date:20160302


On Wed, 02 Mar 2016, Sumit Bose wrote:

On Wed, Mar 02, 2016 at 05:24:55PM +0200, Alexander Bokovoy wrote:

On Wed, 02 Mar 2016, Petr Vobornik wrote:
>On 03/02/2016 11:55 AM, Alexander Bokovoy wrote:
>>Hi,
>>
>>http://www.freeipa.org/page/V4/Support_of_UPN_for_trusted_domains
>>describes a design page to support name suffixes from trusted Active
>>Directory domains.
>>
>>A prototype code exists (written by me and Sumit) and was tested by Sumit
>>against recent releases of SSSD.
>>
>>Text is provided below for easier commenting.
>>-
>>{{Feature|version=TODO|ticket=TODO|author=Ab}}
>>
>>== Overview ==
>>User principal name (UPN) in Active Directory is the primary form of
>>addressing users. UPN has structure of 'user name@suffix' where both
>>user name and suffix parts may vary. By default the suffix is the same
>>as the Active Directory domain name but AD administrators may create
>>additional name suffixes and associate them with specific users. These
>>additional UPNs for users may then be used for Kerberos authentication
>>against Active Directory domains.
>>
>>Alternative UPNs are often used when several companies with Active
>>Directory deployments merge and want to provide unified logon namespace.
>>
>>The purpose of this feature is to allow using alternative UPNs
>>associated with the Active Directory users when accessing resources in
>>FreeIPA domain.
>>
>>== Use Cases ==
>>
>>As an Active Directory user, I want to login using my user@EXAMPLE user
>>principal name even if my Active Directory domain is named
>>REGION.EXAMPLE.COM.
>>== Design==
>>Support for UPNs is split to three different components:
>>;Client-side
>>: SSSD already supports logon with UPN by asking a KDC to accept
>>enterprise logon names.  By default, the use of enterprise principals is
>>disabled, therefore, krb5_use_enterprise_principal = True
>>needs to be added to sssd.conf to enable it.
>>
>>;KDC
>>: IPA KDC does understand multiple domains associated with the trusted
>>AD forest. However, since no information about name suffixes associated
>>with the forest is available, it cannot take them into account when
>>processing enteprise logon names to issue referrals to the correct
>>realm. Support needs to be added to allow IPA KDC to look up name
>>suffixes associated with a trusted forest.
>>
>>; IPA framework
>>: Changes needed on IPA framework side to fetch from Active Directory a
>>list of name suffixes and store them in the trusted domain objects.
>>
>>== Implementation ==
>>For retrieving name suffixes, IPA framework needs to move to use
>>NETLOGON netr_DsRGetForestTrustInformation function instead of
>>netr_DsrEnumerateDomainTrusts. This allows to retrieve both domains and
>>top level names associated with the forest.
>>
>>As top level names (TLNs) have only a single string as a name suffix,
>>they cannot be stored as trusted domains (they lack SID and NetBIOS
>>name). Thus, either IPA KDB driver needs to be extended to understand
>>trusted domains without SID and NetBIOS name, or TLNs need to be stored
>>as a property of tree root domains of the forest.
>>
>>== Feature Management ==
>>
>>=== UI ===
>>If TLNs are added as a property of tree root domains of the forest,
>>appropriate panel needs to be extended to display them.
>>
>>=== CLI ===
>>If TLNs are added as a property of tree root domains of the forest,
>>appropriate attribute need to be handled by '''trust-show''' command. If
>>TLNs represented as separate 'trusted domains' of the trusted forest, no
>>work is needed on CLI other than being able to support 'trusted domains'
>>without SID and NetBIOS name.
>
>What is meant by 'tree root domains of the forest' in IPA context? The
>trust object?
Yes. A forest might have multiple tree roots. We establish trust with
one of them (forest root domain) but you can have distinct tree roots
too. For a forest example.com a separate tree root could be ad.test
which is still a part of the forest. In Windows' UI for domains and
forests trust you'll see it as a separate entry at the top level. Each
tree root may have associated name suffixes.


But I thought they still can be used across the whole forest, e.g. if
you assign an alternative domain suffix in the UI of ad.test you can use
this suffix for users from example.com as well?

That's something I need to test. It seems like that, though, from what I
remember...

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] Supporting UPNs of trusted forests


On Wed, 02 Mar 2016, Simo Sorce wrote:

On Wed, 2016-03-02 at 17:24 +0200, Alexander Bokovoy wrote:

On Wed, 02 Mar 2016, Petr Vobornik wrote:
>On 03/02/2016 11:55 AM, Alexander Bokovoy wrote:
>>Hi,
>>
>>http://www.freeipa.org/page/V4/Support_of_UPN_for_trusted_domains
>>describes a design page to support name suffixes from trusted Active
>>Directory domains.
>>
>>A prototype code exists (written by me and Sumit) and was tested by Sumit
>>against recent releases of SSSD.
>>
>>Text is provided below for easier commenting.
>>-
>>{{Feature|version=TODO|ticket=TODO|author=Ab}}
>>
>>== Overview ==
>>User principal name (UPN) in Active Directory is the primary form of
>>addressing users. UPN has structure of 'user name@suffix' where both
>>user name and suffix parts may vary. By default the suffix is the same
>>as the Active Directory domain name but AD administrators may create
>>additional name suffixes and associate them with specific users. These
>>additional UPNs for users may then be used for Kerberos authentication
>>against Active Directory domains.
>>
>>Alternative UPNs are often used when several companies with Active
>>Directory deployments merge and want to provide unified logon namespace.
>>
>>The purpose of this feature is to allow using alternative UPNs
>>associated with the Active Directory users when accessing resources in
>>FreeIPA domain.
>>
>>== Use Cases ==
>>
>>As an Active Directory user, I want to login using my user@EXAMPLE user
>>principal name even if my Active Directory domain is named
>>REGION.EXAMPLE.COM.
>>== Design==
>>Support for UPNs is split to three different components:
>>;Client-side
>>: SSSD already supports logon with UPN by asking a KDC to accept
>>enterprise logon names.  By default, the use of enterprise principals is
>>disabled, therefore, krb5_use_enterprise_principal = True
>>needs to be added to sssd.conf to enable it.
>>
>>;KDC
>>: IPA KDC does understand multiple domains associated with the trusted
>>AD forest. However, since no information about name suffixes associated
>>with the forest is available, it cannot take them into account when
>>processing enteprise logon names to issue referrals to the correct
>>realm. Support needs to be added to allow IPA KDC to look up name
>>suffixes associated with a trusted forest.
>>
>>; IPA framework
>>: Changes needed on IPA framework side to fetch from Active Directory a
>>list of name suffixes and store them in the trusted domain objects.
>>
>>== Implementation ==
>>For retrieving name suffixes, IPA framework needs to move to use
>>NETLOGON netr_DsRGetForestTrustInformation function instead of
>>netr_DsrEnumerateDomainTrusts. This allows to retrieve both domains and
>>top level names associated with the forest.
>>
>>As top level names (TLNs) have only a single string as a name suffix,
>>they cannot be stored as trusted domains (they lack SID and NetBIOS
>>name). Thus, either IPA KDB driver needs to be extended to understand
>>trusted domains without SID and NetBIOS name, or TLNs need to be stored
>>as a property of tree root domains of the forest.
>>
>>== Feature Management ==
>>
>>=== UI ===
>>If TLNs are added as a property of tree root domains of the forest,
>>appropriate panel needs to be extended to display them.
>>
>>=== CLI ===
>>If TLNs are added as a property of tree root domains of the forest,
>>appropriate attribute need to be handled by '''trust-show''' command. If
>>TLNs represented as separate 'trusted domains' of the trusted forest, no
>>work is needed on CLI other than being able to support 'trusted domains'
>>without SID and NetBIOS name.
>
>What is meant by 'tree root domains of the forest' in IPA context? The
>trust object?
Yes. A forest might have multiple tree roots. We establish trust with
one of them (forest root domain) but you can have distinct tree roots
too. For a forest example.com a separate tree root could be ad.test
which is still a part of the forest. In Windows' UI for domains and
forests trust you'll see it as a separate entry at the top level. Each
tree root may have associated name suffixes.

There are actually two different approaches we discussed with Sumit
-- one is to store TLNs as attributes of TDO, another is to create
separate TDOs, building on the fact you noticed:
>Btw trustdomain object has ipantflatname and ipanttrusteddomainsid
>attributes as optional so it is possible to store it there assuming
>modification of KDB driver.
This is what I did already in the prototype:
https://abbra.fedorapeople.org/.paste/0001-WIP-support-UPNs-for-trusted-domain-users.master.patch

So we are sure that either way would work, the question is what would be
more usable UX-wise.


How does Windows represent them ?

Weirdly.


I'd try to stick to something close to what AD does to avoid pain if
later is found that the way Windows does things is necessary (or just
easier) to keep adding further options down the road.

See following

Re: [Freeipa-devel] External trust to AD


On Wed, 02 Mar 2016, Petr Vobornik wrote:

On 03/02/2016 11:13 AM, Alexander Bokovoy wrote:

Hi,

http://www.freeipa.org/page/V4/External_trust_to_AD documents a design
for external trust to AD feature.

