[Freeipa-devel] [PATCH] SSHPublicKey.fingerprint_dns_sha1 should return unicode value
Hi, this one-liner fixes updating DNS SSHFP records in host-mod. Honza -- Jan Cholasta From 132bd4011909589e0db50d71828aeccadb09 Mon Sep 17 00:00:00 2001 From: Jan Cholasta jchol...@redhat.com Date: Thu, 20 Sep 2012 03:43:30 -0400 Subject: [PATCH] SSHPublicKey.fingerprint_dns_sha1 should return unicode value. --- ipapython/ssh.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipapython/ssh.py b/ipapython/ssh.py index 667d21e..6686e91 100644 --- a/ipapython/ssh.py +++ b/ipapython/ssh.py @@ -196,4 +196,4 @@ class SSHPublicKey(object): else: return fp = sha1(self._key).hexdigest().upper() -return '%d 1 %s' % (keytype, fp) +return u'%d 1 %s' % (keytype, fp) -- 1.7.11.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0074 validate SID for trusted domain when adding/modifying ID range
On 09/19/2012 06:19 PM, Alexander Bokovoy wrote: Hi, This patch adds validation of SID for trusted domain when adding or modifying ID range for the domain. We only allow creating ranges for trusted domains when the trust is already established -- the default range is created automatically right after the trust is added. https://fedorahosted.org/freeipa/ticket/3087 Basic functionality looks OK, but I saw few issues with exception formatting: diff --git a/ipalib/plugins/idrange.py b/ipalib/plugins/idrange.py index efa906428aa58c670bc4af63b10c88123dda5b65..4750c1d6716bd69045d53f32ae1836f44e70b03b 100644 --- a/ipalib/plugins/idrange.py +++ b/ipalib/plugins/idrange.py @@ -26,6 +26,12 @@ from ipapython import ipautil from ipalib import util from ipapython.dn import DN +if api.env.in_server and api.env.context in ['lite', 'server']: +try: +import ipaserver.dcerpc +_dcerpc_bindings_installed = True +except Exception, e: +_dcerpc_bindings_installed = False Variable e is not used, so it can be removed. __doc__ = _( ID ranges @@ -137,6 +143,21 @@ user. RIDs are unique in a domain, 32bit values and are used for users and groups. ) +def validate_trusted_domain_sid(self, sid): self is not needed in the list of attributes, this is not a class method. +if not _dcerpc_bindings_installed: +raise errors.NotFound(name=_('ID Range setup'), + reason=_('''Cannot perform SID validation without Samba 4 support installed. + Make sure you have installed server-trust-ad sub-package of IPA on the server''')) Improperly formatted exception: 1) NotFound error does not use name param, maybe you wanted to use ValidationError? 2) The text will be improperly formatted - since you used '''text''', the indentation will be in text: ipa: ERROR: Cannot perform SID validation without Samba 4 support installed. Make sure you have installed server-trust-ad sub-package of IPA on the server Also, I know this was discussed before, but using gettext in a name attribute of ValidationError will cause improperly formatted exception: # ipa idrange-add foo --base-id=1000 --range-size=100 --dom-sid=foo ipa: ERROR: invalid Gettext('ID Range setup', domain='ipa', localedir=None): Options dom_sid and rid_base must be used together The problem is, that name param is printer as %r, thus you would need to coerce it to unicode to make it better. +domain_validator = ipaserver.dcerpc.DomainValidator(self.api) +if not domain_validator.is_configured(): +raise errors.NotFound(name=_('ID Range setup'), + reason=_('''Cross-realm trusts are not configured.. + Make sure you have run ipa-adtrust-install on the IPA server first''')) Same issues: # ipa idrange-add foo --base-id=1000 --range-size=100 --dom-sid=foo --rid-base=1000 ipa: ERROR: Cross-realm trusts are not configured.. Make sure you have run ipa-adtrust-install on the IPA server first +if not domain_validator.is_trusted_sid_valid(sid): +raise errors.ValidationError(name=_('ID Range setup'), + error=_('SID is not recognized as a valid SID from a trusted domain')) + + Same issues: ipa: ERROR: invalid Gettext('ID Range setup', domain='ipa', localedir=None): SID is not recognized as a valid SID from a trusted domain Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 311 Fix idrange plugin help
range plugin was renamed to idrange. Update plugin help to reflect this change. From 060c9b88d927919112d9b26def3bbed6660d9d38 Mon Sep 17 00:00:00 2001 From: Martin Kosek mko...@redhat.com Date: Thu, 20 Sep 2012 10:26:17 +0200 Subject: [PATCH] Fix idrange plugin help range plugin was renamed to idrange. Update plugin help to reflect this change. --- ipalib/plugins/idrange.py | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/ipalib/plugins/idrange.py b/ipalib/plugins/idrange.py index efa906428aa58c670bc4af63b10c88123dda5b65..ee50613bbaeb70aecf830ad480773a253f88a136 100644 --- a/ipalib/plugins/idrange.py +++ b/ipalib/plugins/idrange.py @@ -60,8 +60,8 @@ EXAMPLE: Add a new ID range for a trusted domain Since there might be more than one trusted domain the domain SID must be given while creating the ID range. - ipa range-add --base-id=120 --range-size=20 --rid-base=0 \\ ---dom-sid=S-1-5-21-123-456-789 trusted_dom_range + ipa idrange-add --base-id=120 --range-size=20 --rid-base=0 \\ + --dom-sid=S-1-5-21-123-456-789 trusted_dom_range This ID range is then used by the IPA server and the SSSD IPA provider to assign Posix UIDs to users from the trusted domain. @@ -81,8 +81,8 @@ To create an ID range for the local domain it is not necessary to specify a domain SID. But since it is possible that a user and a group can have the same value as Posix ID a second RID interval is needed to handle conflicts. - ipa range-add --base-id=120 --range-size=20 --rid-base=1000 \\ ---secondary-rid-base=100 local_range + ipa idrange-add --base-id=120 --range-size=20 --rid-base=1000 \\ + --secondary-rid-base=100 local_range The data from the ID ranges of the local domain are used by the IPA server internally to assign SIDs to IPA users and groups. The SID will then be stored -- 1.7.11.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 311 Fix idrange plugin help
On 09/20/2012 10:28 AM, Martin Kosek wrote: range plugin was renamed to idrange. Update plugin help to reflect this change. ACK :-) Petr^2 Spacek ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0077 Check direct/reverse hostname/address resolution in ipa-replica-install
On 09/19/2012 08:46 PM, Rob Crittenden wrote: Petr Viktorin wrote: On 09/19/2012 04:56 PM, Rob Crittenden wrote: Petr Viktorin wrote: On 09/17/2012 08:10 PM, Rob Crittenden wrote: Petr Viktorin wrote: On 09/14/2012 08:46 AM, Martin Kosek wrote: On 09/13/2012 10:35 PM, Rob Crittenden wrote: Petr Viktorin wrote: On 09/11/2012 11:05 PM, Rob Crittenden wrote: Petr Viktorin wrote: On 09/04/2012 07:44 PM, Rob Crittenden wrote: Petr Viktorin wrote: https://fedorahosted.org/freeipa/ticket/2845 Shouldn't this also call verify_fqdn() on the local hostname and not just the master? I think this would eventually fail in the conncheck but what if that was skipped? rob A few lines above there is a call to get_host_name, which will call verify_fqdn. I double-checked this, it fails in conncheck. Here are my steps: # ipa-server-install --setup-dns # ipa-replica-prepare replica.example.com --ip-address=192.168.100.2 # ipa host-del replica.example.com On replica, set DNS to IPA master, with hostname in /etc/hosts. # ipa-replica-install ... The verify_fqdn() passes because the resolver uses /etc/hosts. The conncheck fails: Execute check on remote master Check connection from master to remote replica 'replica.example.com': Remote master check failed with following error message(s): Could not chdir to home directory /home/admin: No such file or directory Port check failed! Unable to resolve host name 'replica.example.com' Connection check failed! Please fix your network settings according to error messages above. If the check results are not valid it can be skipped with --skip-conncheck parameter. The DNS test happens much further after this, and I get why, I just don't see how useful it is unless the --skip-conncheck is used. For the record, it's because we need to check if the host has DNS installed. We need a LDAP connection to check this. ipa-replica-install ~rcrit/replica-info-replica.example.com.gpg --skip-conncheck Directory Manager (existing master) password: ipa : ERRORCould not resolve hostname replica.example.com using DNS. Clients may not function properly. Please check your DNS setup. (Note that this check queries IPA DNS directly and ignores /etc/hosts.) Continue? [no]: So I guess, what are the intentions here? It is certainly better than before. rob If the replica is in the master's /etc/hosts, but not in DNS, the conncheck will succeed. This check explicitly queries IPA records only and ignores /etc/hosts so it'll notice this case and warn. Ok, like I said, this is better than we have. Just one nit then you get an ack: +# If remote host has DNS, check forward/reverse resolution +try: +entry = conn.find_entries(u'cn=dns', base_dn=DN(api.env.basedn)) +except errors.NotFound: u'cn=dns' should be str(constants.container_dns). rob This is a search filter, Petr could use the one I already have in dns.py::get_dns_masters() function: '((objectClass=ipaConfigObject)(cn=DNS))' For performance sake, I would also not search in the entire tree, but limit the search only to: DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn) Martin Attaching updated patch with Martin's suggestions. I think what Martin had in mind was: if api.Object.dnsrecord.get_dns_masters(): ... I didn't want to do this because api.Object.