Re: [Freeipa-devel] [PATCH] small fixes related to running dnssec tests in RHEL
On 08/24/2015 01:28 PM, Oleg Fayans wrote:

Hi,

Could anyone review this. We are really blocked with testing on RHEL and Patch 0005 fixes it.

Thank you.

On 08/21/2015 10:52 AM, Oleg Fayans wrote:

Hi list,

Here are the fixes for https://fedorahosted.org/freeipa/ticket/5240 plus pep8-related fixes, plus created a user-friendly error message at import error. Obsoletes my previous patch.

PATCH 0003
ACK

PATCH 0004
I don't know. I don't think that this change is needed, we enforce pep8 only for new code, those kinds of random changes make git blame hard to read.

PATCH 0005
NACK
If this is a workaround for DNSSEC, it should be done only for the DNSSEC test, not globally for all tests.

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0002] TEST: Stageuser plugin
... and adding a patch version applicable for master branch

Lenka

On 08/24/2015 12:14 PM, Lenka Doudova wrote:

On 08/20/2015 03:48 PM, Martin Basti wrote:

On 08/14/2015 06:32 PM, Lenka Doudova wrote:

Yes, that is correct - it's malfunctioning behavior of the plugin - command 'stageuser-add --from-delete', which is discussed in another thread. I left this test case for so long as it's not fixed/changed. If the command remains and is fixed, the test case will be valid; if it's changed I'll fix the test case to reflect the new command.

Lenka

On 08/14/2015 05:39 PM, Martin Basti wrote:

On 08/14/2015 11:04 AM, Lenka Doudova wrote:

NACK
syntax error, missing ')'

-from ipatests.util import assert_equal, assert_not_equal, raises +from ipatests.util import ( +assert_equal, assert_not_equal, raises, assert_deepequal

I cannot apply this patch, please check it

Sorry for the error, corrected patch attached. I also added two testcases that Thierry proposed, and changed names of a few methods (original ones were confusing).

Lenka

I got this error

FAILURES
= TestPreserved.test_staged_from_preserved _
self = ipatests.test_xmlrpc.test_stageuser_plugin.TestPreserved object at 0x7ffb94811350
user = ipatests.test_xmlrpc.test_user_plugin.UserTracker object at 0x7ffb949e7190
stageduser = ipatests.test_xmlrpc.test_stageuser_plugin.StageUserTracker object at 0x7ffb94811c50

    def test_staged_from_preserved(self, user, stageduser):
        user.make_preserved_user()
        stageduser.ensure_missing()
        stageduser = StageUserTracker(user.uid, user.givenname, user.sn)
        stageduser.create_from_preserved(user)
        command = user.make_create_command(from_delete=True)
E   TypeError: make_create_command() got an unexpected keyword argument 'from_delete'

test_xmlrpc/test_stageuser_plugin.py:718: TypeError
-- Captured stdout setup --
Ran command: ipalib.plugins.stageuser.stageuser_del()(u'suser1', version=u'2.148'): NotFound: suser1: stage user not found
-- Captured stdout call ---
Ran command: ipalib.plugins.user.user_add()(u'auser1', givenname=u'active', sn=u'user', version=u'2.148'): OK
Ran command: ipalib.plugins.user.user_del()(u'auser1', preserve=True, no_preserve=False, version=u'2.148'): OK

Martin^2

ACK

I cannot apply your patch on top of ipa-4-2 branch, can you send a rebased version for ipa-4-2 branch?

Attached. Applying works for me on ipa-4-2 branch, so I hope I finally got it right... Also this patch combines my previous patches 0002.3 + 0003.

Lenka

From 13d08961ff103bd6c1747ab689e8dc5e3f9294ea Mon Sep 17 00:00:00 2001
From: Lenka Doudova ldoud...@redhat.com Date: Mon, 24 Aug 2015 12:04:03 +0200 Subject: [PATCH] Automated test for stageuser plugin Ticket: https://fedorahosted.org/freeipa/ticket/3813 Test plan: http://www.freeipa.org/page/V4/User_Life-Cycle_Management/Test_Plan --- ipatests/test_xmlrpc/test_group_plugin.py | 202 +- ipatests/test_xmlrpc/test_stageuser_plugin.py | 888 ++ ipatests/test_xmlrpc/test_user_plugin.py | 339 ++ 3 files changed, 1428 insertions(+), 1 deletion(-) create mode 100644 ipatests/test_xmlrpc/test_stageuser_plugin.py diff --git a/ipatests/test_xmlrpc/test_group_plugin.py b/ipatests/test_xmlrpc/test_group_plugin.py index f7f619680065a43f90986cf7e1d81e8e41bdf8c2..8ef3900ef8b6775d2a07192c57fd1076fb967b34 100644 --- a/ipatests/test_xmlrpc/test_group_plugin.py +++ b/ipatests/test_xmlrpc/test_group_plugin.py @@ -21,13 +21,26 @@ Test the `ipalib/plugins/group.py` module. +import functools +import pytest + from ipalib import api, errors from ipatests.test_xmlrpc import objectclasses + HEAD from ipatests.test_xmlrpc.xmlrpc_test import ( Declarative, fuzzy_digits, fuzzy_uuid, fuzzy_set_ci, add_sid, add_oc) +=== +from xmlrpc_test import (Declarative, fuzzy_digits, fuzzy_uuid, fuzzy_set_ci, + add_sid, add_oc, XMLRPC_test, raises_exact) + Automated test for stageuser plugin from ipapython.dn import DN from ipatests.test_xmlrpc.test_user_plugin import get_user_result +from ipatests.test_xmlrpc.ldaptracker import Tracker +from ipatests.test_xmlrpc.test_user_plugin import UserTracker +from
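Review bot: the test_group_plugin.py import hunk still carries unresolved merge-conflict markers (the `+ HEAD`, `+===` and `+ Automated test for stageuser plugin` lines), so the module will not even parse; resolve the conflict before resubmitting. The two sides also disagree on import style: HEAD uses the absolute `from ipatests.test_xmlrpc.xmlrpc_test import (...)`, while the other side uses the bare `from xmlrpc_test import (...)`, an implicit relative import that Python 3 no longer supports. Keep the absolute form and add the two extra names (`XMLRPC_test`, `raises_exact`) to it. Note as well that this archive copy of the hunk is cut off at a dangling `+from`, so the patch as quoted here is incomplete.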
Re: [Freeipa-devel] [PATCH 0002] Port from python-krbV to python-gssapi
On 23.8.2015 23:27, Michael Šimáček wrote:

On 2015-08-21 15:52, Michael Šimáček wrote:

On 2015-08-20 20:42, Robbie Harwood wrote:

Michael Šimáček msima...@redhat.com writes:

On 2015-08-20 12:32, Michael Šimáček wrote:

Michael Šimáček msima...@redhat.com writes:

Attaching new revision of the patch. Changes from the previous:
- ldap2's connect now chooses the bind type the same way as in ipaldap
- get_default_realm usages replaced by api.env.realm
- fixed missing third kinit attempt in trust-fetch-domains
- removed rewrapping gssapi errors to ccache errors in krb_utils
- updated some parts of exception handling

Rebased on top of current master.

One of the commits reintroduced krbV dependency that I didn't notice. Attaching updated revision. Only changes against previous revision are in files daemons/dnssec/ipa-dnskeysync-replica and daemons/dnssec/ipa-ods-exporter.

This is much better, thanks! I've got some comments inline.

+except gssapi.exceptions.GSSError: # If there was failure on using keytab, assume it is stale and retrieve again retrieve_keytab(api, ccache_name, oneway_keytab_name, oneway_principal)

This code still bothers me a bit, but I think fixing it is probably beyond the scope of a python-gssapi port.

The code catches all GSSAPI exceptions and retries to do the same thing with a different keytab. So if there was a problem unrelated to the keytab, the same exception will be raised again. Nothing will be ignored silently.

+try: +creds = get_credentials(name=name, ccache_name=ccache_name) +# property access would raise exception if expired +if creds.lifetime 0: +return creds +except gssapi.exceptions.ExpiredCredentialsError: +return None

Per rfc2744, lifetime is unsigned. It's not immediately clear what will happen when `creds.lifetime == 0`; perhaps an explicit `return None` in that case?

I think the check is probably redundant, gssapi raises an exception upon inquiring expired credentials.
In trust-fetch-domains I just access the lifetime in try-except without using the value, so I could do the same here. It would be nice if gssapi provided some 'is_valid' or 'is_expired' method, so I wouldn't need to rely on side-effects of property access, which is hard to read and confuses pylint.

# Setup LDAP connection try: -ctx = krbV.default_context() -ccache = ctx.default_ccache() -api.Backend.ldap2.connect(ccache) +api.Backend.ldap2.connect() cls.ldap = api.Backend.ldap2 -except krbV.Krb5Error as e: +except gssapi.exceptions.GSSError: sys.exit(Must have Kerberos credentials to migrate Winsync users.)

Can you log the error here? The other places GSSError is being caught are doing a great job of either filtering-and-raising or logging-and-exiting, so thanks for fixing those.

Yes, I'll update it in the next revision of the patch.

+# Ugly hack for test purposes only. GSSAPI has no way to get default ccache +# name, but we don't need it outside test server +def get_default_ccache_name(): +try: +out = check_output(['klist']) +except CalledProcessError: +raise RuntimeError(Default ccache not found. Did you kinit?) +match = re.match(r'^Ticket cache:\s*(\S+)', out) +if not match: +raise RuntimeError(Cannot obtain ccache name) +return match.group(1)

Yup, this is still ugly. Ah well, it's only test code.

I was trying to modify the code to not need the variable and just use the default, but it is used for manipulating it as a file - in production it is always defined by mod_auth_gssapi. So I'd keep this as is.

Next revision of the patch. Changes from previous rev: printing exception in ipa_winsync_migrate and more thorough dealing with credentials expiration in krb_utils and trust-fetch-domains.

1) There is a merge conflict in freeipa.spec.in, please rebase the patch on top of current master.
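Review bot: in the `get_credentials` hunk, when the `creds.lifetime` comparison is false the `if` body is skipped and, as the hunk stands, the function falls off the end, so the caller gets an implicit `None` that merely happens to coincide with the explicit `return None` of the `ExpiredCredentialsError` branch. Make both outcomes explicit (`return creds` when the lifetime is positive, `return None` otherwise) so that a later edit adding code after the `if` cannot silently start handing back expired credentials. The comment `# property access would raise exception if expired` documents a side effect rather than a check; if the project wants to rely on it, put the property access in a small helper named for what it does (for instance `credentials_valid(creds)`), which removes both the pylint confusion and the reader's.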
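Review bot: `get_default_ccache_name` uses `re.match` with `r'^Ticket cache:\s*(\S+)'`, which only succeeds when that header is the very first thing `klist` prints; any preceding output sends the function down the `Cannot obtain ccache name` path even though a cache exists, so `re.search` with `re.MULTILINE` would be the tolerant form. Separately, `check_output` returns bytes on Python 3, so the pattern must be a bytes pattern or the output decoded first; with the Python 3 work in the 0696-0710 series on this list, it is cheaper to handle that now than when the test server moves.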
2) pylint fails with:

* Module ipa-ods-exporter
daemons/dnssec/ipa-ods-exporter:23: [E0611(no-name-in-module), ] No name 'GSSError' in module 'gssapi')
* Module ipa-dnskeysync-replica
daemons/dnssec/ipa-dnskeysync-replica:15: [E0611(no-name-in-module), ] No name 'GSSError' in module 'gssapi')

Both failures are caused by the "from gssapi import GSSError" statement, which should read "from gssapi.exceptions import GSSError".

3) ipa-adtrust-install fails with:

admin password:
Unrecognized error during check of admin rights: ad...@abc.idm.lab.eng.brq.redhat.com: user not found

Apparently there is a "user-show ad...@abc.idm.lab.eng.brq.redhat.com" call where a "user-show admin" call should be.

4) ipa-client-automount fails with:

Failed to obtain host TGT: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639111): Bad format in credentials cache

Honza

--
Jan Cholasta
Re: [Freeipa-devel] [PATCH] small fixes related to running dnssec tests in RHEL
Hi Martin,

On 08/24/2015 02:36 PM, Martin Basti wrote:

On 08/24/2015 01:28 PM, Oleg Fayans wrote:

Hi,

Could anyone review this. We are really blocked with testing on RHEL and Patch 0005 fixes it.

Thank you.

On 08/21/2015 10:52 AM, Oleg Fayans wrote:

Hi list,

Here are the fixes for https://fedorahosted.org/freeipa/ticket/5240 plus pep8-related fixes, plus created a user-friendly error message at import error. Obsoletes my previous patch.

PATCH 0003
ACK

PATCH 0004
I don't know. I don't think that this change is needed, we enforce pep8 only for new code, those kinds of random changes make git blame hard to read.

PATCH 0005
NACK
If this is a workaround for DNSSEC, it should be done only for the DNSSEC test, not globally for all tests.

It's not only about dnssec: all integration tests are broken in RHEL due to the fact that ipa-replica-prepare behaves differently in RHEL than in Fedora, which causes the tests (designed on Fedora) to fail at the step of replica installation. Once we find out the reason for this, we can revert this change, but for now we really, REALLY need a quick fix to move on.

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
Re: [Freeipa-devel] [PATCH 0002] TEST: Stageuser plugin
NACK

You have unmerged changes in the patch

On 08/24/2015 02:14 PM, Lenka Doudova wrote:

from ipatests.test_xmlrpc import objectclasses + HEAD from ipatests.test_xmlrpc.xmlrpc_test import ( Declarative, fuzzy_digits, fuzzy_uuid, fuzzy_set_ci, add_sid, add_oc) +=== +from xmlrpc_test import (Declarative, fuzzy_digits, fuzzy_uuid, fuzzy_set_ci, + add_sid, add_oc, XMLRPC_test, raises_exact) + Automated test for stageuser plugin from ipapython.dn import DN
Re: [Freeipa-devel] [PATCH 0006] Fixed installation failures
On 08/24/2015 12:55 PM, Oleg Fayans wrote:

Hi all.

The current issue [1] effectively blocks testing of the 4.2 branch. Here is (one of the possible) solutions, which proved to work.

[1] https://www.redhat.com/archives/freeipa-devel/2015-August/msg00085.html

The patch needs a rebase for the ipa-4-2 branch.
Re: [Freeipa-devel] [PATCH] small fixes related to running dnssec tests in RHEL
On 08/24/2015 02:36 PM, Martin Basti wrote:

On 08/24/2015 01:28 PM, Oleg Fayans wrote:

Hi,

Could anyone review this. We are really blocked with testing on RHEL and Patch 0005 fixes it.

Thank you.

On 08/21/2015 10:52 AM, Oleg Fayans wrote:

Hi list,

Here are the fixes for https://fedorahosted.org/freeipa/ticket/5240 plus pep8-related fixes, plus created a user-friendly error message at import error. Obsoletes my previous patch.

PATCH 0003
ACK

PATCH 0004
I don't know. I don't think that this change is needed, we enforce pep8 only for new code, those kinds of random changes make git blame hard to read.

PATCH 0005
NACK
If this is a workaround for DNSSEC, it should be done only for the DNSSEC test, not globally for all tests.

0003:
Pushed to:
master: b93137c1964690cc6c20ad5e187aa70cc414554c
ipa-4-2: 74c0bcce237faaba700ade6377753783d6a2a9bf

0005:
Pushed to:
master: b202afbcc0fe8cd1291784a3d261fce59b5646fd
ipa-4-2: aa381746610bb280a906f6d73edd20877da1877d
Re: [Freeipa-devel] [PATCH 0058] dns: do not add (forward)zone if it is already resolvable.
On 08/20/2015 10:28 AM, David Kupka wrote:

On 31/07/15 13:32, Martin Basti wrote:

On 30/07/15 14:38, Martin Basti wrote:

On 29/07/15 16:12, David Kupka wrote:

https://fedorahosted.org/freeipa/ticket/5087

NACK

You forgot to update the API.txt file

Thanks for catching that. Updated patch attached.

I'm just curious, what is the reason to check if the forward zone exists? IMO a forwardzone must exist somewhere as the master zone. I don't think we should check forwardzones, this may give too many false positive errors.

AIUI if the zone exists somewhere and is resolvable there is no need to add it as a forward zone. If a user for some reason wants to do it, he's hiding the original zone and we should not allow this (without --force).

Note: Petr2 agreed with David's solution

LGTM, works as expected, but this patch prevents users from adding conflicting zones via webUI (there is no --force field). We should improve webUI together with this patch.

Martin^2

Martin^2
Re: [Freeipa-devel] [PATCH 0002] Port from python-krbV to python-gssapi
On 2015-08-24 14:50, Jan Cholasta wrote:

On 23.8.2015 23:27, Michael Šimáček wrote:

[...]

Next revision of the patch. Changes from previous rev: printing exception in ipa_winsync_migrate and more thorough dealing with credentials expiration in krb_utils and trust-fetch-domains.

1) There is a merge conflict in freeipa.spec.in, please rebase the patch on top of current master.

Done.

2) pylint fails with:

* Module ipa-ods-exporter
daemons/dnssec/ipa-ods-exporter:23: [E0611(no-name-in-module), ] No name 'GSSError' in module 'gssapi')
* Module ipa-dnskeysync-replica
daemons/dnssec/ipa-dnskeysync-replica:15: [E0611(no-name-in-module), ] No name 'GSSError' in module 'gssapi')

Both failures are caused by the "from gssapi import GSSError" statement, which should read "from gssapi.exceptions import GSSError".

Fixed.

3) ipa-adtrust-install fails with:

admin password:
Unrecognized error during check of admin rights: ad...@abc.idm.lab.eng.brq.redhat.com: user not found

Apparently there is a "user-show ad...@abc.idm.lab.eng.brq.redhat.com" call where a "user-show admin" call should be.

Fixed. python-gssapi has a display_as method that could pull the name from it, but it doesn't work in the current version, therefore using partition to split on '@'

4) ipa-client-automount fails
Re: [Freeipa-devel] [PATCH 020] Change internal rsa_(public|private)_key variable names
On 07/28/2015 04:28 PM, Simo Sorce wrote:

On Tue, 2015-07-28 at 16:18 +0200, Christian Heimes wrote:

In two places the vault plugin refers to rsa public or rsa private key although the code can handle just any kind of asymmetric algorithm, e.g. ECDSA. The patch just renames the occurrences to avoid more confusion in the future.

LGTM.

Simo.

ACK

Pushed to:
master: cee5d9007e7db84f24bc8e387ec7ff784495ab9f
ipa-4-2: 5f557686ffbbfd738e9d4f440a91a68fd421bad6
Re: [Freeipa-devel] [PATCH 0002] Port from python-krbV to python-gssapi
On Mon, 2015-08-24 at 17:18 +0200, Michael Šimáček wrote:

On 2015-08-24 14:50, Jan Cholasta wrote:

On 23.8.2015 23:27, Michael Šimáček wrote:

[...]

1) There is a merge conflict in freeipa.spec.in, please rebase the patch on top of current master.

Done.

2) pylint fails with:

* Module ipa-ods-exporter
daemons/dnssec/ipa-ods-exporter:23: [E0611(no-name-in-module), ] No name 'GSSError' in module 'gssapi')
* Module ipa-dnskeysync-replica
daemons/dnssec/ipa-dnskeysync-replica:15: [E0611(no-name-in-module), ] No name 'GSSError' in module 'gssapi')

Both failures are caused by the "from gssapi import GSSError" statement, which should read "from gssapi.exceptions import GSSError".

Fixed.

3) ipa-adtrust-install fails with:

admin password:
Unrecognized error during check of admin rights: ad...@abc.idm.lab.eng.brq.redhat.com: user not found

Apparently there is a user-show
Re: [Freeipa-devel] [PATCH 0002] Port from python-krbV to python-gssapi
On 2015-08-24 17:49, Simo Sorce wrote:

On Mon, 2015-08-24 at 17:18 +0200, Michael Šimáček wrote:

On 2015-08-24 14:50, Jan Cholasta wrote:

On 23.8.2015 23:27, Michael Šimáček wrote:

[...]

1) There is a merge conflict in freeipa.spec.in, please rebase the patch on top of current master.

Done.

2) pylint fails with:

* Module ipa-ods-exporter
daemons/dnssec/ipa-ods-exporter:23: [E0611(no-name-in-module), ] No name 'GSSError' in module 'gssapi')
* Module ipa-dnskeysync-replica
daemons/dnssec/ipa-dnskeysync-replica:15: [E0611(no-name-in-module), ] No name 'GSSError' in module 'gssapi')

Both failures are caused by the "from gssapi import GSSError" statement, which should read "from gssapi.exceptions import GSSError".

Fixed.

3) ipa-adtrust-install fails with:

admin password:
Unrecognized error during check of admin rights: ad...@abc.idm.lab.eng.brq.redhat.com: user not found

Apparently there is a "user-show ad...@abc.idm.lab.eng.brq.redhat.com" call where a "user-show admin" call should be.

Fixed. python-gssapi has a display_as method that could pull the name from it, but it
[Freeipa-devel] kra and ca instance installation
Why do we have cainstance.py and ca.py and krainstance.py and kra.py in ipaserver/install when you always need both files to do anything around installation of the ca? Is there a motivation? Or can I simply provide a patch to remove the ca.py and kra.py files and unify all code in the proper *instance.py file?

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-devel] [PATCH 0002] Port from python-krbV to python-gssapi
Michael Šimáček msima...@redhat.com writes:

On 2015-08-24 17:49, Simo Sorce wrote:

On Mon, 2015-08-24 at 17:18 +0200, Michael Šimáček wrote:

On 2015-08-24 14:50, Jan Cholasta wrote:

On 23.8.2015 23:27, Michael Šimáček wrote:

3) ipa-adtrust-install fails with:

admin password:
Unrecognized error during check of admin rights: ad...@abc.idm.lab.eng.brq.redhat.com: user not found

Apparently there is a "user-show ad...@abc.idm.lab.eng.brq.redhat.com" call where a "user-show admin" call should be.

Fixed. python-gssapi has a display_as method that could pull the name from it, but it doesn't work in the current version, therefore using partition to split on '@'

It's actually a bug in MIT Krb5, as we noted in your bug[0]. So this:

-user = api.Command.user_show(unicode(principal[0]))['result'] +user = api.Command.user_show(principal.partition('@')[0])['result']

is working around a bug in specific Kerberos versions. If people are okay with merging such code, then I guess this is fine; I would personally not do so because there is not a clear point at which it can be removed. At the very least, we should wait until we see what versions of krb5 MIT is going to fix.

Otherwise, looks good.

[0]: https://github.com/pythongssapi/python-gssapi/issues/79
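Review bot: `principal.partition('@')[0]` discards the realm before the `user_show` lookup, so the admin-rights check now sees only the local part of whatever principal is in the ccache; credentials for a same-named principal from another realm would look up, and pass as, the local user. Compare the realm part (`principal.partition('@')[2]`) against `api.env.realm` before calling `user_show`, or keep the comparison on the full principal once the MIT krb5 fix behind `display_as` is available. As Robbie says, the workaround has no removal trigger; at minimum, a comment next to this line pointing at the python-gssapi issue makes it findable when that fix lands.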
Re: [Freeipa-devel] [PATCH 0003] Bump python-gssapi version to 1.1.2
On 23.8.2015 22:15, Michael Šimáček wrote:

On 2015-08-21 17:13, Michael Šimáček wrote:

python-gssapi had a bug in exception handling that caused exceptions to be shadowed by LookupError. The new version should fix the problem.

https://fedorahosted.org/freeipa/ticket/5225

I accidentally based it on top of an unmerged patch. Attaching the same patch based on current master.

Pushed to master: 584788a91ac14577d75f5e1651ed8cdeb80a6d6c

--
Jan Cholasta
Re: [Freeipa-devel] [PATCHES] 0696-0710 More modernization
On 24.8.2015 07:50, Jan Cholasta wrote:
On 21.8.2015 14:50, Christian Heimes wrote:
On 2015-08-21 12:55, Petr Viktorin wrote:
On 08/14/2015 07:44 PM, Petr Viktorin wrote: Hello, These patches bring IPA another step towards compatibility with Python 3. Most of these were made by fixers from the python-modernize tool, but I reviewed and edited the results. Here are the patches rebased to current master.
0696.2-Remove-use-of-sys.exc_value ACK
0697.2-Don-t-use-a-tuple-in-function-arguments I prefer operator.itemgetter() over the hard-to-read lambda expression key=lambda k_v: (k_v[1], k_v[0]). import operator example = dict(a=3, ba=2, b=2, c=1) sorted(example.items(), key=operator.itemgetter(1, 0)) [('c', 1), ('b', 2), ('ba', 2), ('a', 3)]
0698.2-Add-python-six-to-dependencies ACK
0699.2-Remove-the-unused-pygettext-script ACK
0700.2-Use-six.string_types-instead-of-basestring LGTM, but I need to have a closer look at some places. I noticed a couple of asserts that should be if ... raise ValueError instead. python -O disables asserts. It seems you missed a few basestrings in ipapython/dn.py.
0701.2-Use-Python3-compatible-dict-method-names NACK Why are you replacing iteritems() with items() instead of using six.iteritems()? Please use sorted(reference) instead of sorted(reference.keys()), set(tree) instead of set(tree.keys()) and list(somedict) instead of list(somedict.keys()), too. The keys() call is unnecessary and frowned upon.
0702.2-Replace-filter-calls-with-list-comprehensions In Python 2 list comprehensions leak the internal loop variable. It might be better to write a generator expression with list() instead of [] list comprehension.
0703.2-Use-six.moves.input-instead-of-raw_input ACK The code is fine, but pylint won't like it. For Dogtag I had to disable pylint warnings W0622 and F0401.
0704.2-Use-six.integer_types-instead-of-long-int ACK hint: For type checks you can also use the numbers module. There are still some (int, long)s in ipalib/parameters.py, ipalib/rpc.py, ipalib/util.py, ipapython/cookie.py, ipapython/dn.py and ipapython/ipaldap.py Also, there are bare longs in ipapython/install/cli.py, ipaserver/dcerpc.py, ipaserver/install/ipa_otptoken_import.py and ipatests/test_ipalib/test_parameters.py.
0705.2-Replace-uses-of-map See comment for 0702 It seems you missed a few map()s in ipalib/plugins/certprofile.py, ipalib/plugins/dns.py, ipalib/plugins/sudorule.py and ipatests/test_xmlrpc/test_add_remove_cert_cmd.py.
706.2-Use-next-function-on-iterators ACK These are generator objects in ipapython/install/core.py. I'm not sure what the usual convention is, but I would think that the gen.next() calls should be replaced with gen.send(None) instead of next(gen), so that the generators are accessed consistently using methods (gen.send()/gen.throw()/gen.close()).
0707.2-Use-the-print-function LGTM There are too many chances to review. Let's hope the automatic conversion tool did its job correctly. I see some print statements in ipapython/dn.py.
0708.2-Use-new-style-raise-syntax ACK
0709.2-Use-six.reraise ACK Instead of calling six.reraise from raise_exc_info, could you replace the two occurrences of raise_exc_info(exc_info) with six.reraise(*exc_info) and remove raise_exc_info?
0710.2-Modernize-use-of-range NACK Please use six.moves.range. It defaults to xrange() in Python 2. I also see a couple of additional opportunities for enumerate(): for i in range(len(kw['attrs'])): kw['attrs'][i] = unicode(kw['attrs'][i]) for i, s in enumerate(kw['attrs']): kw['attrs'][i] = unicode(s)
0711.2-Convert-zip-result-to-list ACK The code isn't beautiful but it's just a test. -- Jan Cholasta
Re: [Freeipa-devel] [PATCH 0002] TEST: Stageuser plugin
On 08/20/2015 03:48 PM, Martin Basti wrote: On 08/14/2015 06:32 PM, Lenka Doudova wrote: Yes, that is correct - it's malfunctioning behavior of the plugin - command 'stageuser-add --from-delete', which is discussed in another thread. I left this test case for so long as it's not fixed/changed. If the command remains and is fixed, the test case will be valid, if it's changed I'll fix the test case to reflect the new command. Lenka On 08/14/2015 05:39 PM, Martin Basti wrote: On 08/14/2015 11:04 AM, Lenka Doudova wrote: NACK syntax error, missing ')' -from ipatests.util import assert_equal, assert_not_equal, raises +from ipatests.util import ( +assert_equal, assert_not_equal, raises, assert_deepequal I cannot apply this patch, please check it Sorry for the error, corrected patch attached. I also added two testcases that Thierry proposed, and changed names of few methods (original ones were confusing). Lenka I got this error FAILURES = TestPreserved.test_staged_from_preserved _ self = ipatests.test_xmlrpc.test_stageuser_plugin.TestPreserved object at 0x7ffb94811350, user = ipatests.test_xmlrpc.test_user_plugin.UserTracker object at 0x7ffb949e7190 stageduser = ipatests.test_xmlrpc.test_stageuser_plugin.StageUserTracker object at 0x7ffb94811c50 def test_staged_from_preserved(self, user, stageduser): user.make_preserved_user() stageduser.ensure_missing() stageduser = StageUserTracker(user.uid, user.givenname, user.sn) stageduser.create_from_preserved(user) command = user.make_create_command(from_delete=True) E TypeError: make_create_command() got an unexpected keyword argument 'from_delete' test_xmlrpc/test_stageuser_plugin.py:718: TypeError -- Captured stdout setup -- Ran command: ipalib.plugins.stageuser.stageuser_del()(u'suser1', version=u'2.148'): NotFound: suser1: stage user not found -- Captured stdout call --- Ran command: ipalib.plugins.user.user_add()(u'auser1', givenname=u'active', sn=u'user', version=u'2.148'): OK Ran command: 
ipalib.plugins.user.user_del()(u'auser1', preserve=True, no_preserve=False, version=u'2.148'): OK Martin^2 ACK I cannot apply your patch on top of ipa-4-2 branch, can you send rebased version for ipa-4-2 branch? Attached. Applying works for me on ipa-4-2 branch, so I hope I finally got it right... Also this patch combines my previous patches 0002.3 + 0003. Lenka From 4741d8bfe93e4540ea3f4a7ff731ed90d879dcea Mon Sep 17 00:00:00 2001 From: Lenka Doudova ldoud...@redhat.com Date: Mon, 24 Aug 2015 12:04:03 +0200 Subject: [PATCH] Automated test for stageuser plugin Ticket: https://fedorahosted.org/freeipa/ticket/3813 Test plan: http://www.freeipa.org/page/V4/User_Life-Cycle_Management/Test_Plan --- ipatests/test_xmlrpc/test_group_plugin.py | 199 +- ipatests/test_xmlrpc/test_stageuser_plugin.py | 888 ++ ipatests/test_xmlrpc/test_user_plugin.py | 340 +- 3 files changed, 1421 insertions(+), 6 deletions(-) create mode 100644 ipatests/test_xmlrpc/test_stageuser_plugin.py diff --git a/ipatests/test_xmlrpc/test_group_plugin.py b/ipatests/test_xmlrpc/test_group_plugin.py index af9e653ff2d1accca99a859ba88beb16f278d4a8..d668b399e8c8398005f5dd1e26620c896fe51ab4 100644 --- a/ipatests/test_xmlrpc/test_group_plugin.py +++ b/ipatests/test_xmlrpc/test_group_plugin.py @@ -21,13 +21,21 @@ Test the `ipalib/plugins/group.py` module. +import functools +import pytest + from ipalib import api, errors from ipatests.test_xmlrpc import objectclasses from xmlrpc_test import (Declarative, fuzzy_digits, fuzzy_uuid, fuzzy_set_ci, - add_sid, add_oc) + add_sid, add_oc, XMLRPC_test, raises_exact) from ipapython.dn import DN from ipatests.test_xmlrpc.test_user_plugin import get_user_result +from ipatests.test_xmlrpc.ldaptracker import Tracker +from ipatests.test_xmlrpc.test_user_plugin import UserTracker +from ipatests.util import assert_deepequal + + group1 = u'testgroup1' group2 = u'testgroup2' group3 = u'testgroup3' 
@@ -1146,4 +1154,191 @@ class test_group_full_set_of_objectclass_not_available_post_detach(Declarative): }, ),
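Review bot: in the first hunk, `import functools` and `import pytest` are added at module top but neither is used in any of the lines shown; if they are needed only by the classes added in the `@@ -1146,4 +1154,191 @@` hunk (which is cut off in this message), that is fine, otherwise pylint will flag them as unused imports. Also, `from ipatests.test_xmlrpc.test_user_plugin import UserTracker` is introduced as a new statement right after the existing `from ipatests.test_xmlrpc.test_user_plugin import get_user_result`; merging them into one `from ipatests.test_xmlrpc.test_user_plugin import get_user_result, UserTracker` avoids importing from the same module twice.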
Re: [Freeipa-devel] [PATCH] 0196 trusts: format Kerberos principal properly when fetching trust topology
On 24.8.2015 10:44, Tomas Babej wrote:
On 08/20/2015 02:21 PM, Alexander Bokovoy wrote: Hi, one more fix for the problem with trusts that Scott Poore found when verifying fixes to bug https://bugzilla.redhat.com/show_bug.cgi?id=1250190 Details are in the commit message. ACK, this fixes the issue in case of two-way trusts. $ echo Secret123456 | ipa trust-add --type=ad ad.test --range-type ipa-ad-trust --admin Administrator --password --two-way=TRUE Added Active Directory trust for realm ad.test Realm name: ad.test Domain NetBIOS name: AD ... Trust direction: Two-way trust Trust type: Active Directory domain Trust status: Established and verified $ ipa idrange-find 3 ranges matched Range name: AD.TEST_id_range ... Range type: Active Directory domain range Range name: IPA.TEST_id_range ... Range type: local domain range Range name: SUB.AD.TEST_id_range ... Range type: Active Directory domain range Number of entries returned 3 Tomas Pushed to: master: 1255dbf2fde068787d711c1fb60946a254d1782c ipa-4-2: e13a5ed26e96436d4a7ebb2329f7f9666581008d -- Jan Cholasta
[Freeipa-devel] [PATCH 0006] Fixed installation failures
Hi all. The current issue [1] effectively blocks testing of 4.2 branch. Here is (one of the possible) solution, that proved to work. [1] https://www.redhat.com/archives/freeipa-devel/2015-August/msg00085.html -- Oleg Fayans Quality Engineer FreeIPA team RedHat. From a1cad62c373009dd78d5ef7e4c978e3dda728f87 Mon Sep 17 00:00:00 2001 From: Oleg Fayans ofay...@redhat.com Date: Mon, 24 Aug 2015 12:52:07 +0200 Subject: [PATCH] Fixed installation failure --- freeipa.spec.in | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index 57d3d26e94aab6267143793943268175ed440586..6a3c2af80c1e6de8a782527c9ab4c76b20ebc2bd 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -169,7 +169,7 @@ Obsoletes: %{alt_name}-server %{version} Obsoletes: freeipa-server-selinux 3.3.0 # upgrade path from monolithic -server to -server + -server-dns -Obsoletes: %{name}-server = 4.2.0 +Obsoletes: %{name}-server = 4.2.0-0.0 # Versions of nss-pam-ldapd 0.8.4 require a mapping from uniqueMember to # member. @@ -206,7 +206,7 @@ Conflicts: %{alt_name}-server-dns Obsoletes: %{alt_name}-server-dns %{version} # upgrade path from monolithic -server to -server + -server-dns -Obsoletes: %{name}-server = 4.2.0 +Obsoletes: %{name}-server = 4.2.0-0.0 %description server-dns IPA integrated DNS server with support for automatic DNSSEC signing. -- 2.4.3
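Review bot: both hunks change the same `Obsoletes: %{name}-server` bound from `4.2.0` to `4.2.0-0.0` (once in the `server` subpackage, once in `server-dns`), and the comparison operator is not visible in the rendered lines (they read `= 4.2.0-0.0`); an exact-match Obsoletes would cover only a single build, so please double-check that the spec actually carries a `<`-style bound, as the `upgrade path from monolithic -server` comment implies. Since the two lines must stay in sync, defining the bound once with `%global` and referencing it in both places would stop them drifting apart. The commit message (`Fixed installation failure`) also does not record why `-0.0` is the right release bound; a sentence in the spec comment naming the release values it is meant to exclude would help whoever touches this next.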
Re: [Freeipa-devel] Unable to install bits from ipa-4-2 branch
Hi,
On 08/18/2015 11:37 AM, Jan Cholasta wrote:
On 17.8.2015 16:47, Milan Kubík wrote:
On 08/17/2015 04:44 PM, Milan Kubík wrote:
On 08/17/2015 10:23 AM, Martin Basti wrote:
On 08/12/2015 01:10 PM, Milan Kubík wrote:
On 08/10/2015 04:41 PM, Jan Cholasta wrote:
On 10.8.2015 at 16:03 Milan Kubík wrote: Forwarded Message Subject: Re: [Freeipa-devel] Unable to install bits from ipa-4-2 branch Date: Mon, 10 Aug 2015 15:55:35 +0200 From: Jan Cholasta jchol...@redhat.com To: Milan Kubík mku...@redhat.com CC: Martin Kosek mko...@redhat.com
On 10.8.2015 at 15:31 Milan Kubík wrote:
On 08/10/2015 03:22 PM, Jan Cholasta wrote:
On 7.8.2015 at 09:17 Martin Kosek wrote:
On 08/07/2015 08:46 AM, Jan Cholasta wrote:
On 7.8.2015 at 08:44 Martin Kosek wrote:
On 08/06/2015 05:26 PM, Milan Kubík wrote: Hi list, I just noticed that the bits built from ipa-4-2 branch cannot be installed. The freeipa packages built have version such as freeipa-server-dns-4.2.0-0.20150806083844Zjenkins9git2812242.fc22.x86_64 The version check in the spec file makes the server-dns package obsolete the server package from the same build. The cause is the commit [1]. This issue blocks us from running tests on ipa-4-2 branch. Should we bump the minor version on this branch to 4.2.1? [1]: https://git.fedorahosted.org/cgit/freeipa.git/commit/?id=f555fe95dba9ec453fa10f160089dcc5404f724a Cheers, Milan Why does the spec call for # upgrade path from monolithic -server to -server + -server-dns Obsoletes: %{name}-server = 4.2.0 and not for # upgrade path from monolithic -server to -server + -server-dns Obsoletes: %{name}-server 4.2.0 ? Is that the root cause of these issues? AFAIK this would break updates from 4.2.0 to 4.2.1. I wonder how it could break the upgrade... Patch attached. This won't help as long as we build something like freeipa-server-dns-4.2.0-0.20150810111037Zjenkins11gitad6a87e Right. Updated patch attached.
It will break updates from pre-server-dns git builds, but install should be fine. -- Jan Cholasta ACK, thanks. Self-NACK, as this also breaks updates from freeipa-4.2.0-0 from the freeipa-4.2 COPR. Updated patch attached. Hi, thanks for the patch. It works as far as updating from 4.1, the copr build (correctly replaces freeipa-server package) as well as upgrade from earlier build from repository. If there are no objections, ACK from me. Milan Pushed to ipa-4-2: 5d5240b9db3b9e6f29351c65272a363b253cd2d3 Ok, while checking this manually it seemed to work, the jenkins build names the package in a way that produces this error. The patch has no effect in automation, unfortunately. The build on jenkins adds the release version, when built manually, the name is xyz.4.2.0.DATE+hash-string. Error: package freeipa-server-dns-4.2.0-0.20150817084102Zjenkins28git5d5240b.fc22.x86_64 obsoletes freeipa-server = 4.2.0.0 provided by freeipa-server-4.2.0-0.20150817084102Zjenkins28git5d5240b.fc22.x86_64 Late answer to Lukas, this is n:m scenario. I'm not sure what to do if one subpackage retains the original name, though. That being said, I can change the schema by which jenkins marks release version on the rpms it builds. This will provide a hacky way around this issue by creating 4.2.0.2015... provided by the timestamp. This is the scheme used by make rpms, so I'd say go for it. Otherwise, changing the Obsoletes line to: Obsoletes: %{name}-server = 4.2.0.0-0.0 should fix it. The problem is still observed. I am not sure how we can change the naming scheme of the packages (freeipa-4.2.0-2015* to freeipa-4.2.0.2015*). Could we implement the change in freeipa.spec.in, proposed by Jan? I mean, Obsoletes: %{name}-server = 4.2.0.0-0.0 -- Oleg Fayans Quality Engineer FreeIPA team RedHat.
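Added example for the two Obsoletes discussions above (the `freeipa.spec.in` patch and this thread); it is my own reimplementation of RPM's version ordering (the `rpmvercmp` algorithm and epoch:version-release comparison), not rpm's code or FreeIPA's, written so the candidate bounds from the thread can be checked offline. The comparison operator on the quoted `Obsoletes:` lines did not survive the mail rendering (they read `= 4.2.0`), so `obsoleted_by()` takes the operator's strictness as a parameter; the EVRs it is run against are the jenkins build name from the error message above and the `freeipa-4.2.0-0` COPR build mentioned earlier in the thread.

```python
# Added example: a reimplementation of RPM's rpmvercmp() and EVR ordering,
# not rpm's own code or FreeIPA code.  Used to check how the Obsoletes
# bounds proposed in the thread compare against the build names it quotes.
import re

_SEP = re.compile(r'[^0-9A-Za-z~^]*')   # separators rpm skips over
_NUM = re.compile(r'[0-9]+')
_ALPHA = re.compile(r'[A-Za-z]+')


def rpmvercmp(a, b):
    """Order two version (or release) strings the way RPM does.

    Returns -1 if a is older, 0 if equal, 1 if a is newer.  Segments are
    runs of digits or letters; separators are ignored; numeric segments
    compare numerically and beat alphabetic ones; '~' sorts before the end
    of the string (pre-releases) and '^' after it (post-releases).
    """
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        i = _SEP.match(a, i).end()
        j = _SEP.match(b, j).end()
        ta, tb = a.startswith('~', i), b.startswith('~', j)
        if ta or tb:
            if not ta:
                return 1
            if not tb:
                return -1
            i, j = i + 1, j + 1
            continue
        ca, cb = a.startswith('^', i), b.startswith('^', j)
        if ca or cb:
            if i >= len(a):
                return -1
            if j >= len(b):
                return 1
            if not ca:
                return 1
            if not cb:
                return -1
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        if '0' <= a[i] <= '9':
            isnum, ma, mb = True, _NUM.match(a, i), _NUM.match(b, j)
        else:
            isnum, ma, mb = False, _ALPHA.match(a, i), _ALPHA.match(b, j)
        if mb is None:
            return 1 if isnum else -1        # numeric beats alphabetic
        sa, sb = ma.group(), mb.group()
        i, j = ma.end(), mb.end()
        if isnum:
            sa, sb = sa.lstrip('0'), sb.lstrip('0')
            if len(sa) != len(sb):           # longer number is larger
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1          # leftover characters win


def parse_evr(evr):
    """Split 'epoch:version-release' into (int epoch, version, release|None)."""
    epoch = 0
    if ':' in evr:
        e, evr = evr.split(':', 1)
        epoch = int(e)
    version, sep, release = evr.rpartition('-')
    if not sep:                               # no release part at all
        return epoch, release, None
    return epoch, version, release


def compare_evr(a, b):
    """Compare two EVRs; like rpm, skip the release when either side lacks one."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    rc = rpmvercmp(va, vb)
    if rc != 0 or ra is None or rb is None:
        return rc
    return rpmvercmp(ra, rb)


def obsoleted_by(pkg_evr, bound_evr, inclusive=False):
    """Would 'Obsoletes: name < bound' ('<=' when inclusive) match pkg_evr?"""
    rc = compare_evr(pkg_evr, bound_evr)
    return rc < 0 or (inclusive and rc == 0)


if __name__ == '__main__':
    jenkins = '4.2.0-0.20150817084102Zjenkins28git5d5240b.fc22'  # from the thread
    copr = '4.2.0-0'                                              # from the thread
    for bound in ('4.2.0', '4.2.0.0', '4.2.0-0.0', '4.2.0.0-0.0'):
        print('%-12s jenkins<%s: %-5s copr<%s: %s' % (bound, bound,
              obsoleted_by(jenkins, bound), bound, obsoleted_by(copr, bound)))
```

Running it shows why the release part matters: the jenkins build `4.2.0-0.20150817084102Zjenkins28git5d5240b.fc22` sorts below both `4.2.0.0` and `4.2.0.0-0.0`, because version `4.2.0` loses to `4.2.0.0` before the release is looked at, but above `4.2.0-0.0`, while the COPR build `4.2.0-0` sorts below `4.2.0-0.0`. A strict bound of `4.2.0-0.0` therefore leaves the timestamped git builds alone and still covers the `-0` COPR build.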
Re: [Freeipa-devel] [PATCH] 0196 trusts: format Kerberos principal properly when fetching trust topology
On 08/20/2015 02:21 PM, Alexander Bokovoy wrote: Hi, one more fix for the problem with trusts that Scott Poore found when verifying fixes to bug https://bugzilla.redhat.com/show_bug.cgi?id=1250190 Details are in the commit message. ACK, this fixes the issue in case of two-way trusts. $ echo Secret123456 | ipa trust-add --type=ad ad.test --range-type ipa-ad-trust --admin Administrator --password --two-way=TRUE Added Active Directory trust for realm ad.test Realm name: ad.test Domain NetBIOS name: AD ... Trust direction: Two-way trust Trust type: Active Directory domain Trust status: Established and verified $ ipa idrange-find 3 ranges matched Range name: AD.TEST_id_range ... Range type: Active Directory domain range Range name: IPA.TEST_id_range ... Range type: local domain range Range name: SUB.AD.TEST_id_range ... Range type: Active Directory domain range Number of entries returned 3 Tomas
Re: [Freeipa-devel] [PATCH] small fixes related to running dnssec tests in RHEL
Hi, Could anyone review this. We are really blocked with testing on RHEL and Patch 0005 fixes it. Thank you.
On 08/21/2015 10:52 AM, Oleg Fayans wrote: Hi list, Here are the fixes for https://fedorahosted.org/freeipa/ticket/5240 plus pep8-related fixes, plus created a user-friendly error message at import error. obsoletes my previous patch -- Oleg Fayans Quality Engineer FreeIPA team RedHat.
[Freeipa-devel] Adding client-side functionality in Vault
Hi, Recently I posted the following patches which are still pending review:
* 371-2: Added support for changing vault encryption.
* 375-1: Added mechanism to copy vault secrets.
Here are the tickets:
* https://fedorahosted.org/freeipa/ticket/5176
* https://fedorahosted.org/freeipa/ticket/5223
These patches add new functionality to the following commands:
* vault-mod: changing vault encryption
* vault-archive: copying a secret from a vault into an existing vault
* vault-add: copying a secret from a vault into a new vault
The changes are quite similar. In order to change the vault encryption or to copy the vault secret, the old secret has to be retrieved with the old encryption parameters, then the secret will be rearchived with the new encryption parameters. The thing is these operations have to be done on the client side since the encryption/decryption is done using a key only known to the client. This also means that even if the server is upgraded, someone using an old client will not be able to utilize the new functionality unless the client is upgraded too. Also, the old vault-mod actually has a bug because it will update the vault encryption attributes without rearchiving the secret. Should we require old clients to upgrade? Or should we continue to accept old clients, but the buggy operation will now be rejected? Is this considered breaking backward compatibility? Thanks. -- Endi S. Dewata
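A model of the retrieve-then-rearchive sequence described above and of the vault-mod bug it contrasts with, added here as an example; it is not FreeIPA's vault implementation, and the names (`Vault`, `archive`, `retrieve`, `change_encryption*`, `copy_secret`) are mine. The client derives its key from a password plus the vault's public encryption attributes (salt and KDF iteration count); the server holds only those attributes and the encrypted blob. The cipher is a deliberately minimal stdlib-only construction (HMAC-SHA256 keystream plus an HMAC tag) chosen so the example runs anywhere; it stands in for the real symmetric encryption.

```python
# Added example modelling the vault-mod discussion above.  Not FreeIPA code;
# all names are my own.  The toy cipher exists only so the example runs with
# the standard library and is not a construction to deploy.
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def derive_key(password, salt, iterations):
    """Client-side key derivation from the password and the vault's attributes."""
    return hashlib.pbkdf2_hmac('sha256', password, salt, iterations, dklen=32)


def _keystream(key, nonce, length):
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, 'big'), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def encrypt(key, plaintext):
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        # Wrong key: the blob was archived under different parameters.
        raise ValueError('vault data does not verify with these parameters')
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class Vault:
    """What the server stores: public encryption attributes plus the blob."""

    def __init__(self, salt, iterations):
        self.salt = salt
        self.iterations = iterations
        self.data = None


def archive(vault, password, secret):
    vault.data = encrypt(derive_key(password, vault.salt, vault.iterations), secret)


def retrieve(vault, password):
    return decrypt(derive_key(password, vault.salt, vault.iterations), vault.data)


def can_retrieve(vault, password):
    try:
        retrieve(vault, password)
    except ValueError:
        return False
    return True


def change_encryption_buggy(vault, new_salt, new_iterations):
    """The old vault-mod behaviour: attributes change, the blob does not."""
    vault.salt, vault.iterations = new_salt, new_iterations


def change_encryption(vault, old_password, new_password, new_salt, new_iterations):
    """Retrieve with the old parameters, then re-archive with the new ones."""
    secret = retrieve(vault, old_password)
    vault.salt, vault.iterations = new_salt, new_iterations
    archive(vault, new_password, secret)


def copy_secret(src, src_password, dst, dst_password):
    """vault-archive / vault-add style copy: decrypt from src, archive into dst."""
    archive(dst, dst_password, retrieve(src, src_password))


def demo():
    """Run both variants on constructed data; returns (buggy_ok, fixed_ok, copy_ok)."""
    v = Vault(b'salt-one', 2000)
    archive(v, b'old password', b'database credentials')   # constructed secret
    change_encryption_buggy(v, b'salt-two', 4000)
    buggy_ok = can_retrieve(v, b'old password')              # blob is now orphaned

    w = Vault(b'salt-one', 2000)
    archive(w, b'old password', b'database credentials')
    change_encryption(w, b'old password', b'new password', b'salt-two', 4000)
    fixed_ok = retrieve(w, b'new password') == b'database credentials'

    x = Vault(b'salt-three', 2000)
    copy_secret(w, b'new password', x, b'third password')
    copy_ok = retrieve(x, b'third password') == b'database credentials'
    return buggy_ok, fixed_ok, copy_ok


if __name__ == '__main__':
    print('buggy mod retrievable, fixed mod retrievable, copy retrievable:', demo())
```

The buggy variant leaves a blob the server still advertises as a vault but that no key derivable from the stored attributes can open, which is exactly why the rearchive has to happen on the client that holds the old key; the server never sees either key and cannot perform the conversion itself.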
[Freeipa-devel] [PATCH] 0040 certprofile: prevent rename (modrdn)
The attached patch fixes https://fedorahosted.org/freeipa/ticket/5247. Thanks, Fraser From 2cb4ab6eeedccc3471ed9bf983add4687ecd5c1a Mon Sep 17 00:00:00 2001 From: Fraser Tweedale ftwee...@redhat.com Date: Mon, 24 Aug 2015 20:25:10 -0400 Subject: [PATCH] certprofile: prevent rename (modrdn) Fixes: https://fedorahosted.org/freeipa/ticket/5247 --- ipalib/plugins/certprofile.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/ipalib/plugins/certprofile.py b/ipalib/plugins/certprofile.py index 007cc543406b7e5705fd7474f3685cd6a9ce6aca..a0ffa38608400860994c771e4eba81304ead27be 100644 --- a/ipalib/plugins/certprofile.py +++ b/ipalib/plugins/certprofile.py @@ -323,8 +323,9 @@ class certprofile_mod(LDAPUpdate): def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): ca_enabled_check() # Once a profile id is set it cannot be changed -if 'cn' in entry_attrs: -raise errors.ACIError(info=_('cn is immutable')) +if 'rename' in options or 'cn' in entry_attrs: +raise errors.ProtectedEntryError(label='certprofile', key=keys[0], +reason=_('Certificate profiles cannot be renamed')) if 'file' in options: with self.api.Backend.ra_certprofile as profile_api: profile_api.disable_profile(keys[0]) -- 2.4.3
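Review bot: the exception type changes from `errors.ACIError` to `errors.ProtectedEntryError`, so clients that try to modify `cn` now receive a different error code and message than before; that is user-visible behaviour and deserves a line in the commit message (which currently carries only the `Fixes:` ticket link) plus a test exercising both the `--rename` option (`'rename' in options`) and a direct `cn` change in `entry_attrs`. The new `raise` also replaces the previous `info=_('cn is immutable')` text with `reason=_('Certificate profiles cannot be renamed')`; confirm no existing test asserts on the old message.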