The text is included below for easier review.
---
{{Feature|version=TODO|ticket=TODO|author=Ab}}

== Overview ==
Support for external trust to a domain from Active Directory forest

An external trust is a trust relationship between Active Directory
domains that are in different Active Directory forests. While forest
trust always requires to establish trust between root domains of the
Active Directory forests, external trust can be established to any
domain within the forest.

== Use Cases ==

As an Active Directory domain admin, I want to establish trust between
IPA and my domain only. The trust between IPA and an external Active
Directory domain will be non-transitive as no users or groups from other
Active Directory domains will have access to IPA resources.

== Design==

External trust between Active Directory domains is by definition
non-transitive and enforces SID filtering between the domain boundaries.
This means only users and groups with SIDs from the trusted domain can
use the resources and be visible on IPA systems. None of other users and
groups from domains the trusted domain trusts within its own Active
Directory forest or other externally trusted domains will be allowed to
access IPA resources.

== Implementation ==

External trust feature re-uses existing forest trust infrastructure.
There are several specific changes to allow supporting external trust:
* '''Non-transitivity''': since external trust is non-transitive by
* definition, any attempt to set transitivity feature of the trust link
* with LSA SetInformationTrustedDomain() command will fail. Thus, there
* is no need to set transitivity for the external trust.


Sounds very simple :)

Do I get it right that it is possible to do it today? Because now the 
code just do:

  root_logger.error('unable to set trust to transitive: %s' % (str(e)))
  pass

I have a patchset to add this support already. I want to clean up some
parts of it, namely, reporting of the resulting trust type, but it all works.




* '''Trust attributes''': external trust can be detected by looking into
* absense of ipaNTTrustAttributes LDAP attribute of the trusted domain
* object.

== Feature Management ==

=== UI ===
An option 'external trust' needs to be added to Web UI, corresponding to
'--external' flag in 'trust-add' command in CLI.

=== CLI ===
An external trust creation can be requested by passing additional flag
'--external=true' to the 'trust-add' command. The flag defaults to
'false', e.g. no external trust would be created.

{| class="wikitable"
|-
! Command
! Options
|-
| trust-add
| --external=true/false
|}


We should also add 'external' param to output of trust_find and 
trust_show + corresponding change in Web UI and CLI.

It will be part of trust type string, not a separate param.

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] Supporting UPNs of trusted forests

2016-03-02 Thread Simo Sorce

On Wed, 2016-03-02 at 17:24 +0200, Alexander Bokovoy wrote:
> On Wed, 02 Mar 2016, Petr Vobornik wrote:
> >On 03/02/2016 11:55 AM, Alexander Bokovoy wrote:
> >>Hi,
> >>
> >>http://www.freeipa.org/page/V4/Support_of_UPN_for_trusted_domains
> >>describes a design page to support name suffixes from trusted Active
> >>Directory domains.
> >>
> >>A prototype code exists (written by me and Sumit) and was tested by Sumit
> >>against recent releases of SSSD.
> >>
> >>Text is provided below for easier commenting.
> >>-
> >>{{Feature|version=TODO|ticket=TODO|author=Ab}}
> >>
> >>== Overview ==
> >>User principal name (UPN) in Active Directory is the primary form of
> >>addressing users. UPN has structure of 'user name@suffix' where both
> >>user name and suffix parts may vary. By default the suffix is the same
> >>as the Active Directory domain name but AD administrators may create
> >>additional name suffixes and associate them with specific users. These
> >>additional UPNs for users may then be used for Kerberos authentication
> >>against Active Directory domains.
> >>
> >>Alternative UPNs are often used when several companies with Active
> >>Directory deployments merge and want to provide unified logon namespace.
> >>
> >>The purpose of this feature is to allow using alternative UPNs
> >>associated with the Active Directory users when accessing resources in
> >>FreeIPA domain.
> >>
> >>== Use Cases ==
> >>
> >>As an Active Directory user, I want to login using my user@EXAMPLE user
> >>principal name even if my Active Directory domain is named
> >>REGION.EXAMPLE.COM.
> >>== Design==
> >>Support for UPNs is split to three different components:
> >>;Client-side
> >>: SSSD already supports logon with UPN by asking a KDC to accept
> >>enterprise logon names.  By default, the use of enterprise principals is
> >>disabled, therefore, krb5_use_enterprise_principal = True
> >>needs to be added to sssd.conf to enable it.
> >>
> >>;KDC
> >>: IPA KDC does understand multiple domains associated with the trusted
> >>AD forest. However, since no information about name suffixes associated
> >>with the forest is available, it cannot take them into account when
> >>processing enteprise logon names to issue referrals to the correct
> >>realm. Support needs to be added to allow IPA KDC to look up name
> >>suffixes associated with a trusted forest.
> >>
> >>; IPA framework
> >>: Changes needed on IPA framework side to fetch from Active Directory a
> >>list of name suffixes and store them in the trusted domain objects.
> >>
> >>== Implementation ==
> >>For retrieving name suffixes, IPA framework needs to move to use
> >>NETLOGON netr_DsRGetForestTrustInformation function instead of
> >>netr_DsrEnumerateDomainTrusts. This allows to retrieve both domains and
> >>top level names associated with the forest.
> >>
> >>As top level names (TLNs) have only a single string as a name suffix,
> >>they cannot be stored as trusted domains (they lack SID and NetBIOS
> >>name). Thus, either IPA KDB driver needs to be extended to understand
> >>trusted domains without SID and NetBIOS name, or TLNs need to be stored
> >>as a property of tree root domains of the forest.
> >>
> >>== Feature Management ==
> >>
> >>=== UI ===
> >>If TLNs are added as a property of tree root domains of the forest,
> >>appropriate panel needs to be extended to display them.
> >>
> >>=== CLI ===
> >>If TLNs are added as a property of tree root domains of the forest,
> >>appropriate attribute need to be handled by '''trust-show''' command. If
> >>TLNs represented as separate 'trusted domains' of the trusted forest, no
> >>work is needed on CLI other than being able to support 'trusted domains'
> >>without SID and NetBIOS name.
> >
> >What is meant by 'tree root domains of the forest' in IPA context? The 
> >trust object?
> Yes. A forest might have multiple tree roots. We establish trust with
> one of them (forest root domain) but you can have distinct tree roots
> too. For a forest example.com a separate tree root could be ad.test
> which is still a part of the forest. In Windows' UI for domains and
> forests trust you'll see it as a separate entry at the top level. Each
> tree root may have associated name suffixes.
> 
> There are actually two different approaches we discussed with Sumit
> -- one is to store TLNs as attributes of TDO, another is to create
> separate TDOs, building on the fact you noticed:
> >Btw trustdomain object has ipantflatname and ipanttrusteddomainsid 
> >attributes as optional so it is possible to store it there assuming 
> >modification of KDB driver.
> This is what I did already in the prototype: 
> https://abbra.fedorapeople.org/.paste/0001-WIP-support-UPNs-for-trusted-domain-users.master.patch
> 
> So we are sure that either way would work, the question is what would be
> more usable UX-wise.

How does Windows represent them ?
I'd try to stick to something close to what AD does to

Re: [Freeipa-devel] [PATCH 0429] fix suspicious except statement




On 02.03.2016 17:17, Martin Basti wrote:

Patch attached, read commit message for more info.



https://fedorahosted.org/freeipa/ticket/5718

Updated patch attached.
From a4d22716232dd7eaf39fa13df0f857d5d288d5ac Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 2 Mar 2016 17:13:27 +0100
Subject: [PATCH] fix suspicious except statements

The "except ValueError as UnicodeDecodeError" looks very suspicious.
Commit change except to catch both exceptions.

https://fedorahosted.org/freeipa/ticket/5718
---
 client/ipa-client-install | 2 +-
 ipalib/util.py| 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/client/ipa-client-install b/client/ipa-client-install
index 1e611244593b4db88beacfdeb47e92faae24132e..44ddeb956dfd6928317d50309aea42d8eb9e2de0 100755
--- a/client/ipa-client-install
+++ b/client/ipa-client-install
@@ -1798,7 +1798,7 @@ def update_ssh_keys(server, hostname, ssh_dir, create_sshfp):
 continue
 try:
 pubkey = SSHPublicKey(line)
-except ValueError as UnicodeDecodeError:
+except (ValueError, UnicodeDecodeError):
 continue
 root_logger.info("Adding SSH public key from %s", filename)
 pubkeys.append(pubkey)
diff --git a/ipalib/util.py b/ipalib/util.py
index 6c70fbdfcb1f936468101dd2e5ed726ec614a893..262acf926e73ba1521faa151154e2149875be4b7 100644
--- a/ipalib/util.py
+++ b/ipalib/util.py
@@ -278,13 +278,13 @@ def normalize_sshpubkey(value):
 def validate_sshpubkey(ugettext, value):
 try:
 SSHPublicKey(value)
-except ValueError as UnicodeDecodeError:
+except (ValueError, UnicodeDecodeError):
 return _('invalid SSH public key')
 
 def validate_sshpubkey_no_options(ugettext, value):
 try:
 pubkey = SSHPublicKey(value)
-except ValueError as UnicodeDecodeError:
+except (ValueError, UnicodeDecodeError):
 return _('invalid SSH public key')
 
 if pubkey.has_options():
@@ -304,7 +304,7 @@ def convert_sshpubkey_post(ldap, dn, entry_attrs):
 for pubkey in pubkeys:
 try:
 pubkey = SSHPublicKey(pubkey)
-except ValueError as UnicodeDecodeError:
+except (ValueError, UnicodeDecodeError):
 continue
 
 fp = pubkey.fingerprint_hex_md5()
-- 
2.5.0

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 0001] Add new parameter --ssh-update to ipa-client-install




On 27.02.2016 21:19, Martin Štefany wrote:

Hi,

I did as Jan suggested, everything is now a new command 'ipa-sshupdate',
(so it's based on Jan's 'ipa-certupdate', yeah, a bit of copy-paste),
rest is based on ipa-client-install's code. I'm not sure if this is
correct, but you might want to change ipa-client-install to just 'import
ipaclient.ipa_sshupdate' for ssh update, or not - I'm not sure how this
is compatible with 'code deduplication', 're-usage', etc.