* use our global ldap2 Backend, which is hardwired to query localhost. I see now that I can hack around this, and we already do this in ipa-replica-install. I've extracted the hack and reused it to get the DNS masters. I can't say I'm crazy about the method name you've chosen... rob I intended the name as a warning to not use it unless necessary. Changed to temporary_ldap2_connection. I found a dangling reference to replman. I removed this and installation seemed to work ok. --- install/tools/ipa-replica-install 2012-09-19 14:01:16.169053047 -0400 +++ /usr/sbin/ipa-replica-install 2012-09-19 14:43:06.684917906 -0400 @@ -564,8 +564,6 @@ finally: if conn and conn.isconnected(): conn.disconnect() -if replman and replman.conn: -replman.conn.unbind_s() # Configure ntpd if options.conf_ntp: I never had a problem with this. How are you installing the replica? It's true that replman might be uninitialized if there's an error (though it doesn't seem related to the issue). Attached patch initializes it. -- Petr³ From 01ef8b906b976823f2ef6bfb094ca2a714dbc79f Mon Sep 17 00:00:00 2001 From: Petr Viktorin pvikt...@redhat.com Date: Tue, 4 Sep 2012 03:47:43 -0400 Subject: [PATCH] Check direct/reverse hostname/address resolution in ipa-replica-install Forward and reverse resolution of the newly created replica is already checked via get_host_name (which calls verify_fqdn). Add the same check for the existing master. Additionally, if DNS is installed on the remote host, check forward and reverse resolution of both
Re: [Freeipa-devel] [PATCH] 311 Fix idrange plugin help
On 09/20/2012 10:33 AM, Petr Spacek wrote: On 09/20/2012 10:28 AM, Martin Kosek wrote: range plugin was renamed to idrange. Update plugin help to reflect this change. ACK :-) Petr^2 Spacek Pushed to master, ipa-3-0. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] SSHPublicKey.fingerprint_dns_sha1 should return unicode value
On 09/20/2012 10:22 AM, Jan Cholasta wrote: Hi, this one-liner fixes updating DNS SSHFP records in host-mod. Honza ACK. Pushed to master, ipa-3-0. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0074 validate SID for trusted domain when adding/modifying ID range
Hi, On Thu, 20 Sep 2012, Martin Kosek wrote: On 09/19/2012 06:19 PM, Alexander Bokovoy wrote: Hi, This patch adds validation of SID for trusted domain when adding or modifying ID range for the domain. We only allow creating ranges for trusted domains when the trust is already established -- the default range is created automatically right after the trust is added. https://fedorahosted.org/freeipa/ticket/3087 Basic functionality looks OK, but I saw few issues with exception formatting: diff --git a/ipalib/plugins/idrange.py b/ipalib/plugins/idrange.py index efa906428aa58c670bc4af63b10c88123dda5b65..4750c1d6716bd69045d53f32ae1836f44e70b03b 100644 --- a/ipalib/plugins/idrange.py +++ b/ipalib/plugins/idrange.py @@ -26,6 +26,12 @@ from ipapython import ipautil from ipalib import util from ipapython.dn import DN +if api.env.in_server and api.env.context in ['lite', 'server']: +try: +import ipaserver.dcerpc +_dcerpc_bindings_installed = True +except Exception, e: +_dcerpc_bindings_installed = False Variable e is not used, so it can be removed. Then Exception, e should be omitted completely :) __doc__ = _( ID ranges @@ -137,6 +143,21 @@ user. RIDs are unique in a domain, 32bit values and are used for users and groups. ) +def validate_trusted_domain_sid(self, sid): self is not needed in the list of attributes, this is not a class method. I'm using self.api inside. While api is singleton and accessible globally, I'd prefer passing it explicitly. So may be I'll change that to 'api'. +if not _dcerpc_bindings_installed: +raise errors.NotFound(name=_('ID Range setup'), + reason=_('''Cannot perform SID validation without Samba 4 support installed. + Make sure you have installed server-trust-ad sub-package of IPA on the server''')) Improperly formatted exception: 1) NotFound error does not use name param, maybe you wanted to use ValidationError? 2) The text will be improperly formatted - since you used '''text''', the indentation will be in text: ipa: ERROR: Cannot perform SID validation without Samba 4 support installed. Make sure you have installed server-trust-ad sub-package of IPA on the server Will fix it. Also, I know this was discussed before, but using gettext in a name attribute of ValidationError will cause improperly formatted exception: # ipa idrange-add foo --base-id=1000 --range-size=100 --dom-sid=foo ipa: ERROR: invalid Gettext('ID Range setup', domain='ipa', localedir=None): Options dom_sid and rid_base must be used together The problem is, that name param is printer as %r, thus you would need to coerce it to unicode to make it better. I'd rather fix our printing code and Gettext() usage to properly give out the original string rather than swallow limitations we put on ourselves. Wider use will be, more translations will be needed and names will need to be translated as well. +domain_validator = ipaserver.dcerpc.DomainValidator(self.api) +if not domain_validator.is_configured(): +raise errors.NotFound(name=_('ID Range setup'), + reason=_('''Cross-realm trusts are not configured.. + Make sure you have run ipa-adtrust-install on the IPA server first''')) Same issues: # ipa idrange-add foo --base-id=1000 --range-size=100 --dom-sid=foo --rid-base=1000 ipa: ERROR: Cross-realm trusts are not configured.. Make sure you have run ipa-adtrust-install on the IPA server first +if not domain_validator.is_trusted_sid_valid(sid): +raise errors.ValidationError(name=_('ID Range setup'), + error=_('SID is not recognized as a valid SID from a trusted domain')) + + Same issues: ipa: ERROR: invalid Gettext('ID Range setup', domain='ipa', localedir=None): SID is not recognized as a valid SID from a trusted domain I'll fix formatting. Thanks! -- / Alexander Bokovoy ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0074 validate SID for trusted domain when adding/modifying ID range
On 09/20/2012 11:42 AM, Alexander Bokovoy wrote: Hi, On Thu, 20 Sep 2012, Martin Kosek wrote: On 09/19/2012 06:19 PM, Alexander Bokovoy wrote: Hi, This patch adds validation of SID for trusted domain when adding or modifying ID range for the domain. We only allow creating ranges for trusted domains when the trust is already established -- the default range is created automatically right after the trust is added. https://fedorahosted.org/freeipa/ticket/3087 Basic functionality looks OK, but I saw few issues with exception formatting: diff --git a/ipalib/plugins/idrange.py b/ipalib/plugins/idrange.py index efa906428aa58c670bc4af63b10c88123dda5b65..4750c1d6716bd69045d53f32ae1836f44e70b03b 100644 --- a/ipalib/plugins/idrange.py +++ b/ipalib/plugins/idrange.py @@ -26,6 +26,12 @@ from ipapython import ipautil from ipalib import util from ipapython.dn import DN +if api.env.in_server and api.env.context in ['lite', 'server']: +try: +import ipaserver.dcerpc +_dcerpc_bindings_installed = True +except Exception, e: +_dcerpc_bindings_installed = False Variable e is not used, so it can be removed. Then Exception, e should be omitted completely :) As per PEP8, except Exception: is preffered over bare except: as otherwise it would also catch SystemExit or KeyboardInterrupt. __doc__ = _( ID ranges @@ -137,6 +143,21 @@ user. RIDs are unique in a domain, 32bit values and are used for users and groups. ) +def validate_trusted_domain_sid(self, sid): self is not needed in the list of attributes, this is not a class method. I'm using self.api inside. While api is singleton and accessible globally, I'd prefer passing it explicitly. So may be I'll change that to 'api'. Looks like to hack to me. I would either define this function as a method of idrange class (as I did with handle_iparangetype) and then use self.api or use api directly as a function parameter and not make assumptions what self may be. +if not _dcerpc_bindings_installed: +raise errors.NotFound(name=_('ID Range setup'), + reason=_('''Cannot perform SID validation without Samba 4 support installed. + Make sure you have installed server-trust-ad sub-package of IPA on the server''')) Improperly formatted exception: 1) NotFound error does not use name param, maybe you wanted to use ValidationError? 2) The text will be improperly formatted - since you used '''text''', the indentation will be in text: ipa: ERROR: Cannot perform SID validation without Samba 4 support installed. Make sure you have installed server-trust-ad sub-package of IPA on the server Will fix it. Also, I know this was discussed before, but using gettext in a name attribute of ValidationError will cause improperly formatted exception: # ipa idrange-add foo --base-id=1000 --range-size=100 --dom-sid=foo ipa: ERROR: invalid Gettext('ID Range setup', domain='ipa', localedir=None): Options dom_sid and rid_base must be used together The problem is, that name param is printer as %r, thus you would need to coerce it to unicode to make it better. I'd rather fix our printing code and Gettext() usage to properly give out the original string rather than swallow limitations we put on ourselves. Wider use will be, more translations will be needed and names will need to be translated as well. ValidationError has this format: _('invalid %(name)r: %(error)s'). AFAIU, name parameter was intended to contain only a name of attribute or option where the validation failed, i.e. a non-translable string. So this was the reason why we print it as %r. This pattern is followed in the rest of the plugins. In your case, I think using name=dom_sid would be the preferred use of ValidationError. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0074 validate SID for trusted domain when adding/modifying ID range
