-dnskeysyncd.service
 %attr(644,root,root) %{_unitdir}/ipa-ods-exporter.socket
 %attr(644,root,root) %{_unitdir}/ipa-ods-exporter.service
+%attr(644,root,root) %{_unitdir}/ipa-named-pkcs11.service
 # END
 %attr(755,root,root) %{plugin_dir}/libipa_pwd_extop.so
 %attr(755,root,root) %{plugin_dir}/libipa_enrollment_extop.so
diff --git a/init/systemd/Makefile.am b/init/systemd/Makefile.am
index 945f6ac22a..c417caac87 100644
--- a/init/systemd/Makefile.am
+++ b/init/systemd/Makefile.am
@@ -3,10 +3,12 @@
 AUTOMAKE_OPTIONS = 1.7
 
 dist_noinst_DATA = 			\
+	ipa-named-pkcs11.service.in \
 	ipa-custodia.service.in		\
 	ipa.service.in
 
 systemdsystemunit_DATA = 	\
+	ipa-named-pkcs11.service \
 	ipa-custodia.service	\
 	ipa.service
 
diff --git a/init/systemd/ipa-named-pkcs11.service.in b/init/systemd/ipa-named-pkcs11.service.in
new file mode 100644
index 00..d89d9976e5
--- /dev/null
+++ b/init/systemd/ipa-named-pkcs11.service.in
@@ -0,0 +1,27 @@
+[Unit]
+Description=Berkeley Internet Name Domain (DNS) with native PKCS#11
+Wants=nss-lookup.target
+Wants=named-setup-rndc.service
+Before=nss-lookup.target
+After=network.target
+After=named-setup-rndc.service
+# we need to wait for KDC so that named may connect to LDAP via GSSAPI
+After=krb5kdc.service
+
+[Service]
+Type=forking
+EnvironmentFile=-/etc/sysconfig/named
+Environment=KRB5_KTNAME=/etc/named.keytab
+PIDFile=/run/named/named.pid
+
+ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z /etc/named.conf; else echo "Checking of zone files is disabled"; fi'
+ExecStart=/usr/sbin/named-pkcs11 -u named $OPTIONS
+
+ExecReload=/bin/sh -c '/usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID'
+
+ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'
+
+PrivateTmp=true
+
+[Install]
+WantedBy=multi-user.target
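Review bot: the ordering added for the bug in the commit message is only `After=krb5kdc.service`; `After=` orders but does not pull the KDC in, and the message says named needs a ticket to reach LDAP, so the directory server must be up as well. That holds only if krb5kdc.service is itself ordered after the directory server; either add an explicit `After=` on the directory server unit or note the transitive dependency in the comment above `After=krb5kdc.service`. Smaller points: the file is named `.service.in` but contains no substitution variables (all paths such as `/usr/sbin/named-pkcs11` and `/etc/named.keytab` are hard-coded), so either use the platform path variables or install it as a plain `.service`; and the `ExecStartPre` test `[ ! "$DISABLE_ZONE_CHECKING" == "yes" ]` works only because the shell is explicitly `/bin/bash`, `=` would be the portable form.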
diff --git a/ipaplatform/redhat/services.py b/ipaplatform/redhat/services.py
index 8fae1f3cc5..ee5060e28f 100644
--- a/ipaplatform/redhat/services.py
+++ b/ipaplatform/redhat/services.py
@@ -62,7 +62,8 @@
 redhat_system_units['ipa-otpd'] = 'ipa-otpd.socket'
 redhat_system_units['ipa-dnskeysyncd'] = 'ipa-dnskeysyncd.service'
 redhat_system_units['named-regular'] = 'named.service'
-redhat_system_units['named-pkcs11'] = 'named-pkcs11.service'
+redhat_system_units['named-pkcs11-regular'] = 'named-pkcs11.service'
+redhat_system_units['named-pkcs11'] = 'ipa-named-pkcs11.service'
 redhat_system_units['named'] = redhat_system_units['named-pkcs11']
 redhat_system_units['ods-enforcerd'] = 'ods-enforcerd.service'
 redhat_system_units['ods_enforcerd'] = redhat_system_units['ods-enforcerd']
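Review bot: re-pointing the `named-pkcs11` key at `ipa-named-pkcs11.service` changes what every existing caller of `services.service('named-pkcs11')`, and through the alias on the next line `services.service('named')`, acts on; on an already installed server the old `named-pkcs11.service` is the one currently enabled, so the upgrade path has to disable it and enable the new unit (the diffstat shows upgrade.py is touched, but that hunk is not in the excerpt). A one-line comment here saying that `named-pkcs11-regular` is the distribution unit and `named-pkcs11` the IPA-managed one would keep the two from being mixed up later.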
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index 03dce56aa0..dbc014303e 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -619,7 +619,11 @@ def __init__(self, fstore=None, api=api):
 self.forwarders = None
 self.sub_dict = None
 self.reverse_zones = []
-self.named_regular = services.service('named-regular', api)
+# these DNS services should be disabled prior to setting up our own
+self.regular_dns_services = {
+'named': services.service('named-regular', api),
+'named-pkcs11': services.service('named-pkcs11-regular', api)
+}
 
 suffix = 
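Review bot: `self.named_regular` is removed in favour of the `self.regular_dns_services` dict, so any remaining use of `self.named_regular` in this file (the diffstat reports 66 lines changed here, only this hunk is shown) would raise AttributeError at runtime; grep for it before merge. Since the comment says both services "should be disabled prior to setting up our own", the disable/mask code should iterate `self.regular_dns_services.values()` rather than name the two entries, so a third regular unit can be added in this one place.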

[Freeipa-devel] [freeipa PR#872][comment] Add IPA-specific bind unit file

2017-06-15 Thread stlaz via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/872
Title: #872: Add IPA-specific bind unit file

stlaz commented:
"""
The last update should sort the masking of the named-pkcs11 service along with 
the previously handled named. I will update the release notes once we settle on 
the form of the patch.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/872#issuecomment-308668223


[Freeipa-devel] [freeipa PR#842][closed] Changed ownership of ldiffile to DS_USER

2017-06-15 Thread MartinBasti via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/842
Author: tscherf
 Title: #842: Changed ownership of ldiffile to DS_USER
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/842/head:pr842
git checkout pr842


[Freeipa-devel] [freeipa PR#842][+pushed] Changed ownership of ldiffile to DS_USER

2017-06-15 Thread MartinBasti via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/842
Title: #842: Changed ownership of ldiffile to DS_USER

Label: +pushed


[Freeipa-devel] [freeipa PR#872][synchronized] Add IPA-specific bind unit file

2017-06-15 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/872
Author: stlaz
 Title: #872: Add IPA-specific bind unit file
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/872/head:pr872
git checkout pr872
From 37f46e4f72622a3458e43d1b960ea03cdf47a99a Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Wed, 14 Jun 2017 07:46:16 +0200
Subject: [PATCH] Add IPA-specific bind unit file

During upgrade of Fedora 25 to 26, when FreeIPA is installed with
DNS, bind attempts to start before KDC which leads to a failed
start because it requires a ticket to connect to LDAP.

Add our own unit file with a dependency which sets bind to start
after the KDC service.

https://pagure.io/freeipa/issue/7018
---
 freeipa.spec.in  |  1 +
 init/systemd/Makefile.am |  2 +
 init/systemd/ipa-named-pkcs11.service.in | 27 
 ipaplatform/redhat/services.py   |  3 +-
 ipaserver/install/bindinstance.py| 66 
 ipaserver/install/server/upgrade.py  | 45 +--
 ipatests/pytest_plugins/integration/tasks.py |  4 +-
 ipatests/test_xmlrpc/test_location_plugin.py |  4 +-
 8 files changed, 114 insertions(+), 38 deletions(-)
 create mode 100644 init/systemd/ipa-named-pkcs11.service.in

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 1446dfbb7c..00b2bb8ae1 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -1220,6 +1220,7 @@ fi
 %attr(644,root,root) %{_unitdir}/ipa-dnskeysyncd.service
 %attr(644,root,root) %{_unitdir}/ipa-ods-exporter.socket
 %attr(644,root,root) %{_unitdir}/ipa-ods-exporter.service
+%attr(644,root,root) %{_unitdir}/ipa-named-pkcs11.service
 # END
 %attr(755,root,root) %{plugin_dir}/libipa_pwd_extop.so
 %attr(755,root,root) %{plugin_dir}/libipa_enrollment_extop.so
diff --git a/init/systemd/Makefile.am b/init/systemd/Makefile.am
index 945f6ac22a..c417caac87 100644
--- a/init/systemd/Makefile.am
+++ b/init/systemd/Makefile.am
@@ -3,10 +3,12 @@
 AUTOMAKE_OPTIONS = 1.7
 
 dist_noinst_DATA = 			\
+	ipa-named-pkcs11.service.in \
 	ipa-custodia.service.in		\
 	ipa.service.in
 
 systemdsystemunit_DATA = 	\
+	ipa-named-pkcs11.service \
 	ipa-custodia.service	\
 	ipa.service
 
diff --git a/init/systemd/ipa-named-pkcs11.service.in b/init/systemd/ipa-named-pkcs11.service.in
new file mode 100644
index 00..d89d9976e5
--- /dev/null
+++ b/init/systemd/ipa-named-pkcs11.service.in
@@ -0,0 +1,27 @@
+[Unit]
+Description=Berkeley Internet Name Domain (DNS) with native PKCS#11
+Wants=nss-lookup.target
+Wants=named-setup-rndc.service
+Before=nss-lookup.target
+After=network.target
+After=named-setup-rndc.service
+# we need to wait for KDC so that named may connect to LDAP via GSSAPI
+After=krb5kdc.service
+
+[Service]
+Type=forking
+EnvironmentFile=-/etc/sysconfig/named
+Environment=KRB5_KTNAME=/etc/named.keytab
+PIDFile=/run/named/named.pid
+
+ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z /etc/named.conf; else echo "Checking of zone files is disabled"; fi'
+ExecStart=/usr/sbin/named-pkcs11 -u named $OPTIONS
+
+ExecReload=/bin/sh -c '/usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID'
+
+ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'
+
+PrivateTmp=true
+
+[Install]
+WantedBy=multi-user.target
diff --git a/ipaplatform/redhat/services.py b/ipaplatform/redhat/services.py
index 8fae1f3cc5..ee5060e28f 100644
--- a/ipaplatform/redhat/services.py
+++ b/ipaplatform/redhat/services.py
@@ -62,7 +62,8 @@
 redhat_system_units['ipa-otpd'] = 'ipa-otpd.socket'
 redhat_system_units['ipa-dnskeysyncd'] = 'ipa-dnskeysyncd.service'
 redhat_system_units['named-regular'] = 'named.service'
-redhat_system_units['named-pkcs11'] = 'named-pkcs11.service'
+redhat_system_units['named-pkcs11-regular'] = 'named-pkcs11.service'
+redhat_system_units['named-pkcs11'] = 'ipa-named-pkcs11.service'
 redhat_system_units['named'] = redhat_system_units['named-pkcs11']
 redhat_system_units['ods-enforcerd'] = 'ods-enforcerd.service'
 redhat_system_units['ods_enforcerd'] = redhat_system_units['ods-enforcerd']
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index 03dce56aa0..27f67fa83a 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -619,7 +619,11 @@ def __init__(self, fstore=None, api=api):
 self.forwarders = None
 self.sub_dict = None
 self.reverse_zones = []
-self.named_regular = services.service('named-regular', api)
+# these DNS services should be disabled prior to setting up our own
+self.regular_dns_services = {
+'named': services.service('named-regular', api),
+'named-pkcs11': services.service('named-pkcs11-regular', api)
+}
 
 suffix = 
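Review bot: the hunks shown for this push are line for line the same as in the other push of this PR on this page; the only visible difference is the blob id of bindinstance.py (`27f67fa83a` here against `dbc014303e`), so the revision lies in a part of bindinstance.py that the excerpt does not show. For reviewers following the thread it would help if the follow-up comment named the functions that changed between the two pushes.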

[Freeipa-devel] [freeipa PR#873][comment] kra: promote: Get ticket before attempting to get KRA keys with custodia

2017-06-15 Thread martbab via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/873
Title: #873: kra: promote: Get ticket before attempting to get KRA keys with 
custodia

martbab commented:
"""
master:

* 342f72140f9bd8b8db19f469ae4c56cac7492901 kra: promote: Get ticket before 
calling custodia


ipa-4-5:

* 15076a1c2b0fb31dce3903e5f50cab9edf68ad07 kra: promote: Get ticket before 
calling custodia


"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/873#issuecomment-308661144


[Freeipa-devel] [freeipa PR#873][+ack] kra: promote: Get ticket before attempting to get KRA keys with custodia

2017-06-15 Thread stlaz via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/873
Title: #873: kra: promote: Get ticket before attempting to get KRA keys with 
custodia

Label: +ack


[Freeipa-devel] [freeipa PR#701][+pushed] ipa help doesn't always work

2017-06-15 Thread martbab via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/701
Title: #701: ipa help doesn't always work

Label: +pushed


[Freeipa-devel] [freeipa PR#873][synchronized] kra: promote: Get ticket before attempting to get KRA keys with custodia

2017-06-15 Thread dkupka via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/873
Author: dkupka
 Title: #873: kra: promote: Get ticket before attempting to get KRA keys with 
custodia
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/873/head:pr873
git checkout pr873
From 3a653419ded76b16cd7df150e6fc37c2d1651389 Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Wed, 14 Jun 2017 15:39:58 +0200
Subject: [PATCH] kra: promote: Get ticket before calling custodia

When installing a second (or consequent) KRA instance, keys are retrieved
using custodia. Custodia checks that the keys are synchronized in the
master's directory server, and the check uses GSSAPI and therefore fails
if there's no ticket in the ccache.

https://pagure.io/freeipa/issue/7020
---
 ipaserver/install/kra.py | 21 ++---
 1 file changed, 14 insertions(+), 7 deletions(-)

diff --git a/ipaserver/install/kra.py b/ipaserver/install/kra.py
index f345406128..3545b301a9 100644
--- a/ipaserver/install/kra.py
+++ b/ipaserver/install/kra.py
@@ -10,6 +10,7 @@
 import shutil
 
 from ipalib import api
+from ipalib.install.kinit import kinit_keytab
 from ipaplatform import services
 from ipaplatform.paths import paths
 from ipapython import certdb
@@ -84,13 +85,19 @@ def install(api, replica_config, options):
 return
 krafile = os.path.join(replica_config.dir, 'kracert.p12')
 if options.promote:
-custodia = custodiainstance.CustodiaInstance(
-replica_config.host_name,
-replica_config.realm_name)
-custodia.get_kra_keys(
-replica_config.kra_host_name,
-krafile,
-replica_config.dirman_password)
+with ipautil.private_ccache():
+ccache = os.environ['KRB5CCNAME']
+kinit_keytab(
+'host/{env.host}@{env.realm}'.format(env=api.env),
+paths.KRB5_KEYTAB,
+ccache)
+custodia = custodiainstance.CustodiaInstance(
+replica_config.host_name,
+replica_config.realm_name)
+custodia.get_kra_keys(
+replica_config.kra_host_name,
+krafile,
+replica_config.dirman_password)
 else:
 cafile = os.path.join(replica_config.dir, 'cacert.p12')
 if not ipautil.file_exists(cafile):
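Review bot: scoping the credentials in `ipautil.private_ccache()` and obtaining them from the host keytab is the right shape, but the principal is built from `api.env.host`/`api.env.realm` while the `CustodiaInstance` a few lines later is built from `replica_config.host_name`/`replica_config.realm_name`; on a promoting replica these should agree, yet using `replica_config` for both removes any chance of a mismatch. Also worth a line in the commit message: `kinit_keytab(..., paths.KRB5_KEYTAB, ccache)` assumes the host keytab already exists at this point of promotion, and `replica_config.dirman_password` is still passed to `get_kra_keys` even though the key-sync check now authenticates with GSSAPI, so say which step still needs the password.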