Another open point from my side is PEP8 compliance, I've ran the new
code through pep8 utility with defaults and it's 'OK'. But so is code in
my employer's project and they look slightly 'different', mainly for
brackets, strings, etc. Please, have a look to that, too, I'm happy for
any guidance.

Martin

On Št, 2016-02-25 at 14:36 +0100, Jan Cholasta wrote:

Hi,

On 25.2.2016 14:23, Martin Basti wrote:



On 22.02.2016 22:13, Martin Štefany wrote:

Hi,

please, review the attached patch which adds --ssh-update to ipa-
client-
install.

Ticket:https://fedorahosted.org/freeipa/ticket/2655

Hello,
thank you for your patch.
Please attach a patch as a file next time.

I have doubts that this should be part of ipa-client-install, this
needs
a broader discussion.

+1, I think it should be a separate command (ignore my earlier
suggestion from Trac to incorporate this into ipa-client-install, I
was
young and stupid).

See client/ipa-certupdate and ipaclient/ipa_certupdate.py for an
example
of how such a command should be implemented.



Code comments inline:


---
Martin


 From 4974a57f48a0cd48b83724297ae2af572bc530eb Mon Sep 17
00:00:00 2001

From: Martin Stefany 
Date: Mon, 22 Feb 2016 20:58:13 +
Subject: [PATCH] Add new parameter --ssh-update to ipa-client-
install

Add a new parameter '--ssh-update' which can be used later after
freeipa
client is installed to update SSH hostkeys and SSHFP DNS records
for
host.

https://fedorahosted.org/freeipa/ticket/2655
---
   ipa-client/ipa-install/ipa-client-install | 102
+-
   1 file changed, 99 insertions(+), 3 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-
client/ipa-
install/ipa-client-install
index
789ff591591673744ee3b922e5c0181233ad553c..97adfb6b449fb441bddada89
a3b151
33e398ca50 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -71,6 +71,7 @@ CLIENT_INSTALL_ERROR = 1
   CLIENT_NOT_CONFIGURED = 2
   CLIENT_ALREADY_CONFIGURED = 3
   CLIENT_UNINSTALL_ERROR = 4 # error after restoring files/state
+CLIENT_SSHUPDATE_ERROR = 5 # error during update of SSH public
keys

   def parse_options():
   def validate_ca_cert_file_option(option, opt, value,
parser):
@@ -215,6 +216,12 @@ def parse_options():
 "be run with --
unattended
option")
   parser.add_option_group(uninstall_group)

+sshupdate_group = OptionGroup(parser, "SSH key update
options")
+sshupdate_group.add_option("--ssh-update", dest="ssh_update",
+  action="store_true", default=False,
+  help="update local host's SSH public keys
in host
entry and DNS.")
+parser.add_option_group(sshupdate_group)
+
   options, args = parser.parse_args()
   safe_opts = parser.get_safe_opts(options)

@@ -840,6 +847,92 @@ def uninstall(options, env):

   return rv

+def sshupdate(options, env):
+if not is_ipa_client_installed():
+root_logger.error("IPA client is not configured on this
system.")
+return CLIENT_NOT_CONFIGURED
+
+api.bootstrap(context='cli_installer', debug=options.debug)
+api.finalize()
+if 'config_loaded' not in api.env:
+root_logger.error("Failed to initialize IPA API.")
+return CLIENT_SSHUPDATE_ERROR
+
+# Now, let's try to connect to the server's RPC interface
+connected = False
+try:
+api.Backend.rpcclient.connect()
+connected = True
+root_logger.debug("Try RPC connection")
+api.Backend.rpcclient.forward('ping')
+except errors.KerberosError as e:
+if connected:
+api.Backend.rpcclient.disconnect()
+root_logger.info(
+"Cannot connect to the server due to Kerberos error:
%s. "
+"Trying with delegate=True", e)
+try:
+api.Backend.rpcclient.connect(delegate=True)
+root_logger.debug("Try RPC connection")
+api.Backend.rpcclient.forward('ping')
+
+root_logger.info("Connection with delegate=True
successful")
+
+# The remote server is not capable of Kerberos
S4U2Proxy
+# delegation. This features is implemented in IPA
server
+# version 2.2 and higher
+root_logger.warning(
+"Target IPA server has a lower version than the
enrolled "
+"client")
+root_logger.warning(
+"Some capabilities including the ipa command
capability
"
+

[Freeipa-devel] [PATCH 0430] remove unused argument from function update_ssh_keys


Patch attached, see commit message for details
From 630dee2536106cbda7b49345733f37cfd8834f08 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 2 Mar 2016 17:26:33 +0100
Subject: [PATCH] Remove unused arguments from update_ssh_keys method

First argumet has been unused and can be safely removed, because server
is not used for nsupdate anymore
---
 client/ipa-client-install | 6 --
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/client/ipa-client-install b/client/ipa-client-install
index 44ddeb956dfd6928317d50309aea42d8eb9e2de0..48c325f53c295a5e30a9a59f357f8561d9875400 100755
--- a/client/ipa-client-install
+++ b/client/ipa-client-install
@@ -1776,7 +1776,8 @@ def check_ip_addresses(options):
 return False
 return True
 
-def update_ssh_keys(server, hostname, ssh_dir, create_sshfp):
+
+def update_ssh_keys(hostname, ssh_dir, create_sshfp):
 if not os.path.isdir(ssh_dir):
 return
 
@@ -2887,7 +2888,8 @@ def install(options, env, fstore, statestore):
 configure_certmonger(fstore, subject_base, cli_realm, hostname,
  options, ca_enabled)
 
-update_ssh_keys(cli_server[0], hostname, services.knownservices.sshd.get_config_dir(), options.create_sshfp)
+update_ssh_keys(hostname, services.knownservices.sshd.get_config_dir(),
+options.create_sshfp)
 
 try:
 os.remove(CCACHE_FILE)
-- 
2.5.0

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [PATCH 0429] fix suspicious except statement


Patch attached, read commit message for more info.
From 2346845810137b7a844747ad75ee6e626d45d84e Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 2 Mar 2016 17:13:27 +0100
Subject: [PATCH] fix suspicious except statement in update_ssh_key

The "except ValueError as UnicodeDecodeError" looks very suspicious.
Commit change except to catch both exceptions.
---
 client/ipa-client-install | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/client/ipa-client-install b/client/ipa-client-install
index 1e611244593b4db88beacfdeb47e92faae24132e..44ddeb956dfd6928317d50309aea42d8eb9e2de0 100755
--- a/client/ipa-client-install
+++ b/client/ipa-client-install
@@ -1798,7 +1798,7 @@ def update_ssh_keys(server, hostname, ssh_dir, create_sshfp):
 continue
 try:
 pubkey = SSHPublicKey(line)
-except ValueError as UnicodeDecodeError:
+except (ValueError, UnicodeDecodeError):
 continue
 root_logger.info("Adding SSH public key from %s", filename)
 pubkeys.append(pubkey)
-- 
2.5.0

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 0005] Refactor test_nesting, create HostGroupTracker




On 28.01.2016 10:45, Filip Skola wrote:


- Original Message -

On 01/18/2016 02:26 PM, Filip Skola wrote:

Hi,

this should be fixed in this patch.

F.

- Original Message -

On 01/15/2016 03:37 PM, Filip Skola wrote:

Hi,

sending rebased patch.

F.

- Original Message -

Hi,

the patch no longer applies to master. Please rebase it.

Thanks,
Milan

- Original Message -
From: "Filip Skola" 
To: freeipa-devel@redhat.com
Cc: "Milan Kubík" , "Aleš Mareček"

Sent: Tuesday, 22 December, 2015 11:56:15 AM
Subject: [PATCH 0005] Refactor test_nesting, create HostGroupTracker

Hi,

another patch from refactoring-test_xmlrpc series.

Filip


NACK, something seems to be missing in the patch


* Module ipatests.test_xmlrpc.tracker.hostgroup_plugin
ipatests/test_xmlrpc/tracker/hostgroup_plugin.py:222: [E1101(no-member),
HostGroupTracker.check_add_member_negative] Instance of
'HostGroupTracker' has no 'adds' member)

--
Milan Kubik



The same as with patch 0002:
* Module ipatests.test_xmlrpc.tracker.hostgroup_plugin
W:142,26: Calling a dict.iter*() method (dict-iter-method)

Please use dict.items method.

--
Milan Kubik



Hi,

attaching a fixed patch. This patch is dependent on updated group plugin test 
patch 0002-7.

