[Freeipa-devel] [PATCH] 912 vault: validate vault type
https://fedorahosted.org/freeipa/ticket/5211 -- Petr Vobornik From 3c62cdcc7e6e564dc34c1ef2a4262cdd3b36f91d Mon Sep 17 00:00:00 2001 From: Petr Vobornik pvobo...@redhat.com Date: Tue, 18 Aug 2015 12:50:54 +0200 Subject: [PATCH] vault: validate vault type https://fedorahosted.org/freeipa/ticket/5211 --- API.txt | 6 +++--- VERSION | 4 ++-- ipalib/plugins/vault.py | 5 +++-- 3 files changed, 8 insertions(+), 7 deletions(-) diff --git a/API.txt b/API.txt index 9dbf86aedf2a1b62dabab21fb30bbceb2f0f237b..4d8d9dc3d3c38d4740bda3574396ecd85877b805 100644 --- a/API.txt +++ b/API.txt @@ -5423,7 +5423,7 @@ option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui option: Str('description', attribute=True, cli_name='desc', multivalue=False, required=False) option: Bytes('ipavaultpublickey', attribute=True, cli_name='public_key', multivalue=False, required=False) option: Bytes('ipavaultsalt', attribute=True, cli_name='salt', multivalue=False, required=False) -option: Str('ipavaulttype', attribute=True, autofill=True, cli_name='type', default=u'standard', multivalue=False, required=False) +option: StrEnum('ipavaulttype', attribute=True, autofill=True, cli_name='type', default=u'standard', multivalue=False, required=False, values=(u'standard', u'symmetric', u'asymmetric')) option: Flag('no_members', autofill=True, default=False, exclude='webui') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Str('service?') 
@@ -5513,7 +5513,7 @@ arg: Str('criteria?', noextrawhitespace=False) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Str('cn', attribute=True, autofill=False, cli_name='name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=False) option: Str('description', attribute=True, autofill=False, cli_name='desc', multivalue=False, query=True, required=False) -option: Str('ipavaulttype', attribute=True, autofill=False, cli_name='type', default=u'standard', multivalue=False, query=True, required=False) +option: StrEnum('ipavaulttype', attribute=True, autofill=False, cli_name='type', default=u'standard', multivalue=False, query=True, required=False, values=(u'standard', u'symmetric', u'asymmetric')) option: Flag('no_members', autofill=True, default=False, exclude='webui') option: Flag('pkey_only?', autofill=True, default=False) option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') @@ -5536,7 +5536,7 @@ option: Str('delattr*', cli_name='delattr', exclude='webui') option: Str('description', attribute=True, autofill=False, cli_name='desc', multivalue=False, required=False) option: Bytes('ipavaultpublickey', attribute=True, autofill=False, cli_name='public_key', multivalue=False, required=False) option: Bytes('ipavaultsalt', attribute=True, autofill=False, cli_name='salt', multivalue=False, required=False) -option: Str('ipavaulttype', attribute=True, autofill=False, cli_name='type', default=u'standard', multivalue=False, required=False) +option: StrEnum('ipavaulttype', attribute=True, autofill=False, cli_name='type', default=u'standard', multivalue=False, required=False, values=(u'standard', u'symmetric', u'asymmetric')) option: Flag('no_members', autofill=True, default=False, exclude='webui') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Flag('rights', autofill=True, default=False) 
diff --git a/VERSION b/VERSION index c42bea06522dae55e1a89ff94ae394594086b467..32f231a499a0e216a73c7334ed2361057d4b7ab7 100644 --- a/VERSION +++ b/VERSION @@ -90,5 +90,5 @@ IPA_DATA_VERSION=2010061412 # # IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=149 -# Last change: edewata - Added CLI param and ACL for vault service operations +IPA_API_VERSION_MINOR=150 +# Last change: pvoborni - change type of vault type option to StrEnum diff --git a/ipalib/plugins/vault.py b/ipalib/plugins/vault.py index 88c63071f04462aa240a70d3a3eeac2d04e66062..70304c33b181a4c8d2278bfa1a7003c241fce064 100644 --- a/ipalib/plugins/vault.py +++ b/ipalib/plugins/vault.py @@ -38,7 +38,7 @@ import krbV from ipalib.frontend import Command, Object, Local from ipalib import api, errors -from ipalib import Bytes, Str, Flag +from ipalib import Bytes, Flag, Str, StrEnum from ipalib import output from ipalib.crud import PKQuery, Retrieve, Update from ipalib.plugable import Registry @@ -277,11 +277,12 @@ class vault(LDAPObject): label=_('Description'), doc=_('Vault description'), ), -Str( +StrEnum( 'ipavaulttype?', cli_name='type', label=_('Type'), doc=_('Vault type'), +values=(u'standard', u'symmetric', u'asymmetric', ), default=u'standard',
[Freeipa-devel] [PATCH 0058] ipa-restore: check whether DS is running before attempting connection
https://fedorahosted.org/freeipa/ticket/4838 -- Martin^3 Babinsky From d86aae6c3fef4dea1afbbdbacbc978afbbfa5fcf Mon Sep 17 00:00:00 2001 From: Martin Babinsky mbabi...@redhat.com Date: Tue, 18 Aug 2015 12:47:46 +0200 Subject: [PATCH] ipa-restore: check whether DS is running before attempting connection https://fedorahosted.org/freeipa/ticket/4838 --- ipaserver/install/ipa_restore.py | 7 +++ 1 file changed, 7 insertions(+) diff --git a/ipaserver/install/ipa_restore.py b/ipaserver/install/ipa_restore.py index 65cb49355a0567446debe9c367aa3c1bc5a12e1c..b69ea90001a6fd03d0fddde8844870d1aa9c3704 100644 --- a/ipaserver/install/ipa_restore.py +++ b/ipaserver/install/ipa_restore.py @@ -410,6 +410,13 @@ class Restore(admintool.AdminTool): ''' Create an ldapi connection and bind to it using autobind as root. ''' +instance_name = installutils.realm_to_serverid(api.env.realm) + +if not services.knownservices.dirsrv.is_running(instance_name): +raise admintool.ScriptError( +directory server instance is not running/configured +) + if self._conn is not None: return self._conn -- 2.4.3 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
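Review bot: The new `is_running` check is placed above the `if self._conn is not None: return self._conn` fast path, so every call re-queries the service state even when a connection is already cached, and a call made after the directory server has been stopped raises `ScriptError` instead of returning the existing handle; if the intent is only to fail early before the first ldapi bind, move the three new statements below that early return (whether a stale handle or an error is preferable for later calls depends on the callers, which are outside the hunk). The message `directory server instance is not running/configured` also folds two distinct conditions into one string while `is_running` only answers the first; naming the instance, e.g. `raise admintool.ScriptError("directory server instance %s is not running" % instance_name)`, tells the operator which instance to start (the string's quotes appear to have been lost in this listing). The enclosing method starts before the hunk, so its signature is not visible here.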
Re: [Freeipa-devel] Unable to install bits from ipa-4-2 branch
On 17.8.2015 16:47, Milan Kubík wrote: On 08/17/2015 04:44 PM, Milan Kubík wrote: On 08/17/2015 10:23 AM, Martin Basti wrote: On 08/12/2015 01:10 PM, Milan Kubík wrote: On 08/10/2015 04:41 PM, Jan Cholasta wrote: Dne 10.8.2015 v 16:03 Milan Kubík napsal(a): Forwarded Message Subject: Re: [Freeipa-devel] Unable to install bits from ipa-4-2 branch Date: Mon, 10 Aug 2015 15:55:35 +0200 From: Jan Cholasta jchol...@redhat.com To: Milan Kubík mku...@redhat.com CC: Martin Kosek mko...@redhat.com Dne 10.8.2015 v 15:31 Milan Kubík napsal(a): On 08/10/2015 03:22 PM, Jan Cholasta wrote: Dne 7.8.2015 v 09:17 Martin Kosek napsal(a): On 08/07/2015 08:46 AM, Jan Cholasta wrote: Dne 7.8.2015 v 08:44 Martin Kosek napsal(a): On 08/06/2015 05:26 PM, Milan Kubík wrote: Hi list, I just noticed that the bits built from ipa-4-2 branch cannot be installed. The freeipa packages built have version such as freeipa-server-dns-4.2.0-0.20150806083844Zjenkins9git2812242.fc22.x86_64 The version check in the spec file makes the server-dns package obsolete the server package from tha same build. The cause is the commit [1]. This issue blocks us from running tests on ipa-4-2 branch. Should we bump the minor version on this branch to 4.2.1? [1]: https://git.fedorahosted.org/cgit/freeipa.git/commit/?id=f555fe95dba9ec453fa10f160089dcc5404f724a Cheers, Milan Why does the spec calls for # upgrade path from monolithic -server to -server + -server-dns Obsoletes: %{name}-server = 4.2.0 and not for # upgrade path from monolithic -server to -server + -server-dns Obsoletes: %{name}-server 4.2.0 ? Is that the root cause of these issues? AFAIK this would break updates from 4.2.0 to 4.2.1. I wonder how it could break the upgrade... Patch attached. This won't help as long as we build something like freeipa-server-dns-4.2.0-0.20150810111037Zjenkins11gitad6a87e Right. Updated patch attached. It will break updates from pre-server-dns git builds, but install should be fine. -- Jan Cholasta ACK, thanks. 
Self-NACK, as this also breaks updates from freeipa-4.2.0-0 from the freeipa-4.2 COPR. Updated patch attached. Hi, thanks for the patch. It works as far as updating from 4.1, the copr build (correctly replaces freeipa-server package) as well as upgrade from earlier build from repository. If there are no objections, ACK from me. Milan Pushed to ipa-4-2: 5d5240b9db3b9e6f29351c65272a363b253cd2d3 Ok, while checking this manually it seemed to work, the jenkins build names the package in a way that produces this error. The patch has no effect in automation, unfortunatelly. The build on jenkins adds the release version, when built manually, the name is xyz.4.2.0.DATE+hash-string. Error: package freeipa-server-dns-4.2.0-0.20150817084102Zjenkins28git5d5240b.fc22.x86_64 obsoletes freeipa-server = 4.2.0.0 provided by freeipa-server-4.2.0-0.20150817084102Zjenkins28git5d5240b.fc22.x86_64 Late answer to Lukas, this is n:m scenario. I'm not sure what to do if one subpackage retains the original name, though. That being said, I can change the schema by which jenkins marks release version on the rpms it builds. This will provide a hacky way around this issue by creating 4.2.0.2015... provided by the timestamp. This is the scheme used by make rpms, so I'd say go for it. Otherwise, changing the Obsoletes line to: Obsoletes: %{name}-server = 4.2.0.0-0.0 should fix it. -- Jan Cholasta -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0297] ULC: add user-stage command
On 08/18/2015 09:55 AM, Martin Basti wrote: On 08/18/2015 09:50 AM, thierry bordaz wrote: On 08/17/2015 08:33 PM, Martin Basti wrote: Hello, the 'user-stage' command replaces 'stageuser-add --from-delete' command. https://fedorahosted.org/freeipa/ticket/5041 Thierry can you check If I don't break everything, it works for me, but the one never knows. Honza can you please check the framework side? I use self.api.Object.stageuser.add.* in user command, I'm not sure if this is right way, but it works. Patch attached. I created it in hurry, I'm expecting NACK :D Just question at the end: should I implement way Active user - stageuser? IMHO it would be implemented internally by calling 'user-del --preserve' inside 'user-stage'. Hi Martin, There is a small failure with VERSION (edewata pushed his patch first ;-) ) git apply -v /tmp/freeipa-mbasti-0297-Add-user-stage-command.patch Checking patch API.txt... Checking patch VERSION... error: while searching for: # # IPA_API_VERSION_MAJOR=2 IPA_API_VERSION_MINOR=148 # Last change: ftweedal - add --out option to user-show error: patch failed: VERSION:90 error: VERSION: patch does not apply Checking patch ipalib/plugins/stageuser.py... Checking patch ipalib/plugins/user.py... There is many pending patches that may change VERSION number, I will change it to right one before push. Does code looks good for you? Hi Martin, Just a question, there is no additional permission. Did you test being 'admin' ? thanks theirry -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] Unable to install bits from ipa-4-2 branch
On 08/18/2015 11:37 AM, Jan Cholasta wrote: On 17.8.2015 16:47, Milan Kubík wrote: On 08/17/2015 04:44 PM, Milan Kubík wrote: On 08/17/2015 10:23 AM, Martin Basti wrote: On 08/12/2015 01:10 PM, Milan Kubík wrote: On 08/10/2015 04:41 PM, Jan Cholasta wrote: Dne 10.8.2015 v 16:03 Milan Kubík napsal(a): Forwarded Message Subject: Re: [Freeipa-devel] Unable to install bits from ipa-4-2 branch Date: Mon, 10 Aug 2015 15:55:35 +0200 From: Jan Cholasta jchol...@redhat.com To: Milan Kubík mku...@redhat.com CC: Martin Kosek mko...@redhat.com Dne 10.8.2015 v 15:31 Milan Kubík napsal(a): On 08/10/2015 03:22 PM, Jan Cholasta wrote: Dne 7.8.2015 v 09:17 Martin Kosek napsal(a): On 08/07/2015 08:46 AM, Jan Cholasta wrote: Dne 7.8.2015 v 08:44 Martin Kosek napsal(a): On 08/06/2015 05:26 PM, Milan Kubík wrote: Hi list, I just noticed that the bits built from ipa-4-2 branch cannot be installed. The freeipa packages built have version such as freeipa-server-dns-4.2.0-0.20150806083844Zjenkins9git2812242.fc22.x86_64 The version check in the spec file makes the server-dns package obsolete the server package from tha same build. The cause is the commit [1]. This issue blocks us from running tests on ipa-4-2 branch. Should we bump the minor version on this branch to 4.2.1? [1]: https://git.fedorahosted.org/cgit/freeipa.git/commit/?id=f555fe95dba9ec453fa10f160089dcc5404f724a Cheers, Milan Why does the spec calls for # upgrade path from monolithic -server to -server + -server-dns Obsoletes: %{name}-server = 4.2.0 and not for # upgrade path from monolithic -server to -server + -server-dns Obsoletes: %{name}-server 4.2.0 ? Is that the root cause of these issues? AFAIK this would break updates from 4.2.0 to 4.2.1. I wonder how it could break the upgrade... Patch attached. This won't help as long as we build something like freeipa-server-dns-4.2.0-0.20150810111037Zjenkins11gitad6a87e Right. Updated patch attached. It will break updates from pre-server-dns git builds, but install should be fine. 
-- Jan Cholasta ACK, thanks. Self-NACK, as this also breaks updates from freeipa-4.2.0-0 from the freeipa-4.2 COPR. Updated patch attached. Hi, thanks for the patch. It works as far as updating from 4.1, the copr build (correctly replaces freeipa-server package) as well as upgrade from earlier build from repository. If there are no objections, ACK from me. Milan Pushed to ipa-4-2: 5d5240b9db3b9e6f29351c65272a363b253cd2d3 Ok, while checking this manually it seemed to work, the jenkins build names the package in a way that produces this error. The patch has no effect in automation, unfortunatelly. The build on jenkins adds the release version, when built manually, the name is xyz.4.2.0.DATE+hash-string. Error: package freeipa-server-dns-4.2.0-0.20150817084102Zjenkins28git5d5240b.fc22.x86_64 obsoletes freeipa-server = 4.2.0.0 provided by freeipa-server-4.2.0-0.20150817084102Zjenkins28git5d5240b.fc22.x86_64 Late answer to Lukas, this is n:m scenario. I'm not sure what to do if one subpackage retains the original name, though. That being said, I can change the schema by which jenkins marks release version on the rpms it builds. This will provide a hacky way around this issue by creating 4.2.0.2015... provided by the timestamp. This is the scheme used by make rpms, so I'd say go for it. Otherwise, changing the Obsoletes line to: Obsoletes: %{name}-server = 4.2.0.0-0.0 should fix it. The released packages don't really use that much numbers. Just freeipa-component-MAJOR.MINOR.RELEASE-PKGREL.arch... First three defined by freeipa, -X by fedora. Therefore, I don't think we should use 4.2.0.0. In jenkins I have changed it to use IPA_VERSION_IS_GIT_SNAPSHOT=yes which changes the naming schema allowing this hack to work. The jobs weren't using the VERSION script this way before, however. -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] 911 vault: normalize service principal in service vault, operations
Hi, On 18.8.2015 12:38, Petr Vobornik wrote: https://fedorahosted.org/freeipa/ticket/5233 s/normalizer=lambda value: normalize_principal(value)/normalizer=normalize_principal/. Honza -- Jan Cholasta -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCHES 472-473] vault: Fix param labels in output of vault owner commands
On 08/17/2015 09:43 AM, Jan Cholasta wrote: Hi, the attached patches fix https://fedorahosted.org/freeipa/ticket/5214. Honza ACK, pushed to: master: * d2da0d89d194f198728b858800dfec447c5d9595 baseldap: Allow overriding member param label in LDAPModMember * d9e9e5088fe3e093e3291a5e8877e8651645fc61 vault: Fix param labels in output of vault owner commands ipa-4-2: * 649a1a7c65d5ba99183dd0437d9ab4f20fa05530 baseldap: Allow overriding member param label in LDAPModMember * f66d7043dc2f35bdc7f7f3774ecbc12046b7feef vault: Fix param labels in output of vault owner commands -- Petr Vobornik -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0297] ULC: add user-stage command
On 08/18/2015 10:02 AM, Martin Basti wrote: On 08/18/2015 09:59 AM, thierry bordaz wrote: On 08/18/2015 09:55 AM, Martin Basti wrote: On 08/18/2015 09:50 AM, thierry bordaz wrote: On 08/17/2015 08:33 PM, Martin Basti wrote: Hello, the 'user-stage' command replaces 'stageuser-add --from-delete' command. https://fedorahosted.org/freeipa/ticket/5041 Thierry can you check If I don't break everything, it works for me, but the one never knows. Honza can you please check the framework side? I use self.api.Object.stageuser.add.* in user command, I'm not sure if this is right way, but it works. Patch attached. I created it in hurry, I'm expecting NACK :D Just question at the end: should I implement way Active user - stageuser? IMHO it would be implemented internally by calling 'user-del --preserve' inside 'user-stage'. Hi Martin, There is a small failure with VERSION (edewata pushed his patch first ;-) ) git apply -v /tmp/freeipa-mbasti-0297-Add-user-stage-command.patch Checking patch API.txt... Checking patch VERSION... error: while searching for: # # IPA_API_VERSION_MAJOR=2 IPA_API_VERSION_MINOR=148 # Last change: ftweedal - add --out option to user-show error: patch failed: VERSION:90 error: VERSION: patch does not apply Checking patch ipalib/plugins/stageuser.py... Checking patch ipalib/plugins/user.py... There is many pending patches that may change VERSION number, I will change it to right one before push. Does code looks good for you? Hi Martin, Just a question, there is no additional permission. Did you test being 'admin' ? thanks theirry No I didn't,. I preserver all permission, the original permissions should work. 
Martin Hi Martin, Running a test script, I have an issue with ipa stageuser-add --first=t --last=b tb1 ipa: ERROR: an internal error has occurred [Tue Aug 18 11:16:56.440658 2015] [wsgi:error] [pid 10486] ipa: INFO: [jsonserver_kerb] stage...@abc.idm.lab.eng.brq.redhat.com: stageuser_add(u'tb1', givenname=u't', sn=u'b', cn=u't b', displayname=u't b', initials=u'tb', gecos=u't b', krbprincipalname=u't...@abc.idm.lab.eng.brq.redhat.com', random=False, all=False, raw=False, version=u'2.149', no_members=False): AttributeError [Tue Aug 18 11:21:25.198021 2015] [wsgi:error] [pid 10485] ipa: ERROR: non-public: AttributeError: 'DN' object has no attribute 'setdefault' [Tue Aug 18 11:21:25.198053 2015] [wsgi:error] [pid 10485] Traceback (most recent call last): [Tue Aug 18 11:21:25.198058 2015] [wsgi:error] [pid 10485] File /usr/lib/python2.7/site-packages/ipaserver/rpcserver.py, line 347, in wsgi_execute [Tue Aug 18 11:21:25.198062 2015] [wsgi:error] [pid 10485] result = self.Command[name](*args, **options) [Tue Aug 18 11:21:25.198066 2015] [wsgi:error] [pid 10485] File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 443, in __call__ [Tue Aug 18 11:21:25.198070 2015] [wsgi:error] [pid 10485] ret = self.run(*args, **options) [Tue Aug 18 11:21:25.198081 2015] [wsgi:error] [pid 10485] File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 760, in run [Tue Aug 18 11:21:25.198133 2015] [wsgi:error] [pid 10485] return self.execute(*args, **options) [Tue Aug 18 11:21:25.198139 2015] [wsgi:error] [pid 10485] File /usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py, line 1227, in execute [Tue Aug 18 11:21:25.198144 2015] [wsgi:error] [pid 10485] *keys, **options) [Tue Aug 18 11:21:25.198147 2015] [wsgi:error] [pid 10485] File /usr/lib/python2.7/site-packages/ipalib/plugins/stageuser.py, line 373, in pre_callback [Tue Aug 18 11:21:25.198151 2015] [wsgi:error] [pid 10485] attrs_list, *keys, **options) [Tue Aug 18 11:21:25.198155 2015] [wsgi:error] [pid 
10485] File /usr/lib/python2.7/site-packages/ipalib/plugins/stageuser.py, line 277, in set_default_values_pre_callback [Tue Aug 18 11:21:25.198159 2015] [wsgi:error] [pid 10485] entry_attrs.setdefault('description', []) [Tue Aug 18 11:21:25.198163 2015] [wsgi:error] [pid 10485] AttributeError: 'DN' object has no attribute 'setdefault' [Tue Aug 18 11:21:25.199276 2015] [wsgi:error] [pid 10485] ipa: INFO: [jsonserver_session] stage...@abc.idm.lab.eng.brq.redhat.com: stageuser_add(u'tb1', givenname=u't', sn=u'b', cn=u't b', displayname=u't b', initials=u'tb', gecos=u't b', krbprincipalname=u't...@abc.idm.lab.eng.brq.redhat.com', random=False, all=False, raw=False, version=u'2.149', no_members=False): AttributeError The new set_default_values_pre_callback, can not use the set_default function. It is not clear why. entry_attrs is one of pre_callback parameter. Should set_default_values_pre_callback be a subfonction of pre_callback ? thanks thierry -- Manage your subscription for the Freeipa-devel mailing list:
Re: [Freeipa-devel] [PATCH] 0195 harden trust-fetch-domains oddjobd script
On Tue, 18 Aug 2015, Alexander Bokovoy wrote: On Mon, 17 Aug 2015, Tomas Babej wrote: On 08/17/2015 09:03 AM, Alexander Bokovoy wrote: On Mon, 17 Aug 2015, Tomas Babej wrote: On 08/13/2015 04:29 PM, Alexander Bokovoy wrote: Hi, see commit message for details. Hi, code-wise this looks good to me. Unfortunately, I have not been able to verify in my setup that it fixes the issue in the linked BZ: $ echo Secret123456 | ipa trust-add --type=ad ad.test --range-type ipa-ad-trust --admin Administrator --password Added Active Directory trust for realm ad.test Realm name: ad.test Domain NetBIOS name: AD Domain Security Identifier: S-1-5-21-1469936554-2294197481-461507924 SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18 SID blacklist outgoing: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18 Trust direction: Trusting forest Trust type: Active Directory domain Trust status: Established and verified $ idrange-find 2 ranges matched Range name: AD.TEST_id_range First Posix ID of the range: 19120 Number of IDs in the range: 20 First RID of the corresponding RID range: 0 Domain SID of the trusted domain: S-1-5-21-1469936554-2294197481-461507924 Range type: Active Directory domain range Range name: IPA.TEST_id_range First Posix ID of the range: 69520 Number of IDs in the range: 20 First RID of the corresponding RID range: 1000 First RID of the secondary RID range: 1 Range type: local domain range Number of entries returned 2 However, I have one child subdomain in the setup: $ ipa trustdomain-find Realm name: ad.test Domain name: ad.test Domain NetBIOS name: AD Domain Security Identifier: S-1-5-21-1469936554-2294197481-461507924 
Domain enabled: True Domain name: sub.ad.test Domain NetBIOS name: SUB Domain Security Identifier: S-1-5-21-10134726-2575992721-4229914074 Domain enabled: True Number of entries returned 2 Look for AVCs, if there are any. Also start abrtd and it should pick up any python exceptions in the helper as 'crashes'. Right. Insufficient LDAP permissions caused the following backtrace in the oddjob helper: ipaldap.py:948:error_handler:ACIError: Insufficient access: Insufficient 'add' privilege to add the entry 'cn=SUB.AD.TEST_id_range,cn=ranges,cn=etc,dc=ipa,dc=test'. Traceback (most recent call last): File /usr/libexec/ipa/com.redhat.idm.trust-fetch-domains, line 216, in module trusted_domain, name, **dom) File /usr/lib/python2.7/site-packages/ipalib/plugins/trust.py, line 347, in add_range ipanttrusteddomainsid=dom_sid) File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 443, in __call__ ret = self.run(*args, **options) File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 760, in run return self.execute(*args, **options) File /usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py, line 1234, in execute self._exc_wrapper(keys, options, ldap.add_entry)(entry_attrs) File /usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py, line 1145, in wrapped return func(*call_args, **call_kwargs) File /usr/lib/python2.7/site-packages/ipapython/ipaldap.py, line 1442, in add_entry self.conn.add_s(str(entry.dn), attrs.items()) File /usr/lib64/python2.7/contextlib.py, line 35, in __exit__ self.gen.throw(type, value, traceback) File /usr/lib/python2.7/site-packages/ipapython/ipaldap.py, line 948, in error_handler raise errors.ACIError(info=info) ACIError: Insufficient access: Insufficient 'add' privilege to add the entry 'cn=SUB.AD.TEST_id_range,cn=ranges,cn=etc,dc=ipa,dc=test'. Local variables in innermost frame: info: Insufficient 'add' privilege to add the entry 'cn=SUB.AD.TEST_id_range,cn=ranges,cn=etc,dc=ipa,dc=test'. 
arg_desc: None self: ipaserver.plugins.ldap2.ldap2() e: INSUFFICIENT_ACCESS({'info': Insufficient 'add' privilege to add the entry 'cn=SUB.AD.TEST_id_range,cn=ranges,cn=etc,dc=ipa,dc=test'.\n, 'desc': 'Insufficient access'},) desc: 'Insufficient access' Updated patch attached. You can install freeipa from my COPR abbra/freeipa-oneway (you need mkosek/freeipa-master COPR for dependencies) to test. .. and use abbra/sssd-kkdcproxy for sssd git master -- you'll need it to allow SSSD to properly handle keytabs chowned to sssd:sssd by the helper. With abbra/freeipa-oneway, abbra/sssd-kkdcproxy,
[Freeipa-devel] [PATCH 474] install: Fix CA-less replica install
Hi, the attached patch fixes https://fedorahosted.org/freeipa/ticket/5226. Honza -- Jan Cholasta From bb7cd6dffd5fc2e4f2693ed114113764b28409e1 Mon Sep 17 00:00:00 2001 From: Jan Cholasta jchol...@redhat.com Date: Tue, 18 Aug 2015 12:51:26 +0200 Subject: [PATCH] install: Fix CA-less replica install https://fedorahosted.org/freeipa/ticket/5226 --- ipaserver/install/server/replicainstall.py | 17 + 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py index ac0f6a3..664a0ba 100644 --- a/ipaserver/install/server/replicainstall.py +++ b/ipaserver/install/server/replicainstall.py @@ -573,14 +573,15 @@ def install(installer): otpd.create_instance('OTPD', config.host_name, config.dirman_password, ipautil.realm_to_suffix(config.realm_name)) -CA = cainstance.CAInstance( -config.realm_name, certs.NSS_DIR, -dogtag_constants=dogtag_constants) -CA.dm_password = config.dirman_password - -CA.configure_certmonger_renewal() -CA.import_ra_cert(config.dir + /ra.p12) -CA.fix_ra_perms() +if ipautil.file_exists(config.dir + /cacert.p12): +CA = cainstance.CAInstance( +config.realm_name, certs.NSS_DIR, +dogtag_constants=dogtag_constants) +CA.dm_password = config.dirman_password + +CA.configure_certmonger_renewal() +CA.import_ra_cert(config.dir + /ra.p12) +CA.fix_ra_perms() # The DS instance is created before the keytab, add the SSL cert we # generated -- 2.4.3 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
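Review bot: The guard tests `cacert.p12` but the block it protects only consumes `ra.p12` (`CA.import_ra_cert(config.dir + "/ra.p12")`), so the decision is made on a file the code never reads; a replica file carrying one without the other either skips RA setup that could have succeeded or still fails on the missing ra.p12 exactly as before. Testing the file actually used, `if ipautil.file_exists(config.dir + "/ra.p12"):`, ties the condition to the action (quotes around the path literals appear to have been lost in this listing). Skipping silently also masks a damaged replica file: a missing cacert.p12 now yields a replica with no RA credentials and no certmonger renewal tracking instead of an error, which will surface much later as failed certificate operations, so an `else:` branch that logs "no CA in replica file, skipping RA certificate setup" via whatever logger this module already uses would make the CA-less path visible in the install log. `install()` begins before the hunk.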
Re: [Freeipa-devel] [PATCH 0297] ULC: add user-stage command
On 08/18/2015 09:50 AM, thierry bordaz wrote: On 08/17/2015 08:33 PM, Martin Basti wrote: Hello, the 'user-stage' command replaces 'stageuser-add --from-delete' command. https://fedorahosted.org/freeipa/ticket/5041 Thierry can you check If I don't break everything, it works for me, but the one never knows. Honza can you please check the framework side? I use self.api.Object.stageuser.add.* in user command, I'm not sure if this is right way, but it works. Patch attached. I created it in hurry, I'm expecting NACK :D Just question at the end: should I implement way Active user - stageuser? IMHO it would be implemented internally by calling 'user-del --preserve' inside 'user-stage'. Hi Martin, There is a small failure with VERSION (edewata pushed his patch first ;-) ) git apply -v /tmp/freeipa-mbasti-0297-Add-user-stage-command.patch Checking patch API.txt... Checking patch VERSION... error: while searching for: # # IPA_API_VERSION_MAJOR=2 IPA_API_VERSION_MINOR=148 # Last change: ftweedal - add --out option to user-show error: patch failed: VERSION:90 error: VERSION: patch does not apply Checking patch ipalib/plugins/stageuser.py... Checking patch ipalib/plugins/user.py... There is many pending patches that may change VERSION number, I will change it to right one before push. Does code looks good for you? -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] 0195 harden trust-fetch-domains oddjobd script
On Mon, 17 Aug 2015, Tomas Babej wrote: On 08/17/2015 09:03 AM, Alexander Bokovoy wrote: On Mon, 17 Aug 2015, Tomas Babej wrote: On 08/13/2015 04:29 PM, Alexander Bokovoy wrote: Hi, see commit message for details. Hi, code-wise this looks good to me. Unfortunately, I have not been able to verify in my setup that it fixes the issue in the linked BZ: $ echo Secret123456 | ipa trust-add --type=ad ad.test --range-type ipa-ad-trust --admin Administrator --password Added Active Directory trust for realm ad.test Realm name: ad.test Domain NetBIOS name: AD Domain Security Identifier: S-1-5-21-1469936554-2294197481-461507924 SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18 SID blacklist outgoing: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18 Trust direction: Trusting forest Trust type: Active Directory domain Trust status: Established and verified $ idrange-find 2 ranges matched Range name: AD.TEST_id_range First Posix ID of the range: 19120 Number of IDs in the range: 20 First RID of the corresponding RID range: 0 Domain SID of the trusted domain: S-1-5-21-1469936554-2294197481-461507924 Range type: Active Directory domain range Range name: IPA.TEST_id_range First Posix ID of the range: 69520 Number of IDs in the range: 20 First RID of the corresponding RID range: 1000 First RID of the secondary RID range: 1 Range type: local domain range Number of entries returned 2 However, I have one child subdomain in the setup: $ ipa trustdomain-find Realm name: ad.test Domain name: ad.test Domain NetBIOS name: AD Domain Security Identifier: S-1-5-21-1469936554-2294197481-461507924 Domain enabled: True Domain name: sub.ad.test 
Domain NetBIOS name: SUB Domain Security Identifier: S-1-5-21-10134726-2575992721-4229914074 Domain enabled: True Number of entries returned 2 Look for AVCs, if there are any. Also start abrtd and it should pick up any python exceptions in the helper as 'crashes'. Right. Insufficient LDAP permissions caused the following backtrace in the oddjob helper: ipaldap.py:948:error_handler:ACIError: Insufficient access: Insufficient 'add' privilege to add the entry 'cn=SUB.AD.TEST_id_range,cn=ranges,cn=etc,dc=ipa,dc=test'. Traceback (most recent call last): File /usr/libexec/ipa/com.redhat.idm.trust-fetch-domains, line 216, in module trusted_domain, name, **dom) File /usr/lib/python2.7/site-packages/ipalib/plugins/trust.py, line 347, in add_range ipanttrusteddomainsid=dom_sid) File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 443, in __call__ ret = self.run(*args, **options) File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 760, in run return self.execute(*args, **options) File /usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py, line 1234, in execute self._exc_wrapper(keys, options, ldap.add_entry)(entry_attrs) File /usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py, line 1145, in wrapped return func(*call_args, **call_kwargs) File /usr/lib/python2.7/site-packages/ipapython/ipaldap.py, line 1442, in add_entry self.conn.add_s(str(entry.dn), attrs.items()) File /usr/lib64/python2.7/contextlib.py, line 35, in __exit__ self.gen.throw(type, value, traceback) File /usr/lib/python2.7/site-packages/ipapython/ipaldap.py, line 948, in error_handler raise errors.ACIError(info=info) ACIError: Insufficient access: Insufficient 'add' privilege to add the entry 'cn=SUB.AD.TEST_id_range,cn=ranges,cn=etc,dc=ipa,dc=test'. Local variables in innermost frame: info: Insufficient 'add' privilege to add the entry 'cn=SUB.AD.TEST_id_range,cn=ranges,cn=etc,dc=ipa,dc=test'. 
arg_desc: None self: ipaserver.plugins.ldap2.ldap2() e: INSUFFICIENT_ACCESS({'info': Insufficient 'add' privilege to add the entry 'cn=SUB.AD.TEST_id_range,cn=ranges,cn=etc,dc=ipa,dc=test'.\n, 'desc': 'Insufficient access'},) desc: 'Insufficient access' Updated patch attached. You can install freeipa from my COPR abbra/freeipa-oneway (you need mkosek/freeipa-master COPR for dependencies) to test. -- / Alexander Bokovoy From eb667407662906b609282b13f87129c80c058a9f Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy aboko...@redhat.com Date: Thu, 13 Aug 2015 17:18:57 +0300 Subject: [PATCH] trusts: harden
Re: [Freeipa-devel] [PATCH 0297] ULC: add user-stage command
On 08/18/2015 09:55 AM, Martin Basti wrote: On 08/18/2015 09:50 AM, thierry bordaz wrote: On 08/17/2015 08:33 PM, Martin Basti wrote: Hello, the 'user-stage' command replaces 'stageuser-add --from-delete' command. https://fedorahosted.org/freeipa/ticket/5041 Thierry can you check If I don't break everything, it works for me, but the one never knows. Honza can you please check the framework side? I use self.api.Object.stageuser.add.* in user command, I'm not sure if this is right way, but it works. Patch attached. I created it in hurry, I'm expecting NACK :D Just question at the end: should I implement way Active user - stageuser? IMHO it would be implemented internally by calling 'user-del --preserve' inside 'user-stage'. Hi Martin, There is a small failure with VERSION (edewata pushed his patch first ;-) ) git apply -v /tmp/freeipa-mbasti-0297-Add-user-stage-command.patch Checking patch API.txt... Checking patch VERSION... error: while searching for: # # IPA_API_VERSION_MAJOR=2 IPA_API_VERSION_MINOR=148 # Last change: ftweedal - add --out option to user-show error: patch failed: VERSION:90 error: VERSION: patch does not apply Checking patch ipalib/plugins/stageuser.py... Checking patch ipalib/plugins/user.py... There is many pending patches that may change VERSION number, I will change it to right one before push. Does code looks good for you? Yes it looks good, but I am still testing it. I will be back to you with my test results. thanks thierry -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] Regression in client-install [master]
On 2015-08-18 08:55, Tomas Babej wrote: On 08/18/2015 03:25 AM, Simo Sorce wrote: I see a regression in the client install now that the python-kerberos - python-gssapi patches have landed. Reverting that single patch makes the issue go away, is anyone else seeing this ? Simo. I believe you're talking about https://fedorahosted.org/freeipa/ticket/5225 I can confirm reverting the gssapi patch did solve the issue yesterday (this is obvious, since the exception originates in the python-gssapi code). Tomas The bug has been reported and fixed upstream: https://github.com/pythongssapi/python-gssapi/issues/72. Updating the package in Fedora to latest upstream release should solve the problem. Please wait with reverting. Michael -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0297] ULC: add user-stage command
On 08/18/2015 09:59 AM, thierry bordaz wrote: On 08/18/2015 09:55 AM, Martin Basti wrote: On 08/18/2015 09:50 AM, thierry bordaz wrote: On 08/17/2015 08:33 PM, Martin Basti wrote: Hello, the 'user-stage' command replaces 'stageuser-add --from-delete' command. https://fedorahosted.org/freeipa/ticket/5041 Thierry can you check If I don't break everything, it works for me, but one never knows. Honza can you please check the framework side? I use self.api.Object.stageuser.add.* in user command, I'm not sure if this is right way, but it works. Patch attached. I created it in a hurry, I'm expecting NACK :D Just question at the end: should I implement way Active user -> stageuser? IMHO it would be implemented internally by calling 'user-del --preserve' inside 'user-stage'. Hi Martin, There is a small failure with VERSION (edewata pushed his patch first ;-) ) git apply -v /tmp/freeipa-mbasti-0297-Add-user-stage-command.patch Checking patch API.txt... Checking patch VERSION... error: while searching for: # # IPA_API_VERSION_MAJOR=2 IPA_API_VERSION_MINOR=148 # Last change: ftweedal - add --out option to user-show error: patch failed: VERSION:90 error: VERSION: patch does not apply Checking patch ipalib/plugins/stageuser.py... Checking patch ipalib/plugins/user.py... There are many pending patches that may change VERSION number, I will change it to right one before push. Does the code look good to you? Hi Martin, Just a question, there is no additional permission. Did you test being 'admin' ? thanks thierry No I didn't. I preserved all permissions, so the original permissions should work. Martin -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0002] Port from python-krbV to python-gssapi
On 2015-08-17 21:10, Robbie Harwood wrote: Michael Šimáček msima...@redhat.com writes: Attaching new revision of the patch. Changes from the previous: - ldap2's connect now chooses the bind type same way as in ipaldap - get_default_realm usages replaced by api.env.realm - fixed missing third kinit attempt in trust-fetch-domains - removed rewrapping gssapi errors to ccache errors in krb_utils - updated some parts of exception handling This patch doesn't seem to apply to master. Can you update it or indicate what you're patching against? Thanks! Attaching patch rebased on top of current master. Michael From 098a0288d384ef8f5d33cc61a1007a514b5f64b9 Mon Sep 17 00:00:00 2001 
From: Michael Simacek msima...@redhat.com Date: Mon, 20 Jul 2015 16:04:07 +0200 Subject: [PATCH] Port from python-krbV to python-gssapi python-krbV library is deprecated and doesn't work with python 3. Replacing all it's usages with python-gssapi. - Removed Backend.krb and KRB5_CCache classes They were wrappers around krbV classes that cannot really work without them - Added few utility functions for querying GSSAPI credentials in krb_utils module. They provide replacements for KRB5_CCache. - Merged two kinit_keytab functions - Changed ldap plugin connection defaults to match ipaldap - Unified getting default realm Using api.env.realm instead of krbV call --- BUILD.txt | 2 +- doc/examples/python-api.py| 4 +- freeipa.spec.in | 7 +- install/oddjob/com.redhat.idm.trust-fetch-domains | 75 ++--- install/tools/ipa-adtrust-install | 16 +- install/tools/ipa-csreplica-manage| 5 +- install/tools/ipa-replica-manage | 7 +- ipa-client/ipa-client.spec.in | 2 +- ipa-client/ipa-install/ipa-client-automount | 4 +- ipa-client/ipa-install/ipa-client-install | 8 +- ipalib/krb_utils.py | 337 +- ipalib/plugins/kerberos.py| 125 ipalib/plugins/passwd.py | 6 +- ipalib/plugins/vault.py | 7 +- ipalib/rpc.py | 9 +- ipalib/util.py| 12 - ipapython/config.py | 11 - ipapython/ipautil.py | 28 +- ipaserver/install/ipa_cacert_manage.py| 7 +- ipaserver/install/ipa_ldap_updater.py | 4 +- ipaserver/install/ipa_otptoken_import.py | 7 +- ipaserver/install/ipa_winsync_migrate.py | 8 +- ipaserver/install/ldapupdate.py | 10 +- ipaserver/install/schemaupdate.py | 4 +- ipaserver/install/server/upgrade.py | 3 +- ipaserver/plugins/join.py | 13 +- ipaserver/plugins/ldap2.py| 60 ++-- ipaserver/rpcserver.py| 25 +- ipatests/test_cmdline/cmdline.py | 5 +- ipatests/test_cmdline/test_ipagetkeytab.py| 23 +- ipatests/test_xmlrpc/test_dns_plugin.py | 3 +- ipatests/test_xmlrpc/test_netgroup_plugin.py | 6 +- ipatests/test_xmlrpc/test_permission_plugin.py| 3 +- lite-server.py| 16 +- make-lint | 4 +- 35 files changed, 234 
insertions(+), 632 deletions(-) delete mode 100644 ipalib/plugins/kerberos.py
diff --git a/BUILD.txt b/BUILD.txt
index 53012b14d05673d4fbc4d0567e877348d5e78444..4507fa357375edc09377368ab3d1eb1c48994a61 100644
--- a/BUILD.txt
+++ b/BUILD.txt
@@ -20,7 +20,7 @@ systemd-units samba-devel samba-python libwbclient-devel libtalloc-devel \
 libtevent-devel nspr-devel nss-devel openssl-devel openldap-devel krb5-devel \
 krb5-workstation libuuid-devel libcurl-devel xmlrpc-c-devel popt-devel \
 autoconf automake m4 libtool gettext python-devel python-ldap \
-python-setuptools python-krbV python-nss python-netaddr python-gssapi \
+python-setuptools python-nss python-netaddr python-gssapi \
 python-rhsm pyOpenSSL pylint python-polib libipa_hbac-python python-memcached \
 sssd python-lxml python-pyasn1 python-qrcode-core python-dns m2crypto \
 check libsss_idmap-devel libsss_nss_idmap-devel java-headless rhino \
diff --git a/doc/examples/python-api.py b/doc/examples/python-api.py
index 805925f262774edca20fd0f31eda214b83a24fc9..215bb915370ffaac9fb64747a42bb2422b69a6e0 100755
--- a/doc/examples/python-api.py
+++ b/doc/examples/python-api.py
@@ -37,9 +37,7 @@ api.finalize()
 # Backend.ldap.connect(), otherwise Backend.rpcclient.connect().
 if api.env.in_server:
-api.Backend.ldap2.connect(
-ccache=api.Backend.krb.default_ccname()
- )
+api.Backend.ldap2.connect()
 else:
 api.Backend.rpcclient.connect()
diff --git a/freeipa.spec.in
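Review bot: The example now calls `api.Backend.ldap2.connect()` with no ccache, so a reader can no longer tell from the example which credentials the server-side LDAP connection binds with; the commit message says the ldap2 connection defaults were changed to match ipaldap, but nothing in this hunk says so. A one-line comment above the call keeps the example self-explanatory: `# No ccache is passed: ldap2.connect() now selects the bind method itself (see the ldap2 backend changes in this patch).` If `connect()` still accepts a `ccache` keyword for callers who copied the old example, saying so in the same comment would help them. The `if`/`else` is complete in the hunk, but the rest of the example script is outside it.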
Re: [Freeipa-devel] Regression in client-install [master]
On 08/18/2015 03:25 AM, Simo Sorce wrote: I see a regression in the client install now that the python-kerberos -> python-gssapi patches have landed. Reverting that single patch makes the issue go away, is anyone else seeing this? Simo. I believe you're talking about https://fedorahosted.org/freeipa/ticket/5225 I can confirm reverting the gssapi patch did solve the issue yesterday (this is obvious, since the exception originates in the python-gssapi code). Tomas -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0297] ULC: add user-stage command
On 08/17/2015 08:33 PM, Martin Basti wrote: Hello, the 'user-stage' command replaces 'stageuser-add --from-delete' command. https://fedorahosted.org/freeipa/ticket/5041 Thierry can you check If I don't break everything, it works for me, but the one never knows. Honza can you please check the framework side? I use self.api.Object.stageuser.add.* in user command, I'm not sure if this is right way, but it works. Patch attached. I created it in hurry, I'm expecting NACK :D Just question at the end: should I implement way Active user - stageuser? IMHO it would be implemented internally by calling 'user-del --preserve' inside 'user-stage'. Hi Martin, There is a small failure with VERSION (edewata pushed his patch first ;-) ) git apply -v /tmp/freeipa-mbasti-0297-Add-user-stage-command.patch Checking patch API.txt... Checking patch VERSION... error: while searching for: # # IPA_API_VERSION_MAJOR=2 IPA_API_VERSION_MINOR=148 # Last change: ftweedal - add --out option to user-show error: patch failed: VERSION:90 error: VERSION: patch does not apply Checking patch ipalib/plugins/stageuser.py... Checking patch ipalib/plugins/user.py... -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0002] TEST: Stageuser plugin
On 08/14/2015 06:32 PM, Lenka Doudova wrote: Yes, that is correct - it's malfunctioning behavior of the plugin - command 'stageuser-add --from-delete', which is discussed in another thread. I left this test case for so long as it's not fixed/changed. If the command remains and is fixed, the test case will be valid, if it's changed I'll fix the test case to reflect the new command. Lenka On 08/14/2015 05:39 PM, Martin Basti wrote: On 08/14/2015 11:04 AM, Lenka Doudova wrote: NACK syntax error, missing ')' -from ipatests.util import assert_equal, assert_not_equal, raises +from ipatests.util import ( +assert_equal, assert_not_equal, raises, assert_deepequal I cannot apply this patch, please check it Sorry for the error, corrected patch attached. I also added two testcases that Thierry proposed, and changed names of few methods (original ones were confusing). Lenka I got this error FAILURES = TestPreserved.test_staged_from_preserved _ self = ipatests.test_xmlrpc.test_stageuser_plugin.TestPreserved object at 0x7ffb94811350, user = ipatests.test_xmlrpc.test_user_plugin.UserTracker object at 0x7ffb949e7190 stageduser = ipatests.test_xmlrpc.test_stageuser_plugin.StageUserTracker object at 0x7ffb94811c50 def test_staged_from_preserved(self, user, stageduser): user.make_preserved_user() stageduser.ensure_missing() stageduser = StageUserTracker(user.uid, user.givenname, user.sn) stageduser.create_from_preserved(user) command = user.make_create_command(from_delete=True) E TypeError: make_create_command() got an unexpected keyword argument 'from_delete' test_xmlrpc/test_stageuser_plugin.py:718: TypeError -- Captured stdout setup -- Ran command: ipalib.plugins.stageuser.stageuser_del()(u'suser1', version=u'2.148'): NotFound: suser1: stage user not found -- Captured stdout call --- Ran command: ipalib.plugins.user.user_add()(u'auser1', givenname=u'active', sn=u'user', version=u'2.148'): OK Ran command: ipalib.plugins.user.user_del()(u'auser1', preserve=True, no_preserve=False, 
version=u'2.148'): OK Martin^2 Okay then, please fix this error in a new patch. Patch for replacement of stageuser-add --from delete already landed in devel list (patch mbasti-0297) If you want to have this test in ipa-4-2 branch, please send rebased version. Current patch applies only on master. -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] 911 vault: normalize service principal in service vault, operations
On 08/18/2015 12:42 PM, Jan Cholasta wrote: Hi, On 18.8.2015 12:38, Petr Vobornik wrote: https://fedorahosted.org/freeipa/ticket/5233 s/normalizer=lambda value: normalize_principal(value)/normalizer=normalize_principal/. Honza Fixed, updated patch attached -- Petr Vobornik From 0abd75e9d2d3826cff4225013e6084767f03f9b1 Mon Sep 17 00:00:00 2001 From: Petr Vobornik pvobo...@redhat.com Date: Tue, 18 Aug 2015 12:14:36 +0200 Subject: [PATCH] vault: normalize service principal in service vault operations https://fedorahosted.org/freeipa/ticket/5233
--- ipalib/plugins/vault.py | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/ipalib/plugins/vault.py b/ipalib/plugins/vault.py
index 88c63071f04462aa240a70d3a3eeac2d04e66062..a1508b63b8c8aa506eadad415ecf7fa4942c74fc 100644
--- a/ipalib/plugins/vault.py
+++ b/ipalib/plugins/vault.py
@@ -47,6 +47,7 @@ from ipalib.plugins.baseldap import LDAPObject, LDAPCreate, LDAPDelete,\
 LDAPModMember, pkey_to_value
 from ipalib.request import context
 from ipalib.plugins.user import split_principal
+from ipalib.plugins.service import normalize_principal
 from ipalib import _, ngettext
 from ipaplatform.paths import paths
 from ipapython.dn import DN
@@ -214,6 +215,7 @@ vault_options = (
 Str(
 'service?',
 doc=_('Service name of the service vault'),
+normalizer=normalize_principal,
 ),
 Flag(
 'shared?',
-- 2.4.3 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
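Review bot: `normalizer=normalize_principal` is attached to the `service?` option without any validation rule, and ipalib normalizes a value before it runs the rules (not visible here), so a malformed value such as a name with no `/` hits the service plugin's normalizer first; if that function splits the principal and raises on bad input, the caller gets whatever it raises rather than a ValidationError naming the option. If the service plugin also exports the `validate_principal` rule it uses for its own principal parameter, importing it next to `normalize_principal` and passing it as a rule — `Str('service?', validate_principal, doc=_('Service name of the service vault'), normalizer=normalize_principal)` — gives service-vault commands the same clean rejection the service commands give. The normalization itself is the right call for a vault addressed by principal: case and realm suffix typed by the caller should not decide which vault is found. `vault_options` begins before the second hunk and continues past it.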
Re: [Freeipa-devel] [PATCH 0058] ipa-restore: check whether DS is running before attempting connection
On 18.8.2015 13:41, Martin Basti wrote: On 08/18/2015 01:16 PM, Alexander Bokovoy wrote: On Tue, 18 Aug 2015, Martin Babinsky wrote: https://fedorahosted.org/freeipa/ticket/4838 -- Martin^3 Babinsky From d86aae6c3fef4dea1afbbdbacbc978afbbfa5fcf Mon Sep 17 00:00:00 2001 From: Martin Babinsky mbabi...@redhat.com Date: Tue, 18 Aug 2015 12:47:46 +0200 Subject: [PATCH] ipa-restore: check whether DS is running before attempting connection https://fedorahosted.org/freeipa/ticket/4838
--- ipaserver/install/ipa_restore.py | 7 +++ 1 file changed, 7 insertions(+)
diff --git a/ipaserver/install/ipa_restore.py b/ipaserver/install/ipa_restore.py
index 65cb49355a0567446debe9c367aa3c1bc5a12e1c..b69ea90001a6fd03d0fddde8844870d1aa9c3704 100644
--- a/ipaserver/install/ipa_restore.py
+++ b/ipaserver/install/ipa_restore.py
@@ -410,6 +410,13 @@ class Restore(admintool.AdminTool):
 '''
 Create an ldapi connection and bind to it using autobind as root.
 '''
+instance_name = installutils.realm_to_serverid(api.env.realm)
+
+if not services.knownservices.dirsrv.is_running(instance_name):
+raise admintool.ScriptError(
+directory server instance is not running/configured
+)
+
 if self._conn is not None:
 return self._conn
ACK. Pushed to: master: 31776755b47f44f894e4f2bb256aca1c5262b8a8 ipa-4-2: e4b8cffdb4e017874bb7f12a7ca362b927ead67a I didn't try, but I'm pretty sure this patch breaks ipa-restore on systems without IPA installed, which was not at all the point of the ticket - the point was to replace the Unable to get connection, skipping disabling agreements: Unable to bind to LDAP server: [Errno 2] No such file or directory error message with something meaningful in such a case. -- Jan Cholasta -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
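Review bot: The new guard sits above the `if self._conn is not None: return self._conn` fast path, so it is re-evaluated for a connection that is already open and a dirsrv stop between two calls turns the cached-connection lookup into a ScriptError; moving the three new statements below that early return keeps the cached path untouched and checks dirsrv only when a connection is actually about to be made. The message also does not say which instance was checked, which is the first thing to look at when a restore stops here: `raise admintool.ScriptError("directory server instance %s is not running/configured" % instance_name)`. Jan's reply quotes the caller's "Unable to get connection, skipping disabling agreements" message, so the caller (outside the hunk) evidently catches and logs; a dedicated error type rather than ScriptError would let it tell "not running" from "bind failed", which the thread below also touches on. The enclosing method's `def` line is outside the hunk.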
Re: [Freeipa-devel] [PATCH 0058] ipa-restore: check whether DS is running before attempting connection
On 08/18/2015 02:51 PM, Jan Cholasta wrote: On 18.8.2015 14:24, Martin Babinsky wrote: On 08/18/2015 02:05 PM, Jan Cholasta wrote: On 18.8.2015 13:41, Martin Basti wrote: On 08/18/2015 01:16 PM, Alexander Bokovoy wrote: On Tue, 18 Aug 2015, Martin Babinsky wrote: https://fedorahosted.org/freeipa/ticket/4838 -- Martin^3 Babinsky From d86aae6c3fef4dea1afbbdbacbc978afbbfa5fcf Mon Sep 17 00:00:00 2001 From: Martin Babinsky mbabi...@redhat.com Date: Tue, 18 Aug 2015 12:47:46 +0200 Subject: [PATCH] ipa-restore: check whether DS is running before attempting connection https://fedorahosted.org/freeipa/ticket/4838 --- ipaserver/install/ipa_restore.py | 7 +++ 1 file changed, 7 insertions(+) diff --git a/ipaserver/install/ipa_restore.py b/ipaserver/install/ipa_restore.py index 65cb49355a0567446debe9c367aa3c1bc5a12e1c..b69ea90001a6fd03d0fddde8844870d1aa9c3704 100644 --- a/ipaserver/install/ipa_restore.py +++ b/ipaserver/install/ipa_restore.py 
@@ -410,6 +410,13 @@ class Restore(admintool.AdminTool): ''' Create an ldapi connection and bind to it using autobind as root. ''' +instance_name = installutils.realm_to_serverid(api.env.realm) + +if not services.knownservices.dirsrv.is_running(instance_name): +raise admintool.ScriptError( +directory server instance is not running/configured +) + if self._conn is not None: return self._conn ACK. Pushed to: master: 31776755b47f44f894e4f2bb256aca1c5262b8a8 ipa-4-2: e4b8cffdb4e017874bb7f12a7ca362b927ead67a I didn't try, but I'm pretty sure this patch breaks ipa-restore on systems without IPA installed, which was not at all the point of the ticket - the point was to replace the Unable to get connection, skipping disabling agreements: Unable to bind to LDAP server: [Errno 2] No such file or directory error message with something meaningful in such a case. I have just now tested ipa-restore without installed IPA master and it works just fine. The point of my patch was no not even try to connect to DS if the instance is not running/configured and raise an error telling this fact to the user, instead of timing out on connection and then raising a generic exception. So unless I missed something it should be ok. I stand corrected. It was the ScriptError that made me suspicious. Sorry for the noise. Yeah in retrospect it was not the best exception to raise in this case. I was probably influenced by the fact that ScriptError gets thrown around so much in the ipa_restore code and got a bit lazy :). -- Martin^3 Babinsky -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] Regression in client-install [master]
On Tue, 2015-08-18 at 10:11 +0200, Michael Šimáček wrote: On 2015-08-18 08:55, Tomas Babej wrote: On 08/18/2015 03:25 AM, Simo Sorce wrote: I see a regression in the client install now that the python-kerberos - python-gssapi patches have landed. Reverting that single patch makes the issue go away, is anyone else seeing this ? Simo. I believe you're talking about https://fedorahosted.org/freeipa/ticket/5225 I can confirm reverting the gssapi patch did solve the issue yesterday (this is obvious, since the exception originates in the python-gssapi code). Tomas The bug has been reported and fixed upstream: https://github.com/pythongssapi/python-gssapi/issues/72. Updating the package in Fedora to latest upstream release should solve the problem. Please wait with reverting. Please submit a patch to raise the minimum Requires, however I did not see the same bug, I will make sure I have the latest python-gssapi and retest. Simo. -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] Unable to install bits from ipa-4-2 branch
On 18.8.2015 12:14, Milan Kubík wrote: On 08/18/2015 11:37 AM, Jan Cholasta wrote: On 17.8.2015 16:47, Milan Kubík wrote: On 08/17/2015 04:44 PM, Milan Kubík wrote: On 08/17/2015 10:23 AM, Martin Basti wrote: On 08/12/2015 01:10 PM, Milan Kubík wrote: On 08/10/2015 04:41 PM, Jan Cholasta wrote: Dne 10.8.2015 v 16:03 Milan Kubík napsal(a): Forwarded Message Subject: Re: [Freeipa-devel] Unable to install bits from ipa-4-2 branch Date: Mon, 10 Aug 2015 15:55:35 +0200 From: Jan Cholasta jchol...@redhat.com To: Milan Kubík mku...@redhat.com CC: Martin Kosek mko...@redhat.com Dne 10.8.2015 v 15:31 Milan Kubík napsal(a): On 08/10/2015 03:22 PM, Jan Cholasta wrote: Dne 7.8.2015 v 09:17 Martin Kosek napsal(a): On 08/07/2015 08:46 AM, Jan Cholasta wrote: Dne 7.8.2015 v 08:44 Martin Kosek napsal(a): On 08/06/2015 05:26 PM, Milan Kubík wrote: Hi list, I just noticed that the bits built from ipa-4-2 branch cannot be installed. The freeipa packages built have version such as freeipa-server-dns-4.2.0-0.20150806083844Zjenkins9git2812242.fc22.x86_64 The version check in the spec file makes the server-dns package obsolete the server package from tha same build. The cause is the commit [1]. This issue blocks us from running tests on ipa-4-2 branch. Should we bump the minor version on this branch to 4.2.1? [1]: https://git.fedorahosted.org/cgit/freeipa.git/commit/?id=f555fe95dba9ec453fa10f160089dcc5404f724a Cheers, Milan Why does the spec calls for # upgrade path from monolithic -server to -server + -server-dns Obsoletes: %{name}-server = 4.2.0 and not for # upgrade path from monolithic -server to -server + -server-dns Obsoletes: %{name}-server 4.2.0 ? Is that the root cause of these issues? AFAIK this would break updates from 4.2.0 to 4.2.1. I wonder how it could break the upgrade... Patch attached. This won't help as long as we build something like freeipa-server-dns-4.2.0-0.20150810111037Zjenkins11gitad6a87e Right. Updated patch attached. 
It will break updates from pre-server-dns git builds, but install should be fine. -- Jan Cholasta ACK, thanks. Self-NACK, as this also breaks updates from freeipa-4.2.0-0 from the freeipa-4.2 COPR. Updated patch attached. Hi, thanks for the patch. It works as far as updating from 4.1, the copr build (correctly replaces freeipa-server package) as well as upgrade from earlier build from repository. If there are no objections, ACK from me. Milan Pushed to ipa-4-2: 5d5240b9db3b9e6f29351c65272a363b253cd2d3 Ok, while checking this manually it seemed to work, the jenkins build names the package in a way that produces this error. The patch has no effect in automation, unfortunatelly. The build on jenkins adds the release version, when built manually, the name is xyz.4.2.0.DATE+hash-string. Error: package freeipa-server-dns-4.2.0-0.20150817084102Zjenkins28git5d5240b.fc22.x86_64 obsoletes freeipa-server = 4.2.0.0 provided by freeipa-server-4.2.0-0.20150817084102Zjenkins28git5d5240b.fc22.x86_64 Late answer to Lukas, this is n:m scenario. I'm not sure what to do if one subpackage retains the original name, though. That being said, I can change the schema by which jenkins marks release version on the rpms it builds. This will provide a hacky way around this issue by creating 4.2.0.2015... provided by the timestamp. This is the scheme used by make rpms, so I'd say go for it. Otherwise, changing the Obsoletes line to: Obsoletes: %{name}-server = 4.2.0.0-0.0 should fix it. The released packages don't really use that much numbers. That doesn't matter, what matters is how the numbers are compared. Just freeipa-component-MAJOR.MINOR.RELEASE-PKGREL.arch... First three defined by freeipa, -X by fedora. Therefore, I don't think we should use 4.2.0.0. The spec file is not used for Fedora, just for make rpms. In jenkins I have changed it to use IPA_VERSION_IS_GIT_SNAPSHOT=yes which changes the naming schema allowing this hack to work. 
The jobs weren't using the VERSION script this way before, however. -- Jan Cholasta -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0058] ipa-restore: check whether DS is running before attempting connection
On Tue, 18 Aug 2015, Jan Cholasta wrote: On 18.8.2015 13:41, Martin Basti wrote: On 08/18/2015 01:16 PM, Alexander Bokovoy wrote: On Tue, 18 Aug 2015, Martin Babinsky wrote: https://fedorahosted.org/freeipa/ticket/4838 -- Martin^3 Babinsky From d86aae6c3fef4dea1afbbdbacbc978afbbfa5fcf Mon Sep 17 00:00:00 2001 From: Martin Babinsky mbabi...@redhat.com Date: Tue, 18 Aug 2015 12:47:46 +0200 Subject: [PATCH] ipa-restore: check whether DS is running before attempting connection https://fedorahosted.org/freeipa/ticket/4838 --- ipaserver/install/ipa_restore.py | 7 +++ 1 file changed, 7 insertions(+) diff --git a/ipaserver/install/ipa_restore.py b/ipaserver/install/ipa_restore.py index 65cb49355a0567446debe9c367aa3c1bc5a12e1c..b69ea90001a6fd03d0fddde8844870d1aa9c3704 100644 --- a/ipaserver/install/ipa_restore.py +++ b/ipaserver/install/ipa_restore.py 
@@ -410,6 +410,13 @@ class Restore(admintool.AdminTool): ''' Create an ldapi connection and bind to it using autobind as root. ''' +instance_name = installutils.realm_to_serverid(api.env.realm) + +if not services.knownservices.dirsrv.is_running(instance_name): +raise admintool.ScriptError( +directory server instance is not running/configured +) + if self._conn is not None: return self._conn ACK. Pushed to: master: 31776755b47f44f894e4f2bb256aca1c5262b8a8 ipa-4-2: e4b8cffdb4e017874bb7f12a7ca362b927ead67a I didn't try, but I'm pretty sure this patch breaks ipa-restore on systems without IPA installed, which was not at all the point of the ticket - the point was to replace the Unable to get connection, skipping disabling agreements: Unable to bind to LDAP server: [Errno 2] No such file or directory error message with something meaningful in such a case. The code below 'if self._conn is not None:' is following: self._conn = ipaldap.IPAdmin(host=api.env.host, ldapi=True, protocol='ldapi', realm=api.env.realm) try: pw_name = pwd.getpwuid(os.geteuid()).pw_name self._conn.do_external_bind(pw_name) except Exception, e: raise admintool.ScriptError('Unable to bind to LDAP server: %s' % e) return self._conn So you'd get the same behavior as ipaldap.IPAdmin will attempt to connect to LDAP server (it calls ldap.initialize()) and try/except block will then fail. -- / Alexander Bokovoy -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0058] ipa-restore: check whether DS is running before attempting connection
On 18.8.2015 14:24, Martin Babinsky wrote: On 08/18/2015 02:05 PM, Jan Cholasta wrote: On 18.8.2015 13:41, Martin Basti wrote: On 08/18/2015 01:16 PM, Alexander Bokovoy wrote: On Tue, 18 Aug 2015, Martin Babinsky wrote: https://fedorahosted.org/freeipa/ticket/4838 -- Martin^3 Babinsky From d86aae6c3fef4dea1afbbdbacbc978afbbfa5fcf Mon Sep 17 00:00:00 2001 From: Martin Babinsky mbabi...@redhat.com Date: Tue, 18 Aug 2015 12:47:46 +0200 Subject: [PATCH] ipa-restore: check whether DS is running before attempting connection https://fedorahosted.org/freeipa/ticket/4838 --- ipaserver/install/ipa_restore.py | 7 +++ 1 file changed, 7 insertions(+) diff --git a/ipaserver/install/ipa_restore.py b/ipaserver/install/ipa_restore.py index 65cb49355a0567446debe9c367aa3c1bc5a12e1c..b69ea90001a6fd03d0fddde8844870d1aa9c3704 100644 --- a/ipaserver/install/ipa_restore.py +++ b/ipaserver/install/ipa_restore.py 
@@ -410,6 +410,13 @@ class Restore(admintool.AdminTool): ''' Create an ldapi connection and bind to it using autobind as root. ''' +instance_name = installutils.realm_to_serverid(api.env.realm) + +if not services.knownservices.dirsrv.is_running(instance_name): +raise admintool.ScriptError( +directory server instance is not running/configured +) + if self._conn is not None: return self._conn ACK. Pushed to: master: 31776755b47f44f894e4f2bb256aca1c5262b8a8 ipa-4-2: e4b8cffdb4e017874bb7f12a7ca362b927ead67a I didn't try, but I'm pretty sure this patch breaks ipa-restore on systems without IPA installed, which was not at all the point of the ticket - the point was to replace the Unable to get connection, skipping disabling agreements: Unable to bind to LDAP server: [Errno 2] No such file or directory error message with something meaningful in such a case. I have just now tested ipa-restore without installed IPA master and it works just fine. The point of my patch was no not even try to connect to DS if the instance is not running/configured and raise an error telling this fact to the user, instead of timing out on connection and then raising a generic exception. So unless I missed something it should be ok. I stand corrected. It was the ScriptError that made me suspicious. Sorry for the noise. -- Jan Cholasta -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 474] install: Fix CA-less replica install
On 08/18/2015 12:56 PM, Jan Cholasta wrote: Hi, the attached patch fixes https://fedorahosted.org/freeipa/ticket/5226. Honza ACK -- Martin^3 Babinsky -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0297] ULC: add user-stage command
On 08/18/2015 11:32 AM, thierry bordaz wrote: On 08/18/2015 10:02 AM, Martin Basti wrote: On 08/18/2015 09:59 AM, thierry bordaz wrote: On 08/18/2015 09:55 AM, Martin Basti wrote: On 08/18/2015 09:50 AM, thierry bordaz wrote: On 08/17/2015 08:33 PM, Martin Basti wrote: Hello, the 'user-stage' command replaces the 'stageuser-add --from-delete' command. https://fedorahosted.org/freeipa/ticket/5041 Thierry, can you check that I don't break everything? It works for me, but one never knows. Honza, can you please check the framework side? I use self.api.Object.stageuser.add.* in the user command; I'm not sure if this is the right way, but it works. Patch attached. I created it in a hurry, I'm expecting a NACK :D Just a question at the end: should I also implement the Active user - stageuser direction? IMHO it would be implemented internally by calling 'user-del --preserve' inside 'user-stage'. Hi Martin, There is a small failure with VERSION (edewata pushed his patch first ;-) ) git apply -v /tmp/freeipa-mbasti-0297-Add-user-stage-command.patch Checking patch API.txt... Checking patch VERSION... error: while searching for: # # IPA_API_VERSION_MAJOR=2 IPA_API_VERSION_MINOR=148 # Last change: ftweedal - add --out option to user-show error: patch failed: VERSION:90 error: VERSION: patch does not apply Checking patch ipalib/plugins/stageuser.py... Checking patch ipalib/plugins/user.py... There are many pending patches that may change the VERSION number; I will change it to the right one before pushing. Does the code look good to you? Hi Martin, Just a question, there is no additional permission. Did you test being 'admin'? thanks thierry No I didn't. I preserved all permissions; the original permissions should work. 
Martin Hi Martin, Running a test script, I have an issue with ipa stageuser-add --first=t --last=b tb1 ipa: ERROR: an internal error has occurred [Tue Aug 18 11:16:56.440658 2015] [wsgi:error] [pid 10486] ipa: INFO: [jsonserver_kerb] stage...@abc.idm.lab.eng.brq.redhat.com: stageuser_add(u'tb1', givenname=u't', sn=u'b', cn=u't b', displayname=u't b', initials=u'tb', gecos=u't b', krbprincipalname=u't...@abc.idm.lab.eng.brq.redhat.com', random=False, all=False, raw=False, version=u'2.149', no_members=False): AttributeError [Tue Aug 18 11:21:25.198021 2015] [wsgi:error] [pid 10485] ipa: ERROR: non-public: AttributeError: 'DN' object has no attribute 'setdefault' [Tue Aug 18 11:21:25.198053 2015] [wsgi:error] [pid 10485] Traceback (most recent call last): [Tue Aug 18 11:21:25.198058 2015] [wsgi:error] [pid 10485] File /usr/lib/python2.7/site-packages/ipaserver/rpcserver.py, line 347, in wsgi_execute [Tue Aug 18 11:21:25.198062 2015] [wsgi:error] [pid 10485] result = self.Command[name](*args, **options) [Tue Aug 18 11:21:25.198066 2015] [wsgi:error] [pid 10485] File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 443, in __call__ [Tue Aug 18 11:21:25.198070 2015] [wsgi:error] [pid 10485] ret = self.run(*args, **options) [Tue Aug 18 11:21:25.198081 2015] [wsgi:error] [pid 10485] File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 760, in run [Tue Aug 18 11:21:25.198133 2015] [wsgi:error] [pid 10485] return self.execute(*args, **options) [Tue Aug 18 11:21:25.198139 2015] [wsgi:error] [pid 10485] File /usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py, line 1227, in execute [Tue Aug 18 11:21:25.198144 2015] [wsgi:error] [pid 10485] *keys, **options) [Tue Aug 18 11:21:25.198147 2015] [wsgi:error] [pid 10485] File /usr/lib/python2.7/site-packages/ipalib/plugins/stageuser.py, line 373, in pre_callback [Tue Aug 18 11:21:25.198151 2015] [wsgi:error] [pid 10485] attrs_list, *keys, **options) [Tue Aug 18 11:21:25.198155 2015] [wsgi:error] [pid 
10485] File /usr/lib/python2.7/site-packages/ipalib/plugins/stageuser.py, line 277, in set_default_values_pre_callback [Tue Aug 18 11:21:25.198159 2015] [wsgi:error] [pid 10485] entry_attrs.setdefault('description', []) [Tue Aug 18 11:21:25.198163 2015] [wsgi:error] [pid 10485] AttributeError: 'DN' object has no attribute 'setdefault' [Tue Aug 18 11:21:25.199276 2015] [wsgi:error] [pid 10485] ipa: INFO: [jsonserver_session] stage...@abc.idm.lab.eng.brq.redhat.com: stageuser_add(u'tb1', givenname=u't', sn=u'b', cn=u't b', displayname=u't b', initials=u'tb', gecos=u't b', krbprincipalname=u't...@abc.idm.lab.eng.brq.redhat.com', random=False, all=False, raw=False, version=u'2.149', no_members=False): AttributeError The new set_default_values_pre_callback, can not use the set_default function. It is not clear why. entry_attrs is one of pre_callback parameter. Should
Re: [Freeipa-devel] [PATCH 0058] ipa-restore: check whether DS is running before attempting connection
On 08/18/2015 01:16 PM, Alexander Bokovoy wrote: On Tue, 18 Aug 2015, Martin Babinsky wrote: https://fedorahosted.org/freeipa/ticket/4838 -- Martin^3 Babinsky From d86aae6c3fef4dea1afbbdbacbc978afbbfa5fcf Mon Sep 17 00:00:00 2001 From: Martin Babinsky mbabi...@redhat.com Date: Tue, 18 Aug 2015 12:47:46 +0200 Subject: [PATCH] ipa-restore: check whether DS is running before attempting connection https://fedorahosted.org/freeipa/ticket/4838 --- ipaserver/install/ipa_restore.py | 7 +++ 1 file changed, 7 insertions(+) diff --git a/ipaserver/install/ipa_restore.py b/ipaserver/install/ipa_restore.py index 65cb49355a0567446debe9c367aa3c1bc5a12e1c..b69ea90001a6fd03d0fddde8844870d1aa9c3704 100644 --- a/ipaserver/install/ipa_restore.py +++ b/ipaserver/install/ipa_restore.py @@ -410,6 +410,13 @@ class Restore(admintool.AdminTool): ''' Create an ldapi connection and bind to it using autobind as root. ''' +instance_name = installutils.realm_to_serverid(api.env.realm) + +if not services.knownservices.dirsrv.is_running(instance_name): +raise admintool.ScriptError( +directory server instance is not running/configured +) + if self._conn is not None: return self._conn ACK. Pushed to: master: 31776755b47f44f894e4f2bb256aca1c5262b8a8 ipa-4-2: e4b8cffdb4e017874bb7f12a7ca362b927ead67a -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] Regression in client-install [master]
On Tue, 2015-08-18 at 08:55 +0200, Tomas Babej wrote: On 08/18/2015 03:25 AM, Simo Sorce wrote: I see a regression in the client install now that the python-kerberos - python-gssapi patches have landed. Reverting that single patch makes the issue go away, is anyone else seeing this ? Simo. I believe you're talking about https://fedorahosted.org/freeipa/ticket/5225 I can confirm reverting the gssapi patch did solve the issue yesterday (this is obvious, since the exception originates in the python-gssapi code). No I had a completely different backtrace, my client install was correctly pinging the json endpoint and then complaining it couldn't find a negotiate response. Simo. -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0058] ipa-restore: check whether DS is running before attempting connection
On Tue, 18 Aug 2015, Martin Babinsky wrote: https://fedorahosted.org/freeipa/ticket/4838 -- Martin^3 Babinsky From d86aae6c3fef4dea1afbbdbacbc978afbbfa5fcf Mon Sep 17 00:00:00 2001 From: Martin Babinsky mbabi...@redhat.com Date: Tue, 18 Aug 2015 12:47:46 +0200 Subject: [PATCH] ipa-restore: check whether DS is running before attempting connection https://fedorahosted.org/freeipa/ticket/4838 --- ipaserver/install/ipa_restore.py | 7 +++ 1 file changed, 7 insertions(+) diff --git a/ipaserver/install/ipa_restore.py b/ipaserver/install/ipa_restore.py index 65cb49355a0567446debe9c367aa3c1bc5a12e1c..b69ea90001a6fd03d0fddde8844870d1aa9c3704 100644 --- a/ipaserver/install/ipa_restore.py +++ b/ipaserver/install/ipa_restore.py @@ -410,6 +410,13 @@ class Restore(admintool.AdminTool): ''' Create an ldapi connection and bind to it using autobind as root. ''' +instance_name = installutils.realm_to_serverid(api.env.realm) + +if not services.knownservices.dirsrv.is_running(instance_name): +raise admintool.ScriptError( +directory server instance is not running/configured +) + if self._conn is not None: return self._conn ACK. -- / Alexander Bokovoy -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] 911 vault: normalize service principal in service vault, operations
On 18.8.2015 13:07, Petr Vobornik wrote: On 08/18/2015 12:42 PM, Jan Cholasta wrote: Hi, On 18.8.2015 12:38, Petr Vobornik wrote: https://fedorahosted.org/freeipa/ticket/5233 s/normalizer=lambda value: normalize_principal(value)/normalizer=normalize_principal/. Honza Fixed, updated patch attached ACK. Pushed to: master: 76ab7d9bae1a1381af9e7ed51297b00823cce857 ipa-4-2: c38e8c3ceb63673815dcf4269b67075f4b10f5cb -- Jan Cholasta -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] 912 vault: validate vault type
On 18.8.2015 12:52, Petr Vobornik wrote: https://fedorahosted.org/freeipa/ticket/5211 ACK. Pushed to: master: 6941f4eec70456c542fb565405eed02cceb54e10 ipa-4-2: c34b288a69e7859c5153e0f6e8e449ee8fe46eb4 -- Jan Cholasta -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0058] ipa-restore: check whether DS is running before attempting connection
On 08/18/2015 02:05 PM, Jan Cholasta wrote: On 18.8.2015 13:41, Martin Basti wrote: On 08/18/2015 01:16 PM, Alexander Bokovoy wrote: On Tue, 18 Aug 2015, Martin Babinsky wrote: https://fedorahosted.org/freeipa/ticket/4838 -- Martin^3 Babinsky From d86aae6c3fef4dea1afbbdbacbc978afbbfa5fcf Mon Sep 17 00:00:00 2001 From: Martin Babinsky mbabi...@redhat.com Date: Tue, 18 Aug 2015 12:47:46 +0200 Subject: [PATCH] ipa-restore: check whether DS is running before attempting connection https://fedorahosted.org/freeipa/ticket/4838 --- ipaserver/install/ipa_restore.py | 7 +++ 1 file changed, 7 insertions(+) diff --git a/ipaserver/install/ipa_restore.py b/ipaserver/install/ipa_restore.py index 65cb49355a0567446debe9c367aa3c1bc5a12e1c..b69ea90001a6fd03d0fddde8844870d1aa9c3704 100644 --- a/ipaserver/install/ipa_restore.py +++ b/ipaserver/install/ipa_restore.py 
@@ -410,6 +410,13 @@ class Restore(admintool.AdminTool): ''' Create an ldapi connection and bind to it using autobind as root. ''' +instance_name = installutils.realm_to_serverid(api.env.realm) + +if not services.knownservices.dirsrv.is_running(instance_name): +raise admintool.ScriptError( +directory server instance is not running/configured +) + if self._conn is not None: return self._conn ACK. Pushed to: master: 31776755b47f44f894e4f2bb256aca1c5262b8a8 ipa-4-2: e4b8cffdb4e017874bb7f12a7ca362b927ead67a I didn't try, but I'm pretty sure this patch breaks ipa-restore on systems without IPA installed, which was not at all the point of the ticket - the point was to replace the Unable to get connection, skipping disabling agreements: Unable to bind to LDAP server: [Errno 2] No such file or directory error message with something meaningful in such a case. I have just now tested ipa-restore without installed IPA master and it works just fine. The point of my patch was no not even try to connect to DS if the instance is not running/configured and raise an error telling this fact to the user, instead of timing out on connection and then raising a generic exception. So unless I missed something it should be ok. -- Martin^3 Babinsky -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0298] Server Upgrade: start DS before CA is started
On 08/18/2015 07:14 PM, Martin Basti wrote: On 08/18/2015 07:05 PM, Martin Basti wrote: https://fedorahosted.org/freeipa/ticket/5232 Patch attached. Self-NACK, I sent wrong patch The correct patch attached. From 4b2ce935b0f9f6c5fcdb6aa00b55ce2654b09e0f Mon Sep 17 00:00:00 2001 From: Martin Basti mba...@redhat.com Date: Tue, 18 Aug 2015 18:01:09 +0200 Subject: [PATCH] Server Upgrade: Start DS before CA is started. https://fedorahosted.org/freeipa/ticket/5232 --- ipaserver/install/server/upgrade.py | 14 -- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index d7480d7cd5477de389ae044e11beea02a278e7d3..f8a4ff28242dc51c5a9496859d464bbe789a3ce3 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -1328,6 +1328,13 @@ def upgrade_configuration(): raise RuntimeError(ipa-rewrite.conf doesn't exists (is this server?)) # Ok, we are an IPA server, do the additional tests +ds_serverid = installutils.realm_to_serverid(api.env.realm) +ds = dsinstance.DsInstance() + +# start DS, CA will not start without running DS, and cause error +ds_running = ds.is_running() +if not ds_running: +ds.start(ds_serverid) check_certs() @@ -1359,7 +1366,6 @@ def upgrade_configuration(): 'ca.crl.MasterCRL.enableCRLUpdates', '=') sub_dict['CLONE']='#' if crl.lower() == 'true' else '' -ds_serverid = installutils.realm_to_serverid(api.env.realm) ds_dirname = dsinstance.config_dirname(ds_serverid) upgrade_file(sub_dict, paths.HTTPD_IPA_CONF, @@ -1396,7 +1402,6 @@ def upgrade_configuration(): http.change_mod_nss_port_from_http() http.configure_certmonger_renewal_guard() -ds = dsinstance.DsInstance() ds.configure_dirsrv_ccache() # ldap2 connection is not valid after DS restart, close connection otherwise 
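Review bot: The directory server started by the first hunk is only returned to its original state by the `ds_running` / `ds.stop(ds_serverid)` reconciliation in the last hunk at the very end of `upgrade_configuration`, so any exception raised in between (from `check_certs()`, the CA steps, or anything else in the body) leaves a DS running that was stopped before the upgrade began. Wrapping everything between the start and the reconciliation in `try`/`finally`, with the start/stop logic in the `finally` clause, keeps the post-condition on every exit path; the function is far longer than the hunks, so this is a structural change outside them. The comment on the start would also read better as `# The CA cannot start unless DS is running; start DS now and restore its original state once the upgrade is finished.` The earlier revision of this patch quoted later in the digest has the same shape and the same gap.
```python
ds_serverid = installutils.realm_to_serverid(api.env.realm)
ds = dsinstance.DsInstance()

# The CA cannot start unless DS is running; start DS now and
# restore its original state once the upgrade is finished.
ds_running = ds.is_running()
if not ds_running:
    ds.start(ds_serverid)
try:
    check_certs()
    # … unchanged: the remainder of upgrade_configuration, down to
    # set_sssd_domain_option('ipa_server_mode', 'True') …
finally:
    if ds_running and not ds.is_running():
        ds.start(ds_serverid)
    elif not ds_running and ds.is_running():
        ds.stop(ds_serverid)
```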
@@ -1526,6 +1531,11 @@ def upgrade_configuration(): set_sssd_domain_option('ipa_server_mode', 'True') +if ds_running and not ds.is_running(): +ds.start(ds_serverid) +elif not ds_running and ds.is_running(): +ds.stop(ds_serverid) + def upgrade_check(options): try: -- 2.4.3 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [patch 0010] Python list comprehension leak breaking the test execution
On Mon, 17 Aug 2015, Nathaniel McCallum wrote: On Mon, 2015-08-10 at 17:43 +0200, Milan Kubík wrote: Hi all, this patch fixes problem described in the ticket [1] that caused the test run to fail completely at every other or so run. I took the liberty to fix most of the pep8 issues while I was at it. Thanks to Jan Cholasta for help with identifying this one. [1]: https://fedorahosted.org/freeipa/ticket/5192 I think the right answer is to move this to python-cryptography. We already have python-cryptography as a dependency. And in this case the crypto code is pretty well self-contained. Aside from nss database initialization, nss is only used in: * convertAlgorithm() (constants only) * XMLDecryptor (actual decryption code) The migration should be straightforward. It is probably a 1 day task. I could probably tackle it later this week. Should we do this? I think we should -- for FreeIPA 4.3 or 4.4. -- / Alexander Bokovoy -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [PATCH 0298] Server Upgrade: start DS before CA is started
https://fedorahosted.org/freeipa/ticket/5232 Patch attached. From 1f583442cb5c239de84e0f11046baa30d4b12636 Mon Sep 17 00:00:00 2001 From: Martin Basti mba...@redhat.com Date: Tue, 18 Aug 2015 18:01:09 +0200 Subject: [PATCH] Server Upgrade: Start DS before CA is started. https://fedorahosted.org/freeipa/ticket/5232 --- ipaserver/install/server/upgrade.py | 14 -- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index d7480d7cd5477de389ae044e11beea02a278e7d3..0f0fae0103c8d38d19258e662dcb82f6148f2fee 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -1328,6 +1328,13 @@ def upgrade_configuration(): raise RuntimeError(ipa-rewrite.conf doesn't exists (is this server?)) # Ok, we are an IPA server, do the additional tests +ds_serverid = installutils.realm_to_serverid(api.env.realm) +ds = dsinstance.DsInstance() + +# start DS, CA will not start without running DS, and cause error +ds_running = ds.is_running(ds_serverid) +if not ds_running: +ds.start(ds_serverid) check_certs() @@ -1359,7 +1366,6 @@ def upgrade_configuration(): 'ca.crl.MasterCRL.enableCRLUpdates', '=') sub_dict['CLONE']='#' if crl.lower() == 'true' else '' -ds_serverid = installutils.realm_to_serverid(api.env.realm) ds_dirname = dsinstance.config_dirname(ds_serverid) upgrade_file(sub_dict, paths.HTTPD_IPA_CONF, @@ -1396,7 +1402,6 @@ def upgrade_configuration(): http.change_mod_nss_port_from_http() http.configure_certmonger_renewal_guard() -ds = dsinstance.DsInstance() ds.configure_dirsrv_ccache() # ldap2 connection is not valid after DS restart, close connection otherwise 
@@ -1526,6 +1531,11 @@ def upgrade_configuration(): set_sssd_domain_option('ipa_server_mode', 'True') +if ds_running and not ds.is_running(ds_serverid): +ds.start(ds_serverid) +elif not ds_running and ds.is_running(ds_serverid): +ds.stop(ds_serverid) + def upgrade_check(options): try: -- 2.4.3 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] 0035 client: Update DNS with all available local IP addresses.
On 31/07/15 18:31, Martin Basti wrote: On 28/07/15 09:52, David Kupka wrote: On 27/07/15 16:45, David Kupka wrote: On 15/01/15 17:13, David Kupka wrote: On 01/15/2015 03:22 PM, David Kupka wrote: On 01/15/2015 12:43 PM, David Kupka wrote: On 01/12/2015 06:34 PM, Martin Basti wrote: On 09/01/15 14:43, David Kupka wrote: On 01/07/2015 04:15 PM, Martin Basti wrote: On 07/01/15 12:27, David Kupka wrote: https://fedorahosted.org/freeipa/ticket/4249 Thank you for patch: 1) -root_logger.error(Cannot update DNS records! - Failed to connect to server '%s'., server) +ips = get_local_ipaddresses() +except CalledProcessError as e: +root_logger.error(Cannot update DNS records. %s % e) IMO the error message should be more specific, add there something like Unable to get local IP addresses. at least in log.debug() 2) +lines = ipresult[0].replace('\\', '').split('\n') .replace() is not needed 3) +if len(ips) == 0: if not ips: is more pythonic by PEP8 Thanks for catching these. Updated patch attached. merciful NACK Thank you for the patch, unfortunately I hit one issue which needs to be resolved. If sync PTR is activated in zone settings, and reverse zone doesn't exists, nsupdate/BIND returns SERVFAIL and ipa-client-install print Error message, 'DNS update failed'. In fact, all A/ records was succesfully updated, only PTR records failed. Bind log: named-pkcs11[28652]: updating zone 'example.com/IN': adding an RR at 'vm-101.example.com' named-pkcs11[28652]: PTR record synchronization (addition) for A/ 'vm-101.example.com.' refused: unable to find active reverse zone for IP address '2620:52:0:104c:21a:4aff:fe10:4eaa': not found With IPv6 we have several addresses from different reverse zones and this situation may happen often. I suggest following: 1) Print list of addresses which will be updated. (Now if update fails, user needs to read log, which addresses installer tried to update) 2) Split nsupdates per A/ record. 
3a) If it failed, check with a DNS query whether the A/ and PTR records are there and print a proper error message 3b) Just print that the A/ (or PTR) record may not have been updated for a particular IP address. Any other suggestions are welcome. After a long discussion with the DNS and UX gurus I've implemented it this way: 1. Call nsupdate only once with all updates. 2. Verify that the expected records are resolvable. 3. If not, print the list of missing A/ records, the list of missing PTR records and the list of mismatched PTR records. As this is running inside the client we can't do much more, and it's up to the user to check what's rotten in his DNS setup. Updated patch attached. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel One more change to behave well in -crazy- exotic environments that resolve more PTR records for a single IP. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel Yet another change to make language nerds and our UX guru happy :-) ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel Rebased patch attached. Updated patch attached. Just for the record, this patch is for dual-stack/IPv6 support. IMO this ticket also requires fixing ipa-join to support IPv6. I still have doubts about having multihomed support as the default; this may be an unexpected change of ipa-client-install behavior. I know it is hard to detect which addresses the user wants to register in IPA without a crystal ball, but it should not be impossible :-) . 
I propose the following solution: add new options: --multihomed or --all-ip-address - all IP addresses of the client will be used --ip-address - address which will be registered on the (IPA) DNS server --ip-address-interface - interface from which the address will be registered 0) without any option specified, the current behavior will be used + IPv6 * detect which address is used to communicate with the IPA server * detect the interface this address belongs to * use the IPv4 and all IPv6 addresses of this interface * if --enable-dns-updates=true: configure SSSD as it is configured now: automatically detect which address is used + patched SSSD will also update the proper IPv6 address 1) --multihomed or --all-ip-addresses (this is the multihomed ticket) * all addresses will be used * if --enable-dns-updates=true: SSSD will be configured to send all ip_addresses 2) --ip-address option specified: * only the specified addresses will be used (+ check that these addresses exist locally) * if --enable-dns-updates=true: ERROR, dynamic updates may change this address (the user should choose static vs dynamic) 3) --ip-address-interface option specified: * only addresses from the specified interfaces will be used * if --enable-dns-updates=true: SSSD will be configured to
Re: [Freeipa-devel] [PATCH 0060] user-undel: Fix error messages.
On 08/17/2015 03:39 PM, David Kupka wrote: On 14/08/15 17:18, Martin Basti wrote: On 08/13/2015 08:17 AM, David Kupka wrote: https://fedorahosted.org/freeipa/ticket/5207 Requires patch freeipa-jcholast-471.1. NACK This patch causes internal server error ipa user-del user --preserve [Fri Aug 14 17:16:13.691565 2015] [wsgi:error] [pid 3210] ipa: ERROR: non-public: TypeError: %d format: a number is required, not str [Fri Aug 14 17:16:13.691605 2015] [wsgi:error] [pid 3210] Traceback (most recent call last): [Fri Aug 14 17:16:13.691610 2015] [wsgi:error] [pid 3210] File /usr/lib/python2.7/site-packages/ipaserver/rpcserver.py, line 347, in wsgi_execute [Fri Aug 14 17:16:13.691614 2015] [wsgi:error] [pid 3210] result = self.Command[name](*args, **options) [Fri Aug 14 17:16:13.691618 2015] [wsgi:error] [pid 3210] File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 457, in __call__ [Fri Aug 14 17:16:13.691622 2015] [wsgi:error] [pid 3210] self.validate_output(ret, options['version']) [Fri Aug 14 17:16:13.691626 2015] [wsgi:error] [pid 3210] File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 950, in validate_output [Fri Aug 14 17:16:13.691630 2015] [wsgi:error] [pid 3210] o.validate(self, value, version) [Fri Aug 14 17:16:13.691634 2015] [wsgi:error] [pid 3210] File /usr/lib/python2.7/site-packages/ipalib/output.py, line 151, in validate [Fri Aug 14 17:16:13.691638 2015] [wsgi:error] [pid 3210] types[0], type(value), value)) [Fri Aug 14 17:16:13.691642 2015] [wsgi:error] [pid 3210] TypeError: %d format: a number is required, not str [Fri Aug 14 17:16:13.692063 2015] [wsgi:error] [pid 3210] ipa: INFO: [jsonserver_session] ad...@example.com: user_del((u'user',), continue=False, preserve=True, version=u'2.148'): TypeError (END) Thanks for catching this. Updated patch attached. 
ACK Pushed to: master: 65b8c622070f61ad01a2a1706564911620b022bc ipa-4-2: 6005dfb5857af5ae46efd2984b06a9a35efb7917 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] 0039 Prohibit deletion of included profiles
On 08/13/2015 12:09 PM, Fraser Tweedale wrote: On Thu, Aug 13, 2015 at 12:31:27PM +0300, Alexander Bokovoy wrote: On Thu, 13 Aug 2015, Fraser Tweedale wrote: On Thu, Aug 13, 2015 at 12:01:09PM +0300, Alexander Bokovoy wrote: On Thu, 13 Aug 2015, Fraser Tweedale wrote: On Thu, Aug 13, 2015 at 09:53:35AM +0300, Alexander Bokovoy wrote: On Thu, 13 Aug 2015, Fraser Tweedale wrote: The attached patch fixes https://fedorahosted.org/freeipa/ticket/5198 Thanks, Fraser From 0dd316bf0cbab7b6701bd69f142e82b30bee25b8 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale ftwee...@redhat.com Date: Thu, 13 Aug 2015 02:32:54 -0400 Subject: [PATCH] Prohibit deletion of included profiles Deletion of included profiles, including the default profile, should not be allowed. Detect this case and raise an error. Also update the included profiles collection to use namedtuple, making it easier to access the various components. Fixes: https://fedorahosted.org/freeipa/ticket/5198 --- ipalib/plugins/certprofile.py | 13 +++-- ipapython/dogtag.py | 8 +--- 2 files changed, 16 insertions(+), 5 deletions(-) diff --git a/ipalib/plugins/certprofile.py b/ipalib/plugins/certprofile.py index 1dd4f403ee4461b83c053eb36019a8896506bb81..03bdd28728dc864adcd7305ddbff34a23405e78f 100644 --- a/ipalib/plugins/certprofile.py +++ b/ipalib/plugins/certprofile.py @@ -3,6 +3,7 @@ # import re +from operator import attrgetter from ipalib import api, Bool, File, Str from ipalib import output, util @@ -14,6 +15,7 @@ from ipalib.plugins.baseldap import ( from ipalib.request import context from ipalib import ngettext from ipalib.text import _ +from ipapython.dogtag import INCLUDED_PROFILES from ipapython.version import API_VERSION from ipalib import errors 
@@ -287,9 +289,16 @@ class certprofile_del(LDAPDelete): __doc__ = _(Delete a Certificate Profile.) msg_summary = _('Deleted profile %(value)s') -def execute(self, *args, **kwargs): +def pre_callback(self, ldap, dn, *keys, **options): ca_enabled_check() -return super(certprofile_del, self).execute(*args, **kwargs) + +if keys[0] in map(attrgetter('profile_id'), INCLUDED_PROFILES): +raise errors.ValidationError(name='profile_id', +error=_(Included profile '%(profile_id)s' cannot be deleted) +% {'profile_id': keys[0]} +) + +return dn I think you also want to protect the included profiles from renaming. This is already the case. I'm also wondering about certprofile-mod changing the profile content and changing profileID there to point to existing profile. Would this affect CA operation? Renaming profile / changing profile-id / pointing it to a different profile is not possible. Changing profile content *is* currently possible. Given that we have custom profiles now, there is an argument to be made that we should prevent profile-mod for updating the Dogtag configuration of predefined profiles. If we did that, we would probably also want to allow admins to change which is the default profile, i.e. changing the default to some custom profile they added. And if we did that, then perhaps we should let them specify a different default profile for users vs hosts/services! How deep does this rabbit hole go? :) All the above makes sense and should be done in terms of proper hardening and usability fixes. I don't think it is a bottomless hole, though, just a normal work we have to do to make certificate profiles nice and usable :) Right; I'll file tickets for these explored regions of the hole, and leave the unexplored depths for another day. 
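Review bot: The membership test in the new pre_callback rebuilds the list of included profile ids on every delete with `map(attrgetter('profile_id'), INCLUDED_PROFILES)`; since INCLUDED_PROFILES is a module-level constant, compute the ids once, `INCLUDED_PROFILE_IDS = frozenset(p.profile_id for p in INCLUDED_PROFILES)` at module level and `if keys[0] in INCLUDED_PROFILE_IDS:` here, which also reads as a set lookup instead of a list scan. Placing the guard in pre_callback is the right choice because it rejects the request before the LDAP delete runs, so the Dogtag side is never reached for a built-in profile; a one-line comment would make that intent explicit, `# built-in (included) profiles, including the default, must never be removed`. The class certprofile_del starts outside the hunk, and the ipapython/dogtag.py side of the patch that defines the profile_id field is not shown here.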
-- / Alexander Bokovoy Pushed to: ipa-4-2: 9ca156c85919108d0c13718384dc196075364398 master: 27988f1b836874d6b1df0659bc95390636caeb78 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0297] ULC: add user-stage command
Thank you for the patch, I checked it, I just changed permission name to have all first letters in uppercase as others. Updated merged patch attached. On 08/18/2015 05:34 PM, thierry bordaz wrote: On 08/18/2015 04:13 PM, thierry bordaz wrote: On 08/18/2015 04:04 PM, Martin Basti wrote: On 08/18/2015 03:49 PM, thierry bordaz wrote: On 08/18/2015 03:06 PM, Martin Basti wrote: On 08/18/2015 11:32 AM, thierry bordaz wrote: On 08/18/2015 10:02 AM, Martin Basti wrote: On 08/18/2015 09:59 AM, thierry bordaz wrote: On 08/18/2015 09:55 AM, Martin Basti wrote: On 08/18/2015 09:50 AM, thierry bordaz wrote: On 08/17/2015 08:33 PM, Martin Basti wrote: Hello, the 'user-stage' command replaces 'stageuser-add --from-delete' command. https://fedorahosted.org/freeipa/ticket/5041 Thierry can you check If I don't break everything, it works for me, but the one never knows. Honza can you please check the framework side? I use self.api.Object.stageuser.add.* in user command, I'm not sure if this is right way, but it works. Patch attached. I created it in hurry, I'm expecting NACK :D Just question at the end: should I implement way Active user - stageuser? IMHO it would be implemented internally by calling 'user-del --preserve' inside 'user-stage'. Hi Martin, There is a small failure with VERSION (edewata pushed his patch first ;-) ) git apply -v /tmp/freeipa-mbasti-0297-Add-user-stage-command.patch Checking patch API.txt... Checking patch VERSION... error: while searching for: # # IPA_API_VERSION_MAJOR=2 IPA_API_VERSION_MINOR=148 # Last change: ftweedal - add --out option to user-show error: patch failed: VERSION:90 error: VERSION: patch does not apply Checking patch ipalib/plugins/stageuser.py... Checking patch ipalib/plugins/user.py... There is many pending patches that may change VERSION number, I will change it to right one before push. Does code looks good for you? Hi Martin, Just a question, there is no additional permission. Did you test being 'admin' ? 
thanks theirry No I didn't,. I preserver all permission, the original permissions should work. Martin Hi Martin, Running a test script, I have an issue with ipa stageuser-add --first=t --last=b tb1 ipa: ERROR: an internal error has occurred [Tue Aug 18 11:16:56.440658 2015] [wsgi:error] [pid 10486] ipa: INFO: [jsonserver_kerb] stage...@abc.idm.lab.eng.brq.redhat.com: stageuser_add(u'tb1', givenname=u't', sn=u'b', cn=u't b', displayname=u't b', initials=u'tb', gecos=u't b', krbprincipalname=u't...@abc.idm.lab.eng.brq.redhat.com', random=False, all=False, raw=False, version=u'2.149', no_members=False): AttributeError [Tue Aug 18 11:21:25.198021 2015] [wsgi:error] [pid 10485] ipa: ERROR: non-public: AttributeError: 'DN' object has no attribute 'setdefault' [Tue Aug 18 11:21:25.198053 2015] [wsgi:error] [pid 10485] Traceback (most recent call last): [Tue Aug 18 11:21:25.198058 2015] [wsgi:error] [pid 10485] File /usr/lib/python2.7/site-packages/ipaserver/rpcserver.py, line 347, in wsgi_execute [Tue Aug 18 11:21:25.198062 2015] [wsgi:error] [pid 10485] result = self.Command[name](*args, **options) [Tue Aug 18 11:21:25.198066 2015] [wsgi:error] [pid 10485] File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 443, in __call__ [Tue Aug 18 11:21:25.198070 2015] [wsgi:error] [pid 10485] ret = self.run(*args, **options) [Tue Aug 18 11:21:25.198081 2015] [wsgi:error] [pid 10485] File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 760, in run [Tue Aug 18 11:21:25.198133 2015] [wsgi:error] [pid 10485] return self.execute(*args, **options) [Tue Aug 18 11:21:25.198139 2015] [wsgi:error] [pid 10485] File /usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py, line 1227, in execute [Tue Aug 18 11:21:25.198144 2015] [wsgi:error] [pid 10485] *keys, **options) [Tue Aug 18 11:21:25.198147 2015] [wsgi:error] [pid 10485] File /usr/lib/python2.7/site-packages/ipalib/plugins/stageuser.py, line 373, in pre_callback [Tue Aug 18 11:21:25.198151 2015] [wsgi:error] [pid 
10485] attrs_list, *keys, **options) [Tue Aug 18 11:21:25.198155 2015] [wsgi:error] [pid 10485] File /usr/lib/python2.7/site-packages/ipalib/plugins/stageuser.py, line 277, in set_default_values_pre_callback [Tue Aug 18 11:21:25.198159 2015] [wsgi:error] [pid 10485] entry_attrs.setdefault('description', []) [Tue Aug 18 11:21:25.198163 2015] [wsgi:error] [pid 10485] AttributeError: 'DN' object has no attribute 'setdefault' [Tue Aug 18 11:21:25.199276 2015] [wsgi:error] [pid 10485] ipa: INFO: [jsonserver_session] stage...@abc.idm.lab.eng.brq.redhat.com: stageuser_add(u'tb1',
Re: [Freeipa-devel] [PATCH 0059] improve the handling of krb5-related errors in dnssec daemons
On 08/18/2015 06:41 PM, Martin Babinsky wrote: This patch fixes https://fedorahosted.org/freeipa/ticket/5229 and also improves the handling of Kerberos errors in other DNSSEC daemons. -- Martin^3 Babinsky Pushed to: ipa-4-2: a9f010fc286bee163601cbf0b512c6170501a1e9 master: 3506938a75cd189d137332f1f71ac469a9d6036e -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [PATCH 475] vault: Fix vault-find with criteria
Hi, the attached patch fixes https://fedorahosted.org/freeipa/ticket/5212. Honza -- Jan Cholasta From 6d6a8bc20fc83788b14696ad731ed0dd579acf30 Mon Sep 17 00:00:00 2001 From: Jan Cholasta jchol...@redhat.com Date: Tue, 18 Aug 2015 21:11:52 +0200 Subject: [PATCH] vault: Fix vault-find with criteria https://fedorahosted.org/freeipa/ticket/5212 --- ipalib/plugins/vault.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipalib/plugins/vault.py b/ipalib/plugins/vault.py index 4d430ee..ff021a6 100644 --- a/ipalib/plugins/vault.py +++ b/ipalib/plugins/vault.py @@ -802,7 +802,7 @@ class vault_find(LDAPSearch): raise errors.InvocationError( format=_('KRA service is not enabled')) -base_dn = self.obj.get_dn(*args, **options) +base_dn = self.obj.get_dn(None, **options) return (filter, base_dn, scope) -- 2.4.3 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
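Review bot: The new call `self.obj.get_dn(None, **options)` replaces the vault-name key with a bare `None` and gives no hint why; vault-find's positional argument is a search criteria string, not a vault name, so it presumably must not be treated as a key, and that reasoning belongs next to the call: `# vault-find's positional arg is a search criteria, not a vault name; pass None so get_dn() resolves only the container from the service/shared/user options`. Whether get_dn accepts None as its first key is not visible in this hunk, so confirm that before landing the comment. The enclosing method (it returns `(filter, base_dn, scope)`, so presumably the LDAPSearch pre_callback) starts outside the hunk.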
Re: [Freeipa-devel] [PATCH 0298] Server Upgrade: start DS before CA is started
On 08/18/2015 07:05 PM, Martin Basti wrote: https://fedorahosted.org/freeipa/ticket/5232 Patch attached. Self-NACK, I sent the wrong patch -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [PATCH 476] vault: Add container information to vault command results
Hi, the attached patch fixes part of https://fedorahosted.org/freeipa/ticket/5150. Christian is working on a fix for the other part of the ticket. Honza -- Jan Cholasta From a6095d43ca0df96b349c0fb9f3d69db12569a62c Mon Sep 17 00:00:00 2001 From: Jan Cholasta jchol...@redhat.com Date: Tue, 18 Aug 2015 21:44:13 +0200 Subject: [PATCH] vault: Add container information to vault command results https://fedorahosted.org/freeipa/ticket/5150 --- ipalib/plugins/vault.py | 44 1 file changed, 44 insertions(+) diff --git a/ipalib/plugins/vault.py b/ipalib/plugins/vault.py index 4d430ee..c379118 100644 --- a/ipalib/plugins/vault.py +++ b/ipalib/plugins/vault.py @@ -322,6 +322,21 @@ class vault(LDAPObject): label=_('Failed owners'), flags=['no_create', 'no_update', 'no_search'], ), +Str( +'service?', +label=_('Vault service'), +flags={'virtual_attribute', 'no_create', 'no_update', 'no_search'}, +), +Flag( +'shared?', +label=_('Shared vault'), +flags={'virtual_attribute', 'no_create', 'no_update', 'no_search'}, +), +Str( +'username?', +label=_('Vault user'), +flags={'virtual_attribute', 'no_create', 'no_update', 'no_search'}, +), ) def get_dn(self, *keys, **options): @@ -523,6 +538,17 @@ class vault(LDAPObject): raise errors.AuthenticationError( message=_('Invalid credentials')) +def get_container_attribute(self, entry, options): +if options.get('raw', False): +return +container_dn = DN(self.container_dn, self.api.env.basedn) +if entry.dn.endswith(DN(('cn', 'services'), container_dn)): +entry['service'] = entry.dn[1]['cn'] +elif entry.dn.endswith(DN(('cn', 'shared'), container_dn)): +entry['shared'] = True +elif entry.dn.endswith(DN(('cn', 'users'), container_dn)): +entry['username'] = entry.dn[1]['cn'] + @register() class vault_add(PKQuery, Local): @@ -738,6 +764,10 @@ class vault_add_internal(LDAPCreate): return dn +def post_callback(self, ldap, dn, entry, *keys, **options): +self.obj.get_container_attribute(entry, options) +return dn + @register() class vault_del(LDAPDelete): 
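Review bot: get_container_attribute mutates `entry` in place and returns nothing, yet its name reads like an accessor; either rename it (e.g. `set_container_attribute`) or give it a docstring stating the contract, along the lines of "Add the virtual service/shared/username attribute to entry according to which vault container its DN lies under; no-op when options['raw'] is set." The `entry.dn[1]['cn']` lookups assume the entry sits directly beneath a per-owner container (`cn=<vault>,cn=<owner>,cn=services|users,...`); if a search could ever return the owner container itself, `endswith` would still match and index 1 would yield `services` or `users` as the owner name — presumably the vault objectclass filter prevents that, but a comment stating the assumption is cheap. The four post_callback wrappers (vault_add_internal here, vault_find, vault_mod, vault_show and VaultModMember in the following hunks) are identical one-line forwards and need no separate note. The class vault starts outside the hunk.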
@@ -806,6 +836,11 @@ class vault_find(LDAPSearch): return (filter, base_dn, scope) +def post_callback(self, ldap, entries, truncated, *args, **options): +for entry in entries: +self.obj.get_container_attribute(entry, options) +return truncated + def exc_callback(self, args, options, exc, call_func, *call_args, **call_kwargs): if call_func.__name__ == 'find_entries': @@ -836,6 +871,10 @@ class vault_mod(LDAPUpdate): return dn +def post_callback(self, ldap, dn, entry_attrs, *keys, **options): +self.obj.get_container_attribute(entry_attrs, options) +return dn + @register() class vault_show(LDAPRetrieve): @@ -854,6 +893,10 @@ class vault_show(LDAPRetrieve): return dn +def post_callback(self, ldap, dn, entry_attrs, *keys, **options): +self.obj.get_container_attribute(entry_attrs, options) +return dn + @register() class vaultconfig(Object): @@ -1452,6 +1495,7 @@ class VaultModMember(LDAPModMember): def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options): for fail in failed.itervalues(): fail['services'] = fail.pop('service', []) +self.obj.get_container_attribute(entry_attrs, options) return completed, dn -- 2.4.3 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] 0035 client: Update DNS with all available local IP addresses.
On 08/18/2015 08:02 PM, David Kupka wrote: On 31/07/15 18:31, Martin Basti wrote: On 28/07/15 09:52, David Kupka wrote: On 27/07/15 16:45, David Kupka wrote: On 15/01/15 17:13, David Kupka wrote: On 01/15/2015 03:22 PM, David Kupka wrote: On 01/15/2015 12:43 PM, David Kupka wrote: On 01/12/2015 06:34 PM, Martin Basti wrote: On 09/01/15 14:43, David Kupka wrote: On 01/07/2015 04:15 PM, Martin Basti wrote: On 07/01/15 12:27, David Kupka wrote: https://fedorahosted.org/freeipa/ticket/4249 Thank you for patch: 1) -root_logger.error(Cannot update DNS records! - Failed to connect to server '%s'., server) +ips = get_local_ipaddresses() +except CalledProcessError as e: +root_logger.error(Cannot update DNS records. %s % e) IMO the error message should be more specific, add there something like Unable to get local IP addresses. at least in log.debug() 2) +lines = ipresult[0].replace('\\', '').split('\n') .replace() is not needed 3) +if len(ips) == 0: if not ips: is more pythonic by PEP8 Thanks for catching these. Updated patch attached. merciful NACK Thank you for the patch, unfortunately I hit one issue which needs to be resolved. If sync PTR is activated in zone settings, and reverse zone doesn't exists, nsupdate/BIND returns SERVFAIL and ipa-client-install print Error message, 'DNS update failed'. In fact, all A/ records was succesfully updated, only PTR records failed. Bind log: named-pkcs11[28652]: updating zone 'example.com/IN': adding an RR at 'vm-101.example.com' named-pkcs11[28652]: PTR record synchronization (addition) for A/ 'vm-101.example.com.' refused: unable to find active reverse zone for IP address '2620:52:0:104c:21a:4aff:fe10:4eaa': not found With IPv6 we have several addresses from different reverse zones and this situation may happen often. I suggest following: 1) Print list of addresses which will be updated. (Now if update fails, user needs to read log, which addresses installer tried to update) 2) Split nsupdates per A/ record. 
3a) If failed, check with DNS query if A/ and PTR record are there and print proper error message 3b) Just print A/ (or PTR) record may not be updated for particular IP address. Any other suggestions are welcome. After long discussion with DNS and UX guru I've implemented it this way: 1. Call nsupdate only once with all updates. 2. Verify that the expected records are resolvable. 3. If no print list of missing A/, list of missing PTR records and list to mismatched PTR record. As this is running inside client we can't much more and it's up to user to check what's rotten in his DNS setup. Updated patch attached. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel One more change to behave well in -crazy- exotic environments that resolves more PTR records for single IP. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel Yet another change to make language nerds and our UX guru happy :-) ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel Rebased patch attached. Updated patch attached. Just for record this patch is for dualstack/IPv6 support. IMO this ticket also requires to fix ipa-join to support IPv6. I still have doubts to have multihomed support as default, this may be unexpected change of ipa-client-install behavior. I know, is hard to detect which addresses user want to register in IPA without crystal ball, but it should not be impossible :-) . 
I propose following solution: To add new options: --multihomed or --all-ip-address - all IP addresses from client will be used --ip-address - adress which will be registered on (IPA) DNS server --ip-address-interface - interface from which address will be registered 0) without any option specified, current behavior will be used + IPv6 * detect which address is used to communicate with IPA server * detect interface where this address belongs * use ipv4 and all ipv6 addresses of this interface * if --enable-dns-updates=true: configure SSSD as is configured now: automatically detect which address is used + patched SSSD will also updates proper IPv6 address 1) --multihomed or --all-ip-addresses (this is multihomed ticket) * all adresses will be used * if --enable-dns-updates=true: SSSD will be configured to send all ip_addresses 2) --ip-address option specified: * only specified addresses will be used (+ check if this addresses exist locally) * if --enable-dns-updates=true: ERROR dynamic updates may change this address (user should choose static vs dynamic) 3) --ip-address-interface option specified: * only addresses from specified interfaces will be used * if
Re: [Freeipa-devel] [PATCH 0059] improve the handling of krb5-related errors in dnssec daemons
On 08/18/2015 09:13 PM, Martin Basti wrote: On 08/18/2015 06:41 PM, Martin Babinsky wrote: This patch fixes https://fedorahosted.org/freeipa/ticket/5229 and also improves the handling of Kerberos errors in other DNSSEC daemons. -- Martin^3 Babinsky Pushed to: ipa-4-2: a9f010fc286bee163601cbf0b512c6170501a1e9 master: 3506938a75cd189d137332f1f71ac469a9d6036e I forgot to write ACK, so ACK. -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] 374 Fixed vault container ownership.
On 08/13/2015 05:24 PM, Endi Sukma Dewata wrote: On 8/13/2015 9:18 AM, Martin Basti wrote: The vault-add command has been fixed such that if the user/service private vault container does not exist yet it will be created and owned by the user/service instead of the vault creator. https://fedorahosted.org/freeipa/ticket/5194 I cannot apply this patch, are there any additional required patches? I have current ipa master branch git am freeipa-edewata-0374-Fixed-vault-container-ownership.patch -3 Applying: Fixed vault container ownership. error: invalid object 100644 427b1ea1588af2fb09a99181b8773abdf8099b8d for 'ipalib/plugins/vault.py' fatal: git-write-tree: error building trees Repository lacks necessary blobs to fall back on 3-way merge. Cannot fall back to three-way merge. Rebased. This patch doesn't have any dependency. ACK Pushed to master: 419754b1c11139435ae5b5082a51026da0d5e730 Pushed to ipa-4-2: e110f6da2f42c4cd52ae73c7aad2421559da56a2 -- Petr Vobornik -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [PATCH] 911 vault: normalize service principal in service vault operations
https://fedorahosted.org/freeipa/ticket/5233 -- Petr Vobornik From 74a37069b5c8a7aece1030bc34bfde89401922c8 Mon Sep 17 00:00:00 2001 From: Petr Vobornik pvobo...@redhat.com Date: Tue, 18 Aug 2015 12:14:36 +0200 Subject: [PATCH] vault: normalize service principal in service vault operations https://fedorahosted.org/freeipa/ticket/5233 --- ipalib/plugins/vault.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ipalib/plugins/vault.py b/ipalib/plugins/vault.py index 88c63071f04462aa240a70d3a3eeac2d04e66062..adccf2727967bd1a4bf1d16b69b6c8c9ca333ae1 100644 --- a/ipalib/plugins/vault.py +++ b/ipalib/plugins/vault.py @@ -47,6 +47,7 @@ from ipalib.plugins.baseldap import LDAPObject, LDAPCreate, LDAPDelete,\ LDAPModMember, pkey_to_value from ipalib.request import context from ipalib.plugins.user import split_principal +from ipalib.plugins.service import normalize_principal from ipalib import _, ngettext from ipaplatform.paths import paths from ipapython.dn import DN @@ -214,6 +215,7 @@ vault_options = ( Str( 'service?', doc=_('Service name of the service vault'), +normalizer=lambda value: normalize_principal(value), ), Flag( 'shared?', -- 2.4.3 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
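Review bot: `normalizer=lambda value: normalize_principal(value)` wraps the function in a lambda that only forwards its single argument; `normalizer=normalize_principal` is equivalent and shorter. A short comment saying which canonical form normalize_principal produces would help the reader, since the `service?` option is used to locate the service vault and the normalization rule is not visible in this hunk. The vault_options tuple starts outside the hunk.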
Re: [Freeipa-devel] cert profiles - test plan + patches
On 08/11/2015 03:17 AM, Fraser Tweedale wrote: On Mon, Aug 10, 2015 at 11:36:31AM +0200, Milan Kubík wrote: On 08/05/2015 02:57 PM, Milan Kubík wrote: Hi list, I'm sending the test plan [1] for certificate profiles and preliminary patches for it. The plan covers basic CRUD test and some corner cases. I'm open to more suggestions. More complicated tests involving certificate profiles will require the code (and tests) for CA ACLs merged, so it's not there at the moment. There are some unfinished test cases in places I wasn't sure what the result should be. We need to iterate through these to fix it. [1]: http://www.freeipa.org/page/V4/Certificate_Profiles/Test_Plan Cheers, Milan Hi all, have you had some time to look at the code and proposal? Today I want to write a basic CRUD test for the ACLs as well as a few test cases to check if the ACL is being enforced. It should make it into wiki today or by tomorrow. I'll send an update then. Cheers, Milan Hi Milan, I have reviewed the V4/Certificate_Profiles/Test_Plan. Couple of comments: - Test case: Import profile with incorrect values - Expected result: refused with error. - A simple way to provoke this condition is to add a number to ``policyset.serverCertSet.list``. - A similar test case should exist for certprofile-mod. - Test case: Delete default profile - As discussed elsewhere, expected result should be failure. I filed ticket #5198 to make it so :) I will review the patch soon. Cheers, Fraser Hello, how is the review going? I'd like to have at least the tracker (patch 0008) reviewed (and merged :) if possible. It will be needed in CA ACL tests. Cheers, Milan -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0297] ULC: add user-stage command
On 08/18/2015 04:04 PM, Martin Basti wrote: On 08/18/2015 03:49 PM, thierry bordaz wrote: On 08/18/2015 03:06 PM, Martin Basti wrote: On 08/18/2015 11:32 AM, thierry bordaz wrote: On 08/18/2015 10:02 AM, Martin Basti wrote: On 08/18/2015 09:59 AM, thierry bordaz wrote: On 08/18/2015 09:55 AM, Martin Basti wrote: On 08/18/2015 09:50 AM, thierry bordaz wrote: On 08/17/2015 08:33 PM, Martin Basti wrote: Hello, the 'user-stage' command replaces 'stageuser-add --from-delete' command. https://fedorahosted.org/freeipa/ticket/5041 Thierry can you check If I don't break everything, it works for me, but the one never knows. Honza can you please check the framework side? I use self.api.Object.stageuser.add.* in user command, I'm not sure if this is right way, but it works. Patch attached. I created it in hurry, I'm expecting NACK :D Just question at the end: should I implement way Active user - stageuser? IMHO it would be implemented internally by calling 'user-del --preserve' inside 'user-stage'. Hi Martin, There is a small failure with VERSION (edewata pushed his patch first ;-) ) git apply -v /tmp/freeipa-mbasti-0297-Add-user-stage-command.patch Checking patch API.txt... Checking patch VERSION... error: while searching for: # # IPA_API_VERSION_MAJOR=2 IPA_API_VERSION_MINOR=148 # Last change: ftweedal - add --out option to user-show error: patch failed: VERSION:90 error: VERSION: patch does not apply Checking patch ipalib/plugins/stageuser.py... Checking patch ipalib/plugins/user.py... There is many pending patches that may change VERSION number, I will change it to right one before push. Does code looks good for you? Hi Martin, Just a question, there is no additional permission. Did you test being 'admin' ? thanks theirry No I didn't,. I preserver all permission, the original permissions should work. 
Martin Hi Martin, Running a test script, I have an issue with ipa stageuser-add --first=t --last=b tb1 ipa: ERROR: an internal error has occurred [Tue Aug 18 11:16:56.440658 2015] [wsgi:error] [pid 10486] ipa: INFO: [jsonserver_kerb] stage...@abc.idm.lab.eng.brq.redhat.com: stageuser_add(u'tb1', givenname=u't', sn=u'b', cn=u't b', displayname=u't b', initials=u'tb', gecos=u't b', krbprincipalname=u't...@abc.idm.lab.eng.brq.redhat.com', random=False, all=False, raw=False, version=u'2.149', no_members=False): AttributeError [Tue Aug 18 11:21:25.198021 2015] [wsgi:error] [pid 10485] ipa: ERROR: non-public: AttributeError: 'DN' object has no attribute 'setdefault' [Tue Aug 18 11:21:25.198053 2015] [wsgi:error] [pid 10485] Traceback (most recent call last): [Tue Aug 18 11:21:25.198058 2015] [wsgi:error] [pid 10485] File /usr/lib/python2.7/site-packages/ipaserver/rpcserver.py, line 347, in wsgi_execute [Tue Aug 18 11:21:25.198062 2015] [wsgi:error] [pid 10485] result = self.Command[name](*args, **options) [Tue Aug 18 11:21:25.198066 2015] [wsgi:error] [pid 10485] File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 443, in __call__ [Tue Aug 18 11:21:25.198070 2015] [wsgi:error] [pid 10485] ret = self.run(*args, **options) [Tue Aug 18 11:21:25.198081 2015] [wsgi:error] [pid 10485] File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 760, in run [Tue Aug 18 11:21:25.198133 2015] [wsgi:error] [pid 10485] return self.execute(*args, **options) [Tue Aug 18 11:21:25.198139 2015] [wsgi:error] [pid 10485] File /usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py, line 1227, in execute [Tue Aug 18 11:21:25.198144 2015] [wsgi:error] [pid 10485] *keys, **options) [Tue Aug 18 11:21:25.198147 2015] [wsgi:error] [pid 10485] File /usr/lib/python2.7/site-packages/ipalib/plugins/stageuser.py, line 373, in pre_callback [Tue Aug 18 11:21:25.198151 2015] [wsgi:error] [pid 10485] attrs_list, *keys, **options) [Tue Aug 18 11:21:25.198155 2015] [wsgi:error] [pid 
10485] File /usr/lib/python2.7/site-packages/ipalib/plugins/stageuser.py, line 277, in set_default_values_pre_callback [Tue Aug 18 11:21:25.198159 2015] [wsgi:error] [pid 10485] entry_attrs.setdefault('description', []) [Tue Aug 18 11:21:25.198163 2015] [wsgi:error] [pid 10485] AttributeError: 'DN' object has no attribute 'setdefault' [Tue Aug 18 11:21:25.199276 2015] [wsgi:error] [pid 10485] ipa: INFO: [jsonserver_session] stage...@abc.idm.lab.eng.brq.redhat.com: stageuser_add(u'tb1', givenname=u't', sn=u'b', cn=u't b', displayname=u't b', initials=u'tb', gecos=u't b', krbprincipalname=u't...@abc.idm.lab.eng.brq.redhat.com', random=False, all=False, raw=False, version=u'2.149', no_members=False): AttributeError The new
Re: [Freeipa-devel] [PATCH 0297] ULC: add user-stage command
On 08/18/2015 03:06 PM, Martin Basti wrote: On 08/18/2015 11:32 AM, thierry bordaz wrote: On 08/18/2015 10:02 AM, Martin Basti wrote: On 08/18/2015 09:59 AM, thierry bordaz wrote: On 08/18/2015 09:55 AM, Martin Basti wrote: On 08/18/2015 09:50 AM, thierry bordaz wrote: On 08/17/2015 08:33 PM, Martin Basti wrote: Hello, the 'user-stage' command replaces 'stageuser-add --from-delete' command. https://fedorahosted.org/freeipa/ticket/5041 Thierry can you check If I don't break everything, it works for me, but the one never knows. Honza can you please check the framework side? I use self.api.Object.stageuser.add.* in user command, I'm not sure if this is right way, but it works. Patch attached. I created it in hurry, I'm expecting NACK :D Just question at the end: should I implement way Active user - stageuser? IMHO it would be implemented internally by calling 'user-del --preserve' inside 'user-stage'. Hi Martin, There is a small failure with VERSION (edewata pushed his patch first ;-) ) git apply -v /tmp/freeipa-mbasti-0297-Add-user-stage-command.patch Checking patch API.txt... Checking patch VERSION... error: while searching for: # # IPA_API_VERSION_MAJOR=2 IPA_API_VERSION_MINOR=148 # Last change: ftweedal - add --out option to user-show error: patch failed: VERSION:90 error: VERSION: patch does not apply Checking patch ipalib/plugins/stageuser.py... Checking patch ipalib/plugins/user.py... There is many pending patches that may change VERSION number, I will change it to right one before push. Does code looks good for you? Hi Martin, Just a question, there is no additional permission. Did you test being 'admin' ? thanks theirry No I didn't,. I preserver all permission, the original permissions should work. 
Martin Hi Martin, Running a test script, I have an issue with ipa stageuser-add --first=t --last=b tb1 ipa: ERROR: an internal error has occurred [Tue Aug 18 11:16:56.440658 2015] [wsgi:error] [pid 10486] ipa: INFO: [jsonserver_kerb] stage...@abc.idm.lab.eng.brq.redhat.com: stageuser_add(u'tb1', givenname=u't', sn=u'b', cn=u't b', displayname=u't b', initials=u'tb', gecos=u't b', krbprincipalname=u't...@abc.idm.lab.eng.brq.redhat.com', random=False, all=False, raw=False, version=u'2.149', no_members=False): AttributeError [Tue Aug 18 11:21:25.198021 2015] [wsgi:error] [pid 10485] ipa: ERROR: non-public: AttributeError: 'DN' object has no attribute 'setdefault' [Tue Aug 18 11:21:25.198053 2015] [wsgi:error] [pid 10485] Traceback (most recent call last): [Tue Aug 18 11:21:25.198058 2015] [wsgi:error] [pid 10485] File /usr/lib/python2.7/site-packages/ipaserver/rpcserver.py, line 347, in wsgi_execute [Tue Aug 18 11:21:25.198062 2015] [wsgi:error] [pid 10485] result = self.Command[name](*args, **options) [Tue Aug 18 11:21:25.198066 2015] [wsgi:error] [pid 10485] File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 443, in __call__ [Tue Aug 18 11:21:25.198070 2015] [wsgi:error] [pid 10485] ret = self.run(*args, **options) [Tue Aug 18 11:21:25.198081 2015] [wsgi:error] [pid 10485] File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 760, in run [Tue Aug 18 11:21:25.198133 2015] [wsgi:error] [pid 10485] return self.execute(*args, **options) [Tue Aug 18 11:21:25.198139 2015] [wsgi:error] [pid 10485] File /usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py, line 1227, in execute [Tue Aug 18 11:21:25.198144 2015] [wsgi:error] [pid 10485] *keys, **options) [Tue Aug 18 11:21:25.198147 2015] [wsgi:error] [pid 10485] File /usr/lib/python2.7/site-packages/ipalib/plugins/stageuser.py, line 373, in pre_callback [Tue Aug 18 11:21:25.198151 2015] [wsgi:error] [pid 10485] attrs_list, *keys, **options) [Tue Aug 18 11:21:25.198155 2015] [wsgi:error] [pid 
10485] File /usr/lib/python2.7/site-packages/ipalib/plugins/stageuser.py, line 277, in set_default_values_pre_callback [Tue Aug 18 11:21:25.198159 2015] [wsgi:error] [pid 10485] entry_attrs.setdefault('description', []) [Tue Aug 18 11:21:25.198163 2015] [wsgi:error] [pid 10485] AttributeError: 'DN' object has no attribute 'setdefault' [Tue Aug 18 11:21:25.199276 2015] [wsgi:error] [pid 10485] ipa: INFO: [jsonserver_session] stage...@abc.idm.lab.eng.brq.redhat.com: stageuser_add(u'tb1', givenname=u't', sn=u'b', cn=u't b', displayname=u't b', initials=u'tb', gecos=u't b', krbprincipalname=u't...@abc.idm.lab.eng.brq.redhat.com', random=False, all=False, raw=False, version=u'2.149', no_members=False): AttributeError The new set_default_values_pre_callback, can not use the set_default function. It is not clear why. entry_attrs is
Re: [Freeipa-devel] [PATCH 474] install: Fix CA-less replica install
On 18.8.2015 15:12, Martin Babinsky wrote: On 08/18/2015 12:56 PM, Jan Cholasta wrote: Hi, the attached patch fixes https://fedorahosted.org/freeipa/ticket/5226. Honza ACK Thanks. The commit message was not correct so I fixed it. Pushed to: master: ff1e66375c8fd7ac036220b0f6d5cf206fa36a6a ipa-4-2: bfe937715236e71037f05885293afb3d1c8d2227 -- Jan Cholasta -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0297] ULC: add user-stage command
On 08/18/2015 03:49 PM, thierry bordaz wrote: On 08/18/2015 03:06 PM, Martin Basti wrote: On 08/18/2015 11:32 AM, thierry bordaz wrote: On 08/18/2015 10:02 AM, Martin Basti wrote: On 08/18/2015 09:59 AM, thierry bordaz wrote: On 08/18/2015 09:55 AM, Martin Basti wrote: On 08/18/2015 09:50 AM, thierry bordaz wrote: On 08/17/2015 08:33 PM, Martin Basti wrote: Hello, the 'user-stage' command replaces 'stageuser-add --from-delete' command. https://fedorahosted.org/freeipa/ticket/5041 Thierry can you check If I don't break everything, it works for me, but the one never knows. Honza can you please check the framework side? I use self.api.Object.stageuser.add.* in user command, I'm not sure if this is right way, but it works. Patch attached. I created it in hurry, I'm expecting NACK :D Just question at the end: should I implement way Active user - stageuser? IMHO it would be implemented internally by calling 'user-del --preserve' inside 'user-stage'. Hi Martin, There is a small failure with VERSION (edewata pushed his patch first ;-) ) git apply -v /tmp/freeipa-mbasti-0297-Add-user-stage-command.patch Checking patch API.txt... Checking patch VERSION... error: while searching for: # # IPA_API_VERSION_MAJOR=2 IPA_API_VERSION_MINOR=148 # Last change: ftweedal - add --out option to user-show error: patch failed: VERSION:90 error: VERSION: patch does not apply Checking patch ipalib/plugins/stageuser.py... Checking patch ipalib/plugins/user.py... There is many pending patches that may change VERSION number, I will change it to right one before push. Does code looks good for you? Hi Martin, Just a question, there is no additional permission. Did you test being 'admin' ? thanks theirry No I didn't,. I preserver all permission, the original permissions should work. 
Martin Hi Martin, Running a test script, I have an issue with ipa stageuser-add --first=t --last=b tb1 ipa: ERROR: an internal error has occurred [Tue Aug 18 11:16:56.440658 2015] [wsgi:error] [pid 10486] ipa: INFO: [jsonserver_kerb] stage...@abc.idm.lab.eng.brq.redhat.com: stageuser_add(u'tb1', givenname=u't', sn=u'b', cn=u't b', displayname=u't b', initials=u'tb', gecos=u't b', krbprincipalname=u't...@abc.idm.lab.eng.brq.redhat.com', random=False, all=False, raw=False, version=u'2.149', no_members=False): AttributeError [Tue Aug 18 11:21:25.198021 2015] [wsgi:error] [pid 10485] ipa: ERROR: non-public: AttributeError: 'DN' object has no attribute 'setdefault' [Tue Aug 18 11:21:25.198053 2015] [wsgi:error] [pid 10485] Traceback (most recent call last): [Tue Aug 18 11:21:25.198058 2015] [wsgi:error] [pid 10485] File /usr/lib/python2.7/site-packages/ipaserver/rpcserver.py, line 347, in wsgi_execute [Tue Aug 18 11:21:25.198062 2015] [wsgi:error] [pid 10485] result = self.Command[name](*args, **options) [Tue Aug 18 11:21:25.198066 2015] [wsgi:error] [pid 10485] File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 443, in __call__ [Tue Aug 18 11:21:25.198070 2015] [wsgi:error] [pid 10485] ret = self.run(*args, **options) [Tue Aug 18 11:21:25.198081 2015] [wsgi:error] [pid 10485] File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 760, in run [Tue Aug 18 11:21:25.198133 2015] [wsgi:error] [pid 10485] return self.execute(*args, **options) [Tue Aug 18 11:21:25.198139 2015] [wsgi:error] [pid 10485] File /usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py, line 1227, in execute [Tue Aug 18 11:21:25.198144 2015] [wsgi:error] [pid 10485] *keys, **options) [Tue Aug 18 11:21:25.198147 2015] [wsgi:error] [pid 10485] File /usr/lib/python2.7/site-packages/ipalib/plugins/stageuser.py, line 373, in pre_callback [Tue Aug 18 11:21:25.198151 2015] [wsgi:error] [pid 10485] attrs_list, *keys, **options) [Tue Aug 18 11:21:25.198155 2015] [wsgi:error] [pid 
10485] File /usr/lib/python2.7/site-packages/ipalib/plugins/stageuser.py, line 277, in set_default_values_pre_callback [Tue Aug 18 11:21:25.198159 2015] [wsgi:error] [pid 10485] entry_attrs.setdefault('description', []) [Tue Aug 18 11:21:25.198163 2015] [wsgi:error] [pid 10485] AttributeError: 'DN' object has no attribute 'setdefault' [Tue Aug 18 11:21:25.199276 2015] [wsgi:error] [pid 10485] ipa: INFO: [jsonserver_session] stage...@abc.idm.lab.eng.brq.redhat.com: stageuser_add(u'tb1', givenname=u't', sn=u'b', cn=u't b', displayname=u't b', initials=u'tb', gecos=u't b', krbprincipalname=u't...@abc.idm.lab.eng.brq.redhat.com', random=False, all=False, raw=False, version=u'2.149', no_members=False): AttributeError The new set_default_values_pre_callback cannot use the
[Freeipa-devel] [PATCH 0059] improve the handling of krb5-related errors in dnssec daemons
This patch fixes https://fedorahosted.org/freeipa/ticket/5229 and also improves the handling of Kerberos errors in other DNSSEC daemons. -- Martin^3 Babinsky
From 3c430dc6591583ff36c0551fcb8238f2633f3e6b Mon Sep 17 00:00:00 2001
From: Martin Babinsky mbabi...@redhat.com
Date: Tue, 18 Aug 2015 18:33:37 +0200
Subject: [PATCH] improve the handling of krb5-related errors in dnssec daemons
ipa-dnskeysync* and ipa-ods-exporter handle kerberos errors more gracefully instead of crashing with tracebacks.
https://fedorahosted.org/freeipa/ticket/5229
---
 daemons/dnssec/ipa-dnskeysync-replica | 10 +-
 daemons/dnssec/ipa-dnskeysyncd| 4 ++--
 daemons/dnssec/ipa-ods-exporter | 10 +-
 3 files changed, 20 insertions(+), 4 deletions(-)
diff --git a/daemons/dnssec/ipa-dnskeysync-replica b/daemons/dnssec/ipa-dnskeysync-replica
index 551c2f21d5b85b76a7281f719ce722a6c5830cf7..b80b38962957f922cc871ead471f8da0831bec4d 100755
--- a/daemons/dnssec/ipa-dnskeysync-replica
+++ b/daemons/dnssec/ipa-dnskeysync-replica
@@ -12,6 +12,7 @@ from binascii import hexlify
 from datetime import datetime
 import dns.dnssec
 import fcntl
+from krbV import Krb5Error
 import logging
 import os
 from pprint import pprint
@@ -141,7 +142,14 @@ log.setLevel(level=logging.DEBUG)
 PRINCIPAL = str('%s/%s' % (DAEMONNAME, ipalib.api.env.host))
 log.debug('Kerberos principal: %s', PRINCIPAL)
 ccache_filename = os.path.join(WORKDIR, 'ipa-dnskeysync-replica.ccache')
-ipautil.kinit_keytab(PRINCIPAL, paths.IPA_DNSKEYSYNCD_KEYTAB, ccache_filename)
+
+try:
+ipautil.kinit_keytab(PRINCIPAL, paths.IPA_DNSKEYSYNCD_KEYTAB,
+ ccache_filename, attempts=5)
+except Krb5Error as e:
+log.critical('Kerberos authentication failed: %s', e)
+sys.exit(1)
+
 os.environ['KRB5CCNAME'] = ccache_filename
 log.debug('Got TGT')
diff --git a/daemons/dnssec/ipa-dnskeysyncd b/daemons/dnssec/ipa-dnskeysyncd
index 93e1cd5184de17aae734801932c8b0635aaabdfd..fa54806f9709907d20ed161945f005875d4a6f30 100755
--- a/daemons/dnssec/ipa-dnskeysyncd
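Review bot: The new `except Krb5Error as e:` branch only covers Kerberos library errors, so whatever else `ipautil.kinit_keytab` may raise on the same call still escapes as an uncaught traceback at daemon startup, while ipa-dnskeysyncd in the next hunk keeps the broader `except Exception as ex:` around the identical call; the three daemons now disagree on what counts as a fatal startup failure, and the ipa-ods-exporter hunk below has the same narrow catch. `sys.exit(1)` also relies on `sys` being imported elsewhere in the file: the import hunk above shows `os`, `logging` and `fcntl` but not `sys`, so please confirm it is in scope. It would help operators to mirror ipa-dnskeysyncd's existing comment above the exit, `# signal failure and let init system to restart the daemon`, so the non-zero exit code is documented at both new sites. The module-level code this hunk sits in continues outside the hunk.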
+++ b/daemons/dnssec/ipa-dnskeysyncd
@@ -66,9 +66,9 @@ PRINCIPAL = str('%s/%s' % (DAEMONNAME, api.env.host))
 log.debug('Kerberos principal: %s', PRINCIPAL)
 ccache_filename = os.path.join(WORKDIR, 'ipa-dnskeysyncd.ccache')
 try:
-ipautil.kinit_keytab(PRINCIPAL, KEYTAB_FB, ccache_filename)
+ipautil.kinit_keytab(PRINCIPAL, KEYTAB_FB, ccache_filename, attempts=5)
 except Exception as ex:
-log.critical(ex)
+log.critical(Kerberos authentication failed: %s, ex)
 # signal failure and let init system to restart the daemon
 sys.exit(1)
 os.environ['KRB5CCNAME'] = ccache_filename
diff --git a/daemons/dnssec/ipa-ods-exporter b/daemons/dnssec/ipa-ods-exporter
index 4c6649c2fbfe77e563ab70276a92b59201fcbace..4d5423797fc9d4bdd0a432bac96b8209bb98c6d8 100755
--- a/daemons/dnssec/ipa-ods-exporter
+++ b/daemons/dnssec/ipa-ods-exporter
@@ -20,6 +20,7 @@ from datetime import datetime
 import dateutil.tz
 import dns.dnssec
 import fcntl
+from krbV import Krb5Error
 import logging
 import os
 import subprocess
@@ -482,7 +483,14 @@ ipalib.api.finalize()
 PRINCIPAL = str('%s/%s' % (DAEMONNAME, ipalib.api.env.host))
 log.debug('Kerberos principal: %s', PRINCIPAL)
 ccache_name = os.path.join(WORKDIR, 'ipa-ods-exporter.ccache')
-ipautil.kinit_keytab(PRINCIPAL, paths.IPA_ODS_EXPORTER_KEYTAB, ccache_name)
+
+try:
+ipautil.kinit_keytab(PRINCIPAL, paths.IPA_ODS_EXPORTER_KEYTAB, ccache_name,
+ attempts=5)
+except Krb5Error as e:
+log.critical('Kerberos authentication failed: %s', e)
+sys.exit(1)
+
 os.environ['KRB5CCNAME'] = ccache_name
 log.debug('Got TGT')
-- 
2.4.3
-- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
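Review bot: The rewritten `log.critical(...)` in ipa-dnskeysyncd still drops the traceback: the branch is a catch-all `except Exception as ex:`, so a failure that is not a Kerberos error at all is now reported as "Kerberos authentication failed" with only `str(ex)`, which makes a daemon that keeps being restarted by the init system hard to diagnose from the journal. Passing `exc_info=True`, `log.critical('Kerberos authentication failed: %s', ex, exc_info=True)`, keeps the one-line message and still records the stack at the same level. As rendered in this archive the format string has lost its quotes; that is presumably an artefact of the listing, but worth confirming the committed line reads `log.critical('Kerberos authentication failed: %s', ex)`. The surrounding module-level code continues outside the hunk.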
Re: [Freeipa-devel] [PATCH] 0195 harden trust-fetch-domains oddjobd script
On 08/18/2015 06:00 PM, Tomas Babej wrote: On 08/18/2015 11:56 AM, Alexander Bokovoy wrote: On Tue, 18 Aug 2015, Alexander Bokovoy wrote: On Mon, 17 Aug 2015, Tomas Babej wrote: On 08/17/2015 09:03 AM, Alexander Bokovoy wrote: On Mon, 17 Aug 2015, Tomas Babej wrote: On 08/13/2015 04:29 PM, Alexander Bokovoy wrote: Hi, see commit message for details. Hi, code-wise this looks good to me. Unfortunately, I have not been able to verify in my setup that it fixes the issue in the linked BZ: $ echo Secret123456 | ipa trust-add --type=ad ad.test --range-type ipa-ad-trust --admin Administrator --password Added Active Directory trust for realm ad.test Realm name: ad.test Domain NetBIOS name: AD Domain Security Identifier: S-1-5-21-1469936554-2294197481-461507924 SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18 SID blacklist outgoing: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18 Trust direction: Trusting forest Trust type: Active Directory domain Trust status: Established and verified $ idrange-find 2 ranges matched Range name: AD.TEST_id_range First Posix ID of the range: 19120 Number of IDs in the range: 20 First RID of the corresponding RID range: 0 Domain SID of the trusted domain: S-1-5-21-1469936554-2294197481-461507924 Range type: Active Directory domain range Range name: IPA.TEST_id_range First Posix ID of the range: 69520 Number of IDs in the range: 20 First RID of the corresponding RID range: 1000 First RID of the secondary RID range: 1 Range type: local domain range Number of entries returned 2 However, I have one child subdomain in the setup: $ ipa trustdomain-find Realm name: ad.test Domain name: ad.test 
Domain NetBIOS name: AD Domain Security Identifier: S-1-5-21-1469936554-2294197481-461507924 Domain enabled: True Domain name: sub.ad.test Domain NetBIOS name: SUB Domain Security Identifier: S-1-5-21-10134726-2575992721-4229914074 Domain enabled: True Number of entries returned 2 Look for AVCs, if there are any. Also start abrtd and it should pick up any python exceptions in the helper as 'crashes'. Right. Insufficient LDAP permissions caused the following backtrace in the oddjob helper: ipaldap.py:948:error_handler:ACIError: Insufficient access: Insufficient 'add' privilege to add the entry 'cn=SUB.AD.TEST_id_range,cn=ranges,cn=etc,dc=ipa,dc=test'. Traceback (most recent call last): File /usr/libexec/ipa/com.redhat.idm.trust-fetch-domains, line 216, in module trusted_domain, name, **dom) File /usr/lib/python2.7/site-packages/ipalib/plugins/trust.py, line 347, in add_range ipanttrusteddomainsid=dom_sid) File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 443, in __call__ ret = self.run(*args, **options) File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 760, in run return self.execute(*args, **options) File /usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py, line 1234, in execute self._exc_wrapper(keys, options, ldap.add_entry)(entry_attrs) File /usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py, line 1145, in wrapped return func(*call_args, **call_kwargs) File /usr/lib/python2.7/site-packages/ipapython/ipaldap.py, line 1442, in add_entry self.conn.add_s(str(entry.dn), attrs.items()) File /usr/lib64/python2.7/contextlib.py, line 35, in __exit__ self.gen.throw(type, value, traceback) File /usr/lib/python2.7/site-packages/ipapython/ipaldap.py, line 948, in error_handler raise errors.ACIError(info=info) ACIError: Insufficient access: Insufficient 'add' privilege to add the entry 'cn=SUB.AD.TEST_id_range,cn=ranges,cn=etc,dc=ipa,dc=test'. 
Local variables in innermost frame: info: Insufficient 'add' privilege to add the entry 'cn=SUB.AD.TEST_id_range,cn=ranges,cn=etc,dc=ipa,dc=test'. arg_desc: None self: ipaserver.plugins.ldap2.ldap2() e: INSUFFICIENT_ACCESS({'info': Insufficient 'add' privilege to add the entry 'cn=SUB.AD.TEST_id_range,cn=ranges,cn=etc,dc=ipa,dc=test'.\n, 'desc': 'Insufficient access'},) desc: 'Insufficient access' Updated patch attached. You can install freeipa from my COPR abbra/freeipa-oneway (you need mkosek/freeipa-master COPR for dependencies) to test. .. and use abbra/sssd-kkdcproxy for sssd git master -- you'll need it to allow SSSD to properly handle
Re: [Freeipa-devel] [PATCH 0297] ULC: add user-stage command
On 08/18/2015 04:13 PM, thierry bordaz wrote: On 08/18/2015 04:04 PM, Martin Basti wrote: On 08/18/2015 03:49 PM, thierry bordaz wrote: On 08/18/2015 03:06 PM, Martin Basti wrote: On 08/18/2015 11:32 AM, thierry bordaz wrote: On 08/18/2015 10:02 AM, Martin Basti wrote: On 08/18/2015 09:59 AM, thierry bordaz wrote: On 08/18/2015 09:55 AM, Martin Basti wrote: On 08/18/2015 09:50 AM, thierry bordaz wrote: On 08/17/2015 08:33 PM, Martin Basti wrote: Hello, the 'user-stage' command replaces 'stageuser-add --from-delete' command. https://fedorahosted.org/freeipa/ticket/5041 Thierry can you check If I don't break everything, it works for me, but the one never knows. Honza can you please check the framework side? I use self.api.Object.stageuser.add.* in user command, I'm not sure if this is right way, but it works. Patch attached. I created it in hurry, I'm expecting NACK :D Just question at the end: should I implement way Active user - stageuser? IMHO it would be implemented internally by calling 'user-del --preserve' inside 'user-stage'. Hi Martin, There is a small failure with VERSION (edewata pushed his patch first ;-) ) git apply -v /tmp/freeipa-mbasti-0297-Add-user-stage-command.patch Checking patch API.txt... Checking patch VERSION... error: while searching for: # # IPA_API_VERSION_MAJOR=2 IPA_API_VERSION_MINOR=148 # Last change: ftweedal - add --out option to user-show error: patch failed: VERSION:90 error: VERSION: patch does not apply Checking patch ipalib/plugins/stageuser.py... Checking patch ipalib/plugins/user.py... There is many pending patches that may change VERSION number, I will change it to right one before push. Does code looks good for you? Hi Martin, Just a question, there is no additional permission. Did you test being 'admin' ? thanks theirry No I didn't,. I preserver all permission, the original permissions should work. 
Martin Hi Martin, Running a test script, I have an issue with ipa stageuser-add --first=t --last=b tb1 ipa: ERROR: an internal error has occurred [Tue Aug 18 11:16:56.440658 2015] [wsgi:error] [pid 10486] ipa: INFO: [jsonserver_kerb] stage...@abc.idm.lab.eng.brq.redhat.com: stageuser_add(u'tb1', givenname=u't', sn=u'b', cn=u't b', displayname=u't b', initials=u'tb', gecos=u't b', krbprincipalname=u't...@abc.idm.lab.eng.brq.redhat.com', random=False, all=False, raw=False, version=u'2.149', no_members=False): AttributeError [Tue Aug 18 11:21:25.198021 2015] [wsgi:error] [pid 10485] ipa: ERROR: non-public: AttributeError: 'DN' object has no attribute 'setdefault' [Tue Aug 18 11:21:25.198053 2015] [wsgi:error] [pid 10485] Traceback (most recent call last): [Tue Aug 18 11:21:25.198058 2015] [wsgi:error] [pid 10485] File /usr/lib/python2.7/site-packages/ipaserver/rpcserver.py, line 347, in wsgi_execute [Tue Aug 18 11:21:25.198062 2015] [wsgi:error] [pid 10485] result = self.Command[name](*args, **options) [Tue Aug 18 11:21:25.198066 2015] [wsgi:error] [pid 10485] File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 443, in __call__ [Tue Aug 18 11:21:25.198070 2015] [wsgi:error] [pid 10485] ret = self.run(*args, **options) [Tue Aug 18 11:21:25.198081 2015] [wsgi:error] [pid 10485] File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 760, in run [Tue Aug 18 11:21:25.198133 2015] [wsgi:error] [pid 10485] return self.execute(*args, **options) [Tue Aug 18 11:21:25.198139 2015] [wsgi:error] [pid 10485] File /usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py, line 1227, in execute [Tue Aug 18 11:21:25.198144 2015] [wsgi:error] [pid 10485] *keys, **options) [Tue Aug 18 11:21:25.198147 2015] [wsgi:error] [pid 10485] File /usr/lib/python2.7/site-packages/ipalib/plugins/stageuser.py, line 373, in pre_callback [Tue Aug 18 11:21:25.198151 2015] [wsgi:error] [pid 10485] attrs_list, *keys, **options) [Tue Aug 18 11:21:25.198155 2015] [wsgi:error] [pid 
10485] File /usr/lib/python2.7/site-packages/ipalib/plugins/stageuser.py, line 277, in set_default_values_pre_callback [Tue Aug 18 11:21:25.198159 2015] [wsgi:error] [pid 10485] entry_attrs.setdefault('description', []) [Tue Aug 18 11:21:25.198163 2015] [wsgi:error] [pid 10485] AttributeError: 'DN' object has no attribute 'setdefault' [Tue Aug 18 11:21:25.199276 2015] [wsgi:error] [pid 10485] ipa: INFO: [jsonserver_session] stage...@abc.idm.lab.eng.brq.redhat.com: stageuser_add(u'tb1', givenname=u't', sn=u'b', cn=u't b', displayname=u't b', initials=u'tb', gecos=u't b', krbprincipalname=u't...@abc.idm.lab.eng.brq.redhat.com', random=False, all=False, raw=False,
Re: [Freeipa-devel] [PATCH] 0195 harden trust-fetch-domains oddjobd script
On 08/18/2015 11:56 AM, Alexander Bokovoy wrote: On Tue, 18 Aug 2015, Alexander Bokovoy wrote: On Mon, 17 Aug 2015, Tomas Babej wrote: On 08/17/2015 09:03 AM, Alexander Bokovoy wrote: On Mon, 17 Aug 2015, Tomas Babej wrote: On 08/13/2015 04:29 PM, Alexander Bokovoy wrote: Hi, see commit message for details. Hi, code-wise this looks good to me. Unfortunately, I have not been able to verify in my setup that it fixes the issue in the linked BZ: $ echo Secret123456 | ipa trust-add --type=ad ad.test --range-type ipa-ad-trust --admin Administrator --password Added Active Directory trust for realm ad.test Realm name: ad.test Domain NetBIOS name: AD Domain Security Identifier: S-1-5-21-1469936554-2294197481-461507924 SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18 SID blacklist outgoing: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18 Trust direction: Trusting forest Trust type: Active Directory domain Trust status: Established and verified $ idrange-find 2 ranges matched Range name: AD.TEST_id_range First Posix ID of the range: 19120 Number of IDs in the range: 20 First RID of the corresponding RID range: 0 Domain SID of the trusted domain: S-1-5-21-1469936554-2294197481-461507924 Range type: Active Directory domain range Range name: IPA.TEST_id_range First Posix ID of the range: 69520 Number of IDs in the range: 20 First RID of the corresponding RID range: 1000 First RID of the secondary RID range: 1 Range type: local domain range Number of entries returned 2 However, I have one child subdomain in the setup: $ ipa trustdomain-find Realm name: ad.test Domain name: ad.test Domain NetBIOS name: AD Domain Security 
Identifier: S-1-5-21-1469936554-2294197481-461507924 Domain enabled: True Domain name: sub.ad.test Domain NetBIOS name: SUB Domain Security Identifier: S-1-5-21-10134726-2575992721-4229914074 Domain enabled: True Number of entries returned 2 Look for AVCs, if there are any. Also start abrtd and it should pick up any python exceptions in the helper as 'crashes'. Right. Insufficient LDAP permissions caused the following backtrace in the oddjob helper: ipaldap.py:948:error_handler:ACIError: Insufficient access: Insufficient 'add' privilege to add the entry 'cn=SUB.AD.TEST_id_range,cn=ranges,cn=etc,dc=ipa,dc=test'. Traceback (most recent call last): File /usr/libexec/ipa/com.redhat.idm.trust-fetch-domains, line 216, in module trusted_domain, name, **dom) File /usr/lib/python2.7/site-packages/ipalib/plugins/trust.py, line 347, in add_range ipanttrusteddomainsid=dom_sid) File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 443, in __call__ ret = self.run(*args, **options) File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 760, in run return self.execute(*args, **options) File /usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py, line 1234, in execute self._exc_wrapper(keys, options, ldap.add_entry)(entry_attrs) File /usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py, line 1145, in wrapped return func(*call_args, **call_kwargs) File /usr/lib/python2.7/site-packages/ipapython/ipaldap.py, line 1442, in add_entry self.conn.add_s(str(entry.dn), attrs.items()) File /usr/lib64/python2.7/contextlib.py, line 35, in __exit__ self.gen.throw(type, value, traceback) File /usr/lib/python2.7/site-packages/ipapython/ipaldap.py, line 948, in error_handler raise errors.ACIError(info=info) ACIError: Insufficient access: Insufficient 'add' privilege to add the entry 'cn=SUB.AD.TEST_id_range,cn=ranges,cn=etc,dc=ipa,dc=test'. 
Local variables in innermost frame: info: Insufficient 'add' privilege to add the entry 'cn=SUB.AD.TEST_id_range,cn=ranges,cn=etc,dc=ipa,dc=test'. arg_desc: None self: ipaserver.plugins.ldap2.ldap2() e: INSUFFICIENT_ACCESS({'info': Insufficient 'add' privilege to add the entry 'cn=SUB.AD.TEST_id_range,cn=ranges,cn=etc,dc=ipa,dc=test'.\n, 'desc': 'Insufficient access'},) desc: 'Insufficient access' Updated patch attached. You can install freeipa from my COPR abbra/freeipa-oneway (you need mkosek/freeipa-master COPR for dependencies) to test. .. and use abbra/sssd-kkdcproxy for sssd git master --