Re: [Freeipa-devel] [PATCH] 0173 Fix ipa-cldap plugin to follow Samba Netlogon response
On 01/19/2015 10:52 AM, Sumit Bose wrote:
> On Mon, Jan 19, 2015 at 10:25:34AM +0100, Martin Kosek wrote:
>> On 01/16/2015 06:25 PM, Simo Sorce wrote:
>>> On Fri, 16 Jan 2015 17:44:12 +0200
>>> Alexander Bokovoy aboko...@redhat.com wrote:
>>>> On Fri, 16 Jan 2015, Simo Sorce wrote:
>>>>> On Fri, 16 Jan 2015 10:37:36 +0200
>>>>> Alexander Bokovoy aboko...@redhat.com wrote:
>>>>>> Hi,
>>>>>>
>>>>>> attached patch fixes https://fedorahosted.org/freeipa/ticket/4827
>>>>>>
>>>>>> It is worth noting that MS-ADTS spec is wrong on this, I'm going to get Microsoft to fix the spec as Windows Server 2012 responds in the same way both on LDAP ping and mailslot ping while documentation insists on them being different.
>>>>>>
>>>>>> Thanks to Stefan Metzmacher (Samba Team) who noticed we are producing wrong output here.
>>>>>>
>>>>>> Details are in the patch and in the ticket.
>>>>>
>>>>> I would prefer to keep the define rather than the new 'pusher' variable, other than that it looks good to me.
>>>>
>>>> Updated patch attached.
>>>
>>> LGTM!
>>
>> Is that an ACK? :-) If Sumit or anyone else confirms it indeed works, we can push...
>
> I thought it is :-) Nevertheless I had this patch in my tree while testing Alexander's other patch and didn't see any issues with AD. So, since Simo likes the code and it passes my tests this is now an ACK.

Ok then - pushed to:
master: 5672eb14def7b2010f1d08825eec58ff1444073f
ipa-4-1: 426759f47fbef2b902afd975c7bcffc178192ace

Thanks,
Martin
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0185] Use dyndns_update instead of deprecated ipa_dyndns_update in sssd.conf
On 19/01/15 13:24, Jakub Hrozek wrote:
> On Mon, Jan 19, 2015 at 01:13:12PM +0100, Martin Kosek wrote:
>> On 01/19/2015 01:03 PM, Martin Basti wrote:
>>> ipa_dyndns_update option is deprecated in sssd.
>>>
>>> Patch attached.
>>
>> Can you please create a ticket? It is a non-trivial change.
>>
>> I am also wondering if somebody from SSSD could double check that the dyndns configuration added to sssd.conf by ipa-client-install is indeed sane and recommended.
>
> LGTM.

Ticket: https://fedorahosted.org/freeipa/ticket/4849
Patch with ticket attached.

-- 
Martin Basti

From 350722650a77f628fd8eb5cb7250d18ddedff10b Mon Sep 17 00:00:00 2001
From: Martin Basti mba...@redhat.com
Date: Mon, 19 Jan 2015 12:56:25 +0100
Subject: [PATCH] Use dyndns_update instead of deprecated sssd option

ipa_dyndns_update is deprecated in SSSD, dyndns_update should be used instead.

https://fedorahosted.org/freeipa/ticket/4849
---
 ipa-client/ipa-install/ipa-client-install | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 78df2089739746beb9347c00e41c12d9f6eb0fbe..db501649a6a326def4af0c2829eca025046cc90f 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -1279,7 +1279,7 @@ def configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options, clie domain.set_option('ldap_tls_cacert', CACERT) if options.dns_updates: -domain.set_option('ipa_dyndns_update', True) +domain.set_option('dyndns_update', True) if options.krb5_offline_passwords: domain.set_option('krb5_store_password_if_offline', True)
-- 
2.1.0
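Review bot: the replacement line `+domain.set_option('dyndns_update', True)` writes the new option name unconditionally, and nothing in the hunk or the commit message ties it to a minimum SSSD version; an SSSD older than the release that introduced `dyndns_update` would not recognise the option and the client would silently lose DNS updates, so the change should come with a matching minimum SSSD version in the client package dependencies, or the installer should keep a version-conditional fallback to `ipa_dyndns_update`.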
Re: [Freeipa-devel] [PATCH] 488-489 PermissionsV2 related winsync fixes
On 01/14/2015 10:27 PM, Martin Kosek wrote:
> Adding freeipa-devel back.
>
> On 01/14/2015 05:58 PM, Simo Sorce wrote:
>> On Wed, 14 Jan 2015 17:47:51 +0100
>> Martin Kosek mko...@redhat.com wrote:
>>> -add:aci:'(targetfilter=(objectclass=nsContainer))(version 3.0; acl Deny read access to replica configuration; deny(read, search, compare) userdn = ldap:///anyone;;)'
>>> +remove:aci:'(targetfilter=(objectclass=nsContainer))(version 3.0; acl Deny read access to replica configuration; deny(read, search, compare) userdn = ldap:///anyone;;)'
>>
>> Why this removal ?
>
> It is in the patch description. This container stores winsync replicas. With this deny ACI, admin or anyone else besides Directory Manager can see the replicas as deny rules take precedence and this one is scoped for ldap://anyone.
>
> My thinking was that this container is not too secret anyway, the only information that a user gets is the name of the winsync'ed AD.
>
>>> +dn: cn=config
>>> +add:aci: '(version 3.0;acl permission:Add Configuration Sub-Entries;allow (add) groupdn = ldap:///cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,$SUFFIX;)'
>>
>> Doesn't this allow Replication admin to add any object anywhere in cn=config ? This would be too broad.
>
> It does. I wanted to narrow it with targetfilter '(targetfilter = (cn=changelog5))' but, it did not work for me, ADD was rejected. Not sure why though, when I used '(targetfilter = (objectclass=extensibleobject))', it worked fine.
>
> I fear this is some problem in DS targetfilter evaluation during ADD operation, CCing Ludwig for reference.
>
> Martin

Hi!
This works for me. If all concerns regarding PermissionV2 and ACIs in general are resolved we can push.

-- 
David Kupka
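Review bot: the quoted `+dn: cn=config` / `+add:aci:` lines grant `allow (add)` with neither `target` nor `targetfilter`, so, as raised above, the permission covers every entry under cn=config; if `(targetfilter = (cn=changelog5))` keeps rejecting the ADD, a `target` clause on the exact DN, e.g. `(target = "ldap:///cn=changelog5,cn=config")`, limits the grant to the changelog entry without depending on filter evaluation during ADD. For the `-add:aci:` / `+remove:aci:` pair, the patch description should also spell out which allow ACIs become effective on the winsync replica container once the deny rule is gone, since that is the set of readers the removal actually enables.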
Re: [Freeipa-devel] [PATCH] 0173 Fix ipa-cldap plugin to follow Samba Netlogon response
On 01/16/2015 06:25 PM, Simo Sorce wrote:
> On Fri, 16 Jan 2015 17:44:12 +0200
> Alexander Bokovoy aboko...@redhat.com wrote:
>> On Fri, 16 Jan 2015, Simo Sorce wrote:
>>> On Fri, 16 Jan 2015 10:37:36 +0200
>>> Alexander Bokovoy aboko...@redhat.com wrote:
>>>> Hi,
>>>>
>>>> attached patch fixes https://fedorahosted.org/freeipa/ticket/4827
>>>>
>>>> It is worth noting that MS-ADTS spec is wrong on this, I'm going to get Microsoft to fix the spec as Windows Server 2012 responds in the same way both on LDAP ping and mailslot ping while documentation insists on them being different.
>>>>
>>>> Thanks to Stefan Metzmacher (Samba Team) who noticed we are producing wrong output here.
>>>>
>>>> Details are in the patch and in the ticket.
>>>
>>> I would prefer to keep the define rather than the new 'pusher' variable, other than that it looks good to me.
>>
>> Updated patch attached.
>
> LGTM!

Is that an ACK? :-) If Sumit or anyone else confirms it indeed works, we can push...

Martin
Re: [Freeipa-devel] [PATCH] 0172 Support Samba PASSDB 0.2.0 aka interface version 24
On Mon, 19 Jan 2015, Martin Kosek wrote:
> On 01/16/2015 05:06 PM, Sumit Bose wrote:
>> On Mon, Jan 12, 2015 at 04:55:33PM +0200, Alexander Bokovoy wrote:
>>> Hi,
>>>
>>> Samba project renamed libpdb library we use in ipa-sam module to libsamba-passdb due to naming clash with some other library popular in academic circles (details are in https://bugzilla.samba.org/show_bug.cgi?id=10355)
>>>
>>> The change will become visible with Samba 4.2.0 release and is actually already visible in Rawhide as it packages Samba 4.2 pre-releases.
>>>
>>> Attached fix is introducing support for both Samba 4.2 and 4.2+.
>>>
>>> I've tested that it builds properly against Samba 4.2 in Rawhide and against Samba 4.1 in Fedora 21, and proper symbols exposed (disassembled the code in pdb_init_ipasam to see if address of ipasam_id_to_sid is assigned to the struct member) but I haven't deployed Rawhide to actually test FreeIPA with trusts yet.
>>>
>>> https://fedorahosted.org/freeipa/ticket/4778
>>>
>>> --
>>> / Alexander Bokovoy
>>
>> This patch does not break F21 in my testing and allows building FreeIPA on platforms with samba-4.2, ACK.
>
> Thanks to both! Pushed to master: d57efb74bb6ad91b029f39ed4e482c41f8ba
>
> If the patch is also needed in ipa-4-1 branch, we can backport it there as well.

Yes, you can safely add it to 4.1, I've tested that. The patch covers both libraries specifically to allow us to use the same code for Rawhide and older distros.

--
/ Alexander Bokovoy
[Freeipa-devel] [PATCH] 491 Replication Administrators cannot remove replication
Replication agreement deletion requires read access to DNA range setting. The read access was accidentally removed during PermissionV2 refactoring. Add the read ACI back as a special SYSTEM permission.

https://fedorahosted.org/freeipa/ticket/4848

-- 
Martin Kosek mko...@redhat.com
Supervisor, Software Engineering - Identity Management Team
Red Hat Inc.

From ec2b2da43ba0ae708225259212d99e0b39686954 Mon Sep 17 00:00:00 2001
From: Martin Kosek mko...@redhat.com
Date: Mon, 19 Jan 2015 12:42:11 +0100
Subject: [PATCH] Replication Administrators cannot remove replication agreements

Replication agreement deletion requires read access to DNA range setting. The read access was accidentally removed during PermissionV2 refactoring. Add the read ACI back as a special SYSTEM permission.

https://fedorahosted.org/freeipa/ticket/4848
---
 install/updates/40-replication.update | 11 +++
 1 file changed, 11 insertions(+)

diff --git a/install/updates/40-replication.update b/install/updates/40-replication.update
index 619d14663eeb6f692864c960dfd3542fc22cb581..f46ab19f0090ba313880e6d99636f50397f8d33b 100644
--- a/install/updates/40-replication.update
+++ b/install/updates/40-replication.update
@@ -14,3 +14,14 @@ dn: cn=Modify DNA dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config add:aci: '(targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version 3.0;acl permission:Modify DNA Range;allow (write) groupdn = ldap:///cn=Modify DNA Range,cn=permissions,cn=pbac,$SUFFIX;)' + +dn: cn=Read DNA Range,cn=permissions,cn=pbac,$SUFFIX +default:objectClass: top +default:objectClass: groupofnames +default:objectClass: ipapermission +default:cn: Read DNA Range +default:ipapermissiontype: SYSTEM +default:member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX + +dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config +add:aci: '(targetattr=cn || dnaMaxValue || dnaNextRange || dnaNextValue || dnaThreshold || dnaType || objectclass)(version 3.0;acl permission:Read DNA Range;allow (read, search, compare) groupdn = ldap:///cn=Read DNA Range,cn=permissions,cn=pbac,$SUFFIX;)' -- 1.9.3 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
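Review bot: no test accompanies the restored ACI, and the description says the previous one was dropped by accident during the PermissionV2 refactoring; a test that a member of `cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX` can read `cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config` and can delete a replication agreement would catch that regression next time. Also worth confirming that `dnaThreshold` and `dnaType` in the `targetattr` list are actually needed for agreement deletion, since the description only mentions the range settings; if not, trimming them keeps the read grant minimal.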
Re: [Freeipa-devel] [PATCH] 0172 Support Samba PASSDB 0.2.0 aka interface version 24
On 01/16/2015 05:06 PM, Sumit Bose wrote:
> On Mon, Jan 12, 2015 at 04:55:33PM +0200, Alexander Bokovoy wrote:
>> Hi,
>>
>> Samba project renamed libpdb library we use in ipa-sam module to libsamba-passdb due to naming clash with some other library popular in academic circles (details are in https://bugzilla.samba.org/show_bug.cgi?id=10355)
>>
>> The change will become visible with Samba 4.2.0 release and is actually already visible in Rawhide as it packages Samba 4.2 pre-releases.
>>
>> Attached fix is introducing support for both Samba 4.2 and 4.2+.
>>
>> I've tested that it builds properly against Samba 4.2 in Rawhide and against Samba 4.1 in Fedora 21, and proper symbols exposed (disassembled the code in pdb_init_ipasam to see if address of ipasam_id_to_sid is assigned to the struct member) but I haven't deployed Rawhide to actually test FreeIPA with trusts yet.
>>
>> https://fedorahosted.org/freeipa/ticket/4778
>>
>> --
>> / Alexander Bokovoy
>
> This patch does not break F21 in my testing and allows building FreeIPA on platforms with samba-4.2, ACK.
>
> bye,
> Sumit

Thanks to both! Pushed to master: d57efb74bb6ad91b029f39ed4e482c41f8ba

If the patch is also needed in ipa-4-1 branch, we can backport it there as well.

Martin
Re: [Freeipa-devel] [PATCH] 0173 Fix ipa-cldap plugin to follow Samba Netlogon response
On Mon, Jan 19, 2015 at 10:25:34AM +0100, Martin Kosek wrote:
> On 01/16/2015 06:25 PM, Simo Sorce wrote:
>> On Fri, 16 Jan 2015 17:44:12 +0200
>> Alexander Bokovoy aboko...@redhat.com wrote:
>>> On Fri, 16 Jan 2015, Simo Sorce wrote:
>>>> On Fri, 16 Jan 2015 10:37:36 +0200
>>>> Alexander Bokovoy aboko...@redhat.com wrote:
>>>>> Hi,
>>>>>
>>>>> attached patch fixes https://fedorahosted.org/freeipa/ticket/4827
>>>>>
>>>>> It is worth noting that MS-ADTS spec is wrong on this, I'm going to get Microsoft to fix the spec as Windows Server 2012 responds in the same way both on LDAP ping and mailslot ping while documentation insists on them being different.
>>>>>
>>>>> Thanks to Stefan Metzmacher (Samba Team) who noticed we are producing wrong output here.
>>>>>
>>>>> Details are in the patch and in the ticket.
>>>>
>>>> I would prefer to keep the define rather than the new 'pusher' variable, other than that it looks good to me.
>>>
>>> Updated patch attached.
>>
>> LGTM!
>
> Is that an ACK? :-) If Sumit or anyone else confirms it indeed works, we can push...

I thought it is :-) Nevertheless I had this patch in my tree while testing Alexander's other patch and didn't see any issues with AD. So, since Simo likes the code and it passes my tests this is now an ACK.

bye,
Sumit

> Martin
Re: [Freeipa-devel] [PATCH 0185] Use dyndns_update instead of deprecated ipa_dyndns_update in sssd.conf
On 01/19/2015 01:03 PM, Martin Basti wrote:
> ipa_dyndns_update option is deprecated in sssd.
>
> Patch attached.

Can you please create a ticket? It is a non-trivial change.

I am also wondering if somebody from SSSD could double check that the dyndns configuration added to sssd.conf by ipa-client-install is indeed sane and recommended.

Martin
Re: [Freeipa-devel] [PATCH] 0172 Support Samba PASSDB 0.2.0 aka interface version 24
On 01/19/2015 10:31 AM, Alexander Bokovoy wrote:
> On Mon, 19 Jan 2015, Martin Kosek wrote:
>> On 01/16/2015 05:06 PM, Sumit Bose wrote:
>>> On Mon, Jan 12, 2015 at 04:55:33PM +0200, Alexander Bokovoy wrote:
>>>> Hi,
>>>>
>>>> Samba project renamed libpdb library we use in ipa-sam module to libsamba-passdb due to naming clash with some other library popular in academic circles (details are in https://bugzilla.samba.org/show_bug.cgi?id=10355)
>>>>
>>>> The change will become visible with Samba 4.2.0 release and is actually already visible in Rawhide as it packages Samba 4.2 pre-releases.
>>>>
>>>> Attached fix is introducing support for both Samba 4.2 and 4.2+.
>>>>
>>>> I've tested that it builds properly against Samba 4.2 in Rawhide and against Samba 4.1 in Fedora 21, and proper symbols exposed (disassembled the code in pdb_init_ipasam to see if address of ipasam_id_to_sid is assigned to the struct member) but I haven't deployed Rawhide to actually test FreeIPA with trusts yet.
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/4778
>>>>
>>>> --
>>>> / Alexander Bokovoy
>>>
>>> This patch does not break F21 in my testing and allows building FreeIPA on platforms with samba-4.2, ACK.
>>
>> Thanks to both! Pushed to master: d57efb74bb6ad91b029f39ed4e482c41f8ba
>>
>> If the patch is also needed in ipa-4-1 branch, we can backport it there as well.
>
> Yes, you can safely add it to 4.1, I've tested that. The patch covers both libraries specifically to allow us to use the same code for Rawhide and older distros.

Ok, makes sense. Pushed to ipa-4-1: ecd6896664115c933f2594020feaed6b41f19054

Martin
Re: [Freeipa-devel] [PATCH 0185] Use dyndns_update instead of deprecated ipa_dyndns_update in sssd.conf
On Mon, Jan 19, 2015 at 01:13:12PM +0100, Martin Kosek wrote:
> On 01/19/2015 01:03 PM, Martin Basti wrote:
>> ipa_dyndns_update option is deprecated in sssd.
>>
>> Patch attached.
>
> Can you please create a ticket? It is a non-trivial change.
>
> I am also wondering if somebody from SSSD could double check that the dyndns configuration added to sssd.conf by ipa-client-install is indeed sane and recommended.

LGTM.
Re: [Freeipa-devel] [PATCH] 491 Replication Administrators cannot remove replication
On 19/01/15 12:45, Martin Kosek wrote:
> Replication agreement deletion requires read access to DNA range setting. The read access was accidentally removed during PermissionV2 refactoring. Add the read ACI back as a special SYSTEM permission.
>
> https://fedorahosted.org/freeipa/ticket/4848

Works for me.
ACK

-- 
Martin Basti