On 09/20/2012 12:12 PM, Martin Kosek wrote: On 09/20/2012 11:42 AM, Alexander Bokovoy wrote: Hi, On Thu, 20 Sep 2012, Martin Kosek wrote: On 09/19/2012 06:19 PM, Alexander Bokovoy wrote: Hi, This patch adds validation of SID for trusted domain when adding or modifying ID range for the domain. We only allow creating ranges for trusted domains when the trust is already established -- the default range is created automatically right after the trust is added. https://fedorahosted.org/freeipa/ticket/3087 Basic functionality looks OK, but I saw few issues with exception formatting: diff --git a/ipalib/plugins/idrange.py b/ipalib/plugins/idrange.py index efa906428aa58c670bc4af63b10c88123dda5b65..4750c1d6716bd69045d53f32ae1836f44e70b03b 100644 --- a/ipalib/plugins/idrange.py +++ b/ipalib/plugins/idrange.py @@ -26,6 +26,12 @@ from ipapython import ipautil from ipalib import util from ipapython.dn import DN +if api.env.in_server and api.env.context in ['lite', 'server']: +try: +import ipaserver.dcerpc +_dcerpc_bindings_installed = True +except Exception, e: +_dcerpc_bindings_installed = False Variable e is not used, so it can be removed. Then Exception, e should be omitted completely :) As per PEP8, except Exception: is preffered over bare except: as otherwise it would also catch SystemExit or KeyboardInterrupt. You should use the most specific exception you want to handle. In this case it's probably ImportError. __doc__ = _( ID ranges @@ -137,6 +143,21 @@ user. RIDs are unique in a domain, 32bit values and are used for users and groups. ) +def validate_trusted_domain_sid(self, sid): self is not needed in the list of attributes, this is not a class method. I'm using self.api inside. While api is singleton and accessible globally, I'd prefer passing it explicitly. So may be I'll change that to 'api'. Looks like to hack to me. I would either define this function as a method of idrange class (as I did with handle_iparangetype) and then use self.api or use api directly as a function parameter and not make assumptions what self may be. +if not _dcerpc_bindings_installed: +raise errors.NotFound(name=_('ID Range setup'), + reason=_('''Cannot perform SID validation without Samba 4 support installed. + Make sure you have installed server-trust-ad sub-package of IPA on the server''')) Improperly formatted exception: 1) NotFound error does not use name param, maybe you wanted to use ValidationError? 2) The text will be improperly formatted - since you used '''text''', the indentation will be in text: ipa: ERROR: Cannot perform SID validation without Samba 4 support installed. Make sure you have installed server-trust-ad sub-package of IPA on the server Will fix it. Also, I know this was discussed before, but using gettext in a name attribute of ValidationError will cause improperly formatted exception: # ipa idrange-add foo --base-id=1000 --range-size=100 --dom-sid=foo ipa: ERROR: invalid Gettext('ID Range setup', domain='ipa', localedir=None): Options dom_sid and rid_base must be used together The problem is, that name param is printer as %r, thus you would need to coerce it to unicode to make it better. I'd rather fix our printing code and Gettext() usage to properly give out the original string rather than swallow limitations we put on ourselves. Wider use will be, more translations will be needed and names will need to be translated as well. ValidationError has this format: _('invalid %(name)r: %(error)s'). AFAIU, name parameter was intended to contain only a name of attribute or option where the validation failed, i.e. a non-translable string. So this was the reason why we print it as %r. This pattern is followed in the rest of the plugins. In your case, I think using name=dom_sid would be the preferred use of ValidationError. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel -- Petr³ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 0082 Use correct Dogtag port in ipaserver.install.certs
Something I overlooked in the Dogtag 10 patch: On an instance upgraded from Dogtag 9 to Dogtag 10, ipa-replica-prepare used the wrong set of constants, and failed to contact the server. This patch fixes that. Additional fix for https://fedorahosted.org/freeipa/ticket/2846 -- Petr³ From e35e31aba9693f0d1cfd35d33e4a1997437e8659 Mon Sep 17 00:00:00 2001 From: Petr Viktorin pvikt...@redhat.com Date: Wed, 19 Sep 2012 08:01:40 -0400 Subject: [PATCH] Use correct Dogtag port in ipaserver.install.certs On an instance upgraded from Dogtag 9 to Dogtag 10, ipa-replica-prepare used the wrong port number. Fix that. --- ipaserver/install/certs.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py index 0094d0b89637557e172cecac084fa967deabda21..bfbba08f04563c752c20a27cc6ea239cfaa81d7f 100644 --- a/ipaserver/install/certs.py +++ b/ipaserver/install/certs.py @@ -663,7 +663,7 @@ def issue_server_cert(self, certreq_fname, cert_fname): result = dogtag.https_request( self.host_name, api.env.ca_ee_install_port or -dogtag.install_constants.EE_SECURE_PORT, +dogtag.configured_constants().EE_SECURE_PORT, /ca/ee/ca/profileSubmitSSLClient, self.secdir, password, ipaCert, **params) http_status, http_reason_phrase, http_headers, http_body = result @@ -751,7 +751,7 @@ def issue_signing_cert(self, certreq_fname, cert_fname): result = dogtag.https_request( self.host_name, api.env.ca_ee_install_port or -dogtag.install_constants.EE_SECURE_PORT, +dogtag.configured_constants().EE_SECURE_PORT, /ca/ee/ca/profileSubmitSSLClient, self.secdir, password, ipaCert, **params) http_status, http_reason_phrase, http_headers, http_body = result -- 1.7.11.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 1051 Fix CS replica management
Hi, Dne 31.8.2012 19:43, Rob Crittenden napsal(a): The naming in CS replication agreements is different from IPA agreements, we have to live with what the create. The master side should be on the local side, replica1, not the remote. This required reversing a few master variables. Pass in the force flag to del_link. Do a better job of finding the agreements on each side. This should be ipa-csreplica-manage more in line with ipa-replica-manage. rob Rob, can you please rebase the patch on top of current master? There were some dogtag 10 related changes to ipa-csreplica-manage since you posted the patch. Honza -- Jan Cholasta ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0061] Add missing DNS view attach/detach to LDAP instance management code
On 09/13/2012 01:37 PM, Petr Spacek wrote: Hello, Add missing DNS view attach/detach to LDAP instance management code. This fixes race condition in BIND shutdown after SIGINT: - failing assert caused by use-after-free in dns_zt_find(): (((zt) != ((void *)0)) (((const isc__magic_t *)(zt))-magic == ((('Z') 24 | ('T') 16 | ('b') 8 | ('l') Petr^2 Spacek This patch causes deadlock in shut-down sequence in certain situations, I'm still searching for the root cause. Old comment from 2009-02-10 /* commented out for now, cause named to hang */ was correct, apparently ... -- Petr^2 Spacek ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0074 validate SID for trusted domain when adding/modifying ID range
