Re: [Freeipa-devel] [PATCH] Workaround for trac N 5348
On 10/09/2015 09:15 AM, Jan Pazdziora wrote: > On Fri, Oct 09, 2015 at 09:01:46AM +0200, Milan Kubík wrote: >> >> Perhaps we could use pytest's expected fail (xfail) or skip marker. [1] It >> would prevent test from failing in the report and once the underlying issue >> is fixed, it will raise as an unexpected pass. >> >> It could be used as a temporary solution, once the issue is fixed, we would >> remove the mark from the test. This would probably need some workflow to be >> defined for these cases. > > That works but please note that this is not about test passing or > failing, this is about some extra steps needed in the test body to > achieve deterministic situation in which running that final check > makes sense. > > I can imagine that simple > > # workaround 5348 > time.sleep(20) > > and then some script which would find all these comments and compare > them to resolved tickets might be enough. > I like this idea the most. Keeping this information in Trac is not much practical. Having a note in the comment annotating the particular workaround, however, is quite neat. Imho we can start such convention. Keeping a keyword in a comment is not a heavy process. Also, I wouldn't be strict about it, as we already have a couple of workarounds, and not every time a workaround has a exact mapping to a particular ticket. Tomas -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] Workaround for trac N 5348
On Fri, Oct 09, 2015 at 10:31:32AM +0200, Tomas Babej wrote: > > a heavy process. Also, I wouldn't be strict about it, as we already have > a couple of workarounds, and not every time a workaround has a exact > mapping to a particular ticket. Frankly, this worries me much more than not having ticket for some trivial change to the code base. If there's workaround in tests, it's some action that we do but users/admins don't in their real setups. And that can cause failures for our users that we don't see or even no longer know about because in our tests, we've cleverly worked around them. Either that workaround step is needed and needs to be documented, or that step should not be needed and there should be a ticket describing the issue. -- Jan Pazdziora Senior Principal Software Engineer, Identity Management Engineering, Red Hat -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] Workaround for trac N 5348
On 9.10.2015 11:03, Jan Pazdziora wrote: > On Fri, Oct 09, 2015 at 10:31:32AM +0200, Tomas Babej wrote: >> >> a heavy process. Also, I wouldn't be strict about it, as we already have >> a couple of workarounds, and not every time a workaround has a exact >> mapping to a particular ticket. > > Frankly, this worries me much more than not having ticket for some > trivial change to the code base. > > If there's workaround in tests, it's some action that we do but > users/admins don't in their real setups. And that can cause failures > for our users that we don't see or even no longer know about because > in our tests, we've cleverly worked around them. > > Either that workaround step is needed and needs to be documented, or > that step should not be needed and there should be a ticket describing > the issue. +1 -- Petr^2 Spacek -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0078-0081] ipa-client-install autodiscovery code improvements
On 9.10.2015 09:14, Petr Spacek wrote: > On 8.10.2015 19:09, Martin Babinsky wrote: >> These patches fix https://fedorahosted.org/freeipa/ticket/4305 >> >> Actually only the last patch does the work itself (suppress autodiscovery >> when >> installing client on master), but when I saw the state of autodiscovery code >> I >> have taken the liberty to clean it up a bit. >> >> Patch #78 has separate versions for master and 4-2 branch, other patches >> should apply on top of it in both branches. > > Uh, I have to say that I'm not big fan of this patch. This will simply hide > fact that your DNS is terribly misconfigured and other things will fail later > on. To underline this point, this exercise will not be necessary when https://fedorahosted.org/freeipa/ticket/5087 is solved (some incomplete patches are on the list already) because the problem should be detected before installation even starts. Personally I would rather finish #5087 and do not spend more time on #4305. Petr^2 Spacek > Also, even if we decide that it is what we want, I'm not sure what are > implications for the master. Will it configure to use SSSD for auto-discovery > as a fallback (when services on local master are not running)? > > If not, what will happen when IPA is not running on that particular master? > Will the admin be able to log-in with IPA credentials? > > > Nitpicks: >> +if options.on_master: >> +set_ipa_domain_params(ds, options.server, options.domain, >> + options.realm_name, CACERT) > > It seems that set_ipa_domain_params should be class method of "ds" because it > touches only instance variables and nothing else:-- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] Workaround for trac N 5348