Filip



Bump for review
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH] 951 webui: fail nicely if cookies are disabled




On 28.01.2016 16:25, Petr Vobornik wrote:

On 01/28/2016 04:23 PM, Tomas Babej wrote:



On 01/28/2016 04:15 PM, Petr Vobornik wrote:
Reworks also sessionStorage test because disablement of cookies 
might be

connected with sessionStorage and localStorage. E.g. Chrome raises
exception when *Storage is accessed with "Block sites from setting any
data" settings set in "Content Settings/Cookies" section.

https://fedorahosted.org/freeipa/ticket/4338




Seems that two spaces inserted themselves to the error message for
localStorage :)



updated patch attached.



Bump for review
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 0128] ipalib/cli.py: pythonify Collector class




On 28.01.2016 17:32, Martin Babinsky wrote:

On 01/28/2016 05:06 PM, Tomas Babej wrote:



On 01/28/2016 04:44 PM, Martin Babinsky wrote:

On 01/28/2016 03:20 PM, Tomas Babej wrote:



On 01/27/2016 03:58 PM, Martin Babinsky wrote:

On 01/18/2016 06:43 PM, Martin Babinsky wrote:

A little patch that should make some future pylint errors disappear.




Attaching updated patch that does not promote direct molestation of
instance dictionaries.





Patch looks good, one thing I am concerened about though is that
__todict__ now returns a direct reference to the internal, mutable 
dict,

and no longer a (shallow) copy.

Maybe we should use dict.copy() there?

Tomas



Ah I didn't realize that. Fixed in updated patch.



Nitpick: Sorry for being misleading - I did not mean to suggest invoking
the method using the dict type directly. While being equivalent, the

dict.copy(self.__options)

it's less idiomatic than:

self.__options.copy()

Tomas



Ah sorry I forgot how to python again.

Attaching patch.




Bump for review
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 0422] CI: allow customized DS install test to run under different domain levels




On 24.02.2016 19:01, Martin Basti wrote:

https://fedorahosted.org/freeipa/ticket/5606

Patch attached.



Bump for review
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH] 0017 configure DNA shared config entry to allow connection with GSSAPI




On 01.03.2016 14:50, Martin Babinsky wrote:

On 02/29/2016 05:37 PM, thierry bordaz wrote:

On 02/26/2016 05:48 PM, Martin Babinsky wrote:

On 02/26/2016 04:24 PM, thierry bordaz wrote:

On 02/25/2016 07:17 PM, thierry bordaz wrote:

On 02/25/2016 12:03 PM, Martin Babinsky wrote:

On 02/24/2016 04:30 PM, thierry bordaz wrote:

On 01/21/2016 05:04 PM, Martin Babinsky wrote:

On 01/21/2016 01:37 PM, thierry bordaz wrote:





Hi Thierry,

I have couple of comments to your patch:

1.)
there is a number of PEP8 errors in the patch
(http://paste.fedoraproject.org/313246/33893701), please fix them.

See http://www.freeipa.org/page/Python_Coding_Style for our
conventions used in Python code.

2.)
+DNA_BIND_METHOD   = "dnaRemoteBindMethod"
+DNA_CONN_PROTOCOL = "dnaRemoteConnProtocol"
+DNA_PLUGIN_DN = 'cn=Distributed Numeric Assignment
Plugin,cn=plugins,cn=config'
+dna_config_base   = 'cn=Posix IDs,%s' % DNA_PLUGIN_DN

Uppercase names are usually reserved for module-level constants.
OTOH,
local variables should be lowercase. Also you can instantiate
dna_config_base directly as DN, using 2-member tuples, i. e:

"""
dna_config_base = DN(('cn', 'posix IDs'), ('cn', 'Distributed
Numeric
Assignment Plugin'), ('cn', 'plugins'), ('cn', 'config'))
"""

When passing DN object to the formatting functions/operators, 
it is

automatically converted to string so no need to hold string and DN
object separately. This is done in other places (see
function/methods
in replication.py).

3.)

+for i in range(len(entries)) :
+
+mod = []
+if entries[i].single_value.get(DNA_BIND_METHOD) !=
method:
+mod.append((ldap.MOD_REPLACE, DNA_BIND_METHOD,
method))
+
+if entries[i].single_value.get(DNA_CONN_PROTOCOL) !=
protocol:
+mod.append((ldap.MOD_REPLACE, DNA_CONN_PROTOCOL,
protocol))


please use idiomatic Python when handling list of entries, e.g.:

"""
for entry in entries:
   mod = []
   if entry.single_value.get(DNA_BIND_METHOD) != method:
   ...
"""

4.) I think that this method should in DSInstance class since it
deals
with directory server configuration. Service is a parent object
of all
other service installers/configurators and should contain only
methods
common to more children.

5.) Since the method is called from every installer, it could be
beneficial to call it in DSInstance.__common_post_setup() as a
part of
Directory server installation. Is there any reason why this is
not the
case?

6.)

+while attempt != MAX_WAIT:
+try:
+entries = conn.get_entries(sharedcfgdn,
scope=ldap.SCOPE_ONELEVEL, filter='dnaHostname=%s' % self.fqdn)
+break
+except errors.NotFound:
+root_logger.debug("So far enable not find DNA
shared
config entry for dnaHostname=%s under %s. Retry in 2sec" %
(self.fqdn,
sharedcfgdn))
+attempt = attempt + 1
+time.sleep(2)
+continue
+
+# safety checking
+# there is no return, if there are several entries, as a
workaround of #5510
+if len(entries) != 1:

I am quite afraid what would happen if the server does not return
any
entries until 30 s timeout. The code will then continue to the
condition which can potentially test an uninitialized variable and
blow up with 'NameError'. This should be handled more robustly,
e. g.
raise an exception when a timeout is reached and no entries were
returned.

7.)

+if len(mod) > 0:

A Pythonic way to test for non-empty container is

"""
if mods:
   # do stuff
"""

since an empty list/dict/set evaluates to False and non-empty
containers are True.


8.)

+entry = conn.get_entry(entries[i].dn)
+if entry.single_value.get(DNA_BIND_METHOD) !=
method:
+root_logger.error("Fail to set SASL/GSSAPI 
bind

method to %s" % (entries[i].dn))
+if entry.single_value.get(DNA_CONN_PROTOCOL) !=
protocol:
+root_logger.error("Fail to set LDAP 
protocol to

%s" % (entries[i].dn))

rather than re-fetching the modified entry and testing what
happened,
you can just catch an exception raised by unsuccessfull mod and
log an
error like this:

"""
try:
   conn.modify_s(entry.dn, mod)
except Exception as e:
   root_logger.error("Failed to modify entry {}:
{}".format(entry, e))
"""

as a matter of fact, if the modify_s operation would fail for some
reason, an ldap exception would be raised and you checks would not
even be executed.

9.)
The debug message on line 219 should read "Unable to find DNA 
shared
config entry for dnaHostname=%s so far. Retry in 2 sec.". The 
errors

at the end of the method should have "Failed" instead of "Fail".


Hi Martin,

Finally tested... here is the updated patch. Thanks for you 
patience



thanks
thierry


Hi Thierry,

the patch works as expected. I have some more nitpicks though:

1.) Please fix the following pep8 errors:

Re: [Freeipa-devel] [TEST][Patch 0022] small refactoring in integration tests due to BZ 1303095




On 01.03.2016 15:22, Milan Kubík wrote:

On 02/19/2016 02:11 PM, Oleg Fayans wrote:

Hi Milan,

On 02/12/2016 04:03 PM, Milan Kubík wrote:



Agreed. The latest patch gets rid of all resolv.conf related
manipulations. The tests work (where not affected by
https://fedorahosted.org/bind-dyndb-ldap/ticket/160)



--
Milan Kubik


Works for me, tested on sudo test that requires autodiscovery. ACK


Pushed to:
ipa-4-3: a8f53296f633a8c2a0f6a041dd1d4bec854d206e
master: cfbb7769a70f4cac4bb6d6b7fe36116b43c830e7

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] Supporting UPNs of trusted forests

