Re: [Freeipa-devel] OTP Design
On 30.1.2013 05:35, Dmitri Pal wrote:
> Hello,
>
> We started to shape a page for the OTP prototyping work we are doing. It is work in progress but it has enough information to share and discuss.
>
> http://freeipa.org/page/V3/OTP
>
> Comments welcome!

I gave it a quick look. Generally, the core seems correct to me. I have only nitpicks:

I see a big amount of new ipa*-specific attributes. How do other OTP solutions store tokens/configuration? Is there any standard/semi-standard LDAP schema with attributes describing tokens?

MIT KDC has its own (native) LDAP driver. It would be nice to coordinate OID allocation and schema definition with MIT and share as many attributes as possible. Do they plan to support OTP configuration in LDAP? (I don't see any note about LDAP support in http://k5wiki.kerberos.org/wiki/Projects/OTPOverRADIUS .)

Is the author of https://fedoraproject.org/wiki/Features/EnterpriseTwoFactorAuthentication aware of our effort?

What about re-using the http://www.dynalogin.org/ server for the TOTP/HOTP implementation (rather than writing our own OTP-in-389 implementation)? I haven't looked at the dynalogin code ...

Could the (old) draft "SASL and GSS-API Mechanism for Two Factor Authentication based on a Password and a One-Time Password (OTP): CROTP" from http://tools.ietf.org/html/draft-josefsson-kitten-crotp-00 be interesting for us (in future)? Is it worth resurrecting this effort?

-- 
Petr^2 Spacek

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES] 146-164 LDAP code refactoring (Part 4)
On 01/30/2013 10:53 AM, Petr Viktorin wrote: On 01/29/2013 04:39 PM, Petr Viktorin wrote: On 01/28/2013 04:09 PM, Petr Viktorin wrote: On 01/28/2013 09:34 AM, Jan Cholasta wrote: On 25.1.2013 14:54, Petr Viktorin wrote: On 01/24/2013 03:06 PM, Petr Viktorin wrote: On 01/24/2013 10:43 AM, Petr Viktorin wrote: On 01/22/2013 04:04 PM, Petr Viktorin wrote: On 01/21/2013 06:38 PM, Petr Viktorin wrote: On 01/17/2013 06:27 PM, Petr Viktorin wrote: Hello, This is the first batch of changes aimed to consolidate our LDAP code. Each should be a self-contained change that doesn't break anything. [...] Since this patchset is becoming unwieldy, I've put it in a public repo that I'll keep updated. The following command will fetch it into your pviktori-ldap-refactor branch: git fetch git://github.com/encukou/freeipa ldap-refactor:pviktori-ldap-refactor [...] I found a bug in patch 143, here is a fixed version. -- Petr³ From 383f19456dd695a2132e0cf0dab244237b964ec3 Mon Sep 17 00:00:00 2001 From: Petr Viktorin pvikt...@redhat.com Date: Wed, 23 Jan 2013 06:38:32 -0500 Subject: [PATCH] Change {add,update,delete}_entry to take LDAPEntries These methods currently take (dn, entry_attrs, normalize=True) (or (dn, normalize=True) for delete). Change them to also accept just an LDAPEntry, and document the legacy calling style as such. Part of the work for: https://fedorahosted.org/freeipa/ticket/2660 --- ipaserver/ipaldap.py | 83 +- 1 files changed, 55 insertions(+), 28 deletions(-) diff --git a/ipaserver/ipaldap.py b/ipaserver/ipaldap.py index 27016e92f9435461aedee98ecb82482913d0e435..6d92a11b590ef05454f99acc81766951cf38e347 100644 --- a/ipaserver/ipaldap.py +++ b/ipaserver/ipaldap.py 
@@ -1354,21 +1354,40 @@ class LDAPConnection(object): self.log.debug(get_members: result=%s, entries) return entries -def add_entry(self, dn, entry_attrs, normalize=True): -Create a new entry. - -assert isinstance(dn, DN) - -if normalize: -dn = self.normalize_dn(dn) -# remove all None or [] values, python-ldap hates'em -entry_attrs = dict( -# FIXME, shouldn't these values be an error? -(k, v) for (k, v) in entry_attrs.iteritems() -if v is not None and v != [] -) +def _get_dn_and_attrs(self, entry_or_dn, entry_attrs, normalize): +Helper for legacy calling style for {add,update}_entry + +if entry_attrs is None: +assert normalize is None +return entry_or_dn.dn, entry_or_dn +else: +assert isinstance(entry_or_dn, DN) +if normalize is None or normalize: +entry_or_dn = self.normalize_dn(entry_or_dn) +entry_attrs = dict(entry_attrs) +for key, value in entry_attrs.items(): +if value is None: +entry_attrs[key] = [] +return entry_or_dn, entry_attrs + +def add_entry(self, entry, entry_attrs=None, normalize=None): +Create a new entry. + +This should be called as add_entry(entry). + +The legacy two/three-argument variant is: +add_entry(dn, entry_attrs, normalize=True) + +dn, attrs = self._get_dn_and_attrs(entry, entry_attrs, normalize) + +# remove all [] values (python-ldap hates 'em) +attrs = dict((k, v) for k, v in attrs.iteritems() +# FIXME: Once entry values are always lists, this condition can +# be just if v: +if v is not None and v != []) + try: -self.conn.add_s(dn, list(entry_attrs.iteritems())) +self.conn.add_s(dn, list(attrs.iteritems())) except _ldap.LDAPError, e: self.handle_errors(e) 
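Review bot: the `assert normalize is None` in the `entry_attrs is None` branch of `_get_dn_and_attrs` turns a plausible caller mistake, `add_entry(entry, normalize=True)`, into a message-less AssertionError, and asserts disappear under `python -O`; raise `TypeError` with a message naming the two supported call styles instead, and do the same for the `assert isinstance(entry_or_dn, DN)` in the legacy branch. Also, the legacy branch rewrites `None` values to `[]` and `add_entry` then filters `[]` values out again with `if v is not None and v != []`, so the two passes could be folded into one; at minimum the FIXME about reducing the condition to `if v:` should say which of the two paths it refers to.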
@@ -1455,34 +1474,42 @@ class LDAPConnection(object): return modlist -def update_entry(self, dn, entry_attrs, normalize=True): - -Update entry's attributes. +def update_entry(self, entry, entry_attrs=None, normalize=None): +Update entry's attributes. -An attribute value set to None deletes all current values. - +This should be called as update_entry(entry). -assert isinstance(dn, DN) -if normalize: -dn = self.normalize_dn(dn) +The legacy two/three-argument variant is: +update_entry(dn, entry_attrs, normalize=True) + +dn, attrs = self._get_dn_and_attrs(entry, entry_attrs, normalize) # generate modlist -modlist = self._generate_modlist(dn, entry_attrs, normalize) +modlist = self._generate_modlist(dn, attrs, normalize) if not modlist: raise errors.EmptyModlist() # pass arguments to python-ldap try: self.conn.modify_s(dn, modlist) except _ldap.LDAPError, e: self.handle_errors(e) -def delete_entry(self,
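Review bot: `update_entry` now defaults `normalize` to `None` and passes it unchanged to `self._generate_modlist(dn, attrs, normalize)`, whereas the removed signature defaulted it to `True`; unless `_generate_modlist` treats `None` as "normalize", DN normalization inside modlist generation silently switches off for every `update_entry(entry)` call. Pass `normalize is None or normalize` (the same expression `_get_dn_and_attrs` uses) or have `_get_dn_and_attrs` return the resolved flag. The docstring also loses the sentence "An attribute value set to None deletes all current values.", which the legacy path still implements via the `None` to `[]` rewrite; keep that sentence.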
Re: [Freeipa-devel] [PATCHES] 94-96 Remove Entry and Entity classes
On 22.1.2013 15:32, Jan Cholasta wrote: Hi, these patches remove the Entry and Entity classes and move instantiation of LDAPEntry objects to LDAPConnection.make_entry factory method. Apply on top of Petr Viktorin's LDAP code refactoring (part 1 2) patches. Honza Slightly changed patch 95 and rebased all the patches on top of current master and LDAP code refactoring part 1 2. Honza -- Jan Cholasta From 47cbd2281d20a28715d11209b274cee8f5f0c495 Mon Sep 17 00:00:00 2001 From: Jan Cholasta jchol...@redhat.com Date: Tue, 22 Jan 2013 09:28:25 +0100 Subject: [PATCH 1/3] Add make_entry factory method to LDAPConnection. Replace all occurences of Entry instantiation with calls to make_entry. --- ipaserver/install/adtrustinstance.py | 17 - ipaserver/install/cainstance.py | 2 +- ipaserver/install/dsinstance.py | 2 +- ipaserver/install/krbinstance.py | 7 +++ ipaserver/install/ldapupdate.py | 4 ++-- ipaserver/install/replication.py | 18 +- ipaserver/install/service.py | 4 ++-- ipaserver/ipaldap.py | 7 +++ 8 files changed, 33 insertions(+), 28 deletions(-) diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py index 16f2136..91e40c8 100644 --- a/ipaserver/install/adtrustinstance.py +++ b/ipaserver/install/adtrustinstance.py @@ -22,7 +22,6 @@ import errno import ldap import tempfile import uuid -from ipaserver import ipaldap from ipaserver.install import installutils from ipaserver.install import service from ipaserver.install.dsinstance import realm_to_serverid @@ -327,7 +326,7 @@ class ADTRUSTInstance(service.Service): try: self.admin_conn.getEntry(new_dn, ldap.SCOPE_BASE) except errors.NotFound: -entry = ipaldap.Entry(new_dn) +entry = self.admin_conn.make_entry(new_dn) entry.setValues(objectclass, [nsContainer]) try: name = new_dn[1].attr 
@@ -338,7 +337,7 @@ class ADTRUSTInstance(service.Service): entry.setValues(cn, name) self.admin_conn.addEntry(entry) -entry = ipaldap.Entry(self.smb_dom_dn) +entry = self.admin_conn.make_entry(self.smb_dom_dn) entry.setValues(objectclass, [self.OBJC_DOMAIN, nsContainer]) entry.setValues(cn, self.domain_name) entry.setValues(self.ATTR_FLAT_NAME, self.netbios_name) @@ -415,7 +414,7 @@ class ADTRUSTInstance(service.Service): ('cn', 'etc'), self.suffix) try: targets = self.admin_conn.getEntry(targets_dn, ldap.SCOPE_BASE) -current = ipaldap.Entry((targets_dn, targets.toDict())) +current = self.admin_conn.make_entry(targets_dn, targets.toDict()) members = current.getValues('memberPrincipal') or [] if not(self.cifs_principal in members): current.setValues(memberPrincipal, members + [self.cifs_principal]) @@ -447,13 +446,13 @@ class ADTRUSTInstance(service.Service): # the principal's proper dn as defined in self.cifs_agent try: entry = self.admin_conn.getEntry(self.smb_dn, ldap.SCOPE_BASE) -current = ipaldap.Entry((self.smb_dn, entry.toDict())) +current = self.admin_conn.make_entry(self.smb_dn, entry.toDict()) members = current.getValues('member') or [] if not(self.cifs_agent in members): current.setValues(member, members + [self.cifs_agent]) self.admin_conn.updateEntry(self.smb_dn, entry.toDict(), current.toDict()) except errors.NotFound: -entry = ipaldap.Entry(self.smb_dn) +entry = self.admin_conn.make_entry(self.smb_dn) entry.setValues(objectclass, [top, GroupOfNames]) entry.setValues(cn, self.smb_dn['cn']) entry.setValues(member, [self.cifs_agent]) 
@@ -735,9 +734,9 @@ class ADTRUSTInstance(service.Service): range.\nAdd local ID range manually and try \ again!) -entry = ipaldap.Entry(DN(('cn', ('%s_id_range' % self.realm)), - api.env.container_ranges, - self.suffix)) +entry = self.admin_conn.make_entry(DN(('cn', ('%s_id_range' % self.realm)), + api.env.container_ranges, + self.suffix)) entry.setValue('objectclass', 'ipaDomainIDRange') entry.setValue('cn', ('%s_id_range' % self.realm)) entry.setValue('ipaBaseID', str(base_id)) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index d29f674..e3122cf 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -395,7
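Review bot: the first adtrustinstance.py hunk (`@@ -22,7`) drops `from ipaserver import ipaldap` entirely, while the later hunks in this file only replace `ipaldap.Entry(...)` constructions; this is only safe if the module has no other `ipaldap.` reference, otherwise a NameError surfaces at runtime only when that code path is hit. Please confirm with pyflakes or a grep before pushing.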
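Review bot: in the `@@ -415,7` hunk, `ipaldap.Entry((targets_dn, targets.toDict()))` took a single `(dn, attrs)` tuple, whereas the replacement `self.admin_conn.make_entry(targets_dn, targets.toDict())` passes two positional arguments, and the `@@ -327,7` and `@@ -735,9` hunks call `make_entry` with just a DN. The ipaldap.py hunk defining `make_entry` is not in the visible part of the patch (the diffstat shows 7 changed lines there), so please make sure its signature accepts both `make_entry(dn)` and `make_entry(dn, attrs)` and state that in its docstring.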
[Freeipa-devel] [PATCH 0028] Prevent backtrace in ipa-replica-prepare
Hi,

This was a regression due to the change from DatabaseError to NetworkError when the LDAP server is down.

https://fedorahosted.org/freeipa/ticket/2939

Tomas
Re: [Freeipa-devel] [PATCH 0028] Prevent backtrace in ipa-replica-prepare
On 01/31/2013 12:03 PM, Tomas Babej wrote: Hi, This was a regression due to change from DatabaseError to NetworkError when LDAP server is down. https://fedorahosted.org/freeipa/ticket/2939 Tomas ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel Clicking send too soon, patch attached :) Tomas From 33bb4b90da4ba47624293738811d14393bfbe55c Mon Sep 17 00:00:00 2001 From: Tomas Babej tba...@redhat.com Date: Thu, 31 Jan 2013 05:56:15 -0500 Subject: [PATCH] Prevent backtrace in ipa-replica-prepare This was a regression due to change from DatabaseError to NetworkError when LDAP server is down. https://fedorahosted.org/freeipa/ticket/2939 --- install/tools/ipa-replica-prepare | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/install/tools/ipa-replica-prepare b/install/tools/ipa-replica-prepare index 274e8456af65fad31af4331ba0648aef088ec33a..80094ae8443c0888538e7ee5e58b41e19c9adcbe 100755 --- a/install/tools/ipa-replica-prepare +++ b/install/tools/ipa-replica-prepare @@ -278,8 +278,8 @@ def main(): sys.exit(\nThe password provided is incorrect for LDAP server %s % api.env.host) except errors.LDAPError: sys.exit(\nUnable to connect to LDAP server %s % api.env.host) -except errors.DatabaseError, e: -sys.exit(\n+e.desc) +except errors.NetworkError, e: +sys.exit(\n+e.error) try: installutils.verify_fqdn(replica_fqdn, local_hostname=False) -- 1.8.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
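Review bot: the hunk replaces the `except errors.DatabaseError` clause rather than adding a `NetworkError` clause beside it, so any `DatabaseError` still raised inside this `try` block will again produce the backtrace the patch is meant to prevent. Keep both, e.g. `except (errors.DatabaseError, errors.NetworkError), e:`, or state in the commit message why `DatabaseError` can no longer be raised here. The message attribute also changes from `e.desc` to `e.error`; a short comment on why the two exception classes expose different fields would help the next reader.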
[Freeipa-devel] [PATCH] 360 Add autodiscovery section in ipa-client-install man pages
Explain how autodiscovery and failover works and which options are important for these elements. https://fedorahosted.org/freeipa/ticket/3383 From ac0502ca82e5f15dbc3161257b91362c2552 Mon Sep 17 00:00:00 2001 From: Martin Kosek mko...@redhat.com Date: Thu, 31 Jan 2013 13:16:29 +0100 Subject: [PATCH] Add autodiscovery section in ipa-client-install man pages Explain how autodiscovery and failover works and which options are important for these elements. https://fedorahosted.org/freeipa/ticket/3383 --- ipa-client/man/ipa-client-install.1 | 29 +++-- 1 file changed, 23 insertions(+), 6 deletions(-) diff --git a/ipa-client/man/ipa-client-install.1 b/ipa-client/man/ipa-client-install.1 index 35aea4e4a2a328ebd3a0b300bf8b31f0b3dd9381..a99d4f905982399bb4aa99d968f931df9bc96482 100644 --- a/ipa-client/man/ipa-client-install.1 +++ b/ipa-client/man/ipa-client-install.1 @@ -16,7 +16,7 @@ .\ .\ Author: Rob Crittenden rcrit...@redhat.com .\ -.TH ipa-client-install 1 Sep 5 2011 FreeIPA FreeIPA Manual Pages +.TH ipa-client-install 1 Jan 31 2013 FreeIPA FreeIPA Manual Pages .SH NAME ipa\-client\-install \- Configure an IPA client .SH SYNOPSIS 
@@ -30,25 +30,37 @@ An authorized user is required to join a client machine to IPA. This can take th This same tool is used to unconfigure IPA and attempts to return the machine to its previous state. Part of this process is to unenroll the host from the IPA server. Unenrollment consists of disabling the prinicipal key on the IPA server so that it may be re\-enrolled. The machine principal in /etc/krb5.keytab (host/fqdn@REALM) is used to authenticate to the IPA server to unenroll itself. If this principal does not exist then unenrollment will fail and an administrator will need to disable the host principal (ipa host\-disable fqdn). -.SS HOSTNAME REQUIREMENTS +.SS Hostname Requirements Client must use a \fBstatic hostname\fR. If the machine hostname changes for example due to a dynamic hostname assignment by a DHCP server, client enrollment to IPA server breaks and user then would not be able to perform Kerberos authentication. \-\-hostname option may be used to specify a static hostname that persists over reboot. +.SS DNS Autodiscovery +Client installer by default tries to search for _ldap._tcp.DOMAIN DNS SRV records for all domains that are parent to its hostname. For example, if a client machine has a hostname 'client1.lab.example.com', the installer will try to retrieve an IPA server hostname from _ldap._tcp.lab.example.com, _ldap._tcp.example.com and _ldap._tcp.com DNS SRV records, respectively. The discovered domain is then used to configure client components (e.g. SSSD and Kerberos 5 configuration) on the machine. + +When the client machine hostname is not in a subdomain of an IPA server, its domain can be passed with \-\-domain option. In that case, both SSSD and Kerberos components have the domain set in the configuration files and will use it to autodiscover IPA servers. + +Client machine can also be configured without a DNS autodiscovery at all. 
When both \-\-server and \-\-domain options are used, client installer will use the specified server and domain directly. \-\-server option accepts multiple server hostnames which can be used for failover mechanism. Without DNS autodiscovery, Kerberos is configured with a fixed list of KDC and Admin servers. SSSD is still configured to either try to read domain's SRV records or the specified fixed list of servers. When \-\-fixed\-primary option is specified, SSSD will not try to read DNS SRV record at all (see sssd\-ipa(5) for details). + +.SS The Failover Mechanism +When some of the IPA servers is not available, client components are able to fallback to other IPA replica and thus preserving a continued service. When client machine is configured to use DNS SRV record autodiscovery (no fixed server was passed to the installer), client components do the fallback automatically, based on the IPA server hostnames and priorities discovered from the DNS SRV records. + +If DNS autodiscovery is not available, clients should be configured at least with a fixed list of IPA servers that can be used in case of a failure. When only one IPA server is configured, IPA client services will not be available in case of a failure of the IPA server. Please note, that in case of a fixed list of IPA servers, the fixed server lists in client components need to be updated when a new IPA server is enrolled or a current IPA server is decommissioned. + .SH OPTIONS .SS BASIC OPTIONS .TP \fB\-\-domain\fR=\fIDOMAIN\fR -Set the domain name to DOMAIN +Set the domain name to DOMAIN. When no \-\-server option is specified, the installer will try to discover all available servers via DNS SRV record autodiscovery (see DNS Autodiscovery section for details). .TP \fB\-\-server\fR=\fISERVER\fR -Set the IPA server to connect to. May be specified multiple times to add multiple servers to ipa_server value in sssd.conf.
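Review bot: a few grammar fixes in the new man-page paragraphs before this is pushed: "When some of the IPA servers is not available" should read "When one of the IPA servers is not available", "thus preserving a continued service" should read "thus preserving service", "Client machine can also be configured without a DNS autodiscovery at all" should read "The client machine can also be configured without DNS autodiscovery", and "Please note, that in case of" should read "Please note that in case of". The DNS Autodiscovery paragraph should also say explicitly whether the walk up the domain hierarchy stops at the first domain that yields `_ldap._tcp` SRV records or whether all candidates are queried, since the example lists `_ldap._tcp.com` as a candidate and a reader will want to know which lookups actually leave the machine.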
Re: [Freeipa-devel] [PATCH 0028] Prevent backtrace in ipa-replica-prepare
On 01/31/2013 12:05 PM, Tomas Babej wrote:
> On 01/31/2013 12:03 PM, Tomas Babej wrote:
>> Hi,
>>
>> This was a regression due to the change from DatabaseError to NetworkError when the LDAP server is down.
>>
>> https://fedorahosted.org/freeipa/ticket/2939
>>
>> Tomas
>
> Clicking send too soon, patch attached :)
>
> Tomas

I don't think that removing errors.DatabaseError is necessary.

By the way, would this error (and many similar errors) be solved by the server tool refactoring that Petr Viktorin is working on? IIRC, he was about to wrap ipa-replica-prepare in a framework similar to ipa-ldap-updater. With a framework like this one, we would not have to specify separate try..catch lists in all our server manipulation tools.

Martin
[Freeipa-devel] [PATCH 0029] Fix a typo in ipa-adtrust-install help
Hi, this is a fix for a benign typo in ipa-adtrust-install --help description. Tomas From 785cd2df77874c524a36eab24257cdaff14a374b Mon Sep 17 00:00:00 2001 From: Tomas Babej tba...@redhat.com Date: Thu, 31 Jan 2013 07:58:48 -0500 Subject: [PATCH] Fix a typo in ipa-adtrust-install help Add SIDs for existing users andgroups as the final step changed to Add SIDs for existing users and groups as the final step. --- install/tools/ipa-adtrust-install | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install index 83c6b8f4f843e6e389a28b9b4527f89a5e7a118d..17f2f0e98d08863c9e48595d219bffb148490921 100755 --- a/install/tools/ipa-adtrust-install +++ b/install/tools/ipa-adtrust-install @@ -63,7 +63,7 @@ def parse_options(): help=admin user principal) parser.add_option(--add-sids, dest=add_sids, action=store_true, default=False, help=Add SIDs for existing users and \ - groups as the final step) + groups as the final step) options, args = parser.parse_args() safe_options = parser.get_safe_opts(options) -- 1.8.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
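Review bot: the fix itself is right, but the root cause is the backslash-continued string literal `help=Add SIDs for existing users and \`; a missing space at a line continuation is invisible in review. Splitting the help text into adjacent literals inside the `parser.add_option(...)` parentheses (implicit concatenation, one fragment per line, each ending with its own space) removes the backslash and makes the whitespace an explicit part of each fragment.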
Re: [Freeipa-devel] [PATCH 0029] Fix a typo in ipa-adtrust-install help
On 01/31/2013 02:07 PM, Tomas Babej wrote:
> Hi,
>
> this is a fix for a benign typo in ipa-adtrust-install --help description.
>
> Tomas

ACK. Pushed to master, ipa-3-1.

Martin
Re: [Freeipa-devel] [PATCH 0029] Fix a typo in ipa-adtrust-install help
On Thu, Jan 31, 2013 at 02:07:22PM +0100, Tomas Babej wrote:
> Hi,
>
> this is a fix for a benign typo in ipa-adtrust-install --help description.
>
> Tomas

Thanks for catching this. Usually I prefer to add the space at the end of the truncated line instead of at the beginning of the new line. Do we/the python community have a common rule about this?

bye,
Sumit
Re: [Freeipa-devel] [PATCH 0027] Add checks for SELinux in install scripts
On 01/30/2013 05:58 PM, Tomas Babej wrote:
> On 01/30/2013 05:12 PM, Tomas Babej wrote:
>> Hi,
>>
>> The checks make sure that SELinux is:
>> - installed and enabled (on server install)
>> - installed and enabled OR not installed (on client install)
>>
>> Please note that client installs with SELinux not installed are allowed since the freeipa-client package has no dependency on SELinux. (any objections to this approach?)
>>
>> The (unsupported) option --allow-no-selinux has been added. It can be used to bypass the checks.
>>
>> Parts of platform-dependent code were refactored to use the newly added is_selinux_enabled() function.
>>
>> https://fedorahosted.org/freeipa/ticket/3359
>>
>> Tomas
>
> I forgot to edit the man pages. Thanks Rob!
>
> Updated patch attached.
>
> Tomas

Just for the record, since this is an RFE, I updated the 3.2 minor enhancements page:

http://www.freeipa.org/page/V3_Minor_Enhancements

Tomas
Re: [Freeipa-devel] [PATCH 0028] Prevent backtrace in ipa-replica-prepare
On 01/31/2013 01:35 PM, Martin Kosek wrote:
> On 01/31/2013 12:05 PM, Tomas Babej wrote:
>> On 01/31/2013 12:03 PM, Tomas Babej wrote:
>>> Hi,
>>>
>>> This was a regression due to the change from DatabaseError to NetworkError when the LDAP server is down.
>>>
>>> https://fedorahosted.org/freeipa/ticket/2939
>
> I don't think that removing errors.DatabaseError is necessary.
>
> By the way, would this error (and many similar errors) be solved by the server tool refactoring that Petr Viktorin is working on? IIRC, he was about to wrap ipa-replica-prepare in a framework similar to ipa-ldap-updater. With a framework like this one, we would not have to specify separate try..catch lists in all our server manipulation tools.

That patch is on the list. And yes, the framework tries to handle errors sanely, so this `sys.exit(\n+e.error)` nonsense is not necessary there.

-- 
Petr³
Re: [Freeipa-devel] [PATCH 0029] Fix a typo in ipa-adtrust-install help
On 01/31/2013 02:15 PM, Sumit Bose wrote:
> On Thu, Jan 31, 2013 at 02:07:22PM +0100, Tomas Babej wrote:
>> Hi,
>>
>> this is a fix for a benign typo in ipa-adtrust-install --help description.
>>
>> Tomas
>
> thanks for catching this. Usually I prefer to add the space at the end of the truncated line instead of at the beginning of the new line. Do we/the python community have a common rule about this?
>
> bye,
> Sumit

Personally, I always put the space at the end (and I have reformatted quite a few such lines in IPA). I'm not aware of a documented consensus though.

-- 
Petr³
Re: [Freeipa-devel] [PATCH] 360 Add autodiscovery section in ipa-client-install man pages
On 31.1.2013 13:18, Martin Kosek wrote:
> Explain how autodiscovery and failover work and which options are important for these elements.
>
> https://fedorahosted.org/freeipa/ticket/3383

Could you add a note about how the ipa-client installer will be confused by AD? One paragraph with some explanation could help.

-- 
Petr^2 Spacek
[Freeipa-devel] [PATCH] 361 ipa-adtrust-install should ask for SID generation
When ipa-adtrust-install is run, check if there are any objects that need to have SID generated. If yes, interactively ask the user if the sidgen task should be run. https://fedorahosted.org/freeipa/ticket/3195 From bd6512628d83d1f4bdfc9f414689c8a67bd01c7c Mon Sep 17 00:00:00 2001 From: Martin Kosek mko...@redhat.com Date: Thu, 31 Jan 2013 15:08:08 +0100 Subject: [PATCH] ipa-adtrust-install should ask for SID generation When ipa-adtrust-install is run, check if there are any objects that need have SID generated. If yes, interactively ask the user if the sidgen task should be run. https://fedorahosted.org/freeipa/ticket/3195 --- install/tools/ipa-adtrust-install | 42 +-- 1 file changed, 36 insertions(+), 6 deletions(-) diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install index 17f2f0e98d08863c9e48595d219bffb148490921..e127fd63e9a43b2630325d1fc3aa645f2ef8951a 100755 --- a/install/tools/ipa-adtrust-install +++ b/install/tools/ipa-adtrust-install @@ -275,12 +275,6 @@ def main(): ip_address = str(ip) root_logger.debug(will use ip_address: %s\n, ip_address) -if not options.unattended: -print -print The following operations may take some minutes to complete. -print Please wait until the prompt is returned. -print - admin_password = options.admin_password if not (options.unattended or admin_password): admin_password = read_admin_password(options.admin_name) 
@@ -320,6 +314,42 @@ def main(): set_and_check_netbios_name(options.netbios_name, options.unattended) +if not options.unattended and not options.add_sids: +# The filter corresponds to ipa_sidgen_task.c LDAP search filter +filter = '((objectclass=ipaobject)(!(objectclass=mepmanagedentry))' \ + '(|(objectclass=posixaccount)(objectclass=posixgroup)' \ + '(objectclass=ipaidobject))(!(ipantsecurityidentifier=*)))' +try: +(entries, truncated) = api.Backend.ldap2.find_entries(filter=filter, +base_dn=api.env.basedn, attrs_list=['']) +except errors.NotFound: +# All objects have SIDs assigned +pass +except (errors.DatabaseError, errors.NetworkError), e: +print Could not retrieve a list of entries that needs a SID generation: +print %s % e +else: +object_count = len(entries) +if object_count 0: +print +print %d existing users or groups do not have a SID identifier assigned. \ +% len(entries) +print Installer can run a task to have ipa-sidgen Directory Server plugin generate +print the SID identifier for all these users. Please note, the in case of a high +print number of users and groups, the operation might lead to high replication +print traffic and performance degradation. Refer to ipa-adtrust-install(1) man page +print for details. +print +if ipautil.user_input(Do you want to run the ipa-sidgen task?, default=False, +allow_empty=False): +options.add_sids = True + +if not options.unattended: +print +print The following operations may take some minutes to complete. +print Please wait until the prompt is returned. +print + smb = adtrustinstance.ADTRUSTInstance(fstore) smb.realm = api.env.realm smb.autobind = service.ENABLED -- 1.7.11.7 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
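Review bot: `find_entries` returns `(entries, truncated)` but `truncated` is discarded, so when the search hits the size limit the prompt reports a too-small count in "%d existing users or groups do not have a SID identifier assigned"; either pass `size_limit=-1` the way other callers in the tree do, or print "at least %d" when `truncated` is set. Smaller points in the same hunk: `object_count` is computed but the message still uses `len(entries)`; `filter` shadows the builtin; and the user-facing text has a typo, "Please note, the in case of a high number" should read "Please note that in case of a high number".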
[Freeipa-devel] [PATCHES] 98-101 Preserve case of LDAP attribute names
Hi, these patches implement attribute name case preservation in LDAPEntry. Apply on top of Petr Viktorin's LDAP code refactoring patchset (up to part 5). Honza -- Jan Cholasta From 8778f668591e28d78741df55dc2bca98917073e5 Mon Sep 17 00:00:00 2001 From: Jan Cholasta jchol...@redhat.com Date: Thu, 31 Jan 2013 11:19:13 +0100 Subject: [PATCH 1/4] Use the dn attribute of LDAPEntry to set/get DNs of entries. Convert all code that uses the 'dn' key of LDAPEntry for this to use the dn attribute instead. --- install/tools/ipa-compliance | 10 +++ install/tools/ipa-replica-install | 2 +- ipalib/plugins/automember.py | 9 -- ipalib/plugins/baseldap.py| 58 +++ ipalib/plugins/krbtpolicy.py | 6 ++-- ipalib/plugins/permission.py | 6 ++-- ipalib/plugins/sudorule.py| 8 -- ipalib/plugins/trust.py | 2 +- ipalib/plugins/user.py| 9 ++ ipaserver/ipaldap.py | 4 +-- ipaserver/plugins/ldap2.py| 2 -- 11 files changed, 73 insertions(+), 43 deletions(-) diff --git a/install/tools/ipa-compliance b/install/tools/ipa-compliance index c82e415..9b34350 100644 --- a/install/tools/ipa-compliance +++ b/install/tools/ipa-compliance @@ -116,7 +116,7 @@ def check_compliance(tmpdir, debug=False): hostcount = 0 # Get the hosts first try: -(entries, truncated) = conn.find_entries('(krblastpwdchange=*)', ['dn'], +(entries, truncated) = conn.find_entries('(krblastpwdchange=*)', [], DN(api.env.container_host, api.env.basedn), conn.SCOPE_ONELEVEL, size_limit = -1) @@ -136,10 +136,10 @@ def check_compliance(tmpdir, debug=False): available = 0 try: (entries, truncated) = conn.find_entries('(objectclass=ipaentitlement)', -['dn', 'userCertificate'], -DN(api.env.container_entitlements, api.env.basedn), -conn.SCOPE_ONELEVEL, -size_limit = -1) +['userCertificate'], +DN(api.env.container_entitlements, api.env.basedn), +conn.SCOPE_ONELEVEL, +size_limit = -1) for entry in entries: (dn, attrs) = entry diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install index 13c3260..846122d 100755 
--- a/install/tools/ipa-replica-install +++ b/install/tools/ipa-replica-install @@ -572,7 +572,7 @@ def main(): config.dirman_password) found = False try: -entry = conn.find_entries(u'fqdn=%s' % host, ['dn', 'fqdn'], DN(api.env.container_host, api.env.basedn)) +entry = conn.find_entries(u'fqdn=%s' % host, ['fqdn'], DN(api.env.container_host, api.env.basedn)) print The host %s already exists on the master server.\nYou should remove it before proceeding: % host print %% ipa host-del %s % host found = True diff --git a/ipalib/plugins/automember.py b/ipalib/plugins/automember.py index af39f6a..520f8a0 100644 --- a/ipalib/plugins/automember.py +++ b/ipalib/plugins/automember.py @@ -316,10 +316,12 @@ class automember_add_condition(LDAPUpdate): except errors.NotFound: failed['failed'][attr].append(regex) +entry_attrs = entry_to_dict(entry_attrs, **options) + # Set failed and completed to they can be harvested in the execute super setattr(context, 'failed', failed) setattr(context, 'completed', completed) -setattr(context, 'entry_attrs', dict(entry_attrs)) +setattr(context, 'entry_attrs', entry_attrs) # Make sure to returned the failed results if there is nothing to remove if completed == 0: @@ -406,10 +408,13 @@ class automember_remove_condition(LDAPUpdate): else: failed['failed'][attr].append(regex) entry_attrs[attr] = old_entry + +entry_attrs = entry_to_dict(entry_attrs, **options) + # Set failed and completed to they can be harvested in the execute super setattr(context, 'failed', failed) setattr(context, 'completed', completed) -setattr(context, 'entry_attrs', dict(entry_attrs)) +setattr(context, 'entry_attrs', entry_attrs) # Make sure to returned the failed results if there is nothing to remove if completed == 0: diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index 44751e1..74e2384 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py 
@@ -229,6 +229,12 @@ def entry_from_entry(entry, newentry): for e in newentry.keys(): entry[e] = newentry[e] +def entry_to_dict(entry, **options): +result = dict(entry) +if options.get('all', False): +result['dn'] = entry.dn +return result + def wait_for_value(ldap, dn, attr, value): 389-ds postoperation plugins are executed after
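Review bot: `entry_to_dict` in the baseldap.py hunk copies `entry.dn` into the result only when `options['all']` is set, yet the automember.py hunks replace `dict(entry_attrs)`, which until now carried the `'dn'` key unconditionally, with this helper; anything that reads `context.entry_attrs['dn']` in the execute superclass therefore breaks for calls without `--all`. Please confirm the consumers, and give the new helper a docstring stating that `dn` is included only with `all`.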
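Review bot: in the ipa-compliance `@@ -136,10` hunk, `'dn'` is removed from the attribute list but the loop still does `(dn, attrs) = entry`, i.e. it keeps relying on `find_entries` returning `(dn, attrs)` pairs, while the commit message says the series is converting callers to the `dn` attribute of LDAPEntry. Once LDAPEntry objects are returned here the unpacking should become `dn = entry.dn`; the same applies to the `@@ -116,7` hunk above it.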
Re: [Freeipa-devel] [PATCH] 361 ipa-adtrust-install should ask for SID generation
On Thu, 31 Jan 2013, Martin Kosek wrote: When ipa-adtrust-install is run, check if there are any objects that need to have SID generated. If yes, interactively ask the user if the sidgen task should be run. https://fedorahosted.org/freeipa/ticket/3195 From bd6512628d83d1f4bdfc9f414689c8a67bd01c7c Mon Sep 17 00:00:00 2001 From: Martin Kosek mko...@redhat.com Date: Thu, 31 Jan 2013 15:08:08 +0100 Subject: [PATCH] ipa-adtrust-install should ask for SID generation When ipa-adtrust-install is run, check if there are any objects that need have SID generated. If yes, interactively ask the user if the sidgen task should be run. https://fedorahosted.org/freeipa/ticket/3195 --- install/tools/ipa-adtrust-install | 42 +-- 1 file changed, 36 insertions(+), 6 deletions(-) diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install index 17f2f0e98d08863c9e48595d219bffb148490921..e127fd63e9a43b2630325d1fc3aa645f2ef8951a 100755 --- a/install/tools/ipa-adtrust-install +++ b/install/tools/ipa-adtrust-install @@ -275,12 +275,6 @@ def main(): ip_address = str(ip) root_logger.debug(will use ip_address: %s\n, ip_address) -if not options.unattended: -print -print The following operations may take some minutes to complete. -print Please wait until the prompt is returned. -print - admin_password = options.admin_password if not (options.unattended or admin_password): admin_password = read_admin_password(options.admin_name) 
@@ -320,6 +314,42 @@ def main(): set_and_check_netbios_name(options.netbios_name, options.unattended) +if not options.unattended and not options.add_sids: +# The filter corresponds to ipa_sidgen_task.c LDAP search filter +filter = '((objectclass=ipaobject)(!(objectclass=mepmanagedentry))' \ + '(|(objectclass=posixaccount)(objectclass=posixgroup)' \ + '(objectclass=ipaidobject))(!(ipantsecurityidentifier=*)))' +try: +(entries, truncated) = api.Backend.ldap2.find_entries(filter=filter, +base_dn=api.env.basedn, attrs_list=['']) +except errors.NotFound: +# All objects have SIDs assigned +pass +except (errors.DatabaseError, errors.NetworkError), e: +print Could not retrieve a list of entries that needs a SID generation: +print %s % e +else: +object_count = len(entries) +if object_count 0: +print +print %d existing users or groups do not have a SID identifier assigned. \ +% len(entries) +print Installer can run a task to have ipa-sidgen Directory Server plugin generate +print the SID identifier for all these users. Please note, the in case of a high +print number of users and groups, the operation might lead to high replication +print traffic and performance degradation. Refer to ipa-adtrust-install(1) man page +print for details. +print +if ipautil.user_input(Do you want to run the ipa-sidgen task?, default=False, +allow_empty=False): +options.add_sids = True I would still run this check in options.unattended mode and reported warning, for accounting purposes. Could you please make so? -- / Alexander Bokovoy ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
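Review bot: the `truncated` value returned by find_entries in the SID check hunk is never examined, so if the search hits the server size limit the count printed in "%d existing users or groups do not have a SID identifier assigned" understates the real number and the user answers the prompt on bad data; test `truncated` and print "at least %d" (or raise the search limit for this one call), and use the already computed object_count instead of calling len(entries) a second time in the format string.

Review bot: the first hunk removes the "The following operations may take some minutes to complete" notice, but nothing in the second hunk prints it again after the new sidgen question, so interactive users lose the warning that the installer is about to block; if the intent is to move the notice below the question, the move should be visible in the patch.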
Re: [Freeipa-devel] [PATCH] 360 Add autodiscovery section in ipa-client-install man pages
On 01/31/2013 02:44 PM, Petr Spacek wrote: On 31.1.2013 13:18, Martin Kosek wrote: Explain how autodiscovery and failover works and which options are important for these elements. https://fedorahosted.org/freeipa/ticket/3383 Could you add some note about how ipa-client installer will be confused by AD? One paragraph with some explanation could help. Sure, makes sense. Updated patch attached. Martin From 5d275e5ee81a46b2f8eca4ab6fb5980ef1cac143 Mon Sep 17 00:00:00 2001 From: Martin Kosek mko...@redhat.com Date: Thu, 31 Jan 2013 13:16:29 +0100 Subject: [PATCH] Add autodiscovery section in ipa-client-install man pages Explain how autodiscovery and failover works and which options are important for these elements. https://fedorahosted.org/freeipa/ticket/3383 --- ipa-client/man/ipa-client-install.1 | 34 -- 1 file changed, 28 insertions(+), 6 deletions(-) diff --git a/ipa-client/man/ipa-client-install.1 b/ipa-client/man/ipa-client-install.1 index 35aea4e4a2a328ebd3a0b300bf8b31f0b3dd9381..b6cc85a4965980585e1304f863ba347c100cddf2 100644 --- a/ipa-client/man/ipa-client-install.1 +++ b/ipa-client/man/ipa-client-install.1 @@ -16,7 +16,7 @@ .\ .\ Author: Rob Crittenden rcrit...@redhat.com .\ -.TH ipa-client-install 1 Sep 5 2011 FreeIPA FreeIPA Manual Pages +.TH ipa-client-install 1 Jan 31 2013 FreeIPA FreeIPA Manual Pages .SH NAME ipa\-client\-install \- Configure an IPA client .SH SYNOPSIS 
@@ -30,25 +30,42 @@ An authorized user is required to join a client machine to IPA. This can take th This same tool is used to unconfigure IPA and attempts to return the machine to its previous state. Part of this process is to unenroll the host from the IPA server. Unenrollment consists of disabling the prinicipal key on the IPA server so that it may be re\-enrolled. The machine principal in /etc/krb5.keytab (host/fqdn@REALM) is used to authenticate to the IPA server to unenroll itself. If this principal does not exist then unenrollment will fail and an administrator will need to disable the host principal (ipa host\-disable fqdn). -.SS HOSTNAME REQUIREMENTS +.SS Hostname Requirements Client must use a \fBstatic hostname\fR. If the machine hostname changes for example due to a dynamic hostname assignment by a DHCP server, client enrollment to IPA server breaks and user then would not be able to perform Kerberos authentication. \-\-hostname option may be used to specify a static hostname that persists over reboot. +.SS DNS Autodiscovery +Client installer by default tries to search for _ldap._tcp.DOMAIN DNS SRV records for all domains that are parent to its hostname. For example, if a client machine has a hostname 'client1.lab.example.com', the installer will try to retrieve an IPA server hostname from _ldap._tcp.lab.example.com, _ldap._tcp.example.com and _ldap._tcp.com DNS SRV records, respectively. The discovered domain is then used to configure client components (e.g. SSSD and Kerberos 5 configuration) on the machine. + +When the client machine hostname is not in a subdomain of an IPA server, its domain can be passed with \-\-domain option. In that case, both SSSD and Kerberos components have the domain set in the configuration files and will use it to autodiscover IPA servers. + +Client machine can also be configured without a DNS autodiscovery at all. 
When both \-\-server and \-\-domain options are used, client installer will use the specified server and domain directly. \-\-server option accepts multiple server hostnames which can be used for failover mechanism. Without DNS autodiscovery, Kerberos is configured with a fixed list of KDC and Admin servers. SSSD is still configured to either try to read domain's SRV records or the specified fixed list of servers. When \-\-fixed\-primary option is specified, SSSD will not try to read DNS SRV record at all (see sssd\-ipa(5) for details). + +.SS The Failover Mechanism +When some of the IPA servers is not available, client components are able to fallback to other IPA replica and thus preserving a continued service. When client machine is configured to use DNS SRV record autodiscovery (no fixed server was passed to the installer), client components do the fallback automatically, based on the IPA server hostnames and priorities discovered from the DNS SRV records. + +If DNS autodiscovery is not available, clients should be configured at least with a fixed list of IPA servers that can be used in case of a failure. When only one IPA server is configured, IPA client services will not be available in case of a failure of the IPA server. Please note, that in case of a fixed list of IPA servers, the fixed server lists in client components need to be updated when a new IPA server is enrolled or a current IPA server is decommissioned. + +.SS Coexistence With Other Directory Servers +Other directory servers deployed in the network (e.g. Microsoft Active Directory) may use the same DNS SRV records to denote hosts with a
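Review bot: in the DNS Autodiscovery paragraph "respectively" is the wrong word, the three SRV names are tried in that order; and since the example walks all the way up to _ldap._tcp.com, add a sentence saying that autodiscovery trusts whatever SRV answers the client's resolver returns for every parent zone, so an administrator who does not control a parent zone should pass --domain (or --server with --fixed-primary, as the paragraph already describes for the no-DNS case). In The Failover Mechanism paragraph, "When some of the IPA servers is not available" should read "When one of the IPA servers is not available", "fallback" is a verb there ("fall back"), and "thus preserving a continued service" reads better as "so that service continues". The unchanged context line at the top of this hunk still spells "prinicipal"; worth fixing while the section is being edited.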
Re: [Freeipa-devel] [PATCHES] 0117-0118 Port ipa-replica-prepare to the admintool framework
Petr Viktorin wrote: On 01/28/2013 04:36 PM, Petr Viktorin wrote: On 01/04/2013 02:43 PM, Petr Viktorin wrote: On 01/03/2013 02:56 PM, John Dennis wrote: On 01/03/2013 08:00 AM, Petr Viktorin wrote: Hello, The first patch implements logging-related changes to the admintool framework and ipa-ldap-updater (the only thing ported to it so far). The design document is at http://freeipa.org/page/V3/Logging_and_output John, I decided to go ahead and put an explicit logger attribute on the tool class rather than adding debug, info, warn, etc. methods dynamically using log_mgr.get_logger. I believe it's the cleanest solution. We had a discussion about this in this thread: https://www.redhat.com/archives/freeipa-devel/2012-July/msg00223.html; I didn't get a reaction to my conclusion so I'm letting you know in case you have more to say. I'm fine with not directly adding the debug, info, warn etc. methods, that practice was historical dating back to the days of Jason. However I do think it's useful to use a named logger and not the global root_logger. I'd prefer we got away from using the root_logger, its continued existence is historical as well and the idea was over time we would slowly eliminate its usage. FWIW the log_mgr.get_logger() is still useful for what you want to do. def get_logger(self, who, bind_logger_names=False) If you don't set bind_logger_names to True (and pass the class instance as who) you won't get the offensive debug, info, etc. methods added to the class instance. But it still does all the other bookkeeping. The 'who' in this instance could be either the name of the admin tool or the class instance. Also I'd prefer using the attribute 'log' rather than 'logger'. That would make it consistent with code which does already use get_logger() passing a class instance because it adds a 'log' attribute which is the logger. Also 'log' is twice as succinct as 'logger' (shorter line lengths). 
Thus if you do: log_mgr.get_logger(self) I think you'll get exactly what you want. A logger named for the class and being able to say self.log.debug() self.log.error() inside the class. In summary, just drop the True from the get_logger() call. Thanks! Yes, this works better. Updated patches attached. Here is patch 117 rebased to current master. Rebased again. Just a few minor points. Patch 117: The n-v-r should be -14. ipa-ldap-updater is no longer runnable as non-root. Was this intentional? Patch 118: Seems to work as it did though as a side effect of the new logging some things are displayed that we may want to suppress, specifically: request 'https://dart.example.com:8443/ca/ee/ca/profileSubmitSSLClient' I think changing the log level to DEBUG is probably the way to go. While you're at it you might consider replacing the ipa_replica_prepare remove_file() with the one in installutils. They differ slightly in implementation but basically do the same thing. rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
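The thread above settles on a per-class named logger reached through a `log` attribute instead of the global root_logger, with the debug/info/error methods bound onto the instance only on request. The following Python is an added illustration of that pattern written for this page; it is not ipapython's log_mgr, and the `get_logger` signature, the `AdminTool` class and the `run_with_capture` helper are assumptions chosen to mirror what John describes (`who` may be a name, a class or an instance; `bind_logger_names` controls whether the convenience methods are attached). It uses only the standard library `logging` module so it runs stand-alone.

```python
import logging


class _ListHandler(logging.Handler):
    """Collects emitted records so the caller can inspect which named
    logger produced each message (test aid, not production code)."""

    def __init__(self):
        logging.Handler.__init__(self)
        self.records = []

    def emit(self, record):
        self.records.append(record)


def get_logger(who, bind_logger_names=False):
    """Return a logger named after `who`.

    `who` is either a string (used verbatim as the logger name), a class, or an
    instance; for the latter two the name is '<module>.<ClassName>', so every
    message carries the component that produced it instead of the root name.
    Only when bind_logger_names is True (and `who` is an instance) are the
    debug/info/... methods copied onto the object; the default keeps the
    instance's namespace clean and callers use who.log.<level>() instead.
    """
    if isinstance(who, str):
        name = who
    else:
        cls = who if isinstance(who, type) else type(who)
        name = "%s.%s" % (cls.__module__, cls.__name__)
    logger = logging.getLogger(name)
    if bind_logger_names and not isinstance(who, (str, type)):
        for method in ("debug", "info", "warning", "error", "critical"):
            setattr(who, method, getattr(logger, method))
    return logger


class AdminTool(object):
    """Assumed stand-in for an admintool-framework command class."""

    def __init__(self):
        # Explicit attribute, as agreed in the thread: self.log, not self.logger.
        self.log = get_logger(self)

    def run(self, value):
        """Validate `value`; returns True on success, False when rejected."""
        self.log.debug("validating %r", value)
        if value < 0:
            self.log.error("negative input %r rejected", value)
            return False
        self.log.info("input %r accepted", value)
        return True


def run_with_capture(tool, value):
    """Run tool.run(value) while recording what its named logger emits.

    Returns (result, [(logger_name, level_name, message), ...]); the logger is
    restored afterwards so the capture does not leak into other callers.
    """
    handler = _ListHandler()
    old_level = tool.log.level
    tool.log.addHandler(handler)
    tool.log.setLevel(logging.DEBUG)
    try:
        result = tool.run(value)
    finally:
        tool.log.removeHandler(handler)
        tool.log.setLevel(old_level)
    return result, [(r.name, r.levelname, r.getMessage()) for r in handler.records]


if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG,
                        format="%(name)s %(levelname)s: %(message)s")
    AdminTool().run(-1)
```

Because the logger name is derived from the class, a log filter or handler can be attached to one tool (`logging.getLogger("<module>.AdminTool")`) without touching anything else in the process, which is the practical reason to move away from root_logger.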
Re: [Freeipa-devel] [PATCH] 361 ipa-adtrust-install should ask for SID generation
On 01/31/2013 04:29 PM, Alexander Bokovoy wrote: On Thu, 31 Jan 2013, Martin Kosek wrote: When ipa-adtrust-install is run, check if there are any objects that need to have SID generated. If yes, interactively ask the user if the sidgen task should be run. https://fedorahosted.org/freeipa/ticket/3195 ... I would still run this check in options.unattended mode and reported warning, for accounting purposes. Could you please make so? Sure! Updated patch attached. Martin From dca4904b06956c191dbe23a0580561c35a81d11f Mon Sep 17 00:00:00 2001 From: Martin Kosek mko...@redhat.com Date: Thu, 31 Jan 2013 15:08:08 +0100 Subject: [PATCH] ipa-adtrust-install should ask for SID generation When ipa-adtrust-install is run, check if there are any objects that need have SID generated. If yes, interactively ask the user if the sidgen task should be run. https://fedorahosted.org/freeipa/ticket/3195 --- install/tools/ipa-adtrust-install | 46 ++- 1 file changed, 40 insertions(+), 6 deletions(-) diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install index 17f2f0e98d08863c9e48595d219bffb148490921..2f7480447be8007ef2f136cbab5ff0f8a47df7cb 100755 --- a/install/tools/ipa-adtrust-install +++ b/install/tools/ipa-adtrust-install @@ -275,12 +275,6 @@ def main(): ip_address = str(ip) root_logger.debug(will use ip_address: %s\n, ip_address) -if not options.unattended: -print -print The following operations may take some minutes to complete. -print Please wait until the prompt is returned. -print - admin_password = options.admin_password if not (options.unattended or admin_password): admin_password = read_admin_password(options.admin_name) 
@@ -320,6 +314,46 @@ def main(): set_and_check_netbios_name(options.netbios_name, options.unattended) +if not options.add_sids: +# The filter corresponds to ipa_sidgen_task.c LDAP search filter +filter = '((objectclass=ipaobject)(!(objectclass=mepmanagedentry))' \ + '(|(objectclass=posixaccount)(objectclass=posixgroup)' \ + '(objectclass=ipaidobject))(!(ipantsecurityidentifier=*)))' +base_dn = api.env.basedn +try: +root_logger.debug(Searching for objects with missing SID with +filter=%s, base_dn=%s, filter, base_dn) +(entries, truncated) = api.Backend.ldap2.find_entries(filter=filter, +base_dn=base_dn, attrs_list=['']) +except errors.NotFound: +# All objects have SIDs assigned +pass +except (errors.DatabaseError, errors.NetworkError), e: +print Could not retrieve a list of objects that need a SID identifier assigned: +print unicode(e) +else: +object_count = len(entries) +if object_count 0: +print +print WARNING: %d existing users or groups do not have a SID identifier assigned. \ +% len(entries) +print Installer can run a task to have ipa-sidgen Directory Server plugin generate +print the SID identifier for all these users. Please note, the in case of a high +print number of users and groups, the operation might lead to high replication +print traffic and performance degradation. Refer to ipa-adtrust-install(1) man page +print for details. +print +if not options.unattended: +if ipautil.user_input(Do you want to run the ipa-sidgen task?, default=False, +allow_empty=False): +options.add_sids = True + +if not options.unattended: +print +print The following operations may take some minutes to complete. +print Please wait until the prompt is returned. +print + smb = adtrustinstance.ADTRUSTInstance(fstore) smb.realm = api.env.realm smb.autobind = service.ENABLED -- 1.7.11.7 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
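Review bot: the SID check hunk still discards `truncated` from find_entries, so the WARNING line can report fewer objects than actually lack a SID when the search hits the size limit; test it and qualify the count ("at least %d"), and use the object_count variable that the hunk already computes instead of a second len(entries). The comment says the filter corresponds to the one in ipa_sidgen_task.c; naming the function there would let a reviewer check the two stay in sync when either side changes.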
Re: [Freeipa-devel] [PATCH] 357 Use fully qualified CCACHE names
On Wed, 30 Jan 2013, Martin Kosek wrote: Some parts of install scripts used only ccache name as returned by krbV.CCache.name attribute. However, when this name is used again to initialize krbV.CCache object or when it is used in KRB5CCNAME environmental variable, it fails for new DIR type of CCACHE. We should always use both CCACHE type and name when referring to them to avoid these crashes. ldap2 backend was also updated to accept directly krbV.CCache object which contains everything we need to authenticate with ccache. https://fedorahosted.org/freeipa/ticket/3381 Minor comment: there are few cleanups of 'import krbV' in places where Kerberos functions are not used. Maybe it would be better to separate them into their own patch to avoid rebasing issues in future? Please note, that this fix is rather a short/medium-term fix for Fedora 18. In a long term we should consolidate our CCACHE manipulation code, it now uses several different wrappers or just uses krbV python library directly. I did not do any global refactoring in this patch, this should be done after we decide if we want to create a new, more usable krb5 library bindings as was already discussed in the past. Yes. John has published his current code for new Python bindings to libkrb5 at https://github.com/jdennis/python-krb. It is far from finished but gives more pythony feeling and additional contributions are highly welcomed. Once it is ready, we can start looking migrating to it. from ipalib import api, errors from ipalib.crud import CrudBackend from ipalib.request import context @@ -783,7 +781,7 @@ class ldap2(CrudBackend): Keyword arguments: ldapuri -- the LDAP server to connect to -ccache -- Kerberos V5 ccache name +ccache -- Kerberos V5 ccache object or name bind_dn -- dn used to bind to the server bind_pw -- password used to bind to the server debug_level -- LDAP debug level option 
@@ -821,10 +819,17 @@ class ldap2(CrudBackend): if maxssf minssf: conn.set_option(_ldap.OPT_X_SASL_SSF_MAX, minssf) if ccache is not None: +if isinstance(ccache, krbV.CCache): +principal = ccache.principal().name +# get a fully qualified CCACHE name (schema+name) +ccache = %(type)s:%(name)s % dict(type=ccache.type, +name=ccache.name) May be a comment could be added here that we don't use krbV.CCache instance afterwards and it is OK to override refernce to it by a string? +else: +principal = krbV.CCache(name=ccache, +context=krbV.default_context()).principal().name + os.environ['KRB5CCNAME'] = ccache conn.sasl_interactive_bind_s(None, SASL_AUTH) -principal = krbV.CCache(name=ccache, -context=krbV.default_context()).principal().name setattr(context, 'principal', principal) else: # no kerberos ccache, use simple bind or external sasl -- / Alexander Bokovoy ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
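Review bot: the docstring now says ccache may be an "object or name", but the else branch in this hunk still hands a bare string to krbV.CCache(name=...), which is exactly the call the commit message says fails for a DIR cache when the string is only the residual; either state in the docstring that a string must already be the fully qualified TYPE:name form, or normalise it the same way the krbV.CCache branch does. Separately, os.environ['KRB5CCNAME'] = ccache changes the process-wide environment and is never restored, so a later connection in the same process inherits whatever the previous caller bound with; a comment on that, at minimum, would save the next reader a surprise.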
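The fix discussed in this thread (and again in the resend below) hinges on the difference between a credential cache's type and its residual name: krb5 resolves a ccache from a TYPE:residual string, a name without a prefix is treated as a FILE cache, and a DIR residual that itself begins with ':' selects one subsidiary ticket file inside the collection (DIR::/path/tktXXXX) rather than the whole directory. The following Python is an added illustration written for this page, not FreeIPA's or python-krbV's code; it deliberately manipulates only strings so it runs without the Kerberos bindings, and the cache paths in its comments and in the checks are constructed sample values.

```python
"""Compose and parse Kerberos credential cache (ccache) names.

Example code written for this review. A bare residual such as the value of
krbV.CCache.name is only enough to reopen a FILE cache; for a DIR cache the
'DIR:' prefix must be carried along, which is what the patch's
'%(type)s:%(name)s' formatting restores before KRB5CCNAME is set.
"""


def qualify_ccache_name(cc_type, residual, subsidiary=False):
    """Build the fully qualified 'TYPE:residual' string for KRB5CCNAME.

    subsidiary=True is only meaningful for DIR caches and selects a single
    ticket file inside the collection; krb5 spells that with a doubled colon,
    e.g. 'DIR::/run/user/1000/krb5cc/tktABCD' (constructed sample path).
    """
    if not cc_type:
        raise ValueError("ccache type is required")
    if ":" in cc_type:
        raise ValueError("ccache type must not contain ':'")
    if subsidiary:
        if cc_type != "DIR":
            raise ValueError("subsidiary caches exist only for the DIR type")
        residual = ":" + residual
    return "%s:%s" % (cc_type, residual)


def parse_ccache_name(name):
    """Return (type, residual, subsidiary) for a ccache name.

    Mirrors krb5's resolution rules: no type prefix means FILE; a DIR residual
    starting with ':' names one subsidiary cache. Types are compared as
    written and never case-folded (assumption: krb5 matches the prefix
    exactly, so 'dir:' is not treated as 'DIR:').
    """
    if not name:
        raise ValueError("empty ccache name")
    cc_type, sep, residual = name.partition(":")
    if not sep:
        # e.g. '/tmp/krb5cc_0': only a path, so it can only be a FILE cache.
        return "FILE", name, False
    if not cc_type:
        raise ValueError("missing ccache type in %r" % name)
    if cc_type == "DIR" and residual.startswith(":"):
        return "DIR", residual[1:], True
    return cc_type, residual, False


def is_fully_qualified(name):
    """True when `name` carries an explicit type prefix.

    This is the check the patch's callers needed: passing a value for which
    this is False into KRB5CCNAME silently turns a DIR cache into a FILE one.
    """
    cc_type, sep, _ = name.partition(":")
    return bool(sep) and bool(cc_type)


def rejects(func, *args, **kwargs):
    """Return True if func(*args, **kwargs) raises ValueError."""
    try:
        func(*args, **kwargs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample: what a library might report for a DIR cache
    # (residual only) versus what KRB5CCNAME needs to resolve the same cache.
    bare = "/run/user/1000/krb5cc"
    print(parse_ccache_name(bare))                   # mis-resolves as FILE
    print(qualify_ccache_name("DIR", bare))          # DIR:/run/user/1000/krb5cc
```

The round trip `qualify_ccache_name(*parse_ccache_name(name)) == name` holds for every prefixed form, which is the property a caller wants before storing a ccache name anywhere it will later be reopened.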
Re: [Freeipa-devel] [PATCH] 360 Add autodiscovery section in ipa-client-install man pages
On 01/31/2013 04:41 PM, Martin Kosek wrote: On 01/31/2013 02:44 PM, Petr Spacek wrote: On 31.1.2013 13:18, Martin Kosek wrote: Explain how autodiscovery and failover works and which options are important for these elements. https://fedorahosted.org/freeipa/ticket/3383 Could you add some note about how ipa-client installer will be confused by AD? One paragraph with some explanation could help. Sure, makes sense. Updated patch attached. Martin Petr noticed a typo in the updated section. Fixed version attached. Martin From 605a8a563b26569c0c8115d43ec929f7043139d0 Mon Sep 17 00:00:00 2001 From: Martin Kosek mko...@redhat.com Date: Thu, 31 Jan 2013 13:16:29 +0100 Subject: [PATCH] Add autodiscovery section in ipa-client-install man pages Explain how autodiscovery and failover works and which options are important for these elements. https://fedorahosted.org/freeipa/ticket/3383 --- ipa-client/man/ipa-client-install.1 | 34 -- 1 file changed, 28 insertions(+), 6 deletions(-) diff --git a/ipa-client/man/ipa-client-install.1 b/ipa-client/man/ipa-client-install.1 index 35aea4e4a2a328ebd3a0b300bf8b31f0b3dd9381..2990b6694de9acc0780d3afe21ae7766c57d0b41 100644 --- a/ipa-client/man/ipa-client-install.1 +++ b/ipa-client/man/ipa-client-install.1 @@ -16,7 +16,7 @@ .\ .\ Author: Rob Crittenden rcrit...@redhat.com .\ -.TH ipa-client-install 1 Sep 5 2011 FreeIPA FreeIPA Manual Pages +.TH ipa-client-install 1 Jan 31 2013 FreeIPA FreeIPA Manual Pages .SH NAME ipa\-client\-install \- Configure an IPA client .SH SYNOPSIS 
@@ -30,25 +30,42 @@ An authorized user is required to join a client machine to IPA. This can take th This same tool is used to unconfigure IPA and attempts to return the machine to its previous state. Part of this process is to unenroll the host from the IPA server. Unenrollment consists of disabling the prinicipal key on the IPA server so that it may be re\-enrolled. The machine principal in /etc/krb5.keytab (host/fqdn@REALM) is used to authenticate to the IPA server to unenroll itself. If this principal does not exist then unenrollment will fail and an administrator will need to disable the host principal (ipa host\-disable fqdn). -.SS HOSTNAME REQUIREMENTS +.SS Hostname Requirements Client must use a \fBstatic hostname\fR. If the machine hostname changes for example due to a dynamic hostname assignment by a DHCP server, client enrollment to IPA server breaks and user then would not be able to perform Kerberos authentication. \-\-hostname option may be used to specify a static hostname that persists over reboot. +.SS DNS Autodiscovery +Client installer by default tries to search for _ldap._tcp.DOMAIN DNS SRV records for all domains that are parent to its hostname. For example, if a client machine has a hostname 'client1.lab.example.com', the installer will try to retrieve an IPA server hostname from _ldap._tcp.lab.example.com, _ldap._tcp.example.com and _ldap._tcp.com DNS SRV records, respectively. The discovered domain is then used to configure client components (e.g. SSSD and Kerberos 5 configuration) on the machine. + +When the client machine hostname is not in a subdomain of an IPA server, its domain can be passed with \-\-domain option. In that case, both SSSD and Kerberos components have the domain set in the configuration files and will use it to autodiscover IPA servers. + +Client machine can also be configured without a DNS autodiscovery at all. 
When both \-\-server and \-\-domain options are used, client installer will use the specified server and domain directly. \-\-server option accepts multiple server hostnames which can be used for failover mechanism. Without DNS autodiscovery, Kerberos is configured with a fixed list of KDC and Admin servers. SSSD is still configured to either try to read domain's SRV records or the specified fixed list of servers. When \-\-fixed\-primary option is specified, SSSD will not try to read DNS SRV record at all (see sssd\-ipa(5) for details). + +.SS The Failover Mechanism +When some of the IPA servers is not available, client components are able to fallback to other IPA replica and thus preserving a continued service. When client machine is configured to use DNS SRV record autodiscovery (no fixed server was passed to the installer), client components do the fallback automatically, based on the IPA server hostnames and priorities discovered from the DNS SRV records. + +If DNS autodiscovery is not available, clients should be configured at least with a fixed list of IPA servers that can be used in case of a failure. When only one IPA server is configured, IPA client services will not be available in case of a failure of the IPA server. Please note, that in case of a fixed list of IPA servers, the fixed server lists in client components need to be updated when a new IPA server is enrolled or a current IPA server is decommissioned. + +.SS Coexistence With Other Directory Servers +Other directory
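Review bot: the resend still carries the wording issues in the large hunk: "respectively" in the DNS Autodiscovery paragraph should be "in that order", "When some of the IPA servers is not available" should be "When one of the IPA servers is not available" with "fall back" as two words, and the unchanged context line keeps the "prinicipal" typo. Since the example ends at _ldap._tcp.com, one sentence stating that autodiscovery trusts the SRV answers of every parent zone up to the TLD, and that --domain (or --server with --fixed-primary) is how to stop an unexpected zone from answering, would make the Coexistence section that follows directly actionable.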
Re: [Freeipa-devel] [PATCH 0005] Clarified error message with ipa-client-automount
Lynn Root wrote: On Mon 03 Dec 2012 05:20:32 AM PST, Lynn Root wrote: On 11/30/2012 10:35 PM, Rob Crittenden wrote: Lynn Root wrote: Returns a clearer hint when user is running ipa-client-automount with possible firewall up and blocking needed ports. Not sure if this patch is worded correctly in order to address the potential firewall block when running ipa-client-automount. Perhaps a different error should be thrown, rather than NOT_IPA_SERVER. Ticket: https://fedorahosted.org/freeipa/ticket/3080 Tomas made a similar change recently in ipa-client-install which includes more information on the ports we need. You may want to take a look at that. It was for ticket https://fedorahosted.org/freeipa/ticket/2816 rob Thank you Rob - I adapted the same approach in this updated patch. Let me know if it addresses the blocked port issue better. Thanks! Just bumping this thread - I think this might have fallen by the wayside; certainly lost track of it myself after returning home/holidays. However I noticed that this ticket (https://fedorahosted.org/freeipa/ticket/3080) now has an RFE tag - don't _believe_ that was there when I started working on it in late November. I believe the whole design doc conversation was going on around then. I assume I'll need to start one for this? Thanks! I think this is still not quite right, and I think it could be improved in ipa-client-install as well. ipacheckldap() only tries to connect to port 389 (optionally with StartTLS). It returns a number of different possible errors, I think we should have some way to report more specific error messages based on those (can't connect to server Y on port 389, Unable to find Kerberos container, etc) in addition to Unable to confirm that X is an IPA server. We probably want to do something about the v2 part as well. I think a table in ipadiscovery to translate the possible return vals from ipacheckldap() into a string that can be logged is the way to go. 
rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 357 Use fully qualified CCACHE names
On 01/31/2013 05:01 PM, Alexander Bokovoy wrote: On Wed, 30 Jan 2013, Martin Kosek wrote: Some parts of install scripts used only ccache name as returned by krbV.CCache.name attribute. However, when this name is used again to initialize krbV.CCache object or when it is used in KRB5CCNAME environmental variable, it fails for new DIR type of CCACHE. We should always use both CCACHE type and name when referring to them to avoid these crashes. ldap2 backend was also updated to accept directly krbV.CCache object which contains everything we need to authenticate with ccache. https://fedorahosted.org/freeipa/ticket/3381 Minor comment: there are few cleanups of 'import krbV' in places where Kerberos functions are not used. Maybe it would be better to separate them into their own patch to avoid rebasing issues in future? Sure, good idea. Attaching both patches. Please note, that this fix is rather a short/medium-term fix for Fedora 18. In a long term we should consolidate our CCACHE manipulation code, it now uses several different wrappers or just uses krbV python library directly. I did not do any global refactoring in this patch, this should be done after we decide if we want to create a new, more usable krb5 library bindings as was already discussed in the past. Yes. John has published his current code for new Python bindings to libkrb5 at https://github.com/jdennis/python-krb. It is far from finished but gives more pythony feeling and additional contributions are highly welcomed. Once it is ready, we can start looking migrating to it. Agreed. During the migration, it would then make sense to also refactor and consolidate a our CCACHE manupulation code. from ipalib import api, errors from ipalib.crud import CrudBackend from ipalib.request import context 
@@ -783,7 +781,7 @@ class ldap2(CrudBackend): Keyword arguments: ldapuri -- the LDAP server to connect to -ccache -- Kerberos V5 ccache name +ccache -- Kerberos V5 ccache object or name bind_dn -- dn used to bind to the server bind_pw -- password used to bind to the server debug_level -- LDAP debug level option @@ -821,10 +819,17 @@ class ldap2(CrudBackend): if maxssf minssf: conn.set_option(_ldap.OPT_X_SASL_SSF_MAX, minssf) if ccache is not None: +if isinstance(ccache, krbV.CCache): +principal = ccache.principal().name +# get a fully qualified CCACHE name (schema+name) +ccache = %(type)s:%(name)s % dict(type=ccache.type, +name=ccache.name) May be a comment could be added here that we don't use krbV.CCache instance afterwards and it is OK to override refernce to it by a string? Comment added. +else: +principal = krbV.CCache(name=ccache, +context=krbV.default_context()).principal().name + os.environ['KRB5CCNAME'] = ccache conn.sasl_interactive_bind_s(None, SASL_AUTH) -principal = krbV.CCache(name=ccache, -context=krbV.default_context()).principal().name setattr(context, 'principal', principal) else: # no kerberos ccache, use simple bind or external sasl Updated patches attached. Martin From 386eaebe74ae55fd51615ac072675fcf185a3b9a Mon Sep 17 00:00:00 2001 From: Martin Kosek mko...@redhat.com Date: Thu, 31 Jan 2013 17:16:32 +0100 Subject: [PATCH 1/2] Remove unused krbV imports https://fedorahosted.org/freeipa/ticket/3381 --- install/certmonger/dogtag-ipa-retrieve-agent-submit | 1 - install/restart_scripts/renew_ca_cert | 1 - install/tools/ipa-upgradeconfig | 1 - ipaserver/plugins/ldap2.py | 2 -- 4 files changed, 5 deletions(-) diff --git a/install/certmonger/dogtag-ipa-retrieve-agent-submit b/install/certmonger/dogtag-ipa-retrieve-agent-submit index 6d54000d6ec15b89557af144fe1d72c14c3128ac..3781fc5d01da12ce2dc01e17fc60143e82fbedc6 100644 --- a/install/certmonger/dogtag-ipa-retrieve-agent-submit +++ b/install/certmonger/dogtag-ipa-retrieve-agent-submit 
@@ -26,7 +26,6 @@ import os import sys import shutil import tempfile -import krbV import syslog from ipalib import api from ipapython.dn import DN diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert index b7e4ebaae89472dd12f3767616e004f96358df7e..b1efd8f9d5c211315c140915fa51e17bae4c0436 100644 --- a/install/restart_scripts/renew_ca_cert +++ b/install/restart_scripts/renew_ca_cert @@ -23,7 +23,6 @@ import os import sys import shutil import tempfile -import krbV import syslog import random import time diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig index
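Review bot: the diffstat of this cleanup lists ipaserver/plugins/ldap2.py with 2 lines removed, while the second patch in the series adds an isinstance(ccache, krbV.CCache) check to the same file; confirm that the krbV import the second patch relies on is still present in ldap2.py after patch 1/2 alone is applied, otherwise the series is broken between the two commits with a NameError on the first Kerberos bind, which defeats the point of splitting the import cleanup out.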
Re: [Freeipa-devel] [PATCHES] 146-164 LDAP code refactoring (Part 4)
On 31.1.2013 11:00, Petr Viktorin wrote: On 01/30/2013 10:53 AM, Petr Viktorin wrote: On 01/29/2013 04:39 PM, Petr Viktorin wrote: On 01/28/2013 04:09 PM, Petr Viktorin wrote: On 01/28/2013 09:34 AM, Jan Cholasta wrote: On 25.1.2013 14:54, Petr Viktorin wrote: On 01/24/2013 03:06 PM, Petr Viktorin wrote: On 01/24/2013 10:43 AM, Petr Viktorin wrote: On 01/22/2013 04:04 PM, Petr Viktorin wrote: On 01/21/2013 06:38 PM, Petr Viktorin wrote: On 01/17/2013 06:27 PM, Petr Viktorin wrote: Hello, This is the first batch of changes aimed to consolidate our LDAP code. Each should be a self-contained change that doesn't break anything. [...] Since this patchset is becoming unwieldy, I've put it in a public repo that I'll keep updated. The following command will fetch it into your pviktori-ldap-refactor branch: git fetch git://github.com/encukou/freeipa ldap-refactor:pviktori-ldap-refactor [...] I found a bug in patch 143, here is a fixed version. I would prefer if you used the semantics of .get() for .get_single() as well (i.e. when no default value is provided, None is assumed) in patch 152. Or is there a reason not to? Honza -- Jan Cholasta ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 361 ipa-adtrust-install should ask for SID generation
On Thu, 31 Jan 2013, Martin Kosek wrote: On 01/31/2013 04:29 PM, Alexander Bokovoy wrote: On Thu, 31 Jan 2013, Martin Kosek wrote: When ipa-adtrust-install is run, check if there are any objects that need to have SID generated. If yes, interactively ask the user if the sidgen task should be run. https://fedorahosted.org/freeipa/ticket/3195 ... I would still run this check in options.unattended mode and reported warning, for accounting purposes. Could you please make so? Sure! Updated patch attached. Thanks! I have only small addition: +object_count = len(entries) +if object_count 0: +print +print WARNING: %d existing users or groups do not have a SID identifier assigned. \ +% len(entries) +print Installer can run a task to have ipa-sidgen Directory Server plugin generate +print the SID identifier for all these users. Please note, the in case of a high +print number of users and groups, the operation might lead to high replication +print traffic and performance degradation. Refer to ipa-adtrust-install(1) man page +print for details. +print +if not options.unattended: +if ipautil.user_input(Do you want to run the ipa-sidgen task?, default=False, +allow_empty=False): +options.add_sids = True ... to make the text of warning consistent it would be good to add + else: + print Unattended mode was selected, installer will *not* run ipa-sidgen task! -- / Alexander Bokovoy ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 357 Use fully qualified CCACHE names
On Thu, 31 Jan 2013, Martin Kosek wrote: On 01/31/2013 05:01 PM, Alexander Bokovoy wrote: On Wed, 30 Jan 2013, Martin Kosek wrote: Some parts of install scripts used only ccache name as returned by krbV.CCache.name attribute. However, when this name is used again to initialize krbV.CCache object or when it is used in KRB5CCNAME environmental variable, it fails for new DIR type of CCACHE. We should always use both CCACHE type and name when referring to them to avoid these crashes. ldap2 backend was also updated to accept directly krbV.CCache object which contains everything we need to authenticate with ccache. https://fedorahosted.org/freeipa/ticket/3381 Minor comment: there are few cleanups of 'import krbV' in places where Kerberos functions are not used. Maybe it would be better to separate them into their own patch to avoid rebasing issues in future? Sure, good idea. Attaching both patches. ACK to both now. Thanks! -- / Alexander Bokovoy ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES] 0107-0114 Fix Confusing ipa tool online help organization
Petr Viktorin wrote:

On 12/14/2012 01:46 AM, Dmitri Pal wrote:

On 12/13/2012 10:21 AM, Petr Viktorin wrote:

https://fedorahosted.org/freeipa/ticket/3060

Here is a collection of smallish fixes to `ipa help` and `ipa something --help`. This should address most of Nikolai's proposal. Additionally, it's now possible to run `ipa command --help` without a Kerberos ticket. And there are some new tests.

I've not included the Often used commands in `ipa help`; I think that is material for a manual/tutorial, not a help command. Selecting a topic from `ipa topics` and then choosing a command from `ipa help TOPIC` is a better way to use the help than the verbose `ipa help commands` or the proposed incomplete Often used commands.

Since the ticket has a bit of discussion and you indicate that you did not address everything, can you please extract what has been addressed and put it into a design page. I know it is not an RFE but it would help to validate the changes by testers. Please put the wiki link into the ticket.

http://freeipa.org/page/V3/Help

What is the purpose of the no-option outfile? Do you anticipate at some point opening this up as a real option or making it easier to log while using the api directly?

The help for help is a little confusing:

-
Purpose: Display help for a command or topic.
Usage: ipa [global-options] help [TOPIC] [options]

Positional arguments:
  TOPIC  The topic or command name.

Options:
  -h, --help  show this help message and exit
-

Should [TOPIC] be [TOPIC | COMMAND] or something else?
On my fresh F-18 install one of the new unit tests fails:

==
FAIL: Test that `help user-add` `user-add -h` are equivalent and contain doc
--
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/nose/case.py", line 197, in runTest
    self.test(*self.arg)
  File "/home/rcrit/redhat/freeipa/tests/test_cmdline/test_help.py", line 111, in test_command_help
    assert h_ctx.stdout == help_ctx.stdout
AssertionError

I'm not sure the errors to stderr are working either:

$ ipa user-show foo bar baz 2> /dev/null
ipa: ERROR: command 'user_show' takes at most 1 argument

rob
Re: [Freeipa-devel] OTP Design
On 01/31/2013 04:34 AM, Petr Spacek wrote:

On 30.1.2013 05:35, Dmitri Pal wrote:

Hello,

We started to shape a page for the OTP prototyping work we are doing. It is work in progress but it has enough information to share and discuss.

http://freeipa.org/page/V3/OTP

Comments welcome!

I gave it a quick look. Generally, the core seems correct to me. I have only nitpicks:

I see a big amount of new ipa* specific attributes. How do other OTP solutions store tokens/configuration? Is there any standard/semi-standard LDAP schema with attributes describing tokens?

No. Not that we are aware of.

MIT KDC has its own (native) LDAP driver.

Which they do not like and do not want to do more with. We effectively wrote our own.

It would be nice to coordinate OID allocation and schema definition with MIT and share as many attributes as possible. Do they plan to support OTP configuration in LDAP? (I don't see any note about LDAP support in http://k5wiki.kerberos.org/wiki/Projects/OTPOverRADIUS .)

They do not plan to. And we do not plan to extend the driver. This is the reason for the current design.

Is the author of https://fedoraproject.org/wiki/Features/EnterpriseTwoFactorAuthentication aware of our effort?

No, I need to reach out to him.

What about re-using http://www.dynalogin.org/ server for TOTP/HOTP implementation (rather than writing own OTP-in-389 implementation)? I haven't looked at the dynalogin code ...

The TOTP/HOTP algorithm is very simple; there is really not much to reuse.

Could the (old) draft "SASL and GSS-API Mechanism for Two Factor Authentication based on a Password and a One-Time Password (OTP): CROTP" from http://tools.ietf.org/html/draft-josefsson-kitten-crotp-00 be interesting for us (in future)? Is it worth resurrecting this effort?

Not sure. We will see.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-devel] [PATCHES] 91-92 Add support for RFC 6594 SSHFP DNS records
Jan Cholasta wrote:

On 23.1.2013 23:45, Rob Crittenden wrote:

Jan Cholasta wrote:

On 10.1.2013 05:56, Jan Cholasta wrote:

Hi,

Patch 91 removes module ipapython.compat. The code that uses it doesn't work with ancient Python versions anyway, so there's no need to keep it around.

Patch 92 adds support for automatic generation of RFC 6594 SSHFP DNS records to ipa-client-install and host plugin, as described in http://freeipa.org/page/V3/RFC_6594_SSHFP_DNS_records. Note that https://fedorahosted.org/freeipa/ticket/2642#comment:7 still applies.

https://fedorahosted.org/freeipa/ticket/2642

Honza

Self-NACK, forgot to actually remove ipapython/compat.py in the first patch. Also removed an unnecessary try block from the second patch.

Honza

These look good. I'm a little concerned about the magic numbers in the SSHFP code. I know these come from the RFCs. Can you add a comment there so future developers know where the values for key type and fingerprint type come from?

rob

Comment added.

Sorry, I just noticed that this is an RFE and there is no design page. Can you write one up real quick, then I'll push both.

I went back and forth a few times on whether we should have a ticket on the dropping of compat, if only to codify that we're giving up on python 2.6, but since this has been a given for a while I think we're ok.

rob
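The "magic numbers" Rob asks about are the IANA registry values the RFCs assign to the SSHFP algorithm and fingerprint-type fields. As an added example, not the FreeIPA client or host-plugin code under review, here is a small Python generator that builds SSHFP records from OpenSSH public-key lines and names where each number comes from. The sample keys it feeds itself are constructed from dummy bytes (they are not real host keys), and the host name and helper names are made up for the example.

```python
"""Build RFC 4255/6594 SSHFP records from OpenSSH public-key lines.

Added example, not FreeIPA's ipa-client-install or host-plugin code. The
registry numbers are the IANA values the RFCs assign; the sample keys are
constructed here from dummy bytes, not real host keys.
"""
import base64
import hashlib
import struct

# SSHFP "algorithm" field: RFC 4255 assigned 1 (RSA) and 2 (DSA),
# RFC 6594 added 3 (ECDSA), RFC 7479 added 4 (Ed25519).
KEY_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}

# SSHFP "fingerprint type" field: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594).
FP_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def fingerprint(blob, fptype):
    """Hex digest of the raw public-key blob (the base64-decoded field)."""
    return FP_TYPES[fptype](blob).hexdigest()


def ssh_string(data):
    """Encode an SSH wire-format string: 4-byte big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def read_ssh_string(blob, offset=0):
    """Decode one SSH wire-format string; returns (bytes, next offset)."""
    (length,) = struct.unpack_from(">I", blob, offset)
    start = offset + 4
    return blob[start:start + length], start + length


def sshfp_records(pubkey_line, fptypes=(1, 2)):
    """Return (algorithm, fptype, fingerprint) tuples for one
    'type base64 [comment]' line, one record per fingerprint type."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    keytype, b64 = fields[0], fields[1]
    if keytype not in KEY_ALGORITHMS:
        raise ValueError("no SSHFP algorithm number for %s" % keytype)
    blob = base64.b64decode(b64)
    # The blob itself starts with its type name; refuse lines whose declared
    # type disagrees with the key material instead of publishing a bad record.
    embedded, _ = read_ssh_string(blob)
    if embedded.decode("ascii", "replace") != keytype:
        raise ValueError("key type %s does not match blob type %r" % (keytype, embedded))
    return [(KEY_ALGORITHMS[keytype], fptype, fingerprint(blob, fptype))
            for fptype in fptypes]


def format_sshfp(hostname, records):
    """Render records as zone-file lines."""
    return ["%s IN SSHFP %d %d %s" % (hostname, alg, fptype, fp)
            for alg, fptype, fp in records]


def sample_ed25519_line():
    """Constructed ssh-ed25519 line with dummy 32-byte key material."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
    return "ssh-ed25519 %s constructed@example" % base64.b64encode(blob).decode()


def sample_rsa_line():
    """Constructed ssh-rsa line: e=65537 and a dummy modulus, not a real key."""
    blob = (ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01")
            + ssh_string(b"\x00" + bytes(range(1, 65))))
    return "ssh-rsa %s constructed@example" % base64.b64encode(blob).decode()


if __name__ == "__main__":
    for line in (sample_rsa_line(), sample_ed25519_line()):
        for out in format_sshfp("host.example.test.", sshfp_records(line)):
            print(out)
```

The fingerprint is computed over the decoded key blob, not over the base64 text, and both fingerprint types are emitted so that resolvers that only understand the original SHA-1 records still match; the embedded-type check guards against a key file whose first field was edited by hand.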
Re: [Freeipa-devel] [PATCH] 358-359 Fix openldap migration errors
Martin Kosek wrote:

These 2 attached patches were generated based on my debugging session with tsunamie and helping him deal with migration from his openldap DS. With these applied, migrate-ds command no longer crashes with an error.

I can lend my openldap instance I used when developing these patches.

Martin

Doesn't the second patch break the rule where the same enforcement is done on entering the data via a named option and setattr? If I understand this correctly the implication is that you couldn't do:

ipa user-mod --description=' foo '

But you could do

ipa user-mod --setattr description=' foo '

rob
Re: [Freeipa-devel] [PATCH] 358-359 Fix openldap migration errors
Martin Kosek wrote:

On 01/31/2013 08:36 PM, Rob Crittenden wrote:

Martin Kosek wrote:

These 2 attached patches were generated based on my debugging session with tsunamie and helping him deal with migration from his openldap DS. With these applied, migrate-ds command no longer crashes with an error.

I can lend my openldap instance I used when developing these patches.

Martin

Doesn't the second patch break the rule where the same enforcement is done on entering the data via a named option and setattr? If I understand this correctly the implication is that you couldn't do:

ipa user-mod --description=' foo '

But you could do

ipa user-mod --setattr description=' foo '

rob

I don't think so. This patch just removes this restriction from *attr parameters themselves; the underlying parameter validators (i.e. description parameter) should still be applied.

Though in the case of leading and trailing spaces, they somehow get trimmed:

# ipa group-mod foo --setattr description=some spaces
Modified group foo
  Group name: foo
  Description: some spaces
  GID: 141644

But as I wanted to have this patch only because of the failing user_mod operation in the migration.py plugin and since you plan to replace it in your WIP migration performance patch with direct LDAP mod operation, I do not insist on pushing patch 359 and patch 358 would be sufficient.

Martin

Ok, and patch 358 works fine, ACK.

rob
Re: [Freeipa-devel] [PATCH] 358-359 Fix openldap migration errors
On 01/31/2013 08:36 PM, Rob Crittenden wrote:

Martin Kosek wrote:

These 2 attached patches were generated based on my debugging session with tsunamie and helping him deal with migration from his openldap DS. With these applied, migrate-ds command no longer crashes with an error.

I can lend my openldap instance I used when developing these patches.

Martin

Doesn't the second patch break the rule where the same enforcement is done on entering the data via a named option and setattr? If I understand this correctly the implication is that you couldn't do:

ipa user-mod --description=' foo '

But you could do

ipa user-mod --setattr description=' foo '

rob

I don't think so. This patch just removes this restriction from *attr parameters themselves; the underlying parameter validators (i.e. description parameter) should still be applied.

Though in the case of leading and trailing spaces, they somehow get trimmed:

# ipa group-mod foo --setattr description=some spaces
Modified group foo
  Group name: foo
  Description: some spaces
  GID: 141644

But as I wanted to have this patch only because of the failing user_mod operation in the migration.py plugin and since you plan to replace it in your WIP migration performance patch with direct LDAP mod operation, I do not insist on pushing patch 359 and patch 358 would be sufficient.

Martin
[Freeipa-devel] More types of replicas in FreeIPA
Hello,

I'm starting to work on my thesis about 'More types of replicas in FreeIPA' again. One of the main problems is the way the read-only replicas should deal with KDC, because they're not supposed to possess the Kerberos (krb) master key. The task was to investigate how this is solved in Active Directory and its Read Only Domain Controllers.

I found out that the basics of RODC behaviour are described on a technet page (http://technet.microsoft.com/en-us/library/cc754218%28v=ws.10%29.aspx).

Login situation:
RODC by default forwards the KRB requests to the DC. RODC then forwards the response back to the client and also requests the password to be replicated to RODC. Both the user and his host must be members of the 'Allowed RODC Password Replication' group in order to let the user's passwords be replicated to RODCs.

Request services that the RODC doesn't have credentials for:
Client sends TGS-REQ to RODC. RODC can read the TGT in the request, but doesn't have credentials for the service. So the request is forwarded to the DC. DC can decrypt the TGT that was created by RODC and sends back the TGS-RES that is forwarded to the client (but it does not trust the RODC, so it recalculates the privilege attribute certificate). RODC does not cache the credentials for the service.

During my experiments the credentials got replicated to the RODC on the first log on of the user. The user's KRB requests were first forwarded to the DC. When the user got krbtgt and TGS for host, ldap and cifs, his TGT was revoked by RODC. He ran through the auth. process again, but this time the requests were served by RODC only - no forwarding - and no TGS for host was requested.

Unfortunately I still cannot recognize how the keys are processed. There's barely any RPC communication - only one DCERPC packet exchange between RODC and DC that takes place when the user sends his first TGS request (this exchange happens also for the clients with disabled replication).

It looks to me like the DC knows all the RODC keys. According to Technet, the MS implementation of Kerberos is able to recognize the key owner from the Key Version Number value. I think I can't get more info from the network traffic examination.

Do you have any ideas or hints on further investigation of the problem?
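The forwarding and caching behaviour described in this post, as an added example that is not part of the original message nor code from FreeIPA or Active Directory: a small Python model of a writable DC and an RODC that holds no master key and serves only principals whose keys the replication policy let it cache. The principal names, the replication group membership and the kvno encoding (the issuing KDC carried in the upper 16 bits, so the DC can tell which krbtgt key protects a TGT) are assumptions chosen to reproduce what the post observed; the TGT revocation step it mentions is not modelled.

```python
"""Toy model of the RODC logon flow described in the post above.

Added example, not code from FreeIPA or Active Directory: the principal
names, the replication policy membership and the kvno encoding are
assumptions chosen to reproduce the behaviour the post describes.
"""
from dataclasses import dataclass, field

RODC_ID = 7          # assumed branch id of the read-only DC
DC_KRBTGT_KVNO = 3   # assumed key version of the writable DC's krbtgt


def rodc_kvno(kvno):
    """Assumed encoding: the issuing KDC is carried in the upper 16 bits of
    the key version number, so a full DC can tell from a ticket's kvno which
    krbtgt key (its own or an RODC's) protects it."""
    return (RODC_ID << 16) | (kvno & 0xFFFF)


def key_owner(kvno):
    """Name the KDC whose krbtgt key a ticket with this kvno was issued under."""
    branch = kvno >> 16
    return "RODC%d" % branch if branch else "DC"


@dataclass
class Ticket:
    principal: str
    service: str
    kvno: int        # whose krbtgt key protects the ticket
    pac_issuer: str  # who computed the privilege attribute certificate


@dataclass
class DC:
    """Writable DC: holds every key and the RODC password replication policy."""
    keys: dict
    allowed_replication: set  # 'Allowed RODC Password Replication' members

    def as_req(self, user, host, rodc):
        tgt = Ticket(user, "krbtgt", DC_KRBTGT_KVNO, "DC")
        # Replicate the user's key only if both user and host are allowed.
        if user in self.allowed_replication and host in self.allowed_replication:
            rodc.cache[user] = self.keys[user]
        return tgt

    def tgs_req(self, tgt, service):
        # The DC knows the RODC's krbtgt key, so it can decrypt either TGT;
        # it does not trust an RODC-built PAC and recomputes it itself.
        owner = key_owner(tgt.kvno)
        return Ticket(tgt.principal, service, DC_KRBTGT_KVNO, "DC"), owner


@dataclass
class RODC:
    """Read-only DC: no master key, only the keys replicated to its cache."""
    dc: DC
    cache: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def as_req(self, user, host):
        if user in self.cache:
            self.log.append("AS-REQ %s: served locally" % user)
            return Ticket(user, "krbtgt", rodc_kvno(DC_KRBTGT_KVNO), "RODC%d" % RODC_ID)
        self.log.append("AS-REQ %s: forwarded to DC" % user)
        return self.dc.as_req(user, host, self)

    def tgs_req(self, tgt, service):
        if service in self.cache:
            self.log.append("TGS-REQ %s: served locally" % service)
            return Ticket(tgt.principal, service, rodc_kvno(DC_KRBTGT_KVNO), "RODC%d" % RODC_ID)
        self.log.append("TGS-REQ %s: forwarded to DC" % service)
        ticket, owner = self.dc.tgs_req(tgt, service)
        self.log.append("DC decrypted TGT issued by %s" % owner)
        # Service keys are never cached on the RODC.
        return ticket


def run_scenario():
    """Two logons by an allowed user and one by a user the policy excludes."""
    dc = DC(keys={"alice": "k-alice", "bob": "k-bob",
                  "host/branch": "k-branch", "cifs/hq": "k-hq"},
            allowed_replication={"alice", "host/branch"})
    rodc = RODC(dc, cache={"host/branch": "k-branch"})  # RODC has its own host key

    first = rodc.as_req("alice", "host/branch")     # forwarded, key replicated
    t1 = rodc.tgs_req(first, "cifs/hq")             # forwarded, PAC built by DC
    second = rodc.as_req("alice", "host/branch")    # served locally now
    t2 = rodc.tgs_req(second, "host/branch")        # RODC has the host key
    t3 = rodc.tgs_req(second, "cifs/hq")            # DC picks the key via kvno
    other = rodc.as_req("bob", "host/branch")       # not allowed: never cached
    return rodc, (first, t1, second, t2, t3, other)


if __name__ == "__main__":
    rodc, tickets = run_scenario()
    print("\n".join(rodc.log))
```

Running it prints the request log; the points to look at are that the second AS-REQ for the allowed user is served by the RODC alone, that the excluded user is forwarded every time and never lands in the cache, and that a ticket for a service whose key the RODC lacks always comes back with a DC-computed PAC even when the TGT was issued by the RODC.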
Re: [Freeipa-devel] [PATCH] 358-359 Fix openldap migration errors
On 01/31/2013 09:35 PM, Rob Crittenden wrote:

Martin Kosek wrote:

On 01/31/2013 08:36 PM, Rob Crittenden wrote:

Martin Kosek wrote:

These 2 attached patches were generated based on my debugging session with tsunamie and helping him deal with migration from his openldap DS. With these applied, migrate-ds command no longer crashes with an error.

I can lend my openldap instance I used when developing these patches.

Martin

Doesn't the second patch break the rule where the same enforcement is done on entering the data via a named option and setattr? If I understand this correctly the implication is that you couldn't do:

ipa user-mod --description=' foo '

But you could do

ipa user-mod --setattr description=' foo '

rob

I don't think so. This patch just removes this restriction from *attr parameters themselves; the underlying parameter validators (i.e. description parameter) should still be applied.

Though in the case of leading and trailing spaces, they somehow get trimmed:

# ipa group-mod foo --setattr description=some spaces
Modified group foo
  Group name: foo
  Description: some spaces
  GID: 141644

But as I wanted to have this patch only because of the failing user_mod operation in the migration.py plugin and since you plan to replace it in your WIP migration performance patch with direct LDAP mod operation, I do not insist on pushing patch 359 and patch 358 would be sufficient.

Martin

Ok, and patch 358 works fine, ACK.

rob

Patch 358 pushed to master, ipa-3-1, ipa-3-0.

Martin
Re: [Freeipa-devel] [PATCH] 357 Use fully qualified CCACHE names
On 01/31/2013 07:07 PM, Alexander Bokovoy wrote:

On Thu, 31 Jan 2013, Martin Kosek wrote:

On 01/31/2013 05:01 PM, Alexander Bokovoy wrote:

On Wed, 30 Jan 2013, Martin Kosek wrote:

Some parts of install scripts used only ccache name as returned by krbV.CCache.name attribute. However, when this name is used again to initialize krbV.CCache object or when it is used in KRB5CCNAME environment variable, it fails for new DIR type of CCACHE. We should always use both CCACHE type and name when referring to them to avoid these crashes.

ldap2 backend was also updated to accept directly krbV.CCache object which contains everything we need to authenticate with ccache.

https://fedorahosted.org/freeipa/ticket/3381

Minor comment: there are a few cleanups of 'import krbV' in places where Kerberos functions are not used. Maybe it would be better to separate them into their own patch to avoid rebasing issues in future?

Sure, good idea. Attaching both patches.

ACK to both now. Thanks!

Pushed to master, ipa-3-1.

Martin
Re: [Freeipa-devel] [PATCH] 361 ipa-adtrust-install should ask for SID generation
On 01/31/2013 07:06 PM, Alexander Bokovoy wrote:

On Thu, 31 Jan 2013, Martin Kosek wrote:

On 01/31/2013 04:29 PM, Alexander Bokovoy wrote:

On Thu, 31 Jan 2013, Martin Kosek wrote:

When ipa-adtrust-install is run, check if there are any objects that need to have SID generated. If yes, interactively ask the user if the sidgen task should be run.

https://fedorahosted.org/freeipa/ticket/3195

...

I would still run this check in options.unattended mode and report a warning, for accounting purposes. Could you please make it so?

Sure! Updated patch attached.

Thanks! I have only a small addition:

+object_count = len(entries)
+if object_count 0:
+print
+print WARNING: %d existing users or groups do not have a SID identifier assigned. \
+% len(entries)
+print Installer can run a task to have ipa-sidgen Directory Server plugin generate
+print the SID identifier for all these users. Please note, the in case of a high
+print number of users and groups, the operation might lead to high replication
+print traffic and performance degradation. Refer to ipa-adtrust-install(1) man page
+print for details.
+print
+if not options.unattended:
+if ipautil.user_input(Do you want to run the ipa-sidgen task?, default=False,
+allow_empty=False):
+options.add_sids = True

... to make the text of warning consistent it would be good to add

+ else:
+ print Unattended mode was selected, installer will *not* run ipa-sidgen task!

And here is the updated patch.

Martin

From 83dd0656ce61416412d0540ebe3ec332b353d221 Mon Sep 17 00:00:00 2001
From: Martin Kosek mko...@redhat.com
Date: Thu, 31 Jan 2013 15:08:08 +0100
Subject: [PATCH] ipa-adtrust-install should ask for SID generation

When ipa-adtrust-install is run, check if there are any objects that need to have SID generated. If yes, interactively ask the user if the sidgen task should be run.

https://fedorahosted.org/freeipa/ticket/3195
---
 install/tools/ipa-adtrust-install | 48 ++-
 1 file changed, 42 insertions(+), 6 deletions(-)
diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install index 17f2f0e98d08863c9e48595d219bffb148490921..9759ee5c7f996685e04ad0a90da05804392ec1e9 100755 --- a/install/tools/ipa-adtrust-install +++ b/install/tools/ipa-adtrust-install @@ -275,12 +275,6 @@ def main(): ip_address = str(ip) root_logger.debug(will use ip_address: %s\n, ip_address) -if not options.unattended: -print -print The following operations may take some minutes to complete. -print Please wait until the prompt is returned. -print - admin_password = options.admin_password if not (options.unattended or admin_password): admin_password = read_admin_password(options.admin_name) 
@@ -320,6 +314,48 @@ def main(): set_and_check_netbios_name(options.netbios_name, options.unattended) +if not options.add_sids: +# The filter corresponds to ipa_sidgen_task.c LDAP search filter +filter = '((objectclass=ipaobject)(!(objectclass=mepmanagedentry))' \ + '(|(objectclass=posixaccount)(objectclass=posixgroup)' \ + '(objectclass=ipaidobject))(!(ipantsecurityidentifier=*)))' +base_dn = api.env.basedn +try: +root_logger.debug(Searching for objects with missing SID with +filter=%s, base_dn=%s, filter, base_dn) +(entries, truncated) = api.Backend.ldap2.find_entries(filter=filter, +base_dn=base_dn, attrs_list=['']) +except errors.NotFound: +# All objects have SIDs assigned +pass +except (errors.DatabaseError, errors.NetworkError), e: +print Could not retrieve a list of objects that need a SID identifier assigned: +print unicode(e) +else: +object_count = len(entries) +if object_count 0: +print +print WARNING: %d existing users or groups do not have a SID identifier assigned. \ +% len(entries) +print Installer can run a task to have ipa-sidgen Directory Server plugin generate +print the SID identifier for all these users. Please note, the in case of a high +print number of users and groups, the operation might lead to high replication +print traffic and performance degradation. Refer to ipa-adtrust-install(1) man page +print for details. +print +if options.unattended: +print Unattended mode was
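Review bot: the first hunk (@@ -275,12 +275,6 @@) drops the interactive notice "The following operations may take some minutes to complete. Please wait until the prompt is returned." without a visible replacement, so in attended mode the user no longer gets that warning before the long-running steps. If the intent is to print it after the new SID prompt, so the prompt is not buried under it, the re-added print should be part of this patch; otherwise the notice is simply lost.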
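Review bot: in the second hunk (@@ -320,6 +314,48 @@) the `truncated` flag returned by `api.Backend.ldap2.find_entries` is unpacked but never checked, so if the search hits a size or time limit the warning reports `len(entries)` as the number of objects without a SID and understates the real count; when `truncated` is true, print the count as a lower bound ("at least %d") or tell the user the search was cut short. Smaller points in the same hunk: the message text "Please note, the in case of a high" has a stray "the"; the format argument uses `len(entries)` although `object_count` was just computed for that purpose; and `filter` shadows a Python builtin, so a name such as `sid_filter` would be clearer. The filter is a copy of the one in ipa_sidgen_task.c, as the comment says, so the two can silently diverge; naming the exact function in that comment would help whoever edits either side.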