On Fri, Oct 09, 2015 at 09:01:46AM +0200, Milan Kubík wrote: > > Perhaps we could use pytest's expected fail (xfail) or skip marker. [1] It > would prevent test from failing in the report and once the underlying issue > is fixed, it will raise as an unexpected pass. > > It could be used as a temporary solution, once the issue is fixed, we would > remove the mark from the test. This would probably need some workflow to be > defined for these cases. That works but please note that this is not about test passing or failing, this is about some extra steps needed in the test body to achieve deterministic situation in which running that final check makes sense. I can imagine that simple # workaround 5348 time.sleep(20) and then some script which would find all these comments and compare them to resolved tickets might be enough. -- Jan Pazdziora Senior Principal Software Engineer, Identity Management Engineering, Red Hat -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] Workaround for trac N 5348
On 10/08/2015 02:50 PM, Martin Basti wrote: On 10/08/2015 02:39 PM, Martin Kosek wrote: On 10/08/2015 02:08 PM, Oleg Fayans wrote: Hi, On 10/08/2015 11:18 AM, Jan Pazdziora wrote: On Thu, Oct 08, 2015 at 11:12:37AM +0200, Oleg Fayans wrote: When the ticket is addressed and these workarounds are no longer needed -- what is our process for finding these workarounds and reverting them, so that the tests test the real, expected behaviour? As per discussion with Martin Basti, it was decided that this workaround will only be applied to the current 4-2 branch, not to the upstream. In That sounds like a reasonable plan for this issue. upstream the issue itself will (supposedly) be solved Except currently it's not, so (IIUIC) you will keep having nondeterministic failures in master. I was mostly interested in the general approach that we have to workarounds -- how do we track them, how do we make sure they don't stick in tests forever, even after the issue was already properly addressed. That's actually a great point. I personally would like tickets to have one more field: "workaround" containing the address of a workaround in the format "path_to_the_file:line_number" or better even - a commit id of this workaround, so that once the ticket is resolved, we could easily find what to reverse. Please don't add any more trac fields, there is too many of them already :-) Keyword may serve better for now... +1 new trac field for a few workarounds per year is not worth it. Perhaps we could use pytest's expected fail (xfail) or skip marker. [1] It would prevent test from failing in the report and once the underlying issue is fixed, it will raise as an unexpected pass. It could be used as a temporary solution, once the issue is fixed, we would remove the mark from the test. This would probably need some workflow to be defined for these cases. [1]: https://pytest.org/latest/skipping.html -- Milan Kubik -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] Workaround for trac N 5348
On 10/09/2015 09:01 AM, Milan Kubík wrote: On 10/08/2015 02:50 PM, Martin Basti wrote: On 10/08/2015 02:39 PM, Martin Kosek wrote: On 10/08/2015 02:08 PM, Oleg Fayans wrote: Hi, On 10/08/2015 11:18 AM, Jan Pazdziora wrote: On Thu, Oct 08, 2015 at 11:12:37AM +0200, Oleg Fayans wrote: When the ticket is addressed and these workarounds are no longer needed -- what is our process for finding these workarounds and reverting them, so that the tests test the real, expected behaviour? As per discussion with Martin Basti, it was decided that this workaround will only be applied to the current 4-2 branch, not to the upstream. In That sounds like a reasonable plan for this issue. upstream the issue itself will (supposedly) be solved Except currently it's not, so (IIUIC) you will keep having nondeterministic failures in master. I was mostly interested in the general approach that we have to workarounds -- how do we track them, how do we make sure they don't stick in tests forever, even after the issue was already properly addressed. That's actually a great point. I personally would like tickets to have one more field: "workaround" containing the address of a workaround in the format "path_to_the_file:line_number" or better even - a commit id of this workaround, so that once the ticket is resolved, we could easily find what to reverse. Please don't add any more trac fields, there is too many of them already :-) Keyword may serve better for now... +1 new trac field for a few workarounds per year is not worth it. Perhaps we could use pytest's expected fail (xfail) or skip marker. [1] It would prevent test from failing in the report and once the underlying issue is fixed, it will raise as an unexpected pass. It could be used as a temporary solution, once the issue is fixed, we would remove the mark from the test. This would probably need some workflow to be defined for these cases. [1]: https://pytest.org/latest/skipping.html I write faster than I read. The issue at hand here is diffeerent use case. :) -- Milan Kubik -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0078-0081] ipa-client-install autodiscovery code improvements