2016-03-02 Thread Sumit Bose

On Wed, Mar 02, 2016 at 05:24:55PM +0200, Alexander Bokovoy wrote:
> On Wed, 02 Mar 2016, Petr Vobornik wrote:
> >On 03/02/2016 11:55 AM, Alexander Bokovoy wrote:
> >>Hi,
> >>
> >>http://www.freeipa.org/page/V4/Support_of_UPN_for_trusted_domains
> >>describes a design page to support name suffixes from trusted Active
> >>Directory domains.
> >>
> >>A prototype code exists (written by me and Sumit) and was tested by Sumit
> >>against recent releases of SSSD.
> >>
> >>Text is provided below for easier commenting.
> >>-
> >>{{Feature|version=TODO|ticket=TODO|author=Ab}}
> >>
> >>== Overview ==
> >>User principal name (UPN) in Active Directory is the primary form of
> >>addressing users. UPN has structure of 'user name@suffix' where both
> >>user name and suffix parts may vary. By default the suffix is the same
> >>as the Active Directory domain name but AD administrators may create
> >>additional name suffixes and associate them with specific users. These
> >>additional UPNs for users may then be used for Kerberos authentication
> >>against Active Directory domains.
> >>
> >>Alternative UPNs are often used when several companies with Active
> >>Directory deployments merge and want to provide unified logon namespace.
> >>
> >>The purpose of this feature is to allow using alternative UPNs
> >>associated with the Active Directory users when accessing resources in
> >>FreeIPA domain.
> >>
> >>== Use Cases ==
> >>
> >>As an Active Directory user, I want to login using my user@EXAMPLE user
> >>principal name even if my Active Directory domain is named
> >>REGION.EXAMPLE.COM.
> >>== Design==
> >>Support for UPNs is split to three different components:
> >>;Client-side
> >>: SSSD already supports logon with UPN by asking a KDC to accept
> >>enterprise logon names.  By default, the use of enterprise principals is
> >>disabled, therefore, krb5_use_enterprise_principal = True
> >>needs to be added to sssd.conf to enable it.
> >>
> >>;KDC
> >>: IPA KDC does understand multiple domains associated with the trusted
> >>AD forest. However, since no information about name suffixes associated
> >>with the forest is available, it cannot take them into account when
> >>processing enteprise logon names to issue referrals to the correct
> >>realm. Support needs to be added to allow IPA KDC to look up name
> >>suffixes associated with a trusted forest.
> >>
> >>; IPA framework
> >>: Changes needed on IPA framework side to fetch from Active Directory a
> >>list of name suffixes and store them in the trusted domain objects.
> >>
> >>== Implementation ==
> >>For retrieving name suffixes, IPA framework needs to move to use
> >>NETLOGON netr_DsRGetForestTrustInformation function instead of
> >>netr_DsrEnumerateDomainTrusts. This allows to retrieve both domains and
> >>top level names associated with the forest.
> >>
> >>As top level names (TLNs) have only a single string as a name suffix,
> >>they cannot be stored as trusted domains (they lack SID and NetBIOS
> >>name). Thus, either IPA KDB driver needs to be extended to understand
> >>trusted domains without SID and NetBIOS name, or TLNs need to be stored
> >>as a property of tree root domains of the forest.
> >>
> >>== Feature Management ==
> >>
> >>=== UI ===
> >>If TLNs are added as a property of tree root domains of the forest,
> >>appropriate panel needs to be extended to display them.
> >>
> >>=== CLI ===
> >>If TLNs are added as a property of tree root domains of the forest,
> >>appropriate attribute need to be handled by '''trust-show''' command. If
> >>TLNs represented as separate 'trusted domains' of the trusted forest, no
> >>work is needed on CLI other than being able to support 'trusted domains'
> >>without SID and NetBIOS name.
> >
> >What is meant by 'tree root domains of the forest' in IPA context? The
> >trust object?
> Yes. A forest might have multiple tree roots. We establish trust with
> one of them (forest root domain) but you can have distinct tree roots
> too. For a forest example.com a separate tree root could be ad.test
> which is still a part of the forest. In Windows' UI for domains and
> forests trust you'll see it as a separate entry at the top level. Each
> tree root may have associated name suffixes.

But I thought they still can be used across the whole forest, e.g. if
you assign an alternative domain suffix in the UI of ad.test you can use
this suffix for users from example.com as well?


bye,
Sumit

> 
> There are actually two different approaches we discussed with Sumit
> -- one is to store TLNs as attributes of TDO, another is to create
> separate TDOs, building on the fact you noticed:
> >Btw trustdomain object has ipantflatname and ipanttrusteddomainsid
> >attributes as optional so it is possible to store it there assuming
> >modification of KDB driver.
> This is what I did already in the prototype: 
>

Re: [Freeipa-devel] External trust to AD


On 03/02/2016 11:13 AM, Alexander Bokovoy wrote:

Hi,

http://www.freeipa.org/page/V4/External_trust_to_AD documents a design
for external trust to AD feature.

The text is included below for easier review.
---
{{Feature|version=TODO|ticket=TODO|author=Ab}}

== Overview ==
Support for external trust to a domain from Active Directory forest

An external trust is a trust relationship between Active Directory
domains that are in different Active Directory forests. While forest
trust always requires to establish trust between root domains of the
Active Directory forests, external trust can be established to any
domain within the forest.

== Use Cases ==

As an Active Directory domain admin, I want to establish trust between
IPA and my domain only. The trust between IPA and an external Active
Directory domain will be non-transitive as no users or groups from other
Active Directory domains will have access to IPA resources.

== Design==

External trust between Active Directory domains is by definition
non-transitive and enforces SID filtering between the domain boundaries.
This means only users and groups with SIDs from the trusted domain can
use the resources and be visible on IPA systems. None of other users and
groups from domains the trusted domain trusts within its own Active
Directory forest or other externally trusted domains will be allowed to
access IPA resources.

== Implementation ==

External trust feature re-uses existing forest trust infrastructure.
There are several specific changes to allow supporting external trust:
* '''Non-transitivity''': since external trust is non-transitive by
* definition, any attempt to set transitivity feature of the trust link
* with LSA SetInformationTrustedDomain() command will fail. Thus, there
* is no need to set transitivity for the external trust.


Sounds very simple :)

Do I get it right that it is possible to do it today? Because now the 
code just do:

   root_logger.error('unable to set trust to transitive: %s' % (str(e)))
   pass



* '''Trust attributes''': external trust can be detected by looking into
* absense of ipaNTTrustAttributes LDAP attribute of the trusted domain
* object.

== Feature Management ==

=== UI ===
An option 'external trust' needs to be added to Web UI, corresponding to
'--external' flag in 'trust-add' command in CLI.

=== CLI ===
An external trust creation can be requested by passing additional flag
'--external=true' to the 'trust-add' command. The flag defaults to
'false', e.g. no external trust would be created.

{| class="wikitable"
|-
! Command
! Options
|-
| trust-add
| --external=true/false
|}


We should also add 'external' param to output of trust_find and 
trust_show + corresponding change in Web UI and CLI.



=== Configuration ===
No configuration options needed.

== Upgrade ==
No changes on upgrades. The trust properties are only set up at trust
creation time.

== How to Test ==
In order to test the external trust, attempt to create a trust to
non-root domain in an Active Directory forest. It should fail without
'--external=true' option and should be able to establish the external
trust with '--external=true' option to 'trust-add' command.

A type of the trust can be seen with 'trust-show' command.

== Test Plan ==

---


--
Petr Vobornik

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] Supporting UPNs of trusted forests

On Wed, 02 Mar 2016, Petr Vobornik wrote:

On 03/02/2016 11:55 AM, Alexander Bokovoy wrote:

Hi,

http://www.freeipa.org/page/V4/Support_of_UPN_for_trusted_domains
describes a design page to support name suffixes from trusted Active
Directory domains.

A prototype code exists (written by me and Sumit) and was tested by Sumit
against recent releases of SSSD.

Text is provided below for easier commenting.
-
{{Feature|version=TODO|ticket=TODO|author=Ab}}

== Overview ==
User principal name (UPN) in Active Directory is the primary form of
addressing users. UPN has structure of 'user name@suffix' where both
user name and suffix parts may vary. By default the suffix is the same
as the Active Directory domain name but AD administrators may create
additional name suffixes and associate them with specific users. These
additional UPNs for users may then be used for Kerberos authentication
against Active Directory domains.

Alternative UPNs are often used when several companies with Active
Directory deployments merge and want to provide unified logon namespace.

The purpose of this feature is to allow using alternative UPNs
associated with the Active Directory users when accessing resources in
FreeIPA domain.

== Use Cases ==

As an Active Directory user, I want to login using my user@EXAMPLE user
principal name even if my Active Directory domain is named
REGION.EXAMPLE.COM.
== Design==
Support for UPNs is split to three different components:
;Client-side
: SSSD already supports logon with UPN by asking a KDC to accept
enterprise logon names. By default, the use of enterprise principals is
disabled, therefore, krb5_use_enterprise_principal = True
needs to be added to sssd.conf to enable it.

;KDC
: IPA KDC does understand multiple domains associated with the trusted
AD forest. However, since no information about name suffixes associated
with the forest is available, it cannot take them into account when
processing enteprise logon names to issue referrals to the correct
realm. Support needs to be added to allow IPA KDC to look up name
suffixes associated with a trusted forest.

; IPA framework
: Changes needed on IPA framework side to fetch from Active Directory a
list of name suffixes and store them in the trusted domain objects.

== Implementation ==
For retrieving name suffixes, IPA framework needs to move to use
NETLOGON netr_DsRGetForestTrustInformation function instead of
netr_DsrEnumerateDomainTrusts. This allows to retrieve both domains and
top level names associated with the forest.

As top level names (TLNs) have only a single string as a name suffix,
they cannot be stored as trusted domains (they lack SID and NetBIOS
name). Thus, either IPA KDB driver needs to be extended to understand
trusted domains without SID and NetBIOS name, or TLNs need to be stored
as a property of tree root domains of the forest.

== Feature Management ==

=== UI ===
If TLNs are added as a property of tree root domains of the forest,
appropriate panel needs to be extended to display them.

=== CLI ===
If TLNs are added as a property of tree root domains of the forest,
appropriate attribute need to be handled by '''trust-show''' command. If
TLNs represented as separate 'trusted domains' of the trusted forest, no
work is needed on CLI other than being able to support 'trusted domains'
without SID and NetBIOS name.

