Re: [Freeipa-devel] [PATCH 0280] Use master subdirectory for temporary files related to zones

2014-09-08 Thread Petr Spacek

On 4.9.2014 17:40, Martin Basti wrote:

On 04/09/14 14:43, Petr Spacek wrote:

Hello,

Use master subdirectory for temporary files related to zones.

This allows us to separate zone and non-zone metadata and also to separate
master and (hypothetical) slave zones.


Works fine. ACK



Pushed to master: f942df399ded10399a1f5d378d5ca1cc959bb157

--
Petr^2 Spacek

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH 0282] Create temporary directories with ug=rwx, o= permissions

2014-09-08 Thread Petr Spacek

On 5.9.2014 16:03, Martin Basti wrote:

On 05/09/14 14:51, Petr Spacek wrote:

On 5.9.2014 13:08, Martin Basti wrote:

On 05/09/14 12:43, Petr Spacek wrote:

On 4.9.2014 18:31, Martin Basti wrote:

On 04/09/14 17:55, Petr Spacek wrote:

Hello,

Create temporary directories with ug=rwx,o= permissions.

Zero group permissions do not allow the use of POSIX ACLs, which is
undesirable.


NACK
It creates drwxr-x--- permissions (umask problem)


Thank you for catching this. This version of the patch should fix the
problem. It is not very nice but I don't see any better solution.


It works! ACK with *

* The patch doesn't change permissions for existing directories, but because
of patch pspacek-280 the new version of the bind plugin will create a new file
structure under the new 'master' directory, so there is no problem with old
directories having old permissions, is there?


That is intentional. I don't want to change permissions if the user decided to
change them for some reason.


ok, double ACK then :-)


Pushed to master: 2bcf23d57eb67bf29d88bb1682ff32f58ee6a070

--
Petr^2 Spacek

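The umask problem Martin hit is easy to reproduce: mkdir(2) applies the process umask to the requested mode, so with the usual umask 022 a request for 0770 yields drwxr-x---. The added example below is not the patch's code (mkdir_ug_rwx, mkdir_naive and demo_umask_pitfall are names chosen for this example); it shows the naive call beside the fix of an explicit chmod(2) after a successful mkdir and, matching the behaviour Petr describes, leaves an already-existing directory's permissions alone.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Desired directory mode: ug=rwx,o= (group write is what POSIX ACLs need). */
#define WANT_MODE (S_IRWXU | S_IRWXG)

/* Permission bits a path actually ended up with, or -1 on error. */
static int perm_bits(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (int)(st.st_mode & 07777);
}

/* Naive variant: trust the mode argument of mkdir(2). The kernel applies
 * the process umask to it, so umask 022 silently drops the group write bit. */
int mkdir_naive(const char *path)
{
    if (mkdir(path, WANT_MODE) != 0)
        return -1;
    return perm_bits(path);
}

/* Fixed variant: create the directory, then set the mode explicitly with
 * chmod(2), which is not subject to umask. Only a directory we created
 * ourselves is touched; an existing one keeps whatever the admin set. */
int mkdir_ug_rwx(const char *path)
{
    if (mkdir(path, WANT_MODE) == 0) {
        if (chmod(path, WANT_MODE) != 0)
            return -1;
    } else if (errno != EEXIST) {
        return -1;
    }
    return perm_bits(path);
}

/* Reproduce the report under umask 022 in a scratch directory (constructed
 * location under /tmp). Returns 1 when the naive call yields 0750 and the
 * fixed call 0770, 0 when the outcome differs, -1 if no scratch dir. */
int demo_umask_pitfall(void)
{
    char parent[] = "/tmp/ugrwx-XXXXXX";
    char naive[64], fixed[64];
    int naive_bits, fixed_bits;
    mode_t saved;

    if (mkdtemp(parent) == NULL)
        return -1;
    snprintf(naive, sizeof naive, "%s/naive", parent);
    snprintf(fixed, sizeof fixed, "%s/fixed", parent);

    saved = umask(022);
    naive_bits = mkdir_naive(naive);
    fixed_bits = mkdir_ug_rwx(fixed);
    umask(saved);

    rmdir(naive);
    rmdir(fixed);
    rmdir(parent);
    return naive_bits == 0750 && fixed_bits == 0770;
}

int main(void)
{
    int ok = demo_umask_pitfall();
    printf("naive mkdir loses g+w under umask 022, chmod fix keeps it: %s\n",
           ok == 1 ? "yes" : "no");
    return ok == 1 ? 0 : 1;
}
```

The check-then-chmod order matters: chmod only runs when mkdir succeeded, so a directory an administrator already re-permissioned is never widened behind their back.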


Re: [Freeipa-devel] [PATCH 0279] Always use task associated ISC event instead of global inst-task

2014-09-08 Thread Petr Spacek

On 3.9.2014 14:25, Martin Basti wrote:

On 02/09/14 18:54, Petr Spacek wrote:

Hello,

Always use task associated with ISC event instead of global inst-task.

This is necessary to prevent random crashes like:
REQUIRE(task->state == task_state_running) failed

https://fedorahosted.org/bind-dyndb-ldap/ticket/138




Functional ACK


Pushed to master: e3da71fcf26c0bd024f739d23ce431408fb9246d

--
Petr^2 Spacek



Re: [Freeipa-devel] [PATCH 0281] Escape directory names generated from zone names

2014-09-08 Thread Petr Spacek

On 4.9.2014 17:42, Martin Basti wrote:

On 04/09/14 16:41, Petr Spacek wrote:

On 4.9.2014 16:32, Martin Basti wrote:

On 04/09/14 15:46, Petr Spacek wrote:

Hello,

Escape directory names generated from zone names.

Previously the root zone '.' and zone names with characters like '/' caused
temporary files to be scattered all over the dyndb-ldap working directory.

https://fedorahosted.org/bind-dyndb-ldap/ticket/122


Patch please :-)


And here is the patch ...


Works for me. ACK


Pushed to master: e3da71fcf26c0bd024f739d23ce431408fb9246d

--
Petr^2 Spacek

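The transformation that the README update later in this digest specifies for these directory names (root zone becomes '@', digits, hyphen and underscore are kept, ASCII letters are downcased, every other byte is escaped as %HH, the trailing dot is dropped) can be implemented as below. This is an added example written for this digest, not bind-dyndb-ldap's code; the name zone_to_dirname, the helper checkers, and the extra rejection of empty labels (which would otherwise yield a '..' path component) are this example's own choices.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Map a textual DNS zone name to a directory name that is safe to use
 * under the plug-in working directory. Rules follow the README update in
 * this digest; the function itself, and the rejection of empty labels,
 * are this example's own. Returns the length written or -1 on error
 * (output buffer too small, empty name, or an empty label such as "a..b"). */
int zone_to_dirname(const char *zone, char *out, size_t outlen)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t n = strlen(zone), o = 0;

    /* The root zone would otherwise become ".", the current directory. */
    if (n == 1 && zone[0] == '.') {
        if (outlen < 2)
            return -1;
        strcpy(out, "@");
        return 1;
    }

    if (n > 0 && zone[n - 1] == '.')   /* final dot is omitted */
        n--;
    if (n == 0 || zone[n - 1] == '.')  /* empty name or empty last label */
        return -1;

    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)zone[i];

        if (c == '.') {
            /* label separator; an empty label would produce "..", which
             * the filesystem treats as the parent directory */
            if (i == 0 || zone[i - 1] == '.')
                return -1;
            if (o + 1 >= outlen)
                return -1;
            out[o++] = '.';
        } else if (c < 0x80 && (isdigit(c) || c == '-' || c == '_')) {
            if (o + 1 >= outlen)
                return -1;
            out[o++] = (char)c;                 /* left intact */
        } else if (c < 0x80 && isalpha(c)) {
            if (o + 1 >= outlen)
                return -1;
            out[o++] = (char)tolower(c);        /* English letters downcased */
        } else {
            if (o + 3 >= outlen)
                return -1;
            out[o++] = '%';                     /* %HH escape, '%' included */
            out[o++] = hex[c >> 4];
            out[o++] = hex[c & 0x0F];
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* Small checkers so the behaviour can be asserted on directly. */
int dirname_matches(const char *zone, const char *expected)
{
    char buf[256];
    int len = zone_to_dirname(zone, buf, sizeof buf);
    return len >= 0 && (size_t)len == strlen(expected) && strcmp(buf, expected) == 0;
}

int dirname_rejected(const char *zone)
{
    char buf[256];
    return zone_to_dirname(zone, buf, sizeof buf) < 0;
}

int main(void)
{
    /* constructed sample zone names, including the README's TEST.0/1.a. */
    const char *samples[] = { ".", "example.com.", "TEST.0/1.a.", "50%.", "a..b" };
    char buf[256];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int len = zone_to_dirname(samples[i], buf, sizeof buf);
        printf("%-14s -> %s\n", samples[i], len < 0 ? "(rejected)" : buf);
    }
    return 0;
}
```

Because '%' is not in the intact set it is escaped to %25 as well, so the mapping is injective: a zone literally named "a%2Fb." and a zone named "a/b." land in different directories.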


[Freeipa-devel] [PATCH 0284-0285] Update NEWS; Bump NVR to 3.7

2014-09-08 Thread Petr Spacek

Hello,

Update NEWS for 3.7 release.
Pushed to master: e7e35ea7217e287bb1dc4aeca1185fcbc8bb5fae

Bump NVR to 3.7.
Pushed to master: 98725e5fedcfe9ff9e4e16ee1f2d7d20a1e00e30

--
Petr^2 Spacek
From e7e35ea7217e287bb1dc4aeca1185fcbc8bb5fae Mon Sep 17 00:00:00 2001
From: Petr Spacek pspa...@redhat.com
Date: Mon, 8 Sep 2014 10:38:56 +0200
Subject: [PATCH] Update NEWS for 3.7 release.

Signed-off-by: Petr Spacek pspa...@redhat.com
---
 NEWS | 4 
 1 file changed, 4 insertions(+)

diff --git a/NEWS b/NEWS
index d5e2d7ba98e003c160867b15f230e2a91a37e5f6..17589ff91227b1c2830dcbd4c7d2ac053fd67449 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,7 @@
+3.7
+=
+[1] Kerberos ticket expiration is now handled correctly.
+
 3.6
 =
 [1] Crash triggered by invalid SOA record was fixed.
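Review bot: the new entry `+[1] Kerberos ticket expiration is now handled correctly.` carries no ticket reference, whereas the matching 4.5 NEWS entry in this digest links https://fedorahosted.org/bind-dyndb-ldap/ticket/131; add the same link here so the two branches' changelogs stay traceable to the same fix.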
-- 
1.9.3

From 98725e5fedcfe9ff9e4e16ee1f2d7d20a1e00e30 Mon Sep 17 00:00:00 2001
From: Petr Spacek pspa...@redhat.com
Date: Mon, 8 Sep 2014 10:40:17 +0200
Subject: [PATCH] Bump NVR to 3.7.

Signed-off-by: Petr Spacek pspa...@redhat.com
---
 configure.ac | 2 +-
 contrib/bind-dyndb-ldap.spec | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/configure.ac b/configure.ac
index 91fb8994ba5c735f3448255c3fc123b033416773..e2811cdc86e338ecbeb6ce9d58fc5972e3afea31 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,5 +1,5 @@
 AC_PREREQ([2.59])
-AC_INIT([bind-dyndb-ldap], [3.6], [freeipa-devel@redhat.com])
+AC_INIT([bind-dyndb-ldap], [3.7], [freeipa-devel@redhat.com])
 
 AM_INIT_AUTOMAKE([-Wall foreign dist-bzip2])
 
diff --git a/contrib/bind-dyndb-ldap.spec b/contrib/bind-dyndb-ldap.spec
index 6343b6cb2e85e6dd65a318b1be295351a291249c..638926eeaf121e175ec4957a7b040e4d0eaae6d2 100644
--- a/contrib/bind-dyndb-ldap.spec
+++ b/contrib/bind-dyndb-ldap.spec
@@ -1,7 +1,7 @@
 %define VERSION %{version}
 
 Name:   bind-dyndb-ldap
-Version:3.6
+Version:3.7
 Release:0%{?dist}
 Summary:LDAP back-end plug-in for BIND
 
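Review bot: `+Version:3.7` duplicates the version already bumped in `+AC_INIT([bind-dyndb-ldap], [3.7], [freeipa-devel@redhat.com])` in the configure.ac hunk; two hand-edited copies are a drift risk, so consider having the spec take its version from configure (a .spec.in substituted at configure time) or at least a release check that the two agree.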
-- 
1.9.3


[Freeipa-devel] [PATCH 0286-0287] Bump NVR to 4.5; Update NEWS for 4.5 release

2014-09-08 Thread Petr Spacek

Hello,

Update NEWS for 4.5 release.
Pushed to v4:7df9330f84316d6157663c0fa371d108a75e2621

Bump NVR to 4.5.
Pushed to v4: ae718be25366575e0b41e55b862ce579527375ad

--
Petr^2 Spacek
From 7df9330f84316d6157663c0fa371d108a75e2621 Mon Sep 17 00:00:00 2001
From: Petr Spacek pspa...@redhat.com
Date: Mon, 8 Sep 2014 10:38:56 +0200
Subject: [PATCH] Update NEWS for 4.5 release.

Signed-off-by: Petr Spacek pspa...@redhat.com
---
 NEWS | 5 +
 1 file changed, 5 insertions(+)

diff --git a/NEWS b/NEWS
index edfe8d71298843d1e9380a49baa49d86a52a8481..abdcc22447ad8c608577763b142a7a21d11b9bda 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,8 @@
+4.5
+=
+[1] Kerberos ticket expiration is now handled correctly.
+https://fedorahosted.org/bind-dyndb-ldap/ticket/131
+
 4.4
 
 [1] Error handling for zone loading was fixed.
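Review bot: the context line beneath `4.4` is empty while the new `4.5` heading gets an `=` underline (as does `3.6` in the 3.7 patch); worth checking that the 4.4 heading's underline was not dropped so the NEWS headings stay consistent.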
-- 
1.9.3

From ae718be25366575e0b41e55b862ce579527375ad Mon Sep 17 00:00:00 2001
From: Petr Spacek pspa...@redhat.com
Date: Mon, 8 Sep 2014 10:47:41 +0200
Subject: [PATCH] Bump NVR to 4.5.

Signed-off-by: Petr Spacek pspa...@redhat.com
---
 configure.ac | 2 +-
 contrib/bind-dyndb-ldap.spec | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/configure.ac b/configure.ac
index 3febad84fb51ec24b4d4c141db80379452085695..d98d0b8f148e6e652d3036403bf89787da5e7de3 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,5 +1,5 @@
 AC_PREREQ([2.59])
-AC_INIT([bind-dyndb-ldap], [4.4], [freeipa-devel@redhat.com])
+AC_INIT([bind-dyndb-ldap], [4.5], [freeipa-devel@redhat.com])
 
 AM_INIT_AUTOMAKE([-Wall foreign dist-bzip2])
 
diff --git a/contrib/bind-dyndb-ldap.spec b/contrib/bind-dyndb-ldap.spec
index f501b71672fe6569c3f65ecaee3c0ccb7593cb6e..e848b6a32a59d5fdb15591cf001e817cd7a0cdb1 100644
--- a/contrib/bind-dyndb-ldap.spec
+++ b/contrib/bind-dyndb-ldap.spec
@@ -1,7 +1,7 @@
 %define VERSION %{version}
 
 Name:   bind-dyndb-ldap
-Version:4.4
+Version:4.5
 Release:0%{?dist}
 Summary:LDAP back-end plug-in for BIND
 
-- 
1.9.3


Re: [Freeipa-devel] [PATCH 0283] Fix root zone handling

2014-09-08 Thread Martin Basti

On 05/09/14 19:47, Petr Spacek wrote:

On 5.9.2014 17:40, Petr Spacek wrote:

Hello,

Fix root zone handling.

syncrepl_update() was buggy in a way which could cause accidental zone removal.


Test case: A server with two zones: '.' and 'test.'

Zone '.':
. NS ns1.test.
. NS ns2.test.
test. NS ns1.test.
test. NS ns2.test.

Zone 'test.':
test. NS ns1.test.
test. NS ns2.test.
ns1.test. A  192.0.2.1
ns2.test. A  192.0.2.2

Removing whole name 'test.' from zone '.' will cause removal of zone 'test.'
instead of removing NS records from zone '.'.



And fix the fix ...

ACK

--
Martin Basti



Re: [Freeipa-devel] [PATCH 0283] Fix root zone handling

2014-09-08 Thread Petr Spacek

On 8.9.2014 11:45, Martin Basti wrote:

On 05/09/14 19:47, Petr Spacek wrote:

On 5.9.2014 17:40, Petr Spacek wrote:

Hello,

Fix root zone handling.

syncrepl_update() was buggy in a way which could cause accidental zone
removal.

Test case: A server with two zones: '.' and 'test.'

Zone '.':
. NS ns1.test.
. NS ns2.test.
test. NS ns1.test.
test. NS ns2.test.

Zone 'test.':
test. NS ns1.test.
test. NS ns2.test.
ns1.test. A  192.0.2.1
ns2.test. A  192.0.2.2

Removing whole name 'test.' from zone '.' will cause removal of zone 'test.'
instead of removing NS records from zone '.'.



And fix the fix ...

ACK


Thanks!

Pushed to master: 2d4a48880ec6572214ccee531f4ff9afbc8c8367

--
Petr^2 Spacek



[Freeipa-devel] [PATCH 0288-0290] Clarify that idnsZoneActive attribute is not supported; Update naming rules for working directories; Update link to patches for BIND

2014-09-08 Thread Petr Spacek

Hello,

Clarify that idnsZoneActive attribute is not supported.
Pushed to master: 2481cdd2133741e987d5ab7c8995ccf156109461

Update naming rules for working directories.
Pushed to master: 972c158cf330bc66da990b12f5cd41e57a39eb38

Update link to patches for BIND.
Pushed to master: 282184e45fae28c28f8fd98b1fb1672d7382d3da

--
Petr^2 Spacek
From 282184e45fae28c28f8fd98b1fb1672d7382d3da Mon Sep 17 00:00:00 2001
From: Petr Spacek pspa...@redhat.com
Date: Mon, 8 Sep 2014 11:56:57 +0200
Subject: [PATCH] Update link to patches for BIND.

Signed-off-by: Petr Spacek pspa...@redhat.com
---
 README | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README b/README
index 4e3082b3b6fd6d7f8abcdb9f4c0803569eb0f896..5dafcb6e58f9a3e7785fa2d665fc70e6f2800053 100644
--- a/README
+++ b/README
@@ -6,7 +6,7 @@ database back-end capabilities. For now, it requires that BIND is patched
 to support dynamic loading of database back-ends. You can get a patch
 for your version here:
 
-  http://github.com/mnagy/bind-dynamic_db/downloads
+  https://github.com/spacekpe/bind-dynamic_db
 
 Hopefully, the patch will once be included in the official BIND release.
 
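Review bot: the new link `+  https://github.com/spacekpe/bind-dynamic_db` points at a repository rather than the old downloads page, yet the sentence above still says "You can get a patch for your version here"; say which branch or tag holds the patch for each supported BIND version. The move to https is the right call since the text asks users to apply a patch fetched from this URL to their name server.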
-- 
1.9.3

From 972c158cf330bc66da990b12f5cd41e57a39eb38 Mon Sep 17 00:00:00 2001
From: Petr Spacek pspa...@redhat.com
Date: Mon, 8 Sep 2014 12:03:29 +0200
Subject: [PATCH] Update naming rules for working directories.

Signed-off-by: Petr Spacek pspa...@redhat.com
---
 README | 21 +
 1 file changed, 17 insertions(+), 4 deletions(-)

diff --git a/README b/README
index 5dafcb6e58f9a3e7785fa2d665fc70e6f2800053..5efea6c80dee82360ef510be26f1f62c410818d5 100644
--- a/README
+++ b/README
@@ -326,6 +326,7 @@ directory (default is
 	These sub-directories will contain temporary files like zone dump, zone
 	journal, zone keys etc.
 	The path is relative to directory specified in BIND options.
+	See section 6 (DNSSEC) for examples.
 
 5.2 Sample configuration
 
@@ -351,7 +352,7 @@ will register a new zone with BIND. The LDAP back-end will keep each
 record it gets from LDAP in its memory.
 Working directory for the plug-in will be /var/named/dyndb-ldap/my_db_name/,
 so hypothetical zone example.com will use sub-directory
-/var/named/dyndb-ldap/my_db_name/example.com/.
+/var/named/dyndb-ldap/my_db_name/master/example.com/.
 
 5.3 Configuration in LDAP
 -
@@ -388,17 +389,29 @@ Key management has to be handled by user, i.e. user has to
 generate/delete keys and configure key timestamps as appropriate.
 
 Key directory for particular DNS zone is automatically configured to value:
-plugin-instance-dir/zone-name/keys
+plugin-instance-dir/master/zone-name/keys
 
 plugin-instance-dir is described in section 5.1.3 of this file.
-zone-name is textual representation of zone name without trailing period.
+zone-name is (transformed) textual representation of zone name without
+trailing period.
+
+Zone name will be automatically transformed before usage:
+- root zone is translated to '@' to prevent collision with filesystem '.'
+- digits, hyphen and underscore are left intact
+- letters of English alphabet are downcased
+- all other characters are escaped using %ASCII_HEX form, e.g. '/' = '%2F'
+- final dot is omited
+- labels are separated with '.'
 
 Example:
 * BIND directory: /var/named
 * bind-dyndb-ldap directory: dyndb-ldap
 * LDAP instance name: ipa
 * DNS zone: example.com.
-* Resulting keys directory: /var/named/dyndb-ldap/ipa/example.com/keys
+* Resulting keys directory: /var/named/dyndb-ldap/ipa/master/example.com/keys
+
+* DNS zone: TEST.0/1.a.
+* Resulting keys directory: /var/named/dyndb-ldap/ipa/master/test.0%2F1.a/keys
 
 Make sure that keys directory and files is readable by user used for BIND.
 
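Review bot: `+- final dot is omited` should read `omitted`, and `'/' = '%2F'` reads as if an arrow was lost (`'/' -> '%2F'` is clearer). The rules also leave two cases implicit that matter for the directory mapping: `%` itself is not in the intact set, so it must be escaped to `%25` (otherwise a zone containing a literal `%2F` and one containing `/` would share a directory), and `.` is kept as the label separator, so an empty label would produce a `..` path component. Suggest stating both explicitly and that empty labels are rejected, so it is clear the transformation is injective and cannot yield `.` or `..` components.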
-- 
1.9.3

From 2481cdd2133741e987d5ab7c8995ccf156109461 Mon Sep 17 00:00:00 2001
From: Petr Spacek pspa...@redhat.com
Date: Mon, 8 Sep 2014 12:09:46 +0200
Subject: [PATCH] Clarify that idnsZoneActive attribute is not supported.

Signed-off-by: Petr Spacek pspa...@redhat.com
---
 README | 16 +++-
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/README b/README
index 5efea6c80dee82360ef510be26f1f62c410818d5..fe452029965357f15915afcf87af4ea41c45cfd1 100644
--- a/README
+++ b/README
@@ -155,6 +155,11 @@ Attributes:
 	masters	aren't synchronized. It will cause problems with zone
 	transfers from multiple masters to single slave.
 
+* idnsZoneActive
+Boolean which speicifies if particular DNS zone should be loaded
+or not. This option is not supported in versions = 4.0.
+https://fedorahosted.org/bind-dyndb-ldap/ticket/127
+
 * nSEC3PARAMRecord
 	NSEC3PARAM resource record definition according to RFC5155.
 	Zone without NSEC3PARAM RR will use NSEC by default.
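Review bot: `speicifies` in `+Boolean which speicifies if particular DNS zone should be loaded` should be `specifies`, and `+or not. This option is not supported in versions = 4.0.` is missing its comparison operator (a `<` or `>` appears to have been lost), so state the range in words, e.g. "not supported in version 4.0 and later" or whichever applies. The new block is also not tab-indented like the neighbouring `masters` and `NSEC3PARAM` descriptions.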
@@ -345,11 +350,12 @@ dynamic-db my_db_name {
 
 With this configuration, the LDAP back-end will try to connect to server
 ldap.example.com with simple authentication, without any password. It
-will then do an 

Re: [Freeipa-devel] [PATCH] 742 webui: adjust behavior of bounce url

2014-09-08 Thread Petr Vobornik

On 4.9.2014 01:25, Endi Sukma Dewata wrote:

On 8/21/2014 11:06 AM, Petr Vobornik wrote:

based on:
http://www.redhat.com/archives/freeipa-devel/2014-August/msg00073.html

- bounce url param was renamed from 'redirect' to 'url'
- support for 'delay' param added

Behavior:

- Continue to next page link is shown if 'url' is present
- page is no longer automatically redirected if 'url' is present
- automatic redirect is controlled by 'delay' param - it specifies
   number of seconds until redirection
- info message 'You will be redirected in Xs' is shown to notify
   the user that something will happen. It's useful even if delay
   is 0 or negative because redirection might be slow.
- counter is decremented every second
- delay is ignored if parsed as NaN

https://fedorahosted.org/freeipa/ticket/4440


ACK.


Pushed to:
master: 050431c4dd70f024b1644137fb0ad4881ed9e32b
ipa-4-1: c946029ba304efe808106da13e1bfd58135821be




Just one thing, when the delay=0 and the redirection happens quickly, the
users might see the confirmation and the redirection messages displayed
briefly on the screen but they cannot read it because it's too quick,
which might leave them wondering what it was.

I think delay=0 is a special case where we want a seamless integration
with 3rd party application. If the password reset is completed
successfully, it should just display the next page in the 3rd party
application. Users shouldn't see a 'redirection' message. To them it's
all one application.



On the other hand it is handy if the delay is not small, e.g., 2s,
because the user sees that something is happening.


Added to a list of things for discussion with Kyle.
--
Petr Vobornik



Re: [Freeipa-devel] [PATCH] 743 webui: do not show login error when switching back from otp sync screen

2014-09-08 Thread Petr Vobornik

On 4.9.2014 04:09, Endi Sukma Dewata wrote:

On 8/22/2014 6:51 AM, Petr Vobornik wrote:

Errors should reflect only a result of last operation.

https://fedorahosted.org/freeipa/ticket/4470

Fixes issue found by Endi:


Try logging in with an incorrect password/OTP. After you get a login
error click Sync OTP Token. Once the sync is completed it will go
back to the login page with a Token was synchronized message that
disappears in a few seconds, but the old login error still appears
which is confusing. Error messages in the UI should only reflect the
last executed operation.


ACK.



Pushed to:
master: 5e36cc5215209294c9728fa4c2034d4c248acd68
ipa-4-1: e77f0b92ae9fafce148bd16093605dfb0358a41d

--
Petr Vobornik



Re: [Freeipa-devel] [PATCH] 744 webui: switch associators if default doesn't work

2014-09-08 Thread Petr Vobornik

On 4.9.2014 20:33, Endi Sukma Dewata wrote:

On 8/22/2014 11:29 AM, Petr Vobornik wrote:

Ticket: https://fedorahosted.org/freeipa/ticket/4507

Support for delegating RBAC roles to service principals added a new
attribute, members. [1][2] Most of the Web UI was automatically extended but
the defaults chose the wrong associator for the service's memberof_role facet
traditionally it would be solved by

{
    $type: 'association',
    name: 'memberof_role',
    associator: IPA.serial_associator
}

This patch tries to make the auto-magic functionality a little bit less
stupid to eliminate the need for ^^ patches. It's far from perfect - it
doesn't support things like:

{
    $type: 'association',
    name: 'memberof_sudorule',
    associator: IPA.serial_associator,
    add_method: 'add_user',
    remove_method: 'remove_user'
}

[1]
https://git.fedorahosted.org/cgit/freeipa.git/commit/?id=8fabd6dde152fc394bd4f093d93c8a46e5b2851b


[2] https://fedorahosted.org/freeipa/ticket/3164


ACK.


Pushed to:
master: f70eafaedbdc4a511338979198f9459ee5b47807
ipa-4-1: cb2dc9c5efaee6344daa32a9717336345a22f022

--
Petr Vobornik



Re: [Freeipa-devel] [PATCH] 745 webui: notify psw change success only once

2014-09-08 Thread Petr Vobornik

On 4.9.2014 20:37, Endi Sukma Dewata wrote:

On 8/29/2014 3:40 AM, Petr Vobornik wrote:

Password change initiated from header menu notified success twice.
First one in `dialogs.password.dialog` and second one in a success
callback. The second notification was removed.

Caused by:
https://fedorahosted.org/freeipa/changeset/870db2f677dff01750aeec104c90fce3ca0e54be/



ACK.



Pushed to:
ipa-4-1: f8fc3bbcd84e12d4f918fe05910c9e664fc0b07c
master: ad6001fc2e70b6e7dbbe986f4243dd785f1bd3b2

--
Petr Vobornik



[Freeipa-devel] Announcing FreeIPA 4.0.2

2014-09-08 Thread Petr Viktorin

The FreeIPA team is proud to announce FreeIPA v4.0.2!

It can be downloaded from http://www.freeipa.org/page/Downloads. The
builds will be available for Fedora 21. Builds for Fedora 20 are
available in the official COPR repository
(https://copr.fedoraproject.org/coprs/mkosek/freeipa/).


== Highlights in 4.0.2 ==
=== Enhancements ===
* TOTP watermark support was added. The last token interval is now being
added to the database and replicated in the FreeIPA realm. Note that the number
of writes is kept the same as an unnecessary LDAP write was eliminated.

* Effective Attributes widget in the Add Permission Web UI page was improved
* ipa-csreplica-manage can now set CA renewal master
* trust-add is now capable of ensuring conditions for a Trust are met 
prior to establishing it in complex environments (e.g. only adding trust 
via AD DC with a PDC role in a forest root domain, falling back when no 
closest AD DC is available for the local site)


=== Bug fixes ===
* Server installation with certificates signed by external CA could 
crash with IndexError
* ipa-client-install could add duplicate sss to /etc/nsswitch.conf 
when configuring sudo

* ipa-client-install crashed when non-zero minSSF was set on FreeIPA server
* Installers and helper tools now communicate with certmonger via its 
DBUS API instead of manipulating its configuration files, fixing the 
related intermittent uninstallation failures
* idrange-* commands no longer allow unsupported range types 
(ipa-ad-winsync, ipa-ipa-trust)

* user-add no longer fails when --user-auth-type is specified
* Entries in Schema Compatibility tree are now accessible anonymously by 
default to aid legacy clients.


== Known Issues ==
* The Directory Server may crash during install due to 389-ds bug 47889 
(https://fedorahosted.org/389/ticket/47889).
* Enumeration in SSSD may fail due to 389-ds bug 47885 
(https://fedorahosted.org/389/ticket/47885).
* Zone removal may misbehave due to a bind-dyndb-ldap bug.  If FreeIPA 
is used to manage DNS root zones, bind-dyndb-ldap 5.1 or higher is 
recommended. Bind-dyndb-ldap 5.2 was built for Fedora 20 
(http://copr.fedoraproject.org/coprs/mkosek/freeipa/build/31135/), 21 
(https://admin.fedoraproject.org/updates/bind-dyndb-ldap-5.2-1.fc21), 
rawhide (http://koji.fedoraproject.org/koji/buildinfo?buildID=575841).


== Upgrading ==
An IPA server can be upgraded simply by installing updated rpms. The 
server does not need to be shut down in advance.


Please note that if you are doing the upgrade in a special environment
(e.g. FedUp) which does not allow running the LDAP server during the upgrade
process, upgrade scripts need to be run manually after the first boot:


 # ipa-ldap-updater --upgrade
 # ipa-upgradeconfig

Also note that the performance improvements require an extended set of
indexes to be configured. The RPM update for an IPA server with an excessive
number of users may require several minutes to finish.


If you have multiple servers you may upgrade them one at a time. It is 
expected that all servers will be upgraded in a relatively short period 
(days or weeks, not months). They should be able to co-exist peacefully 
but new features will not be available on old servers and enrolling a 
new client against an old server will result in the SSH keys not being 
uploaded.


Downgrading a server once upgraded is not supported.

Upgrading from 3.3.0 and later versions is supported. Upgrading from 
previous versions is not supported and has not been tested.


An enrolled client does not need the new packages installed unless you 
want to re-enroll it. SSH keys for already installed clients are not 
uploaded, you will have to re-enroll the client or manually upload the keys.


== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users 
mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or 
#freeipa channel on Freenode.


== Detailed Changelog since 4.0.1 ==
=== Alexander Bokovoy (5) ===
* ipaserver/dcerpc.py: if search of a closest GC failed, try to find any GC
* ipaserver/dcerpc.py: make PDC discovery more robust
* ipaserver/dcerpc.py: Avoid hitting issue with transitive trusts on 
Windows Server prior to 2012
* ipaserver/dcerpc.py: be more open to what domains can be seen through 
the forest trust
* ipaserver/dcerpc.py: Make sure trust is established only to forest 
root domain


=== David Kupka (7) ===
* Fix group-remove-member crash when group is removed from a protected group
* test group: remove group from protected group.
* Verify otptoken timespan is valid
* Add record(s) to /etc/host when IPA is configured as DNS server.
* Use certmonger D-Bus API instead of messing with its files.
* Do not restart apache server when not necessary.
* Allow user to force Kerberos realm during installation.

=== Gabe (1) ===
* ipa trust-add command should be interactive

=== Jakub Hrozek (1) ===
* CLIENT: Explicitly require python-backports-ssl_match_hostname

=== Jan Cholasta (11) ===
* Check 

[Freeipa-devel] [PATCH 0032] Hardcoded lib dir in freeipa.spec

2014-09-08 Thread Gabe Alford
Hello,

This patch should fix https://fedorahosted.org/freeipa/ticket/4528

Thanks,

Gabe
From c015531054b9392981b15617953ccc34d840f0ba Mon Sep 17 00:00:00 2001
From: Gabe redhatri...@gmail.com
Date: Mon, 8 Sep 2014 07:57:50 -0600
Subject: [PATCH] Hardcoded lib dir in freeipa.spec

- Migrate hardcoded tmpfiles.d paths to %{_tmpfilesdir} macro in spec file

https://fedorahosted.org/freeipa/ticket/4528
---
 freeipa.spec.in |6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 1b9f3b5ac5798b147defb542424bbfd560cf75b2..8e949db9471e3947fca416d06f00fd65d7af8e52 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -391,8 +391,8 @@ install -m 644 init/ipa_memcached.conf %{buildroot}%{_sysconfdir}/sysconfig/ipa_
 mkdir -p %{buildroot}%{_usr}/share/ipa/ui/js/plugins
 
 # NOTE: systemd specific section
-mkdir -p %{buildroot}%{_prefix}/lib/tmpfiles.d
-install -m 0644 init/systemd/ipa.conf.tmpfiles %{buildroot}%{_prefix}/lib/tmpfiles.d/%{name}.conf
+mkdir -p %{buildroot}%{_tmpfilesdir}
+install -m 0644 init/systemd/ipa.conf.tmpfiles %{buildroot}%{_tmpfilesdir}/%{name}.conf
 # END
 
 mkdir -p %{buildroot}%{_localstatedir}/run/
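Review bot: `%{_tmpfilesdir}` is defined by systemd's RPM macros, so the spec needs a BuildRequires on systemd (on newer releases the macros live in systemd-rpm-macros) for it to expand at build time; without it `+mkdir -p %{buildroot}%{_tmpfilesdir}` and the `install` line would produce a literal `%{_tmpfilesdir}` path and the tmpfiles config would silently land in the wrong place. The diff does not show the BuildRequires section, so verify it is already there.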
@@ -596,7 +596,7 @@ fi
 %dir %attr(0700,apache,apache) %{_localstatedir}/run/ipa_memcached/
 %dir %attr(0700,root,root) %{_localstatedir}/run/ipa/
 # NOTE: systemd specific section
-%{_prefix}/lib/tmpfiles.d/%{name}.conf
+%{_tmpfilesdir}/%{name}.conf
 %attr(644,root,root) %{_unitdir}/ipa.service
 %attr(644,root,root) %{_unitdir}/ipa_memcached.service
 %attr(644,root,root) %{_unitdir}/ipa-otpd.socket
-- 
1.7.1


Re: [Freeipa-devel] [PATCH] 0009 Detect and configure all usable IP addresses.

2014-09-08 Thread Martin Basti

On 02/09/14 16:55, David Kupka wrote:
The patch now depends on freeipa-dkupka-0012 as both modify the same
part of code.


On 09/02/2014 10:29 AM, David Kupka wrote:

Forgot to add str() conversion to some places when removing map(). Now
it should be working again.

On 08/27/2014 02:24 PM, David Kupka wrote:

Patch modified according to jcholast's personally-delivered feedback:

  1) use action='append' instead of that ugly parsing

  2) do not use map(), FreeIPA doesn't like it

On 08/25/2014 05:04 PM, David Kupka wrote:

https://fedorahosted.org/freeipa/ticket/3575

Also should fix https://bugzilla.redhat.com/show_bug.cgi?id=1128380 as
installation is no longer interrupted when multiple IPs are resolved.
But it does not add the option to change the IP address during second
run.


I haven't tested it yet, I only took a look because there may be a
conflict with the 'dns root zone support' refactoring


1)
+for ns_ip_address in nameserver_ip_address:
+add_zone(self.domain, self.zonemgr, dns_backup=self.dns_backup,
+ns_hostname=api.env.host, ns_ip_address=ns_ip_address,
+force=True)
Are you sure this will work? Domain name is the same, so no new zone 
will be created (DuplicateEntry exception is handled inside add_zone 
function).

IMO you should call add_zone only once.

BTW: I will change the add_zone function in refactoring, ns_hostname
will be removed, and ns_ip_address will take an p+ipv6 address


2)
+resolv_txt = ''
+for ip_address in self.ip_address:
+resolv_txt += search +self.domain+\nnameserver 
+str(ip_address)+\n
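Review bot: the loop at `+for ip_address in self.ip_address:` appends a `search` line for every address; emit `search` once before the loop and one `nameserver` line per address. Note also that the glibc resolver honours at most three `nameserver` entries (MAXNS), so anything past the third is silently ignored; warn when the list is longer rather than writing entries that will never be used.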

There are multiple search statements.

search example.com
nameserver 192.168.1.1
search example.com
nameserver 2001:db8::1
...

and also there is a limit on the number of nameservers which can be in resolv.conf, but
I don't know if we care; statements over the limit should just be ignored.

http://linux.die.net/man/5/resolv.conf

3)
self.ip_address is confusing for me, I'm expecting only one address.
Could it be ip_addresses or ip_address_list? Ask the framework gurus :-)

--
Martin Basti