On 8.10.2015 19:09, Martin Babinsky wrote: > These patches fix https://fedorahosted.org/freeipa/ticket/4305 > > Actually only the last patch does the work itself (suppress autodiscovery when > installing client on master), but when I saw the state of autodiscovery code I > have taken the liberty to clean it up a bit. > > Patch #78 has separate versions for master and 4-2 branch, other patches > should apply on top of it in both branches. Uh, I have to say that I'm not big fan of this patch. This will simply hide fact that your DNS is terribly misconfigured and other things will fail later on. Also, even if we decide that it is what we want, I'm not sure what are implications for the master. Will it configure to use SSSD for auto-discovery as a fallback (when services on local master are not running)? If not, what will happen when IPA is not running on that particular master? Will the admin be able to log-in with IPA credentials? Nitpicks: > +if options.on_master: > +set_ipa_domain_params(ds, options.server, options.domain, > + options.realm_name, CACERT) It seems that set_ipa_domain_params should be class method of "ds" because it touches only instance variables and nothing else: -- Petr^2 Spacek -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] Workaround for trac N 5348
On 09.10.2015 22:04, Oleg Fayans wrote: On 10/09/2015 11:03 AM, Jan Pazdziora wrote: On Fri, Oct 09, 2015 at 10:31:32AM +0200, Tomas Babej wrote: a heavy process. Also, I wouldn't be strict about it, as we already have a couple of workarounds, and not every time a workaround has a exact mapping to a particular ticket. Frankly, this worries me much more than not having ticket for some trivial change to the code base. If there's workaround in tests, it's some action that we do but users/admins don't in their real setups. And that can cause failures for our users that we don't see or even no longer know about because in our tests, we've cleverly worked around them. I guess, the global question of whether to do workarounds in tests to make them pass or not is older than the very oldest profession on earth. I must admit, I am on Jan's side here. I would prefer to implement the approach proposed by Milan: mark the test scenario as expected failure (if it is crucial to make the whole run pass), or better even to leave it as it is: just so that each red CI run would remind of the necessity to fix the original issue. This all is a theory, however. What do we do with this particular case? It's an edge case (does anyone except root zone admins sign a root zone?). Should we probably disable the whole scenario? Or just leave it failing as it is? This bug does not happen just for root zone. Other zones are affected too. I would leave it failing, we have to fix it. Either that workaround step is needed and needs to be documented, or that step should not be needed and there should be a ticket describing the issue. -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] HOWTO: Troubleshooting SUDO
Hi, I just submitted a sudo troubleshooting guide [1]. If you find anything missing, please, let me know. [1] https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] 0001 cert-show: Remove check if hostname != CN
Jan Orel wrote: > Hello, > > this patch removes (IMHO) redundat check in cert_show, which fails when > host tries to re-submit certificate of different host/service which he > can manage. > > I also reported the bug here: > https://bugzilla.redhat.com/show_bug.cgi?id=1269089 > > I tired to run the tests as well and it doesn't seem to break anything. > Any feedpack appriciated. This works around the "Retrieve Certificates from the CA" ACL when done as a host. I guess if the hostname isn't the subject then the host for the subject needs to be read and then look to see if hostname is in the managed_by list. rob -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [PATCH 0009] WebUI: Disappearing automember rule expressions
Hi, please see the patch attached. Standa L. From 8bb771ad0f2f015ea1ebbdf7291ed5c7ae2a0a9b Mon Sep 17 00:00:00 2001 From: Stanislav LaznickaDate: Fri, 9 Oct 2015 13:32:33 +0200 Subject: [PATCH] Fixes disappearing automember expressions https://fedorahosted.org/freeipa/ticket/5353 --- install/ui/src/freeipa/automember.js | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/install/ui/src/freeipa/automember.js b/install/ui/src/freeipa/automember.js index 5eff3e69bdb014a3057bf9532e420cede416e8bf..0a73967290e742bf8ebc4920f6c2ee3cd52bdd2f 100644 --- a/install/ui/src/freeipa/automember.js +++ b/install/ui/src/freeipa/automember.js @@ -516,7 +516,8 @@ IPA.automember.condition_widget = function(spec) { var i = results.length - 1; while (i >= 0) { if (results[i].completed === 1){ -that.reload_facet({ result: results[i] }); +that.reload_facet({ error: results[i].error, id: null, +result: results[i] }); return; } i--; @@ -776,4 +777,4 @@ exp.register = function() { phases.on('registration', exp.register); return exp; -}); \ No newline at end of file +}); -- 2.4.3 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] 0197 client referral support for trusted domain principal
