[Freeipa-devel] Should we split up ipa-client?

2016-01-13 Thread Petr Viktorin
Hello,
I'm planning to port the ipa-client to Python 3, and I'm likely to end
up shaking out some dusty corners of the codebase, rather than doing the
minimal amount of work :)
So I'd like to get your opinions before I commit significant time to this.

I think it would be beneficial to split ipa-client to better match both
how it's put in the RPMs these days, and how the rest of IPA is
organized. (And, to stop using autotools to "build" Python libraries...)

The resulting structure could look like this:

ipaclient/
- *.py
- setup.py

client-tools/
- man/*
- *.c
- *.h
- all the automake stuff
- current contents of ipa-install (Python scripts that go in /usr/sbin)

Removed:
- ipa-client.spec.in (included in freeipa.spec.in)
- NEWS (empty)
- README (entirely outdated)


Does this look like a reasonable direction to explore?

-- 
Petr Viktorin

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] [PATCH 0124] ipa-csreplica-manage: remove extraneous ldap2 connection

2016-01-13 Thread Martin Basti



On 11.01.2016 16:47, Martin Basti wrote:



On 11.01.2016 12:34, Martin Kosek wrote:

On 01/08/2016 06:31 PM, Martin Babinsky wrote:

On 01/08/2016 06:17 PM, Martin Basti wrote:


On 08.01.2016 17:18, Martin Babinsky wrote:

fixes ipa-csreplica-manage del blowing up due

https://fedorahosted.org/freeipa/ticket/5583

for master and ipa-4-3 only.


Give me the patch, please!!

An auto-attach plugin would be most welcome... here's the patch.

Back in my developer days, I used this script for sending patches :-)

https://github.com/freeipa/freeipa-tools/blob/master/sendpatch.py

This let me (almost never) forget to attach the file(s) in the right
format.



ACK


Pushed to:
master: a81e69a796fee2405252838d512e5b950f3be5d8
ipa-4-3: 6ef4bfb7b422af4e487043cdfec88845c3644d6a



Re: [Freeipa-devel] [PATCH 0121] consider IPA master removed from topology when request for host TGT fails

2016-01-13 Thread Martin Babinsky

On 01/07/2016 05:38 PM, Martin Babinsky wrote:

On 01/07/2016 05:37 PM, Martin Babinsky wrote:

https://fedorahosted.org/freeipa/ticket/5584


And the patch is here.



self-NACK, there may be a better way to handle this. I will do some 
investigation and send an updated patch.


--
Martin^3 Babinsky



Re: [Freeipa-devel] [PATCH 0125] IPA upgrade: move replication ACIs to the mapping tree entry

2016-01-13 Thread Martin Babinsky

On 01/13/2016 07:18 AM, Jan Cholasta wrote:

On 12.1.2016 19:13, Martin Babinsky wrote:

commit 6ea868e172738bdd6a8fae34e65126cdd134bbbe broke replica install
and management on IPA servers upgraded from pre-4.3 version. The
attached patch fixes this.

https://fedorahosted.org/freeipa/ticket/5575


Any reason to repeat the DN 3 times?

Besides that LGTM.



No other reason than not using my brain while copy-pasting ACIs.

Attaching updated patch.

--
Martin^3 Babinsky
From fbb09447ee9de307e78ace3dfb70f01d57694be0 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Tue, 12 Jan 2016 18:59:11 +0100
Subject: [PATCH] IPA upgrade: move replication ACIs to the mapping tree entry

During IPA server upgrade from pre-4.3 versions, the ACIs permitting
manipulation of replication agreements are removed from the
'cn="$SUFFIX",cn=mapping tree,cn=config' and 'cn=o\3Dipaca,cn=mapping
tree,cn=config'. However they are never re-added breaking management and
installation of replicas.

This patch modifies the update process so that the ACIs are first added to the
'cn=mapping tree,cn=config' and then removed from the child entries.

https://fedorahosted.org/freeipa/ticket/5575
---
 install/updates/20-aci.update | 4 
 1 file changed, 4 insertions(+)

diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
index cef842bbdf291762ef91d6be63c435b2f2161897..5526efa152340f14f17f833e32cbf8231693534f 100644
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@@ -63,8 +63,12 @@ dn: cn=tasks,cn=config
 add:aci:(targetattr="*")(version 3.0; acl "Admin can read all tasks"; allow (read, compare, search) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX;;)
 
 # Allow hosts to read their replication agreements
+# replication ACIs should reside in cn=mapping tree,cn=config and be common for both suffixes
 dn: cn=mapping tree,cn=config
 add:aci: (target = "ldap:///cn=meTo($$dn),cn=*,cn=mapping tree,cn=config")(targetattr = "objectclass || cn")(version 3.0; acl "Allow hosts to read their replication agreements"; allow(read, search, compare) userdn = "ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";)
+add: aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";allow (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
+add: aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
+add: aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Remove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
 
 dn: cn="$SUFFIX",cn=mapping tree,cn=config
 remove:aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";allow (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
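Review bot: the three ACIs added at `cn=mapping tree,cn=config` carry `(targetattr=*)` with no `target` clause, so their scope is now the whole mapping tree subtree instead of a single suffix entry; the new comment says this is intended ("common for both suffixes"), but the commit message should state the widening explicitly, since "permission:Add Replication Agreements" now permits adds under every child of the mapping tree. The new lines are spelled `add: aci:` while the existing line above uses `add:aci:`; keep one form so the update parser treats them identically. The visible context ends after the first `remove:aci:` for `cn="$SUFFIX"`, so confirm the Modify and Remove ACIs, and the `cn=o\3Dipaca` entry named in the commit message, are removed further down as described.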
-- 
2.5.0


Re: [Freeipa-devel] [PATCH 0118] fix Py3 incompatible exception instantiation in replica install code

2016-01-13 Thread Martin Basti



On 11.01.2016 13:30, Martin Babinsky wrote:

On 01/08/2016 06:26 PM, Tomas Babej wrote:



On 01/07/2016 05:56 PM, Martin Babinsky wrote:

On 01/04/2016 09:02 AM, Martin Babinsky wrote:





I have created ticket to patch and added it to commit message:

https://fedorahosted.org/freeipa/ticket/5585





ACK for these changes, however, there are additional occurrences in the
code base, attaching a patch.

Tomas




ACK


Pushed to:
master: 50627004b83fe155767fb02b51099eba612a5855
ipa-4-3: 1181926c970e71cec728bed9ac4b16a2664ef97d



Re: [Freeipa-devel] [patch 0029, 0030] fixes for install tasks in integration tests

2016-01-13 Thread Martin Basti



On 11.01.2016 11:59, Milan Kubík wrote:

On 01/07/2016 09:36 AM, Milan Kubík wrote:

0029: Add 10.in-addr.arpa. zone to ipa
0030: If the IP addresses in the topology are resolvable, do not add 
them to master.





Hi. I'm dropping 0029 for now. 0030 gets an update.

--
Milan Kubik



ACK

Pushed to:
master: c0133778ae6ea207aa3b184af54fea5803e2ac23
ipa-4-3: 850ea4cc8fa25c85c5a6869481c311b1f10611cc


Re: [Freeipa-devel] [PATCH] Remove des3/arcfour from default enctypes

2016-01-13 Thread Alexander Bokovoy

On Mon, 23 Nov 2015, Simo Sorce wrote:

Note, this does not touch the trust code because apparently we use only
arcfour there.

CCing Alexander to give me a comment about that, probably worth opening
a ticket specific to trusts.

Otherwise addresses #4740

Simo.

--
Simo Sorce * Red Hat, Inc * New York



From 70b4c8971ca623aa51e8e7d1f0e5d245a05c7396 Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Mon, 23 Nov 2015 13:40:42 -0500
Subject: [PATCH] Use only AES enctypes by default

Remove des3 and arcfour from the defaults for new installs.

NOTE: the ipasam/dcerpc code still uses arcfour

Signed-off-by: Simo Sorce 

Ticket: https://fedorahosted.org/freeipa/ticket/4740
---
daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c | 14 +++---
install/share/kerberos.ldif  |  2 --
2 files changed, 3 insertions(+), 13 deletions(-)

diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c 
b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
index 
1a8ef47b0fc6a932a4115dfa05ecf1a39c8e762f..5dc606d22305cf63a16feca30aab2728bb20b80d
 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
@@ -55,18 +55,10 @@ extern const char *ipa_realm_dn;
extern const char *ipa_etc_config_dn;
extern const char *ipa_pwd_config_dn;

-/* These are the default enc:salt types if nothing is defined.
- * TODO: retrieve the configure set of ecntypes either from the
- * kfc.conf file or by synchronizing the file content into
- * the directory */
+/* These are the default enc:salt types if nothing is defined in LDAP */
static const char *ipapwd_def_encsalts[] = {
-"des3-hmac-sha1:normal",
-/*"arcfour-hmac:normal",
-"des-hmac-sha1:normal",
-"des-cbc-md5:normal", */
-"des-cbc-crc:normal",
-/*"des-cbc-crc:v4",
-"des-cbc-crc:afs3", */
+"aes256-cts:special",
+"aes128-cts:special",
NULL
};
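Review bot: the dropped `"des-cbc-crc:normal"` entry in ipapwd_def_encsalts was an active default, unlike the commented-out arcfour/des lines around it, so any deployment whose LDAP entry lacks krbDefaultEncSaltTypes has been falling back to single-DES key generation; that behaviour change is what makes this a security fix rather than a cleanup and deserves a sentence in the commit message. The replacement comment "if nothing is defined in LDAP" could also name the attribute consulted (krbDefaultEncSaltTypes, per the second file in this patch) so the link between the C fallback and the LDIF template is explicit.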

diff --git a/install/share/kerberos.ldif b/install/share/kerberos.ldif
index 
41e77952adafaf28bfaa96b4c1f1a81ef96348be..1f556382e262ec1b71eb0f4267de0a987952d84d
 100644
--- a/install/share/kerberos.ldif
+++ b/install/share/kerberos.ldif
@@ -30,8 +30,6 @@ krbMaxTicketLife: 86400
krbMaxRenewableAge: 604800
krbDefaultEncSaltTypes: aes256-cts:special
krbDefaultEncSaltTypes: aes128-cts:special
-krbDefaultEncSaltTypes: des3-hmac-sha1:special
-krbDefaultEncSaltTypes: arcfour-hmac:special

# Default password Policy
dn: cn=global_policy,cn=$REALM,cn=kerberos,$SUFFIX
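Review bot: this changes the install template only, as the commit message says ("for new installs"); existing realms keep whatever krbDefaultEncSaltTypes values are already stored under cn=$REALM,cn=kerberos,$SUFFIX, so retiring des3/arcfour on upgraded servers would need a separate update step, and the commit message should say that upgrades are out of scope. Since the note states that ipasam/dcerpc still uses arcfour, the trust-specific follow-up ticket mentioned in the cover mail should be referenced here so the remaining use is tracked.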
--
2.5.0


ACK.

--
/ Alexander Bokovoy



Re: [Freeipa-devel] Should we split up ipa-client?

2016-01-13 Thread Martin Babinsky

On 01/13/2016 11:34 AM, Petr Viktorin wrote:

Hello,
I'm planning to port the ipa-client to Python 3, and I'm likely to end
up shaking out some dusty corners of the codebase, rather than doing the
minimal amount of work :)
So I'd like to get your opinions before I commit significant time to this.

I think it would be beneficial to split ipa-client to better match both
how it's put in the RPMs these days, and how the rest of IPA is
organized. (And, to stop using autotools to "build" Python libraries...)

The resulting structure could look like this:

ipaclient/
- *.py
- setup.py

client-tools/
- man/*
- *.c
- *.h
- all the automake stuff
- current contents of ipa-install (Python scripts that go in /usr/sbin)

Removed:
- ipa-client.spec.in (included in freeipa.spec.in)
- NEWS (empty)
- README (entirely outdated)


Does this look like a reasonable direction to explore?



Makes sense to me, this kind of work would be needed during client 
installer refactoring anyway (also, using autotools for python module 
installation hurts my brain a lot).


--
Martin^3 Babinsky



Re: [Freeipa-devel] [PATCH 0011-0012][RFE] ipa-replica-manage: automatically clean dangling RUVs

2016-01-13 Thread Martin Basti



On 18.12.2015 12:46, Stanislav Laznicka wrote:

Hi,

Attached are the patches for auto-find and clean of dangling (cs)ruvs. 
Currently, the cleaning of an RUV waits for all replicas to be online, 
even on --force. If that were an issue, I can make the command fail 
before trying to clean any of the RUVs. However, the user is shown that a 
replica is offline and is prompted to confirm the cleaning, so the 
possible wait should not be a problem, I believe.


Standa L.



Hello,

the patches need a rebase, I cannot apply them.

Re: [Freeipa-devel] [PATCH 565] Fix potential aborts in KDB driver

2016-01-13 Thread Martin Babinsky

On 01/05/2016 11:19 PM, Simo Sorce wrote:

On Tue, 2016-01-05 at 16:15 -0500, Simo Sorce wrote:

The LDAP context was not checked on the first api call and a context may
be null on some error conditions (LDAP server unreachable).

Always check that we have a valid context before calling the ldap API.

Builds but it is untested.


Forgot to mention that this bug affects all 4.x versions and should
probably be backported on all maintained branches.

I opened a bug to track it too:
https://fedorahosted.org/freeipa/ticket/5577

Simo.


ACK. Please include the ticket URL in the commit message.

--
Martin^3 Babinsky



Re: [Freeipa-devel] [TEST] Workaround for ticket N 5559

2016-01-13 Thread Petr Spacek
On 13.1.2016 18:13, Martin Basti wrote:
> 
> 
> On 08.01.2016 10:12, Oleg Fayans wrote:
>> Passes lint, fixes an issue with replica installation failures due to
>> absence of corresponding reverse zone on master.
>>
>>
>>
> NACK
> 
> [ipa.ipatests.test_integration.host.Host.master.ParamikoTransport] RUN ['ipa',
> 'dnsrecord-add', '129.168.192.in-addr.arpa.', '101',
> '--ptr-hostname=master.ipa.test.']
> [ipa.ipatests.test_integration.host.Host.master.cmd21] RUN ['ipa',
> 'dnsrecord-add', '129.168.192.in-addr.arpa.', '101',
> '--ptr-hostname=master.ipa.test.']
> [ipa.ipatests.test_integration.host.Host.master.cmd21] ipa: ERROR: DNS is not
> configured
> [ipa.ipatests.test_integration.host.Host.master.cmd21] Exit code: 2

Also, we did not manage to reproduce the problem described in ticket #5559
with latest master for IPA and bind-dyndb-ldap devel branch, so it might not
be necessary to spend more time on this.

-- 
Petr^2 Spacek



Re: [Freeipa-devel] Should we split up ipa-client?

2016-01-13 Thread Jan Cholasta

Hi,

On 13.1.2016 13:03, Martin Babinsky wrote:

On 01/13/2016 11:34 AM, Petr Viktorin wrote:

Hello,
I'm planning to port the ipa-client to Python 3, and I'm likely to end
up shaking out some dusty corners of the codebase, rather than doing the
minimal amount of work :)
So I'd like to get your opinions before I commit significant time to
this.

I think it would be beneficial to split ipa-client to better match both
how it's put in the RPMs these days, and how the rest of IPA is
organized. (And, to stop using autotools to "build" Python libraries...)

The resulting structure could look like this:

ipaclient/
- *.py
- setup.py


+1



client-tools/
- man/*
- *.c
- *.h
- all the automake stuff
- current contents of ipa-install (Python scripts that go in /usr/sbin)


I would rather s/client-tools/client/, as this stuff goes into the 
freeipa-*client* subpackage.


I'm not sure if this is what you are suggesting or not, but I would like 
the man page files to be in the same directory as the corresponding 
source code files.




Removed:
- ipa-client.spec.in (included in freeipa.spec.in)
- NEWS (empty)
- README (entirely outdated)


+1




Does this look like a reasonable direction to explore?



Makes sense to me, this kind of work would be needed during client
installer refactoring anyway (also, using autotools for python module
installation hurts my brain a lot).


Honza

--
Jan Cholasta



Re: [Freeipa-devel] [PATCH 562-563] Fix ipa-sam to use the getkeytab control instead of the setkeytab control

2016-01-13 Thread Alexander Bokovoy

On Thu, 03 Dec 2015, Simo Sorce wrote:

The first patch is preparatory and is needed in general now that we want
to allow aliases and use krbCanonicalName as the canonical name when
multiple values are available in krbPrincipalName.

The second patch changes slightly how the interdomain trust account is
created so that the getkeytab control can generate the proper key (with
the right salt) for interop reasons with AD. The change should be
upgrade safe because keys are generated at account creation, so older
accounts lacking the alias won't be a problem.

Fixes #5495

This patchset seems to have fallen through the cracks -- it was ACKed but
not committed.
--
/ Alexander Bokovoy



Re: [Freeipa-devel] [PATCH] Remove des3/arcfour from default enctypes

2016-01-13 Thread Martin Basti



On 13.01.2016 15:06, Alexander Bokovoy wrote:

On Mon, 23 Nov 2015, Simo Sorce wrote:

Note, this does not touch the trust code because apparently we use only
arcfour there.

CCing Alexander to give me a comment about that, probably worth opening
a ticket specific to trusts.

Otherwise addresses #4740

Simo.

--
Simo Sorce * Red Hat, Inc * New York



From 70b4c8971ca623aa51e8e7d1f0e5d245a05c7396 Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Mon, 23 Nov 2015 13:40:42 -0500
Subject: [PATCH] Use only AES enctypes by default

Remove des3 and arcfour from the defaults for new installs.

NOTE: the ipasam/dcerpc code still uses arcfour

Signed-off-by: Simo Sorce 

Ticket: https://fedorahosted.org/freeipa/ticket/4740
---
daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c | 14 +++---
install/share/kerberos.ldif  |  2 --
2 files changed, 3 insertions(+), 13 deletions(-)

diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c 
b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
index 
1a8ef47b0fc6a932a4115dfa05ecf1a39c8e762f..5dc606d22305cf63a16feca30aab2728bb20b80d 
100644

--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
@@ -55,18 +55,10 @@ extern const char *ipa_realm_dn;
extern const char *ipa_etc_config_dn;
extern const char *ipa_pwd_config_dn;

-/* These are the default enc:salt types if nothing is defined.
- * TODO: retrieve the configure set of ecntypes either from the
- * kfc.conf file or by synchronizing the file content into
- * the directory */
+/* These are the default enc:salt types if nothing is defined in 
LDAP */

static const char *ipapwd_def_encsalts[] = {
-"des3-hmac-sha1:normal",
-/*"arcfour-hmac:normal",
-"des-hmac-sha1:normal",
-"des-cbc-md5:normal", */
-"des-cbc-crc:normal",
-/*"des-cbc-crc:v4",
-"des-cbc-crc:afs3", */
+"aes256-cts:special",
+"aes128-cts:special",
NULL
};

diff --git a/install/share/kerberos.ldif b/install/share/kerberos.ldif
index 
41e77952adafaf28bfaa96b4c1f1a81ef96348be..1f556382e262ec1b71eb0f4267de0a987952d84d 
100644

--- a/install/share/kerberos.ldif
+++ b/install/share/kerberos.ldif
@@ -30,8 +30,6 @@ krbMaxTicketLife: 86400
krbMaxRenewableAge: 604800
krbDefaultEncSaltTypes: aes256-cts:special
krbDefaultEncSaltTypes: aes128-cts:special
-krbDefaultEncSaltTypes: des3-hmac-sha1:special
-krbDefaultEncSaltTypes: arcfour-hmac:special

# Default password Policy
dn: cn=global_policy,cn=$REALM,cn=kerberos,$SUFFIX
--
2.5.0


ACK.


Pushed to:
master: 58ab032f1ae20454d4b9d760c7601fd8b44045f5
ipa-4-3: bad5b0247984635fe402283aee259f35a048df6b



Re: [Freeipa-devel] [PATCH 565] Fix potential aborts in KDB driver

2016-01-13 Thread Martin Babinsky

On 01/13/2016 03:30 PM, Simo Sorce wrote:

On Wed, 2016-01-13 at 14:02 +0100, Martin Babinsky wrote:

On 01/05/2016 11:19 PM, Simo Sorce wrote:

On Tue, 2016-01-05 at 16:15 -0500, Simo Sorce wrote:

The LDAP context was not checked on the first api call and a context may
be null on some error conditions (LDAP server unreachable).

Always check that we have a valid context before calling the ldap API.

Builds but it is untested.


Forgot to mention that this bug affects all 4.x versions and should
probably be backported on all maintained branches.

I opened a bug to track it too:
https://fedorahosted.org/freeipa/ticket/5577

Simo.


ACK. Please include the ticket URL in the commit message.



Could you add it when pushing?

Unless you need some other change in the patch it will be less churn
that way.

Simo.



Yes we could. I didn't realize that, sorry for the noise.

--
Martin^3 Babinsky



Re: [Freeipa-devel] [PATCH 565] Fix potential aborts in KDB driver

2016-01-13 Thread Martin Basti



On 13.01.2016 15:31, Martin Babinsky wrote:

On 01/13/2016 03:30 PM, Simo Sorce wrote:

On Wed, 2016-01-13 at 14:02 +0100, Martin Babinsky wrote:

On 01/05/2016 11:19 PM, Simo Sorce wrote:

On Tue, 2016-01-05 at 16:15 -0500, Simo Sorce wrote:
The LDAP context was not checked on the first api call and a 
context may

be null on some error conditions (LDAP server unreachable).

Always check that we have a valid context before calling the ldap 
API.


Builds but it is untested.


Forgot to mention that this bug affects all 4.x versions and should
probably be backported on all maintained branches.

I opened a bug to track it too:
https://fedorahosted.org/freeipa/ticket/5577

Simo.


ACK. Please include the ticket URL in the commit message.



Could you add it when pushing?

Unless you need some other change in the patch it will be less churn
that way.

Simo.



Yes we could. I didn't realize that, sorry for the noise.

I do not know where to push it; the ticket is still in needs triage, so it 
has not been decided where it should go.




Re: [Freeipa-devel] [PATCH 565] Fix potential aborts in KDB driver

2016-01-13 Thread Simo Sorce
On Wed, 2016-01-13 at 15:49 +0100, Martin Basti wrote:
> 
> On 13.01.2016 15:31, Martin Babinsky wrote:
> > On 01/13/2016 03:30 PM, Simo Sorce wrote:
> >> On Wed, 2016-01-13 at 14:02 +0100, Martin Babinsky wrote:
> >>> On 01/05/2016 11:19 PM, Simo Sorce wrote:
>  On Tue, 2016-01-05 at 16:15 -0500, Simo Sorce wrote:
> > The LDAP context was not checked on the first api call and a 
> > context may
> > be null on some error conditions (LDAP server unreachable).
> >
> > Always check that we have a valid context before calling the ldap 
> > API.
> >
> > Builds but it is untested.
> 
>  Forgot to mention that this bug affects all 4.x versions and should
>  probably be backported on all maintained branches.
> 
>  I opened a bug to track it too:
>  https://fedorahosted.org/freeipa/ticket/5577
> 
>  Simo.
> 
> >>> ACK. Please include the ticket URL in the commit message.
> >>>
> >>
> >> Could you add it when pushing?
> >>
> >> Unless you need some other change in the patch it will be less churn
> >> that way.
> >>
> >> Simo.
> >>
> >
> > Yes we could. I didn't realize that, sorry for the noise.
> >
> I do not know where to push it; the ticket is still in needs triage, so it 
> has not been decided where it should go.

It definitely goes in master. You can push elsewhere as well later.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-devel] [PATCH 565] Fix potential aborts in KDB driver

2016-01-13 Thread Simo Sorce
On Wed, 2016-01-13 at 14:02 +0100, Martin Babinsky wrote:
> On 01/05/2016 11:19 PM, Simo Sorce wrote:
> > On Tue, 2016-01-05 at 16:15 -0500, Simo Sorce wrote:
> >> The LDAP context was not checked on the first api call and a context may
> >> be null on some error conditions (LDAP server unreachable).
> >>
> >> Always check that we have a valid context before calling the ldap API.
> >>
> >> Builds but it is untested.
> >
> > Forgot to mention that this bug affects all 4.x versions and should
> > probably be backported on all maintained branches.
> >
> > I opened a bug to track it too:
> > https://fedorahosted.org/freeipa/ticket/5577
> >
> > Simo.
> >
> ACK. Please include the ticket URL in the commit message.
> 

Could you add it when pushing?

Unless you need some other change in the patch it will be less churn
that way.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-devel] [TEST] Workaround for ticket N 5559

2016-01-13 Thread Martin Basti



On 08.01.2016 10:12, Oleg Fayans wrote:

Passes lint, fixes an issue with replica installation failures due to
absence of corresponding reverse zone on master.




NACK

[ipa.ipatests.test_integration.host.Host.master.ParamikoTransport] RUN 
['ipa', 'dnsrecord-add', '129.168.192.in-addr.arpa.', '101', 
'--ptr-hostname=master.ipa.test.']
[ipa.ipatests.test_integration.host.Host.master.cmd21] RUN ['ipa', 
'dnsrecord-add', '129.168.192.in-addr.arpa.', '101', 
'--ptr-hostname=master.ipa.test.']
[ipa.ipatests.test_integration.host.Host.master.cmd21] ipa: ERROR: DNS 
is not configured

[ipa.ipatests.test_integration.host.Host.master.cmd21] Exit code: 2


Re: [Freeipa-devel] [PATCH 0126-0127] reset openldap client config to point to freshly promote replica

2016-01-13 Thread Martin Basti



On 13.01.2016 17:59, Rob Crittenden wrote:

Martin Babinsky wrote:

fixes https://fedorahosted.org/freeipa/ticket/5584

In order to ensure consistent behavior with ipa-client-install, I opted
to reuse the configure_openldap_conf() function and restore the config
from client sysrestore before modifying it.

If you think this approach is not optimal please propose an alternative
solution.

You could also just do an action set on URI to change the value, right?
It would need a new function but it would be very small.

If you do end up keeping this I'd want a new commit message for moving
the code to include why you're moving it (to avoid the need to dereference
the ticket).

rob


NACK

Traceback (most recent call last):
  File "./makeapi", line 459, in 
sys.exit(main())
  File "./makeapi", line 430, in main
api.finalize()
  File "/root/freeipa/ipalib/plugable.py", line 658, in finalize
self.__do_if_not_done('load_plugins')
  File "/root/freeipa/ipalib/plugable.py", line 372, in __do_if_not_done
getattr(self, name)()
  File "/root/freeipa/ipalib/plugable.py", line 536, in load_plugins
self.import_plugins(module)
  File "/root/freeipa/ipalib/plugable.py", line 574, in import_plugins
module = importlib.import_module(name)
  File "/usr/lib64/python2.7/importlib/__init__.py", line 37, in import_module
__import__(name)
  File "/root/freeipa/ipalib/plugins/baseuser.py", line 33, in 
from ipapython.ipautil import ipa_generate_password
  File "/root/freeipa/ipapython/ipautil.py", line 49, in 
from ipaclient.ipachangeconf import IPAChangeConf
ImportError: No module named ipaclient.ipachangeconf
Traceback (most recent call last):
  File "./makeaci", line 35, in 
from ipapython.ipaldap import LDAPClient
  File "/root/freeipa/ipapython/ipaldap.py", line 41, in 
from ipapython.ipautil import (
  File "/root/freeipa/ipapython/ipautil.py", line 49, in 
from ipaclient.ipachangeconf import IPAChangeConf
ImportError: No module named ipaclient.ipachangeconf
Makefile:138: recipe for target 'version-update' failed



Re: [Freeipa-devel] [PATCH 0126-0127] reset openldap client config to point to freshly promote replica

2016-01-13 Thread Martin Babinsky

On 01/13/2016 05:42 PM, Martin Babinsky wrote:

fixes https://fedorahosted.org/freeipa/ticket/5584

In order to ensure consistent behavior with ipa-client-install, I opted
to reuse the configure_openldap_conf() function and restore the config
from client sysrestore before modifying it.

If you think this approach is not optimal please propose an alternative
solution.




Messed up the mail again, oh well.

This is the correct ticket URL:
https://fedorahosted.org/freeipa/ticket/5488

--
Martin^3 Babinsky



Re: [Freeipa-devel] [PATCH 0121] consider IPA master removed from topology when request for host TGT fails

2016-01-13 Thread Martin Babinsky

On 01/13/2016 10:31 AM, Martin Babinsky wrote:

On 01/07/2016 05:38 PM, Martin Babinsky wrote:

On 01/07/2016 05:37 PM, Martin Babinsky wrote:

https://fedorahosted.org/freeipa/ticket/5584


And the patch is here.




self-NACK, there may be a better way to handle this. I will do some
investigation and send an updated patch.


Attaching updated patch.

--
Martin^3 Babinsky
From 0fe8f5e989f62c716f1de8159ca4d8c498106784 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Thu, 7 Jan 2016 16:48:11 +0100
Subject: [PATCH 1/3] uninstallation: more robust check for master removal from
 topology

When uninstalling an IPA master in a domain level 1 topology, the code that
checks for correct removal from the topology will now consider failures to
look up the host entry in local LDAP and to obtain the host TGT as a sign that
the master entry was already removed.

https://fedorahosted.org/freeipa/ticket/5584
---
 ipaserver/install/server/install.py | 37 +++--
 1 file changed, 31 insertions(+), 6 deletions(-)

diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index 8a57886cd91bc4dbb06d30b457844499d3ff6cec..aa048cc6d05490ec38e4f2808e7874cd8312704b 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -4,6 +4,7 @@
 
 from __future__ import print_function
 
+import gssapi
 import os
 import pickle
 import pwd
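Review bot: `import gssapi` is a third-party module dropped into the standard-library import block (`os`, `pickle`, `pwd`); keep it in its own group below the stdlib imports so the module's import layout stays consistent.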
@@ -291,26 +292,50 @@ def common_cleanup(func):
 
 
 def check_master_deleted(api, masters, interactive):
+"""
+Determine whether the IPA master was removed from the domain level 1
+topology. The function first tries to locally lookup the master host entry
+and fetches host prinicipal from DS. Then we attempt to acquire host TGT,
+contact the other masters one at a time and query for the existence of the
+host entry for our IPA master.
+
+:param api: instance of API object
+:param masters: list of masters to contact
+:param interactive: whether run in interactive mode. The user will be
+prompted for action if the removal status cannot be determined
+:return: True if the master is not part of the topology anymore as
+determined by the following conditions:
+* the host entry does not exist in local DS
+* we fail to get host TGT
+* GSSAPI connection to remote DS fails on invalid authentication
+* if we are the only master
+False otherwise
+"""
 try:
 host_princ = api.Command.host_show(
 api.env.host)['result']['krbprincipalname'][0]
-except Exception as e:
-root_logger.warning(
-"Failed to get host principal name: {0}".format(e)
+except errors.NotFound:
+root_logger.debug(
+"Host entry for {} already deleted".format(api.env.host)
 )
+return True
+except Exception as e:
+root_logger.warning("Failed to get host principal name: {0}".format(e))
 return False
 
 ccache_path = os.path.join('/', 'tmp', 'krb5cc_host')
 with ipautil.private_ccache(ccache_path):
+# attempt to get host TGT. Failure to do this indicates that the
+# master was removed from topology
 try:
 ipautil.kinit_keytab(host_princ, paths.KRB5_KEYTAB, ccache_path)
-except Exception as e:
-root_logger.error(
+except gssapi.exceptions.GSSError as e:
+root_logger.debug(
 "Kerberos authentication as '{0}' failed: {1}".format(
 host_princ, e
 )
 )
-return False
+return True
 
 last_server = True
 for master in masters:
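Review bot: catching `gssapi.exceptions.GSSError` around `ipautil.kinit_keytab` and returning `True` treats every Kerberos failure as proof that the master was already removed from the topology, but an unreachable KDC raises the same exception type; an uninstall would then proceed as if the topology cleanup had happened and leave the remaining masters with a dangling replication agreement for this host. Narrow the check to the errors that actually mean the principal is unknown or its keys are no longer valid, and route the other cases through the `interactive` prompt the docstring promises for an undeterminable status. Two smaller points: the decision to treat the host as deleted is now logged only at `debug` level where the previous code used `warning`/`error`, so an info-level message would leave a trace in the uninstall log of why the topology check was skipped; and `except errors.NotFound` relies on `errors` being imported in this module, which the hunk does not show. Typo in the docstring: "prinicipal".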
-- 
2.5.0


[Freeipa-devel] [PATCH 0402] Warn user about possibility to loss CA, KRA, DNSSEC master during uninstall

2016-01-13 Thread Martin Basti

https://fedorahosted.org/freeipa/ticket/5544

Patch attached.
From a882c48058cca2564265546e557e9d7d542a9553 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 13 Jan 2016 17:27:06 +0100
Subject: [PATCH] Warn about potential loss of CA, KRA, DNSSEC during uninstall

If the connection to LDAP fails (or the LDAP server is down) we cannot verify
whether there is any additional instance of a CA, KRA, or DNSSEC master.
In this case the user is warned and prompted to confirm the uninstallation.

https://fedorahosted.org/freeipa/ticket/5544
---
 ipaserver/install/server/install.py | 12 +++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index 8a57886cd91bc4dbb06d30b457844499d3ff6cec..49e97eb667a322898acc3a064f4eae5381ded918 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -1078,8 +1078,18 @@ def uninstall_check(installer):
 msg = ("\nWARNING: Failed to connect to Directory Server to find "
"information about replication agreements. Uninstallation "
"will continue despite the possible existing replication "
-   "agreements.\n\n")
+   "agreements.\n\n"
+   "If this server is the last instance of CA, KRA, or DNSSEC "
+   "master, uninstallation may result in data loss.\n\n"
+)
 print(textwrap.fill(msg, width=80, replace_whitespace=False))
+
+if (installer.interactive and not user_input(
+"Are you sure you want to continue with the uninstall "
+"procedure?", False)):
+print("")
+print("Aborting uninstall operation.")
+sys.exit(1)
 else:
 dns.uninstall_check(options)
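Review bot: the new confirmation is gated on `installer.interactive`, so an unattended uninstall still prints the warning and continues exactly as before; if the goal is to avoid losing the last CA, KRA or DNSSEC master, the commit message should say that unattended runs remain unguarded, or the unattended path should refuse unless the caller explicitly opts in. Passing `False` as the default to `user_input` is the right safe choice, since a bare Enter aborts. `sys.exit(1)` assumes `sys` is already imported in this module, which the hunk does not show.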
 
-- 
2.5.0