What is meant by 'tree root domains of the forest' in IPA context? The
trust object?

Yes. A forest might have multiple tree roots. We establish trust with
one of them (forest root domain) but you can have distinct tree roots
too. For a forest example.com a separate tree root could be ad.test
which is still a part of the forest. In Windows' UI for domains and
forests trust you'll see it as a separate entry at the top level. Each
tree root may have associated name suffixes.

There are actually two different approaches we discussed with Sumit
-- one is to store TLNs as attributes of TDO, another is to create
separate TDOs, building on the fact you noticed:
Btw trustdomain object has ipantflatname and ipanttrusteddomainsid
attributes as optional so it is possible to store it there assuming
modification of KDB driver.
This is what I did already in the prototype:
https://abbra.fedorapeople.org/.paste/0001-WIP-support-UPNs-for-trusted-domain-users.master.patch

So we are sure that either way would work, the question is what would be
more usable UX-wise.

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] Supporting UPNs of trusted forests


On 03/02/2016 11:55 AM, Alexander Bokovoy wrote:

Hi,

http://www.freeipa.org/page/V4/Support_of_UPN_for_trusted_domains
describes a design page to support name suffixes from trusted Active
Directory domains.

A prototype code exists (written by me and Sumit) and was tested by Sumit
against recent releases of SSSD.

Text is provided below for easier commenting.
-
{{Feature|version=TODO|ticket=TODO|author=Ab}}

== Overview ==
User principal name (UPN) in Active Directory is the primary form of
addressing users. UPN has structure of 'user name@suffix' where both
user name and suffix parts may vary. By default the suffix is the same
as the Active Directory domain name but AD administrators may create
additional name suffixes and associate them with specific users. These
additional UPNs for users may then be used for Kerberos authentication
against Active Directory domains.

Alternative UPNs are often used when several companies with Active
Directory deployments merge and want to provide unified logon namespace.

The purpose of this feature is to allow using alternative UPNs
associated with the Active Directory users when accessing resources in
FreeIPA domain.

== Use Cases ==

As an Active Directory user, I want to login using my user@EXAMPLE user
principal name even if my Active Directory domain is named
REGION.EXAMPLE.COM.
== Design==
Support for UPNs is split to three different components:
;Client-side
: SSSD already supports logon with UPN by asking a KDC to accept
enterprise logon names.  By default, the use of enterprise principals is
disabled, therefore, krb5_use_enterprise_principal = True
needs to be added to sssd.conf to enable it.

;KDC
: IPA KDC does understand multiple domains associated with the trusted
AD forest. However, since no information about name suffixes associated
with the forest is available, it cannot take them into account when
processing enteprise logon names to issue referrals to the correct
realm. Support needs to be added to allow IPA KDC to look up name
suffixes associated with a trusted forest.

; IPA framework
: Changes needed on IPA framework side to fetch from Active Directory a
list of name suffixes and store them in the trusted domain objects.

== Implementation ==
For retrieving name suffixes, IPA framework needs to move to use
NETLOGON netr_DsRGetForestTrustInformation function instead of
netr_DsrEnumerateDomainTrusts. This allows to retrieve both domains and
top level names associated with the forest.

As top level names (TLNs) have only a single string as a name suffix,
they cannot be stored as trusted domains (they lack SID and NetBIOS
name). Thus, either IPA KDB driver needs to be extended to understand
trusted domains without SID and NetBIOS name, or TLNs need to be stored
as a property of tree root domains of the forest.

== Feature Management ==

=== UI ===
If TLNs are added as a property of tree root domains of the forest,
appropriate panel needs to be extended to display them.

=== CLI ===
If TLNs are added as a property of tree root domains of the forest,
appropriate attribute need to be handled by '''trust-show''' command. If
TLNs represented as separate 'trusted domains' of the trusted forest, no
work is needed on CLI other than being able to support 'trusted domains'
without SID and NetBIOS name.


What is meant by 'tree root domains of the forest' in IPA context? The 
trust object?


Btw trustdomain object has ipantflatname and ipanttrusteddomainsid 
attributes as optional so it is possible to store it there assuming 
modification of KDB driver.




=== Configuration ===
No configuration options.

== Upgrade ==
No impact to upgrade.

== How to Test ==
In order to test UPN-based logons, create additional name suffixes in
Active Directory and establish trust to it. After trust is established,
the name suffixes should be usable when trying to kinit as enterprise
principal.

== Test Plan ==

-


--
Petr Vobornik

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [PATCHES 548-549] ipalib: add convenient Command method for adding messages

2016-03-02 Thread Jan Cholasta


Hi,

these patches are for master only, see commit messages for details.

Honza

--
Jan Cholasta
From 49f3e365dc56ccda7d8aec7cf9d8e2d98791b031 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Wed, 2 Mar 2016 11:00:23 +0100
Subject: [PATCH 1/2] ipalib: provide per-call command context

Add context which is valid for the duration of command call. The context
is accessible using the `context` attribute of Command and Object plugins.
---
 ipalib/frontend.py | 10 ++
 ipalib/request.py  | 21 +
 2 files changed, 31 insertions(+)

diff --git a/ipalib/frontend.py b/ipalib/frontend.py
index 5b730b1..e91660d 100644
--- a/ipalib/frontend.py
+++ b/ipalib/frontend.py
@@ -38,6 +38,7 @@ from ipalib.errors import (ZeroArgumentError, MaxArgumentError, OverlapError,
 VersionError, OptionError, InvocationError,
 ValidationError, ConversionError)
 from ipalib import messages
+from ipalib.request import context, context_frame
 from ipalib.util import json_serialize
 
 if six.PY3:
@@ -370,6 +371,10 @@ class HasParam(Plugin):
 check(namespace)
 setattr(self, name, namespace)
 
+@property
+def context(self):
+return context.current_frame
+
 
 class Command(HasParam):
 """
@@ -424,6 +429,11 @@ class Command(HasParam):
 XML-RPC and the executed an the nearest IPA server.
 """
 self.ensure_finalized()
+with context_frame():
+self.context.principal = getattr(context, 'principal', None)
+return self.__do_call(*args, **options)
+
+def __do_call(self, *args, **options):
 version_provided = 'version' in options
 if version_provided:
 self.verify_client_version(unicode(options['version']))
diff --git a/ipalib/request.py b/ipalib/request.py
index 9484be5..d851ba8 100644
--- a/ipalib/request.py
+++ b/ipalib/request.py
@@ -22,6 +22,7 @@
 Per-request thread-local data.
 """
 
+import contextlib
 import threading
 
 from ipalib.base import ReadOnly, lock
@@ -32,6 +33,26 @@ from ipalib.constants import CALLABLE_ERROR
 context = threading.local()
 
 
+class _FrameContext(object):
+pass
+
+
+@contextlib.contextmanager
+def context_frame():
+try:
+frame_back = context.current_frame
+except AttributeError:
+pass
+context.current_frame = _FrameContext()
+try:
+yield
+finally:
+try:
+context.current_frame = frame_back
+except UnboundLocalError:
+del context.current_frame
+
+
 class Connection(ReadOnly):
 """
 Base class for connection objects stored on `request.context`.
-- 
2.5.0

From 8ca33656a7ebb7819af9a8101befb20396d2bd75 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Wed, 2 Mar 2016 12:44:15 +0100
Subject: [PATCH 2/2] ipalib: add convenient Command method for adding messages

Call the add_message() method of Command from anywhere in the implementation
of a command to add a message to the result of the command.
---
 ipalib/frontend.py | 20 
 1 file changed, 12 insertions(+), 8 deletions(-)

diff --git a/ipalib/frontend.py b/ipalib/frontend.py
index e91660d..ba830f2 100644
--- a/ipalib/frontend.py
+++ b/ipalib/frontend.py
@@ -434,13 +434,17 @@ class Command(HasParam):
 return self.__do_call(*args, **options)
 
 def __do_call(self, *args, **options):
-version_provided = 'version' in options
-if version_provided:
+self.context.__messages = []
+if 'version' in options:
 self.verify_client_version(unicode(options['version']))
 elif self.api.env.skip_version_check and not self.api.env.in_server:
 options['version'] = u'2.0'
 else:
 options['version'] = API_VERSION
+if self.api.env.in_server:
+# add message only on server side
+self.add_message(
+messages.VersionMissing(server_version=API_VERSION))
 params = self.args_options_2_params(*args, **options)
 self.debug(
 'raw: %s(%s)', self.name, ', '.join(self._repr_iter(**params))
@@ -454,12 +458,9 @@ class Command(HasParam):
 self.validate(**params)
 (args, options) = self.params_2_args_options(**params)
 ret = self.run(*args, **options)
-if (not version_provided and isinstance(ret, dict) and
-self.api.env.in_server):
-# add message only on server side
-messages.add_message(
-API_VERSION, ret,
-messages.VersionMissing(server_version=API_VERSION))
+if isinstance(ret, dict):
+for message in self.context.__messages:
+messages.add_message(options['version'], ret, message)
 if (
 isinstance(ret, dict)
 and 'summary' in self.output
@@ -470,6 +471,9 @@ class Command(HasParam):
 self.validate_output(ret,

Re: [Freeipa-devel] [PATCH 0425] pylint: suppress false positive no-member errors

2016-03-02 Thread Tomas Babej



On 03/02/2016 01:35 PM, David Kupka wrote:
> Tested with pylint-1.5.4-2, works for me, ACK.
> 
> - Original Message -
> From: "Martin Basti" 
> To: "freeipa-devel" 
> Sent: Tuesday, March 1, 2016 5:55:54 PM
> Subject: Re: [Freeipa-devel] [PATCH 0425] pylint: suppress false positive 
> no-member errors
> 
> 
> 
> On 25.02.2016 17:50, Martin Basti wrote: 
> 
> 
> 
> 
> On 25.02.2016 15:48, Martin Basti wrote: 
> 
> 
> The last pylint 1.5 patch, \o/ 
> 
> https://fedorahosted.org/freeipa/ticket/5615 
> 
> 
> self-NACK too broad disables 
> 
> 
> Updated patches attached. 
> 

Pushed to:
ipa-4-2: aaad91d32ee855813bac5f57f8af128cfee327a5
ipa-4-3: 76545e2a54ebbfc5422d2a4bcd51fad1bbd8a79a
master: 72d5499c5a902c860c5496ee6e604526672e5777

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 016, 024, 025] First part of the replica promotion tests + testplan

2016-03-02 Thread Oleg Fayans

Hi Martin,

I've made the requested changes.