On Thu, Oct 08, 2015 at 01:36:23PM +0300, Alexander Bokovoy wrote: > On Mon, 05 Oct 2015, Sumit Bose wrote: > >On Thu, Sep 03, 2015 at 06:22:05PM +0300, Alexander Bokovoy wrote: > >>On Thu, 03 Sep 2015, Alexander Bokovoy wrote: > >>>Hi, > >>> > >>>attached patch adds support for issuing client referrals when FreeIPA > >>>KDC is asked to give a TGT for a principal from a trusted forest. > >>> > >>>We return a matching forest name as a realm and KDC then returns an > >>>error pointing a client to a direction of that realm. You can see how it > >>>looks with http://fpaste.org/263064/14412849/ -- it shows behavior for > >>>both 'kinit -E -C' and 'kinit -E'. > >>> > >>>Note that current MIT Kerberos KDC has a bug that prevents us from > >>>responding with a correct client referral. A patched version for Fedora > >>>22 is available in COPR abbra/krb5-test, a fix to upstream krb5 is > >>>https://github.com/krb5/krb5/pull/323/ and I'm working on filing bugs to > >>>Fedora and RHEL versions. > >>> > >>>With the version in my abbra/krb5-test COPR you can test the patch with > >>>the help of kinit like fpaste URL above shows. > >>After discussing with Simo and Sumit, here is updated patch that > >>operates directly on 'search_for' krb5_principal and avoids > >>strchr()/strrchr() and additional memory allocations -- it uses > >>memrchr() to find '@' in the last component of the search_for principal > >>and considers the part of the component after '@' as an enterprise realm > >>to check. > > > >The patch looks good and works as advertised. I've tested in a IPA > >domain which trusts two different forests. All requests to the forest > >roots and child domains where properly redirected. I tested with your > >krb5 test build and with MIT Kerberos 1.14 which contains the needed > >fix. > > > >Nevertheless there are a view points I want to discuss: > > > >- missing support for AD's Alternative Domain Suffixes, this is > > important to allow AD users to login in with their "Email-Address" > > (which is the typical reference for a user name with an alternative > > domain suffix). I think this is not strictly related to the given > > ticket, so it can be solved in the context of a new ticket, do you > > agree? > Yes, please add a separate ticket. We need to do a bit more here: > - extend schema to allow adding the attribute for alternative domain > suffixes > - switch to use different DCE RPC call to retrieve forest trust > information. We can do it now that we have a call-out mechanism and > can isolate access to TDO credentials (this is long standing issue > first identified by Metze as part of cross-forest trust support for > Samba 4.3) > - Make possible to associate alternative domain suffixes with IPA > realm. We have support for realm domains already but we don't allow > to use them yet for the same call as in the above item. https://fedorahosted.org/freeipa/ticket/5354 > > >- referrals from outside. If I call 'kinit -E admin@IPA.DOMAIN' from a > > client in a trusted AD forest I get a 'Client not found in database' > > error because AD tends to use lower case domain names in the referal > > response. The request is still properly send to the IPA KDC because > > DNS does not care about the case. The IPA KDC processes the request > > with the principal 'user\@IPA.DOMAIN@ipa.domain' until > > ipadb_is_princ_from_trusted_realm() returns KRB5_KDB_NOENTRY becasue > > it detects that the principal is from the local realm. I think it > > would be good to enhance your patch to handle this case. > This is a separate bug too. Please file a ticket. https://fedorahosted.org/freeipa/ticket/5356 > > > >- S4U2Self. MIT Kerberos 1.14 can now properly handle S4U2Self across > > domain and forest boundaries (I tested this in a setup with 2 AD > > forests with request going from a child domain to a child domain in > > the other forest. Unfortunately it is currently not working with IPA > > in neither direction (I guess the case issue from above might be the > > reason for the incoming request to fail). Here I think a new ticket > > would to good as well because some research might be needed and the > > issue might even be in the MIT code. (If you want to run some tests I > > can give you access to my test environment.) > I think we want to have this working, thus a ticket is due here. This is > something we'll most likely require for some advanced 2FA operations for > AD users. https://fedorahosted.org/freeipa/ticket/5357 bye, Sumit > > >Let me know if you prefer to handle the issues with other tickets, then > >I would ACK the patch as it is. > Please file separate tickets. > > -- > / Alexander Bokovoy -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] Workaround for trac N 5348