On Thu, 20 Sep 2012, Petr Viktorin wrote: On 09/20/2012 12:12 PM, Martin Kosek wrote: On 09/20/2012 11:42 AM, Alexander Bokovoy wrote: Hi, On Thu, 20 Sep 2012, Martin Kosek wrote: On 09/19/2012 06:19 PM, Alexander Bokovoy wrote: Hi, This patch adds validation of SID for trusted domain when adding or modifying ID range for the domain. We only allow creating ranges for trusted domains when the trust is already established -- the default range is created automatically right after the trust is added. https://fedorahosted.org/freeipa/ticket/3087 Basic functionality looks OK, but I saw few issues with exception formatting: diff --git a/ipalib/plugins/idrange.py b/ipalib/plugins/idrange.py index efa906428aa58c670bc4af63b10c88123dda5b65..4750c1d6716bd69045d53f32ae1836f44e70b03b 100644 --- a/ipalib/plugins/idrange.py +++ b/ipalib/plugins/idrange.py @@ -26,6 +26,12 @@ from ipapython import ipautil from ipalib import util from ipapython.dn import DN +if api.env.in_server and api.env.context in ['lite', 'server']: +try: +import ipaserver.dcerpc +_dcerpc_bindings_installed = True +except Exception, e: +_dcerpc_bindings_installed = False Variable e is not used, so it can be removed. Then Exception, e should be omitted completely :) As per PEP8, except Exception: is preffered over bare except: as otherwise it would also catch SystemExit or KeyboardInterrupt. You should use the most specific exception you want to handle. In this case it's probably ImportError. New patch is attached. -- / Alexander Bokovoy From 4ddcad0b54e18339581a7aec042f42bec5bc7b48 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy aboko...@redhat.com Date: Wed, 19 Sep 2012 19:09:22 +0300 Subject: [PATCH 1/4] validate SID for trusted domain when adding/modifying ID range https://fedorahosted.org/freeipa/ticket/3087 --- ipalib/plugins/idrange.py | 25 + 1 file changed, 25 insertions(+) diff --git a/ipalib/plugins/idrange.py b/ipalib/plugins/idrange.py index ee50613bbaeb70aecf830ad480773a253f88a136..4ef3559aca0ef5314e44b727e97106866db94cda 100644 --- a/ipalib/plugins/idrange.py +++ b/ipalib/plugins/idrange.py @@ -26,6 +26,12 @@ from ipapython import ipautil from ipalib import util from ipapython.dn import DN +if api.env.in_server and api.env.context in ['lite', 'server']: +try: +import ipaserver.dcerpc +_dcerpc_bindings_installed = True +except ImportError: +_dcerpc_bindings_installed = False __doc__ = _( ID ranges @@ -249,6 +255,18 @@ class idrange(LDAPObject): error=_('range modification leaving objects with ID out ' 'of the defined range is not allowed')) +def validate_trusted_domain_sid(self, sid): +if not _dcerpc_bindings_installed: +raise errors.NotFound(reason=_('Cannot perform SID validation without Samba 4 support installed. ' + 'Make sure you have installed server-trust-ad sub-package of IPA on the server')) +domain_validator = ipaserver.dcerpc.DomainValidator(self.api) +if not domain_validator.is_configured(): +raise errors.NotFound(reason=_('Cross-realm trusts are not configured. ' + 'Make sure you have run ipa-adtrust-install on the IPA server first')) +if not domain_validator.is_trusted_sid_valid(sid): +raise errors.ValidationError(name='domain SID', + error=_('SID is not recognized as a valid SID for a trusted domain')) + class idrange_add(LDAPCreate): __doc__ = _( Add new ID range. @@ -287,6 +305,9 @@ class idrange_add(LDAPCreate): error=_('Options dom_sid and rid_base must ' \ 'be used together')) +# Validate SID as the one of trusted domains + self.obj.validate_trusted_domain_sid(options['ipanttrusteddomainsid']) +# Finally, add trusted AD domain range object class entry_attrs['objectclass'].append('ipatrustedaddomainrange') else: if (('ipasecondarybaserid' in options) != ('ipabaserid' in options)): @@ -366,6 +387,10 @@ class idrange_mod(LDAPUpdate): except errors.NotFound: self.obj.handle_not_found(*keys) +if 'ipanttrusteddomainsid' in options: +# Validate SID as the one of trusted domains + self.obj.validate_trusted_domain_sid(options['ipanttrusteddomainsid']) + old_base_id = int(old_attrs.get('ipabaseid', [0])[0]) old_range_size = int(old_attrs.get('ipaidrangesize', [0])[0]) new_base_id = entry_attrs.get('ipabaseid') -- 1.7.12 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 0075 Fix error messages and use proper ImportError for dcerpc
Hi, fix use of NotFound error exception in plugins/group.py similar to what is discussed in patch 0074 for idrange plugin. -- / Alexander Bokovoy From 9028d2c8c8da9bc259e00250093352085317f91c Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy aboko...@redhat.com Date: Thu, 20 Sep 2012 14:02:15 +0300 Subject: [PATCH 2/4] Fix error messages and use proper ImportError for dcerpc import --- ipalib/plugins/group.py | 13 ++--- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py index 011587206d809cf7ab32308f8d70eba06298c555..ae00aa8ac7d087befa5107df4eb978f1ada00240 100644 --- a/ipalib/plugins/group.py +++ b/ipalib/plugins/group.py @@ -26,7 +26,7 @@ if api.env.in_server and api.env.context in ['lite', 'server']: try: import ipaserver.dcerpc _dcerpc_bindings_installed = True -except Exception, e: +except ImportError: _dcerpc_bindings_installed = False __doc__ = _( @@ -328,14 +328,13 @@ class group_add_member(LDAPAddMember): result = (completed, dn) if 'ipaexternalmember' in options: if not _dcerpc_bindings_installed: -raise errors.NotFound(name=_('AD Trust'), - reason=_('''Cannot perform external member validation without Samba 4 support installed. - Make sure you have installed server-trust-ad sub-package of IPA on the server''')) +raise errors.NotFound(reason=_('Cannot perform external member validation without ' + 'Samba 4 support installed. Make sure you have installed ' + 'server-trust-ad sub-package of IPA on the server')) domain_validator = ipaserver.dcerpc.DomainValidator(self.api) if not domain_validator.is_configured(): -raise errors.NotFound(name=_('AD Trust setup'), - reason=_('''Cannot perform join operation without own domain configured. - Make sure you have run ipa-adtrust-install on the IPA server first''')) +raise errors.NotFound(reason=_('Cannot perform join operation without own domain configured. ' + 'Make sure you have run ipa-adtrust-install on the IPA server first')) sids = [] failed_sids = [] for sid in options['ipaexternalmember']: -- 1.7.12 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0082 Use correct Dogtag port in ipaserver.install.certs
On 09/20/2012 12:48 PM, Petr Viktorin wrote: Something I overlooked in the Dogtag 10 patch: On an instance upgraded from Dogtag 9 to Dogtag 10, ipa-replica-prepare used the wrong set of constants, and failed to contact the server. This patch fixes that. Additional fix for https://fedorahosted.org/freeipa/ticket/2846 Cool, fixed ipa-replica-prepare on my upgraded instance. ACK. Pushed to master, ipa-3-0. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 0076-0077 Document trust commands and external group member
Hi, attached patches 0076 and 0077 add base documentation about trust commands. Part of that documentation is also added to group membership plugin to describe external groups and external members. -- / Alexander Bokovoy From bb0c11364826c0738ab7bd649101cdaeaa0081f4 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy aboko...@redhat.com Date: Thu, 20 Sep 2012 14:25:05 +0300 Subject: [PATCH 3/4] Add documentation for 'ipa trust' set of commands --- ipalib/plugins/trust.py | 60 +++-- 1 file changed, 58 insertions(+), 2 deletions(-) diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py index bced06f4db83b98f16e75b63ba0c0c252a12e489..9d3e9a873e8f6335c12729e9f9475e59499fb3d4 100644 --- a/ipalib/plugins/trust.py +++ b/ipalib/plugins/trust.py @@ -34,11 +34,67 @@ if api.env.in_server and api.env.context in ['lite', 'server']: try: import ipaserver.dcerpc #pylint: disable=F0401 _bindings_installed = True -except Exception, e: +except ImportError: _bindings_installed = False __doc__ = _( -Manage trust relationship between realms +Cross-realm trusts + +Manage trust relationship between IPA and Active Directory domains. + +In order to allow users from a remote domain to access resources in IPA +domain, trust relationship needs to be established. Currently IPA supports +only trusts between IPA and Active Directory domains under control of Windows +Server 2008 or later, with functional level 2008 or later. + +Please note that DNS on both IPA and Active Directory domain sides should be +configured properly to discover each other. Trust relationship relies on +ability to discover special resources in the other domain via DNS records. + +Examples: + +1. Establish cross-realm trust with Active Directory using AD administrator + credentials: + + ipa trust-add --type=ad ad.domain --admin AD domain administrator --password + +2. List all existing trust relationships: + + ipa trust-find + +3. Show details of the specific trust relationship: + + ipa trust-show ad.domain + +4. Delete existing trust relationship: + + ipa trust-del ad.domain + +Once trust relationship is established, remote users will need to be mapped +to local POSIX groups in order to actually use IPA resources. The mapping should +be done via use of external membership of non-POSIX group and then this group +should be included into one of local POSIX groups. + +Example: + +1. Make note of the trusted domain security identifier + + domainsid = `ipa trust-show ad.domain | grep Identifier | cut -d: -f2` + +2. Create group for the trusted domain admins' mapping and their local POSIX group: + + ipa group-add --desc='ad.domain admins external map' ad_admins_external --external + ipa group-add --desc='ad.domain admins' ad_admins + +3. Add security identifier of Domain Admins of the ad.domain to the ad_admins_external + group (security identifier of ad.domain SID-513 is Domain Admins group): + + ipa group-add-member ad_admins_external --external ${domainsid}-513 + +4. Allow members of ad_admins_external group to be associated with ad_admins POSIX group: + + ipa group-add-member ad_admins --groups ad_admins_external + ) trust_output_params = ( -- 1.7.12 From 29598d8e958e571fcba0c4a81ea671092375b727 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy aboko...@redhat.com Date: Thu, 20 Sep 2012 14:31:01 +0300 Subject: [PATCH 4/4] Document use of external group membership --- ipalib/plugins/group.py | 29 + 1 file changed, 29 insertions(+) diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py index ae00aa8ac7d087befa5107df4eb978f1ada00240..3775056a12400ddc236bf5c12ff862731f699431 100644 --- a/ipalib/plugins/group.py +++ b/ipalib/plugins/group.py @@ -76,6 +76,35 @@ EXAMPLES: Display information about a named group. ipa group-show localadmins + +External group membership is designed to allow users from trusted domains +to be mapped to local POSIX groups in order to actually use IPA resources. +External members should be added to groups that specifically created as +external and non-POSIX. Such group later should be included into one of POSIX +groups. + +An external group member is currently a Security Identifier as defined by +the trusted domain. + +Example: + +1. Make note of the trusted domain security identifier + + domainsid = `ipa trust-show ad.domain | grep Identifier | cut -d: -f2` + +2. Create group for the trusted domain admins' mapping and their local POSIX group: + + ipa group-add --desc='ad.domain admins external map' ad_admins_external --external + ipa group-add --desc='ad.domain admins' ad_admins + +3. Add security identifier of Domain Admins of the ad.domain to the ad_admins_external + group (security identifier of ad.domain SID-513 is Domain Admins group): + + ipa group-add-member ad_admins_external --external ${domainsid}-513 + +4. Allow members of