The full set of necessary patches is attached.


On 03/02/2016 10:05 AM, Martin Basti wrote:
> 
> 
> On 02.03.2016 00:12, Oleg Fayans wrote:
>> Hi Martin,
>>
>> On 03/01/2016 07:04 PM, Martin Basti wrote:
>>>
>>> On 01.03.2016 14:56, Martin Basti wrote:


 On 01.03.2016 12:37, Martin Basti wrote:
>
> On 01.03.2016 12:32, Martin Basti wrote:
>>
>> On 29.02.2016 13:16, Oleg Fayans wrote:
>>> Hi all,
>>>
>>> Finally the tests pass.
>>>
>>> The patch 0024 applies on top of patch 0022 (please, consider
>>> reviewing
>>> it also). Besides, the whole functionality depends on Martin's
>>> patch N 0421
>>>
>>> All patches pass pylint.
>> hello,
>>
>> I cannot apply patches on master branch
>> Martin^2
> My bad I applied wrong patch
>
>>>
>>> On 12/19/2015 11:56 PM, Martin Basti wrote:
 On 17.12.2015 10:04, Oleg Fayans wrote:
> Hi Martin,
>
> I am sorry, in my previous email I attached the old version of
> patch
> 0016. The correct on is attached.
>
> On 12/16/2015 05:47 PM, Martin Basti wrote:
>> On 16.12.2015 15:39, Martin Basti wrote:
>>> On 15.12.2015 10:29, Oleg Fayans wrote:
 Hi Martin,

 The updated patches are attached. Patch 0017 includes all
 changes from
 patch 0018, so, if you approve this one, there would be no
 need to
 continue with the review of 0018. This one contains all changes
 related
 to you remarks from 0018 review. Please see my explanation
 on the
 stdout+stderr part in the thread from patch 0018.
 With these two patches applied one of the tests fails due this
 bug:
 https://fedorahosted.org/freeipa/ticket/5550

 On 12/09/2015 12:17 PM, Martin Basti wrote:
> On 09.12.2015 12:10, Martin Basti wrote:
>> On 09.12.2015 11:14, Oleg Fayans wrote:
>>> Hi Martin
>>>
>>> On 12/09/2015 10:30 AM, Martin Basti wrote:
 On 08.12.2015 23:48, Oleg Fayans wrote:
> Substituted a hardcoded suffix name with a constant
> DOMAIN_SUFFIX_NAME
>
> On 12/08/2015 02:33 PM, Oleg Fayans wrote:
>> Hi all,
>>
>>
>> The patches are rebased against the current master.
>>
>> On 12/02/2015 05:10 PM, Martin Basti wrote:
>>> On 02.12.2015 16:18, Oleg Fayans wrote:
 Hi Martin,

 On 12/01/2015 04:08 PM, Martin Basti wrote:
> On 27.11.2015 16:26, Oleg Fayans wrote:
>> And patch N 16 passes lint too:
>>
>> On 11/27/2015 04:03 PM, Oleg Fayans wrote:
>>> Hi,
>>>
>>> On 11/27/2015 03:26 PM, Martin Basti wrote:
 On 27.11.2015 15:04, Oleg Fayans wrote:
> Hi Martin,
>
> All your suggestions were taken into account. Both
> patches are
> updated. Thank you for your help!
>
> On 11/26/2015 10:50 AM, Martin Basti wrote:
>> On 26.11.2015 10:04, Oleg Fayans wrote:
>>> Hi Martin,
>>>
>>> I agree to all your points but one. please,
>>> see my
>>> comment
>>> below
>>>
>>> On 11/25/2015 07:42 PM, Martin Basti wrote:
 Hi,

 0) Note
 Please be aware of
 https://fedorahosted.org/freeipa/ticket/5469
 during
 KRA testing

 1)
 Please do not use MIN and MAX_DOMAIN_LEVEL
 constants,
 this may
 change
 over time, use DOMAIN_LEVEL_0 and
 DOMAIN_LEVEL_1 for
 domain
 level 0
 and 1

 2)
 Why uninstall KRA then server, is not enough
 just
 uninstall

Re: [Freeipa-devel] [PATCH 0425] pylint: suppress false positive no-member errors

2016-03-02 Thread David Kupka

Tested with pylint-1.5.4-2, works for me, ACK.

- Original Message -
From: "Martin Basti" 
To: "freeipa-devel" 
Sent: Tuesday, March 1, 2016 5:55:54 PM
Subject: Re: [Freeipa-devel] [PATCH 0425] pylint: suppress false positive 
no-member errors



On 25.02.2016 17:50, Martin Basti wrote: 




On 25.02.2016 15:48, Martin Basti wrote: 


The last pylint 1.5 patch, \o/ 

https://fedorahosted.org/freeipa/ticket/5615 


self-NACK too broad disables 


Updated patches attached. 

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH] 954 fix incorrect name of ipa-winsync-migrate command in help

2016-03-02 Thread Tomas Babej



On 03/02/2016 12:42 PM, Petr Vobornik wrote:
> Help and status text used incorrect name "ipa-migrate-winsync"
> 
> https://fedorahosted.org/freeipa/ticket/5713
> 
> 

ACK, Pushed to:
ipa-4-2: 7151ea394aac00ca596a8d7460a2fcefd258b36e
ipa-4-3: 57e02c7140fe2ad6fe6a6bc9823f84500bb78732
master: c68e9510d03abb75d353e209ea32ac9d1ed362bc

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [PATCH] 954 fix incorrect name of ipa-winsync-migrate command in help


Help and status text used incorrect name "ipa-migrate-winsync"

https://fedorahosted.org/freeipa/ticket/5713
--
Petr Vobornik
From bed7e2721d6f6d995df47fc2d15e5b4a1b3ee489 Mon Sep 17 00:00:00 2001
From: Petr Vobornik 
Date: Wed, 2 Mar 2016 12:37:33 +0100
Subject: [PATCH] fix incorrect name of ipa-winsync-migrate command in help

Help and status text used incorrect name "ipa-migrate-winsync"

https://fedorahosted.org/freeipa/ticket/5713
---
 ipaserver/install/ipa_winsync_migrate.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/ipaserver/install/ipa_winsync_migrate.py b/ipaserver/install/ipa_winsync_migrate.py
index a96845dccc9323efc6eb617c4520cf9678846377..545a224921a0cf1f8d849f0a71018769c36cfe41 100644
--- a/ipaserver/install/ipa_winsync_migrate.py
+++ b/ipaserver/install/ipa_winsync_migrate.py
@@ -37,15 +37,15 @@ class WinsyncMigrate(admintool.AdminTool):
 Tool to migrate winsync users.
 """
 
-command_name = 'ipa-migrate-winsync'
-usage = "ipa-migrate-winsync"
+command_name = 'ipa-winsync-migrate'
+usage = "ipa-winsync-migrate"
 description = (
 "This tool creates user ID overrides for all the users "
 "that were previously synced from AD domain using the "
 "winsync replication agreement. It requires that trust "
 "with the AD forest has already been established and "
 "the users in question are resolvable using SSSD. "
-"For more information, see `man ipa-migrate-winsync`."
+"For more information, see `man ipa-winsync-migrate`."
 )
 
 @classmethod
-- 
2.5.0

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] Supporting UPNs of trusted forests


Hi,

http://www.freeipa.org/page/V4/Support_of_UPN_for_trusted_domains
describes a design page to support name suffixes from trusted 
Active Directory domains.


A prototype code exists (written by me and Sumit) and was tested by Sumit
against recent releases of SSSD.

Text is provided below for easier commenting.
-
{{Feature|version=TODO|ticket=TODO|author=Ab}}

== Overview ==
User principal name (UPN) in Active Directory is the primary form of
addressing users. UPN has structure of 'user name@suffix' where both
user name and suffix parts may vary. By default the suffix is the same
as the Active Directory domain name but AD administrators may create
additional name suffixes and associate them with specific users. These
additional UPNs for users may then be used for Kerberos authentication
against Active Directory domains.

Alternative UPNs are often used when several companies with Active
Directory deployments merge and want to provide unified logon namespace.

