Re: [Freeipa-devel] [PATCH] Add kerberos mapping for clients outside the IPA domain
On Thu, 2011-10-20 at 10:26 +0200, Lars Sjöström wrote: Hello, Proposed patch for bug https://fedorahosted.org/freeipa/ticket/2006 Best regards, Lars Hello Lars, thank you for your investigation of the problem and the patch! I had to refactor the patch a little, your patch updated just the temporary krb5.conf, not the one put permanently to /etc/krb5.conf. I also moved DNS update before the certmonger is being configured. Otherwise certmonger may fail because the client does not have proper DNS record. Patch attached. Martin From 180b06667b966db7ab79d92fa2ca0fce56efe2c6 Mon Sep 17 00:00:00 2001 From: Martin Kosek mko...@redhat.com Date: Fri, 21 Oct 2011 11:18:26 +0200 Subject: [PATCH] Fix client krb5 domain mapping and DNS Add Kerberos mapping for clients outside of server domain. Otherwise certmonger had problems issuing the certificate. Also make sure that client DNS records on the server are set before certmonger is started and certificate is requested. Based on Lars Sjostrom patch. https://fedorahosted.org/freeipa/ticket/2006 --- ipa-client/ipa-install/ipa-client-install | 20 +--- 1 files changed, 13 insertions(+), 7 deletions(-) diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 628652efcf2067ec1997a8656d5ff471dc3baa90..2f7f1ff55f455f8750f7e22de5d8973a6a342295 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -546,7 +546,7 @@ def hardcode_ldap_server(cli_server): return -def configure_krb5_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, cli_kdc, dnsok, options, filename): +def configure_krb5_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, cli_kdc, dnsok, options, filename, client_domain): krbconf = ipaclient.ipachangeconf.IPAChangeConf(IPA Installer) krbconf.setOptionAssignment( = ) 
@@ -589,6 +589,12 @@ def configure_krb5_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, c #[domain_realm] dropts = [{'name':'.'+cli_domain, 'type':'option', 'value':cli_realm}, {'name':cli_domain, 'type':'option', 'value':cli_realm}] + +#add client domain mapping if different from server domain +if cli_domain != client_domain: +dropts.append({'name':'.'+client_domain, 'type':'option', 'value':cli_realm}) +dropts.append({'name':client_domain, 'type':'option', 'value':cli_realm}) + opts.append({'name':'domain_realm', 'type':'section', 'value':dropts}) opts.append({'name':'empty', 'type':'empty'}) @@ -895,6 +901,8 @@ def install(options, env, fstore, statestore): cli_domain = ds.getDomainName() logging.debug(will use domain: %s\n, cli_domain) +client_domain = hostname[hostname.find(.)+1:] + if ret in (ipadiscovery.NO_LDAP_SERVER, ipadiscovery.NOT_IPA_SERVER) \ or not ds.getServerName(): logging.debug(IPA Server not found) @@ -1015,7 +1023,7 @@ def install(options, env, fstore, statestore): print Unable to sync time with IPA NTP server, assuming the time is in sync. (krb_fd, krb_name) = tempfile.mkstemp() os.close(krb_fd) -if configure_krb5_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, cli_kdc, dnsok, options, krb_name): +if configure_krb5_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, cli_kdc, dnsok, options, krb_name, client_domain): print Test kerberos configuration failed return CLIENT_INSTALL_ERROR env['KRB5_CONFIG'] = krb_name 
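Review bot: in the [domain_realm] hunk of configure_krb5_conf, `if cli_domain != client_domain:` is a case-sensitive string comparison while DNS domain names are not case-sensitive, so a hostname given as Client.EXAMPLE.COM against a discovered example.com would add two redundant entries; compare lower-cased values (or normalise hostname before the split). When client_domain is a subdomain of cli_domain the existing `'.'+cli_domain` wildcard entry already covers it, so the extra entries are harmless there but could be skipped as well.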
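Review bot: in the install() hunk, `client_domain = hostname[hostname.find(.)+1:]` silently yields the whole hostname when there is no dot, because find() returns -1 and the slice becomes `[0:]`; the result would then be mapped as a domain. If hostname is guaranteed to be an FQDN at this point, an explicit form such as `client_domain = hostname.partition('.')[2]` followed by an error when it is empty makes that assumption visible in the code instead of relying on earlier checks.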
@@ -1115,17 +1123,15 @@ def install(options, env, fstore, statestore): if not options.on_master: # Configure krb5.conf fstore.backup_file(/etc/krb5.conf) -if configure_krb5_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, cli_kdc, dnsok, options, /etc/krb5.conf): +if configure_krb5_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, cli_kdc, dnsok, options, /etc/krb5.conf, client_domain): return CLIENT_INSTALL_ERROR print Configured /etc/krb5.conf for IPA realm + cli_realm -configure_certmonger(fstore, subject_base, cli_realm, hostname, options) - -#Try to update the DNS records, failure is not fatal -if not options.on_master: client_dns(cli_server, hostname, options.dns_updates) +configure_certmonger(fstore, subject_base, cli_realm, hostname, options) + #Name Server Caching Daemon. Disable for SSSD, use otherwise (if installed) nscd = ipaservices.knownservices.nscd if nscd.is_installed(): -- 1.7.6.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
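Review bot: in the last hunk, moving `client_dns(cli_server, hostname, options.dns_updates)` ahead of `configure_certmonger(...)` addresses the ordering problem, but the retained comment says a DNS update failure is not fatal, so a failed update still leaves certmonger to fail later with a less obvious error; logging a clear warning at the client_dns call site (that certificate enrolment may fail without a host record) would make the later failure easier to diagnose. Dropping the inner `if not options.on_master:` is correct since the block already sits under that condition.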
Re: [Freeipa-devel] [PATCH] Add kerberos mapping for clients outside the IPA domain
On Fri, 21 Oct 2011, Martin Kosek wrote:
> On Thu, 2011-10-20 at 10:26 +0200, Lars Sjöström wrote:
> > Proposed patch for bug https://fedorahosted.org/freeipa/ticket/2006
> thank you for your investigation of the problem and the patch! I had to refactor the patch a little, your patch updated just the temporary krb5.conf, not the one put permanently to /etc/krb5.conf. I also moved DNS update before the certmonger is being configured. Otherwise certmonger may fail because the client does not have proper DNS record. Patch attached.

ACK. It took me a while but hostname is ensured to be FQDN by the point we do that dangerous hostname[where is the dot+1:] operation. :)
-- / Alexander Bokovoy
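The [domain_realm] mapping the patch adds, worked through as an added example (not ipa-client-install code; all function names are this example's own) that also handles the no-dot hostname case discussed above, case differences between the two domains, and a client in a subdomain of the server domain:

```python
"""Build the krb5.conf [domain_realm] mappings for an IPA client whose DNS
domain differs from the IPA server's domain.  Added example, not FreeIPA's
ipa-client-install code; the function names are this example's own."""


def client_domain_of(hostname):
    """Return the DNS domain part of an FQDN, or None if there is none.

    The installer relies on hostname being fully qualified; a plain
    'host' would otherwise become its own domain after the split.
    """
    host, dot, domain = hostname.strip().rstrip('.').partition('.')
    if not dot or not domain:
        return None
    return domain.lower()


def domain_realm_mappings(cli_domain, cli_realm, client_domain):
    """Return the list of (key, realm) pairs for [domain_realm].

    Domains are compared case-insensitively; a client sitting in a
    subdomain of the server domain is already covered by the
    '.server.domain' wildcard entry and gets no extra mapping.
    """
    cli_domain = cli_domain.lower()
    mappings = [('.' + cli_domain, cli_realm), (cli_domain, cli_realm)]
    if client_domain and client_domain != cli_domain \
            and not client_domain.endswith('.' + cli_domain):
        mappings.append(('.' + client_domain, cli_realm))
        mappings.append((client_domain, cli_realm))
    return mappings


def render_domain_realm(mappings):
    """Render the mappings as the [domain_realm] section text."""
    lines = ['[domain_realm]']
    lines.extend(' %s = %s' % (key, realm) for key, realm in mappings)
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    # Constructed sample values, not taken from any real deployment.
    host = 'client1.lab.example.org'
    dom = client_domain_of(host)
    print(render_domain_realm(
        domain_realm_mappings('ipa.example.com', 'IPA.EXAMPLE.COM', dom)))
```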
Re: [Freeipa-devel] [PATCH] 295 Fixed inconsistent required/optional attributes.
On 10/20/2011 09:35 PM, Endi Sukma Dewata wrote:
> The dialogs and details pages have been modified to use the * symbol to mark required fields. The automount map and the DNS zone dialogs have been modified to update the required fields according to the input type. Ticket #1696

1) Wouldn't it be better if the asterisk had a different color than the label? Visually I don't like it that much and I think it can be overlooked. Attaching a proposition. I used green IPAish color because red usually means error. Code from the browser showing how it was done:

    <td class="section-cell-label" title="First name"><label name="givenname" class="field-label">First name:</label><span class="required" style="float: right; font-weight: bold; color: #319016; font-size: 20px;" title="required">*</span></td>

(style should be moved to css file)

    <div style="line-height: 25px;"><span class="required" style="font-weight: bold; color: #319016; font-size: 20px; vertical-align: middle;">*</span> required</div>

It may vary on the section type.

2) When rendering the label, we should also obtain the field input's id (if possible) for the 'for' attribute of the label. This can be done separately.

3) Should we create some common pure html widgets with certain semantics? IE the asterisk shouldn't be directly concatenated with the label text. It is used in more than one place, which may cause maintenance issues.

    IPA.form(or some other name).required_indicator = function() { return '*' };

In this case this seems unnecessary. But if the required indicator was like in 1) it will be useful.

Summary: All 3 points are nice to have. If you think it is not necessary then ACK.

This patch is also fixing https://fedorahosted.org/freeipa/ticket/1973 .
-- Petr Vobornik
attachment: required-field.png
Re: [Freeipa-devel] [PATCH] Add kerberos mapping for clients outside the IPA domain
Hello Lars, that's the plan. I pushed the patch to master, ipa-2-1 and set up flags for the BZ so that we can get it to Snapshot 4.
Martin

On Fri, 2011-10-21 at 13:57 +0200, Lars Sjöström wrote:
> Excellent! Thanks guys! Still a chance that this can be backported into rhel6.2 release?
> Best regards, Lars
> 2011/10/21 Alexander Bokovoy aboko...@redhat.com:
> > On Fri, 21 Oct 2011, Martin Kosek wrote:
> > > On Thu, 2011-10-20 at 10:26 +0200, Lars Sjöström wrote:
> > > > Proposed patch for bug https://fedorahosted.org/freeipa/ticket/2006
> > > thank you for your investigation of the problem and the patch! I had to refactor the patch a little, your patch updated just the temporary krb5.conf, not the one put permanently to /etc/krb5.conf. I also moved DNS update before the certmonger is being configured. Otherwise certmonger may fail because the client does not have proper DNS record. Patch attached.
> > ACK. It took me a while but hostname is ensured to be FQDN by the point we do that dangerous hostname[where is the dot+1:] operation. :)
> > -- / Alexander Bokovoy
Re: [Freeipa-devel] [PATCH] 0029 hbactest fails while you have svcgroup in hbacrule
Alexander Bokovoy wrote:
> Hi, attached patch should fix ticket 1988. This is currently last known bug in hbactest and should be safe to add to 2.1.3 (even though it is targetting 2.1.4 milestone). Tested using rules similar to the ones in the ticket description and also with --service=service group (where service group is the group specified in the rule), as well as negative cases. https://fedorahosted.org/freeipa/ticket/1988

ack, pushed to ipa-2-1 and master
rob
Re: [Freeipa-devel] [PATCH] 151 Add --zonemgr validator
Martin Kosek wrote:
> On Fri, 2011-10-14 at 14:11 -0400, Rob Crittenden wrote:
> > Martin Kosek wrote:
> > > Do at least a basic validation of DNS zone manager mail address. Do not require '@' to be in the mail address as it is not used in common DNS zone configuration (in bind for example) and people may be used to configure it that way. '@' is always removed by the installer before the DNS zone is created. https://fedorahosted.org/freeipa/ticket/1966
> > There is already a zonemgr_callback defined for this option, can the verify_zonemgr call be either integrated or called from that?
> > rob
> Right. Please, try this one. I also added a parser error when more than one '@' is in the checked value.
> Martin

A couple of things:

In the block where you are counting @ why not add an:

    else:
        raise ValueError('address is not fully qualified')

rather than looking for '.' in the result? I think it will be clearer that way. I wonder if the error should contain an example as well, are people going to know what fully-qualified means?

The regex is very strict for e-mail addresses, perhaps too much so. It doesn't allow upper-case characters, periods or _, both of which are allowed in login names. A common e-mail format is first.last@domain.

rob
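A validator along the lines discussed above, as an added example (not FreeIPA's verify_zonemgr or zonemgr_callback; function names and error texts are this example's own): '@' is optional, more than one '@' is rejected, a fully-qualified domain is required, upper-case letters, periods and underscores are accepted in the mailbox part, and the result is normalised to the RFC 1035 RNAME form a zone stores.

```python
"""Validate and normalise a DNS zone manager (SOA RNAME) mail address.

Added example, not FreeIPA's verify_zonemgr/zonemgr_callback.  It applies
the points from the thread: '@' is optional, more than one '@' is an
error, the address must be fully qualified, and the mailbox part may hold
upper-case letters, periods and underscores (e.g. First.Last@Example.com).
RFC 1035 stores the mailbox as a domain name, so '@' becomes '.' and any
period inside the mailbox part is escaped as '\\.'."""
import re

# Conservative character classes; a DNS label may not start or end with '-'.
_LOCAL_RE = re.compile(r'^[A-Za-z0-9._+-]+$')
_LABEL_RE = re.compile(r'^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$')
_NOT_FQ_MSG = 'address is not fully qualified, e.g. hostmaster@example.com'


def verify_zonemgr(zonemgr):
    """Return the RNAME form of zonemgr, or raise ValueError."""
    value = zonemgr.strip().rstrip('.')
    if not value:
        raise ValueError('zone manager address is empty')
    if value.count('@') > 1:
        raise ValueError("only one '@' is allowed in a zone manager address")
    if '@' in value:
        local, domain = value.split('@')
    else:
        # No '@' (bind style): the first label is the mailbox part.
        local, dot, domain = value.partition('.')
        if not dot:
            raise ValueError(_NOT_FQ_MSG)
    if not local or not _LOCAL_RE.match(local):
        raise ValueError('invalid characters in the mailbox part: %r' % local)
    labels = domain.split('.')
    if len(labels) < 2 or not all(_LABEL_RE.match(lab) for lab in labels):
        raise ValueError(_NOT_FQ_MSG)
    # '@' becomes '.', periods inside the mailbox part are escaped.
    return '%s.%s' % (local.replace('.', r'\.'), domain)


def is_valid_zonemgr(zonemgr):
    """Boolean convenience wrapper around verify_zonemgr()."""
    try:
        verify_zonemgr(zonemgr)
        return True
    except ValueError:
        return False


if __name__ == '__main__':
    # Constructed inputs showing accepted and rejected forms.
    for candidate in ('hostmaster@example.com', 'hostmaster.example.com',
                      'First.Last@Example.com', 'a@b@c.com', 'hostmaster'):
        try:
            print('%-26s -> %s' % (candidate, verify_zonemgr(candidate)))
        except ValueError as err:
            print('%-26s -> rejected: %s' % (candidate, err))
```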
Re: [Freeipa-devel] [PATCH 51/51] Ticket 1201 - Unable to Download Certificate with Browser
On 10/20/2011 9:58 AM, John Dennis wrote: ACK, fixed jslint warnings, pushed to master and ipa-2-1. -- Endi S. Dewata
Re: [Freeipa-devel] [PATCH] Fix help system
Martin Kosek wrote: On Tue, 2011-10-18 at 12:13 -0400, Rob Crittenden wrote: Forgive me for not having this in git format. This patch fixes a couple of problems in the help system: 1. If all commands in an object are disabled the object is still visible as a topic, see ipa help aci as an example 2. ipa help will show you that show-mappings help is broken 3. You shouldn't be able to get help on disabled cli. diff --git a/ipalib/cli.py b/ipalib/cli.py index 06e7b1c..7fe8087 100644 --- a/ipalib/cli.py +++ b/ipalib/cli.py @@ -748,6 +748,8 @@ class help(frontend.Local): self.print_commands(name) elif name in self.Command: cmd = self.Command[name] +if cmd.NO_CLI: +raise HelpError(topic=name) print unicode(_('Purpose: %s')) % unicode(_(cmd.doc)).strip() self.Backend.cli.build_parser(cmd).print_help() elif mod_name in sys.modules: @@ -805,6 +807,9 @@ class help(frontend.Local): m = '%s.%s' % (self._PLUGIN_BASE_MODULE, topic) doc = (unicode(_(sys.modules[m].__doc__)) or '').strip() +if topic not in self.Command and len(commands) == 0: +raise HelpError(topic=topic) + print doc if len(commands) 1: print '' @@ -814,6 +819,9 @@ class help(frontend.Local): print \n class show_mappings(frontend.Command): + +Show mapping of LDAP attributes to command-line option. + takes_args = ( Str('command_name', label=_('Command name'), ACK. Works fine. Please, just format it properly and add a commit message with ticket ID https://fedorahosted.org/freeipa/ticket/1998 before pushing :-) Martin Done, pushed to master and ipa-2-1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
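Review bot: in the second hunk, `if topic not in self.Command and len(commands) == 0: raise HelpError(topic=topic)` only hides a topic whose `commands` list is empty, so it fixes point 1 of the description (an object whose commands are all disabled still shows as a topic) only if that list already excludes NO_CLI commands; a one-line comment stating that would save the next reader the lookup. In the third hunk, the new show_mappings docstring reads "command-line option" where "options" is meant.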
[Freeipa-devel] [PATCH] 899 more context with attribute in error message
Depending on the context and how you are using input (-- options or set/addattr) you might get a different attribute name in the error message. This patch tries to clear that up a bit. See the ticket for some test cases. rob From 3874e15bc26a6bca126838af64462214d0bddce8 Mon Sep 17 00:00:00 2001 From: Rob Crittenden rcrit...@redhat.com Date: Fri, 21 Oct 2011 15:21:45 -0400 Subject: [PATCH] Be more consistent when returning the attribute in error messages. Use whatever context when have (attr vs cli_name) when returning error messages. When --set/addattr are used try to return that value, otherwise return cli_name if we have it. https://fedorahosted.org/freeipa/ticket/1418 --- ipalib/frontend.py |8 ++-- ipalib/parameters.py |5 - 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/ipalib/frontend.py b/ipalib/frontend.py index 61e7f49..9ddef63 100644 --- a/ipalib/frontend.py +++ b/ipalib/frontend.py @@ -30,7 +30,7 @@ from util import make_repr from output import Output, Entry, ListOfEntries from text import _, ngettext -from errors import ZeroArgumentError, MaxArgumentError, OverlapError, RequiresRoot, VersionError, RequirementError +from errors import ZeroArgumentError, MaxArgumentError, OverlapError, RequiresRoot, VersionError, RequirementError, ValidationError from errors import InvocationError from constants import TYPE_ERROR from ipapython.version import API_VERSION @@ -551,7 +551,11 @@ class Command(HasParam): # None means delete this attribute value = None if attr in self.params: -value = self.params[attr](value) +try: +value = self.params[attr](value) +except ValidationError, err: +(name, error) = err.strerror.split(':') +raise ValidationError(name=attr, error=error) if append and attr in newdict: if type(value) in (tuple,): newdict[attr] += list(value) diff --git a/ipalib/parameters.py b/ipalib/parameters.py index f9e171b..2d5367b 100644 --- a/ipalib/parameters.py +++ b/ipalib/parameters.py 
@@ -1043,7 +1043,10 @@ class Int(Number): return int(value) except ValueError: pass -raise ConversionError(name=self.name, index=index, +name = self.cli_name +if not name: +name = self.name +raise ConversionError(name=name, index=index, error=ugettext(self.type_error), ) -- 1.7.6 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
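Review bot: in the frontend.py hunk, `(name, error) = err.strerror.split(':')` raises ValueError (too many values to unpack) as soon as the formatted message contains a second colon, which is likely when the error text itself includes one; use `err.strerror.split(':', 1)` or, better, re-raise from the exception's own error attribute if ValidationError keeps it, rather than parsing the formatted string.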
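Review bot: in the parameters.py hunk, the three lines `name = self.cli_name` / `if not name:` / `name = self.name` can be written as `name = self.cli_name or self.name`, which also matches how the frontend.py hunk describes the intent (cli_name when available, otherwise name).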
Re: [Freeipa-devel] [PATCH] 880 don't check for existing 389-ds instances
Rob Crittenden wrote: We don't need to prohibit existing 389-ds instances when installing IPA, just that the ports we need are available. Remove this check. For master only. rob Re-based patch against master. rob From 65556716d3a0cd63c4cfcb17dbd60100fb81f267 Mon Sep 17 00:00:00 2001 From: Rob Crittenden rcrit...@redhat.com Date: Fri, 21 Oct 2011 15:25:21 -0400 Subject: [PATCH] Don't check for 389-instances. We no longer need to enforce that no 389-ds instances exist on an IPA server. Checking that the ports exist should be enough. This used to be one mechanism we used to check to see if IPA was already installed. We have a better mechanism now. https://fedorahosted.org/freeipa/ticket/1735 --- install/tools/ipa-replica-install | 19 --- install/tools/ipa-server-install | 31 ++- ipaserver/install/dsinstance.py | 12 3 files changed, 2 insertions(+), 60 deletions(-) diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install index c2018f4..da0f28d 100755 --- a/install/tools/ipa-replica-install +++ b/install/tools/ipa-replica-install @@ -119,7 +119,6 @@ def set_owner(config, dir): os.chown(dir, pw.pw_uid, pw.pw_gid) def install_replica_ds(config): -dsinstance.check_existing_installation() dsinstance.check_ports() # if we have a pkcs12 file, create the cert db from 
@@ -249,24 +248,6 @@ def install_dns_records(config, options): object.__setattr__(api.Backend.ldap2, 'ldap_uri', cur_uri) def check_dirsrv(): -serverids = dsinstance.check_existing_installation() -if serverids: -print -print An existing Directory Server has been detected. -if not ipautil.user_input(Do you wish to remove it and create a new one?, False): -print -print Only a single Directory Server instance is allowed on an IPA -print server, the one used by IPA itself. -sys.exit(1) - -try: -ipaservices.knownservices.dirsrv.stop() -except: -pass - -for serverid in serverids: -dsinstance.erase_ds_instance_data(serverid) - (ds_unsecure, ds_secure) = dsinstance.check_ports() if not ds_unsecure or not ds_secure: print IPA requires ports 389 and 636 for the Directory Server. diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index 76d5f2f..b33cb90 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -443,24 +443,6 @@ def read_admin_password(): return admin_password def check_dirsrv(unattended): -serverids = dsinstance.check_existing_installation() -if serverids: -print -print An existing Directory Server has been detected. -if unattended or not user_input(Do you wish to remove it and create a new one?, False): -print -print Only a single Directory Server instance is allowed on an IPA -print server, the one used by IPA itself. -sys.exit(1) - -try: -ipaservices.knownservices.dirsrv.stop() -except: -pass - -for serverid in serverids: -dsinstance.erase_ds_instance_data(serverid) - (ds_unsecure, ds_secure) = dsinstance.check_ports() if not ds_unsecure or not ds_secure: print IPA requires ports 389 and 636 for the Directory Server. 
@@ -532,13 +514,6 @@ def uninstall(): except CalledProcessError, e: print sys.stderr, Failed to set this machine hostname back to %s (%s). % (old_hostname, str(e)) -# Now for some sanity checking. Make sure everything was really -# uninstalled. -serverids = dsinstance.check_existing_installation() -if len(serverids): -rv = 1 -logging.error('IPA cannot be re-installed without removing existing 389-ds instance(s)') - if fstore.has_files(): logging.error('Some files have not been restored, see /var/lib/ipa/sysrestore/sysrestore.index') has_state = False @@ -714,10 +689,8 @@ def main(): print To accept the default shown in brackets, press the Enter key. print -if not options.external_ca and not options.external_cert_file: -# Let it past if there is an external_cert_file defined on the chance -# that we are coming in without a cache file. -check_dirsrv(options.unattended) +# Make sure the 389-ds ports are available +check_dirsrv(options.unattended) realm_name = host_name = diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index f2b16df..2c39ab5 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py @@ -90,18 +90,6 @@ def erase_ds_instance_data(serverid): #except: #pass -def check_existing_installation(): -dirs = glob.glob(/etc/dirsrv/slapd-*) -if not dirs: -return [] - -serverids = [] -for
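Review bot: in the ipa-server-install main() hunk, the removed guard `if not options.external_ca and not options.external_cert_file:` (with its comment about coming in without a cache file) exempted the second step of an external-CA install from check_dirsrv(); now `check_dirsrv(options.unattended)` runs unconditionally and, since check_dirsrv still calls dsinstance.check_ports(), the second pass will find ports 389 and 636 occupied by the directory server created in the first pass. Please confirm that flow still works or keep the external_cert_file exemption.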
[Freeipa-devel] [PATCH] 0291-show-enrollment-time-for-host.patch
From c91971b54b322b1fcc0b8d269b09dc185addfc81 Mon Sep 17 00:00:00 2001 From: Adam Young ayo...@redhat.com Date: Fri, 21 Oct 2011 16:11:23 -0400 Subject: [PATCH] show enrollment time for host --- install/ui/host.js |1 + 1 files changed, 1 insertions(+), 0 deletions(-) diff --git a/install/ui/host.js b/install/ui/host.js index 758008892e3ba09380f241142418fc0b96e4f064..e86dab86231cc524449623d9b80a5130d879585c 100644 --- a/install/ui/host.js +++ b/install/ui/host.js @@ -29,6 +29,7 @@ IPA.entity_factories.host = function () { return IPA.entity_builder(). entity('host'). search_facet({ +search_all: true, columns: [ 'fqdn', 'description', -- 1.7.6.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
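Review bot: the commit message says "show enrollment time for host" but the only change is `search_all: true,` on the host search facet; the message should state which attribute that exposes and why search_all is the way to get it. If search_all requests every attribute of each matching host, a note on the cost for large host lists (or on whether an explicit column would do instead) would help.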