Re: [Freeipa-devel] [PATCHES] from Debian

2015-10-06 Thread Martin Basti



On 10/05/2015 05:46 PM, Martin Basti wrote:



On 10/05/2015 03:41 PM, Timo Aaltonen wrote:

On 05.10.2015 16:37, Martin Basti wrote:


On 10/05/2015 03:31 PM, Simo Sorce wrote:

On 05/10/15 09:08, Timo Aaltonen wrote:

 Hi

Here are a few prep patches to get off the list before getting to
discuss how to add Debian platform support..


LGTM.

Simo.



IMO this should be written in this way (I didn't test)

ipautil.run([paths.GENERATE_RNDC_KEY])

Yes you're right, here's an updated version.




ACK

Pushed to master: 7059117ec32bfad8ec802d472b0f7d2b6cb12d2a


Pushed to ipa-4-2: b8a2104fb55026275067bb3d8732dbf5612bb2e8

The elders of FreeIPA decided that this should go to ipa-4-2 too

https://fedorahosted.org/freeipa/ticket/5343

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] [PATCHES 0069-0077] support for proper Kerberos principal canonicalization

2015-10-06 Thread Jakub Hrozek
On Tue, Oct 06, 2015 at 08:32:29AM -0400, Simo Sorce wrote:
> On 06/10/15 08:04, David Kupka wrote:
> >On 06/10/15 13:35, Simo Sorce wrote:
> >>On 06/10/15 03:51, thierry bordaz wrote:
> >>>On 10/06/2015 07:19 AM, David Kupka wrote:
> On 05/10/15 16:12, Simo Sorce wrote:
> >On 05/10/15 09:00, Martin Babinsky wrote:
> >>These patches implement the plumbing required to properly support
> >>canonicalization of Kerberos principals (
> >>https://fedorahosted.org/freeipa/ticket/3864).
> >>
> >>Setting multiple principal aliases on hosts/services is beyond the
> >>scope
> >>of this patchset and should be done after these patches are pushed.
> >>
> >>I will try to send some tests for the patches later this week.
> >>
> >>Please review the hell out of them.
> >
> >LGTM, I do not see any issue at quick visual inspection.
> >What about the performance regression with the indexes ? Is that bug
> >fixed in 389ds ?
> >
> >Simo.
> >
> >
> 
> The issue is still there. Thierry investigated this in 389 DS and IIUC
> he is not sure if it's a bug or a completely missing feature. Therefore we
> still don't know how much time is needed there.
> 
> >>>Hi,
> >>>that is correct.
> >>>I can reproduce the problem. Although the matching rule (in my test
> >>>caseIgnoreIA5Match) is found, it has no registered indexing function, so
> >>>the setting (nsMatchingRule) is ignored.
> >>>I do not know if the indexing function is missing or there is a bug so
> >>>that the matching rule "forget" to register it.
> >>>This feature is documented but I can not find any QA test around it, so
> >>>I do not know yet if it is a regression or if it was not enabled at all.
> >>>
> >>>I do not expect rapid progress on it. How urgent is it ? 7.3 ?
> >>>For the moment I can think of only two workarounds:
> >>>
> >>>  * use filtered matching rule (preferred)
> >>>  * change the attribute syntax/matching rule, in the schema (I would
> >>>discourage this one because changing the schema is risky)
> >>
> >>We can't change the syntax at this point.
> >>
> >>Well this patchset is blocked until the 389 ds bug is fixed (the
> >>performance regression is too big to just put it in and hope) so I guess
> >>we'll have to negotiate a time for the fix.
> >>
> >>Simo.
> >>
> >
> >I agree that we really shouldn't change schema.
> >
> >But I don't think the patches are necessarily blocked by this issue.
> >Canonicalization was never supported in FreeIPA and when it is not
> >requested the performance is not affected at all. We could merge patches
> >as soon as they're carefully reviewed and tested to avoid tedious
> >rebasing and start using the new functionality when 389 DS gets fixed.
> 
> The fact we didn't do canonicalization this way doesn't mean clients aren't
> asking for it.
> 
> I think Windows clients ask for canonicalization by default, and in SSSD I
> see we turn on by default krb5_canonicalize in the IPA and LDAP case (oddly
> enough not in the AD case ?)
> 
> So SSSD's authentication requests would end up hitting this case all the
> time if I am reading the code correctly (CCed Jakub to confirm/dispel this).

We ask for canonicalization always in IPA and LDAP, but also whenever
enterprise principals are used, which is true for AD provider.



Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-10-06 Thread Jan Pazdziora
On Mon, Oct 05, 2015 at 09:47:14AM -0400, Simo Sorce wrote:
> On 05/10/15 09:42, Oleg Fayans wrote:
> >1. At one point ipa-replica-install on a configured client has thrown
> >the following error:
> >
> >Configuring ipa-custodia
> >   [1/5]: Generating ipa-custodia config file
> >   [2/5]: Generating ipa-custodia keys
> >   [3/5]: Importing RA Key
> >   [error] HTTPError: 502 Server Error: Proxy Error
> >Your system may be partly configured.
> >Run /usr/sbin/ipa-server-install --uninstall to clean up.
> >
> >ipa.ipapython.install.cli.install_tool(Replica): ERROR502 Server
> >Error: Proxy Error
> >
> >(corresponding part of the error log of dirsrv attached)
> 
> Seems like the peer server was unreachable ?
> Was there a networking problem ?

I've hit the same issue, during demo today, on a third replica I was
creating. I was using four VMs on my laptop so no networking issue
should have caused that.

On the replica (being promoted), /var/log/ipareplica-install.log ends with

On the master, in the error_log, I see

[Tue Oct 06 13:22:33.196769 2015] [wsgi:error] [pid 10789] ipa: INFO: 
[jsonserver_session] ad...@example.test: 
service_add(u'HTTP/ipa-4.example.t...@example.test', version=u'2.112'): SUCCESS
[Tue Oct 06 13:22:39.231882 2015] [wsgi:error] [pid 10788] ipa: INFO: 
[xmlserver] host/ipa-4.example.t...@example.test: 
cert_request(u'MIIDWDCCAkACAQAwHTEbMBkGA1UEAxMSaXBhLTQuZXhhbXBsZS50ZXN0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAn1pFdI1FuH1ad882x27i+oi3alabIt1hZjeGyT2zfEWaLajgAcDtT1RjWWFzrWtn9YJAe+3cm7R21MI8eFS1aCBlPaRgBLtefaakQy99k8p3IC8LwZxX9bvPPTuZVuF73DYXmaQAgpe/W7TLhCSFwZqht5D8aG0B7qm2E+mpclqKdlbk9egq8K8zFxs4mbLAuEd95wpSBJWnuaTPwRzrjpniCdl5OFof+ImTIMTVS6+5RUxB6KCi5WpGLbrAZWpHZ80a+weo0RK098r1GMT7LSTTZvOmJ22d15Ub0vQXTqVgAMVtt221vEZ1ZhRsLTbeh89JsDKOonNWk6VwOsYHnQIDAQABoIH1MCUGCSqGSIb3DQEJFDEYHhYAUwBlAHIAdgBlAHIALQBDAGUAcgB0MIHLBgkqhkiG9w0BCQ4xgb0wgbowgYcGA1UdEQEBAAR9MHugNAYKKwYBBAGCNxQCA6AmDCRIVFRQL2lwYS00LmV4YW1wbGUudGVzdEBFWEFNUExFLlRFU1SgQwYGKwYBBQICoDkwN6AOGwxFWEFNUExFLlRFU1ShJTAjoAMCAQGhHDAaGwRIVFRQGxJpcGEtNC5leGFtcGxlLnRlc3QwDAYDVR0TAQH/BAIwADAgBgNVHQ4BAQAEFgQUZsVqOSFYBWZnFs42WMXGAag8w20wDQYJKoZIhvcNAQELBQADggEBAJDlTLM1Iyb4We61xIXttSReAbi0seO/ZevSiPN+orHdr+YLSD!
 
pbS6CSXm5X9Asvlo8iu0iRFrj/CUJAyPu+M7v+lfr3VwrKErycrczt5O4xgGPGfs0XODSlwQOG57SUyQyLXdyLPJtks/ah/LkfbCevew0cjhSnjEN7RpbV6Azh05vMyzF6J7NXlRLFzDDcz099Tug4Siuwsi/Y3AD0b+IR6I1ZOfLKzzzSEu+sC32JzaVythN3TbPqjeyGy/on3JsQTlznzn2LEVVoPioyF1oHyI7hG1OheTNjCoZXgfJUp1Ftct6YhsfhzglORcbmqDL00DdCU/789G5IworCCYo=',
 principal=u'HTTP/ipa-4.example.t...@example.test', add=True, version=u'2.51'): 
SUCCESS
[Tue Oct 06 13:22:47.652434 2015] [proxy_http:error] [pid 1394] (20014)Internal 
error: [client 192.168.100.229:49031] AH01102: error reading status line from 
remote server httpd-UDS:0
[Tue Oct 06 13:22:47.652476 2015] [proxy:error] [pid 1394] [client 
192.168.100.229:49031] AH00898: Error reading from remote server returned by 
/ipa/keys/ra/ipaCert
[Tue Oct 06 13:24:31.017069 2015] [wsgi:error] [pid 10789] ipa: INFO: 
[jsonserver_kerb] ad...@example.test: ping(): SUCCESS

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
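
Reading the error_log excerpt above, the proxy_http line (AH01102) says the backend behind the Unix-domain socket never returned a status line, and the proxy line (AH00898) names the request that failed as a result, here the fetch of /ipa/keys/ra/ipaCert. The Python below is an added example, not code from the thread or from FreeIPA: it parses error_log lines of this shape and pairs the two records per worker pid and client, so a 502 seen on the replica can be tied to the exact proxied path on the master. The sample lines are reconstructed from the excerpt with wrapped lines rejoined and the archive-masked principal replaced by a constructed placeholder; the function and field names are my own.

```python
import re
from collections import namedtuple

# Shape of an Apache 2.4 error_log line as it appears in the thread:
# [<timestamp>] [<module>:<level>] [pid <n>] [client <ip:port>] AH<code>: <message>
# The "[client ...]" part and the AHnnnnn code are present only on some lines.
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] '
    r'\[(?P<module>[a-z_0-9]+):(?P<level>[a-z]+)\] '
    r'\[pid (?P<pid>\d+)\] '
    r'(?P<rest>.*)$')
CLIENT_RE = re.compile(r'\[client (?P<client>[^\]]+)\] ?')
CODE_RE = re.compile(r'\b(?P<code>AH\d{5}): ')

Event = namedtuple('Event', 'ts module level pid client code message')

# Constructed sample, reconstructed from the thread's excerpt (wrapped lines
# rejoined; the masked principal replaced by a placeholder).
SAMPLE_LOG = """\
[Tue Oct 06 13:22:33.196769 2015] [wsgi:error] [pid 10789] ipa: INFO: [jsonserver_session] user@EXAMPLE.TEST: service_add(u'HTTP/ipa-4.example.test@EXAMPLE.TEST', version=u'2.112'): SUCCESS
[Tue Oct 06 13:22:47.652434 2015] [proxy_http:error] [pid 1394] (20014)Internal error: [client 192.168.100.229:49031] AH01102: error reading status line from remote server httpd-UDS:0
[Tue Oct 06 13:22:47.652476 2015] [proxy:error] [pid 1394] [client 192.168.100.229:49031] AH00898: Error reading from remote server returned by /ipa/keys/ra/ipaCert
[Tue Oct 06 13:24:31.017069 2015] [wsgi:error] [pid 10789] ipa: INFO: [jsonserver_kerb] user@EXAMPLE.TEST: ping(): SUCCESS
"""


def parse_line(line):
    """Parse one error_log line into an Event, or return None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m.group('rest')
    client = None
    cm = CLIENT_RE.search(rest)
    if cm:
        client = cm.group('client')
        rest = rest[:cm.start()] + rest[cm.end():]
    code = None
    km = CODE_RE.search(rest)
    if km:
        code = km.group('code')
        rest = rest[km.end():]          # keep only the text after the AH code
    return Event(m.group('ts'), m.group('module'), m.group('level'),
                 int(m.group('pid')), client, code, rest.strip())


def parse_error_log(lines):
    return [ev for ev in (parse_line(l) for l in lines) if ev is not None]


def proxy_failures(events):
    """Pair each AH00898 (request failed) with the preceding AH01102 (backend
    gave no status line) from the same worker pid and client, and pull out the
    proxied path and the backend that did not answer."""
    failures = []
    last_backend_error = {}           # (pid, client) -> Event
    for ev in events:
        key = (ev.pid, ev.client)
        if ev.code == 'AH01102':
            last_backend_error[key] = ev
        elif ev.code == 'AH00898':
            pm = re.search(r'returned by (\S+)', ev.message)
            cause = last_backend_error.get(key)
            bm = re.search(r'remote server (\S+)', cause.message) if cause else None
            failures.append({
                'ts': ev.ts, 'pid': ev.pid, 'client': ev.client,
                'path': pm.group(1) if pm else None,
                'backend': bm.group(1) if bm else None,
            })
    return failures


if __name__ == '__main__':
    for failure in proxy_failures(parse_error_log(SAMPLE_LOG.splitlines())):
        print('%(ts)s pid=%(pid)d client=%(client)s backend=%(backend)s '
              'failed request for %(path)s' % failure)
```

Pairing on (pid, client) rather than on timestamp alone matters once several workers serve overlapping requests; the AH01102 record carries the backend name and the AH00898 record carries the path, so neither alone answers "which endpoint of which backend failed".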



Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-10-06 Thread Jan Pazdziora
On Tue, Oct 06, 2015 at 12:26:14PM -0400, Simo Sorce wrote:
> 
> Was custodia running ?
> Can you check its log file ?

/etc/ipa/custodia/custodia.conf suggests

auditlog = /var/log/ipa-custodia.audit.log

but that file does not exist at all. So either it was not running,
or it failed to create that log file.

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat



Re: [Freeipa-devel] [PATCH 0058] Avoid ipa-dnskeysync-replica & ipa-ods-exporter crashes caused by exceeding LDAP limit

2015-10-06 Thread Martin Basti



On 10/06/2015 09:46 AM, Petr Spacek wrote:

Hello,

Avoid ipa-dnskeysync-replica & ipa-ods-exporter crashes caused by exceeding
LDAP limits.

https://bugzilla.redhat.com/show_bug.cgi?id=1268027


NACK

* Module ipa-dnskeysync-replica
daemons/dnssec/ipa-dnskeysync-replica:156: [E0602(undefined-variable), ] 
Undefined variable 'api')

* Module ipa-ods-exporter
daemons/dnssec/ipa-ods-exporter:505: [E0602(undefined-variable), ] 
Undefined variable 'api')




Re: [Freeipa-devel] [PATCH 0058] Avoid ipa-dnskeysync-replica & ipa-ods-exporter crashes caused by exceeding LDAP limit

2015-10-06 Thread Petr Spacek
On 6.10.2015 10:10, Martin Basti wrote:
> On 10/06/2015 09:46 AM, Petr Spacek wrote:
>> Hello,
>>
>> Avoid ipa-dnskeysync-replica & ipa-ods-exporter crashes caused by exceeding
>> LDAP limits.
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=1268027
>>
> NACK
> 
> * Module ipa-dnskeysync-replica
> daemons/dnssec/ipa-dnskeysync-replica:156: [E0602(undefined-variable), ]
> Undefined variable 'api')
> * Module ipa-ods-exporter
> daemons/dnssec/ipa-ods-exporter:505: [E0602(undefined-variable), ] Undefined
> variable 'api')

Sorry, I'm an idiot. Fixed patch is attached.

-- 
Petr^2 Spacek
From e3eef31e37ee67555b7a913342c79f30a35d5ea5 Mon Sep 17 00:00:00 2001
From: Petr Spacek 
Date: Tue, 6 Oct 2015 09:43:43 +0200
Subject: [PATCH] Avoid ipa-dnskeysync-replica & ipa-ods-exporter crashes
 caused by exceeding LDAP limits

ldap2 internally does LDAP search to find out what LDAP search limits
should be used (!). The problem is that this internal search has hardcoded
limits and throws LimitExceeded exception when DS is too slow.

DNSSEC daemons do not need any abstractions from ldap2 so we are going
to use ipaldap directly. This will avoid the unnecessary search and
associated risks.

https://bugzilla.redhat.com/show_bug.cgi?id=1268027
---
 daemons/dnssec/ipa-dnskeysync-replica | 6 ++
 daemons/dnssec/ipa-ods-exporter   | 6 ++
 2 files changed, 4 insertions(+), 8 deletions(-)

diff --git a/daemons/dnssec/ipa-dnskeysync-replica b/daemons/dnssec/ipa-dnskeysync-replica
index 77b962414e8754779f8655064031da454856ae14..b6f4be5ec449e2167be8ec3ef12ad24977985f43 100755
--- a/daemons/dnssec/ipa-dnskeysync-replica
+++ b/daemons/dnssec/ipa-dnskeysync-replica
@@ -28,7 +28,6 @@ from ipapython.dn import DN
 from ipapython.ipa_log_manager import root_logger, standard_logging_setup
 from ipapython import ipaldap
 from ipapython import ipautil
-from ipaserver.plugins.ldap2 import ldap2
 from ipaplatform.paths import paths
 
 from ipapython.dnssec.abshsm import sync_pkcs11_metadata, ldap2p11helper_api_params, wrappingmech_name2id
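Review bot: with `from ipaserver.plugins.ldap2 import ldap2` dropped here, confirm no reference to `ldap2` survives in this daemon other than the `ipalib.api.Backend[ldap2]` line this patch replaces; the hunk shows `from ipapython import ipaldap` already in place two lines up, so the replacement needs no new import.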
@@ -154,10 +153,9 @@ os.environ['KRB5CCNAME'] = ccache_filename
 log.debug('Got TGT')
 
 # LDAP initialization
-ldap = ipalib.api.Backend[ldap2]
-# fixme
+ldap = ipaldap.LDAPClient(ipalib.api.env.ldap_uri)
 log.debug('Connecting to LDAP')
-ldap.connect(ccache=ccache_filename)
+ldap.gssapi_bind()
 log.debug('Connected')
 
 
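Review bot: the explicit `ccache=ccache_filename` argument disappears and `ldap.gssapi_bind()` now depends on `KRB5CCNAME`, which the hunk header shows is exported just above (`os.environ['KRB5CCNAME'] = ccache_filename`); a one-line comment saying the bind takes its credential cache from the environment would stop the next reader from putting the `# fixme` back. Also worth confirming that `ipaldap.LDAPClient(ipalib.api.env.ldap_uri)` with only the URI gives the same connection setup the ldap2 backend provided, since the commit message only claims that the internal limits search is avoided.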
diff --git a/daemons/dnssec/ipa-ods-exporter b/daemons/dnssec/ipa-ods-exporter
index c8d7dbeee2879548793677652c208b7979c88197..b90157c4e271098ae42fb3e02a01fa910ec373fc 100755
--- a/daemons/dnssec/ipa-ods-exporter
+++ b/daemons/dnssec/ipa-ods-exporter
@@ -38,7 +38,6 @@ from ipapython.dn import DN
 from ipapython.ipa_log_manager import root_logger, standard_logging_setup
 from ipapython import ipaldap
 from ipapython import ipautil
-from ipaserver.plugins.ldap2 import ldap2
 from ipaplatform.paths import paths
 
 from ipapython.dnssec.abshsm import sync_pkcs11_metadata, wrappingmech_name2id
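Review bot: same import removal as in ipa-dnskeysync-replica; check that nothing else in ipa-ods-exporter still names `ldap2` once this and the hunk below are applied.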
@@ -503,10 +502,9 @@ log.debug('Got TGT')
 
 # LDAP initialization
 dns_dn = DN(ipalib.api.env.container_dns, ipalib.api.env.basedn)
-ldap = ipalib.api.Backend[ldap2]
-# fixme
+ldap = ipaldap.LDAPClient(ipalib.api.env.ldap_uri)
 log.debug('Connecting to LDAP')
-ldap.connect(ccache=ccache_name)
+ldap.gssapi_bind()
 log.debug('Connected')
 
 
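Review bot: unlike the sibling daemon, this hunk's context does not show `KRB5CCNAME` being exported before `ldap.gssapi_bind()`; the replaced call passed `ccache=ccache_name` explicitly, so verify that `os.environ['KRB5CCNAME']` is set to `ccache_name` earlier in ipa-ods-exporter, otherwise the GSSAPI bind will use whatever cache the process environment happens to point at.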
-- 
2.4.3


[Freeipa-devel] [PATCH 0006-0010] Low hanging fruit for #5343 -- platform abstractions

2015-10-06 Thread Timo Aaltonen

Hi

  So here's the first batch of quick patches for ticket #5343. They're
only compile-tested so far (so no stupid mistakes I hope), as I don't
have 4.2+ working yet. Wonder how the quotes in the last patch work, but
at least make-lint didn't laugh too hard..

-- 
t
From 15b30829c53a7e02ddc997c17559d755b751c9d6 Mon Sep 17 00:00:00 2001
From: Timo Aaltonen 
Date: Tue, 6 Oct 2015 16:02:37 +0300
Subject: [PATCH 1/2] ipaplatform: Add HTTPD_USER to constants

https://fedorahosted.org/freeipa/ticket/5343
---
 ipaplatform/base/constants.py   |  1 +
 ipaserver/install/cainstance.py |  3 ++-
 ipaserver/install/certs.py  |  3 ++-
 ipaserver/install/httpinstance.py   | 11 ++-
 ipaserver/install/ipa_server_certinstall.py |  3 ++-
 5 files changed, 13 insertions(+), 8 deletions(-)

diff --git a/ipaplatform/base/constants.py b/ipaplatform/base/constants.py
index cef829e2d3886db00ae6d0299ddcf325d1add80e..3f78822f99d9fbe815901301f4e6855105e73eea 100644
--- a/ipaplatform/base/constants.py
+++ b/ipaplatform/base/constants.py
@@ -8,4 +8,5 @@ This base platform module exports platform dependant constants.
 
 
 class BaseConstantsNamespace(object):
+HTTPD_USER = "apache"
 IPA_DNS_PACKAGE_NAME = "freeipa-server-dns"
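Review bot: the base value `HTTPD_USER = "apache"` is the Fedora/RHEL account name; since ticket #5343 is about Debian support, the Debian platform's constants namespace will have to override it, and a short comment in the base class saying the value is per-platform would make that expectation explicit for whoever adds that module.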
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index c4788816ab702e9409c9bc44a91fcbd95dce018d..6deaef57c025cb55da9fcaf7620a54565f6701c7 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -48,6 +48,7 @@ from ipalib import pkcs10, x509
 from ipalib import errors
 
 from ipaplatform import services
+from ipaplatform.constants import constants
 from ipaplatform.paths import paths
 from ipaplatform.tasks import tasks
 
@@ -1103,7 +1104,7 @@ class CAInstance(DogtagInstance):
 os.chmod(self.ra_agent_db + "/key3.db", 0o640)
 os.chmod(self.ra_agent_db + "/secmod.db", 0o640)
 
-pent = pwd.getpwnam("apache")
+pent = pwd.getpwnam(constants.HTTPD_USER)
 os.chown(self.ra_agent_db + "/cert8.db", 0, pent.pw_gid )
 os.chown(self.ra_agent_db + "/key3.db", 0, pent.pw_gid )
 os.chown(self.ra_agent_db + "/secmod.db", 0, pent.pw_gid )
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 3e07ee398fa47beb02f54940a0246d58ae2267ae..d85344ede993840845af63c377525699425a9382 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -42,6 +42,7 @@ from ipalib import pkcs10, x509, api
 from ipalib.errors import CertificateOperationError
 from ipalib.text import _
 from ipaplatform import services
+from ipaplatform.constants import constants
 from ipaplatform.paths import paths
 
 # Apache needs access to this database so we need to create it
@@ -519,7 +520,7 @@ class CertDB(object):
 f.close()
 pwdfile.close()
 # TODO: replace explicit uid by a platform-specific one
-self.set_perms(self.pwd_conf, uid="apache")
+self.set_perms(self.pwd_conf, uid=constants.HTTPD_USER)
 
 def find_root_cert(self, nickname):
 """
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index ee4853a3f9a8a42bd050fd8b208fc2419c323512..a7fdfb1a21a8c62f57503cfaca68b30e4f26244f 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -41,6 +41,7 @@ import ipapython.errors
 from ipaserver.install import sysupgrade
 from ipalib import api
 from ipalib import errors
+from ipaplatform.constants import constants
 from ipaplatform.tasks import tasks
 from ipaplatform.paths import paths
 from ipaplatform import services
@@ -52,7 +53,7 @@ SELINUX_BOOLEAN_SETTINGS = dict(
 )
 
 KDCPROXY_USER = 'kdcproxy'
-
+HTTPD_USER = constants.HTTPD_USER
 
 def httpd_443_configured():
 """
@@ -188,14 +189,14 @@ class HTTPInstance(service.Service):
 self.move_service(self.principal)
 self.add_cert_to_service()
 
-pent = pwd.getpwnam("apache")
+pent = pwd.getpwnam(HTTPD_USER)
 os.chown(paths.IPA_KEYTAB, pent.pw_uid, pent.pw_gid)
 
 def remove_httpd_ccache(self):
 # Clean up existing ccache
 # Make sure that empty env is passed to avoid passing KRB5CCNAME from
 # current env
-ipautil.run(['kdestroy', '-A'], runas='apache', raiseonerr=False, env={})
+ipautil.run(['kdestroy', '-A'], runas=HTTPD_USER, raiseonerr=False, env={})
 
 def __configure_http(self):
 target_fname = paths.HTTPD_IPA_CONF
@@ -324,7 +325,7 @@ class HTTPInstance(service.Service):
 os.chmod(certs.NSS_DIR + "/secmod.db", 0o660)
 os.chmod(certs.NSS_DIR + "/pwdfile.txt", 0o660)
 
-pent = pwd.getpwnam("apache")
+pent = pwd.getpwnam(HTTPD_USER)
 os.chown(certs.NSS_DIR + "/cert8.db", 0, pent.pw_gid )
 os.chown(certs.NSS_DIR + "/key3.db", 0, pent.pw_gid )
 os.chown(certs.NSS_DIR + "/secmod.db", 0, pent.pw_gid )
@@ -493,7 

Re: [Freeipa-devel] [PATCHES] More Python 3 porting

2015-10-06 Thread Petr Viktorin
On 10/05/2015 07:56 AM, Jan Cholasta wrote:
> On 2.10.2015 13:09, Petr Viktorin wrote:
>> On 10/01/2015 03:15 PM, Jan Cholasta wrote:
>>> Hi,
>>>
>>> On 1.10.2015 13:01, Martin Basti wrote:


 On 09/30/2015 10:25 AM, Petr Viktorin wrote:
> On 09/23/2015 04:46 PM, Petr Viktorin wrote:
>> On 09/22/2015 02:59 PM, David Kupka wrote:
>>> On 18/09/15 17:00, Petr Viktorin wrote:
 Hello,
 Here are more patches that bring IPA closer to Python 3
 compatibility.
>> [...]
>
 LGTM

 I ran xmlrpc tests, DNSSEC ci tests, backup and restore CI test and
 everything works
>>>
>>> Patches 713-719: ACK
>>>
>>>
>>> Patch 720:
>>>
>>> You missed:
>>>
>>> ipa-client/ipa-install/ipa-client-install:32:from ConfigParser
>>> import RawConfigParser
>>
>>
>> Thanks, fixed.
>>
>>> Patches 721-722: ACK
>>>
>>>
>>> Patch 723:
>>>
>>> Why the "NoneType = type(None)" in parameters.py? It is used only at:
>>>
>>> ipalib/parameters.py:388:type = NoneType  # Ouch, this wont be very
>>> useful in the real world!
>>
>> I believe this is less confusing than `type = type(None)`, but I can
>> change that if needed.
> 
> I don't care which one is used TBH, just that it is done consistently
> across the whole patch, and this seemed like the simpler thing to do.

OK, changed.


>>> Patch 724:
>>>
>>> The SSHPublicKey class was written with the assumption that "str" means
>>> binary data, so unless I'm missing something, you only need to replace
>>> "str" with "bytes".
>>
>> It specifically did take non-binary data as str:
>>
>> -if isinstance(key, str) and key[:3] != '\0\0\0':
>> -key = key.decode(encoding)
> 
> I don't follow, this is quite obviously binary data. It reads: "If key
> is binary and does not start with 3 null bytes, decode it to text using
> the specified encoding."

Sorry, I meant binary data.

>> I've removed this for Python 3, where text data shouldn't be in bytes.
>>
>> Since this means the '\0\0\0' check is skipped in __init__ under Python
>> 3, I've added it also to _parse_raw.
> 
> When the SSH integration feature was first introduced, SSH public keys
> were stored in the raw binary form in LDAP, i.e. not text data. We still
> need to support that, so support for binary data and the 3 null check
> must remain in SSHPublicKey.
> 
>>
>> It's not necessary to dispatch to "_parse_raw" or "_parse_base64 or
>> _parse_openssh" based on type, but I believe this makes the control flow
>> clearer to follow.
>>
>>> Patch 725: ACK
>>
>>
> 
> 


-- 
Petr Viktorin

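The Patch 724 exchange above turns on one detail of the SSH key wire format: a raw RFC 4253 public key blob begins with the 4-byte length of the key-type name, so its first three bytes are always NUL, which is what the `key[:3] != '\0\0\0'` test distinguishes from text that merely arrived as bytes (the raw binary form stored in LDAP by the first SSH integration). The Python below is an added example, not FreeIPA's `SSHPublicKey` class: it accepts raw bytes, text-as-bytes or `str`, dispatches to raw, base64 or OpenSSH one-line parsing the way the discussion describes, and checks field lengths so a truncated blob is rejected rather than silently misread. The sample blob is constructed with a toy modulus and is not a real key; all function names are my own.

```python
import base64
import binascii
import struct

# Wire format (RFC 4253, section 6.6): every field is a 4-byte big-endian
# length followed by that many payload bytes.


def _encode_field(payload):
    return struct.pack('>I', len(payload)) + payload


def _read_field(blob, offset):
    """Return (payload, new_offset) for the length-prefixed field at offset."""
    if offset + 4 > len(blob):
        raise ValueError('truncated length prefix at offset %d' % offset)
    (length,) = struct.unpack_from('>I', blob, offset)
    offset += 4
    if offset + length > len(blob):
        raise ValueError('field at offset %d runs past end of blob' % offset)
    return blob[offset:offset + length], offset + length


def _mpint(value):
    """Encode a non-negative integer as an SSH mpint field."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, 'big')
    return _encode_field(raw)


def _parse_raw(blob):
    # The blob opens with the length of the key-type name ("ssh-rsa" is 7
    # bytes) and no key-type name approaches 2**24 bytes, so a raw blob
    # always starts with three NUL bytes: the '\0\0\0' test from the thread.
    if blob[:3] != b'\0\0\0':
        raise ValueError('not a raw SSH public key blob')
    key_type, offset = _read_field(blob, 0)
    fields = []
    while offset < len(blob):
        field, offset = _read_field(blob, offset)
        fields.append(field)
    return key_type.decode('ascii'), blob, fields


def _parse_base64(text):
    try:
        blob = base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError('invalid base64 key data') from exc
    return _parse_raw(blob)


def _parse_openssh(text):
    # authorized_keys line: "<type> <base64 blob> [comment]"
    parts = text.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    declared_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ''
    key_type, blob, fields = _parse_base64(b64)
    if key_type != declared_type:
        raise ValueError('declared type %r does not match blob type %r'
                         % (declared_type, key_type))
    return key_type, blob, fields, comment


def parse_ssh_public_key(key, encoding='utf-8'):
    """Accept raw bytes, text-as-bytes or str; return (type, blob, fields, comment)."""
    if isinstance(key, bytes):
        if key[:3] == b'\0\0\0':
            key_type, blob, fields = _parse_raw(key)
            return key_type, blob, fields, ''
        # Bytes without the NUL prefix are text that arrived as bytes
        # (e.g. an LDAP attribute value); decode, then dispatch on the text.
        key = key.decode(encoding)
    if not isinstance(key, str):
        raise TypeError('key must be bytes or str, not %s' % type(key).__name__)
    key = key.strip()
    if ' ' in key:
        return _parse_openssh(key)
    key_type, blob, fields = _parse_base64(key)
    return key_type, blob, fields, ''


def to_openssh(key_type, blob, comment=''):
    line = key_type + ' ' + base64.b64encode(blob).decode('ascii')
    return line + ' ' + comment if comment else line


def rejects(key):
    """True if parse_ssh_public_key refuses the input (used for the checks)."""
    try:
        parse_ssh_public_key(key)
    except (ValueError, TypeError):
        return True
    return False


# Constructed sample: an RSA-shaped blob with a toy modulus, not a real key.
SAMPLE_BLOB = (_encode_field(b'ssh-rsa') + _mpint(65537)
               + _mpint(0xC0FFEE0123456789ABCDEF))
SAMPLE_BASE64 = base64.b64encode(SAMPLE_BLOB).decode('ascii')
SAMPLE_LINE = to_openssh('ssh-rsa', SAMPLE_BLOB, 'constructed@example.test')

if __name__ == '__main__':
    for sample in (SAMPLE_BLOB, SAMPLE_BASE64, SAMPLE_LINE, SAMPLE_LINE.encode()):
        key_type, blob, fields, comment = parse_ssh_public_key(sample)
        print(key_type, len(fields), repr(comment), blob == SAMPLE_BLOB)
```

Dispatching on the NUL prefix first and only then decoding keeps the raw-binary form working under both Python 2 and 3, which is the compatibility requirement raised in the thread; the length checks in `_read_field` are what turn a truncated or hand-edited blob into a clean `ValueError` instead of a confusing downstream failure.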


Re: [Freeipa-devel] [PATCHES] More Python 3 porting

2015-10-06 Thread Petr Viktorin
Please ignore that mail, I sent an unfinished draft by mistake.

On 10/06/2015 12:02 PM, Petr Viktorin wrote:
[...]
> 
> OK, changed.
> 
> 
 Patch 724:

 The SSHPublicKey class was written with the assumption that "str" means
 binary data, so unless I'm missing something, you only need to replace
 "str" with "bytes".
>>>
>>> It specifically did take non-binary data as str:
>>>
>>> -if isinstance(key, str) and key[:3] != '\0\0\0':
>>> -key = key.decode(encoding)
>>
>> I don't follow, this is quite obviously binary data. It reads: "If key
>> is binary and does not start with 3 null bytes, decode it to text using
>> the specified encoding."
> 
> Sorry, I meant binary data.
> 




-- 
Petr Viktorin



Re: [Freeipa-devel] [PATCHES 0069-0077] support for proper Kerberos principal canonicalization

2015-10-06 Thread Simo Sorce

On 06/10/15 03:51, thierry bordaz wrote:

On 10/06/2015 07:19 AM, David Kupka wrote:

On 05/10/15 16:12, Simo Sorce wrote:

On 05/10/15 09:00, Martin Babinsky wrote:

These patches implement the plumbing required to properly support
canonicalization of Kerberos principals (
https://fedorahosted.org/freeipa/ticket/3864).

Setting multiple principal aliases on hosts/services is beyond the
scope
of this patchset and should be done after these patches are pushed.

I will try to send some tests for the patches later this week.

Please review the hell out of them.


LGTM, I do not see any issue at quick visual inspection.
What about the performance regression with the indexes ? Is that bug
fixed in 389ds ?

Simo.




The issue is still there. Thierry investigated this in 389 DS and IIUC
he is not sure if it's a bug or a completely missing feature. Therefore we
still don't know how much time is needed there.


Hi,
that is correct.
I can reproduce the problem. Although the matching rule (in my test
caseIgnoreIA5Match) is found, it has no registered indexing function, so
the setting (nsMatchingRule) is ignored.
I do not know if the indexing function is missing or there is a bug so
that the matching rule "forget" to register it.
This feature is documented but I can not find any QA test around it, so
I do not know yet if it is a regression or if it was not enabled at all.

I do not expect rapid progress on it. How urgent is it ? 7.3 ?
For the moment I can think of only two workarounds:

  * use filtered matching rule (preferred)
  * change the attribute syntax/matching rule, in the schema (I would
discourage this one because changing the schema is risky)


We can't change the syntax at this point.

Well this patchset is blocked until the 389 ds bug is fixed (the 
performance regression is too big to just put it in and hope) so I guess 
we'll have to negotiate a time for the fix.


Simo.

--
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-devel] [PATCHES 0069-0077] support for proper Kerberos principal canonicalization

2015-10-06 Thread David Kupka

On 06/10/15 13:35, Simo Sorce wrote:

On 06/10/15 03:51, thierry bordaz wrote:

On 10/06/2015 07:19 AM, David Kupka wrote:

On 05/10/15 16:12, Simo Sorce wrote:

On 05/10/15 09:00, Martin Babinsky wrote:

These patches implement the plumbing required to properly support
canonicalization of Kerberos principals (
https://fedorahosted.org/freeipa/ticket/3864).

Setting multiple principal aliases on hosts/services is beyond the
scope
of this patchset and should be done after these patches are pushed.

I will try to send some tests for the patches later this week.

Please review the hell out of them.


LGTM, I do not see any issue at quick visual inspection.
What about the performance regression with the indexes ? Is that bug
fixed in 389ds ?

Simo.




The issue is still there. Thierry investigated this in 389 DS and IIUC
he is not sure if it's a bug or a completely missing feature. Therefore we
still don't know how much time is needed there.


Hi,
that is correct.
I can reproduce the problem. Although the matching rule (in my test
caseIgnoreIA5Match) is found, it has no registered indexing function, so
the setting (nsMatchingRule) is ignored.
I do not know if the indexing function is missing or there is a bug so
that the matching rule "forget" to register it.
This feature is documented but I can not find any QA test around it, so
I do not know yet if it is a regression or if it was not enabled at all.

I do not expect rapid progress on it. How urgent is it ? 7.3 ?
For the moment I can think of only two workarounds:

  * use filtered matching rule (preferred)
  * change the attribute syntax/matching rule, in the schema (I would
discourage this one because changing the schema is risky)


We can't change the syntax at this point.

Well this patchset is blocked until the 389 ds bug is fixed (the
performance regression is too big to just put it in and hope) so I guess
we'll have to negotiate a time for the fix.

Simo.



I agree that we really shouldn't change schema.

But I don't think the patches are necessarily blocked by this issue.
Canonicalization was never supported in FreeIPA and when it is not
requested the performance is not affected at all. We could merge patches
as soon as they're carefully reviewed and tested to avoid tedious 
rebasing and start using the new functionality when 389 DS gets fixed.


--
David Kupka



[Freeipa-devel] [patch 0022] ipatests: remove the ipatests specific config from ipaplatform

2015-10-06 Thread Milan Kubík

To keep the test specific configuration in the ipatest package.

Patch attached.

--
Milan Kubik

From 49701f9775e59bd19bc62295af6ed332f1aa054b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Milan=20Kub=C3=ADk?= 
Date: Tue, 6 Oct 2015 14:55:49 +0200
Subject: [PATCH] ipatests: remove the ipatests specific config from
 ipaplatform

Move the test only configuration for Network Manager entirely
into ipatests part of the tree.
---
 ipaplatform/base/paths.py   |  1 -
 ipatests/test_integration/env_config.py |  1 +
 ipatests/test_integration/tasks.py  | 11 ---
 3 files changed, 5 insertions(+), 8 deletions(-)

diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index a272143d0053451c017c0df613951cc0e6d52c54..3292cbfdcfde7c96bc4b4d241e5aa8c20534d602 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -354,6 +354,5 @@ class BasePathNamespace(object):
 DB2BAK = '/usr/sbin/db2bak'
 KDCPROXY_CONFIG = '/etc/ipa/kdcproxy/kdcproxy.conf'
 CERTMONGER = '/usr/sbin/certmonger'
-NETWORK_MANAGER_CONFIG_DIR = '/etc/NetworkManager/conf.d'
 
 path_namespace = BasePathNamespace
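Review bot: `NETWORK_MANAGER_CONFIG_DIR` is removed from the base namespace only; check that no platform-specific paths module overrides it and that nothing outside ipatests reads it, since the diff stat lists just these three files.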
diff --git a/ipatests/test_integration/env_config.py b/ipatests/test_integration/env_config.py
index d16a3430d04968575583b84a945db4bc7f7b0e93..5c6fd4f7ef0366135ae5ee47e56e668513109fcf 100644
--- a/ipatests/test_integration/env_config.py
+++ b/ipatests/test_integration/env_config.py
@@ -33,6 +33,7 @@ from ipatests.test_integration.config import Config, Domain
 
 TESTHOST_PREFIX = 'TESTHOST_'
 
+IPATEST_NETWORK_MANAGER_CONFIG = '/etc/NetworkManager/conf.d/20-ipatest-unmanaged-resolv.conf'
 
 _SettingInfo = collections.namedtuple('Setting', 'name var_name default')
 _setting_infos = (
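Review bot: `IPATEST_NETWORK_MANAGER_CONFIG = '/etc/NetworkManager/conf.d/20-ipatest-unmanaged-resolv.conf'` runs well past 79 columns; split the directory from the file name or wrap the string. The constant also lands in env_config.py, which otherwise describes test-environment settings, while its only users are the two functions in tasks.py, so consider defining it there instead.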
diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py
index c9ecf2645183d5f368694d3446ddf2853de22a2a..355b38992616e364b959ba381c03015046edbda2 100644
--- a/ipatests/test_integration/tasks.py
+++ b/ipatests/test_integration/tasks.py
@@ -35,14 +35,13 @@ from ipaplatform.paths import paths
 from ipapython.dn import DN
 from ipapython.ipa_log_manager import log_mgr
 from ipatests.test_integration import util
-from ipatests.test_integration.env_config import env_to_script
+from ipatests.test_integration.env_config import (
+env_to_script, IPATEST_NETWORK_MANAGER_CONFIG)
 from ipatests.test_integration.host import Host
 from ipalib.util import get_reverse_zone_default
 
 log = log_mgr.get_logger(__name__)
 
-IPATEST_NM_CONFIG = '20-ipatest-unmanaged-resolv.conf'
-
 
 def prepare_reverse_zone(host, ip):
 zone = get_reverse_zone_default(ip)
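Review bot: with the `os.path.join(paths.NETWORK_MANAGER_CONFIG_DIR, ...)` calls gone from this module, check whether `os` and `paths` (still imported, per the hunk header `from ipaplatform.paths import paths`) have any remaining users in tasks.py; if not, drop the now-unused imports in this same hunk.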
@@ -125,9 +124,8 @@ def modify_nm_resolv_conf_settings(host):
 return
 
 config = "[main]\ndns=none\n"
-path = os.path.join(paths.NETWORK_MANAGER_CONFIG_DIR, IPATEST_NM_CONFIG)
 
-host.put_file_contents(path, config)
+host.put_file_contents(IPATEST_NETWORK_MANAGER_CONFIG, config)
 host.run_command(['systemctl', 'restart', 'NetworkManager'],
  raiseonerr=False)
 
@@ -136,8 +134,7 @@ def undo_nm_resolv_conf_settings(host):
 if not host_service_active(host, 'NetworkManager'):
 return
 
-path = os.path.join(paths.NETWORK_MANAGER_CONFIG_DIR, IPATEST_NM_CONFIG)
-host.run_command(['rm', '-f', path], raiseonerr=False)
+host.run_command(['rm', '-f', IPATEST_NETWORK_MANAGER_CONFIG], raiseonerr=False)
 host.run_command(['systemctl', 'restart', 'NetworkManager'],
  raiseonerr=False)
 
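Review bot: `host.run_command(['rm', '-f', IPATEST_NETWORK_MANAGER_CONFIG], raiseonerr=False)` exceeds 79 columns; wrap it the way the `systemctl restart` call below it is wrapped.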
-- 
2.6.1

From 52294d1ec92c4e8340273891b761bef9c22c65ed Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Milan=20Kub=C3=ADk?= 
Date: Tue, 6 Oct 2015 14:55:49 +0200
Subject: [PATCH] ipatests: remove the ipatests specific config from
 ipaplatform

Move the test only configuration for Network Manager entirely
into ipatests part of the tree.
---
 ipaplatform/base/paths.py   |  1 -
 ipatests/test_integration/env_config.py |  1 +
 ipatests/test_integration/tasks.py  | 11 ---
 3 files changed, 5 insertions(+), 8 deletions(-)

diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 0d2c4c17769ef643ba2d6c9991d910cf6e00858d..d2fcd8c708c08069f469beb332bfc1b793a8e903 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -355,6 +355,5 @@ class BasePathNamespace(object):
 DB2BAK = '/usr/sbin/db2bak'
 KDCPROXY_CONFIG = '/etc/ipa/kdcproxy/kdcproxy.conf'
 CERTMONGER = '/usr/sbin/certmonger'
-NETWORK_MANAGER_CONFIG_DIR = '/etc/NetworkManager/conf.d'
 
 path_namespace = BasePathNamespace
diff --git a/ipatests/test_integration/env_config.py b/ipatests/test_integration/env_config.py
index 96062bef30ec067faa644dc060af8531f5e899c9..82e412d39e41bd273ec8ae9c43481e93ba6e050e 100644
--- a/ipatests/test_integration/env_config.py
+++ b/ipatests/test_integration/env_config.py
@@ -35,6 +35,7 @@ from ipatests.test_integration.config import Config, Domain
 
 TESTHOST_PREFIX = 'TESTHOST_'
 

Re: [Freeipa-devel] [PATCHES 0069-0077] support for proper Kerberos principal canonicalization

2015-10-06 Thread Simo Sorce

On 06/10/15 08:04, David Kupka wrote:

On 06/10/15 13:35, Simo Sorce wrote:

On 06/10/15 03:51, thierry bordaz wrote:

On 10/06/2015 07:19 AM, David Kupka wrote:

On 05/10/15 16:12, Simo Sorce wrote:

On 05/10/15 09:00, Martin Babinsky wrote:

These patches implement the plumbing required to properly support
canonicalization of Kerberos principals (
https://fedorahosted.org/freeipa/ticket/3864).

Setting multiple principal aliases on hosts/services is beyond the
scope
of this patchset and should be done after these patches are pushed.

I will try to send some tests for the patches later this week.

Please review the hell out of them.


LGTM, I do not see any issue at quick visual inspection.
What about the performance regression with the indexes? Is that bug
fixed in 389ds?

Simo.




The issue is still there. Thierry investigated this in 389 DS and IIUC
he is not sure if it's bug or completely missing feature. Therefore we
still don't know how much time is needed there.


Hi,
that is correct.
I can reproduce the problem. Although the matching rule (in my test,
caseIgnoreIA5Match) is found, it has no registered indexing function, so
the setting (nsMatchingRule) is ignored.
I do not know if the indexing function is missing or there is a bug so
that the matching rule "forgets" to register it.
This feature is documented but I can not find any QA test around it, so
I do not know yet if it is a regression or if it was not enabled at all.

I do not expect rapid progress on it. How urgent is it? 7.3?
For the moment I can think of only two workarounds:

  * use filtered matching rule (preferred)
  * change the attribute syntax/matching rule, in the schema (I would
discourage this one because changing the schema is risky)


We can't change the syntax at this point.

Well this patchset is blocked until the 389 ds bug is fixed (the
performance regression is too big to just put it in and hope) so I guess
we'll have to negotiate a time for the fix.

Simo.



I agree that we really shouldn't change schema.

But I don't think the patches are necessarily blocked by this issue.
Canonicalization was never supported in FreeIPA and when it is not
requested the performance is not affected at all. We could merge patches
as soon as they're carefully reviewed and tested to avoid tedious
rebasing and start using the new functionality when 389 DS gets fixed.


The fact we didn't do canonicalization this way doesn't mean clients 
aren't asking for it.


I think Windows clients ask for canonicalization by default, and in SSSD 
I see we turn on by default krb5_canonicalize in the IPA and LDAP case 
(oddly enough not in the AD case?)


So SSSD's authentication requests would end up hitting this case all the 
time if I am reading the code correctly (CCed Jakub to confirm/dispel this).


Simo.

--
Simo Sorce * Red Hat, Inc * New York

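Thierry's finding above (nsMatchingRule ignored because the matching rule has no indexing function registered) shows up operationally as unindexed searches, which 389 DS marks with notes=U on the RESULT line of its access log. The block below is an added example, not FreeIPA or 389 DS code: it pairs SRCH and RESULT records by (conn, op), lists the unindexed searches, and calls out those whose filter uses an extensible-match assertion of the form (attr:rule:=value), which is the shape a case-insensitive principal lookup takes. The log lines are constructed for the demo, and the regexes assume the 389 DS access-log field layout shown in them.

```python
"""Flag unindexed 389 DS searches in an access log (added example, not FreeIPA code)."""
import re

# Field layout follows the 389 DS access log; 'notes=' only appears when the
# server has something to flag, and 'U' means the search ran unindexed.
SRCH_RE = re.compile(
    r'conn=(?P<conn>\d+) op=(?P<op>\d+) SRCH base="(?P<base>[^"]*)" '
    r'scope=(?P<scope>\d) filter="(?P<filter>[^"]*)"'
)
RESULT_RE = re.compile(
    r'conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT err=(?P<err>\d+) tag=\d+ '
    r'nentries=(?P<nentries>\d+) etime=(?P<etime>[\d.]+)(?: notes=(?P<notes>[A-Z,]+))?'
)
# An extensible-match assertion looks like (attr:matchingRule:=value).
EXTENSIBLE_RE = re.compile(r'\([^()=:]+:[A-Za-z0-9.]+:=')

# Constructed sample lines in 389 DS access-log format; not taken from any real server.
SAMPLE_LOG = """\
[06/Oct/2015:13:22:33 +0200] conn=12 op=3 SRCH base="cn=accounts,dc=example,dc=test" scope=2 filter="(krbPrincipalName=host/ipa-4.example.test@EXAMPLE.TEST)" attrs="krbPrincipalName"
[06/Oct/2015:13:22:33 +0200] conn=12 op=3 RESULT err=0 tag=101 nentries=1 etime=0
[06/Oct/2015:13:22:34 +0200] conn=12 op=4 SRCH base="cn=accounts,dc=example,dc=test" scope=2 filter="(krbPrincipalName:caseIgnoreIA5Match:=host/ipa-4.example.test@EXAMPLE.TEST)" attrs="krbPrincipalName"
[06/Oct/2015:13:22:36 +0200] conn=12 op=4 RESULT err=0 tag=101 nentries=1 etime=2 notes=U
[06/Oct/2015:13:22:36 +0200] conn=13 op=1 SRCH base="cn=users,cn=accounts,dc=example,dc=test" scope=1 filter="(uid=admin)" attrs="dn"
[06/Oct/2015:13:22:36 +0200] conn=13 op=1 RESULT err=0 tag=101 nentries=1 etime=0
"""


def parse_access_log(lines):
    """Pair SRCH and RESULT records by (conn, op); return the completed searches."""
    pending = {}
    searches = []
    for line in lines:
        m = SRCH_RE.search(line)
        if m:
            pending[(m["conn"], m["op"])] = {
                "conn": int(m["conn"]),
                "op": int(m["op"]),
                "base": m["base"],
                "scope": int(m["scope"]),
                "filter": m["filter"],
            }
            continue
        m = RESULT_RE.search(line)
        if m:
            srch = pending.pop((m["conn"], m["op"]), None)
            if srch is None:
                continue  # RESULT of a non-search op, or its SRCH line is missing
            srch["err"] = int(m["err"])
            srch["nentries"] = int(m["nentries"])
            srch["etime"] = float(m["etime"])
            srch["notes"] = m["notes"].split(",") if m["notes"] else []
            searches.append(srch)
    return searches


def unindexed_searches(searches):
    """Searches the server flagged as unindexed (notes=U)."""
    return [s for s in searches if "U" in s["notes"]]


def uses_extensible_match(ldap_filter):
    """True when the filter contains an (attr:rule:=value) assertion."""
    return EXTENSIBLE_RE.search(ldap_filter) is not None


def report(lines):
    """Summarise unindexed searches; extensible-match filters are the ones the
    canonicalization lookup would produce, so they are listed separately."""
    unindexed = unindexed_searches(parse_access_log(lines))
    return {
        "unindexed": len(unindexed),
        "extensible_unindexed": [s["filter"] for s in unindexed
                                 if uses_extensible_match(s["filter"])],
        "max_etime": max((s["etime"] for s in unindexed), default=0.0),
    }


if __name__ == "__main__":
    summary = report(SAMPLE_LOG.splitlines())
    print("unindexed searches:", summary["unindexed"])
    for flt in summary["extensible_unindexed"]:
        print("  extensible-match filter ran unindexed:", flt)
    print("slowest unindexed etime:", summary["max_etime"])
```

Run it against a real /var/log/dirsrv/slapd-INSTANCE/access after exercising the canonicalizing lookup; if the extensible-match filters come back in the unindexed list while the plain equality filter does not, the index definition is being ignored exactly as described above, regardless of what nsMatchingRule says.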


Re: [Freeipa-devel] [patch 0022] ipatests: remove the ipatests specific config from ipaplatform

2015-10-06 Thread Milan Kubík

On 10/06/2015 03:01 PM, Milan Kubík wrote:

To keep the test specific configuration in the ipatest package.

Patch attached.




Self NACK. This is not necessary in upstream.

--
Milan Kubik


Re: [Freeipa-devel] Remaining issues before adding Debian platform support

2015-10-06 Thread Tomas Babej


On 10/05/2015 07:00 PM, Martin Basti wrote:
> 
> 
> On 10/05/2015 05:00 PM, Timo Aaltonen wrote:
>> Hi
>>
>> I'm not sure if the goal is to be able to build IPA on Debian from
>> git/tarballs, but here's a list of what would need to be fixed first to
>> get there:
>>
>> - places where usernames have been hardcoded need something like
>> ipaplatform/base/paths.py:
>>apache -> www-data in:
>>* ipaserver/install/httpinstance.py
>>* ipaserver/install/ipa_server_certinstall.py
>>* ipaserver/install/cainstance.py
>>* ipaserver/install/certs.py
> this can be extracted to ipaplatform/base/constants.py
> 

Yes, constants.py can be leveraged for this purpose. We added it not
that long ago, so you may have missed it.

Task left here is to actually abstract those values.

>>named -> bind in:
>>* ipaserver/install/bindinstance.py
> this is quite tricky,
> for named_user the right location is to ipaplatform/base/constants.py
> 
> for service, you can look in ipaplatform/redhat/services.py there is
> already mapping named to named.pkcs11, we can do something similar in
> debian platform specification, debian_system_units['named'] =
> 'bind.service'

Correct. Debian should define its own services.py where the name of the
service can be overridden.

> However if you want to replace named with bind completely, it requires
> much more changes.
> 

Martin, what is the effort necessary here?

>>
>> - config/service files that use hardcoded paths in them need to be moved
>> to a template, and use paths.py macros:
>>* install/conf/ipa.conf
>>* init/systemd/ipa_memcached.service
>>
>> - same but with hardcoded usernames
>>* init/ipa_memcached.conf
> A discussion with other developer is needed how to resolve these files

Converting to templates sounds reasonable to me. We already have
machinery to do this (ipautil.template_file), so this is a
straightforward change.

>>
>> - ipaserver/install/httpinstance.py needs to run "a2enmod/a2dismod nss"
>> because libapache2-mod-nss doesn't enable it on install (can't remember
>> why, but there was a good reason..)
> We did installer changes, Honza may know if this is possible.

This may be a step which calls out to a platform task - by default, this
would be an empty operation, on Debian, it would run whatever pre-setup
steps needed.

I wonder if we should generalize this, but probably not before a need
arises.

>>
>> - various places using Fedora-specific libpaths (/usr/lib vs.
>> /usr/lib64), whereas on Debian these are /usr/lib/, see
>> https://wiki.debian.org/Multiarch/Tuples
> I might be wrong, but I found different issues:
>>* ipaserver/install/ldapupdate.py
> this affects update files, and the same issue is for ldif files
> We can replace path '/var/lib(64)' with substitute variable in those
> files, and create a platform specific method to determine the correct
> path, or just substitute with value from ipaplatform/base/paths
>>* ipapython/certmonger.py
>>* ipaserver/install/certs.py
>>* ipaserver/install/ipa_backup.py
>>* ipaserver/install/ipa_restore.py
> Here for libpath we can use ipaplatform task.py or path.py if it is enough
> The occurrences of /var/lib/ipa/backup should be in ipaplatform/paths

Constants or Paths namespace should handle this case.

>>
>> - ntp daemon defaults use a different variable name (OPTIONS vs
>> NTPD_OPTS), and quotes (" vs. ')
>>* ipaserver/install/ntpinstance.py
> IMO here also default pools should be excluded to constants as a list of
> ntp servers per platform.
> OPTIONS can be excluded to ipaplatform/constants.py
> Probably the " or ' issue can be handled in the same way

Constants can probably handle this, if not, a platform specific task can
be used.

>>
>> - "Include conf.d/ipa-rewrite.conf" in httpinstance.py needs to use an
>> absolute path with HTTPD_CONF_D, or HTTPD_CONF_D repurposed to only have
>> 'conf.d' on Fedora and then conf-enabled on Debian
> ok

Probably a full path should be used here.

>>
>> - install/share/bind.named.conf.template needs to drop the default zone
>> on Debian, since that's already configured via includes (-> bind fails
>> to start), so a template file with an exception for Debian would fix it
> The solution here can be augeas, but I'm not sure if we will be able to
> move to augeas soon enough.
> This is the same issue as with ipa.conf

We don't need to wait for augeas, just have a platform task (doing
nothing on Fedora) that will alter the named.conf file during its
generation.

>>
>> - Makefile needs to use --install-layout=deb for setup.py

I guess we can have a platform env variable for the Makefile?

>>
>> - ipa-client/ipa-install/ipa-client-automount needs to check for
>> variable named 'NEED_GSSD' on debian, so ipaplatform/base/vars.py? (same
>> for NTPD_OPTS)
> Leaving this for others.

It can be abstracted into a platform specific task.

>>
>>
>> There.. that should be all I think :) Oh, forgot that currently dnssec
>> needs to be 
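The items in the exchange above (usernames moved into a constants namespace, service names into a per-platform services map, config files rendered from $VAR templates the way ipautil.template_file does it, and a platform task that does nothing on Fedora and runs the extra step on Debian) all fit one small pattern. The block below is an added illustration, not FreeIPA's ipaplatform code: the class names, the redhat_system_units/debian_system_units dictionaries, the unit names, the NTP pool hostnames and the memcached template are assumptions made for the example, and string.Template stands in for ipautil.template_file.

```python
"""Platform-abstraction sketch for the Debian items above (added example, not ipaplatform code)."""
import string


# Hypothetical constants namespaces, modelled on the idea of
# ipaplatform/base/constants.py: the base carries the Fedora/RHEL values and a
# platform subclass overrides only what differs.
class BaseConstantsNamespace(object):
    HTTPD_USER = "apache"
    NAMED_USER = "named"
    NTPD_OPTS_VAR = "OPTIONS"       # variable name in the ntpd defaults file
    NTPD_OPTS_QUOTE = '"'
    NTP_POOLS = ("0.fedora.pool.ntp.org", "1.fedora.pool.ntp.org")  # illustrative


class DebianConstantsNamespace(BaseConstantsNamespace):
    HTTPD_USER = "www-data"
    NAMED_USER = "bind"
    NTPD_OPTS_VAR = "NTPD_OPTS"
    NTPD_OPTS_QUOTE = "'"
    NTP_POOLS = ("0.debian.pool.ntp.org", "1.debian.pool.ntp.org")  # illustrative


# Service-name maps in the spirit of ipaplatform/<platform>/services.py.
# Unit names are illustrative; 'bind.service' is the name used in the thread.
base_system_units = {"named": "named.service", "httpd": "httpd.service"}
redhat_system_units = dict(base_system_units, named="named-pkcs11.service")
debian_system_units = dict(base_system_units, named="bind.service", httpd="apache2.service")

PLATFORMS = {
    "redhat": (BaseConstantsNamespace, redhat_system_units),
    "debian": (DebianConstantsNamespace, debian_system_units),
}


def platform_constants(platform):
    """The constants namespace for a platform id (hypothetical selector)."""
    return PLATFORMS[platform][0]


def system_unit(platform, service):
    """Resolve a logical IPA service name such as 'named' to the platform's unit."""
    return PLATFORMS[platform][1][service]


def render_template(template, values):
    """$VAR substitution; string.Template stands in for ipautil.template_file here."""
    return string.Template(template).substitute(values)


def ntpd_options_line(platform, opts):
    """Variable name and quoting differ per platform (OPTIONS="..." vs NTPD_OPTS='...')."""
    c = platform_constants(platform)
    return "%s=%s%s%s" % (c.NTPD_OPTS_VAR, c.NTPD_OPTS_QUOTE, opts, c.NTPD_OPTS_QUOTE)


def httpd_pre_setup_commands(platform):
    """Platform task hook: a no-op on Fedora, 'a2enmod nss' on Debian."""
    if platform == "debian":
        return [["a2enmod", "nss"]]
    return []


# Illustrative stand-in for init/ipa_memcached.conf with the username templated out.
MEMCACHED_CONF_TEMPLATE = "USER=$HTTPD_USER\nMAXCONN=1024\nCACHESIZE=64\n"


def render_memcached_conf(platform):
    c = platform_constants(platform)
    return render_template(MEMCACHED_CONF_TEMPLATE, {"HTTPD_USER": c.HTTPD_USER})


if __name__ == "__main__":
    for p in ("redhat", "debian"):
        print(p, system_unit(p, "named"), ntpd_options_line(p, "-x -g"),
              httpd_pre_setup_commands(p))
        print(render_memcached_conf(p))
```

The point of keeping the overrides in one subclass plus one dictionary is that a new platform touches only those two places; the installer code that renders ipa_memcached.conf or writes the ntpd defaults never branches on the distribution name itself.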

Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-10-06 Thread Simo Sorce

On 06/10/15 11:06, Jan Pazdziora wrote:

On Mon, Oct 05, 2015 at 09:47:14AM -0400, Simo Sorce wrote:

On 05/10/15 09:42, Oleg Fayans wrote:

1. At one point ipa-replica-install on a configured client has thrown
the following error:

Configuring ipa-custodia
   [1/5]: Generating ipa-custodia config file
   [2/5]: Generating ipa-custodia keys
   [3/5]: Importing RA Key
   [error] HTTPError: 502 Server Error: Proxy Error
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR 502 Server
Error: Proxy Error

(corresponding part of the error log of dirsrv attached)


Seems like the peer server was unreachable?
Was there a networking problem?


I've hit the same issue, during demo today, on a third replica I was
creating. I was using four VMs on my laptop so no networking issue
should have caused that.

On the replica (being promoted), /var/log/ipareplica-install.log ends with

On the master, in the error_log, I see

[Tue Oct 06 13:22:33.196769 2015] [wsgi:error] [pid 10789] ipa: INFO: [jsonserver_session] ad...@example.test: service_add(u'HTTP/ipa-4.example.t...@example.test', version=u'2.112'): SUCCESS
[Tue Oct 06 13:22:39.231882 2015] [wsgi:error] [pid 10788] ipa: INFO: [xmlserver] host/ipa-4.example.t...@example.test: cert_request(u'[...]SDpbS6CSXm5X9Asvlo8iu0iRFrj/CUJAyPu+M7v+lfr3VwrKErycrczt5O4xgGPGfs0XODSlwQOG57SUyQyLXdyLPJtks/ah/LkfbCevew0cjhSnjEN7RpbV6Azh05vMyzF6J7NXlRLFzDDcz099Tug4Siuwsi/Y3AD0b+IR6I1ZOfLKzzzSEu+sC32JzaVythN3TbPqjeyGy/on3JsQTlznzn2LEVVoPioyF1oHyI7hG1OheTNjCoZXgfJUp1Ftct6YhsfhzglORcbmqDL00DdCU/789G5IworCCYo=', principal=u'HTTP/ipa-4.example.t...@example.test', add=True, version=u'2.51'): SUCCESS

[Tue Oct 06 13:22:47.652434 2015] [proxy_http:error] [pid 1394] (20014)Internal error: [client 192.168.100.229:49031] AH01102: error reading status line from remote server httpd-UDS:0
[Tue Oct 06 13:22:47.652476 2015] [proxy:error] [pid 1394] [client 192.168.100.229:49031] AH00898: Error reading from remote server returned by /ipa/keys/ra/ipaCert
[Tue Oct 06 13:24:31.017069 2015] [wsgi:error] [pid 10789] ipa: INFO: [jsonserver_kerb] ad...@example.test: ping(): SUCCESS


Was custodia running?
Can you check its log file?

Simo.

--
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-devel] [PATCH 0054] Update FreeIPA package description

2015-10-06 Thread Martin Basti



On 10/05/2015 09:55 AM, Petr Spacek wrote:

On 2.10.2015 14:32, Gabe Alford wrote:

Bump for review.

Sorry for delay. I like the new text, ACK.

Petr^2 Spacek


On Mon, Sep 21, 2015 at 9:37 AM, Gabe Alford  wrote:


Hello,

Fix for https://fedorahosted.org/freeipa/ticket/5284

Thanks,

Gabe

Patch needed a rebase; I did it before pushing.

Pushed to master: a6d9c40f14ef608946a88c86d8fe7c9793225e44
Pushed to ipa-4-2: 0667794ef65caab69bc6389f49b76ab7f37fae37