Re: [Freeipa-devel] [PATCH] 0074 validate SID for trusted domain when adding/modifying ID range
On 09/20/2012 01:58 PM, Alexander Bokovoy wrote: On Thu, 20 Sep 2012, Petr Viktorin wrote: On 09/20/2012 12:12 PM, Martin Kosek wrote: On 09/20/2012 11:42 AM, Alexander Bokovoy wrote: Hi, On Thu, 20 Sep 2012, Martin Kosek wrote: On 09/19/2012 06:19 PM, Alexander Bokovoy wrote: Hi, This patch adds validation of SID for trusted domain when adding or modifying ID range for the domain. We only allow creating ranges for trusted domains when the trust is already established -- the default range is created automatically right after the trust is added. https://fedorahosted.org/freeipa/ticket/3087 Basic functionality looks OK, but I saw few issues with exception formatting: diff --git a/ipalib/plugins/idrange.py b/ipalib/plugins/idrange.py index efa906428aa58c670bc4af63b10c88123dda5b65..4750c1d6716bd69045d53f32ae1836f44e70b03b 100644 --- a/ipalib/plugins/idrange.py +++ b/ipalib/plugins/idrange.py @@ -26,6 +26,12 @@ from ipapython import ipautil from ipalib import util from ipapython.dn import DN +if api.env.in_server and api.env.context in ['lite', 'server']: +try: +import ipaserver.dcerpc +_dcerpc_bindings_installed = True +except Exception, e: +_dcerpc_bindings_installed = False Variable e is not used, so it can be removed. Then Exception, e should be omitted completely :) As per PEP8, except Exception: is preffered over bare except: as otherwise it would also catch SystemExit or KeyboardInterrupt. You should use the most specific exception you want to handle. In this case it's probably ImportError. New patch is attached. The patch looks OK, I would just also like to have the rest of the name=_('ID Range setup') messages fixed so that we don't print confusing errors: $ git grep ID Range setup ipalib/ ipalib/plugins/idrange.py:raise errors.ValidationError(name=_('ID Range setup'), ipalib/plugins/idrange.py:raise errors.ValidationError(name=_('ID Range setup'), ipalib/plugins/idrange.py:raise errors.ValidationError(name=_('ID Range setup'), Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0074 validate SID for trusted domain when adding/modifying ID range
On Thu, 20 Sep 2012, Martin Kosek wrote: On 09/20/2012 01:58 PM, Alexander Bokovoy wrote: On Thu, 20 Sep 2012, Petr Viktorin wrote: On 09/20/2012 12:12 PM, Martin Kosek wrote: On 09/20/2012 11:42 AM, Alexander Bokovoy wrote: Hi, On Thu, 20 Sep 2012, Martin Kosek wrote: On 09/19/2012 06:19 PM, Alexander Bokovoy wrote: Hi, This patch adds validation of SID for trusted domain when adding or modifying ID range for the domain. We only allow creating ranges for trusted domains when the trust is already established -- the default range is created automatically right after the trust is added. https://fedorahosted.org/freeipa/ticket/3087 Basic functionality looks OK, but I saw few issues with exception formatting: diff --git a/ipalib/plugins/idrange.py b/ipalib/plugins/idrange.py index efa906428aa58c670bc4af63b10c88123dda5b65..4750c1d6716bd69045d53f32ae1836f44e70b03b 100644 --- a/ipalib/plugins/idrange.py +++ b/ipalib/plugins/idrange.py @@ -26,6 +26,12 @@ from ipapython import ipautil from ipalib import util from ipapython.dn import DN +if api.env.in_server and api.env.context in ['lite', 'server']: +try: +import ipaserver.dcerpc +_dcerpc_bindings_installed = True +except Exception, e: +_dcerpc_bindings_installed = False Variable e is not used, so it can be removed. Then Exception, e should be omitted completely :) As per PEP8, except Exception: is preffered over bare except: as otherwise it would also catch SystemExit or KeyboardInterrupt. You should use the most specific exception you want to handle. In this case it's probably ImportError. New patch is attached. The patch looks OK, I would just also like to have the rest of the name=_('ID Range setup') messages fixed so that we don't print confusing errors: $ git grep ID Range setup ipalib/ ipalib/plugins/idrange.py:raise errors.ValidationError(name=_('ID Range setup'), ipalib/plugins/idrange.py:raise errors.ValidationError(name=_('ID Range setup'), ipalib/plugins/idrange.py:raise errors.ValidationError(name=_('ID Range setup'), Yep. Done. -- / Alexander Bokovoy From 86fef992edd0f6e7b5c818c774352067e90e02a3 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy aboko...@redhat.com Date: Wed, 19 Sep 2012 19:09:22 +0300 Subject: [PATCH 1/4] validate SID for trusted domain when adding/modifying ID range https://fedorahosted.org/freeipa/ticket/3087 --- ipalib/plugins/idrange.py | 31 --- 1 file changed, 28 insertions(+), 3 deletions(-) diff --git a/ipalib/plugins/idrange.py b/ipalib/plugins/idrange.py index ee50613bbaeb70aecf830ad480773a253f88a136..8f2d4efdc0463e7d81cd72fba7769e38dc0c638b 100644 --- a/ipalib/plugins/idrange.py +++ b/ipalib/plugins/idrange.py @@ -26,6 +26,12 @@ from ipapython import ipautil from ipalib import util from ipapython.dn import DN +if api.env.in_server and api.env.context in ['lite', 'server']: +try: +import ipaserver.dcerpc +_dcerpc_bindings_installed = True +except ImportError: +_dcerpc_bindings_installed = False __doc__ = _( ID ranges @@ -249,6 +255,18 @@ class idrange(LDAPObject): error=_('range modification leaving objects with ID out ' 'of the defined range is not allowed')) +def validate_trusted_domain_sid(self, sid): +if not _dcerpc_bindings_installed: +raise errors.NotFound(reason=_('Cannot perform SID validation without Samba 4 support installed. ' + 'Make sure you have installed server-trust-ad sub-package of IPA on the server')) +domain_validator = ipaserver.dcerpc.DomainValidator(self.api) +if not domain_validator.is_configured(): +raise errors.NotFound(reason=_('Cross-realm trusts are not configured. ' + 'Make sure you have run ipa-adtrust-install on the IPA server first')) +if not domain_validator.is_trusted_sid_valid(sid): +raise errors.ValidationError(name='domain SID', + error=_('SID is not recognized as a valid SID for a trusted domain')) + class idrange_add(LDAPCreate): __doc__ = _( Add new ID range. @@ -278,19 +296,22 @@ class idrange_add(LDAPCreate): if 'ipanttrusteddomainsid' in options: if 'ipasecondarybaserid' in options: -raise errors.ValidationError(name=_('ID Range setup'), +raise errors.ValidationError(name='ID Range setup', error=_('Options dom_sid and secondary_rid_base cannot ' \ 'be used together')) if 'ipabaserid' not in options: -raise errors.ValidationError(name=_('ID Range setup'), +raise errors.ValidationError(name='ID Range setup', error=_('Options dom_sid and rid_base must ' \ 'be used together')) +#
Re: [Freeipa-devel] [PATCH 0006] Improves sssd.conf handling during ipa-client uninstall
