Re: [Freeipa-devel] [PATCH 0011-0012][RFE] ipa-replica-manage: automatically clean dangling RUVs

2016-01-15 Thread Stanislav Laznicka


On 01/14/2016 04:59 PM, Petr Vobornik wrote:

On 01/14/2016 04:16 PM, Ludwig Krispenz wrote:


On 01/14/2016 03:59 PM, Stanislav Laznicka wrote:

On 01/14/2016 03:21 PM, Rob Crittenden wrote:

Stanislav Laznicka wrote:

Please see the rebased patches attached.

On 01/13/2016 02:01 PM, Martin Basti wrote:


On 18.12.2015 12:46, Stanislav Laznicka wrote:

Hi,

Attached are the patches for auto-find and clean of dangling
(cs)ruvs. Currently, the cleaning of an RUV waits for all replicas to
be online, even on --force. If that were an issue, I can make the
command fail before trying to clean any of RUVs. However, the user is
shown a replica is offline and is prompted to confirm the cleaning so
the possible wait should not be a problem I believe.

Standa L.



Hello,

patches need rebase, I cannot apply them.

Will this confuse people? Currently, for good or bad, there are two
commands for managing the two different topologies. This mixes some CA
work into ipa-replica-manage.

rob


Well, in the patch, I was just following the discussion at
https://fedorahosted.org/freeipa/ticket/5411. Ludwig mentions that
ipa-csreplica-manage should go deprecated and does not want to enhance
it. Also, the only thing the code does is removing trash from the ds
so it makes sense to me to do it in just one command, as well as the
users might expect that, too.

I guess it would be possible to add an option that would select which
of the subtrees should be cleaned of RUVs. It should stay as one
command nonetheless. Adding such an option for this command would then
probably mean all the commands should have it as it would make more
sense, though.

Let me add Petr and Ludwig to CC: as they both had inputs on keeping
the command in just ipa-replica-manage.

yes, that was the idea to keep ipa-csreplica-manage (which does not have
clean-ruv,..) for domain-level 0, but not add new features. Also
"ipa-replica-manage del" now triggers the ruv cleaning of ipaca



Yes, ipa-csreplica-manage should be deprecated.

I think that one of the reasons why dangling CA RUVs are not uncommon 
is that users forget about `ipa-csreplica-manage del` command when 
removing a replica.


New `ipa-replica-manage del` also removes replication agreements and 
therefore cleans RUVs of CA suffix (on domain level 1). In this 
context it is not inconsistent.


Btw, one good example of why this command will be helpful is the
following bz, especially a sentence in:
https://bugzilla.redhat.com/show_bug.cgi?id=1295971#c5

"""
I had some mistakes to clean some valid RUV, for example, 52 for eupre1
"""

We should think about list-clean-ruv and abort-clean-ruv commands. 
There is no counterpart for CA suffix now. Could be in different patch.


With clean-dangling-ruvs command it would be good to deprecate 
clean-ruv command of ipa-replica-manage - should be different patch.


I'm not sure if it should abort if some replica is down. Maybe yes 
until https://fedorahosted.org/freeipa/ticket/5396 is fixed.


The patch set misses update of man page.

Attached are the patches with the description for the man page. Abort of 
the clean-dangling-ruv operation on any replica offline status was also 
added.
From 3fe1ec52fb222f4b6e3066e61bfd5e3c0f9b7bd7 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Fri, 18 Dec 2015 10:30:44 +0100
Subject: [PATCH 1/2] Listing and cleaning RUV extended for CA suffix

https://fedorahosted.org/freeipa/ticket/5411
---
 install/tools/ipa-replica-manage | 36 +++-
 ipaserver/install/replication.py |  2 +-
 2 files changed, 24 insertions(+), 14 deletions(-)

diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage
index e4af7b2fd9a40482dfa75d275d528221a1bc22ad..188e2c73a41aa1fd476475f74128b85b7383b09e 100755
--- a/install/tools/ipa-replica-manage
+++ b/install/tools/ipa-replica-manage
@@ -345,7 +345,7 @@ def del_link(realm, replica1, replica2, dirman_passwd, force=False):
 
 return True
 
-def get_ruv(realm, host, dirman_passwd, nolookup=False):
+def get_ruv(realm, host, dirman_passwd, nolookup=False, ca=False):
 """
 Return the RUV entries as a list of tuples: (hostname, rid)
 """
@@ -354,7 +354,10 @@ def get_ruv(realm, host, dirman_passwd, nolookup=False):
 enforce_host_existence(host)
 
 try:
-thisrepl = replication.ReplicationManager(realm, host, dirman_passwd)
+if ca:
+thisrepl = replication.get_cs_replication_manager(realm, host, dirman_passwd)
+else:
+thisrepl = replication.ReplicationManager(realm, host, dirman_passwd)
 except Exception as e:
 print("Failed to connect to server %s: %s" % (host, e))
 sys.exit(1)
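
Review bot: The `except Exception` path that follows the new `if ca:` branch prints the same "Failed to connect to server %s: %s" for both managers, so with `ca=True` the operator cannot tell whether the CA suffix or the domain suffix lookup failed. Name the suffix in the message, and decide whether a failure to build the CA replication manager should really `sys.exit(1)` the whole command or only skip the CA RUVs for that host.
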
@@ -362,7 +365,7 @@ def get_ruv(realm, host, dirman_passwd, nolookup=False):
 search_filter = '(&(nsuniqueid=---)(objectclass=nstombstone))'
 try:
 entries = thisrepl.conn.get_entries(
-

[Freeipa-devel] [PATCH 0397] ipapython: Use custom datetime to LDAP generalized time

2016-01-15 Thread Tomas Babej
Hi,

For the dates older than 1900, Python is unable to convert the datetime
representation to string using strftime:

https://bugs.python.org/issue1777412

Work around the issue adding a custom method to convert the datetime
objects to LDAP generalized time strings.

https://fedorahosted.org/freeipa/ticket/5579

Tomas
From d746dd233c07b0dc81f539f502844a16e5cc97e2 Mon Sep 17 00:00:00 2001
From: Tomas Babej 
Date: Fri, 15 Jan 2016 12:20:12 +0100
Subject: [PATCH] ipapython: Use custom datetime to LDAP generalized time
 converter

For the dates older than 1900, Python is unable to convert the datetime
representation to string using strftime:

https://bugs.python.org/issue1777412

Work around the issue adding a custom method to convert the datetime
objects to LDAP generalized time strings.

https://fedorahosted.org/freeipa/ticket/5579
---
 daemons/dnssec/ipa-ods-exporter  |  5 +
 ipalib/cli.py|  5 +++--
 ipalib/rpc.py|  6 +++---
 ipapython/ipaldap.py |  4 ++--
 ipapython/ipautil.py | 17 +
 ipaserver/install/ipa_otptoken_import.py |  4 ++--
 6 files changed, 28 insertions(+), 13 deletions(-)

diff --git a/daemons/dnssec/ipa-ods-exporter b/daemons/dnssec/ipa-ods-exporter
index 2aa936040c373e366e7e15539ed6e3413aac7d55..b2df53dee0ecb8cc08fcde9c20e17f72588b18de 100755
--- a/daemons/dnssec/ipa-ods-exporter
+++ b/daemons/dnssec/ipa-ods-exporter
@@ -83,9 +83,6 @@ def dnskey_flags_to_text_set(flags):
 mask <<= 1
 return flags_set
 
-def datetime2ldap(dt):
-return dt.strftime(ipalib.constants.LDAP_GENERALIZED_TIME_FORMAT)
-
 def sql2datetime(sql_time):
 """Convert SQL date format from local time zone into UTC."""
 localtz = dateutil.tz.tzlocal()
@@ -276,7 +273,7 @@ def get_ods_keys(zone_name):
 
 key_data.update(sql2ldap_algorithm(row['algorithm']))
 key_id = "%s-%s-%s" % (key_type,
-   datetime2ldap(key_data['idnsSecKeyCreated']),
+   ipautil.datetime_to_ldap_gentime(key_data['idnsSecKeyCreated']),
row['HSMkey_id'])
 
 key_data.update(sql2ldap_keyid(row['HSMkey_id']))
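
Review bot: The `key_id` line now calls `ipautil.datetime_to_ldap_gentime`, but neither hunk for ipa-ods-exporter adds an import, and the five changed lines shown here already account for the file's whole diffstat. Confirm `ipautil` is imported in this script, otherwise building the key ID fails with a NameError. Because the string ends up inside `key_id`, a test that the new helper returns exactly what `strftime` returned for ordinary dates would also be worth adding.
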
diff --git a/ipalib/cli.py b/ipalib/cli.py
index 3b1b5a39371845d59bab07ac2fc32de598a469be..58fbf048fdda4278bec0846486837fd35a581526 100644
--- a/ipalib/cli.py
+++ b/ipalib/cli.py
@@ -56,11 +56,12 @@ from ipalib import plugable
 from ipalib.errors import (PublicError, CommandError, HelpError, InternalError,
NoSuchNamespaceError, ValidationError, NotFound,
NotConfiguredError, PromptFailed)
-from ipalib.constants import CLI_TAB, LDAP_GENERALIZED_TIME_FORMAT
+from ipalib.constants import CLI_TAB
 from ipalib.parameters import File, Str, Enum, Any, Flag
 from ipalib.text import _
 from ipalib import api  # pylint: disable=unused-import
 from ipapython.dnsutil import DNSName
+from ipapython import ipautil
 
 import datetime
 
@@ -169,7 +170,7 @@ class textui(backend.Backend):
 if type(value) is bytes:
 return base64.b64encode(value)
 elif type(value) is datetime.datetime:
-return value.strftime(LDAP_GENERALIZED_TIME_FORMAT)
+return ipautil.datetime_to_ldap_gentime(value)
 elif isinstance(value, DNSName):
 return unicode(value)
 else:
diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index a165491adea5366a14a86d7c8bd6337e36fd1b44..a2ca7cb3374e28074332c8827ab51088cc83a5e7 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -185,7 +185,7 @@ def xml_wrap(value, version):
 if capabilities.client_has_capability(version, 'datetime_values'):
 return DateTime(value)
 else:
-return value.strftime(LDAP_GENERALIZED_TIME_FORMAT)
+return ipautil.datetime_to_ldap_gentime(value)
 
 if isinstance(value, DNSName):
 if capabilities.client_has_capability(version, 'dns_name_values'):
@@ -304,9 +304,9 @@ def json_encode_binary(val, version):
 return str(val)
 elif isinstance(val, datetime.datetime):
 if capabilities.client_has_capability(version, 'datetime_values'):
-return {'__datetime__': val.strftime(LDAP_GENERALIZED_TIME_FORMAT)}
+return {'__datetime__': ipautil.datetime_to_ldap_gentime(val)}
 else:
-return val.strftime(LDAP_GENERALIZED_TIME_FORMAT)
+return ipautil.datetime_to_ldap_gentime(val)
 elif isinstance(val, DNSName):
 if capabilities.client_has_capability(version, 'dns_name_values'):
 return {'__dns_name__': unicode(val)}
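
Review bot: In `json_encode_binary` (and in `xml_wrap` in the hunk above) the code now calls `ipautil.datetime_to_ldap_gentime`, yet no hunk in rpc.py adds `from ipapython import ipautil` the way the cli.py change does, and the diffstat of 3 insertions and 3 deletions leaves no room for one. Check that `ipautil` is already in scope in rpc.py, and whether the `LDAP_GENERALIZED_TIME_FORMAT` import there is still used after this change.
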
diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py
index 28bfcb5c2ee2140d38f17248fc9c90861cd251e4..d916fd62698a0ff6fe023357238ec33b5ae099b9 100644
--- a/ipapython/ipaldap.py
+++ b/ipapython/ipaldap.py
@@ -38,7 +38,7 @@ import six
 
 from ipalib import errors, _
 from ipalib.constants 
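
The workaround described in the message above, sketched as an added example; it is not the patch's own `ipautil` code, whose body is not shown on this page. The function names and the rule that naive values are already UTC are assumptions.

```python
"""Added example: datetime <-> LDAP generalized time without strftime()."""
import re
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

# Strict 'YYYYMMDDHHMMSSZ' layout, the same shape "%Y%m%d%H%M%SZ" produces.
_GENTIME_RE = re.compile(
    r"([0-9]{4})([0-9]{2})([0-9]{2})([0-9]{2})([0-9]{2})([0-9]{2})Z")


def to_ldap_generalized_time(dt):
    """Return dt as 'YYYYMMDDHHMMSSZ'.

    Hypothetical helper (assumption): naive values are taken to be UTC
    already; aware values are converted to UTC before formatting.
    """
    if dt.tzinfo is not None:
        # Pure datetime arithmetic, no call into the platform C library.
        dt = dt.astimezone(UTC)
    # Integer formatting has no lower year limit and always pads the
    # year to four digits, which strftime("%Y") does not guarantee.
    return "%04d%02d%02d%02d%02d%02dZ" % (
        dt.year, dt.month, dt.day, dt.hour, dt.minute, dt.second)


def from_ldap_generalized_time(value):
    """Parse the strict 'YYYYMMDDHHMMSSZ' form into an aware UTC datetime."""
    match = _GENTIME_RE.fullmatch(value)
    if match is None:
        raise ValueError("not a YYYYMMDDHHMMSSZ timestamp: %r" % (value,))
    # datetime() itself rejects out-of-range fields such as month 13.
    return datetime(*(int(part) for part in match.groups()), tzinfo=UTC)


# Constructed sample values, chosen to sit around the 1900 boundary.
SAMPLES = [
    datetime(1899, 12, 31, 23, 59, 59),
    datetime(999, 1, 2, 3, 4, 5),
    datetime(1899, 12, 31, 23, 0, 0, tzinfo=timezone(timedelta(hours=-2))),
]


def convert_samples():
    """Format every constructed sample and return the strings in order."""
    return [to_ldap_generalized_time(sample) for sample in SAMPLES]


if __name__ == "__main__":
    for text in convert_samples():
        print(text, "->", from_ldap_generalized_time(text).isoformat())
```
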

Re: [Freeipa-devel] [PATCH 536] ipapython: remove default_encoding_utf8

2016-01-15 Thread Tomas Babej


On 01/12/2016 10:24 AM, Jan Cholasta wrote:
> On 6.1.2016 12:33, Christian Heimes wrote:
>> On 2016-01-05 11:30, Tomas Babej wrote:
>>>
>>>
>>> On 01/05/2016 08:54 AM, Jan Cholasta wrote:
 Hi,

 the attached patch replaces the default_encoding_utf8 binary module
 with
 2 lines of equivalent Python code.

 Honza



>>>
>>> This looks fine to me, however, I wonder, why this approach was ever
>>> taken? The sys.setdefaultencoding is available in all versions of Python
>>> ever supported by FreeIPA.
>>>
>>> Is it possible we're missing something here? Or was this option simply
>>> overlooked?
>>
>> sys.setdefaultencoding() is not available unless you use a hack and
>> reload the sys module. The function is hidden for a very good reason. It
>> can and will break internal assumption as well as libraries in bad, hard
>> to detect ways. For example it wreaks havoc on hashing for dicts and
>> sets.
>>
>> The blog posting
>> https://anonbadger.wordpress.com/2015/06/16/why-sys-setdefaultencoding-will-break-code/
>>
>> explains the problem in much greater detail.
> 
> Tomáši, does this answer your question?
> 

Not really, I was more curious as to why the current, more complex
solution using the C extension was ever preferred over pure python version.

> Updated patch attached.

Patch works fine, ACK.

Pushed to master: 7e56b4bbd79d9d42af23babc7496dd15d85d28ea

Tomas

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] [PATCH 0121] consider IPA master removed from topology when request for host TGT fails

2016-01-15 Thread Martin Babinsky

On 01/14/2016 10:31 PM, Simo Sorce wrote:

On Wed, 2016-01-13 at 17:31 +0100, Martin Babinsky wrote:

On 01/13/2016 10:31 AM, Martin Babinsky wrote:

On 01/07/2016 05:38 PM, Martin Babinsky wrote:

On 01/07/2016 05:37 PM, Martin Babinsky wrote:

https://fedorahosted.org/freeipa/ticket/5584


And the patch is here.




self-NACK, there may be a better way to handle this. I will do some
investigation and send updated patch.


Attaching updated patch.


A failure to obtain a tgt may be due to other reasons (for example the
KDC crashed), why are you trying to use this test ?
Isn't it sufficient to see there is no host entry in the directory ?

Simo.

There were some corner cases I encountered, mostly concerning a cleanup 
after unsuccessful replica promotion.


You may sometimes end up in a state where local DS is working, but KDC 
crashed and the krb5.conf is still pointing at a remote one. In that 
case "malformed" replica's local host entry exists, but when such host 
tries to get TGT, the AS-REQ goes to remote KDC from other master.


However, if the admin had in the meantime cleaned up this host's 
kerberos principals/keys, the crashed replica gets one of the following 
errors:


Client not found in Kerberos database
Client credentials have been revoked
Generic preauthentication failure

These were printed out as errors during uninstall, but were actually 
expected in situation like this. It is true that the code should check 
and ignore these specific errors.


--
Martin^3 Babinsky



Re: [Freeipa-devel] [PATCH] 0001 Refactor test_user_plugin

2016-01-15 Thread Filip Skola
Hi,

sending rebased patch on top of 58c42ddac0964a8cce7c1e1faa7516da53f028ad.

Includes a "fix" for the rename-to-invalid-username issue for the new version.

F.

- Original Message -
> Hi,
> 
> I don't know what is causing the \r\n issue. I use vim and then send each
> email with claws-mail. Didn't spot this issue when trying emailing the patch
> to my other address. I'm trying to send it from zimbra now, let me know if
> that helped pls.
> 
> Fix for the stageuser plugin issues caused by this patch should have been
> included in the last update; I think the remaining issue is not caused by
> UserTracker changes. Please correct me, if I'm wrong.
> 
> > There is some issue with "test_rename_to_too_long_login" test. It fails but
> > actually this is false positive because it is possible to create login up to
> > 255 characters. I don't know why test mentions 32 characters without any
> > other modified setup.
> > NACK for now.
> >  - alich -
> 
> This has been changed. This test still fails, though.
> 
> Filip
> 
> > 
> > 
> > - Original Message -
> > > From: "Aleš Mareček" 
> > > To: "Filip Škola" 
> > > Cc: freeipa-devel@redhat.com, "Milan Kubík" 
> > > Sent: Thursday, December 10, 2015 4:11:47 PM
> > > Subject: Re: [Freeipa-devel] [PATCH] 0001 Refactor test_user_plugin
> > > 
> > > Ah, sorry, haven't realized there had been devel list attached.
> > > Ok, there is some problem with \r\n in the patch.
> > > Filip, please take a look at it...
> > > Thanks...
> > >  - alich -
> > > 
> > > - Original Message -
> > > > From: "Filip Škola" 
> > > > To: "Aleš Mareček" 
> > > > Cc: freeipa-devel@redhat.com, "Milan Kubík" 
> > > > Sent: Thursday, December 10, 2015 11:29:52 AM
> > > > Subject: Re: [Freeipa-devel] [PATCH] 0001 Refactor test_user_plugin
> > > > 
> > > > Hi,
> > > > 
> > > > > this is fixed. Also issues with test_stageuser_plugin caused by
> > > > UserTracker changes should be fixed here.
> > > > 
> > > > Filip
> > > > 
> > > > 
> > > > On Mon, 7 Dec 2015 09:29:31 -0500 (EST)
> > > > Aleš Mareček  wrote:
> > > > 
> > > > > NACK.
> > > > > 
> > > > > $ ./make-lint
> > > > > * Module ipatests.test_xmlrpc.test_user_plugin
> > > > > ipatests/test_xmlrpc/test_user_plugin.py:42:
> > > > > [E0611(no-name-in-module), ] No name 'ldaptracker' in module
> > > > > 'ipatests.test_xmlrpc')
> > > > > 
> > > > > $ grep ldaptracker ipatests/test_xmlrpc/test_user_plugin.py
> > > > > from ipatests.test_xmlrpc.ldaptracker import Tracker
> > > > > $ ls ipatests/test_xmlrpc/ldaptracker*
> > > > > ls: cannot access ipatests/test_xmlrpc/ldaptracker*: No such file or
> > > > > directory
> > > > > 
> > > > > 
> > > > > - Original Message -
> > > > > > From: "Filip Škola" 
> > > > > > To: "Milan Kubík" 
> > > > > > Cc: freeipa-devel@redhat.com
> > > > > > Sent: Thursday, December 3, 2015 5:38:43 PM
> > > > > > Subject: Re: [Freeipa-devel] [PATCH] 0001 Refactor test_user_plugin
> > > > > > 
> > > > > > Hi,
> > > > > > 
> > > > > > sending corrected version.
> > > > > > 
> > > > > > F.
> > > > > > 
> > > > > > On Thu, 12 Nov 2015 14:03:19 +0100
> > > > > > Milan Kubík  wrote:
> > > > > > 
> > > > > > > On 11/10/2015 12:13 PM, Filip Škola wrote:
> > > > > > > > Hi,
> > > > > > > >
> > > > > > > > fixed.
> > > > > > > >
> > > > > > > > F.
> > > > > > > >
> > > > > > > > On Tue, 10 Nov 2015 10:52:45 +0100
> > > > > > > > Milan Kubík  wrote:
> > > > > > > >
> > > > > > > >> On 11/09/2015 04:35 PM, Filip Škola wrote:
> > > > > > > >>> Another patch was applied in the meantime.
> > > > > > > >>>
> > > > > > > >>> Attaching an updated version.
> > > > > > > >>>
> > > > > > > >>> F.
> > > > > > > >>>
> > > > > > > >>> On Mon, 9 Nov 2015 13:35:02 +0100
> > > > > > > >>> Milan Kubík  wrote:
> > > > > > > >>>
> > > > > > >  On 11/06/2015 11:32 AM, Filip Škola wrote:
> > > > > > >  Hi,
> > > > > > >  the patch doesn't apply.
> > > > > > > 
> > > > > > > >> Please fix this.
> > > > > > > >>
> > > > > > > >>   ipatests/test_xmlrpc/test_user_plugin.py:1419:
> > > > > > > >> [E0602(undefined-variable),
> > > > > > > >> TestDeniedBindWithExpiredPrincipal.teardown_class] Undefined
> > > > > > > >> variable 'user1')
> > > > > > > >>
> > > > > > > >> Also, use the version numbers for your changed patches.
> > > > > > > >>
> > > > > > > >
> > > > > > > >
> > > > > > > Thanks for the patch. Several issues:
> > > > > > > 
> > > > > > > 1. Use dict.items instead of dict.iteritems, for python3
> > > > > > > compatibility
> > > > > > > 
> > > > > > > 2. What is the purpose of TestPrepare class? The 'purge' methods
> > > > > > > do not call any ipa commands.
> > > > > > > Tracker.make_fixture should be used to make the Tracked resources
> > > > > > > clean 

[Freeipa-devel] [PATCH 0398] logger: Use warning instead of warn

2016-01-15 Thread Tomas Babej
Hi,

this should build up to another pylint-related patch Martin^2 has in works.

Tomas

From b5e445c1dfdd469a7b85ba418b910f2a85fa470f Mon Sep 17 00:00:00 2001
From: Tomas Babej 
Date: Fri, 15 Jan 2016 16:25:33 +0100
Subject: [PATCH] logger: Use warning instead of warn

---
 install/tools/ipa-httpd-kdcproxy | 10 +-
 ipa-client/ipaclient/ipadiscovery.py |  6 +++---
 ipalib/plugins/dns.py|  2 +-
 ipalib/plugins/migration.py  | 16 
 ipalib/plugins/passwd.py |  2 +-
 ipalib/plugins/permission.py |  4 ++--
 ipaserver/dcerpc.py  |  2 +-
 ipaserver/install/ipa_otptoken_import.py |  2 +-
 ipaserver/install/ipa_replica_prepare.py |  2 +-
 ipaserver/install/ipa_restore.py |  2 +-
 ipatests/pytest_plugins/integration.py   |  2 +-
 11 files changed, 25 insertions(+), 25 deletions(-)

diff --git a/install/tools/ipa-httpd-kdcproxy b/install/tools/ipa-httpd-kdcproxy
index 5e9863f8bd82e1628030b0b767a6697ab2a1d7bd..5e67f61a6e2b3fe26532323d773bd502ac52f454 100755
--- a/install/tools/ipa-httpd-kdcproxy
+++ b/install/tools/ipa-httpd-kdcproxy
@@ -141,7 +141,7 @@ class KDCProxyConfig(object):
 try:
 valid = self.validate_symlink()
 except ConfigFileError as e:
-self.log.warn("Cannot enable KDC proxy: %s " % e)
+self.log.warning("Cannot enable KDC proxy: %s " % e)
 return False
 
 if valid:
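
Review bot: `self.log.warning("Cannot enable KDC proxy: %s " % e)` still formats eagerly with `%` and keeps a trailing space inside the message. Since the line is being touched anyway, pass the exception as a logging argument, the way the `"'%s' does not exist", self.conf` call in the next hunk already does.
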
@@ -149,7 +149,7 @@ class KDCProxyConfig(object):
 return True
 
 if not os.path.isfile(self.conf):
-self.log.warn("'%s' does not exist", self.conf)
+self.log.warning("'%s' does not exist", self.conf)
 return False
 
 # create the symbolic link
@@ -163,7 +163,7 @@ class KDCProxyConfig(object):
 try:
 valid = self.validate_symlink()
 except CheckError as e:
-self.log.warn("Cannot disable KDC proxy: %s " % e)
+self.log.warning("Cannot disable KDC proxy: %s " % e)
 return False
 
 if valid:
@@ -203,8 +203,8 @@ def main(debug=DEBUG, time_limit=TIME_LIMIT):
 api.log.info('KDC proxy disabled')
 return 0
 except CheckError as e:
-api.log.warn(str(e))
-api.log.warn('Disabling KDC proxy')
+api.log.warning(str(e))
+api.log.warning('Disabling KDC proxy')
 cfg.remove_symlink()
 return 0
 except Exception as e:
diff --git a/ipa-client/ipaclient/ipadiscovery.py b/ipa-client/ipaclient/ipadiscovery.py
index 2e51293c2db35d655b1d9936103a729bd61a60ae..45a71e190e56d33d51d37f16ae61a7b4c28df521 100644
--- a/ipa-client/ipaclient/ipadiscovery.py
+++ b/ipa-client/ipaclient/ipadiscovery.py
@@ -266,14 +266,14 @@ class IPADiscovery(object):
 # via DNS
 break
 elif ldapret[0] == NOT_IPA_SERVER:
-root_logger.warn(
+root_logger.warning(
'Skip %s: not an IPA server', server)
 elif ldapret[0] == NO_LDAP_SERVER:
-root_logger.warn(
+root_logger.warning(
'Skip %s: LDAP server is not responding, unable to verify if '
'this is an IPA server', server)
 else:
-root_logger.warn(
+root_logger.warning(
'Skip %s: cannot verify if this is an IPA server', server)
 
 # If one of LDAP servers checked rejects access (maybe anonymous
diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py
index 59cb0ea3982256e9d98b8216207514e28e229d03..55f2609d7081112df2adc909a9c928b50fccdfb1 100644
--- a/ipalib/plugins/dns.py
+++ b/ipalib/plugins/dns.py
@@ -3514,7 +3514,7 @@ class dnsrecord(LDAPObject):
 except dns.resolver.NoNameservers as e:
 # Do not raise exception if we have got SERVFAILs.
 # Maybe the user has created an invalid zone intentionally.
-self.log.warn('waiting for DNS answer {%s}: got {%s}; '
+self.log.warning('waiting for DNS answer {%s}: got {%s}; '
   'ignoring', ldap_rrset, type(e))
 continue
 
diff --git a/ipalib/plugins/migration.py b/ipalib/plugins/migration.py
index 59c49fae5441531015a45532df07439daac35290..f19324f0e4e0511f9445aae9e9ac14347da4a03b 100644
--- a/ipalib/plugins/migration.py
+++ b/ipalib/plugins/migration.py
@@ -168,7 +168,7 @@ def _pre_migrate_user(ldap, pkey, dn, entry_attrs, failed, config, ctx, **kwargs
 # See if the gidNumber at least points to a valid group on the remote
 # server.
 if entry_attrs['gidnumber'][0] in invalid_gids:
-api.log.warn('GID number %s of migrated user %s does not point to a known group.' \
+api.log.warning('GID number %s of migrated user %s does not point to a known group.' \
  

Re: [Freeipa-devel] [PATCH 0002] Refactor test_group_plugin

2016-01-15 Thread Filip Skola
Hi,

sending rebased patch.

F.

- Original Message -
> Hello,
> 
> sorry for delays. The patch no longer applies to master. Rebase it, please.
> 
> Milan
> 
> - Original Message -
> From: "Filip Škola" 
> To: "Milan Kubík" 
> Cc: freeipa-devel@redhat.com
> Sent: Wednesday, 9 December, 2015 7:01:02 PM
> Subject: Re: [Freeipa-devel] [PATCH 0002] Refactor test_group_plugin
> 
> On Mon, 7 Dec 2015 17:49:18 +0100
> Milan Kubík  wrote:
> 
> > On 12/03/2015 08:15 PM, Filip Škola wrote:
> > > On Mon, 30 Nov 2015 17:18:30 +0100
> > > Milan Kubík  wrote:
> > >
> > >> On 11/23/2015 04:42 PM, Filip Škola wrote:
> > >>> Sending updated patch.
> > >>>
> > >>> F.
> > >>>
> > >>> On Mon, 23 Nov 2015 14:59:34 +0100
> > >>> Filip Škola  wrote:
> > >>>
> >  Found couple of issues (broke some dependencies).
> > 
> >  NACK
> > 
> >  F.
> > 
> >  On Fri, 20 Nov 2015 13:56:36 +0100
> >  Filip Škola  wrote:
> > 
> > > Another one.
> > >
> > > F.
> > >>>
> > >> Hi, the tests look good. Few remarks, though.
> > >>
> > >> 1. Please, use the shortest copyright notice in new modules.
> > >>
> > >>   #
> > >>   # Copyright (C) 2015  FreeIPA Contributors see COPYING for
> > >> license #
> > >>
> > >> 2. The tests `test_group_remove_group_from_protected_group` and
> > >> `test_group_full_set_of_objectclass_not_available_post_detach`
> > >> were not ported. Please, include them in the patch.
> > >>
> > >> Also, for less hassle, please rebase your patches on top of
> > >> freeipa-mkubik-0025-3-Separated-Tracker-implementations-into-standalone-pa.patch
> > >> Which changes the location of tracker implementations and prevents
> > >> circular imports.
> > >>
> > >> Thanks.
> > >>
> > >
> > >
> > > Hi,
> > >
> > > these cases are there, in corresponding classes. They are marked
> > > with the original comments. (However I can move them to separate
> > > class if desirable.)
> > >
> > > The copyright notice is changed. Also included a few changes in the
> > > test with user without private group.
> > >
> > > Filip
> > NACK
> > 
> > linter:
> > * Module tracker.group_plugin
> > ipatests/test_xmlrpc/tracker/group_plugin.py:257:
> > [E0102(function-redefined), GroupTracker.check_remove_member] method
> > already defined line 253)
> > 
> > Probably a leftover after the rebase made on top of my patch. Please
> > fix it. You can check your changes by make-lint script before
> > sending them.
> > 
> > Thanks
> > 
> 
> 
> Hi,
> 
> I learned to use make-lint!
> 
> Thanks,
> F.
> 
From 0f4585c1595cb0130c771d61f883c80a4349ff98 Mon Sep 17 00:00:00 2001
From: Filip Skola 
Date: Mon, 9 Nov 2015 16:48:55 +0100
Subject: [PATCH] Refactor test_group_plugin, use GroupTracker for tests

---
 ipatests/test_xmlrpc/test_group_plugin.py | 1738 +
 ipatests/test_xmlrpc/test_stageuser_plugin.py |4 +-
 ipatests/test_xmlrpc/tracker/group_plugin.py  |  146 ++-
 3 files changed, 735 insertions(+), 1153 deletions(-)

diff --git a/ipatests/test_xmlrpc/test_group_plugin.py b/ipatests/test_xmlrpc/test_group_plugin.py
index 6eb57c12f18d125de04beefa056f53b4caff1d64..ee672859376fcd2823907ed9d3ffc77943f1061a 100644
--- a/ipatests/test_xmlrpc/test_group_plugin.py
+++ b/ipatests/test_xmlrpc/test_group_plugin.py
@@ -1,6 +1,7 @@
 # Authors:
 #   Rob Crittenden 
 #   Pavel Zuna 
+#   Filip Skola 
 #
 # Copyright (C) 2008  Red Hat
 # see file 'COPYING' for use and warranty information
@@ -23,1141 +24,646 @@ Test the `ipalib/plugins/group.py` module.
 
 import pytest
 
-from ipalib import api, errors
+from ipalib import errors
 from ipatests.test_xmlrpc import objectclasses
 from ipatests.test_xmlrpc.xmlrpc_test import (
-Declarative,
-fuzzy_digits,
-fuzzy_uuid,
-fuzzy_set_ci,
-add_sid,
-add_oc)
-from ipapython.dn import DN
-from ipatests.test_xmlrpc.test_user_plugin import get_user_result
+fuzzy_digits, fuzzy_uuid, fuzzy_set_ci, add_oc,
+XMLRPC_test, raises_exact
+)
+from ipatests.test_xmlrpc.tracker.group_plugin import GroupTracker
+from ipatests.test_xmlrpc.test_user_plugin import user, user_npg2
+from ipatests.util import assert_deepequal, get_group_dn
+
+notagroup = u'notagroup'
+renamedgroup1 = u'renamedgroup'
+invalidgroup1 = u'+tgroup1'
+external_sid1 = u'S-1-1-123456-789-1'
+
+
+@pytest.fixture(scope='class')
+def group(request):
+tracker = GroupTracker(name=u'testgroup1', description=u'Test desc1')
+return tracker.make_fixture(request)
+
+
+@pytest.fixture(scope='class')
+def group2(request):
+tracker = GroupTracker(name=u'testgroup2', description=u'Test desc2')
+return tracker.make_fixture(request)
+
+
+@pytest.fixture(scope='class')
+def managed_group(request, user):
+user.ensure_exists()
+tracker = GroupTracker(
+  
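
Review bot: `from ipatests.test_xmlrpc.test_user_plugin import user, user_npg2` brings fixtures in by importing another test module, so collecting this file now also executes test_user_plugin at import time and the two test modules become coupled. Shared fixtures would sit better in a conftest.py or next to the trackers. The `group` and `group2` fixtures also differ only in their literals, so one small factory could produce both.
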

Re: [Freeipa-devel] [PATCH 0005] Refactor test_nesting, create HostGroupTracker

2016-01-15 Thread Filip Skola
Hi,

sending rebased patch.

F.

- Original Message -
> Hi,
> 
> the patch no longer applies to master. Please rebase it.
> 
> Thanks,
> Milan
> 
> - Original Message -
> From: "Filip Skola" 
> To: freeipa-devel@redhat.com
> Cc: "Milan Kubík" , "Aleš Mareček" 
> Sent: Tuesday, 22 December, 2015 11:56:15 AM
> Subject: [PATCH 0005] Refactor test_nesting, create HostGroupTracker
> 
> Hi,
> 
> another patch from refactoring-test_xmlrpc series.
> 
> Filip
> 
From 85950890a8eb97ec2d138fa9b9b2c24cc2b3d408 Mon Sep 17 00:00:00 2001
From: Filip Skola 
Date: Fri, 15 Jan 2016 15:08:46 +0100
Subject: [PATCH] Refactor test_nesting, create HostGroupTracker

---
 ipatests/test_xmlrpc/test_nesting.py   | 776 -
 ipatests/test_xmlrpc/tracker/group_plugin.py   |   4 +-
 ipatests/test_xmlrpc/tracker/host_plugin.py|   1 +
 .../{group_plugin.py => hostgroup_plugin.py}   | 218 +++---
 4 files changed, 257 insertions(+), 742 deletions(-)
 copy ipatests/test_xmlrpc/tracker/{group_plugin.py => hostgroup_plugin.py} (53%)

diff --git a/ipatests/test_xmlrpc/test_nesting.py b/ipatests/test_xmlrpc/test_nesting.py
index c3bf1ce84e0bef412c44ed847e7e0fc4648a4b74..f78a6e54bd7a94cb9d2645f5bdc5d5c109a79b1f 100644
--- a/ipatests/test_xmlrpc/test_nesting.py
+++ b/ipatests/test_xmlrpc/test_nesting.py
@@ -20,193 +20,93 @@
 Test group nesting and indirect members
 """
 
-from ipalib import api
-from ipatests.test_xmlrpc import objectclasses
-from ipatests.test_xmlrpc.xmlrpc_test import (Declarative, fuzzy_digits,
-  fuzzy_uuid)
-from ipapython.dn import DN
-from ipatests.test_xmlrpc.test_user_plugin import get_user_result
+from ipatests.test_xmlrpc.xmlrpc_test import XMLRPC_test
+from ipatests.test_xmlrpc.tracker.user_plugin import UserTracker
+from ipatests.test_xmlrpc.tracker.group_plugin import GroupTracker
+from ipatests.test_xmlrpc.tracker.host_plugin import HostTracker
+from ipatests.test_xmlrpc.tracker.hostgroup_plugin import HostGroupTracker
 import pytest
 
-group1 = u'testgroup1'
-group2 = u'testgroup2'
-group3 = u'testgroup3'
-group4 = u'testgroup4'
-user1 = u'tuser1'
-user2 = u'tuser2'
-user3 = u'tuser3'
-user4 = u'tuser4'
-
-hostgroup1 = u'testhostgroup1'
-hgdn1 = DN(('cn',hostgroup1),('cn','hostgroups'),('cn','accounts'),
-   api.env.basedn)
-hostgroup2 = u'testhostgroup2'
-hgdn2 = DN(('cn',hostgroup2),('cn','hostgroups'),('cn','accounts'),
-   api.env.basedn)
-
-fqdn1 = u'testhost1.%s' % api.env.domain
-host_dn1 = DN(('fqdn',fqdn1),('cn','computers'),('cn','accounts'),
-  api.env.basedn)
+
+@pytest.fixture(scope='class')
+def user1(request):
+tracker = UserTracker(name=u'tuser1', givenname=u'Test1', sn=u'User1')
+return tracker.make_fixture(request)
+
+
+@pytest.fixture(scope='class')
+def user2(request):
+tracker = UserTracker(name=u'tuser2', givenname=u'Test2', sn=u'User2')
+return tracker.make_fixture(request)
+
+
+@pytest.fixture(scope='class')
+def user3(request):
+tracker = UserTracker(name=u'tuser3', givenname=u'Test3', sn=u'User3')
+return tracker.make_fixture(request)
+
+
+@pytest.fixture(scope='class')
+def user4(request):
+tracker = UserTracker(name=u'tuser4', givenname=u'Test4', sn=u'User4')
+return tracker.make_fixture(request)
+
+
+@pytest.fixture(scope='class')
+def group1(request):
+tracker = GroupTracker(name=u'testgroup1', description=u'Test desc1')
+return tracker.make_fixture(request)
+
+
+@pytest.fixture(scope='class')
+def group2(request):
+tracker = GroupTracker(name=u'testgroup2', description=u'Test desc2')
+return tracker.make_fixture(request)
+
+
+@pytest.fixture(scope='class')
+def group3(request):
+tracker = GroupTracker(name=u'testgroup3', description=u'Test desc3')
+return tracker.make_fixture(request)
+
+
+@pytest.fixture(scope='class')
+def group4(request):
+tracker = GroupTracker(name=u'testgroup4', description=u'Test desc4')
+return tracker.make_fixture(request)
+
+
+@pytest.fixture(scope='class')
+def host1(request):
+tracker = HostTracker(name=u'host1')
+return tracker.make_fixture(request)
+
+
+@pytest.fixture(scope='class')
+def hostgroup1(request):
+tracker = HostGroupTracker(name=u'hostgroup1')
+return tracker.make_fixture(request)
+
+
+@pytest.fixture(scope='class')
+def hostgroup2(request):
+tracker = HostGroupTracker(name=u'hostgroup2')
+return tracker.make_fixture(request)
 
 
 @pytest.mark.tier1
-class test_nesting(Declarative):
-cleanup_commands = [
-('group_del', [group1], {}),
-('group_del', [group2], {}),
-('group_del', [group3], {}),
-('group_del', [group4], {}),
-('user_del', [user1], {}),
-('user_del', [user2], {}),
-('user_del', [user3], {}),
-('user_del', [user4], {}),
-('host_del', [fqdn1], {}),
-
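
Review bot: The new fixtures rename the test objects: the removed constants were `u'testhostgroup1'`, `u'testhostgroup2'` and `u'testhost1.%s' % api.env.domain`, while `hostgroup1`, `hostgroup2` and `host1` now create `u'hostgroup1'`, `u'hostgroup2'` and `u'host1'`. Keep the `test` prefix so the entries cannot collide with real objects on the server under test, and check that `HostTracker(name=u'host1')` ends up with a fully qualified name. The eleven fixtures are otherwise identical apart from their literals; a small factory would remove the repetition.
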

Re: [Freeipa-devel] [PATCH 0121] consider IPA master removed from topology when request for host TGT fails

2016-01-15 Thread Simo Sorce
On Fri, 2016-01-15 at 13:35 +0100, Martin Babinsky wrote:
> On 01/14/2016 10:31 PM, Simo Sorce wrote:
> > On Wed, 2016-01-13 at 17:31 +0100, Martin Babinsky wrote:
> >> On 01/13/2016 10:31 AM, Martin Babinsky wrote:
> >>> On 01/07/2016 05:38 PM, Martin Babinsky wrote:
>  On 01/07/2016 05:37 PM, Martin Babinsky wrote:
> > https://fedorahosted.org/freeipa/ticket/5584
> >
>  And the patch is here.
> 
> 
> 
> >>> self-NACK, there may be a better way to handle this. I will do some
> >>> investigation and send updated patch.
> >>>
> >> Attaching updated patch.
> >
> > A failure to obtain a tgt may be due to other reasons (for example the
> > KDC crashed), why are you trying to use this test ?
> > Isn't it sufficient to see there is no host entry in the directory ?
> >
> > Simo.
> >
> There were some corner cases I encountered, mostly concerning a cleanup 
> after unsuccessful replica promotion.
> 
> You may sometimes end up in a state where local DS is working, but KDC 
> crashed and the krb5.conf is still pointing at a remote one. In that 
> case "malformed" replica's local host entry exists, but when such host
> tries to get TGT, the AS-REQ goes to remote KDC from other master.
>
> However, if the admin had in the meantime cleaned up this host's
> kerberos principals/keys, the crashed replica gets one of the following
> errors:
>
> Client not found in Kerberos database
> Client credentials have been revoked
> Generic preauthentication failure
>
> These were printed out as errors during uninstall, but were actually
> expected in a situation like this. It is true that the code should check
> and ignore these specific errors.

Only the first is valid for your case, the others may be transient
errors.

Simo.


-- 
Simo Sorce * Red Hat, Inc * New York

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
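
The distinction drawn in the message above, as an added example that is not part of the thread or of FreeIPA's code: only "Client not found in Kerberos database" counts as proof of removal, and every other TGT failure leaves the question open. `Verdict`, `normalize` and `classify` are hypothetical names, and the two extra error values are assumptions taken from the krb5 error table; only `KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN` is the value the thread's patch adds to ipalib/krb_utils.py.

```python
from enum import Enum

# Value added to ipalib/krb_utils.py by the patch in this thread.
KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN = 2529638918  # Client not found in Kerberos database
# Assumed values (not on the page), taken from the krb5 error table.
KRB5KDC_ERR_CLIENT_REVOKED = 2529638930  # Client credentials have been revoked
KRB5_PREAUTH_FAILED = 2529639122         # Generic preauthentication failure


class Verdict(Enum):
    REMOVED = "removed"            # uninstall may proceed without a warning
    PRESENT = "present"            # master is still part of the topology
    UNDETERMINED = "undetermined"  # warn and let the admin decide


def normalize(code):
    """libkrb5 reports signed 32-bit codes; the constants above are unsigned."""
    return code & 0xFFFFFFFF


def classify(local_entry_found, tgt_error=None, remote_answers=()):
    """Decide whether this master was removed from the topology.

    local_entry_found: the host entry exists in the local DS
    tgt_error: Kerberos error code from the host TGT request, None on success
    remote_answers: one item per contacted master, True/False for "host entry
                    exists there", None when that master could not be queried
    """
    if not local_entry_found:
        return Verdict.REMOVED
    if tgt_error is not None:
        if normalize(tgt_error) == KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN:
            return Verdict.REMOVED
        # Revoked credentials, preauthentication failures or an unreachable
        # KDC may be transient, so they prove nothing about the topology.
        return Verdict.UNDETERMINED
    answers = list(remote_answers)
    if any(a is True for a in answers):
        return Verdict.PRESENT
    # Fail closed: every contacted master must have answered "no entry".
    if answers and all(a is False for a in answers):
        return Verdict.REMOVED
    return Verdict.UNDETERMINED
```
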


Re: [Freeipa-devel] [PATCH 0121] consider IPA master removed from topology when request for host TGT fails

2016-01-15 Thread Martin Babinsky

On 01/15/2016 04:57 PM, Simo Sorce wrote:
> On Fri, 2016-01-15 at 13:35 +0100, Martin Babinsky wrote:
>> On 01/14/2016 10:31 PM, Simo Sorce wrote:
>>> On Wed, 2016-01-13 at 17:31 +0100, Martin Babinsky wrote:
>>>> On 01/13/2016 10:31 AM, Martin Babinsky wrote:
>>>>> On 01/07/2016 05:38 PM, Martin Babinsky wrote:
>>>>>> On 01/07/2016 05:37 PM, Martin Babinsky wrote:
>>>>>>> https://fedorahosted.org/freeipa/ticket/5584
>>>>>>
>>>>>> And the patch is here.
>>>>>
>>>>> self-NACK, there may be a better way to handle this. I will do some
>>>>> investigation and send updated patch.
>>>>
>>>> Attaching updated patch.
>>>
>>> A failure to obtain a tgt may be due to other reasons (for example the
>>> KDC crashed), why are you trying to use this test ?
>>> Isn't it sufficient to see there is no host entry in the directory ?
>>>
>>> Simo.
>>
>> There were some corner cases I encountered, mostly concerning a cleanup
>> after unsuccessful replica promotion.
>>
>> You may sometimes end up in a state where local DS is working, but KDC
>> crashed and the krb5.conf is still pointing at a remote one. In that
>> case "malformed" replica's local host entry exists, but when such host
>> tries to get TGT, the AS-REQ goes to remote KDC from other master.
>>
>> However, if the admin had in the meantime cleaned up this host's
>> kerberos principals/keys, the crashed replica gets one of the following
>> errors:
>>
>> Client not found in Kerberos database
>> Client credentials have been revoked
>> Generic preauthentication failure
>>
>> These were printed out as errors during uninstall, but were actually
>> expected in a situation like this. It is true that the code should check
>> and ignore these specific errors.
>
> Only the first is valid for your case, the others may be transient
> errors.
>
> Simo.


True, attaching updated patch. The other errors will now pop out in the 
output and the warning will be displayed.


--
Martin^3 Babinsky
From 6517633c8b8019ad275e85c2273177a1275bdc62 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Thu, 7 Jan 2016 16:48:11 +0100
Subject: [PATCH] uninstallation: more robust check for master removal from
 topology

When uninstalling IPA master in domain level 1 topology, the code that checks
for correct removal from topology will now consider failures to lookup host
entry in local LDAP and to obtain host TGT as a sign that the master entry was
already removed.

https://fedorahosted.org/freeipa/ticket/5584
---
 ipalib/krb_utils.py |  1 +
 ipaserver/install/server/install.py | 40 +
 2 files changed, 37 insertions(+), 4 deletions(-)

diff --git a/ipalib/krb_utils.py b/ipalib/krb_utils.py
index 0c4340c3f232135b64dafb6a675ffbcdd7ea59cd..b33e4b7c82cf08c68220531ebacca309117ad770 100644
--- a/ipalib/krb_utils.py
+++ b/ipalib/krb_utils.py
@@ -32,6 +32,7 @@ if six.PY3:
 # Kerberos error codes
 KRB5_CC_NOTFOUND= 2529639053 # Matching credential not found
 KRB5_FCC_NOFILE = 2529639107 # No credentials cache found
+KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN = 2529638918  # client not found in Kerberos db
 KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN = 2529638919 # Server not found in Kerberos database
 KRB5KRB_AP_ERR_TKT_EXPIRED  = 2529638944 # Ticket expired
 KRB5_FCC_PERM   = 2529639106 # Credentials cache permissions incorrect
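Review bot: the new KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN line does not follow the entries around it: its comment has two spaces before `#` and reads "client not found in Kerberos db", while the line directly below reads "# Server not found in Kerberos database". Suggest "# Client not found in Kerberos database", which is also the exact error text quoted in the thread, so the constant can be found by searching for the message an admin sees.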
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index 49e97eb667a322898acc3a064f4eae5381ded918..362b99f320a7e83ff0427924c41f3e26a42c3226 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -4,6 +4,7 @@
 
 from __future__ import print_function
 
+import gssapi
 import os
 import pickle
 import pwd
@@ -27,6 +28,7 @@ from ipaplatform import services
 from ipaplatform.paths import paths
 from ipaplatform.tasks import tasks
 from ipalib import api, create_api, constants, errors, x509
+from ipalib.krb_utils import KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN
 from ipalib.constants import CACERT
 from ipalib.util import validate_domain_name
 import ipaclient.ntpconf
@@ -291,20 +293,50 @@ def common_cleanup(func):
 
 
 def check_master_deleted(api, masters, interactive):
+"""
+Determine whether the IPA master was removed from the domain level 1
+topology. The function first tries to locally lookup the master host entry
+and fetches host prinicipal from DS. Then we attempt to acquire host TGT,
+contact the other masters one at a time and query for the existence of the
+host entry for our IPA master.
+
+:param api: instance of API object
+:param masters: list of masters to contact
+:param interactive: whether run in interactive mode. The user will be
+prompted for action if the removal status cannot be determined
+:return: True if the master is not part of the topology anymore as
+determined by the following conditions:
+* the host entry does not exist in local DS
+* request for host TGT fails due to missing/invalid/revoked creds
+* GSSAPI connection to remote DS fails on 
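Review bot: the docstring's second condition, "request for host TGT fails due to missing/invalid/revoked creds", is broader than what this version of the patch is meant to do. Only KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN is imported from ipalib.krb_utils, and the thread agreed that revoked credentials and preauthentication failures may be transient and must surface as warnings rather than count as removal. Reword the bullet to name the single "client not found" case, and narrow the commit message sentence about failures "to obtain host TGT" the same way, so nobody later widens the check to match the documentation. "prinicipal" in the first paragraph of the docstring should be "principal".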

Re: [Freeipa-devel] [PATCH 0398] logger: Use warning instead of warn

2016-01-15 Thread Tomas Babej


On 01/15/2016 05:12 PM, Martin Basti wrote:
> 
> 
> On 15.01.2016 16:27, Tomas Babej wrote:
>> Hi,
>>
>> this should build up to another pylint-related patch Martin^2 has in the works.
>>
>> Tomas
>>
>>
>>
> NACK :)
> 
> * Module ipalib.plugins.dns
> ipalib/plugins/dns.py:3441: [E1101(no-member),
> dnsrecord.wait_for_modified_attr] Class 'log' has no 'warn' member)
> 

My regexp was too strict, it seems :)

Updated patch attached.
From 66bcfd88cf6020ecc7aca769a41cdf1dd747ae19 Mon Sep 17 00:00:00 2001
From: Tomas Babej 
Date: Fri, 15 Jan 2016 16:25:33 +0100
Subject: [PATCH] logger: Use warning instead of warn

---
 install/tools/ipa-httpd-kdcproxy | 10 +-
 ipa-client/ipaclient/ipadiscovery.py |  6 +++---
 ipalib/plugins/dns.py|  4 ++--
 ipalib/plugins/migration.py  | 16 
 ipalib/plugins/passwd.py |  2 +-
 ipalib/plugins/permission.py |  4 ++--
 ipaserver/dcerpc.py  |  2 +-
 ipaserver/install/ipa_otptoken_import.py |  2 +-
 ipaserver/install/ipa_replica_prepare.py |  2 +-
 ipaserver/install/ipa_restore.py |  2 +-
 ipatests/pytest_plugins/integration.py   |  2 +-
 11 files changed, 26 insertions(+), 26 deletions(-)

diff --git a/install/tools/ipa-httpd-kdcproxy b/install/tools/ipa-httpd-kdcproxy
index 5e9863f8bd82e1628030b0b767a6697ab2a1d7bd..5e67f61a6e2b3fe26532323d773bd502ac52f454 100755
--- a/install/tools/ipa-httpd-kdcproxy
+++ b/install/tools/ipa-httpd-kdcproxy
@@ -141,7 +141,7 @@ class KDCProxyConfig(object):
 try:
 valid = self.validate_symlink()
 except ConfigFileError as e:
-self.log.warn("Cannot enable KDC proxy: %s " % e)
+self.log.warning("Cannot enable KDC proxy: %s " % e)
 return False
 
 if valid:
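Review bot: the changed line still builds the message with `%` before the logger sees it (`"Cannot enable KDC proxy: %s " % e`) and keeps a trailing space inside the string, while the next hunk passes its argument to the logger (`"'%s' does not exist", self.conf`). Since the line is being touched anyway, pass `e` as a logger argument and drop the trailing space. The "Cannot disable KDC proxy" line in the @@ -163 hunk has the same form.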
@@ -149,7 +149,7 @@ class KDCProxyConfig(object):
 return True
 
 if not os.path.isfile(self.conf):
-self.log.warn("'%s' does not exist", self.conf)
+self.log.warning("'%s' does not exist", self.conf)
 return False
 
 # create the symbolic link
@@ -163,7 +163,7 @@ class KDCProxyConfig(object):
 try:
 valid = self.validate_symlink()
 except CheckError as e:
-self.log.warn("Cannot disable KDC proxy: %s " % e)
+self.log.warning("Cannot disable KDC proxy: %s " % e)
 return False
 
 if valid:
@@ -203,8 +203,8 @@ def main(debug=DEBUG, time_limit=TIME_LIMIT):
 api.log.info('KDC proxy disabled')
 return 0
 except CheckError as e:
-api.log.warn(str(e))
-api.log.warn('Disabling KDC proxy')
+api.log.warning(str(e))
+api.log.warning('Disabling KDC proxy')
 cfg.remove_symlink()
 return 0
 except Exception as e:
diff --git a/ipa-client/ipaclient/ipadiscovery.py b/ipa-client/ipaclient/ipadiscovery.py
index 2e51293c2db35d655b1d9936103a729bd61a60ae..45a71e190e56d33d51d37f16ae61a7b4c28df521 100644
--- a/ipa-client/ipaclient/ipadiscovery.py
+++ b/ipa-client/ipaclient/ipadiscovery.py
@@ -266,14 +266,14 @@ class IPADiscovery(object):
 # via DNS
 break
 elif ldapret[0] == NOT_IPA_SERVER:
-root_logger.warn(
+root_logger.warning(
'Skip %s: not an IPA server', server)
 elif ldapret[0] == NO_LDAP_SERVER:
-root_logger.warn(
+root_logger.warning(
'Skip %s: LDAP server is not responding, unable to verify if '
'this is an IPA server', server)
 else:
-root_logger.warn(
+root_logger.warning(
'Skip %s: cannot verify if this is an IPA server', server)
 
 # If one of LDAP servers checked rejects access (maybe anonymous
diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py
index 59cb0ea3982256e9d98b8216207514e28e229d03..3da44ef3c34f8e0540b6dcdc3465b913c11833c5 100644
--- a/ipalib/plugins/dns.py
+++ b/ipalib/plugins/dns.py
@@ -3438,7 +3438,7 @@ class dnsrecord(LDAPObject):
 
 while attempt < max_attempts:
 if attempt >= warn_attempts:
-log_fn = self.log.warn
+log_fn = self.log.warning
 attempt += 1
 try:
 dns_answer = resolver.query(dns_name, rdtype,
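Review bot: `log_fn = self.log.warn` is a bare attribute reference, not a call, which is the form the first version of this patch missed and pylint reported at ipalib/plugins/dns.py:3441. Before this goes in, search the tree for `.warn` that is not followed by `(` (assignments, callbacks passed as arguments) so that no other reference of this kind is left for the pylint patch to trip over.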
@@ -3514,7 +3514,7 @@ class dnsrecord(LDAPObject):
 except dns.resolver.NoNameservers as e:
 # Do not raise exception if we have got SERVFAILs.
 # Maybe the user has created an invalid zone intentionally.
-self.log.warn('waiting for DNS answer {%s}: got {%s}; '
+self.log.warning('waiting for DNS answer {%s}: got {%s}; '
   'ignoring', ldap_rrset, type(e))
 continue
 
diff 

Re: [Freeipa-devel] [PATCH 0398] logger: Use warning instead of warn

2016-01-15 Thread Martin Basti



On 15.01.2016 16:27, Tomas Babej wrote:
> Hi,
>
> this should build up to another pylint-related patch Martin^2 has in the works.
>
> Tomas

NACK :)

* Module ipalib.plugins.dns
ipalib/plugins/dns.py:3441: [E1101(no-member), 
dnsrecord.wait_for_modified_attr] Class 'log' has no 'warn' member)



[Freeipa-devel] [PATCH 0405] Fix: uninstall does not stop named-pkcs11 and ipa-ods-exporter

2016-01-15 Thread Martin Basti

https://fedorahosted.org/freeipa/ticket/5262

Patch attached, detailed description in the commit message.
From 4c674535fa994a2a7c4208d3382c41bc6692e04e Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Thu, 14 Jan 2016 14:52:15 +0100
Subject: [PATCH] Fix: uninstall does not stop named-pkcs11 and
 ipa-ods-exporter

ipactl is not aware of new services installed later, if ipactl restart
or start has not been executed.

This commit is workaround, proper fix may need to improve ipactl.

https://fedorahosted.org/freeipa/ticket/5262
---
 install/tools/ipa-ca-install  | 3 +++
 install/tools/ipa-dns-install | 4 
 2 files changed, 7 insertions(+)

diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index f39847b9011fe801be48c40f44eb43f599c5bc90..83cf98ec6a34093c826470e06ad448e6033bc682 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -295,6 +295,9 @@ def main():
 else:
 install(safe_options, options, filename)
 
+# execute ipactl to refresh services status
+ipautil.run(['ipactl', 'start', '--ignore-service-failures'],
+raiseonerr=False)
 
 fail_message = '''
 Your system may be partly configured.
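Review bot: the result of the added `ipautil.run([...], raiseonerr=False)` call is discarded, so when `ipactl start` fails the service list is not refreshed and nothing tells the admin that the uninstall problem from ticket 5262 can still occur. Check the result and log a warning on failure. The comment "execute ipactl to refresh services status" could also state why this is needed (ipactl is not aware of services installed later), as the commit message does.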
diff --git a/install/tools/ipa-dns-install b/install/tools/ipa-dns-install
index 91f608941d2dcced898c7ea2e479382ef307490c..2eb1d0258bd6e323f9659da84692facef85a788d 100755
--- a/install/tools/ipa-dns-install
+++ b/install/tools/ipa-dns-install
@@ -149,6 +149,10 @@ def main():
 service.print_msg("Restarting the web server")
 http.restart()
 
+# execute ipactl to refresh services status
+ipautil.run(['ipactl', 'start', '--ignore-service-failures'],
+raiseonerr=False)
+
 return 0
 
 if __name__ == '__main__':
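Review bot: `'ipactl'` is passed by bare name in the added `ipautil.run` call, so which binary runs depends on the PATH of the root session that started ipa-dns-install; use an absolute path here and in the ipa-ca-install hunk. The same three lines now exist in both tools, so a shared helper would keep the workaround in one place for the day ipactl itself is fixed.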
-- 
2.5.0
