[Freeipa-devel] How should replication work?

2018-07-25 Thread Tibor Dudlák via FreeIPA-devel
Hello!

I am trying to resolve issue [1] and I just bumped into questions that
grind my gears.
First of all, after some effort spent by Christian, we had some patches that
helped parallel replication, but PR 2048 [2] brought to life a
regression on DL0 mentioned in issue [1].
I think that [1] is resolved correctly by reverting [2], but I still have these
questions.
Shouldn't we try to connect to the CA to make sure it is accessible [3], if
PR 2048 [2] is trying to resolve this kind of problem?
As it is in [4], we only "hope", and given that there is a possibility that
this method will set up ca_host to point at a host even when the CA is not
available on it, shouldn't we refactor it a bit? If yes, please point me in
the right direction.

Thanks!

[1] https://pagure.io/freeipa/issue/7629
[2] https://github.com/freeipa/freeipa/pull/2048/files
[3] https://github.com/freeipa/freeipa/blob/78cefe098f57bb731b10028a9eea12a7022656c1/ipaserver/plugins/dogtag.py#L1176
[4] https://github.com/freeipa/freeipa/blob/78cefe098f57bb731b10028a9eea12a7022656c1/ipaserver/plugins/dogtag.py#L1263


-- 
Tibor Dudlák
Identity management - FreeIPA
Brno, TPB-C, 2C407
Red Hat
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-devel@lists.fedorahosted.org/message/IOSK6W6NR4JU2MWAESFDKRUZITAPQMH4/
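An added illustration (not FreeIPA's own code) of the "verify before pointing ca_host at it" refactor the message above asks about: CA-capable masters are ordered with the local host first, each candidate is probed, and only a responding CA is selected. The master list, host names, port and probe function are all assumptions.

```python
"""Pick a CA host only after verifying that the CA answers (illustration only).

Assumptions, not FreeIPA code: a dict of masters mapping host name to whether
it advertises the CA role, a pluggable probe, and port 443 (IPA fronts the CA
through httpd). A bare TCP connect is used so the example has no dependencies;
a real check would request the CA status page over HTTPS.
"""
import socket
from typing import Callable, Dict, List, Optional

# Constructed sample topology: host -> does it advertise the CA role?
SAMPLE_MASTERS: Dict[str, bool] = {
    "ipa1.example.test": True,
    "ipa2.example.test": True,
    "ipa3.example.test": False,  # replica installed without a CA
}

ProbeFn = Callable[[str, int, float], bool]


def tcp_probe(host: str, port: int = 443, timeout: float = 3.0) -> bool:
    """Return True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, DNS failure, timeout
        return False


def candidate_ca_hosts(masters: Dict[str, bool], local_host: str) -> List[str]:
    """Masters that advertise a CA: the local host first, then sorted by name."""
    with_ca = sorted(h for h, has_ca in masters.items() if has_ca)
    if local_host in with_ca:
        with_ca.remove(local_host)
        with_ca.insert(0, local_host)
    return with_ca


def select_ca_host(masters: Dict[str, bool], local_host: str,
                   probe: ProbeFn = tcp_probe, port: int = 443,
                   timeout: float = 3.0) -> Optional[str]:
    """Return the first candidate whose CA endpoint actually answers, else None.

    None instead of a hopeful guess lets the caller fail loudly (abort the
    install, log which hosts were tried) rather than point ca_host at a dead CA.
    """
    for host in candidate_ca_hosts(masters, local_host):
        if probe(host, port, timeout):
            return host
    return None


if __name__ == "__main__":
    # Offline demo with a constructed probe: only ipa2's CA "answers".
    fake = lambda host, port, timeout: host == "ipa2.example.test"
    print(select_ca_host(SAMPLE_MASTERS, "ipa1.example.test", probe=fake))
```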


[Freeipa-devel] Re: IPA's NTP service

2018-02-06 Thread Tibor Dudlák via FreeIPA-devel
Hi!

To be more clear about what I want to achieve, there is a bugzilla:

https://bugzilla.redhat.com/show_bug.cgi?id=1456863

I want to replace the ntp configuration with a script provided by Miroslav
Lichvar.
And if any administrator would like to have another time synchronization
service up and running, they can still use the -N option.

Thanks :)



-- 
Tibor Dudlák
Identity management - freeIPA
Brno, TPB-C, 2C407
Red Hat


[Freeipa-devel] Re: Hello freeipa-devel

2018-01-29 Thread Tibor Dudlák via FreeIPA-devel
On Mon, Jan 29, 2018 at 4:21 PM, John Larson via FreeIPA-devel <freeipa-devel@lists.fedorahosted.org> wrote:

> First of all, thanks so much for working on FreeIPA! I have been using it
> for many years and I think it's great. I recently noticed an issue and I
> went ahead and opened it:
>
>  https://pagure.io/freeipa/issue/7380
>
> I do a fair amount of Python so I started looking through the FreeIPA code
> and noticed where I think the problem is. I decided I would try and become a
> contributor and try and fix it myself and then help out where I can moving
> forward as my time permits.
>
> I am just introducing myself here, but look out as I will try and commit
> this fix after I learn the process. :)
>
> John
>

Hello John!

I really like seeing a possible new upstream contributor.
To contribute to FreeIPA, please:
- fork the upstream repository: https://github.com/freeipa/freeipa
- create a branch for your work in your fork (keep it up to date with
upstream master)
- submit a pull request containing your commits to the upstream repository

Have a nice day.

-- 
Tibor Dudlák
Identity management - freeIPA
Brno, TPB-C, 2C407
Red Hat


[Freeipa-devel] Re: IPA's NTP service

2018-01-29 Thread Tibor Dudlák via FreeIPA-devel
On Mon, Jan 29, 2018 at 3:09 PM, Simo Sorce wrote:

> On Mon, 2018-01-29 at 14:54 +0100, Tibor Dudlák wrote:
>
> [...]
>
> > > > > So given the above we initially decided to make IPA servers also ntp
> > > > > servers and configure client to use IPA server as time sources.
> >
> > Not configuring NTP service but still requiring it might be a way to give
> > freedom of choice to the IPA administrator to set one they prefer before
> > installing IPA. :)
>
> I think this is the worst of the possible outcomes, as now you need to
> add one more manual step to the configuration of the system.
> The point of ipa-server-install is to simplify installation and
> configure everything that is *required* except the Operating System.
> Requiring something and not installing it would be a net regression.
>
> [...]
>
> > So should we only replace ntpd with chronyd and have option to not
> > configure NTP service (chronyd) as it is now if administrator wants to use
> > other than chronyd?
>
> This is certainly an option, but we would then require to have code for
> both ntpd and chronyd upstream, because some older distros use NTP.
> Not that this is too difficult, we already have the platform
> abstraction, so it is simply a matter of adding chronyd w/o removing
> ntpd.
>
> HTH,
> Simo.
>

Thanks for the input, Simo.

-- 
Tibor Dudlák
Identity management - freeIPA
Brno, TPB-C, 2C407
Red Hat


[Freeipa-devel] Re: IPA's NTP service

2018-01-29 Thread Tibor Dudlák via FreeIPA-devel
On Thu, Jan 25, 2018 at 2:02 PM, Rob Crittenden via FreeIPA-devel <freeipa-devel@lists.fedorahosted.org> wrote:

> Levin Stanislav via FreeIPA-devel wrote:
> > Hello All.
> >
> > There are several good NTP servers/clients. And different Linux
> > distributions use them (not only ntpd or chronyd). But FreeIPA chose ntpd
> > strictly. It is a bottleneck for a platform porting. Perhaps, FreeIPA
> > should allow the administrator to select which one to use and should
> > support it (like install and work).
>
> Administrators can do that now with the -N option (don't enable NTP).
>

If IPA will not drop the NTP service configuration, I believe this, Stanislav,
is what you would need in order to have another service running.
I think there is no way IPA could support all possible NTP daemons, as
Rob said.


> The problem is two-fold:
>
> 1. NTP was added because proper time is so critical to Kerberos and
> 389-ds replication and it was clear early on in IPA that virtually
> nobody had it properly working. Some still struggle.
> 2. Providing too many knobs increases support and development costs in
> time and effort. Each server has its own config and idiosyncrasies and
> they can change over time so keeping up has cost.
>
> We didn't pick ntpd as the winner. It was the only game in town at the
> time, and given it worked and since then we've had much bigger fish to
> fry there has been no real drive to replace it (at least not so much
> that someone provided patches to do so).
>
> rob
>
> >
> > Thank you.
> >
> > 24.01.2018 18:57, Simo Sorce via FreeIPA-devel wrote:
> >> On Wed, 2018-01-24 at 16:25 +0100, Tibor Dudlák via FreeIPA-devel
> >> wrote:
> >>> Hello FreeIPA-devel list fellow beings!
> >>>
> >>> I would like to continue the discussion started in [1], and find its
> >>> solution.
> >>>
> >>> While using the Single-Sign-on authentication provided via an MIT Kerberos
> >>> KDC there must not be any significant clock skew between server and
> >>> clients so a time synchronization service is required.
> >>>
> >>> Red Hat Enterprise Linux is about to deprecate ntpd service and will
> >>> support chronyd instead. This will happen in release 8 and by this time we
> >>> should agree on some changes in IPA - whether to remove or replace the
> >>> already used ntpd service. I would like to sum up this change in a design
> >>> page but there should be an agreement first.
> >>>
> >>> IPA, as is, checks the system configuration and if there is an NTP service
> >>> configured and running then it forces ntpd, meaning it disables any other
> >>> NTP service. It also alters its configuration, and restarts the NTP service
> >>> instance.
> >>>
> >>> We may now want to consider, as the time sync service change is required,
> >>> to NOT configure a service that is not a part of the identity management
> >>> such as NTP, and leave it to system/IPA administrators.
> >> Let me explain why we do this:
> >> As you noted above kerberos will fail to work properly if clocks drift
> >> too much, so we wanted to provide a simple way to keep the whole domain
> >> in sync. We also had plans to keep the domain in sync *securely* as an
> >> attacker could create Denial of Service attacks by subtly drifting
> >> different machines clocks.
> >>
> >> ntpd was the only one that offered hooks to sign NTP packets (which
> >> were used by Samba only at the time and required compile time changes
> >> when we started) using kerberos keys, so the original plan was to
> >> eventually get there. Unfortunately we never prioritized this work.
> >>
> >> So given the above we initially decided to make IPA servers also ntp
> >> servers and configure client to use IPA server as time sources.
>

Not configuring NTP service but still requiring it might be a way to give
freedom of choice to the IPA administrator to set one they prefer before
installing IPA. :)


> >>
> >> This is just to give an overview of the reasons behind choosing ntpd
> >> specifically and why it was overriding ntp config on servers/clients
> >>
> >>> IPA install script may only check whether there is an NTP service running
> >>> and if not, it would ask the administrator to configure it before the IPA
> >>> installation

[Freeipa-devel] IPA's NTP service

2018-01-24 Thread Tibor Dudlák via FreeIPA-devel
Hello FreeIPA-devel list fellow beings!

I would like to continue the discussion started in [1], and find its
solution.

While using the Single-Sign-on authentication provided via an MIT Kerberos
KDC there must not be any significant clock skew between server and
clients so a time synchronization service is required.

Red Hat Enterprise Linux is about to deprecate ntpd service and will
support chronyd instead. This will happen in release 8 and by this time we
should agree on some changes in IPA - whether to remove or replace the already
used ntpd service. I would like to sum up this change in a design page but
there should be an agreement first.

IPA, as is, checks the system configuration and if there is an NTP service
configured and running then it forces ntpd, meaning it disables any other
NTP service. It also alters its configuration, and restarts the NTP service
instance.

We may now want to consider, as the time sync service change is required,
to NOT configure a service that is not a part of the identity management
such as NTP, and leave it to system/IPA administrators.

IPA install script may only check whether there is an NTP service running
and if not, it would ask the administrator to configure it before the IPA
installation.

Upgrade of IPA might be more complicated because there will be the ntpd
service entry in LDAP, and the service will be up and running. I would
suggest that we do not remove any working ntpd service already configured
but only disown it from IPA's LDAP tree.

I will be glad for any input from you people and hopefully there will be an
acceptable solution for this soon :)

Thanks!

[1]
https://www.redhat.com/archives/freeipa-devel/2016-November/msg00807.html

-- 
Tibor Dudlák
Identity management - FreeIPA
Brno, TPB-C, 2C407
Red Hat


[Freeipa-devel] GitHub assignee labels

2018-01-15 Thread Tibor Dudlák via FreeIPA-devel
Hi people!

I could not miss that we stopped using GitHub's assignee label, and I have
got used to it.
Is there a possibility to bring this habit back on track? I find it very
useful when I am trying to find a PR which I want to look into.

Thanks!

-- 
Tibor Dudlák
Identity management - freeIPA
Brno, TPB-C, 2C407
Red Hat


[Freeipa-devel] Announcing FreeIPA 4.6.2

2017-12-12 Thread Tibor Dudlák via FreeIPA-devel
The FreeIPA team would like to announce FreeIPA 4.6.2 release!

It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for
Fedora 26 and 27 will be available in the official
[https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-6/ COPR
repository].

== Highlights in 4.6.2 ==
=== Enhancements ===
=== Known Issues ===

=== Bug fixes ===
FreeIPA 4.6.2 is a stabilization release for the features delivered as a
part of 4.6.0.
There are more than 20 bug fixes, details of which can be seen in
the list of resolved tickets below.

== Upgrading ==
Upgrade instructions are available on [[Upgrade]] page.

== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users mailing
list (https://lists.fedoraproject.org/archives/list/freeipa-us...@lists.fedorahosted.org/)
or the #freeipa channel on Freenode.


== Resolved tickets ==
* 7275 Viewing DNS Records with WebUI fails
* 7254 test_caless: fix http.p12 is not valid and provide domain_level for replica tests
* 7226 Remove remaining references to Firefox configuration extension
* 7213 Increase dbus client timeouts during CA install
* 7210 Firefox reports insecure TLS configuration when visiting FreeIPA web UI after standard server deployment
* 7208 freeipa: binary RPMs require both Python 2 and Python 3
* 7190 Wrong info message from tasks.py
* 7189 make check is failed
* 7187 ipa-replica-manage should provide a debug option
* 7186 testing: get back command outputs when running tests
* 7155 test_caless: add caless to external CA test
* 7154 test_external_ca: switch to python-cryptography
* 7153 Switch "ipa-run-tests" symlink to "ipa-run-tests-3.6"
* 7151 ipa-server-upgrade performs unneeded steps to stop tracking/start tracking certs
* 7148 py3: ipa cert-request --principal --database fails with BytesWarning: str() on a bytes instance
* 7142 py3: ipa ca-add fails with 'an internal error has occurred'
* 7134 ipa param-find: command displays internal error
* 7133 tox -e pylint3 fails under Python 3.6
* 7132 [4.6] PyPI packages are broken
* 7124 [ipatests] - forced_client_reenrollment-domlevel-1 test suite fails due to missing dns records
* 7033 vault: TypeError: ... is not JSON serializable
* 6994 RFE: Remove 389-ds tuning step
* 6858 RFE - Option to add custom OID or display name in IPA Cert
* 6844 ipa-restore fails when umask is set to 0027
* 6702 Update Dogtag to 10.4
* 5887 IDNA domains does not work under py3
* 5442 [tracker] SELinux 'execmem' denials

== Detailed changelog since 4.6.1 ==
=== Alexander Bokovoy (10) ===
* ipaserver/plugins/trust.py: pep8 compliance
* trust: detect and error out when non-AD trust with IPA domain name exists
* ipaserver/plugins/trust.py; fix some indenting issues
* ipa-extdom-extop: refactor nsswitch operations
* test_dns_plugin: cope with missing IPv6 in Travis
* travis-ci: collect logs from cmocka tests
* ipa-kdb: override krb5.conf when testing KDC code in cmocka
* adtrust: filter out subdomains when defining our topology to AD
* ipa-replica-manage: implicitly ignore initial time skew in force-sync
* ds: ignore time skew during initial replication step

=== Abhijeet Kasurde (3) ===
* Trivial typo fix.
* ipatests: Fix interactive prompt in ca_less tests
* tests: correct usage of hostname in logger in tasks

=== Alexander Koksharov (1) ===
* kra-install: better warning message

=== Aleksei Slaikovskii (6) ===
* ipa-restore: Set umask to 0022 while restoring
* View plugin/command help in pager
* Add a notice to restart ipa services after certs are installed
* Fix TypeError while ipa-restore is restoring a backup
* ipaclient.plugins.dns: Cast DNS name to unicode
* Less confusing message for PKINIT configuration during install

=== Christian Heimes (23) ===
* Update IPA_GIT_BRANCH to ipa-4-6
* Add make targets for fast linting and testing
* Add marker needs_ipaapi and option to skip tests
* Add python_requires to Python package metadata
* Remove Custodia keys on uninstall
* Update to python-ldap 3.0.0
* Update builddep command to install Python 3 and tox deps
* Add workaround for pytest 3.3.0 bug
* Fix dict iteration bug in dnsrecord_show
* Reproducer for bug in structured dnsrecord_show
* Use Python 3 on Travis
* Prevent installation of Py2 and Py3 mod_wsgi
* libotp: add libraries after objects
* Require UTF-8 fs encoding
* Run tox tests for PyPI packages on Travis
* Py3: Fix vault tests
* Use namespace-aware meta importer for ipaplatform
* Test script for ipa-custodia
* Remove ignore_import_errors
* Backup ipa-custodia conf and keys
* Py3: fix fetching of tar files
* Use os.path.isfile() and isdir()
* Block PyOpenSSL to prevent SELinux execmem in wsgi

=== David Kupka (2) ===
* schema: Fix internal error in param-{find,show} with nonexistent object
* tests: Add LDAP URI to ldappasswd explicitly

=== Felipe Barreto (6) ===
* Warning the user when using a loopback IP as forwarder
* Removing replica-s4u2proxy.ldif since it's not used anymore
* Fix log capture when running pytests_multihosts commands