The purpose of this feature is to allow using alternative UPNs
associated with the Active Directory users when accessing resources in
FreeIPA domain.

== Use Cases ==

As an Active Directory user, I want to login using my user@EXAMPLE user
principal name even if my Active Directory domain is named
REGION.EXAMPLE.COM. 


== Design==
Support for UPNs is split to three different components:
;Client-side
: SSSD already supports logon with UPN by asking a KDC to accept
enterprise logon names.  By default, the use of enterprise principals is
disabled, therefore, krb5_use_enterprise_principal = True
needs to be added to sssd.conf to enable it.

;KDC
: IPA KDC does understand multiple domains associated with the trusted
AD forest. However, since no information about name suffixes associated
with the forest is available, it cannot take them into account when
processing enteprise logon names to issue referrals to the correct
realm. Support needs to be added to allow IPA KDC to look up name
suffixes associated with a trusted forest.

; IPA framework
: Changes needed on IPA framework side to fetch from Active Directory a
list of name suffixes and store them in the trusted domain objects.

== Implementation ==
For retrieving name suffixes, IPA framework needs to move to use
NETLOGON netr_DsRGetForestTrustInformation function instead of
netr_DsrEnumerateDomainTrusts. This allows to retrieve both domains and
top level names associated with the forest.

As top level names (TLNs) have only a single string as a name suffix,
they cannot be stored as trusted domains (they lack SID and NetBIOS
name). Thus, either IPA KDB driver needs to be extended to understand
trusted domains without SID and NetBIOS name, or TLNs need to be stored
as a property of tree root domains of the forest.

== Feature Management ==

=== UI ===
If TLNs are added as a property of tree root domains of the forest,
appropriate panel needs to be extended to display them.

=== CLI ===
If TLNs are added as a property of tree root domains of the forest,
appropriate attribute need to be handled by '''trust-show''' command. If
TLNs represented as separate 'trusted domains' of the trusted forest, no
work is needed on CLI other than being able to support 'trusted domains'
without SID and NetBIOS name.

=== Configuration ===
No configuration options.

== Upgrade ==
No impact to upgrade.

== How to Test ==
In order to test UPN-based logons, create additional name suffixes in
Active Directory and establish trust to it. After trust is established,
the name suffixes should be usable when trying to kinit as enterprise
principal.

== Test Plan ==

-

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [PATCH] man: Decribe ipa-client-install workaround for broken D-Bus enviroment.

2016-03-02 Thread David Kupka

https://fedorahosted.org/freeipa/ticket/5694From 0a7afc3042835935e2891032664afcead1f4bcea Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Wed, 2 Mar 2016 11:08:19 +0100
Subject: [PATCH] man: Decribe ipa-client-install workaround for broken D-Bus
 enviroment.

https://fedorahosted.org/freeipa/ticket/5694
---
 client/man/ipa-client-install.1 | 10 ++
 1 file changed, 10 insertions(+)

diff --git a/client/man/ipa-client-install.1 b/client/man/ipa-client-install.1
index 92ea77a4bda539f8614f3d47cac7b53faf57482c..ce5258b3eac08b9a04bf5f4142635d2e21310f32 100644
--- a/client/man/ipa-client-install.1
+++ b/client/man/ipa-client-install.1
@@ -176,6 +176,16 @@ valid for the IPA domain.
 .TP
 \fB\-\-request\-cert\fR
 Request certificate for the machine. The certificate will be stored in /etc/ipa/nssdb under the nickname "Local IPA host".
+
+Using this option requires that D-Bus is properly configured or not configured
+at all. In enviroment where this condition is not met (e.g. anaconda kickstart
+chroot environment) set the system bus address to /dev/null to enable
+workaround in ipa-client-install.
+
+# env DBUS_SYSTEM_BUS_ADDRESS=unix:path=/dev/null ipa-client-install --request-cert
+
+Note that the certmonger service requires a system reboot to start monitoring
+the certificate obtained in this way.
 .TP
 \fB\-\-automount\-location\fR=\fILOCATION\fR
 Configure automount by running ipa\-client\-automount(1) with \fILOCATION\fR as
-- 
2.4.3

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] External trust to AD


Hi,

http://www.freeipa.org/page/V4/External_trust_to_AD documents a design
for external trust to AD feature.

The text is included below for easier review.
---
{{Feature|version=TODO|ticket=TODO|author=Ab}}

== Overview ==
Support for external trust to a domain from Active Directory forest

An external trust is a trust relationship between Active Directory
domains that are in different Active Directory forests. While forest
trust always requires to establish trust between root domains of the
Active Directory forests, external trust can be established to any
domain within the forest.

== Use Cases ==

As an Active Directory domain admin, I want to establish trust between
IPA and my domain only. The trust between IPA and an external Active
Directory domain will be non-transitive as no users or groups from other
Active Directory domains will have access to IPA resources.

== Design==

External trust between Active Directory domains is by definition
non-transitive and enforces SID filtering between the domain boundaries.
This means only users and groups with SIDs from the trusted domain can
use the resources and be visible on IPA systems. None of other users and
groups from domains the trusted domain trusts within its own Active
Directory forest or other externally trusted domains will be allowed to
access IPA resources.

== Implementation ==

External trust feature re-uses existing forest trust infrastructure.
There are several specific changes to allow supporting external trust:
* '''Non-transitivity''': since external trust is non-transitive by
* definition, any attempt to set transitivity feature of the trust link
* with LSA SetInformationTrustedDomain() command will fail. Thus, there
* is no need to set transitivity for the external trust.
* '''Trust attributes''': external trust can be detected by looking into
* absense of ipaNTTrustAttributes LDAP attribute of the trusted domain
* object.

== Feature Management ==

=== UI ===
An option 'external trust' needs to be added to Web UI, corresponding to
'--external' flag in 'trust-add' command in CLI.

=== CLI ===
An external trust creation can be requested by passing additional flag
'--external=true' to the 'trust-add' command. The flag defaults to
'false', e.g. no external trust would be created.

{| class="wikitable"
|-
! Command
! Options
|-
| trust-add
| --external=true/false
|}

=== Configuration ===
No configuration options needed.

== Upgrade ==
No changes on upgrades. The trust properties are only set up at trust
creation time.

== How to Test ==
In order to test the external trust, attempt to create a trust to
non-root domain in an Active Directory forest. It should fail without
'--external=true' option and should be able to establish the external
trust with '--external=true' option to 'trust-add' command.

A type of the trust can be seen with 'trust-show' command.

== Test Plan ==

---

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 0427] fix broken configuration of sidgen and extdom plugins


On 03/01/2016 06:32 PM, Martin Basti wrote:



On 01.03.2016 17:14, Martin Basti wrote:



On 01.03.2016 17:13, Petr Vobornik wrote:

On 03/01/2016 05:02 PM, Martin Basti wrote:



On 01.03.2016 16:39, Petr Vobornik wrote:

On 02/23/2016 06:15 PM, Martin Basti wrote:



On 23.02.2016 17:31, Tomas Babej wrote:


On 02/23/2016 01:25 PM, Martin Basti wrote:


On 23.02.2016 13:02, Alexander Bokovoy wrote:

On Tue, 23 Feb 2016, Martin Basti wrote:

 From f2ae1bd129a1741500d2f3dcb86a0da553604d15 Mon Sep 17
00:00:00
2001
From: Martin Basti 
Date: Tue, 23 Feb 2016 10:37:47 +0100
Subject: [PATCH 4/4] fix upgrade: wait for proper DS socket
after DS
restart

Restarting DS executed by upgrade plugin causes that upgrade
frameworg
was waiting for not proper socket to be ready. This commit fix
issue.

Please fix the commit message typos.


Fixed. Updated patches attached.

ACK.

Tomas

Pushed to master: 0accf8ccb64963954dbe7c137d23f52e5901ac4f
Pushed to ipa-4-3: 4734012c8063460f93f3b819a5bbcca797f6059e
Pushed to ipa-4-2: 63d8caf0d105f02decc0b5d865fedf6ad063bc1a



Testing freeipa-4.2.4 build and it fails at
install/dsinstance.py:add_sidgen_plugin:936

adding self.ldap_connect() on line 937 fixed the issue.


Well I may rework PATCH 0416, and fix it in different way, or I can add
self.ldap_connect() to sidgen and extdom steps.

Which is better?



I would avoid reworking it in all 3 branches if in 4.3 and master it
works and is actually correct. Doesn't make sense to change new code
because of missing features in old branches. Adding connect to
ipa-4-2 seems enough to me.


IMO it works accidentaly there, any additional patch or restart can
break it in 4.3 and master too


Patch attached.

ipa-4-2 needs to have backported ca8f63624b204f0c4f2d1ac5f4ed93551f7e62df



ACK

pushed to:

master:
* fcc540bbdc5daa24990940124ec3bd439b05257d Fix connections to DS during 
installation

ipa-4-3:
* c14fb0b9e0f4cb977e897645126ef7d1bbf9aa9e Fix connections to DS during 
installation

ipa-4-2:
*e2ef561375c63a375710254f159f75d7318c514d Insure the admin_conn is 
disconnected on stop
* 0af81913258b2f4c9841c5baddda146667282b2c Fix connections to DS during 
installation


--
Petr Vobornik

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 016, 024, 025] First part of the replica promotion tests + testplan