On 10/08/2015 11:18 AM, Oleg Fayans wrote: Done On 10/08/2015 10:37 AM, Martin Basti wrote: On 10/08/2015 09:13 AM, Oleg Fayans wrote: Hi Martin On 10/07/2015 04:30 PM, Martin Basti wrote: On 10/07/2015 04:13 PM, Oleg Fayans wrote: subj Workaround looks good, but I prefer not to push it in upstream tests, because it is not test failure. I agree, we should rather fix the original issue. But as a temporary solution, to satisfy downstream, it could do. Why is there this sleep, this might be useful in upstream tests too, but what is the reason to add sleep there? Without it I kept getting this error: E CalledProcessError: Command '['drill', '@localhost', '-k', '/etc/trusted-key.key', '-S', 'example.test.', 'SOA']' returned non-zero exit status 29 with --pdb option, though, my attempts to re-run the command succeeded, so I assumed it was a timing issue, and indeed, this 1 second sleep helped. # verify signatures +time.sleep(1) args = [ Attached is an updated version of the patch with Martin's remarks taken into account Can you please send this as separate patch? I would like to push this one. ACK Pushed to: master: 2b4354f37e7e775dae833d5e2e8824b43800855f ipa-4-2: f076da99946c0405162c88174e771a5cecfe9664 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCHES 362-366] Realmdomains handling improvements
On 09/23/2015 02:40 PM, Martin Basti wrote: > > > On 09/22/2015 02:23 PM, Tomas Babej wrote: >> On 09/03/2015 04:34 PM, Alexander Bokovoy wrote: >>> On Thu, 03 Sep 2015, Tomas Babej wrote: Hi, this couple of patches fix https://fedorahosted.org/freeipa/ticket/5278 and improve our handling of realmdomains in general. >>> The code looks good to me. I haven't tested it yet, though. >>> >> Rebased on top of current master. > > Please fix tests too. > Updated patchset attached. Also fixed a minor spelling and syntax issues in the original patches. Tomas From e02e5cd1d084f7faef76f3995e9236b7ea0bb3f7 Mon Sep 17 00:00:00 2001 From: Tomas BabejDate: Thu, 3 Sep 2015 12:13:32 +0200 Subject: [PATCH] util: Add detect_dns_zone_realm_type helper https://fedorahosted.org/freeipa/ticket/5278 --- ipalib/util.py | 55 +++ 1 file changed, 55 insertions(+) diff --git a/ipalib/util.py b/ipalib/util.py index a37f67342259c1ef8bd31af1d9c40e453c3bf1cf..29b4ca160f1e63dfc2c233547028b5982242a3af 100644 --- a/ipalib/util.py +++ b/ipalib/util.py @@ -801,3 +801,58 @@ def get_topology_connection_errors(graph): if not_visited: connect_errors.append((m, list(visited), list(not_visited))) return connect_errors + +def detect_dns_zone_realm_type(api, domain): +""" +Detects the type of the realm that the given DNS zone belongs to. +Note: This method is heuristic. Possible values: + - 'current': For IPA domains belonging in the current realm. + - 'foreign': For domains belonging in a foreing kerberos realm. + - 'unknown': For domains whose allegiance could not be detected. +""" + +# First, try to detect _kerberos TXT record in the domain +# This would indicate that the domain belongs to IPA realm + +kerberos_prefix = DNSName('_kerberos') +domain_suffix = DNSName(domain) +kerberos_record_name = kerberos_prefix + domain_suffix + +response = None + +try: +result = resolver.query(kerberos_record_name, rdatatype.TXT) +answer = result.response.answer + +# IPA domain will have only one _kerberos TXT record +if (len(answer) == 1 and +len(answer[0]) == 1 and +answer[0].rdtype == rdatatype.TXT): + +record = answer[0][0] + +# If the record contains our current realm, it is 'ipa-current' +if record.to_text() == '"{0}"'.format(api.env.realm): +return 'current' +else: +return 'foreign' + +except DNSException as e: +pass + +# Try to detect AD specific record in the zone. +# This would indicate that the domain belongs to foreign (AD) realm + +gc_prefix = DNSName('_ldap._tcp.gc._msdcs') +ad_specific_record_name = gc_prefix + domain_suffix + +try: +# The presence of this record is enough, return foreign in such case +result = resolver.query(ad_specific_record_name, rdatatype.SRV) +return 'foreign' + +except DNSException as e: +pass + +# If we could not detect type with certainity, return unknown +return 'unknown' -- 2.1.0 From c1f93910a6f5cfaa0f46252b0c6f165e9257a5ae Mon Sep 17 00:00:00 2001 From: Tomas Babej Date: Thu, 3 Sep 2015 12:40:17 +0200 Subject: [PATCH] realmdomains: Minor style and wording improvements https://fedorahosted.org/freeipa/ticket/5278 --- ipalib/plugins/realmdomains.py | 75 +- 1 file changed, 60 insertions(+), 15 deletions(-) diff --git a/ipalib/plugins/realmdomains.py b/ipalib/plugins/realmdomains.py index f8f838d0ede85ee747a4b2f19129dc757fe837eb..27c4fa228b455e8de5e40dafb8be0e4a4e1d0d65 100644 --- a/ipalib/plugins/realmdomains.py +++ b/ipalib/plugins/realmdomains.py @@ -137,16 +137,46 @@ class realmdomains_mod(LDAPUpdate): del_domain = entry_attrs.get('del_domain') force = options.get('force') +current_domain = get_domain_name() + +missing_soa_ns_record_error = _( +"DNS zone for each realmdomain must contain " +"SOA or NS records. No records found for: %s" +) + +# User specified the list of domains explicitly if associateddomain: if add_domain or del_domain: -raise errors.MutuallyExclusiveError(reason=_("you cannot specify the --domain option together with --add-domain or --del-domain")) -if get_domain_name() not in associateddomain: -raise errors.ValidationError(name='domain', error=_("cannot delete domain of IPA server")) +raise errors.MutuallyExclusiveError( +reason=_( +"The --domain option cannot be used together " +"with --add-domain or --del-domain. Use --domain " +"to specify the whole realm domain list explicitly, " +