On 09/18/2012 11:21 AM, Tomas Babej wrote: On 09/12/2012 05:29 PM, Martin Kosek wrote: On 08/29/2012 02:54 PM, Tomas Babej wrote: On 08/27/2012 04:55 PM, Martin Kosek wrote: On 08/27/2012 03:37 PM, Jakub Hrozek wrote: On Mon, Aug 27, 2012 at 02:57:44PM +0200, Martin Kosek wrote: I think that the right behavior of SSSD conf uninstall should be the following: * sssd.conf existed before IPA install + non-IPA domains in sssd.conf found: - move backed conf up sssd.conf.bkp (and inform the user) - use SSSDConfig delete_domain function to remove ipa domain from sssd.conf - restart sssd afterwards I'm confused here, which of the files is the original pre-ipa-client-install file? This is the backed up sssd.conf. I thought that it may be useful for user to still have an access to it after uninstall. How does the non-ipa domain end up in the sssd.conf file? Does it have to be configured manually or does ipa-client-install merge the list of domains on installation? ipa-client-install merge the list of the domains. It overrides the old sssd.conf only when we cannot parse the sssd.conf and --preserve-sssd option was not set. Martin Hi, The sssd.conf file is no longer left behind in case sssd was not configured before the installation. However, the patch goes behind the scope of this ticked and improves the handling of sssd.conf during the ipa-client-install --uninstall in general. The current behaviour (well documented in source code) is as follows: - In general, the IPA domain is simply removed from the sssd.conf file, instead of sssd.conf being rewritten from the backup. This preserves any domains added after installation. - If sssd.conf existed before the installation, it is restored to sssd.conf.bkp. However, any IPA domains from pre-installation sssd.conf should have been merged during the installation. - If sssd.conf did not exist before the installation, and no other domains than IPA domain exist in it, the patch makes sure that sssd.conf is moved to sssd.conf.deleted so user experiences no crash during any next installation due to its existence. https://fedorahosted.org/freeipa/ticket/2740 Tomas Good job, SSSD uninstall process now looks more consistent and better documented. I just found the following (mainly minor) issues. Comments in the patch: diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 2e65921e8de2dfe68443f5b5875954d71dd48ed2..c5cef15e1fb3a3e1d7cfd070f4288d3839accfc8 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -183,6 +183,36 @@ def nssldap_exists(): return (retval, files_found) +# helper function for uninstall +# deletes IPA domain from sssd.conf +def delete_IPA_domain(): Function names should be lowercase - delete_ipa_domain +sssd = ipaservices.service('sssd') +try: +sssdconfig = SSSDConfig.SSSDConfig() +sssdconfig.import_config() +domains = sssdconfig.list_active_domains() + +IPA_domain_name = None Variables should be lowercase - ipa_domain_name + +for name in domains: +domain = sssdconfig.get_domain(name) +try: +provider = domain.get_option('id_provider') +if provider == ipa: +IPA_domain_name = name +break +except SSSDConfig.NoOptionError: +continue + +if IPA_domain_name != None: Do not use != with None, True, False - use is not None. +sssdconfig.delete_domain(IPA_domain_name) +sssdconfig.write() +else: +root_logger.warning(IPA domain could not be found in + +sssd.conf and therefore not deleted) +except IOError: +root_logger.warning(IPA domain could not be deleted. No access to the sssd.conf file.) There should be full path to sssd.conf in this error message. It is very useful sometimes. + def uninstall(options, env): if not fstore.has_files(): @@ -212,7 +242,12 @@ def uninstall(options, env): sssdconfig = SSSDConfig.SSSDConfig() sssdconfig.import_config() domains = sssdconfig.list_active_domains() -if len(domains) 1: +all_domains = sssdconfig.list_domains() + +# we consider all the domains, because handling sssd.conf +# during uninstall is dependant on was_sssd_configured flag +# so the user does not lose info about inactive domains +if len(all_domains) 1: # There was more than IPA domain configured was_sssd_configured = True for name in domains: @@ -349,6 +384,62 @@ def uninstall(options, env): Failed to remove krb5/LDAP configuration: %s, str(e)) return
Re: [Freeipa-devel] [PATCH] 0074 validate SID for trusted domain when adding/modifying ID range
On 09/20/2012 02:31 PM, Alexander Bokovoy wrote: On Thu, 20 Sep 2012, Martin Kosek wrote: On 09/20/2012 01:58 PM, Alexander Bokovoy wrote: On Thu, 20 Sep 2012, Petr Viktorin wrote: On 09/20/2012 12:12 PM, Martin Kosek wrote: On 09/20/2012 11:42 AM, Alexander Bokovoy wrote: Hi, On Thu, 20 Sep 2012, Martin Kosek wrote: On 09/19/2012 06:19 PM, Alexander Bokovoy wrote: Hi, This patch adds validation of SID for trusted domain when adding or modifying ID range for the domain. We only allow creating ranges for trusted domains when the trust is already established -- the default range is created automatically right after the trust is added. https://fedorahosted.org/freeipa/ticket/3087 Basic functionality looks OK, but I saw few issues with exception formatting: diff --git a/ipalib/plugins/idrange.py b/ipalib/plugins/idrange.py index efa906428aa58c670bc4af63b10c88123dda5b65..4750c1d6716bd69045d53f32ae1836f44e70b03b 100644 --- a/ipalib/plugins/idrange.py +++ b/ipalib/plugins/idrange.py @@ -26,6 +26,12 @@ from ipapython import ipautil from ipalib import util from ipapython.dn import DN +if api.env.in_server and api.env.context in ['lite', 'server']: +try: +import ipaserver.dcerpc +_dcerpc_bindings_installed = True +except Exception, e: +_dcerpc_bindings_installed = False Variable e is not used, so it can be removed. Then Exception, e should be omitted completely :) As per PEP8, except Exception: is preffered over bare except: as otherwise it would also catch SystemExit or KeyboardInterrupt. You should use the most specific exception you want to handle. In this case it's probably ImportError. New patch is attached. The patch looks OK, I would just also like to have the rest of the name=_('ID Range setup') messages fixed so that we don't print confusing errors: $ git grep ID Range setup ipalib/ ipalib/plugins/idrange.py:raise errors.ValidationError(name=_('ID Range setup'), ipalib/plugins/idrange.py:raise errors.ValidationError(name=_('ID Range setup'), ipalib/plugins/idrange.py:raise errors.ValidationError(name=_('ID Range setup'), Yep. Done. ACK. Pushed to master, ipa-3-0. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0075 Fix error messages and use proper ImportError for dcerpc
On 09/20/2012 02:01 PM, Alexander Bokovoy wrote: Hi, fix use of NotFound error exception in plugins/group.py similar to what is discussed in patch 0074 for idrange plugin. ACK. Pushed to master, ipa-3-0. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0076-0077 Document trust commands and external group member
On 09/20/2012 02:03 PM, Alexander Bokovoy wrote: Hi, attached patches 0076 and 0077 add base documentation about trust commands. Part of that documentation is also added to group membership plugin to describe external groups and external members. ACK. Pushed both patches to master, ipa-3-0. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0081 Only stop the main DS instance when upgrading it
On 09/14/2012 05:37 PM, Martin Kosek wrote: On 09/14/2012 04:53 PM, Petr Viktorin wrote: On 09/14/2012 04:12 PM, Petr Viktorin wrote: On 09/14/2012 03:12 PM, Simo Sorce wrote: On Fri, 2012-09-14 at 14:53 +0200, Petr Viktorin wrote: This fixes a 2.2→3.0 upgrade bug found while testing the Dogtag 10 work. See commit or ticket for details. https://fedorahosted.org/freeipa/ticket/3083 I also suspect that waiting for ports is not a good way to check if the CMS is fully initialized, but I don't know of a better way. If you know one, please speak up. Such a better way is coming with https://fedorahosted.org/pki/ticket/314. I opened https://fedorahosted.org/freeipa/ticket/3084 so we won't forget to take advantage of it. Won;t we get back to square zero when the work to merge DS and CS instances into one will be completed ? Simo. When they're merged we'll probably need to bring down the CA while upgrading the server. Or just stop all the IPA services to be on the safe side, and of course bring them back up afterwards. Meanwhile, this patch shouldn't hurt things. The patch worked fine for me. It will be useful at least to the point when we use a common DS instance, as Simo suggested. Martin Just for the record - this patch was ACKed and pushed by Rob on Sep 18th to master, ipa-3-0. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH 0065] Bump version in .spec file to 2.0
Hello, this patch bumps version in .spec file to 2.0. -- Petr^2 Spacek From b4fc1e119e5d602c196af47bde07d3cfe3091a3d Mon Sep 17 00:00:00 2001 From: Petr Spacek pspa...@redhat.com Date: Thu, 20 Sep 2012 16:14:05 +0200 Subject: [PATCH] Bump version in .spec file to 2.0. Signed-off-by: Petr Spacek pspa...@redhat.com --- contrib/bind-dyndb-ldap.spec | 10 +++--- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/contrib/bind-dyndb-ldap.spec b/contrib/bind-dyndb-ldap.spec index 664e6a9af9629f07193c82382debac028c425fe1..5f1e0262e4a4707a6bb5a5820f807a98390581ce 100644 --- a/contrib/bind-dyndb-ldap.spec +++ b/contrib/bind-dyndb-ldap.spec @@ -1,12 +1,8 @@ -#%define PATCHVER P4 -%define PREVER rc1 -#%define VERSION %{version} -#%define VERSION %{version}-%{PATCHVER} -%define VERSION %{version}%{PREVER} +%define VERSION %{version} Name: bind-dyndb-ldap -Version:1.1.0 -Release:0.1.%{PREVER}%{?dist} +Version:2.0 +Release:0%{?dist} Summary:LDAP back-end plug-in for BIND Group: System Environment/Libraries -- 1.7.11.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0065] Bump version in .spec file to 2.0
On Thu, Sep 20, 2012 at 04:16:41PM +0200, Petr Spacek wrote: Hello, this patch bumps version in .spec file to 2.0. Ack From b4fc1e119e5d602c196af47bde07d3cfe3091a3d Mon Sep 17 00:00:00 2001 From: Petr Spacek pspa...@redhat.com Date: Thu, 20 Sep 2012 16:14:05 +0200 Subject: [PATCH] Bump version in .spec file to 2.0. Signed-off-by: Petr Spacek pspa...@redhat.com --- contrib/bind-dyndb-ldap.spec | 10 +++--- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/contrib/bind-dyndb-ldap.spec b/contrib/bind-dyndb-ldap.spec index 664e6a9af9629f07193c82382debac028c425fe1..5f1e0262e4a4707a6bb5a5820f807a98390581ce 100644 --- a/contrib/bind-dyndb-ldap.spec +++ b/contrib/bind-dyndb-ldap.spec @@ -1,12 +1,8 @@ -#%define PATCHVER P4 -%define PREVER rc1 -#%define VERSION %{version} -#%define VERSION %{version}-%{PATCHVER} -%define VERSION %{version}%{PREVER} +%define VERSION %{version} Name: bind-dyndb-ldap -Version:1.1.0 -Release:0.1.%{PREVER}%{?dist} +Version:2.0 +Release:0%{?dist} Summary:LDAP back-end plug-in for BIND Group: System Environment/Libraries -- 1.7.11.4 -- Adam Tkac, Red Hat, Inc. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0006] Improves sssd.conf handling during ipa-client uninstall
