Re: [Freeipa-devel] [PATCH] 487 fix netgroup plugin
Adam Young wrote:

On 07/14/2010 07:52 PM, Dmitri Pal wrote:

Adam Young wrote:

On 07/14/2010 03:43 PM, Rob Crittenden wrote:

The netgroup plugin was using the wrong attribute for memberships. It needs to use memberuser for users and groups and memberhost for hosts and hostgroups. I fixed this up and corrected the tests as well.

rob

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Got it installed and running. Unclear how to test.

Create a user group with 3 users U1 U2 U3.
Create a host group with the two hosts H1 H2.
Create a netgroup that includes this user group and this host group.
Configure the client to use your IPA server as a source of the netgroups.
List the netgroups - you should get your netgroup.
List the contents of the netgroup. You should get triplets: user, host, domain.
The order of the users and hosts in triplets does not matter. What matters is that each host and each user are listed in some triplet and generally present in the netgroup not more than once.

Here's my script. ypcat stopped working with "No such map netgroup. Reason: Can't communicate with portmapper". Too tired to debug tonight.

ipa user-add --first=Kermit --last=Frog kfrog
ipa user-add --first=Count --last=VonCount count123
ipa user-add --first=Oscar --last=Grouch scram
ipa user-add --first=Elmo --last=Gonzales elmo
ipa user-add --first=Zoe --last=MacPhearson zoe
ipa user-add --first=Prairie --last=Dawn pdawn
# descriptions containing spaces must be quoted, or the shell splits them into extra arguments
ipa group-add --desc="Monsters on Sesame Street" monsters
ipa group-add --desc="Muppets moonlighting for CTW" muppets
ipa group-add-member --users=kfrog,scram,pdawn muppets
ipa group-add-member --users=count123,elmo,zoe monsters
ipa netgroup-add --desc="staging servers" net-stage
ipa netgroup-add --desc="live servers" net-live
ipa hostgroup-add --desc "Live servers" host-live
# note: this creates a hostgroup named stage-live, while the commands below refer to host-stage
ipa hostgroup-add --desc "Staging servers" stage-live
ipa hostgroup-add-member --hosts live3.pbs.org,live2.pbs.org,live1.pbs.org host-live
ipa hostgroup-add-member --hosts stage3.pbs.org,stage2.pbs.org,stage1.pbs.org host-stage
ipa netgroup-add-member --groups=muppets --hostgroups=host-live net-live
ipa netgroup-add-member --groups=muppets --hostgroups=host-stage net-stage
ypcat -d ipa.ayoung.boston.devel.redhat.com -h ipa.ayoung.boston.devel.redhat.com netgroup

Ok, kudos on the big test group but your knowledge of Sesame Street characters' last names is a bit disturbing ;-)

Your ypcat command is wrong. The -d is your NIS domain (same as your IPA domain) and the -h is the host to connect to.

I get the following output with this data set:

(-,kfrog,example.com) (-,scram,example.com) (-,pdawn,example.com)
(-,kfrog,example.com) (-,scram,example.com) (-,pdawn,example.com)

Based on my limited understanding of netgroups this looks correct. You have defined two netgroups, both of which have the same user group as a member. The first netgroup has no hosts or hostgroups associated with it, the second has an empty hostgroup (because you added non-existent hosts, or at least hosts not on my box).

I added a host to host-live and now I get:

(-,kfrog,example.com) (-,scram,example.com) (-,pdawn,example.com)
(lion.example.com,kfrog,example.com) (-,scram,example.com) (-,pdawn,example.com)

rob
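The triplet expansion that Rob's ypcat output shows, written as an added example (not the thread's script and not FreeIPA's plugin code): memberuser and memberhost references are flattened, hosts and users are paired into (host,user,domain) triplets with '-' filling the short side, and the result is checked against Dmitri's acceptance criteria. The directory data is constructed to mirror the script above, and the positional pairing rule is an assumption inferred from the output shown rather than taken from the plugin source.

```python
from itertools import zip_longest
import re

# Constructed data mirroring the thread's script; not a real IPA directory.
DOMAIN = "example.com"
GROUPS = {"muppets": ["kfrog", "scram", "pdawn"], "monsters": ["count123", "elmo", "zoe"]}
HOSTGROUPS = {"host-live": ["lion.example.com"], "host-stage": []}
# memberuser carries users and groups, memberhost carries hosts and hostgroups; refs are "kind:name".
NETGROUPS = {
    "net-stage": {"memberuser": ["group:muppets"], "memberhost": []},
    "net-live": {"memberuser": ["group:muppets"], "memberhost": ["hostgroup:host-live"]},
}

def resolve(refs, groups):
    """Flatten direct members and group references (first-seen order, no duplicates)."""
    seen = []
    for ref in refs:
        kind, _, name = ref.partition(":")
        members = groups.get(name, []) if kind in ("group", "hostgroup") else [name]
        for m in members:
            if m not in seen:
                seen.append(m)
    return seen

def expand_netgroup(name):
    """NIS triplets as the ypcat output shows them: hosts and users paired positionally, '-' fills the short side (assumed rule)."""
    users = resolve(NETGROUPS[name]["memberuser"], GROUPS)
    hosts = resolve(NETGROUPS[name]["memberhost"], HOSTGROUPS)
    return [(h, u, DOMAIN) for h, u in zip_longest(hosts, users, fillvalue="-")]

TRIPLET_RE = re.compile(r"\(([^,()]*),([^,()]*),([^,()]*)\)")

def parse_ypcat(line):
    """Parse the '(host,user,domain)' triplets ypcat prints for one netgroup."""
    return [m.groups() for m in TRIPLET_RE.finditer(line)]

def check_membership(triplets, users, hosts):
    """Dmitri's acceptance test: every expected user and host appears in some triplet, exactly once. Returns problems (empty = OK)."""
    problems = []
    listed = {"user": [u for _, u, _ in triplets if u != "-"],
              "host": [h for h, _, _ in triplets if h != "-"]}
    for kind, expected in (("user", users), ("host", hosts)):
        for x in expected:
            if listed[kind].count(x) != 1:
                problems.append(f"{kind} {x} listed {listed[kind].count(x)} times")
        for x in dict.fromkeys(listed[kind]):
            if x not in expected:
                problems.append(f"unexpected {kind} {x}")
    return problems
```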
Re: [Freeipa-devel] [PATCH] 476 fix bad API call in selfsign
Pavel Zuna wrote:

On 06/25/2010 03:46 PM, Rob Crittenden wrote:

Use newer API in selfsign plugin. Fix missing import when running in the in-tree lite-server.

rob

Maybe we should remove the comment as well, if it's not valid anymore. Other than that: ACK.

Pavel

I forgot to remove the comment before pushing, I'll do that in a future patch.

pushed to master
Re: [Freeipa-devel] [PATCH] 485 fix ipa-compat-manage and ipa-nis-manage
Adam Young wrote:

On 07/14/2010 05:44 PM, Rob Crittenden wrote:

Adam Young wrote:

On 07/14/2010 03:40 PM, Rob Crittenden wrote:

The commands ipa-compat-manage and ipa-nis-manage didn't really work properly. I think some backend changes caused at least some of the problems. I fixed a few errors causing backtraces as well as some corner cases.

Enabling nis added a new compat location. So disabling compat would fail because it wasn't handling this new nis location.

I also ran pylint against both and fixed a few problems/warnings it raised.

rob

NACK:

[r...@ipa ~]# ipa-compat-manage enable
Directory Manager password:
Enabling plugin
This setting will not take effect until you restart Directory Server.
[r...@ipa ~]# ipa-nis-manage enable
Directory Manager password:
Enabling plugin
Traceback (most recent call last):
  File "/usr/sbin/ipa-nis-manage", line 201, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-nis-manage", line 150, in main
    conn.update_entry(nis_config_dn, mod, normalize=False)
  File "/usr/lib/python2.6/site-packages/ipalib/encoder.py", line 188, in new_f
    return f(*new_args, **kwargs)
  File "/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py", line 687, in update_entry
    raise errors.EmptyModlist()
ipalib.errors.EmptyModlist: no modifications to be performed

The problem was we ship with the plugin enabled and we were trying to do an LDAP mod to enable it, so literally nothing to do.

I also made ipa-nis-manage require that the schema compat plugin already be enabled.

rob

ACK

pushed to master
Re: [Freeipa-devel] [PATCH] 486 fix nis netgroups map
Adam Young wrote:

On 07/14/2010 03:41 PM, Rob Crittenden wrote:

The netgroups map was being served out of the compat subtree. This wasn't working and it is better for the nis plugin to generate its data itself, so I added the rule there as well.

rob

ACK

pushed to master
Re: [Freeipa-devel] [PATCH] 487 fix netgroup plugin
Adam Young wrote:

On 07/15/2010 09:15 AM, Rob Crittenden wrote:

[...]

ACK

pushed to master
[Freeipa-devel] Announcing FreeIPA v2 Server Alpha 4 Release
To all freeipa-interest, freeipa-users and freeipa-devel list members,

The FreeIPA project team is pleased to announce the availability of the Alpha 4 release of freeIPA 2.0 server [1]. Binaries are available for F-12 and F-13.

This alpha is mostly a bug fix release over the previous alpha. We have started the process of polishing so things should generally work more smoothly and look better. There are no improvements in the UI, those should appear in the next release.

Please do not hesitate to share feedback, criticism or bugs with us on our mailing list: freeipa-us...@redhat.com

The changes in this release are:

- Moved our dogtag SELinux to be installed with the rpm instead of during configuration.
- Fedora 13 moved to gpg2 and dropped gpg. Fix our invocation so we work with either (this was preventing replica installations).
- Query remote server during replica installation to see if the replica already exists. This prevents lots of really strange errors during replica installation.
- Fixed SSL error in client enrollment.
- Changed the way services are handled in HBAC. There is now a separate service and servicegroup object that you associate with HBAC rules. sssd is already using this new mechanism.
- First pass at per-command documentation. It still needs a lot of work.
- Fix aci-mod command. It wasn't really working well in almost all cases.
- Add replication version checking. This is one step in better control during updates.
- Don't try to convert a host's password into a keytab with bulk enrollment (this was causing krbPasswordExpiration to be set).
- Add support for User-Private Groups.
- Worked on error handling in mod_wsgi. Now hopefully a shorter and less scary backtrace will be thrown when things go bump in the night.
- Add new api to disable service and host principals.
- Significant cleanup of crypto code. Using python-nss for a lot more (and more to come).
- Fixed some errors in ipa-compat-manage and ipa-nis-manage and made them more bullet-proof.
- Fixed netgroups plugin, it was generating the wrong attributes.
- Other minor polish and bug fixes.

Known issues:

- The CA must be installed in the en_US locale (#588375)

rob

[1] http://www.freeipa.org/page/Downloads