[Freeipa-devel] [PATCH 0058] Remove bind configuration detected question
Hello, Fix for https://fedorahosted.org/freeipa/ticket/5351 Thanks, Gabe From 509ea0b496fd3d2361df58b23ce6ec8fb0ac9b64 Mon Sep 17 00:00:00 2001 From: GabeDate: Fri, 9 Oct 2015 11:02:06 -0600 Subject: [PATCH] Remove bind configuration detected question https://fedorahosted.org/freeipa/ticket/5351 --- ipaserver/install/bindinstance.py | 7 --- ipaserver/install/dns.py | 4 2 files changed, 11 deletions(-) diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py index 4c4677590b7120b7f12cb014519f61673dd1d68a..1cbda7c6931c55247bb0207ae91fbbf5363ad867 100644 --- a/ipaserver/install/bindinstance.py +++ b/ipaserver/install/bindinstance.py @@ -63,13 +63,6 @@ named_conf_include_re = re.compile(r'\s*include\s+"(?P)"\s*;') named_conf_include_template = "include \"%(path)s\";\n" -def check_inst(unattended): -if not unattended and os.path.exists(NAMED_CONF): -msg = "Existing BIND configuration detected, overwrite?" -return ipautil.user_input(msg, False) - -return True - def create_reverse(): return ipautil.user_input("Do you want to configure the reverse zone?", True) diff --git a/ipaserver/install/dns.py b/ipaserver/install/dns.py index 099e35dc331722607c8ca02cdbc7a0e66f8c4754..eb09af30b0f78f38ab1948d4dd01264f45dadf7c 100644 --- a/ipaserver/install/dns.py +++ b/ipaserver/install/dns.py @@ -144,10 +144,6 @@ def install_check(standalone, replica, options, hostname): False)): sys.exit("Aborted") -# Check bind packages are installed -if not bindinstance.check_inst(options.unattended): -sys.exit("Aborting installation.") - if options.disable_dnssec_master: _is_master() -- 1.8.3.1 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [PATCH 0057] Warn in no installation found when running ipa-server-install --uninstall
Hello, Fix for https://fedorahosted.org/freeipa/ticket/5341 Thanks, Gabe From 0400bf88987b56d1d3b7a0e665bec525fa81ed02 Mon Sep 17 00:00:00 2001 From: GabeDate: Fri, 9 Oct 2015 10:48:17 -0600 Subject: [PATCH] Warn if no installation found when running ipa-server-install --uninstall https://fedorahosted.org/freeipa/ticket/5341 --- ipaserver/install/server/install.py | 6 ++ 1 file changed, 6 insertions(+) diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py index 13a59a0e6149dc22ded4a895db02516e9360e02b..ca93e7a6fd7276d9c0d82eb6f94575730759d858 100644 --- a/ipaserver/install/server/install.py +++ b/ipaserver/install/server/install.py @@ -954,6 +954,12 @@ def uninstall_check(installer): installer._installation_cleanup = False +if not is_ipa_configured(): +print("IPA server is not configured on this system.\n" + + "If you want to install the IPA server, please install " + + "it using 'ipa-server-install'.") +sys.exit(1) + fstore = sysrestore.FileStore(SYSRESTORE_DIR_PATH) sstore = sysrestore.StateFile(SYSRESTORE_DIR_PATH) -- 1.8.3.1 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [PATCH 0056] Enable nsaccountlock in user.py cli
Hello, This patch enables nsaccountlock in user.py cli. It is very handy to be able to search and find users with disabled/enabled accounts, etc. That said, I couldn't find why it was no_option in the first place, so I am not 100% sure if it breaks something or the reasoning behind no_option. Thanks, Gabe From 985f765d2e25d2ce454884cd4a9f66f9005824a7 Mon Sep 17 00:00:00 2001 From: GabeDate: Fri, 9 Oct 2015 07:22:07 -0600 Subject: [PATCH] Enable nsaccountlock in user.py for cli usage --- API.txt| 6 +++--- VERSION| 2 +- ipalib/plugins/user.py | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/API.txt b/API.txt index 4d36a9885157de13529573b3a386b4ef39eba176..b4df75bb66dab43bc9b7c249851f61efcc284e0f 100644 --- a/API.txt +++ b/API.txt @@ -5176,7 +5176,7 @@ option: Str('manager', attribute=True, cli_name='manager', multivalue=False, req option: Str('mobile', attribute=True, cli_name='mobile', multivalue=True, required=False) option: Flag('no_members', autofill=True, default=False, exclude='webui') option: Flag('noprivate', autofill=True, cli_name='noprivate', default=False) -option: Bool('nsaccountlock', attribute=True, cli_name='nsaccountlock', multivalue=False, required=False) +option: Bool('nsaccountlock', attribute=True, cli_name='disabled', multivalue=False, required=False) option: Str('ou', attribute=True, cli_name='orgunit', multivalue=False, required=False) option: Str('pager', attribute=True, cli_name='pager', multivalue=True, required=False) option: Str('postalcode', attribute=True, cli_name='postalcode', multivalue=False, required=False) @@ -5269,7 +5269,7 @@ option: Str('not_in_hbacrule*', cli_name='not_in_hbacrules', csv=True) option: Str('not_in_netgroup*', cli_name='not_in_netgroups', csv=True) option: Str('not_in_role*', cli_name='not_in_roles', csv=True) option: Str('not_in_sudorule*', cli_name='not_in_sudorules', csv=True) -option: Bool('nsaccountlock', attribute=True, autofill=False, cli_name='nsaccountlock', multivalue=False, query=True, required=False) +option: Bool('nsaccountlock', attribute=True, autofill=False, cli_name='disabled', multivalue=False, query=True, required=False) option: Str('ou', attribute=True, autofill=False, cli_name='orgunit', multivalue=False, query=True, required=False) option: Str('pager', attribute=True, autofill=False, cli_name='pager', multivalue=True, query=True, required=False) option: Flag('pkey_only?', autofill=True, default=False) @@ -5324,7 +5324,7 @@ option: Str('mail', attribute=True, autofill=False, cli_name='email', multivalue option: Str('manager', attribute=True, autofill=False, cli_name='manager', multivalue=False, required=False) option: Str('mobile', attribute=True, autofill=False, cli_name='mobile', multivalue=True, required=False) option: Flag('no_members', autofill=True, default=False, exclude='webui') -option: Bool('nsaccountlock', attribute=True, autofill=False, cli_name='nsaccountlock', multivalue=False, required=False) +option: Bool('nsaccountlock', attribute=True, autofill=False, cli_name='disabled', multivalue=False, required=False) option: Str('ou', attribute=True, autofill=False, cli_name='orgunit', multivalue=False, required=False) option: Str('pager', attribute=True, autofill=False, cli_name='pager', multivalue=True, required=False) option: Str('postalcode', attribute=True, autofill=False, cli_name='postalcode', multivalue=False, required=False) diff --git a/VERSION b/VERSION index e1df4694f678b1fb27da7785b94dc827f0f8f207..98b64017f320d1cb5e3015476f894d1ece1d2012 100644 --- a/VERSION +++ b/VERSION @@ -91,4 +91,4 @@ IPA_DATA_VERSION=2010061412 IPA_API_VERSION_MAJOR=2 IPA_API_VERSION_MINOR=156 -# Last change: pvoborni - add vault container commands +# Last change: galford - enable nssacountlock option in cli diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py index cb47cbb4869cb978f87603817033580647cc2d17..802dc35f4321c69460fd13bc1103346ab1e30a50 100644 --- a/ipalib/plugins/user.py +++ b/ipalib/plugins/user.py @@ -340,8 +340,8 @@ class user(baseuser): takes_params = baseuser.takes_params + ( Bool('nsaccountlock?', +cli_name='disabled', label=_('Account disabled'), -flags=['no_option'], ), Bool('preserved?', label=_('Preserved user'), -- 1.8.3.1 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [PATCH 0059] ipa-adtrust-install: Print complete SRV record
Hello, I found this when reviewing DNS parts of IdM and AD integration guides. ipa-adtrust-install: Print complete SRV records. https://fedorahosted.org/freeipa/ticket/5358 -- Petr^2 Spacek From b10bd3b49c24c43a8540830303ab81250de6dd42 Mon Sep 17 00:00:00 2001 From: Petr SpacekDate: Fri, 9 Oct 2015 14:58:14 +0200 Subject: [PATCH] ipa-adtrust-install: Print complete SRV records https://fedorahosted.org/freeipa/ticket/5358 --- ipaserver/install/adtrustinstance.py | 7 --- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py index acc54ab83383b0b514fcd4f14d7480e0b38cb5b1..f7a7899906ca47b4901881fb6f4099ace1780741 100644 --- a/ipaserver/install/adtrustinstance.py +++ b/ipaserver/install/adtrustinstance.py @@ -593,9 +593,10 @@ class ADTRUSTInstance(service.Service): self.print_msg(err_msg) self.print_msg("Add the following service records to your DNS " \ "server for DNS zone %s: " % zone) -for srv in ipa_srv_rec: -for suff in win_srv_suffix: -self.print_msg(" - %s%s" % (srv[0], suff)) +for suff in win_srv_suffix: +for srv in ipa_srv_rec: +self.print_msg("%s%s IN SRV %s" % (srv[0], suff, " ".join(srv[1]))) +self.print_msg("") return for (srv, rdata, port) in ipa_srv_rec: -- 2.4.3 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] 0001 cert-show: Remove check if hostname != CN
Christian Heimes wrote: > On 2015-10-09 13:21, Jan Orel wrote: >> Hello, >> >> this patch removes (IMHO) redundat check in cert_show, which fails when >> host tries to re-submit certificate of different host/service which he >> can manage. >> >> I also reported the bug here: >> https://bugzilla.redhat.com/show_bug.cgi?id=1269089 >> >> I tired to run the tests as well and it doesn't seem to break anything. >> Any feedpack appriciated. > > Jan Cholasta, you implemented the check in 2011. What purpose does it have? > > hostname == CN has been deprecated by RFC 2818 for some time, see > https://tools.ietf.org/html/rfc2818#section-3.1 The current check is > also not sufficient to prevent forgery. Browsers and modern TLS > libraries completely ignore CN when a dNSName SAN extension is present. He just tweaked a pylint error, I did this code. The check isn't perfect (by far) but I don't think forgery is an issue. We're talking about retrieving a public cert, not doing a handshake. I think checking just the common name is ok because of the way IPA issues server certs. I'm not sure if SAN would even come into play in the case of checking this ACL. The only way I see this as being a problem is if a new profile is created for issuing server certs where the CN of the target host isn't in the subject. rob -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] LXC NTP Problem
Hi I really wont to deploy my freeipa server on LXC, but i cannot complete the installation because of NTP dont run on LXC Containers With --no-ntp wont either run, installation just stop when trying to start ntpd Help Mvh Martin Jørgensen TLF: 28738893 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] 0001 cert-show: Remove check if hostname != CN
On 9.10.2015 15:00, Christian Heimes wrote: On 2015-10-09 13:21, Jan Orel wrote: Hello, this patch removes (IMHO) redundat check in cert_show, which fails when host tries to re-submit certificate of different host/service which he can manage. I also reported the bug here: https://bugzilla.redhat.com/show_bug.cgi?id=1269089 I tired to run the tests as well and it doesn't seem to break anything. Any feedpack appriciated. Jan Cholasta, you implemented the check in 2011. What purpose does it have? I did not, it was added in commit 2e8bae59 by Rob. hostname == CN has been deprecated by RFC 2818 for some time, see https://tools.ietf.org/html/rfc2818#section-3.1 The current check is also not sufficient to prevent forgery. Browsers and modern TLS libraries completely ignore CN when a dNSName SAN extension is present. Christian -- Jan Cholasta -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] 0001 cert-show: Remove check if hostname != CN
On 2015-10-09 15:11, Jan Cholasta wrote: > On 9.10.2015 15:00, Christian Heimes wrote: >> On 2015-10-09 13:21, Jan Orel wrote: >>> Hello, >>> >>> this patch removes (IMHO) redundat check in cert_show, which fails when >>> host tries to re-submit certificate of different host/service which he >>> can manage. >>> >>> I also reported the bug here: >>> https://bugzilla.redhat.com/show_bug.cgi?id=1269089 >>> >>> I tired to run the tests as well and it doesn't seem to break anything. >>> Any feedpack appriciated. >> >> Jan Cholasta, you implemented the check in 2011. What purpose does it >> have? > > I did not, it was added in commit 2e8bae59 by Rob. Sorry, I didn't check the context, just the output of $ git annotate ipalib/plugins/cert.py | grep common_name signature.asc Description: OpenPGP digital signature -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] Workaround for trac N 5348
On 10/09/2015 11:03 AM, Jan Pazdziora wrote: On Fri, Oct 09, 2015 at 10:31:32AM +0200, Tomas Babej wrote: a heavy process. Also, I wouldn't be strict about it, as we already have a couple of workarounds, and not every time a workaround has a exact mapping to a particular ticket. Frankly, this worries me much more than not having ticket for some trivial change to the code base. If there's workaround in tests, it's some action that we do but users/admins don't in their real setups. And that can cause failures for our users that we don't see or even no longer know about because in our tests, we've cleverly worked around them. I guess, the global question of whether to do workarounds in tests to make them pass or not is older than the very oldest profession on earth. I must admit, I am on Jan's side here. I would prefer to implement the approach proposed by Milan: mark the test scenario as expected failure (if it is crucial to make the whole run pass), or better even to leave it as it is: just so that each red CI run would remind of the necessity to fix the original issue. This all is a theory, however. What do we do with this particular case? It's an edge case (does anyone except root zone admins sign a root zone?). Should we probably disable the whole scenario? Or just leave it failing as it is? Either that workaround step is needed and needs to be documented, or that step should not be needed and there should be a ticket describing the issue. -- Oleg Fayans Quality Engineer FreeIPA team RedHat. -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] LXC NTP Problem
On 10/09/2015 03:42 PM, Martin Jørgensen wrote: Hi I really wont to deploy my freeipa server on LXC, but i cannot complete the installation because of NTP dont run on LXC Containers With --no-ntp wont either run, installation just stop when trying to start ntpd Help Mvh Martin Jørgensen TLF: 28738893 Hello, can you share log of installation /var/log/ipaserver-install.log I'm not a container guru, but get IPA into containers may be tricky. Here are some docker related materials, which might be useful: http://www.adelton.com/docs/docker/complex-application-in-container https://github.com/adelton/docker-freeipa https://www.freeipa.org/page/Docker Martin -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code