On 09/20/2012 02:42 PM, Martin Kosek wrote: On 09/18/2012 11:21 AM, Tomas Babej wrote: On 09/12/2012 05:29 PM, Martin Kosek wrote: On 08/29/2012 02:54 PM, Tomas Babej wrote: On 08/27/2012 04:55 PM, Martin Kosek wrote: On 08/27/2012 03:37 PM, Jakub Hrozek wrote: On Mon, Aug 27, 2012 at 02:57:44PM +0200, Martin Kosek wrote: I think that the right behavior of SSSD conf uninstall should be the following: * sssd.conf existed before IPA install + non-IPA domains in sssd.conf found: - move backed conf up sssd.conf.bkp (and inform the user) - use SSSDConfig delete_domain function to remove ipa domain from sssd.conf - restart sssd afterwards I'm confused here, which of the files is the original pre-ipa-client-install file? This is the backed up sssd.conf. I thought that it may be useful for user to still have an access to it after uninstall. How does the non-ipa domain end up in the sssd.conf file? Does it have to be configured manually or does ipa-client-install merge the list of domains on installation? ipa-client-install merge the list of the domains. It overrides the old sssd.conf only when we cannot parse the sssd.conf and --preserve-sssd option was not set. Martin Hi, The sssd.conf file is no longer left behind in case sssd was not configured before the installation. However, the patch goes behind the scope of this ticked and improves the handling of sssd.conf during the ipa-client-install --uninstall in general. The current behaviour (well documented in source code) is as follows: - In general, the IPA domain is simply removed from the sssd.conf file, instead of sssd.conf being rewritten from the backup. This preserves any domains added after installation. - If sssd.conf existed before the installation, it is restored to sssd.conf.bkp. However, any IPA domains from pre-installation sssd.conf should have been merged during the installation. - If sssd.conf did not exist before the installation, and no other domains than IPA domain exist in it, the patch makes sure that sssd.conf is moved to sssd.conf.deleted so user experiences no crash during any next installation due to its existence. https://fedorahosted.org/freeipa/ticket/2740 Tomas Good job, SSSD uninstall process now looks more consistent and better documented. I just found the following (mainly minor) issues. Comments in the patch: diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 2e65921e8de2dfe68443f5b5875954d71dd48ed2..c5cef15e1fb3a3e1d7cfd070f4288d3839accfc8 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -183,6 +183,36 @@ def nssldap_exists(): return (retval, files_found) +# helper function for uninstall +# deletes IPA domain from sssd.conf +def delete_IPA_domain(): Function names should be lowercase - delete_ipa_domain +sssd = ipaservices.service('sssd') +try: +sssdconfig = SSSDConfig.SSSDConfig() +sssdconfig.import_config() +domains = sssdconfig.list_active_domains() + +IPA_domain_name = None Variables should be lowercase - ipa_domain_name + +for name in domains: +domain = sssdconfig.get_domain(name) +try: +provider = domain.get_option('id_provider') +if provider == ipa: +IPA_domain_name = name +break +except SSSDConfig.NoOptionError: +continue + +if IPA_domain_name != None: Do not use != with None, True, False - use is not None. +sssdconfig.delete_domain(IPA_domain_name) +sssdconfig.write() +else: +root_logger.warning(IPA domain could not be found in + +sssd.conf and therefore not deleted) +except IOError: +root_logger.warning(IPA domain could not be deleted. No access to the sssd.conf file.) There should be full path to sssd.conf in this error message. It is very useful sometimes. + def uninstall(options, env): if not fstore.has_files(): @@ -212,7 +242,12 @@ def uninstall(options, env): sssdconfig = SSSDConfig.SSSDConfig() sssdconfig.import_config() domains = sssdconfig.list_active_domains() -if len(domains) 1: +all_domains = sssdconfig.list_domains() + +# we consider all the domains, because handling sssd.conf +# during uninstall is dependant on was_sssd_configured flag +# so the user does not lose info about inactive domains +if len(all_domains) 1: # There was more than IPA domain configured was_sssd_configured = True for name in domains: @@ -349,6 +384,62 @@ def uninstall(options, env): Failed to remove krb5/LDAP configuration: %s, str(e)) return CLIENT_INSTALL_ERROR +# Next if-elif-elif
Re: [Freeipa-devel] [PATCH 0065] Bump version in .spec file to 2.0
On 09/20/2012 04:18 PM, Adam Tkac wrote: On Thu, Sep 20, 2012 at 04:16:41PM +0200, Petr Spacek wrote: Hello, this patch bumps version in .spec file to 2.0. Ack Pushed to master: https://fedorahosted.org/bind-dyndb-ldap/changeset/bd1e312c74921f2572cad0a6ba7db7d25196d758 -- Petr^2 Spacek ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0006] Improves sssd.conf handling during ipa-client uninstall
On Thu, 2012-09-20 at 16:20 +0200, Tomas Babej wrote: On 09/20/2012 02:42 PM, Martin Kosek wrote: On 09/18/2012 11:21 AM, Tomas Babej wrote: On 09/12/2012 05:29 PM, Martin Kosek wrote: On 08/29/2012 02:54 PM, Tomas Babej wrote: On 08/27/2012 04:55 PM, Martin Kosek wrote: On 08/27/2012 03:37 PM, Jakub Hrozek wrote: On Mon, Aug 27, 2012 at 02:57:44PM +0200, Martin Kosek wrote: I think that the right behavior of SSSD conf uninstall should be the following: * sssd.conf existed before IPA install + non-IPA domains in sssd.conf found: - move backed conf up sssd.conf.bkp (and inform the user) - use SSSDConfig delete_domain function to remove ipa domain from sssd.conf - restart sssd afterwards I'm confused here, which of the files is the original pre-ipa-client-install file? This is the backed up sssd.conf. I thought that it may be useful for user to still have an access to it after uninstall. How does the non-ipa domain end up in the sssd.conf file? Does it have to be configured manually or does ipa-client-install merge the list of domains on installation? ipa-client-install merge the list of the domains. It overrides the old sssd.conf only when we cannot parse the sssd.conf and --preserve-sssd option was not set. Martin Hi, The sssd.conf file is no longer left behind in case sssd was not configured before the installation. However, the patch goes behind the scope of this ticked and improves the handling of sssd.conf during the ipa-client-install --uninstall in general. The current behaviour (well documented in source code) is as follows: - In general, the IPA domain is simply removed from the sssd.conf file, instead of sssd.conf being rewritten from the backup. This preserves any domains added after installation. - If sssd.conf existed before the installation, it is restored to sssd.conf.bkp. However, any IPA domains from pre-installation sssd.conf should have been merged during the installation. - If sssd.conf did not exist before the installation, and no other domains than IPA domain exist in it, the patch makes sure that sssd.conf is moved to sssd.conf.deleted so user experiences no crash during any next installation due to its existence. https://fedorahosted.org/freeipa/ticket/2740 Tomas Good job, SSSD uninstall process now looks more consistent and better documented. I just found the following (mainly minor) issues. Comments in the patch: diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 2e65921e8de2dfe68443f5b5875954d71dd48ed2..c5cef15e1fb3a3e1d7cfd070f4288d3839accfc8 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -183,6 +183,36 @@ def nssldap_exists(): return (retval, files_found) +# helper function for uninstall +# deletes IPA domain from sssd.conf +def delete_IPA_domain(): Function names should be lowercase - delete_ipa_domain +sssd = ipaservices.service('sssd') +try: +sssdconfig = SSSDConfig.SSSDConfig() +sssdconfig.import_config() +domains = sssdconfig.list_active_domains() + +IPA_domain_name = None Variables should be lowercase - ipa_domain_name + +for name in domains: +domain = sssdconfig.get_domain(name) +try: +provider = domain.get_option('id_provider') +if provider == ipa: +IPA_domain_name = name +break +except SSSDConfig.NoOptionError: +continue + +if IPA_domain_name != None: Do not use != with None, True, False - use is not None. +sssdconfig.delete_domain(IPA_domain_name) +sssdconfig.write() +else: +root_logger.warning(IPA domain could not be found in + +sssd.conf and therefore not deleted) +except IOError: +root_logger.warning(IPA domain could not be deleted. No access to the sssd.conf file.) There should be full path to sssd.conf in this error message. It is very useful sometimes. + def uninstall(options, env): if not fstore.has_files(): @@ -212,7 +242,12 @@ def uninstall(options, env): sssdconfig = SSSDConfig.SSSDConfig() sssdconfig.import_config() domains = sssdconfig.list_active_domains() -if len(domains) 1: +all_domains = sssdconfig.list_domains() + +# we consider all the domains, because handling sssd.conf +# during uninstall is dependant on was_sssd_configured flag +# so the user does not lose info about inactive domains +if len(all_domains) 1: # There was more
Re: [Freeipa-devel] [PATCH] 1051 Fix CS replica management
Jan Cholasta wrote: Hi, Dne 31.8.2012 19:43, Rob Crittenden napsal(a): The naming in CS replication agreements is different from IPA agreements, we have to live with what the create. The master side should be on the local side, replica1, not the remote. This required reversing a few master variables. Pass in the force flag to del_link. Do a better job of finding the agreements on each side. This should be ipa-csreplica-manage more in line with ipa-replica-manage. rob Rob, can you please rebase the patch on top of current master? There were some dogtag 10 related changes to ipa-csreplica-manage since you posted the patch. Honza I re-tested after the merge and found some problems with my initial approach. The problem stems from the naming convention that dogtag uses when creating the initial agreements. It is hard to predict how things were set up later so rather than trying to reconstruct the DN we search for it and pass it when deleting agreements. rob From fbdf1ef492cf82f036e5b8d50120008c643d5b98 Mon Sep 17 00:00:00 2001 From: Rob Crittenden rcrit...@redhat.com Date: Thu, 30 Aug 2012 16:24:10 -0400 Subject: [PATCH] Fix CS replication management. The master side should be on the local side, replica1, not the remote. This required reversing a few master variables. This impacts the naming of the replication agreements. When deleting an agreement pass in the DN of that agreement rather than trying to calculate what it is on-the-fly. We cannot be sure which side is the master/clone and since we search for it anyway to determine if the agreement exists it is more correct to use what we find. The force flag wasn't being passed into del_link so there was no way to force a deletion. https://fedorahosted.org/freeipa/ticket/2858 --- install/tools/ipa-csreplica-manage | 52 +++--- ipaserver/install/replication.py | 22 2 files changed, 54 insertions(+), 20 deletions(-) diff --git a/install/tools/ipa-csreplica-manage b/install/tools/ipa-csreplica-manage index 39cfa58511ae552cae64798c7559303fda27866a..0336089ae53bc705a2c6e216ccd91cbeac8d25ba 100755 --- a/install/tools/ipa-csreplica-manage +++ b/install/tools/ipa-csreplica-manage @@ -176,7 +176,7 @@ def list_replicas(realm, host, replica, dirman_passwd, verbose): peers[ent.getValue('cn')] = ['CA not configured', ''] except Exception, e: -sys.exit(Failed to get data from '%s': %s % (host, convert_error(e))) +sys.exit(Failed to get data from '%s' while trying to list replicas: %s % (host, convert_error(e))) finally: conn.unbind_s() @@ -205,18 +205,25 @@ def del_link(realm, replica1, replica2, dirman_passwd, force=False): repl1 = CSReplicationManager(realm, replica1, dirman_passwd, PORT, True) repl1.hostnames = [replica1, replica2] -type1 = repl1.get_agreement_type(replica2) -repl_list = repl1.find_ipa_replication_agreements() +repl_list = repl1.find_replication_agreements() if not force and len(repl_list) = 1: print Cannot remove the last replication link of '%s' % replica1 print Please use the 'del' command to remove it from the domain sys.exit(1) -except ldap.NO_SUCH_OBJECT: -sys.exit('%s' has no replication agreement for '%s' % (replica1, replica2)) -except errors.NotFound: -sys.exit('%s' has no replication agreement for '%s' % (replica1, replica2)) +# Find the DN of the replication agreement to remove +replica1_dn = None +for e in repl_list: +if e.getValue('nsDS5ReplicaHost') == replica2: +replica1_dn = e.dn +break + +if replica1_dn is None: +sys.exit('%s' has no replication agreement for '%s' % (replica1, replica2)) + +repl1.hostnames = [replica1, replica2] + except ldap.SERVER_DOWN, e: sys.exit(Unable to connect to %s: %s % (ipautil.format_netloc(replica1, PORT), convert_error(e))) except Exception, e: @@ -226,12 +233,23 @@ def del_link(realm, replica1, replica2, dirman_passwd, force=False): repl2 = CSReplicationManager(realm, replica2, dirman_passwd, PORT, True) repl2.hostnames = [replica1, replica2] -repl_list = repl1.find_ipa_replication_agreements() +repl_list = repl2.find_replication_agreements() if not force and len(repl_list) = 1: print Cannot remove the last replication link of '%s' % replica2 print Please use the 'del' command to remove it from the domain sys.exit(1) +# Find the DN of the replication agreement to remove +replica2_dn = None +for e in repl_list: +if e.getValue('nsDS5ReplicaHost') == replica1: +replica2_dn = e.dn +break + +# This should never happen +if replica2_dn is None: +sys.exit('%s' has no
Re: [Freeipa-devel] [PATCH] Set master_kdc and dns_lookup_kdc to true
Sumit Bose wrote: On Sat, Sep 15, 2012 at 06:14:56PM -0400, Simo Sorce wrote: On Sat, 2012-09-15 at 22:02 +0200, Sumit Bose wrote: On Fri, Sep 14, 2012 at 05:57:23PM -0400, Rob Crittenden wrote: Sumit Bose wrote: Hi, those two patches should fix https://fedorahosted.org/freeipa/ticket/2515 . The first makes the needed change for fresh installations. The second adds the changes during ipa-adtrust-install if needed. I prefer to do the changes here instead of during updates, because during updates it is not easy to see that the Kerberos configuration was changes. I guess it is good form to update the RHEL 4 client installer but will anyone test it? I think it would be confusion if the RHEL4 client installer has different information than the default one. Is master_kdc supported in the MIT kfw version (krb5.ini)? For me it looks that the parse is build from the same sources. This suffers from the problem Simo envisioned with ticket 931. If the /etc/hosts entry is removed then DNS will not start. We add an entry during installation, so this may be less of an issue. If the /etc/hosts entry is removed DNS will not start in either case. I think the solution to #931 is setting the master_kdc option. You can easily reproduce startup problems if you set 'dns_lookup_kdc = true', stop sssd and try to restart named. This will run into a timeout and bind will not start. The reason is that besides a KDC the Kerberos client libraries also try to look up the master KDC (but it seems to be ok if the lookup finally fails). If sssd is running the locator plugin will return the current KDC as master. If it is not running, as in the test described above, /etc/krb5.conf is used next. If it does not have a master_kdc entry and 'dns_lookup_kdc = false' there is no other source for the master KDC and the client libraries continue with normal processing. If master_kdc is not set but 'dns_lookup_kdc = true' then a DNS lookup is tried, which will run into a timeout since the DNS server is not started yet. But if master_kdc is set in krb5.conf the client libraries will just use this value and will not try any DNS lookup, independently of the setting of dns_lookup_kdc. As a side note. Since we run named as user named I wonder if it would be possible to use SASL EXTERNAL auth instead of GSSAPI to bind to the LDAP server. If this would work safe and secure there would be no dependencies to the KDC during the startup of bind? The reason why we use gssapi is so that all operations performed by bind happen as the DNS/fqdn user, and we can use ACIs targeted at the bind process. In order to use SASL EXTERNAL we would need the bind process to change euid to an unprivileged user that we then need to map to some specific user. As said above named is already run as the unprivileged user named. In general krb5kdc should always start before named, and should not depend on DNS resolution. If krb5kdc is started first bind should have no issues. The only proble is if gssapi libraries try to use DNS resolution, but we should have that solved by using the krb locator plugin. yes, and even if the locator plugin isn't available setting master_kdc will make sure we never fall back to DNS for the local realm. Just to make sure, I do not want to say that the authentication type used by named must be changes to solve potential issues. Setting master_kdc will solve them. Ok, I'm satisfied. ACK, pushed both to master and ipa-3-0. rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 1055 update audit cert renewal time
Rob Crittenden wrote: The CA audit certificate is initially valid for two years but its profile has it renewing at six months. This bumps the value up to two years to match the other certificates. This relies on Petr's and Ade's dogtag 10 patches. Updated patch. The value of policyset.caLogSigningSet.2.constraint.params.range needs to be bumped to 720 as well. rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 1055 update audit cert renewal time
On 09/20/2012 02:58 PM, Rob Crittenden wrote: Updated patch. The value of policyset.caLogSigningSet.2.constraint.params.range needs to be bumped to 720 as well. I keep doing my test and let everyone know the test result. Yi -- ~ | Yi Zhang | | QA @ Mountain View, California| | Cell: 408-509-6375| ~ attachment: yzhang.vcf___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel